diff options
| -rw-r--r-- | README.md | 11 | ||||
| -rw-r--r-- | debian/changelog | 67 | ||||
| -rw-r--r-- | nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c | 4 | ||||
| -rw-r--r-- | nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c | 5 | ||||
| -rw-r--r-- | nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c | 20 |
5 files changed, 101 insertions, 6 deletions
@@ -44,7 +44,11 @@ Release goals (phase 1) for nx-libs release series 3.6.0.x: * replace as many liNX_X* libraries by X.org's libX* libraries (work in progress) * support for iOS (nxproxy, complete) - +* Unix file socket communication for nxproxy -C <-> nxproxy -S connections + (todo) +* allow Unix file sockets as channel endpoints (work in progress) +* allow embedding of nxproxy into other windows + ## Release series 3.7.0.x Scheduled for Q1/2016. @@ -52,16 +56,13 @@ Scheduled for Q1/2016. Release goals (phase 2) for nx-libs release series 3.7.0.x (not branched-off, yet): * provide support for latest X11 extensions -* socket communication for nxproxy -C <-> nxproxy -S connections - (todo) * event FIFO sockets for attaching external applications (todo) -* allow embedding of nxproxy into other windows * support for multimedia If you have any questions about this NX development or want to file a bug report, please contact the Arctica developers, the X2Go developers or the TheQVD developers via the project's Github issue tracker. -thanks+light+love, 20150515 +thanks+light+love, 20150531 Mike Gabriel <mike.gabriel@das-netzwerkteam.de> diff --git a/debian/changelog b/debian/changelog index e664e5b0f..0d56a4b96 100644 --- a/debian/changelog +++ b/debian/changelog @@ -157,6 +157,48 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low * debian/control: workaround missing dependencies of nxagent on Ubuntu for now. * debian/libnx-xinerama1.*: fix faulty logic when creating symlinks. + Backported from Arctica GH 3.6.x branch. + * Security fixes: + - X.Org CVE-2014-8100: + v3: port to NXrender.c rather than render.c (Mike DePaulo) + v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Changes: + + 1027-render-check-request-size-before-reading-it-CVE.full.patch + * Security fixes: + - X.Org CVE-2014-8100: + v3: port to NXrender.c rather than render.c (Mike DePaulo) + v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Changes: + + 1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch + * nxcomp/Misc.cpp: fix build failure introduced in + a27a8aae3ca7a3f70e05152ac3d347942e11159d. + Backported from Arctica GH 3.6.x branch. + Affects: + - 9900-dxpc-license-history.full+lite.patch + * Security fixes: + - X.Org CVE-2013-4396: + v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo) + v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan) + Changes: + + 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch + * Security fixes: + - X.Org CVE-2014-8092: + v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) + v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Changes: + + 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch + * Security fixes: + - X.Org CVE-2015-3418: + v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) + v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Changes: + + 1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch + * Security fixes: + - X.Org CVE-2014-8099: + v3: port to NXxvdisp.c rather than xvdisp.c (Mike DePaulo) + v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Changes: + + 1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch [ Bernard Cafarelli ] * nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'. @@ -175,6 +217,31 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low * nxcompshad: Prevent underlinking by linking to libNX_Xext. Adds: - 0650_nxcompshad_link-to-NX_Xext.full.patch + * Security fixes: + - X.Org CVE-2015-3418: + 1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch + * debian/roll-tarball.sh: + + Make sure *.keyboard, debian/**, nx-libs.spec, .pc/** don't end up + in tarball (special focus on the nx-libs-lite tarball). + + Allow patch files names having a dash next to the four digits (i.e., + 1234-<patchname>.<suffix>). + + Support tarring up the HEAD of the current branch. + * debian/COPYING.full+lite: + + Replace content with GPL-2 license text, because that is the overall + (i.e., strictest) license we have to deal with in nx-libs. + * Add 9900-dxpc-license-history.full+lite.patch. Document license history of + DXPC (where nxcomp got forked from). + Backported from Arctica GH 3.6.x branch. + * nxcomp/README.on-retroactive-DXPC-license: Some layout and + interpunctuation fixes. + Backported from Arctica GH 3.6.x branch. + Affects: + - 9900-dxpc-license-history.full+lite.patch + + [ Nito Martinez ] + * nxcomp: fix DEBUG, TEST, DUMP, FLUSH, TOKEN, PING, MIXED et al builds. + Adds: + - 0992_fix-DEBUG-TEST-DUMP-FLUSH-TOKEN-PING-et-al-builds.full+lite.patch -- X2Go Release Manager <git-admin@x2go.org> Tue, 17 Mar 2015 19:19:32 +0100 diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c index 3d9ee8c7f..0ed7277a1 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c @@ -2618,7 +2618,9 @@ ProcPutImage(register ClientPtr client) tmpImage = (char *)&stuff[1]; lengthProto = length; - + if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; + if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + (sizeof(xPutImageReq) >> 2)) != client->req_len) return