| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[CVE-2014-8093 5/6]
v2:
Fix constants in __glXMap2fReqSize (Michal Srb)
Validate w/h/d for proxy targets too (Keith Packard)
v3:
Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
v2:
Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
v3: backport to RHEL5 hit old paths
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These are paranoid about integer overflow, and will return -1 if their
operation would overflow a (signed) integer or if either argument is
negative.
Note that RenderLarge requests are sized with a uint32_t so in principle
this could be sketchy there, but dix limits bigreqs to 128M so you
shouldn't ever notice, and honestly if you're sending more than 2G of
rendering commands you're already doing something very wrong.
v2: Use INT_MAX for consistency with the rest of the server (jcristau)
v3: Reject negative arguments (anholt)
v4: RHEL5: add limits.h, use inline
v5: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(v2) [CVE-2014-8093 3/6]
If the computed reply size is negative, something went wrong, treat it
as an error.
v2: Be more careful about size_t being unsigned (Matthieu Herrb)
v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this we'd just clamp the image size to 0, which was just
hideously stupid; if the parameters were such that they'd overflow an
integer, you'd allocate a small buffer, then pass huge values into (say)
ReadPixels, and now you're scribbling over arbitrary server memory.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the size computation routine returns -1 we should just reject the
request outright. Clamping it to zero could give an attacker the
opportunity to also mangle cmdlen in such a way that the subsequent
length check passes, and the request would get executed, thus passing
data we wanted to reject to the renderer.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
v2: backport to RHEL5 - fix swap paths
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
fixup swaps
|
|
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Conflicts:
xfixes/select.c
|
|
|
|
|
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
render/render.c
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Otherwise we may be reading outside of the client request.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Conflicts:
render/render.c
|
|
|
|
|
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
Xext/xvdisp.c
|
|
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Multiple functions in the Xinput extension handling of requests from
clients failed to check that the length of the request sent by the
client was large enough to perform all the required operations and
thus could read or write to memory outside the bounds of the request
buffer.
This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
macro in include/dix.h for the common case of needing to ensure a
request is large enough to include both the request itself and a
minimum amount of extra data following the request header.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
Xi/chgdctl.c
Xi/chgfctl.c
Xi/xiallowev.c
Xi/xichangecursor.c
Xi/xichangehierarchy.c
Xi/xigetclientpointer.c
Xi/xigrabdev.c
Xi/xipassivegrab.c
Xi/xiproperty.c
Xi/xiquerydevice.c
Xi/xiquerypointer.c
Xi/xiselectev.c
Xi/xisetclientpointer.c
Xi/xisetdevfocus.c
Xi/xiwarppointer.c
[RHEL5: Xi/xi* files are XI2 ]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
from a buffer. The length is never validated, which can lead to out of
bound reads, and possibly returning the data read from out of bounds to
the misbehaving client via an X Error packet.
SProcDbeSwapBuffers() swaps data (for correct endianness) before
handing it off to the real proc. While doing the swapping, the
length field is not validated, which can cause memory corruption.
v2: reorder checks to avoid compilers optimizing out checks for overflow
that happen after we'd already have done the overflowing multiplications.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
dbe/dbe.c
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Force use of 64-bit integers when evaluating data provided by clients
in 32-bit fields which can overflow when added or multiplied during
checks.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
RHEL5: add #include <stdint.h> for uint64_t
v3: backport to nx-libs 3.6.x (Mike DePaulo)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RegionSizeof contains several integer overflows if a large length
value is passed in. Once we fix it to return 0 on overflow, we
also have to fix the callers to handle this error condition
v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Conflicts:
dix/region.c
include/regionstr.h
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
os/access.c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
dix/dispatch.c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
authdes_ezdecode() calls malloc() using a length provided by the
connection handshake sent by a newly connected client in order
to authenticate to the server, so should be treated as untrusted.
It didn't check if malloc() failed before writing to the newly
allocated buffer, so could lead to a server crash if the server
fails to allocate memory (up to UINT16_MAX bytes, since the len
field is a CARD16 in the X protocol).
