path: root/nx-X11/programs
Commit message | Author | Age | Files | Lines
* xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102] | Alan Coopersmith | 2015-02-14 | 1 | -0/+1
| Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
| v2: backport to nx-libs 3.6.x (Mike DePaulo)
| Conflicts: xfixes/select.c
* render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2] | Alan Coopersmith | 2015-02-14 | 1 | -1/+16
| v2: backport to nx-libs 3.6.x (Mike DePaulo)
| Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
| Conflicts: render/render.c
* render: check request size before reading it [CVE-2014-8100 1/2] | Julien Cristau | 2015-02-14 | 1 | -1/+2
| Otherwise we may be reading outside of the client request.
| v2: backport to nx-libs 3.6.x (Mike DePaulo)
| Signed-off-by: Julien Cristau <jcristau@debian.org>
| Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| Conflicts: render/render.c
* Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099] | Alan Coopersmith | 2015-02-14 | 1 | -0/+20
| v2: backport to nx-libs 3.6.x (Mike DePaulo)
| Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
| Conflicts: Xext/xvdisp.c
* xcmisc: unvalidated length in SProcXCMiscGetXIDList() [CVE-2014-8096] | Alan Coopersmith | 2015-02-14 | 1 | -0/+1
| v2: backport to nx-libs 3.6.x (Mike DePaulo)
| Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
* Xi: unvalidated lengths in Xinput extension [CVE-2014-8095] | Alan Coopersmith | 2015-02-14 | 4 | -2/+11
| Multiple functions in the Xinput extension handling of requests from clients failed to check that the length of the request sent by the client was large enough to perform all the required operations and thus could read or write to memory outside the bounds of the request buffer.
| This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE macro in include/dix.h for the common case of needing to ensure a request is large enough to include both the request itself and a minimum amount of extra data following the request header.
| v2: backport to nx-libs 3.6.x (Mike DePaulo)
| Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
| Conflicts: Xi/chgdctl.c Xi/chgfctl.c Xi/xiallowev.c Xi/xichangecursor.c Xi/xichangehierarchy.c Xi/xigetclientpointer.c Xi/xigrabdev.c Xi/xipassivegrab.c Xi/xiproperty.c Xi/xiquerydevice.c Xi/xiquerypointer.c Xi/xiselectev.c Xi/xisetclientpointer.c Xi/xisetdevfocus.c Xi/xiwarppointer.c
| [RHEL5: Xi/xi* files are XI2 ]
* dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097] | Alan Coopersmith | 2015-02-14 | 1 | -3/+8
| ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read from a buffer. The length is never validated, which can lead to out of bound reads, and possibly returning the data read from out of bounds to the misbehaving client via an X Error packet.
| SProcDbeSwapBuffers() swaps data (for correct endianness) before handing it off to the real proc. While doing the swapping, the length field is not validated, which can cause memory corruption.
| v2: reorder checks to avoid compilers optimizing out checks for overflow that happen after we'd already have done the overflowing multiplications.
| v3: backport to nx-libs 3.6.x (Mike DePaulo)
| Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
| Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
| Conflicts: dbe/dbe.c
* dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4] | Alan Coopersmith | 2015-02-14 | 1 | -1/+4
| Force use of 64-bit integers when evaluating data provided by clients in 32-bit fields which can overflow when added or multiplied during checks.
| Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
| Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
| RHEL5: add #include <stdint.h> for uint64_t
| v3: backport to nx-libs 3.6.x (Mike DePaulo)
* dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4] | Alan Coopersmith | 2015-02-14 | 2 | -15/+34
| RegionSizeof contains several integer overflows if a large length value is passed in. Once we fix it to return 0 on overflow, we also have to fix the callers to handle this error condition.
| v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
| v3: backport to nx-libs 3.6.x (Mike DePaulo)
| Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
| Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
| Reviewed-by: Julien Cristau <jcristau@debian.org>
| Conflicts: dix/region.c include/regionstr.h
* dix: integer overflow in GetHosts() [CVE-2014-8092 2/4] | Alan Coopersmith | 2015-02-14 | 1 | -0/+6
| GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory.
| This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane.
| v2: backport to nx-libs 3.6.x (Mike DePaulo)
| Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
| Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
| Conflicts: os/access.c
* dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4] | Alan Coopersmith | 2015-02-14 | 1 | -1/+3
| ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap).
| The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable).
| v2: backport to nx-libs 3.6.x (Mike DePaulo)
| Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
| Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
| Conflicts: dix/dispatch.c
* unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091] | Alan Coopersmith | 2015-02-14 | 1 | -0/+4
| authdes_ezdecode() calls malloc() using a length provided by the connection handshake sent by a newly connected client in order to authenticate to the server, so should be treated as untrusted.
| It didn't check if malloc() failed before writing to the newly allocated buffer, so could lead to a server crash if the server fails to allocate memory (up to UINT16_MAX bytes, since the len field is a CARD16 in the X protocol).
| Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
| Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
| Conflicts: os/rpcauth.c
* Avoid use-after-free in dix/dixfonts.c: doImageText() [CVE-2013-4396] from ↵ | Mike DePaulo | 2015-02-14 | 1 | -0/+5
| xorg/Xserver
| http://lists.x.org/archives/xorg-announce/2013-October/002332.html
| Save a pointer to the passed in closure structure before copying it and overwriting the *c pointer to point to our copy instead of the original. If we hit an error, once we free(c), reset c to point to the original structure before jumping to the cleanup code that references *c.
| Since one of the errors being checked for is whether the server was able to malloc(c->nChars * itemSize), the client can potentially pass a number of characters chosen to cause the malloc to fail and the error path to be taken, resulting in the read from freed memory.
| Since the memory is accessed almost immediately afterwards, and the X server is mostly single threaded, the odds of the free memory having invalid contents are low with most malloc implementations when not using memory debugging features, but some allocators will definitely overwrite the memory there, leading to a likely crash.
* Fix CVE-2011-4028: File disclosure vulnerability. upstream xorg/xserver ↵ | Mike DePaulo | 2015-02-14 | 1 | -1/+1
| commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34 use O_NOFOLLOW to open the existing lock file, so symbolic links aren't followed, thus avoid revealing if it points to an existing file.
* VERSION file: master VERSION file is in base folder, symlinked from ↵ | Mike Gabriel | 2015-02-14 | 1 | -0/+1
| nx*/VERSION and hw/nxagent/VERSION.
| This commit removes the debian/VERSION file and makes it now unnecessary to copy/symlink the VERSION file at build time.
| These build scripts got adapted: debian/roll-tarballs.sh debian/rules nx-libs.spec
| Furthermore, all NX components now use the main VERSION file as reference.
| typechange: nxcomp/VERSION
| typechange: nxcompext/VERSION
| typechange: nxcompshad/VERSION
| typechange: nxproxy/VERSION
* Unbrand NX Agent Startup Screen / Brand X2Go Agent Startup Screen ↵ | Oleksandr Shneyder | 2015-02-13 | 5 | -77/+158
| (999_nxagent_unbrand-nxagent-brand-x2goagent.full.patch).
| When launched with NX Agent flavour, the startup screen gets unbranded by this patch (the !M logo does not get shown).
| When launched with X2Go Agent flavour, the startup screen gets branded with the X2GO logo.
* Several fixes for building debug versions of NX ↵ | Mihai Moldovan | 2015-02-13 | 4 | -7/+8
| (990_fix-DEBUG-and-TEST-builds.full.patch).
| (1) In nx-X11/programs/Xserver/dix: Fix several compile errors when specifying -DDEBUG globally. Previous GCC versions were more liberal and the code thus compiled. Also initialize/reset a count variable correctly.
| (2) In nx-X11/programs/Xserver/hw/nxagent/Render.c: Check for pSrc->pDrawable to exist instead of having nxagent segfault when it does not. This enables the possibility of compiling all nxagent modules in TEST mode.
* Provide build support for aarch64 architecture ↵ | Orion Poplawski | 2015-02-13 | 1 | -0/+22
| (606_nx-X11_build-on-aarch64.full.patch).
* Handle some serious compilation warnings ↵ | Mirraz Mirraz | 2015-02-13 | 1 | -0/+6
| (603_nx-X11_compilation_warnings.full.patch).
* Be compliant with POS36-C: Observe correct revocation order while ↵ | Orion Poplawski | 2015-02-13 | 1 | -0/+7
| relinquishing privileges (602_nx-X11_initgroups.full.patch).
| The Fedora review of NX (redistributed) caught the following rpmlint issue:
| This executable is calling setuid and setgid without setgroups or initgroups. There is a high probability this mean it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem.
| Ref POS36-C: https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges
| This patch adds initgroups() calls to the code to initialize the supplemental group list.
* Unique Library Names Patch ↵ | Jan Engelhardt | 2015-02-13 | 1 | -9/+9
| (600_nx-X11+nxcompext+nxcompshad_unique-libnames.full.patch).
| We really want to make use of rpm's automatic dependency finding. Binaries are scanned for DT_NEEDED entries, the latter of which are then used for populating the "Requires"-type deps. The "nxagent" binary for example would require libX11.so.6. That incurs problems:
| 1. A package manager told to install nxagent could select xorg-x11 rather than nx-libs, even though nxagent depends on the NX version.
| 2. A package manager told to install $some_program could select nx-libs rather than xorg-x11 (since both provide libX11.so.6), but, since the NX library is in an obscure directory, running $some_program would fail as libX11.so.6 is not found.
| To solve this, give the NX libraries unique names different from the Xorg ones.
* Adapt paths of keystrokes.cfg if nxagent runs as x2goagent ↵ | Horst Schirmeier | 2015-02-13 | 1 | -0/+6
| (321_nxagent_x2go-specific-keystroke-config.full.patch).
