aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]Alan Coopersmith2015-05-301-1/+3
| | | | | | | | | | | | | | | | | | | ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: dix/dispatch.c
* Avoid use-after-free in dix/dixfonts.c: doImageText() [CVE-2013-4396] from ↵Mike DePaulo2015-05-301-0/+5
| | | | | | | | | | | | | | | | | | | | | | | xorg/Xserver http://lists.x.org/archives/xorg-announce/2013-October/002332.html Save a pointer to the passed in closure structure before copying it and overwriting the *c pointer to point to our copy instead of the original. If we hit an error, once we free(c), reset c to point to the original structure before jumping to the cleanup code that references *c. Since one of the errors being checked for is whether the server was able to malloc(c->nChars * itemSize), the client can potentially pass a number of characters chosen to cause the malloc to fail and the error path to be taken, resulting in the read from freed memory. Since the memory is accessed almost immediately afterwards, and the X server is mostly single threaded, the odds of the free memory having invalid contents are low with most malloc implementations when not using memory debugging features, but some allocators will definitely overwrite the memory there, leading to a likely crash. v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo)
* nxcomp/README.on-retroactive-DXPC-license: Some layout and interpunctuation ↵Mike Gabriel2015-05-291-1/+1
| | | | fixes.
* nxcomp/Misc.cpp: fix build failure introduced in ↵Mihai Moldovan2015-05-281-3/+3
| | | | 1f44331574bdbe4069d13e4c26df18094b49e658.
* Merge branch 'sunweaver-pr/DXPC-re-license-retroactively' into arctica-3.6.xMihai Moldovan2015-05-264-6/+4097
|\ | | | | | | Attributes GH PR #31: https://github.com/ArcticaProject/nx-libs/pull/31
| * Document retroactive re-licensing of the original DXPC code (closes #30).Mike Gabriel2015-05-264-6/+4097
| | | | | | | | | | | | | | | | | | | | | | * Update nxcomp/LICENSE. * Add nxcomp/README.on-retroactive-DXPC-license, giving a short overview of the flow of discussions * Add "modified or unmodified" to the license information printed out to stdout in nxcomp/Misc.cpp * Fix copyright year (2006->2003) for Gian Filippo Pinzari (and move him to the GPL-2 section). * Add the complete .mbox file of Debian bug #748565.
* | Merge pull request #36 from ArcticaProject/pr/render-cve-fixesMike Gabriel2015-05-261-2/+18
|\ \ | |/ |/| XRender CVE fixes for nxagent (X.Org CVE-2014-8100)
| * render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]pr/render-cve-fixesAlan Coopersmith2015-05-241-1/+16
| | | | | | | | | | | | | | | | | | | | | | v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXrender.c rather than render.c (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: render/render.c
| * render: check request size before reading it [CVE-2014-8100 1/2]Julien Cristau2015-05-241-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Otherwise we may be reading outside of the client request. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXrender.c rather than render.c (Mike DePaulo) Signed-off-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Conflicts: render/render.c
* | Merge branch 'sunweaver-pr/libxrandr-cleanup' into arctica-3.6.xMihai Moldovan2015-05-2529-2893/+32
|\ \ | | | | | | | | | Attributes GH PR #21: https://github.com/ArcticaProject/nx-libs/pull/21
| * | hw/nxagent clean-up: Drop NXrandr.{c|h} client lib copy-of-code from nxagent ↵Mike Gabriel2015-05-204-1033/+3
| | | | | | | | | | | | hardware driver.
| * | library clean-up: Don't build libNX_Xrandr anymore. Use system's libXrandr ↵Mike Gabriel2015-05-2025-1860/+29
| | | | | | | | | | | | shared library.
* | | README.md: replace simple link with a text link, capitalization.Mihai Moldovan2015-05-221-1/+1
| | |
* | | Merge branch 'nitomartinez-qindel-readme' into arctica-3.6.xMihai Moldovan2015-05-221-1/+1
|\ \ \ | |/ / |/| | | | | Attributes GH PR #34: https://github.com/ArcticaProject/nx-libs/pull/34
| * | Update the Qindel Company name (Qindel is without u ;-))Nito Martinez2015-05-211-1/+1
| | |
* | | README.md: mark the iOS support for nxproxy/nxcomp as completed.Mike Gabriel2015-05-161-1/+1
| | |
* | | Merge pull request #26 from nitomartinez/fix_developer_debuggingMike Gabriel2015-05-163-3/+3
|\ \ \ | | | | | | | | This patch is some code fixes to allow developer debuging by using TEST macros in the NX code
| * | | This patch is some code fixes to debug some debuging macro usage in the NX code.Nito Martinez2015-05-153-3/+3
| |/ / | | | | | | | | | Particularly the following macros have been tested -DTEST -DDEBUG -DDUMP -DFLUSH -DTOKEN -DSPLIT -DPING -DMIXED -DMATCH -DTIME
* | | Merge pull request #25 from nitomartinez/nxtranscleanup_for_reconnectMike Gabriel2015-05-163-0/+36
|\ \ \ | | | | | | | | This patch allows to cleanup the nxcomp resources to allow for a seco…
| * | | This patch allows to cleanup the nxcomp resources to allow for a second ↵Nito Martinez2015-05-153-0/+36
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | connection inside the same process, instead of a new process as is the nxproxy case. This involves creating a new API call void NXTransCleanupForReconnect(void); which basically cleans up the global state for the connection but does not exit the process. Background ========== This is needed for the IOS platform, where the nxproxy model of forking does not work. Also NX handles most of the errors with an "exit" call which in IOS cannot be easily handled.
