authorMihai Moldovan <ionic@ionic.de>2015-06-02 17:59:28 +0200
committerMihai Moldovan <ionic@ionic.de>2015-06-02 19:48:40 +0200
commit4fb35326a190f95f262bf9ea2e27de1ff81bda25 (patch)
treedc0475238b0d8a766be9c97492f1f022497ad869
parent86937b86cbc9a00734d1a77140e557db2218225e (diff)
Security fixes: X.Org CVE-2013-4396:
v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo)
v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan)
Changes:
- 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch
-rw-r--r--debian/changelog6
-rw-r--r--debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch51
2 files changed, 52 insertions, 5 deletions
diff --git a/debian/changelog b/debian/changelog
index cb4fb7f13..d02711295 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -163,6 +163,12 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low
Backported from Arctica GH 3.6.x branch.
Affects:
- 9900-dxpc-license-history.full+lite.patch
+ * Security fixes:
+ - X.Org CVE-2013-4396:
+ v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo)
+ v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan)
+ Changes:
+ + 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch
[ Bernard Cafarelli ]
* nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'.
diff --git a/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch
index 8cb1d0d7b..b7d63f6d4 100644
--- a/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch
+++ b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch
@@ -21,12 +21,14 @@ X server is mostly single threaded, the odds of the free memory having
invalid contents are low with most malloc implementations when not using
memory debugging features, but some allocators will definitely overwrite
the memory there, leading to a likely crash.
+
+v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo)
+v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan)
+
---
nx-X11/programs/Xserver/dix/dixfonts.c | 5 +++++
1 file changed, 5 insertions(+)
-diff --git a/nx-X11/programs/Xserver/dix/dixfonts.c b/nx-X11/programs/Xserver/dix/dixfonts.c
-index 193f555..42fd647 100644
--- a/nx-X11/programs/Xserver/dix/dixfonts.c
+++ b/nx-X11/programs/Xserver/dix/dixfonts.c
@@ -1559,6 +1559,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
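Review bot: The embedded diffstat kept as context in this hunk (`nx-X11/programs/Xserver/dix/dixfonts.c | 5 +++++`, `1 file changed, 5 insertions(+)`) no longer describes the patch, because the next hunk appends a second section for `hw/nxagent/NXdixfonts.c`. The added v2 line says the fix is applied to NXdixfonts.c "rather than" dixfonts.c, yet as far as the visible context shows the dixfonts.c section stays in the patch, so both files are changed. Anyone auditing which builds carry the CVE-2013-4396 fix will read the header first, so I would list both files in the diffstat and word the note as `v2: Also apply to NXdixfonts.c (Mike DePaulo)`. The same "rather than" wording is repeated in the debian/changelog entry.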
@@ -69,6 +71,45 @@ index 193f555..42fd647 100644
err = BadAlloc;
goto bail;
}
---
-2.1.4
-
+--- a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c
++++ b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c
+@@ -1711,6 +1711,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state. Similar problem to that handled
+@@ -1723,6 +1724,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+@@ -1730,6 +1732,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ if (!data)
+ {
+ xfree(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1741,6 +1744,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ {
+ xfree(c->data);
+ xfree(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1759,6 +1763,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ FreeScratchGC(pGC);
+ xfree(c->data);
+ xfree(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
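Review bot: The restore `c = old_closure;` is repeated by hand after `xfree(c)` on each of the three failure paths in the NXdixfonts.c section, and nothing in the code says why it is there. A later error path that frees `c` and jumps to `bail` without the restore would bring back the dangling pointer this patch removes. I would document the invariant at the save site, e.g. `old_closure = c; /* c is freed on the error paths below; restore it before goto bail */`. The `bail:` label and the rest of doImageText lie outside these hunks, so the premise that `bail` still reads `c`, and does not free the restored closure when the client has not slept, should be confirmed against the full function. Any divergence from the upstream X.Org change is best recorded in the patch header so the backport stays comparable.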