BadLength; diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c index 922443633..5622f8cee 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c @@ -1694,6 +1694,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) GC *pGC; unsigned char *data; ITclosurePtr new_closure; + ITclosurePtr old_closure; /* We're putting the client to sleep. We need to save some state. Similar problem to that handled @@ -1706,6 +1707,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) err = BadAlloc; goto bail; } + old_closure = c; *new_closure = *c; c = new_closure; @@ -1713,6 +1715,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) if (!data) { xfree(c); + c = old_closure; err = BadAlloc; goto bail; } @@ -1724,6 +1727,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) { xfree(c->data); xfree(c); + c = old_closure; err = BadAlloc; goto bail; } @@ -1742,6 +1746,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) FreeScratchGC(pGC); xfree(c->data); xfree(c); + c = old_closure; err = BadAlloc; goto bail; } diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c b/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c index b8543f7a6..cfce34463 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c @@ -1423,6 +1423,7 @@ SProcXvQueryExtension(ClientPtr client) { register char n; REQUEST(xvQueryExtensionReq); + REQUEST_SIZE_MATCH(xvQueryExtensionReq); swaps(&stuff->length, n); return ProcXvQueryExtension(client); } @@ -1432,6 +1433,7 @@ SProcXvQueryAdaptors(ClientPtr client) { register char n; REQUEST(xvQueryAdaptorsReq); + REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); swaps(&stuff->length, n); swapl(&stuff->window, n); return ProcXvQueryAdaptors(client); @@ -1442,6 +1444,7 @@ SProcXvQueryEncodings(ClientPtr client) { register char n; REQUEST(xvQueryEncodingsReq); + REQUEST_SIZE_MATCH(xvQueryEncodingsReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvQueryEncodings(client); @@ -1452,6 +1455,7 @@ SProcXvGrabPort(ClientPtr client) { register char n; REQUEST(xvGrabPortReq); + REQUEST_SIZE_MATCH(xvGrabPortReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->time, n); @@ -1463,6 +1467,7 @@ SProcXvUngrabPort(ClientPtr client) { register char n; REQUEST(xvUngrabPortReq); + REQUEST_SIZE_MATCH(xvUngrabPortReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->time, n); @@ -1474,6 +1479,7 @@ SProcXvPutVideo(ClientPtr client) { register char n; REQUEST(xvPutVideoReq); + REQUEST_SIZE_MATCH(xvPutVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1494,6 +1500,7 @@ SProcXvPutStill(ClientPtr client) { register char n; REQUEST(xvPutStillReq); + REQUEST_SIZE_MATCH(xvPutStillReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1514,6 +1521,7 @@ SProcXvGetVideo(ClientPtr client) { register char n; REQUEST(xvGetVideoReq); + REQUEST_SIZE_MATCH(xvGetVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1534,6 +1542,7 @@ SProcXvGetStill(ClientPtr client) { register char n; REQUEST(xvGetStillReq); + REQUEST_SIZE_MATCH(xvGetStillReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1554,6 +1563,7 @@ SProcXvPutImage(ClientPtr client) { register char n; REQUEST(xvPutImageReq); + REQUEST_AT_LEAST_SIZE(xvPutImageReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1578,6 +1588,7 @@ SProcXvShmPutImage(ClientPtr client) { register char n; REQUEST(xvShmPutImageReq); + REQUEST_SIZE_MATCH(xvShmPutImageReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1605,6 +1616,7 @@ SProcXvSelectVideoNotify(ClientPtr client) { register char n; REQUEST(xvSelectVideoNotifyReq); + REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); swaps(&stuff->length, n); swapl(&stuff->drawable, n); return ProcXvSelectVideoNotify(client); @@ -1615,6 +1627,7 @@ SProcXvSelectPortNotify(ClientPtr client) { register char n; REQUEST(xvSelectPortNotifyReq); + REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvSelectPortNotify(client); @@ -1625,6 +1638,7 @@ SProcXvStopVideo(ClientPtr client) { register char n; REQUEST(xvStopVideoReq); + REQUEST_SIZE_MATCH(xvStopVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1636,6 +1650,7 @@ SProcXvSetPortAttribute(ClientPtr client) { register char n; REQUEST(xvSetPortAttributeReq); + REQUEST_SIZE_MATCH(xvSetPortAttributeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->attribute, n); @@ -1647,6 +1662,7 @@ SProcXvGetPortAttribute(ClientPtr client) { register char n; REQUEST(xvGetPortAttributeReq); + REQUEST_SIZE_MATCH(xvGetPortAttributeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->attribute, n); @@ -1658,6 +1674,7 @@ SProcXvQueryBestSize(ClientPtr client) { register char n; REQUEST(xvQueryBestSizeReq); + REQUEST_SIZE_MATCH(xvQueryBestSizeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swaps(&stuff->vid_w, n); @@ -1672,6 +1689,7 @@ SProcXvQueryPortAttributes(ClientPtr client) { register char n; REQUEST(xvQueryPortAttributesReq); + REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvQueryPortAttributes(client); @@ -1682,6 +1700,7 @@ SProcXvQueryImageAttributes(ClientPtr client) { register char n; REQUEST(xvQueryImageAttributesReq); + REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); swaps(&stuff->length, n); swapl(&stuff->id, n); swaps(&stuff->width, n); @@ -1694,6 +1713,7 @@ SProcXvListImageFormats(ClientPtr client) { register char n; REQUEST(xvListImageFormatsReq); + REQUEST_SIZE_MATCH(xvListImageFormatsReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvListImageFormats(client); |