[X2Go-Commits] [nx-libs] 01/02: Security fixes: X.Org CVE-2015-3418:

git-admin at x2go.org git-admin at x2go.org
Sat May 2 00:09:09 CEST 2015


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch 3.5.0.x
in repository nx-libs.

commit 6b9df6cae0a8eca72005e14f370807816a704fcf
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date:   Fri May 1 23:38:44 2015 +0200

    Security fixes: X.Org CVE-2015-3418:
    
    v3: backport to 3.5.0.x branch. (Mihai Moldovan)
    
    Adds:
      - 1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
---
 debian/changelog                                   |    3 ++
 ...18-dix-Allow-zero-height-PutImage-re.full.patch |   29 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 3 files changed, 33 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index fbc633d..95d39be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -160,6 +160,9 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low
   * nxcompshad: Prevent underlinking by linking to libNX_Xext.
     Adds:
     - 0650_nxcompshad_link-to-NX_Xext.full.patch
+  * Security fixes:
+    - X.Org CVE-2015-3418:
+      1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
 
  -- X2Go Release Manager <git-admin at x2go.org>  Tue, 17 Mar 2015 19:19:32 +0100
 
diff --git a/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
new file mode 100644
index 0000000..7b6f28c
--- /dev/null
+++ b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
@@ -0,0 +1,29 @@
+commit dba779d9f99ab2fc6bf05c78515dbdd82840cadd
+Author: Keith Packard <keithp at keithp.com>
+Date:   Fri May 1 13:09:24 2015 +0200
+
+    dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).
+
+     The length checking code validates PutImage height and byte width by
+     making sure that byte-width >= INT32_MAX / height. If height is zero,
+     this generates a divide by zero exception. Allow zero height requests
+     explicitly, bypassing the INT32_MAX check.
+
+     Fix for regression introduced by fix for CVE-2014-8092.
+
+     v2: backports to nx-libs 3.6.x (Mike Gabriel)
+     Signed-off-by: Keith Packard <keithp at keithp.com>
+
+diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c
+index 5ad2f5a..ab10640 100644
+--- a/nx-X11/programs/Xserver/dix/dispatch.c
++++ b/nx-X11/programs/Xserver/dix/dispatch.c
+@@ -2071,7 +2071,7 @@ ProcPutImage(register ClientPtr client)
+ 
+     tmpImage = (char *)&stuff[1];
+     lengthProto = length;
+-    if (lengthProto >= (INT32_MAX / stuff->height))
++    if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
+         return BadLength;
+ 
+     if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + 
diff --git a/debian/patches/series b/debian/patches/series
index 2c7d970..763eb05 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -132,5 +132,6 @@
 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch
 1104-xkb-Check-strings-length-against-request-size.full.patch
 1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
+1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
 0016_nx-X11_install-location.debian.patch
 0102_xserver-xext_set-securitypolicy-path.debian.patch

--
Alioth's /srv/git/code.x2go.org/nx-libs.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git


More information about the x2go-commits mailing list