I am looking into fixing the recently announced X.org vulnerability (CVE-2015-0255) in nx-libs. http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
It looks like nx-libs is affected.
It also looks like some distros (Fedora, Debian) have fixed it, while others (RHEL 5, 6 and 7, Debian LTS) have not.
It also looks like the X.org 1.16.x commits are easier to apply to nx-libs than the X.org 1.17.x commits are. The 1.17.x commits are linked to on that advisory page.
The X.org 1.16.x commits are here:
the branch: http://cgit.freedesktop.org/xorg/xserver/log/?h=server-1.16-branch
the prereq: http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=747cea16c4de1f48e838e1388301a2e24a3da6c4
the fix itself: http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=8f61533b16635a0a13f4048235246edb138fa40b
-Mike#2
On Mon, Feb 16, 2015 at 8:14 AM, Michael DePaulo <mikedep333@gmail.com> wrote:
> I am looking into fixing the recently announced X.org vulnerability (CVE-2015-0255) in nx-libs. http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
> It looks like nx-libs is affected.
> It also looks like some distros (Fedora, Debian) have fixed it, while others (RHEL 5, 6 and 7, Debian LTS) have not.
> It also looks like the X.org 1.16.x commits are easier to apply to nx-libs than the X.org 1.17.x commits are. The 1.17.x commits are linked to on that advisory page.
> The X.org 1.16.x commits are here:
> the branch: http://cgit.freedesktop.org/xorg/xserver/log/?h=server-1.16-branch
> the prereq: http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=747cea16c4de1f48e838e1388301a2e24a3da6c4
> the fix itself: http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=8f61533b16635a0a13f4048235246edb138fa40b
> -Mike#2
Status Update:
I managed to backport the prereq commit to nx-libs 3.6.x. http://code.x2go.org/gitweb?p=nx-libs.git;a=commit;h=a1cd16d6d05b197fff110d2...
It was non-trivial to merge due to this refactoring commit from 2011: http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=2c7c520cfe0df30f4bc3adba59d9c62582823bf8
On 17.02.2015 02:39 PM, Michael DePaulo wrote:
> On Mon, Feb 16, 2015 at 8:14 AM, Michael DePaulo <mikedep333@gmail.com> wrote:
>> I am looking into fixing the recently announced X.org vulnerability (CVE-2015-0255) in nx-libs. http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
>> It looks like nx-libs is affected.
>> It also looks like some distros (Fedora, Debian) have fixed it, while others (RHEL 5, 6 and 7, Debian LTS) have not.
>> It also looks like the X.org 1.16.x commits are easier to apply to nx-libs than the X.org 1.17.x commits are. The 1.17.x commits are linked to on that advisory page.
>> The X.org 1.16.x commits are here:
>> the branch: http://cgit.freedesktop.org/xorg/xserver/log/?h=server-1.16-branch
>> the prereq: http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=747cea16c4de1f48e838e1388301a2e24a3da6c4
>> the fix itself: http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=8f61533b16635a0a13f4048235246edb138fa40b
>> -Mike#2
> Status Update:
> I managed to backport the prereq commit to nx-libs 3.6.x. http://code.x2go.org/gitweb?p=nx-libs.git;a=commit;h=a1cd16d6d05b197fff110d2...
LGTM, thanks!
Mihai
Hi Mike#2,
On Di 17 Feb 2015 18:48:26 CET, Mihai Moldovan wrote:
> On 17.02.2015 02:39 PM, Michael DePaulo wrote:
>> On Mon, Feb 16, 2015 at 8:14 AM, Michael DePaulo <mikedep333@gmail.com> wrote:
>>> I am looking into fixing the recently announced X.org vulnerability (CVE-2015-0255) in nx-libs. http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
>>> It looks like nx-libs is affected.
>>> It also looks like some distros (Fedora, Debian) have fixed it, while others (RHEL 5, 6 and 7, Debian LTS) have not.
>>> It also looks like the X.org 1.16.x commits are easier to apply to nx-libs than the X.org 1.17.x commits are. The 1.17.x commits are linked to on that advisory page.
