[X2Go-Commits] [nx-libs] 02/17: Security fixes: X.Org CVE-2013-7439:
git-admin at x2go.org
git-admin at x2go.org
Mon Apr 27 02:50:39 CEST 2015
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch 3.5.0.x
in repository nx-libs.
commit 79a4ed92dbae5089d3ddfcc0acec427ff057ad9b
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date: Sun Apr 26 21:51:23 2015 +0200
Security fixes: X.Org CVE-2013-7439:
v2: backport to 3.5.0.x branch. (Mihai Moldovan)
Adds:
- 1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
---
debian/changelog | 5 ++
...39-MakeBigReq-don-t-move-the-last-wo.full.patch | 77 ++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 83 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 0534c5e..079b2de 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -25,6 +25,11 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low
Adds:
- 0630_nx-X11_fix-underlinking-dlopen-dlsym.full.patch
+ [ Mike Gabriel ]
+ * Security fixes:
+ - X.Org CVE-2013-7439:
+ 1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
+
-- X2Go Release Manager <git-admin at x2go.org> Tue, 17 Mar 2015 19:19:32 +0100
nx-libs (2:3.5.0.31-0x2go1) unstable; urgency=low
diff --git a/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch b/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
new file mode 100644
index 0000000..6613d80
--- /dev/null
+++ b/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
@@ -0,0 +1,77 @@
+commit ac9fbaabd6bdbca6dd1d94fa385aea41fdebf2c1
+Author: Karl Tomlinson <xmail at karlt.net>
+Date: Wed Apr 15 10:16:18 2015 +0200
+
+ MakeBigReq: don't move the last word, already handled by Data32 (X.Org CVE-2013-7439).
+
+ MakeBigReq inserts a length field after the first 4 bytes of the request
+ (after req->length), pushing everything else back by 4 bytes.
+
+ The current memmove moves everything but the first 4 bytes back. If a
+ request aligns to the end of the buffer pointer when MakeBigReq is
+ invoked for that request, this runs over the buffer. Instead, we need to
+ memmove minus the first 4 bytes (which aren't moved), minus the last 4
+ bytes (so we still align to the previous tail).
+
+ The 4 bytes that fell out are already handled with Data32, which will
+ handle the buffermax correctly.
+
+ The case where req->length = 1 was already not functional.
+
+ Reported by Abhishek Arya <inferno at chromium.org> (against X.Org BTS).
+
+ https://bugzilla.mozilla.org/show_bug.cgi?id=803762
+
+ Reviewed-by: Jeff Muizelaar <jmuizelaar at mozilla.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+ Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+ Rebased-for-NX: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
+
+--- a/nx-X11/lib/X11/Xlibint.h
++++ b/nx-X11/lib/X11/Xlibint.h
+@@ -561,6 +561,14 @@ extern LockInfoPtr _Xglobal_lock;
+ dpy->request++
+ #endif
+
++/*
++ * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32
++ * length, after req->length, before the data in the request. The new length
++ * includes the "n" extra 32-bit words.
++ *
++ * Do not use MakeBigReq if there is no data already in the request.
++ * req->length must already be >= 2.
++ */
+ #ifdef WORD64
+ #define MakeBigReq(req,n) \
+ { \
+@@ -580,7 +588,7 @@ extern LockInfoPtr _Xglobal_lock;
+ CARD32 _BRlen = req->length - 1; \
+ req->length = 0; \
+ _BRdat = ((CARD32 *)req)[_BRlen]; \
+- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
++ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
+ ((CARD32 *)req)[1] = _BRlen + n + 2; \
+ Data32(dpy, &_BRdat, 4); \
+ }
+@@ -591,13 +599,20 @@ extern LockInfoPtr _Xglobal_lock;
+ CARD32 _BRlen = req->length - 1; \
+ req->length = 0; \
+ _BRdat = ((CARD32 *)req)[_BRlen]; \
+- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
++ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
+ ((CARD32 *)req)[1] = _BRlen + n + 2; \
+ Data32(dpy, &_BRdat, 4); \
+ }
+ #endif
+ #endif
+
++/*
++ * SetReqLen increases the count of 32-bit words in the request by "n",
++ * or by "badlen" if "n" is too large.
++ *
++ * Do not use SetReqLen if "req" does not already have data after the
++ * xReq header. req->length must already be >= 2.
++ */
+ #define SetReqLen(req,n,badlen) \
+ if ((req->length + n) > (unsigned)65535) { \
+ if (dpy->bigreq_size) { \
diff --git a/debian/patches/series b/debian/patches/series
index f0870d9..2856cbe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -129,5 +129,6 @@
1102-include-introduce-byte-counting-functions.patch
1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
1104-xkb-Check-strings-length-against-request-size.patch
+1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
0016_nx-X11_install-location.debian.patch
0102_xserver-xext_set-securitypolicy-path.debian.patch
--
Alioth's /srv/git/code.x2go.org/nx-libs.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
More information about the x2go-commits
mailing list