aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/changelog7
-rw-r--r--debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch14
-rw-r--r--debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch34
-rw-r--r--debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch7
-rw-r--r--debian/patches/1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch35
-rw-r--r--debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch109
6 files changed, 182 insertions, 24 deletions
diff --git a/debian/changelog b/debian/changelog
index efe018cf4..4f6833df2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -197,6 +197,13 @@ nx-libs (2:3.5.0.29-0x2go2) UNRELEASED; urgency=medium
[ Mihai Moldovan ]
* Change string "X2go" to "X2Go" where appropriate.
+ * CVE security review:
+ - Update 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch.
+ Use xfree() instead of free() in nx-libs.
+ - Update 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch.
+ Apply correctly on nx-libs 3.6.x.
+ - Update 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch.
+ Human-readable version of "1 MB".
-- Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Thu, 13 Nov 2014 21:59:00 +0100
diff --git a/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch b/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
index b71627214..2b2fa76c8 100644
--- a/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
+++ b/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
@@ -1,4 +1,4 @@
-From 94c6de0649cd295044b1e4ff7265949c9c787519 Mon Sep 17 00:00:00 2001
+From 31322c2bd9be76493a5a04a23ea68e063fe3b7e6 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 21:03:33 -0500
Subject: [PATCH 07/40] CVE-2014-0210: unvalidated length in
@@ -13,15 +13,17 @@ then provides a list of names. _fs_recv_conn_setup() allocated the
specified total size for copying the names to, but didn't check to
make sure it wasn't copying more data to that buffer than the size
it had allocated.
+
+v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan)
---
nx-X11/lib/font/fc/fserve.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
-index bac0b8e..0fdcc1d 100644
+index 0d792c7..86b5753 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
-@@ -2782,7 +2782,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
+@@ -2985,7 +2985,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
int ret;
fsConnSetup *setup;
FSFpeAltPtr alts;
@@ -30,7 +32,7 @@ index bac0b8e..0fdcc1d 100644
int setup_len;
char *alt_save, *alt_names;
-@@ -2809,9 +2809,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
+@@ -3012,9 +3012,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
}
if (setup->num_alternates)
{
@@ -42,7 +44,7 @@ index bac0b8e..0fdcc1d 100644
if (alts)
{
alt_names = (char *) (setup + 1);
-@@ -2820,10 +2820,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
+@@ -3023,10 +3023,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
{
alts[i].subset = alt_names[0];
alt_len = alt_names[1];
@@ -57,7 +59,7 @@ index bac0b8e..0fdcc1d 100644
+ "invalid alt list (length %lx >= %lx)\n",
+ (long) alt_len, (long) alt_name_len);
+#endif
-+ free(alts);
++ xfree(alts);
+ return FSIO_ERROR;
+ }
alts[i].name = alt_save;
diff --git a/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch b/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
index 96b7b9749..9d0f3f875 100644
--- a/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
+++ b/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
@@ -1,4 +1,4 @@
-From c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7 Mon Sep 17 00:00:00 2001
+From e29bbd5bf0565eaf7c02f85a57b87f66531fa6b3 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 22:08:09 -0500
Subject: [PATCH 11/40] CVE-2014-0210: unvalidated length fields in
@@ -9,13 +9,15 @@ fs_read_query_info() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated. This
can cause out of bound reads in either fs_read_query_info() or in
_fs_convert_props() which it calls to parse the fsPropInfo in the reply.