>>> The X.org 1.16.x commits are here:
>>> the branch: http://cgit.freedesktop.org/xorg/xserver/log/?h=server-1.16-branch
>>> the prereq: http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=747cea16c4de1f48e838e1388301a2e24a3da6c4
>>> the fix itself: http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=8f61533b16635a0a13f4048235246edb138fa40b
>>> -Mike#2
>> Status Update:
>> I managed to backport the prereq commit to nx-libs 3.6.x. http://code.x2go.org/gitweb?p=nx-libs.git;a=commit;h=a1cd16d6d05b197fff110d2...
> LGTM, thanks!
> Mihai
Please directly apply the patch on top of the 3.6.x code and push to
3.6.x branches (Arctica/X2Go nx-libs repo).
I will backport the patch to the 3.5.0.x branch for X2Go (and Arctica)
(or you may do it yourself: Please use the Git commit from the 3.6.x
branch in debian/patches/ for this). Similar to how I backported the
other 40 patches you provided.
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
Hi Mike#1 & Mihai,
On Tue, Feb 17, 2015 at 4:34 PM, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> Hi Mike#2,
> On Di 17 Feb 2015 18:48:26 CET, Mihai Moldovan wrote:
>> On 17.02.2015 02:39 PM, Michael DePaulo wrote:
>>> On Mon, Feb 16, 2015 at 8:14 AM, Michael DePaulo <mikedep333@gmail.com> wrote:
>>>> I am looking into fixing the recently announced X.org vulnerability (CVE-2015-0255) in nx-libs. http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
>>>> It looks like nx-libs is affected.
>>>> It also looks like some distros (Fedora, Debian) have fixed it, while others (RHEL 5, 6 and 7, Debian LTS) have not.
>>>> It also looks like the X.org 1.16.x commits are easier to apply to nx-libs than the X.org 1.17.x commits are. The 1.17.x commits are linked to on that advisory page.
>>>> The X.org 1.16.x commits are here:
>>>> the branch: http://cgit.freedesktop.org/xorg/xserver/log/?h=server-1.16-branch
>>>> the prereq: http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=747cea16c4de1f48e838e1388301a2e24a3da6c4
>>>> the fix itself:
>>>> -Mike#2
>>> Status Update:
>>> I managed to backport the prereq commit to nx-libs 3.6.x.
>>> http://code.x2go.org/gitweb?p=nx-libs.git;a=commit;h=a1cd16d6d05b197fff110d2...
>> LGTM, thanks!
>> Mihai
> Please directly apply the patch on top of the 3.6.x code and push to 3.6.x branches (Arctica/X2Go nx-libs repo).
> I will backport the patch to the 3.5.0.x branch for X2Go (and Arctica) (or you may do it yourself: Please use the Git commit from the 3.6.x branch in debian/patches/ for this). Similar to how I backported the other 40 patches you provided.
> Thanks+Greets, Mike
Done.
I had to backport 2 more commits as prereqs. However, they are non-intrusive.
I will wait for review (e.g., from Mihai) before backporting from 3.6.x to 3.5.0.x.
I did do a test build successfully (on Ubuntu 14.04 64-bit.)
-Mike
On 18.02.2015 03:30 AM, Michael DePaulo wrote:
> Done.
> I had to backport 2 more commits as prereqs. However, they are non-intrusive.
> I will wait for review (e.g., from Mihai) before backporting from 3.6.x to 3.5.0.x.
Everything looks sane. Nitpick: a little bit of mismatching whitespace here and there, but it's not worth going back, checking and changing all of that.
Thanks again!
Mihai
On Tue, Feb 17, 2015 at 10:00 PM, Mihai Moldovan <ionic@ionic.de> wrote:
> On 18.02.2015 03:30 AM, Michael DePaulo wrote:
>> Done.
>> I had to backport 2 more commits as prereqs. However, they are non-intrusive.
>> I will wait for review (e.g., from Mihai) before backporting from 3.6.x to 3.5.0.x.
> Everything looks sane. Nitpick: a little bit of mismatching whitespace here and there, but it's not worth going back, checking and changing all of that.
> Thanks again!
> Mihai
Thanks for helping me configure Vim to spot those whitespace issues.
I will backport them to 3.5.0.x in the morning.
-Mike