diff options
| author | Mihai Moldovan <ionic@ionic.de> | 2015-06-02 18:27:15 +0200 |
|---|---|---|
| committer | Mihai Moldovan <ionic@ionic.de> | 2015-06-02 20:22:15 +0200 |
| commit | e5ff9ace4c2b5a4e04b771c2ec417ceba63218cf (patch) | |
| tree | 781f39c6d60c442ed159ae13a341c98e95b88fd0 | |
| parent | 125254d35483d0e645f935b27d3ba8cf52786a36 (diff) | |
| download | nx-libs-e5ff9ace4c2b5a4e04b771c2ec417ceba63218cf.tar.gz nx-libs-e5ff9ace4c2b5a4e04b771c2ec417ceba63218cf.tar.bz2 nx-libs-e5ff9ace4c2b5a4e04b771c2ec417ceba63218cf.zip | |
Security fixes: X.Org CVE-2015-3418:
v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)
Changes:
- 1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
| -rw-r--r-- | debian/changelog | 6 | ||||
| -rw-r--r-- | debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch | 16 |
2 files changed, 20 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog index 4d03fc415..3201670e6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -175,6 +175,12 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: + 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch + * Security fixes: + - X.Org CVE-2015-3418: + v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) + v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Changes: + + 1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch [ Bernard Cafarelli ] * nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'. diff --git a/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch index 7b6f28c00..8fc777eda 100644 --- a/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch +++ b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch @@ -12,10 +12,11 @@ Date: Fri May 1 13:09:24 2015 +0200 Fix for regression introduced by fix for CVE-2014-8092. v2: backports to nx-libs 3.6.x (Mike Gabriel) + v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) + v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Signed-off-by: Keith Packard <keithp@keithp.com> -diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c -index 5ad2f5a..ab10640 100644 --- a/nx-X11/programs/Xserver/dix/dispatch.c +++ b/nx-X11/programs/Xserver/dix/dispatch.c @@ -2071,7 +2071,7 @@ ProcPutImage(register ClientPtr client) @@ -27,3 +28,14 @@ index 5ad2f5a..ab10640 100644 return BadLength; if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + +--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c ++++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c +@@ -2630,7 +2630,7 @@ ProcPutImage(register ClientPtr client) + + tmpImage = (char *)&stuff[1]; + lengthProto = length; +- if (lengthProto >= (INT32_MAX / stuff->height)) ++ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; + + if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + |