On 14.02.2015 05:47 PM, git-admin@x2go.org wrote:

This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch 3.6.x in repository nx-libs.

commit ece51493f1d970f45e53588e33a700464a42fbab Author: Mike DePaulo <mikedep333@gmail.com> Date: Sun Feb 8 22:27:47 2015 -0500

CVE-2014-0210: unvalidated length fields in fs_read_glyphs() from xorg/lib/libXfont commit 520683652564c2a4e42328ae23eef9bb63271565

fs_read_glyphs() parses a reply from the font server.  The reply
contains embedded length fields, none of which are validated.
This can cause out of bound reads when looping over the glyph
bitmaps in the reply.

---

nx-X11/lib/font/fc/fserve.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c index 79de4f3..26218e5 100644 --- a/nx-X11/lib/font/fc/fserve.c +++ b/nx-X11/lib/font/fc/fserve.c @@ -1916,6 +1916,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) FontInfoPtr pfi = &pfont->info; fsQueryXBitmaps16Reply *rep; char *buf;

• long bufleft; /* length of reply left to use */

I'd also initialize this: long bufleft = 0; Everything else here is OK.