| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(v2) [CVE-2014-8093 3/6]
If the computed reply size is negative, something went wrong, treat it
as an error.
v2: Be more careful about size_t being unsigned (Matthieu Herrb)
v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this we'd just clamp the image size to 0, which was just
hideously stupid; if the parameters were such that they'd overflow an
integer, you'd allocate a small buffer, then pass huge values into (say)
ReadPixels, and now you're scribbling over arbitrary server memory.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the size computation routine returns -1 we should just reject the
request outright. Clamping it to zero could give an attacker the
opportunity to also mangle cmdlen in such a way that the subsequent
length check passes, and the request would get executed, thus passing
data we wanted to reject to the renderer.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
v2: backport to RHEL5 - fix swap paths
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
fixup swaps
|
|
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Conflicts:
xfixes/select.c
|
|
|
|
|
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
render/render.c
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Otherwise we may be reading outside of the client request.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Conflicts:
render/render.c
|
|
|
|
|
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
Xext/xvdisp.c
|
|
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Multiple functions in the Xinput extension handling of requests from
clients failed to check that the length of the request sent by the
client was large enough to perform all the required operations and
thus could read or write to memory outside the bounds of the request
buffer.
This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
macro in include/dix.h for the common case of needing to ensure a
request is large enough to include both the request itself and a
minimum amount of extra data following the request header.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
Xi/chgdctl.c
Xi/chgfctl.c
Xi/xiallowev.c
Xi/xichangecursor.c
Xi/xichangehierarchy.c
Xi/xigetclientpointer.c
Xi/xigrabdev.c
Xi/xipassivegrab.c
Xi/xiproperty.c
Xi/xiquerydevice.c
Xi/xiquerypointer.c
Xi/xiselectev.c
Xi/xisetclientpointer.c
Xi/xisetdevfocus.c
Xi/xiwarppointer.c
[RHEL5: Xi/xi* files are XI2 ]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
from a buffer. The length is never validated, which can lead to out of
bound reads, and possibly returning the data read from out of bounds to
the misbehaving client via an X Error packet.
SProcDbeSwapBuffers() swaps data (for correct endianness) before
handing it off to the real proc. While doing the swapping, the
length field is not validated, which can cause memory corruption.
v2: reorder checks to avoid compilers optimizing out checks for overflow
that happen after we'd already have done the overflowing multiplications.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
dbe/dbe.c
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Force use of 64-bit integers when evaluating data provided by clients
in 32-bit fields which can overflow when added or multiplied during
checks.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
RHEL5: add #include <stdint.h> for uint64_t
v3: backport to nx-libs 3.6.x (Mike DePaulo)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RegionSizeof contains several integer overflows if a large length
value is passed in. Once we fix it to return 0 on overflow, we
also have to fix the callers to handle this error condition
v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Conflicts:
dix/region.c
include/regionstr.h
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
os/access.c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
dix/dispatch.c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
authdes_ezdecode() calls malloc() using a length provided by the
connection handshake sent by a newly connected client in order
to authenticate to the server, so should be treated as untrusted.
It didn't check if malloc() failed before writing to the newly
allocated buffer, so could lead to a server crash if the server
fails to allocate memory (up to UINT16_MAX bytes, since the len
field is a CARD16 in the X protocol).
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
os/rpcauth.c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xorg/Xserver http://lists.x.org/archives/xorg-announce/2013-October/002332.html
Save a pointer to the passed in closure structure before copying it
and overwriting the *c pointer to point to our copy instead of the
original. If we hit an error, once we free(c), reset c to point to
the original structure before jumping to the cleanup code that
references *c.
Since one of the errors being checked for is whether the server was
able to malloc(c->nChars * itemSize), the client can potentially pass
a number of characters chosen to cause the malloc to fail and the
error path to be taken, resulting in the read from freed memory.
Since the memory is accessed almost immediately afterwards, and the
X server is mostly single threaded, the odds of the free memory having
invalid contents are low with most malloc implementations when not using
memory debugging features, but some allocators will definitely overwrite
the memory there, leading to a likely crash.
|
|
|
|
|
|
|
|
| |
commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34
use O_NOFOLLOW to open the existing lock file, so symbolic links
aren't followed, thus avoid revealing if it point to an existing
file.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nx*/VERSION and hw/nxagent/VERSION.
