[X2Go-Dev] [X2Go-Commits] [nx-libs] 13/52: LZW decompress: fix for CVE-2011-2895 From xorg/lib/Xfont commit d11ee5886e9d9ec610051a206b135a4cdc1e09a0
Michael DePaulo
mikedep333 at gmail.com
Sun Feb 15 21:15:07 CET 2015
On Sun, Feb 15, 2015 at 3:01 PM, Michael DePaulo <mikedep333 at gmail.com> wrote:
> On Sun, Feb 15, 2015 at 2:11 PM, Mihai Moldovan <ionic at ionic.de> wrote:
>> On 14.02.2015 05:47 PM, git-admin at x2go.org wrote:
>>> This is an automated email from the git hooks/post-receive script.
>>>
>>> x2go pushed a commit to branch 3.6.x
>>> in repository nx-libs.
>>>
>>> commit af55da1e9c1a6a352b24823a8f7062c288ffbbc0
>>> Author: Mike DePaulo <mikedep333 at gmail.com>
>>> Date: Sun Feb 8 19:15:20 2015 -0500
>>>
>>> LZW decompress: fix for CVE-2011-2895 From xorg/lib/Xfont commit d11ee5886e9d9ec610051a206b135a4cdc1e09a0
>>>
>>> Specially crafted LZW stream can crash an application using libXfont
>>> that is used to open untrusted font files. With X server, this may
>>> allow privilege escalation when exploited
>>> ---
>>> nx-X11/lib/font/fontfile/decompress.c | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c
>>> index a4c5468..553b315 100644
>>> --- a/nx-X11/lib/font/fontfile/decompress.c
>>> +++ b/nx-X11/lib/font/fontfile/decompress.c
>>> @@ -261,6 +261,8 @@ BufCompressedFill (BufFilePtr f)
>>> */
>>> while ( code >= 256 )
>>> {
>>> + if (stackp - de_stack >= STACK_SIZE - 1)
>>> + return BUFFILEEOF;
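Review bot: the new guard at the top of the `while ( code >= 256 )` loop has no comment explaining its bound. Please say why the limit is `STACK_SIZE - 1` rather than `STACK_SIZE`, and that the check exists to keep `stackp` from running past the end of `de_stack` on a crafted LZW stream. The guard also returns `BUFFILEEOF`, so a caller cannot tell a malformed stream from a normal end of file. If a distinct error return is available to `BufCompressedFill`, prefer it; otherwise note in the comment that corrupt input is deliberately reported as EOF.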
>> Personally, I would have written that as
>> if ((stackp - de_stack) >= (STACK_SIZE - 1))
>>
>> But that's my personal style and I like to over-parenthesize.
> Both the upstream commit and the RHEL5 patch have it written this way,
> but I agree that your style is better.
>
> http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0
>
> ftp://ftp.redhat.com/redhat/linux/enterprise/5Server/en/os/SRPMS/libXfont-1.2.2-1.0.6.el5_11.src.rpm
> (cve-2011-2895.patch)
On a related note, upstream has this follow-up commit:
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=bd48ad11fd11412c62c3ac8ed5d52c4f10a985aa
It was not backported to RHEL5 though.