aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* debian/changelog: fix wrong signature.Mihai Moldovan2015-03-151-1/+1
|
* debian/changelog: merge with 3.5.0.x release branch.Mihai Moldovan2015-03-151-4/+43
|
* README.md: Fix typo, update date.Mike Gabriel2015-03-131-2/+2
|
* README.md markdown fixupMike Gabriel2015-03-131-15/+16
|
* README.md: Add 3.6.x release goals.Mike Gabriel2015-03-131-0/+12
|
* Makefile: clean-up auto-generated nxversion.def in clean rule (not in build ↵Mike Gabriel2015-03-051-3/+5
| | | | rule).
* nx-X11/**: Drop non-imake Makefile* files.Mike Gabriel2015-03-047-951/+0
|
* nx-X11/config/cf/X11.tmpl: Fix imake warning ("UseInstalledOnCrossCompile" ↵Mike Gabriel2015-03-041-0/+2
| | | | is not defined).
* Merge pull request #4 from sunweaver/feature/libxpm-cleanupMike Gabriel2015-03-0441-9722/+26
|\ | | | | | | | | | | | | | | | | | | | | | | library clean-up: Don't build libNX_Xpm anymore. Use system's libXpm shared library. One release goal for version 3.6.x of nx-libs is dropping as many bundled libraries as possible that haven't been adapted to nx-libs. Starting with libNX_Xpm here. The libNX_Xpm library is only referenced once (nx-X11/programs/Xserver/hw/nxagent/Holder.c). When grepping through Xserver/hw/nxagent the suspicion comes up, that the libXpm linkage is not needed at all, because none of the provided functions are used inside the nxagent Xserver.
| * library clean-up: Don't build libNX_Xpm anymore. Use system's libXpm shared ↵Mike Gabriel2015-03-0341-9722/+26
|/ | | | library.
* Drop unused .cvsignore filesMike DePaulo2015-02-183-73/+0
|
* Update changelog for the CVE-2015-0255 commit and its 3 prereq commitsMike DePaulo2015-02-181-0/+8
|
* Fix symlink to renamed README.md.Mike Gabriel2015-02-181-1/+1
|
* README.md: Mention the TheQVD project as collaborator on NX.Mike Gabriel2015-02-181-2/+6
|
* rename README.txt to README.mdMike Gabriel2015-02-181-0/+0
|
* switch symlink and real fileMike Gabriel2015-02-182-33/+33
|
* Add README.txt symlink to README.NX-development (to have it shown on the ↵Mike Gabriel2015-02-181-0/+1
| | | | Github summary page).
* xkb: Check strings length against request sizeOlivier Fourdan2015-02-171-25/+41
| | | | | | | | | | | | | | | Ensure that the given strings length in an XkbSetGeometry request remain within the limits of the size of the request. v3: backport to nx-libs 3.6.x because this is the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43) (cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1) Signed-off-by: Julien Cristau <jcristau@debian.org>
* xkb: Don't swap XkbSetGeometry data in the input bufferOlivier Fourdan2015-02-171-16/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | The XkbSetGeometry request embeds data which needs to be swapped when the server and the client have different endianess. _XkbSetGeometry() invokes functions that swap these data directly in the input buffer. However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once (if there is more than one keyboard), thus causing on swapped clients the same data to be swapped twice in memory, further causing a server crash because the strings lengths on the second time are way off bounds. To allow _XkbSetGeometry() to run reliably more than once with swapped clients, do not swap the data in the buffer, use variables instead. v3: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd) (cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945) Signed-off-by: Julien Cristau <jcristau@debian.org> index 2405090..7db0959 100644
* include: introduce byte counting functions.Peter Hutterer2015-02-171-0/+30
| | | | | | | | | | | | | | | | | | | | This patch adds the following three functions: bits_to_bytes(bits) - the number of bytes needed to hold 'bits' bytes_to_int32(bytes) - the number of 4-byte units to hold 'bytes' pad_to_int32(bytes) - the closest multiple of 4 equal to or larger than 'bytes'. All three operations are common in protocol processing and currently the server has ((foo + 7)/8 + 3)/4 operations all over the place. A common set of functions reduce the error rate of these (albeit simple) calculations and improve readability of the code. The functions do not check for overflow. v2: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
* Coverity #844, #845, #846: Fix memory leaks.Daniel Stone2015-02-171-3/+19
| | | | | v2: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo)
* Merge pull request #3 from sunweaver/feature/nxagent-version-v2Mike Gabriel2015-02-178-6/+93
|\ | | | | Make nxagent aware of its NX'ish version string (and number).
| * Make nxagent process aware of its current NX'ish version.Mike Gabriel2015-02-177-5/+93
| | | | | | | | | | | | | | | | | | | | | | This feature copies the way how X.Org version string and number are propagated at build time. First use case: if people start nxagent, it reports its version number on stderr. This is about being human-friendly. Second use case: None, so far. But it will now be easy to use the NXAGENT_VERSION_STRING in later feature add-ons.
| * nx-X11/programs/Xserver/hw/nxagent/: Drop unused VERSION file.Mike Gabriel2015-02-161-1/+0
|/
* Do proper input validation to fix for CVE-2011-2895.Joerg Sonnenberger2015-02-161-14/+17
| | | | | | | | | | | | It ensures that all valid input can be decompressed, checks that the overflow conditions doesn't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason. It's derived from a change in libarchive from 2004. v2: backports to nx-libs 3.6.x (Mihai Moldovan) v3: fix comment lines starting with "+" + whitespace fixes (Mike Gabriel) Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Tomas Hoger <thoger@redhat.com>
* Revert "Do proper input validation to fix for CVE-2011-2895."Mike Gabriel2015-02-161-17/+14
| | | | This reverts commit 6acafc9334828da22446380c81af81bde14b5d86.