This commit removes the debian/VERSION file at makes it now unnecessary to
copy/symlink the VERSION file at build time. These build scripts got adapted:
debian/roll-tarballs.sh
debian/rules
nx-libs.spec
Furthermore, all NX component now use the main VERSION file as reference.
typechange: nxcomp/VERSION
typechange: nxcompext/VERSION
typechange: nxcompshad/VERSION
typechange: nxproxy/VERSION
|
|
|
|
|
|
|
|
|
|
| |
(999_nxagent_unbrand-nxagent-brand-x2goagent.full.patch).
When launched with NX Agent flavour, the startup screen gets unbranded by
this patch (the !M logo does not get shown).
When launched with X2Go Agent flavour, the startup screen gets branded
with the X2GO logo.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(990_fix-DEBUG-and-TEST-builds.full.patch).
(1) In nx-X11/programs/Xserver/dix:
Fix several compile errors when specifying -DDEBUG globally. Previous GCC
versions were more liberal and the code thus compiled.
Also initialize/reset a count variable correctly.
(2) In nx-X11/programs/Xserver/hw/nxagent/Render.c:
Check for pSrc->pDrawable to exist instead of having nxagent segfault when
it does not.
This enables the possibility of compiling all nxagent modules in TEST mode.
|
|
|
|
| |
(606_nx-X11_build-on-aarch64.full.patch).
|
|
|
|
| |
(603_nx-X11_compilation_warnings.full.patch).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
relinquishing privileges (602_nx-X11_initgroups.full.patch).
The Fedora review of NX (redistributed) caught the following rpmlint issue:
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this mean it didn't relinquish all groups, and this
would be a potential security issue to be fixed. Seek POS36-C on the web for
details about the problem.
Ref POS36-C:
https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges
This patch adds initgroups() calls to the code to initialize the supplemental group list.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(600_nx-X11+nxcompext+nxcompshad_unique-libnames.full.patch).
We really want to make use of rpm's automatic dependency finding.
Binaries are scanned for DT_NEEDED entries, the latter of which are
then used for populating the "Requires"-type deps. The "nxagent"
binary for example would require libX11.so.6. That incurs problems:
1. A package manager told to install nxagent could select xorg-x11
rather than nx-libs, even though nxagent depends on the NX version.
2. A package manager told to install $some_program could select nx-libs
rather than xorg-x11 (since both provide libX11.so.6), but, since
the NX library is in an obscure directory, running $some_program
would fail as libX11.so.6 is not found.
To solve this, give the NX libraries unique names different from the
Xorg ones.
|
|
|
|
| |
(321_nxagent_x2go-specific-keystroke-config.full.patch).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(320_nxagent_configurable-keystrokes.full.patch).
Replaces the hardcoded nxagent keybindings by a configurable
table of keybindings. The default configuration is the same as the
original one, to maintain compatibility. A user/administrator can either
specify a command line parameter, environment variable or place a file
in ~/.nx/config/keystrokes.cfg or /etc/nxagent/keystrokes.cfg to reconfigure
these keybindings.
The configuration file format is XML, a dependency on libxml2 is added
to allow parsing the configuration.
|
|
|
|
|
|
|
|
| |
(302_nx-X11_xkbbasedir-detection.full.patch).
In recent (as of 2014/06) X.org release, the keymap.dir file
has become obsolete. Let's test for the xkb/rules/base file
instead.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many distributions have a policy to reduce code duplications.
One means to avoid such duplications is to use shared libraries
instead of using libs that are ofter shipped for convenience.
Fedora:
http://fedoraproject.org/wiki/Packaging:Guidelines#Shared_Libraries
Debian (Section 10.7.4 of Debian policy):
http://www.debian.org/doc/debian-policy/ch-files.html
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the binary name of the agent either NXAgent
or X2GoAgent is set as WM_Class.
This is needed for some window managers (like the one shipped with
Maemo)
The original WM_CLASS patch has been taken from the FreeNX patch
series, author unknown.
The nxagent/x2goagent has been done by the X2Go Project, author
see below.
|
|
|
|
|
|
|
|
|
| |
210_nxagent_save_session_state.full.patch
210_nxcomp_save_session_state.full+lite.patch
This patch adds a "state" option to NX (agent) which
allows one to specify a file where nxagent will write
its session state into.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
(207_nxagent_fix-xfixes-selection.full.patch).