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
os/rpcauth.c
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit d338f81df1e188eb16e1d6aeea7f4800f89c1218
fs_read_list_info() parses a reply from the font server. The reply
contains a number of additional data items with embedded length or
count fields, none of which are validated. This can cause out of
bound reads when looping over these items in the reply.
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 5fa73ac18474be3032ee7af9c6e29deab163ea39
fs_read_list() parses a reply from the font server. The reply
contains a list of strings with embedded length fields, none of
which are validated. This can cause out of bound reads when looping
over the strings in the reply.
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 520683652564c2a4e42328ae23eef9bb63271565
fs_read_glyphs() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated.
This can cause out of bound reads when looping over the glyph
bitmaps in the reply.
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit a3f21421537620fc4e1f844a594a4bcd9f7e2bd8
Looping over the extents in the reply could go past the end of the
reply buffer if the reply indicated more extents than could fit in
the specified reply length.
|
|
|
|
|
|
|
|
| |
commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33
fs_alloc_glyphs() is a malloc wrapper used by the font code.
It contains a classic integer overflow in the malloc() call,
which can cause memory corruption.
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit c578408c1fd4db09e4e3173f8a9e65c81cc187c1
fs_read_extent_info() parses a reply from the font server.
The reply contains a 32bit number of elements field which is used
to calculate a buffer length. There is an integer overflow in this
calculation which can lead to memory corruption.
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f
fs_read_query_info() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated. This
can cause out of bound reads in either fs_read_query_info() or in
_fs_convert_props() which it calls to parse the fsPropInfo in the reply.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 0f1a5d372c143f91a602bdf10c917d7eabaee09b
fs_get_reply() would take any reply size, multiply it by 4 and pass to
_fs_start_read. If that size was bigger than the current reply buffer
size, _fs_start_read would add it to the existing buffer size plus the
buffer size increment constant and realloc the buffer to that result.
This math could overflow, causing the code to allocate a smaller
buffer than the amount it was about to read into that buffer from
the network. It could also succeed, allowing the remote font server
to cause massive allocations in the X server, possibly using up all
the address space in a 32-bit X server, allowing the triggering of
other bugs in code that fails to handle malloc failure properly.
This patch protects against both problems, by disconnecting any
font server trying to feed us more than (the somewhat arbitrary)
64 mb in a single reply.
|
|
|
|
|
|
|
|
| |
from xorg/lib/libXfont commit cbb64aef35960b2882be721f4b8fbaa0fb649d12
Functions to handle replies to font server requests were casting replies
from the generic form to reply specific structs without first checking
that the reply was at least as long as the struct being cast to.
|
|
|
|
| |
Jover). from xorg/lib/libXfont commit bfb8a71f4f7e5c5ed4278cb3ee271bf9990d276d
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d
The connection setup reply from the font server can include a list
of alternate servers to contact if this font server stops working.
The reply specifies a total size of all the font server names, and
then provides a list of names. _fs_recv_conn_setup() allocated the
specified total size for copying the names to, but didn't check to
make sure it wasn't copying more data to that buffer than the size
it had allocated.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc
lexAlias() reads from a file in a loop. It does this by starting with a
64 byte buffer. If that size limit is hit, it does a realloc of the
buffer size << 1, basically doubling the needed length every time the
length limit is hit.
Eventually, this will shift out to 0 (for a length of ~4gig), and that
length will be passed on to realloc(). A length of 0 (with a valid
pointer) causes realloc to free the buffer on most POSIX platforms,
but the caller will still have a pointer to it, leading to use after
free issues.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 2f5e57317339c526e6eaee1010b0e2ab8089c42e
FontFileReadDirectory() opens a fonts.dir file, and reads over every
line in an fscanf loop. For each successful entry read (font name,
file name) a call is made to FontFileAddFontFile().
FontFileAddFontFile() will add a font file entry (for the font name
and file) each time it’s called, by calling FontFileAddEntry().
