diff options
| author | Mihai Moldovan <ionic@ionic.de> | 2015-02-16 09:35:47 +0100 |
|---|---|---|
| committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-16 10:04:20 +0100 |
| commit | ae898ff13b4782239a152b43125aa1fc0b80ba3d (patch) | |
| tree | 71a2caafcc254779ebdd9d0ba0a21934487b3ca6 /debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch | |
| parent | f74f59d2f3962b227753d5eb0ecc1af82f41dbbc (diff) | |
| download | nx-libs-ae898ff13b4782239a152b43125aa1fc0b80ba3d.tar.gz nx-libs-ae898ff13b4782239a152b43125aa1fc0b80ba3d.tar.bz2 nx-libs-ae898ff13b4782239a152b43125aa1fc0b80ba3d.zip | |
CVE security review [1/2].
* CVE security review [1/2]:
- Update 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch.
Use xfree() instead of free() in nx-libs.
- Update 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch.
Apply correctly on nx-libs 3.6.x.
- Update 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch.
Human-readable version of "1 MB".
Diffstat (limited to 'debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch')
| -rw-r--r-- | debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch b/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch index 619794f7e..1d880399f 100644 --- a/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch +++ b/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch @@ -1,4 +1,4 @@ -From d4c76981f7fddb364166464c571ed8d3de3086cd Mon Sep 17 00:00:00 2001 +From b6b5b14e4190048fadbfbcf063d873d318127e81 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith <alan.coopersmith@oracle.com> Date: Mon, 6 Jan 2014 23:30:14 -0800 Subject: [PATCH 20/40] dix: integer overflow in GetHosts() [CVE-2014-8092 2/4] @@ -14,6 +14,7 @@ This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane. v2: backport to nx-libs 3.6.x (Mike DePaulo) +v3: human-readable version of "1 MB" (Mihai Moldovan) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> @@ -25,7 +26,7 @@ Conflicts: 1 file changed, 6 insertions(+) diff --git a/nx-X11/programs/Xserver/os/access.c b/nx-X11/programs/Xserver/os/access.c -index b6a70a7..0e9d138 100644 +index b6a70a7..532a2f8 100644 --- a/nx-X11/programs/Xserver/os/access.c +++ b/nx-X11/programs/Xserver/os/access.c @@ -1719,6 +1719,10 @@ GetHosts ( @@ -34,7 +35,7 @@ index b6a70a7..0e9d138 100644 n += (((host->len + 3) >> 2) << 2) + sizeof(xHostEntry); + /* Could check for INT_MAX, but in reality having more than 1mb of + hostnames in the access list is ridiculous */ -+ if (n >= 1048576) ++ if (n >= 1024*1024) + break; } if (n) |