When nxagent has the XFIXES extension enabled copy and
paste from outside applications to applications within the session
that rely on XFixesSelectSelectionInput (e.g. qt applications like
konsole) did never receive any notifications because the nxagent did
not register itself at the real X server to receive them. Fixes X2Go Bug
#585 (http://bugs.x2go.org/585).
|
|
|
|
| |
(206_nxagent_clipboard-as-nxoption.full.patch).
|
|
|
|
| |
(205_nxagent_refresh-adsl.full.patch).
|
|
|
|
| |
(204_nxagent_repaint-solidpict.full.patch).
|
|
|
|
|
|
|
|
|
|
| |
(203_nxagent_disable-rootless-exit.full.patch).
This change enables to launch an nxagent in rootless mode
that waits forever for Xclients to appear.
This feature got added when X2Go introduced Published Applications
support.
|
|
|
|
|
|
|
|
| |
This patch adds Xinerama awareness to NX agent windows.
The advantage of Xinerama awareness is that an NX session window
will only maximize to the dimensions of the active physical
display.
|
|
|
|
|
|
|
| |
(201_nxagent_set-x2go-icon-if-x2goagent-flavour.full.patch).
Depending on the binary name of the agent either nxagent.xpm
or x2go.xpm is used as window icon.
|
|
|
|
|
|
|
|
|
|
| |
(200_nxagent_check-binary-x2go-flavour.full.patch).
Whether the agent runs in X2Go or NX mode is decide by the
name of the binary that executes the code.
Binary name equal to nxagent -> (Free)NX flavour
Binary name equal to x2goagent -> X2Go flavour
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is allowed to try and allocate a pixmap which is larger than
32767 in either dimension. However, all of the framebuffer code
is buggy and does not reliably draw to such big pixmaps, basically
because the Region data structure operates with signed shorts
for the rectangles in it.
Furthermore, several places in the X server computes the
size in bytes of the pixmap and tries to store it in an
integer. This integer can overflow and cause the allocated size
to be much smaller.
So, such big pixmaps are rejected here with a BadAlloc
Originally contributed by FreeNX Team
|
|
|
|
|
|
| |
Wine close delay.
Originally contributed by FreeNX team (dimbor).
|
|
|
|
|
|
|
|
| |
(107_nxagent_clipboard-compound-text+small-bed-sheets.full.patch).
Do not send COMPOUND_TEXT to client.
Originally contributed by FreeNX Team (dimbor).
|
|
|
|
|
|
| |
Enable UTF-8 clipboard copies.
Originally contributed by FreeNX Team (dimbor).
|
|
|
|
|
|
|
| |
(105_nxagent_export-remote-keyboard-config.full.patch)
Let nxagent write the keyboard configuration to <session_directory>/keyboard
and make it available within the NX session.
|
|
|
|
|
|
|
|
|
| |
(103_nxagent_set-X0-config-path.full.patch).
This patch is needed for Tarball installation and on Distros like
Debian, not reporting this path addition to upstream.
Originally contributed by FreeNX Team.
|
|
|
|
|
|
|
| |
(102_xserver-xext_set-securitypolicy-path.full.patch).
This patch is needed for Tarball installation mode of NX (redistributed)
only, not reporting this path change to upstream.
|
|
|
|
|
|
|
| |
This patch is needed on Debian only, not reporting this path
addition to upstream.
Patch was modified by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(057_nx-X11_sanitize-eventmasks.full.patch).
Multiple endiannes issues were setting incorrect event masks when creating and
drawing X11 windows.
This time, a smaller integer has been casted to a bigger one and passed to some
function actually setting its value.
This meant, that garbage from stack was attached to the smaller integer value,
putting unknown memory into the lower bytes of the bigger integer.
Fix this by creating a big, initialized temporary variable, let the function do
its magic on that one and pass the value back to the smaller variable--and
cross your fingers the smaller variable can hold it without overrunning. (The
last bit is a design issue we can't really fix and has been around even before
this patch.)
|
|
|
|
|
|
|
|
| |
(056_nx-X11_Werror-format-security.full.patch).
The below patch fixes more -Werror=format-security errors.
Interestingly, most of the errors only showed up on our arm builds. No
idea why.
|