[X2Go-Commits] [nx-libs] 02/17: Security fixes: X.Org CVE-2013-7439:

git-admin at x2go.org git-admin at x2go.org
Mon Apr 27 02:50:39 CEST 2015


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch 3.5.0.x
in repository nx-libs.

commit 79a4ed92dbae5089d3ddfcc0acec427ff057ad9b
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date:   Sun Apr 26 21:51:23 2015 +0200

    Security fixes: X.Org CVE-2013-7439:
    
    v2: backport to 3.5.0.x branch. (Mihai Moldovan)
    
    Adds:
      - 1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
---
 debian/changelog                                   |    5 ++
 ...39-MakeBigReq-don-t-move-the-last-wo.full.patch |   77 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 3 files changed, 83 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 0534c5e..079b2de 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -25,6 +25,11 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low
     Adds:
     - 0630_nx-X11_fix-underlinking-dlopen-dlsym.full.patch
 
+  [ Mike Gabriel ]
+  * Security fixes:
+    - X.Org CVE-2013-7439:
+      1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
+
  -- X2Go Release Manager <git-admin at x2go.org>  Tue, 17 Mar 2015 19:19:32 +0100
 
 nx-libs (2:3.5.0.31-0x2go1) unstable; urgency=low
diff --git a/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch b/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
new file mode 100644
index 0000000..6613d80
--- /dev/null
+++ b/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
@@ -0,0 +1,77 @@
+commit ac9fbaabd6bdbca6dd1d94fa385aea41fdebf2c1
+Author: Karl Tomlinson <xmail at karlt.net>
+Date:   Wed Apr 15 10:16:18 2015 +0200
+
+    MakeBigReq: don't move the last word, already handled by Data32 (X.Org CVE-2013-7439).
+
+     MakeBigReq inserts a length field after the first 4 bytes of the request
+     (after req->length), pushing everything else back by 4 bytes.
+
+     The current memmove moves everything but the first 4 bytes back. If a
+     request aligns to the end of the buffer pointer when MakeBigReq is
+     invoked for that request, this runs over the buffer. Instead, we need to
+     memmove minus the first 4 bytes (which aren't moved), minus the last 4
+     bytes (so we still align to the previous tail).
+
+     The 4 bytes that fell out are already handled with Data32, which will
+     handle the buffermax correctly.
+
+     The case where req->length = 1 was already not functional.
+
+     Reported by Abhishek Arya <inferno at chromium.org> (against X.Org BTS).
+
+     https://bugzilla.mozilla.org/show_bug.cgi?id=803762
+
+     Reviewed-by: Jeff Muizelaar <jmuizelaar at mozilla.com>
+     Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+     Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+     Rebased-for-NX: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
+
+--- a/nx-X11/lib/X11/Xlibint.h
++++ b/nx-X11/lib/X11/Xlibint.h
+@@ -561,6 +561,14 @@ extern LockInfoPtr _Xglobal_lock;
+ 	dpy->request++
+ #endif
+ 
++/*
++ * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32
++ * length, after req->length, before the data in the request. The new length
++ * includes the "n" extra 32-bit words.
++ *
++ * Do not use MakeBigReq if there is no data already in the request.
++ * req->length must already be >= 2.
++ */
+ #ifdef WORD64
+ #define MakeBigReq(req,n) \
+     { \
+@@ -580,7 +588,7 @@ extern LockInfoPtr _Xglobal_lock;
+     CARD32 _BRlen = req->length - 1; \
+     req->length = 0; \
+     _BRdat = ((CARD32 *)req)[_BRlen]; \
+-    memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
++    memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
+     ((CARD32 *)req)[1] = _BRlen + n + 2; \
+     Data32(dpy, &_BRdat, 4); \
+     }
+@@ -591,13 +599,20 @@ extern LockInfoPtr _Xglobal_lock;
+     CARD32 _BRlen = req->length - 1; \
+     req->length = 0; \
+     _BRdat = ((CARD32 *)req)[_BRlen]; \
+-    memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
++    memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
+     ((CARD32 *)req)[1] = _BRlen + n + 2; \
+     Data32(dpy, &_BRdat, 4); \
+     }
+ #endif
+ #endif
+ 
++/*
++ * SetReqLen increases the count of 32-bit words in the request by "n",
++ * or by "badlen" if "n" is too large.
++ *
++ * Do not use SetReqLen if "req" does not already have data after the
++ * xReq header. req->length must already be >= 2.
++ */
+ #define SetReqLen(req,n,badlen) \
+     if ((req->length + n) > (unsigned)65535) { \
+ 	if (dpy->bigreq_size) { \
diff --git a/debian/patches/series b/debian/patches/series
index f0870d9..2856cbe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -129,5 +129,6 @@
 1102-include-introduce-byte-counting-functions.patch
 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
 1104-xkb-Check-strings-length-against-request-size.patch
+1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
 0016_nx-X11_install-location.debian.patch
 0102_xserver-xext_set-securitypolicy-path.debian.patch

--
Alioth's /srv/git/code.x2go.org/nx-libs.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git


More information about the x2go-commits mailing list