+
+v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan)
---
nx-X11/lib/font/fc/fsconvert.c | 19 ++++++++++++++-----
- nx-X11/lib/font/fc/fserve.c | 40 ++++++++++++++++++++++++++++++++++++++--
- 2 files changed, 52 insertions(+), 7 deletions(-)
+ nx-X11/lib/font/fc/fserve.c | 43 +++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 54 insertions(+), 8 deletions(-)
diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
-index 9ff54f5..d41e0b8 100644
+index 9a5e194..afa2c32 100644
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -123,6 +123,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
@@ -56,18 +58,18 @@ index 9ff54f5..d41e0b8 100644
}
off_adr += SIZEOF(fsPropOffset);
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
-index 7762653..2a6f6c9 100644
+index 9e652d2..75cabdd 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
-@@ -865,6 +865,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -866,6 +866,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
FSFpePtr conn = (FSFpePtr) fpe->private;
fsQueryXInfoReply *rep;
char *buf;
-+ long bufleft; /* length of reply left to use */
++ long bufleft = 0; /* length of reply left to use */
fsPropInfo *pi;
fsPropOffset *po;
pointer pd;
-@@ -895,7 +896,10 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -896,7 +897,10 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
buf = (char *) rep;
buf += SIZEOF(fsQueryXInfoReply);
@@ -79,7 +81,7 @@ index 7762653..2a6f6c9 100644
/* move the data over */
fsUnpack_XFontInfoHeader(rep, pInfo);
-@@ -903,19 +907,51 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -904,19 +908,52 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
_fs_init_fontinfo(conn, pInfo);
/* Compute offsets into the reply */
@@ -94,22 +96,24 @@ index 7762653..2a6f6c9 100644
+ }
pi = (fsPropInfo *) buf;
buf += SIZEOF (fsPropInfo);
-+ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
-
-+ if (bufleft < pi->data_len)
+-
++ bufleft -= SIZEOF (fsPropInfo);
++
++ if ((bufleft / SIZEOF (fsPropOffset)) < pi->num_offsets)
+ {
+ ret = -1;
+#ifdef DEBUG
+ fprintf(stderr,
-+ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
-+ bufleft, pi->data_len);
++ "fsQueryXInfo: (bufleft / SIZEOF (fsPropOffset)) (%ld) < pi->num_offsets (%d)\n",
++ bufleft / SIZEOF (fsPropOffset), pi->num_offsets);
+#endif
+ goto bail;
+ }
po = (fsPropOffset *) buf;
buf += pi->num_offsets * SIZEOF(fsPropOffset);
-+ bufleft -= pi->data_len;
++ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
++ if (bufleft < pi->data_len)
+ {
+ ret = -1;
+#ifdef DEBUG
diff --git a/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch b/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
index 619794f7e..1d880399f 100644
--- a/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
+++ b/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
@@ -1,4 +1,4 @@
-From d4c76981f7fddb364166464c571ed8d3de3086cd Mon Sep 17 00:00:00 2001
+From b6b5b14e4190048fadbfbcf063d873d318127e81 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon, 6 Jan 2014 23:30:14 -0800
Subject: [PATCH 20/40] dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
@@ -14,6 +14,7 @@ This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
+v3: human-readable version of "1 MB" (Mihai Moldovan)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
@@ -25,7 +26,7 @@ Conflicts:
1 file changed, 6 insertions(+)
diff --git a/nx-X11/programs/Xserver/os/access.c b/nx-X11/programs/Xserver/os/access.c
-index b6a70a7..0e9d138 100644
+index b6a70a7..532a2f8 100644
--- a/nx-X11/programs/Xserver/os/access.c
+++ b/nx-X11/programs/Xserver/os/access.c
@@ -1719,6 +1719,10 @@ GetHosts (
@@ -34,7 +35,7 @@ index b6a70a7..0e9d138 100644
n += (((host->len + 3) >> 2) << 2) + sizeof(xHostEntry);
+ /* Could check for INT_MAX, but in reality having more than 1mb of
+ hostnames in the access list is ridiculous */
-+ if (n >= 1048576)
++ if (n >= 1024*1024)
+ break;
}
if (n)
diff --git a/debian/patches/1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch b/debian/patches/1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch
new file mode 100644
index 000000000..4203bf674
--- /dev/null
+++ b/debian/patches/1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch
@@ -0,0 +1,35 @@
+From b04f11915e29d9563d279e1326f61b50ea414dba Mon Sep 17 00:00:00 2001
+From: Mihai Moldovan <ionic@ionic.de>
+Date: Mon, 16 Feb 2015 06:03:48 +0100
+Subject: [PATCH 07/15] nx-X11/lib/font/fc/fserve.c: initialize remaining
+ bufleft variables.