* fix 3.5.0.29 changelog entryMike Gabriel2015-02-161-12/+12
|
* debian/changelog: fix too-long linesMike Gabriel2015-02-161-6/+6
|
* Makefile.nx-libs: Fix uninstall-lite rule. The nxproxy and nxcomp ↵Mike Gabriel2015-02-162-5/+11
| | | | uninstallation has to be in uninstall-lite, not in uninstall-full.
* Make install-lite rule in Makefile.nx-libs more predictable and not rely on ↵Mike Gabriel2015-02-162-5/+12
| | | | nxproxy/Makefile.in.
* Install "%{_libdir}/nx/bin" into nxproxy package.Mike Gabriel2015-02-162-0/+3
|
* nx-libs.spec: Typo fix in comment.Mike Gabriel2015-02-161-1/+1
|
* Fix FTBFS due to the nxproxy executable already existing under ↵Mike DePaulo2015-02-162-4/+67
| | | | | | | /usr/lib/nx/bin/nx Conflicts (resolved by Mike Gabriel): debian/changelog
* Do proper input validation to fix for CVE-2011-2895.Joerg Sonnenberger2015-02-161-14/+17
| | | | | | | | | | | It ensures that all valid input can be decompressed, checks that the overflow conditions doesn't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason. It's derived from a change in libarchive from 2004. v2: backports to nx-libs 3.6.x (Mihai Moldovan) Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Tomas Hoger <thoger@redhat.com>
* nx-X11/lib/font/fc/fserve.c: initialize remaining bufleft variables.Mihai Moldovan2015-02-161-2/+2
|
* dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]Alan Coopersmith2015-02-161-0/+6
| | | | | | | | | | | | | | | | | | | | | GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory. This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: human-readable version of "1 MB" (Mihai Moldovan) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/access.c
* Revert "dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]"Mihai Moldovan2015-02-161-6/+0
| | | | This reverts commit d4c76981f7fddb364166464c571ed8d3de3086cd.
* CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from ↵Mike DePaulo2015-02-161-3/+18
| | | | | | | | | | | | | | | xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d The connection setup reply from the font server can include a list of alternate servers to contact if this font server stops working. The reply specifies a total size of all the font server names, and then provides a list of names. _fs_recv_conn_setup() allocated the specified total size for copying the names to, but didn't check to make sure it wasn't copying more data to that buffer than the size it had allocated. v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan)
* Revert "CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from ↵Mihai Moldovan2015-02-161-18/+3
| | | | | | xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d" This reverts commit 94c6de0649cd295044b1e4ff7265949c9c787519.
* CVE-2014-0210: unvalidated length fields in fs_read_query_info() from ↵Mike DePaulo2015-02-162-8/+54
| | | | | | | | | | | xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f fs_read_query_info() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads in either fs_read_query_info() or in _fs_convert_props() which it calls to parse the fsPropInfo in the reply. v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan)
* Revert "CVE-2014-0210: unvalidated length fields in fs_read_query_info() ↵Mihai Moldovan2015-02-162-52/+7
| | | | | | from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f" This reverts commit c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7.
* glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] (V3)Adam Jackson2015-02-144-107/+121
| | | | | | | | | | | | | | | | v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) v3: RHEL5 backport v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8] (v3)Adam Jackson2015-02-142-46/+71
| | | | | | | | | | | | | | | | | | | | | This is a half-measure until we start passing request length into the varsize function, but it's better than the nothing we had before. v2: Verify that there's at least a large render header's worth of dataBytes (Julien Cristau) v3: backport to RHEL5 v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> fixup swap
* glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]Adam Jackson2015-02-144-20/+52
| | | | | | | | | | | | | | | | | | | | | | v2: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) v3: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> fix safe_Add
* glx: Top-level length checking for swapped VendorPrivate requests ↵Adam Jackson2015-02-141-0/+4
| | | | | | | | | | | | | | | [CVE-2014-8098 4/8] v2: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Integer overflow protection for non-generated render requests (v3) ↵Adam Jackson2015-02-141-31/+37
| | | | | | | | | | | | | | | | | | | | | [CVE-2014-8093 5/6] v2: Fix constants in __glXMap2fReqSize (Michal Srb) Validate w/h/d for proxy targets too (Keith Packard) v3: Fix Map[12]Size to correctly reject order == 0 (Julien Cristau) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8] (v3)Julien Cristau2015-02-142-20/+20
| | | | | | | | | | | | | | | | | v2: Remove can't-happen comparison for cmdlen < 0 (Michal Srb) v3: backport to RHEL5 hit old paths v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6] (v4)Adam Jackson2015-02-141-0/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | These are paranoid about integer overflow, and will return -1 if their operation would overflow a (signed) integer or if either argument is negative. Note that RenderLarge requests are sized with a uint32_t so in principle this could be sketchy there, but dix limits bigreqs to 128M so you shouldn't ever notice, and honestly if you're sending more than 2G of rendering commands you're already doing something very wrong. v2: Use INT_MAX for consistency with the rest of the server (jcristau) v3: Reject negative arguments (anholt) v4: RHEL5: add limits.h, use inline v5: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER ↵Adam Jackson2015-02-141-1/+2
| | | | | | | | | | | | | | | | | | | (v2) [CVE-2014-8093 3/6] If the computed reply size is negative, something went wrong, treat it as an error. v2: Be more careful about size_t being unsigned (Matthieu Herrb) v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]Adam Jackson2015-02-142-14/+14
| | | | | | | | | | | | | | | | | | Before this we'd just clamp the image size to 0, which was just hideously stupid; if the parameters were such that they'd overflow an integer, you'd allocate a small buffer, then pass huge values into (say) ReadPixels, and now you're scribbling over arbitrary server memory. v2: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>