* | | README.md: reword a few sections, whitespace fixes.Mihai Moldovan2015-05-151-8/+7
| | |
* | | README.md: grammar fixMike Gabriel2015-05-151-1/+1
| | |
* | | README.md: phase 2 release series will be 3.7.0.xMike Gabriel2015-05-151-2/+2
| | |
* | | update README.md with newest plans for nx-libs 3.6.xMike Gabriel2015-05-151-11/+30
| |/ |/|
* | Merge branch 'sunweaver-pr/libxdamage-cleanup' into arctica-3.6.xMihai Moldovan2015-05-1228-1061/+28
|\ \ | | | | | | | | | Attributes GH PR #18: https://github.com/ArcticaProject/nx-libs/pull/18
| * | debian/changelog: merge with master branch.Mihai Moldovan2015-05-121-0/+2
| | |
| * | debian/changelog: add entry for last change.Mihai Moldovan2015-05-121-0/+1
| | |
| * | debian/libnx-xinerama1.*: fix faulty logic when creating symlinks.Mihai Moldovan2015-05-121-3/+3
| | |
| * | library clean-up: Don't build libNX_Xdamage anymore. Use system's libXdamage ↵Mike Gabriel2015-05-0128-1061/+28
| | | | | | | | | | | | shared library. (Fixes ArcticaProject/nx-libs#6, X2GoBTS#826).
* | | debian/changelog: merge with master branch.Mihai Moldovan2015-05-051-0/+2
| | |
* | | debian/changelog: add entry for last change.Mihai Moldovan2015-05-051-0/+1
| | |
* | | debian/libnx-xinerama1.*: fix faulty logic when creating symlinks.Mihai Moldovan2015-05-051-3/+3
| | |
* | | Merge pull request #20 from sunweaver/pr/fix-CVE-2015-3418Mike DePaulo2015-05-011-1/+1
|\| | | | | | | | dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).
| * | dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).Keith Packard2015-05-011-1/+1
|/ / | | | | | | | | | | | | | | | | | | | | | | The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check. Fix for regression introduced by fix for CVE-2014-8092. v2: backports to nx-libs 3.6.x (Mike Gabriel) Signed-off-by: Keith Packard <keithp@keithp.com>
* | debian/changelog: sync with 3.5.0.x branch.Mihai Moldovan2015-04-301-0/+2
| |
* | nx-libs.spec: actually create libXinerama.so.1 symlink during build phase.Mihai Moldovan2015-04-301-0/+1
| |
* | debian/changelog: correctly sync with 3.5.0.x branch. Add latest entries.Mihai Moldovan2015-04-301-50/+57
| |
* | debian/libnx-xinerama1.*: move Xinerama dir back to nx-x11-common. Only ↵Mihai Moldovan2015-04-303-8/+14
| | | | | | | | delete known files. Fixes RPM build failures.
* | Merge pull request #19 from ↵Mike Gabriel2015-04-293-29/+36
|\ \ | | | | | | | | | | | | ArcticaProject/PR-ionic/libXinerama_symlink_to_libnx-xinerama1 debian/libnx-xinerama1.*: also create libXinerama symlink in libnx-xinerama1.postinst (and remove in libxinerama1.prerm).
| * | libnx-xinerama1: also create libXinerama symlink in postinst (and remove in ↵Mihai Moldovan2015-04-293-29/+36
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | prerm.) Due to the nx-x11-common package being a noarch/allarch package, creating the symlink in nx-libs' Makefile will lead to the symlink referencing the "default" architecture dpkg uses for building noarch/allarch packages. Incidentally, this worked fine for Debian, as amd64 seems to be the default architecture. On Ubuntu, however, the default architecture up to Vivid (15.04) was i386. For those builds, the symlink pointed to the 32 bit library of libNX_Xinerama.so.1 -- essentially breaking this feature. Move the symlink creation to the arch-sensitive libnx-xinerama1 package. The postinst and prerm scriptlets will work fine, unless someone installs the i386 package version *after* the amd64 version. Given that we already create symlinks to libNX_X11 and friends using that method, no new regression is introduced. Strictly speaking that's a bug, but we'll hopefully clean that up later...
* | Merge branch 'sunweaver-pr/imake-cleanup-nonpresent-buildlogic' into ↵Mihai Moldovan2015-04-2824-2685/+122
|\ \ | | | | | | | | | | | | | | | arctica-3.6.x Attributes GH PR #17: https://github.com/ArcticaProject/nx-libs/pull/17
| * | imake cleanup: Drop references to X11 build-logic that is not present in nx-X11.Mike Gabriel2015-04-2820-2679/+24
| | |
| * | imake cleanup: Break up multiple vars into invidual lines to ease further ↵Mike Gabriel2015-04-287-36/+128
|/ / | | | | | | work on patches / pull requests.
* | COPYING: Add Arctica Project to copyright holders.Mike Gabriel2015-04-271-0/+1
| |
* | debian/changelog: merge with 3.5.0.x branch.Mihai Moldovan2015-04-271-0/+134
| |
* | README.keystrokes: remove accidentally copied Dokuwiki syntax.Mihai Moldovan2015-04-271-1/+1
| |
* | etc/keystrokes.cfg: fix whitespace errors.Mihai Moldovan2015-04-271-16/+16
| |
* | README.keystrokes: add documentation for branding behavior.Mihai Moldovan2015-04-271-2/+10
| |
* | README.keystrokes: copy actions documentation from the wiki.Mihai Moldovan2015-04-271-0/+11
| |
* | debian/roll-tarballs.sh: don't escape last newline of a multiline command.Mihai Moldovan2015-04-261-1/+1
| | | | | | | | | | Worked out fine so far, because the next line was empty, but this can easily change...