+
+---
+ nx-X11/lib/font/fc/fserve.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index 86b5753..6bbb8c2 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -1917,7 +1917,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ FontInfoPtr pfi = &pfont->info;
+ fsQueryXBitmaps16Reply *rep;
+ char *buf;
+- long bufleft; /* length of reply left to use */
++ long bufleft = 0; /* length of reply left to use */
+ fsOffset32 *ppbits;
+ fsOffset32 local_off;
+ char *off_adr;
+@@ -2501,7 +2501,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data;
+ fsListFontsWithXInfoReply *rep;
+ char *buf;
+- long bufleft;
++ long bufleft = 0;
+ FSFpePtr conn = (FSFpePtr) fpe->private;
+ fsPropInfo *pi;
+ fsPropOffset *po;
+--
+2.1.4
+
diff --git a/debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch b/debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch
new file mode 100644
index 000000000..9e5d00e98
--- /dev/null
+++ b/debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch
@@ -0,0 +1,109 @@
+From 6acafc9334828da22446380c81af81bde14b5d86 Mon Sep 17 00:00:00 2001
+From: Joerg Sonnenberger <joerg@britannica.bec.de>
+Date: Sun, 21 Aug 2011 18:51:53 +0200
+Subject: [PATCH 08/15] Do proper input validation to fix for CVE-2011-2895.
+
+It ensures that all valid input can be decompressed, checks that the
+overflow conditions doesn't happen and generally tightens the
+validation of the LZW stream and doesn't pessimize the inner loop for
+no good reason. It's derived from a change in libarchive from 2004.
+
+v2: backports to nx-libs 3.6.x (Mihai Moldovan)
+Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
+Reviewed-by: Tomas Hoger <thoger@redhat.com>
+---
+ nx-X11/lib/font/fontfile/decompress.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c
+index 553b315..12b9f0a 100644
+--- a/nx-X11/lib/font/fontfile/decompress.c
++++ b/nx-X11/lib/font/fontfile/decompress.c
+@@ -99,7 +99,7 @@ static char_type magic_header[] = { "\037\235" }; /* 1F 9D */
+ #define FIRST 257 /* first free entry */
+ #define CLEAR 256 /* table clear output code */
+
+-#define STACK_SIZE 8192
++#define STACK_SIZE 65300
+
+ typedef struct _compressedFILE {
+ BufFilePtr file;
+@@ -180,14 +180,12 @@ BufFilePushCompressed (BufFilePtr f)
+ file->tab_suffix[code] = (char_type) code;
+ }
+ file->free_ent = ((file->block_compress) ? FIRST : 256 );
++ file->oldcode = -1;
+ file->clear_flg = 0;
+ file->offset = 0;
+ file->size = 0;
+ file->stackp = file->de_stack;
+ bzero(file->buf, BITS);
+- file->finchar = file->oldcode = getcode (file);
+- if (file->oldcode != -1)
+- *file->stackp++ = file->finchar;
+ return BufFileCreate ((char *) file,
+ BufCompressedFill,
+ 0,
+@@ -232,9 +230,6 @@ BufCompressedFill (BufFilePtr f)
+ if (buf == bufend)
+ break;
+
+- if (oldcode == -1)
+- break;
+-
+ code = getcode (file);
+ if (code == -1)
+ break;
+@@ -243,26 +238,34 @@ BufCompressedFill (BufFilePtr f)
+ for ( code = 255; code >= 0; code-- )
+ file->tab_prefix[code] = 0;
+ file->clear_flg = 1;
+- file->free_ent = FIRST - 1;
+- if ( (code = getcode (file)) == -1 ) /* O, untimely death! */
+- break;
++ file->free_ent = FIRST;
++ oldcode = -1;
++ continue;
+ }
+ incode = code;
+ /*
+ * Special case for KwKwK string.
+ */
+ if ( code >= file->free_ent ) {
++ if ( code > file->free_ent || oldcode == -1 ) {
++ /* Bad stream. */
++ return BUFFILEEOF;
++ }
+ *stackp++ = finchar;
+ code = oldcode;
+ }
+-
+++ /*
+++ * The above condition ensures that code < free_ent.
+++ * The construction of tab_prefixof in turn guarantees that
+++ * each iteration decreases code and therefore stack usage is
+++ * bound by 1 << BITS - 256.
+++ */
++
+ /*
+ * Generate output characters in reverse order
+ */
+ while ( code >= 256 )
+ {
+- if (stackp - de_stack >= STACK_SIZE - 1)
+- return BUFFILEEOF;
+ *stackp++ = file->tab_suffix[code];
+ code = file->tab_prefix[code];
+ }
+@@ -272,7 +275,7 @@ BufCompressedFill (BufFilePtr f)
+ /*
+ * Generate the new entry.
+ */
+- if ( (code=file->free_ent) < file->maxmaxcode ) {
++ if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) {
+ file->tab_prefix[code] = (unsigned short)oldcode;
+ file->tab_suffix[code] = finchar;
+ file->free_ent = code+1;
+--
+2.1.4
+