diff options
-rw-r--r-- | debian/changelog | 3 | ||||
-rw-r--r-- | debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch | 29 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 33 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index fbc633d08..95d39bedf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -160,6 +160,9 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low * nxcompshad: Prevent underlinking by linking to libNX_Xext. Adds: - 0650_nxcompshad_link-to-NX_Xext.full.patch + * Security fixes: + - X.Org CVE-2015-3418: + 1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch -- X2Go Release Manager <git-admin@x2go.org> Tue, 17 Mar 2015 19:19:32 +0100 diff --git a/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch new file mode 100644 index 000000000..7b6f28c00 --- /dev/null +++ b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch @@ -0,0 +1,29 @@ +commit dba779d9f99ab2fc6bf05c78515dbdd82840cadd +Author: Keith Packard <keithp@keithp.com> +Date: Fri May 1 13:09:24 2015 +0200 + + dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418). + + The length checking code validates PutImage height and byte width by + making sure that byte-width >= INT32_MAX / height. If height is zero, + this generates a divide by zero exception. Allow zero height requests + explicitly, bypassing the INT32_MAX check. + + Fix for regression introduced by fix for CVE-2014-8092. + + v2: backports to nx-libs 3.6.x (Mike Gabriel) + Signed-off-by: Keith Packard <keithp@keithp.com> + +diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c +index 5ad2f5a..ab10640 100644 +--- a/nx-X11/programs/Xserver/dix/dispatch.c ++++ b/nx-X11/programs/Xserver/dix/dispatch.c +@@ -2071,7 +2071,7 @@ ProcPutImage(register ClientPtr client) + + tmpImage = (char *)&stuff[1]; + lengthProto = length; +- if (lengthProto >= (INT32_MAX / stuff->height)) ++ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; + + if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + diff --git a/debian/patches/series b/debian/patches/series index 2c7d970c7..763eb0547 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -132,5 +132,6 @@ 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch 1104-xkb-Check-strings-length-against-request-size.full.patch 1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch +1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch 0016_nx-X11_install-location.debian.patch 0102_xserver-xext_set-securitypolicy-path.debian.patch |