NXv3 (redistributed) https://cgit.arctica-project.org/nx-libs/atom?h=pr%2Frender-cleanup 2015-04-28T03:09:09+00:00 2015-04-28T03:09:09+00:00 Mike Gabriel mike.gabriel@das-netzwerkteam.de 2015-04-21T22:37:47+00:00 urn:sha1:662a89545f3e953a47f176cf64e574350643d446 2015-04-22T04:22:37+00:00 Mike Gabriel mike.gabriel@das-netzwerkteam.de 2015-04-14T07:24:55+00:00 urn:sha1:70b77a0fc329e2e205a596a738c7307d354e7b1c 2015-04-04T08:59:50+00:00 Mike Gabriel mike.gabriel@das-netzwerkteam.de 2015-03-04T12:29:02+00:00 urn:sha1:f5f280417cb0af489406c8c3234e4ad69b008c74 2015-02-16T04:58:21+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2014-01-07T07:30:14+00:00 urn:sha1:b6b5b14e4190048fadbfbcf063d873d318127e81 GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory. This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: human-readable version of "1 MB" (Mihai Moldovan) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/access.c 2015-02-16T04:55:23+00:00 Mihai Moldovan ionic@ionic.de 2015-02-16T04:55:23+00:00 urn:sha1:03a2922d9cc17af26bd91d4a471061c54db50789 This reverts commit d4c76981f7fddb364166464c571ed8d3de3086cd. 2015-02-14T15:14:31+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2014-01-07T07:30:14+00:00 urn:sha1:d4c76981f7fddb364166464c571ed8d3de3086cd GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory. This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane. v2: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/access.c 2015-02-14T15:14:31+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2014-01-18T02:54:03+00:00 urn:sha1:37e7fb1f64b29ef06ec4d69ab0b7afa99c613383 authdes_ezdecode() calls malloc() using a length provided by the connection handshake sent by a newly connected client in order to authenticate to the server, so should be treated as untrusted. It didn't check if malloc() failed before writing to the newly allocated buffer, so could lead to a server crash if the server fails to allocate memory (up to UINT16_MAX bytes, since the len field is a CARD16 in the X protocol). Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/rpcauth.c 2015-02-14T15:14:31+00:00 Mike DePaulo mikedep333@gmail.com 2015-02-09T00:16:38+00:00 urn:sha1:df4a3b7270539843ae76275485ca76efcdf361d9 use O_NOFOLLOW to open the existing lock file, so symbolic links aren't followed, thus avoid revealing if it point to an existing file. 2015-02-13T12:57:39+00:00 Oleksandr Shneyder oleksandr.shneyder@obviously-nice.de 2015-02-13T12:57:39+00:00 urn:sha1:1fd8551f1632efbc2655c9293087bba08cf2f0c9 When launched with NX Agent flavour, the startup screen gets unbranded by this patch (the !M logo does not get shown). When launched with X2Go Agent flavour, the startup screen gets branded with the X2GO logo. 2015-02-13T12:32:17+00:00 Orion Poplawski orion@cora.nwra.com 2015-02-13T12:32:17+00:00 urn:sha1:415b20b6fbf562d4132fca90a00b6c32d94040ed The Fedora review of NX (redistributed) caught the following rpmlint issue: This executable is calling setuid and setgid without setgroups or initgroups. There is a high probability this mean it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem. Ref POS36-C: https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges This patch adds initgroups() calls to the code to initialize the supplemental group list.