On 14.02.2015 05:47 PM, git-admin@x2go.org wrote:
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch 3.6.x in repository nx-libs.
commit d4c76981f7fddb364166464c571ed8d3de3086cd
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon Jan 6 23:30:14 2014 -0800

dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]

GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory.

This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane.

v2: backport to nx-libs 3.6.x (Mike DePaulo)

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

Conflicts: os/access.c
nx-X11/programs/Xserver/os/access.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/nx-X11/programs/Xserver/os/access.c b/nx-X11/programs/Xserver/os/access.c index b6a70a7..0e9d138 100644 --- a/nx-X11/programs/Xserver/os/access.c +++ b/nx-X11/programs/Xserver/os/access.c @@ -1719,6 +1719,10 @@ GetHosts ( { nHosts++; n += (((host->len + 3) >> 2) << 2) + sizeof(xHostEntry);
/* Could check for INT_MAX, but in reality having more than 1mb of
hostnames in the access list is ridiculous */
if (n >= 1048576)
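Review bot: at `if (n >= 1048576)`, both `nHosts++` and the `n += ...` line have already run for the host that crosses the limit, so when the branch is taken (its body is not visible in the quoted lines) the two counters already include that entry. Worth confirming that the later copy pass stops at the same host, or moving the check ahead of the increments, so the reported host count, the allocated size and the copied bytes agree. The comment says "1mb" while the constant is a bare decimal; a named constant would keep the limit and its documentation together.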
Not an error: I'd change the number "1048576" to "1024*1024", because "1048576" is not easily recognized as 1 MB while the latter is more clear (and the compiler statically optimizes it at compile/preprocessing time anyway.)

if (n >= 1024*1024)

Everything else looks fine.
On 15.02.2015 10:32 PM, Mihai Moldovan wrote:
Not an error: I'd change the number "1048576" to "1024*1024", because "1048576" is not easily recognized as 1 MB while the latter is more clear (and the compiler statically optimizes it at compile/preprocessing time anyway.)
if (n >= 1024*1024)
http://code.x2go.org/gitweb?p=nx-libs.git;a=commitdiff;h=b6b5b14e4190048fadb...
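
The size calculation discussed in this thread, as an added example that is not nx-libs code and not part of either message: it sums padded entry sizes into a 32-bit total with and without the 1 MB cap, using a constructed list of equal-length hosts so the wrap is reached without allocating 4 GiB. The function names, the 16-bit length, the 4-byte entry header and the 32-bit total are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions (not nx-libs code): 16-bit address length, 4-byte entry
 * header standing in for sizeof(xHostEntry), 32-bit running total. */
#define ENTRY_HEADER  4u
#define HOST_LIST_CAP (1024u * 1024u)   /* the 1 MB cap from the commit */

/* Same rounding as the patch context: pad len up to a multiple of 4. */
static uint32_t entry_size(uint16_t len)
{
    return ((((uint32_t)len + 3u) >> 2) << 2) + ENTRY_HEADER;
}

/* Size pass with no limit: the 32-bit total wraps past 4 GiB. */
static uint32_t total_unchecked(uint32_t nhosts, uint16_t len)
{
    uint32_t n = 0;
    for (uint32_t i = 0; i < nhosts; i++)
        n += entry_size(len);
    return n;
}

/* Size pass with the cap checked after every addition. Each step adds at
 * most 65540 bytes to a total that was below 1 MB, so n cannot wrap.
 * Returns 0 and stores the total, or -1 when the list is too large. */
static int total_capped(uint32_t nhosts, uint16_t len, uint32_t *out)
{
    uint32_t n = 0;
    for (uint32_t i = 0; i < nhosts; i++) {
        n += entry_size(len);
        if (n >= HOST_LIST_CAP)
            return -1;
    }
    *out = n;
    return 0;
}

int main(void)
{
    uint32_t n = 0;
    /* Constructed input: 65536 hosts of 65532 bytes each, 2^32 bytes total. */
    printf("unchecked total: %u\n", (unsigned)total_unchecked(65536u, 65532u));
    printf("capped result:   %d\n", total_capped(65536u, 65532u, &n));
    if (total_capped(3u, 5u, &n) == 0)
        printf("small list:      %u bytes\n", (unsigned)n);
    return 0;
}
```

A wrapped total would size the buffer far below what the copy pass then writes, which is why the capped variant rejects the list instead of returning a length.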