aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-04-26 21:51:23 +0200
committerMihai Moldovan <ionic@ionic.de>2015-04-26 21:51:23 +0200
commit79a4ed92dbae5089d3ddfcc0acec427ff057ad9b (patch)
tree70da3dc1d957df972f5dbef5eab9b4185e812b08
parentca36175735d4ad5d389b3b7797391ff36b1854ba (diff)
downloadnx-libs-79a4ed92dbae5089d3ddfcc0acec427ff057ad9b.tar.gz
nx-libs-79a4ed92dbae5089d3ddfcc0acec427ff057ad9b.tar.bz2
nx-libs-79a4ed92dbae5089d3ddfcc0acec427ff057ad9b.zip
Security fixes: X.Org CVE-2013-7439:
v2: backport to 3.5.0.x branch. (Mihai Moldovan) Adds: - 1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
-rw-r--r--debian/changelog5
-rw-r--r--debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch77
-rw-r--r--debian/patches/series1
3 files changed, 83 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 0534c5e91..079b2decb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -25,6 +25,11 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low
Adds:
- 0630_nx-X11_fix-underlinking-dlopen-dlsym.full.patch
+ [ Mike Gabriel ]
+ * Security fixes:
+ - X.Org CVE-2013-7439:
+ 1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
+
-- X2Go Release Manager <git-admin@x2go.org> Tue, 17 Mar 2015 19:19:32 +0100
nx-libs (2:3.5.0.31-0x2go1) unstable; urgency=low
diff --git a/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch b/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
new file mode 100644
index 000000000..6613d80d2
--- /dev/null
+++ b/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
@@ -0,0 +1,77 @@
+commit ac9fbaabd6bdbca6dd1d94fa385aea41fdebf2c1
+Author: Karl Tomlinson <xmail@karlt.net>
+Date: Wed Apr 15 10:16:18 2015 +0200
+
+ MakeBigReq: don't move the last word, already handled by Data32 (X.Org CVE-2013-7439).
+
+ MakeBigReq inserts a length field after the first 4 bytes of the request
+ (after req->length), pushing everything else back by 4 bytes.
+
+ The current memmove moves everything but the first 4 bytes back. If a
+ request aligns to the end of the buffer pointer when MakeBigReq is
+ invoked for that request, this runs over the buffer. Instead, we need to
+ memmove minus the first 4 bytes (which aren't moved), minus the last 4
+ bytes (so we still align to the previous tail).
+
+ The 4 bytes that fell out are already handled with Data32, which will
+ handle the buffermax correctly.
+
+ The case where req->length = 1 was already not functional.
+
+ Reported by Abhishek Arya <inferno@chromium.org> (against X.Org BTS).
+
+ https://bugzilla.mozilla.org/show_bug.cgi?id=803762
+
+ Reviewed-by: Jeff Muizelaar <jmuizelaar@mozilla.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Rebased-for-NX: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+
+--- a/nx-X11/lib/X11/Xlibint.h
++++ b/nx-X11/lib/X11/Xlibint.h
+@@ -561,6 +561,14 @@ extern LockInfoPtr _Xglobal_lock;
+ dpy->request++
+ #endif
+
++/*
++ * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32
++ * length, after req->length, before the data in the request. The new length
++ * includes the "n" extra 32-bit words.
++ *
++ * Do not use MakeBigReq if there is no data already in the request.
++ * req->length must already be >= 2.
++ */
+ #ifdef WORD64
+ #define MakeBigReq(req,n) \
+ { \
+@@ -580,7 +588,7 @@ extern LockInfoPtr _Xglobal_lock;
+ CARD32 _BRlen = req->length - 1; \
+ req->length = 0; \
+ _BRdat = ((CARD32 *)req)[_BRlen]; \
+- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
++ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
+ ((CARD32 *)req)[1] = _BRlen + n + 2; \
+ Data32(dpy, &_BRdat, 4); \
+ }
+@@ -591,13 +599,20 @@ extern LockInfoPtr _Xglobal_lock;
+ CARD32 _BRlen = req->length - 1; \
+ req->length = 0; \
+ _BRdat = ((CARD32 *)req)[_BRlen]; \
+- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
++ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
+ ((CARD32 *)req)[1] = _BRlen + n + 2; \
+ Data32(dpy, &_BRdat, 4); \
+ }
+ #endif
+ #endif
+
++/*
++ * SetReqLen increases the count of 32-bit words in the request by "n",
++ * or by "badlen" if "n" is too large.
++ *
++ * Do not use SetReqLen if "req" does not already have data after the
++ * xReq header. req->length must already be >= 2.
++ */
+ #define SetReqLen(req,n,badlen) \
+ if ((req->length + n) > (unsigned)65535) { \
+ if (dpy->bigreq_size) { \
diff --git a/debian/patches/series b/debian/patches/series
index f0870d926..2856cbe9b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -129,5 +129,6 @@
1102-include-introduce-byte-counting-functions.patch
1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
1104-xkb-Check-strings-length-against-request-size.patch
+1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
0016_nx-X11_install-location.debian.patch
0102_xserver-xext_set-securitypolicy-path.debian.patch