FontFileAddEntry() will do the actual adding. If the table it has
to add to is full, it will do a realloc, adding 100 more entries
to the table size without checking to see if that will overflow the
int used to store the size.
|
|
|
|
|
|
|
|
| |
bdfReadCharacters() from xorg/lib/libXfont http://lists.x.org/archives/xorg-announce/2014-January/002389.html
Fixes cppcheck warning:
[lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
scanf without field width limits can crash with huge input data.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xorg/Xserver http://lists.x.org/archives/xorg-announce/2013-October/002332.html
Save a pointer to the passed in closure structure before copying it
and overwriting the *c pointer to point to our copy instead of the
original. If we hit an error, once we free(c), reset c to point to
the original structure before jumping to the cleanup code that
references *c.
Since one of the errors being checked for is whether the server was
able to malloc(c->nChars * itemSize), the client can potentially pass
a number of characters chosen to cause the malloc to fail and the
error path to be taken, resulting in the read from freed memory.
Since the memory is accessed almost immediately afterwards, and the
X server is mostly single threaded, the odds of the free memory having
invalid contents are low with most malloc implementations when not using
memory debugging features, but some allocators will definitely overwrite
the memory there, leading to a likely crash.
|
|
|
|
|
|
|
|
| |
commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34
use O_NOFOLLOW to open the existing lock file, so symbolic links
aren't followed, thus avoid revealing if it point to an existing
file.
|
|
|
|
|
|
|
|
| |
d11ee5886e9d9ec610051a206b135a4cdc1e09a0
Specially crafted LZW stream can crash an application using libXfont
that is used to open untrusted font files. With X server, this may
allow privilege escalation when exploited
|
|
|
|
|
|
|
| |
Adapted packaging scripts:
debian/roll-tarballs.sh
nx-libs.spec
|
|
|
|
|
|
|
|
| |
Affected packagings scripts:
debian/roll-tarballs.sh
debian/rules
nx-libs.spec
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation process copies NX wrapper scripts into
$(srcbase)/bin/ before build time.
Those wrapper scripts are now in place natively and need not
to be copied prior to building NX.
Packaging scripts with adaptation:
debian/roll-tarballs.sh
debian/rules
debian/*.docs
nx-libs.spec
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This makes it obsolete to add changes to debian/changelog. We document
our changes in Git (3.6.x branch and other related branches). On
release, we generate an upstream ChangeLog from Git history.
Only on the 3.5.0.x, we continue maintaining our changes in
debian/changelog (to be compliant with current nx-libs release workflow
in X2Go).
The following packaging scripts needed adaptations to this change:
debian/roll-tarballs.sh
debian/rules
nx-libs.spec
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nx*/VERSION and hw/nxagent/VERSION.
This commit removes the debian/VERSION file at makes it now unnecessary to
copy/symlink the VERSION file at build time. These build scripts got adapted:
debian/roll-tarballs.sh
debian/rules
nx-libs.spec
Furthermore, all NX component now use the main VERSION file as reference.
typechange: nxcomp/VERSION
typechange: nxcompext/VERSION
typechange: nxcompshad/VERSION
typechange: nxproxy/VERSION
|
|
|
|
|
|
|
|
| |
packaging these scripts:
debian/roll-tarballs.sh
debian/rules
nx-libs.spec
|
|
|
|
| |
e91277d02bf1288909daed3b0de8f876f6403acf.
|
|
|
|
| |
d4d3fe0e6e77a58e68defc5895a589a681d7d092.
|
| |
|
| |
|
|
|
|
| |
This reverts commit 4436e97903aa6e2a7732fb98dcb46758a73fe130.
|
|
|
|
|
|
|
|
|
|
| |
NoMachine kept all original X.Org 6.9 files in the nx-X11 source
tree. These files have been removed in Feb 2015 during a major
code cleanup.
For later studying we provide all diffs of the changes that
NoMachine employed on the original X.Org X11 code tree in the
doc/nx-X11_vs_XOrg69_patches folder.
|
|
|
|
|
|
|
|
|
|
| |
(999_nxagent_unbrand-nxagent-brand-x2goagent.full.patch).
When launched with NX Agent flavour, the startup screen gets unbranded by
this patch (the !M logo does not get shown).
When launched with X2Go Agent flavour, the startup screen gets branded
with the X2GO logo.
|
|
|
|
|
|
| |
Former patch file names:
991_fix-hr-typos.full+lite.patch
991_fix-hr-typos.full.patch
|