* Make nxagent-specific keyboard bindings configurable ↵ | Alexander Wuerstlein | 2015-02-13 | 6 | -237/+546
| (320_nxagent_configurable-keystrokes.full.patch).
| Replaces the hardcoded nxagent keybindings by a configurable table of keybindings. The default configuration is the same as the original one, to maintain compatibility. A user/administrator can either specify a command line parameter, environment variable or place a file in ~/.nx/config/keystrokes.cfg or /etc/nxagent/keystrokes.cfg to reconfigure these keybindings.
| The configuration file format is XML, a dependency on libxml2 is added to allow parsing the configuration.
* Test for xkb/rules/base instead of xkb/keymap.dir for setting XkbBaseDir ↵ | Mike Gabriel | 2015-02-13 | 1 | -16/+16
| (302_nx-X11_xkbbasedir-detection.full.patch).
| In recent (as of 2014/06) X.org release, the keymap.dir file has become obsolete. Let's test for the xkb/rules/base file instead.
* Use shared libraries (301_nx-X11_use-shared-libs.full.patch). | Jan Engelhardt | 2015-02-10 | 2 | -4/+4
| Many distributions have a policy to reduce code duplications. One means to avoid such duplications is to use shared libraries instead of using libs that are often shipped for convenience.
| Fedora: http://fedoraproject.org/wiki/Packaging:Guidelines#Shared_Libraries
| Debian (Section 10.7.4 of Debian policy): http://www.debian.org/doc/debian-policy/ch-files.html
* Set WM_CLASS to X2GoAgent/NXAgent (300_nxagent_set-wm-class.full.patch). | Oleksandr Shneyder | 2015-02-10 | 1 | -0/+36
| Depending on the binary name of the agent either NXAgent or X2GoAgent is set as WM_Class. This is needed for some window managers (like the one shipped with Maemo).
| The original WM_CLASS patch has been taken from the FreeNX patch series, author unknown.
| The nxagent/x2goagent has been done by the X2Go Project, author see below.
* Save session state in file. | Oleksandr Shneyder | 2015-02-10 | 5 | -1/+51
| 210_nxagent_save_session_state.full.patch
| 210_nxcomp_save_session_state.full+lite.patch
| This patch adds a "state" option to NX (agent) which allows one to specify a file where nxagent will write its session state into.
* Add x2goagent man page (209_x2goagent_add-man-page.full.patch). | Mike Gabriel | 2015-02-10 | 1 | -0/+35
|
* Fix XFIXES selection handling (copy and paste via middle mouse button) ↵ | Ulrich Sibiller | 2015-02-10 | 1 | -4/+8
| (207_nxagent_fix-xfixes-selection.full.patch).
| When nxagent has the XFIXES extension enabled, copy and paste from outside applications to applications within the session that rely on XFixesSelectSelectionInput (e.g. qt applications like konsole) never received any notifications because the nxagent did not register itself at the real X server to receive them.
| Fixes X2Go Bug #585 (http://bugs.x2go.org/585).
* Add -clipboard cmdline option to nxagent ↵ | Mike Gabriel | 2015-02-10 | 1 | -2/+25
| (206_nxagent_clipboard-as-nxoption.full.patch).
* Fix refresh errors on Win2012 RDP connections with speed=ADS ↵ | Oleksandr Shneyder | 2015-02-10 | 1 | -1/+1
| (205_nxagent_refresh-adsl.full.patch).
* Fix repainting of SolidFill pictures with libcairo > 1.12.x ↵ | Oleksandr Shneyder | 2015-02-10 | 3 | -5/+16
| (204_nxagent_repaint-solidpict.full.patch).
* Add -norootlessexit cmdline option to nxagent ↵ | Oleksandr Shneyder | 2015-02-10 | 4 | -1/+16
| (203_nxagent_disable-rootless-exit.full.patch).
| This change enables launching an nxagent in rootless mode that waits forever for Xclients to appear. This feature got added when X2Go introduced Published Applications support.
* Enable Xinerama support for NX (202_nx-X11_enable-xinerama.full.patch). | Oleksandr Shneyder | 2015-02-10 | 5 | -24/+21
| This patch adds Xinerama awareness to NX agent windows. The advantage of Xinerama awareness is that an NX session window will only maximize to the dimensions of the active physical display.
* X2Go icon when run with x2goagent flavour ↵ | Oleksandr Shneyder | 2015-02-10 | 3 | -3/+171
| (201_nxagent_set-x2go-icon-if-x2goagent-flavour.full.patch).
| Depending on the binary name of the agent either nxagent.xpm or x2go.xpm is used as window icon.
* Detect nxagent/x2goagent flavour ↵ | Oleksandr Shneyder | 2015-02-10 | 2 | -0/+30
| (200_nxagent_check-binary-x2go-flavour.full.patch).
| Whether the agent runs in X2Go or NX mode is decided by the name of the binary that executes the code.
| Binary name equal to nxagent -> (Free)NX flavour
| Binary name equal to x2goagent -> X2Go flavour
* Avoid large pixmaps (110_nxagent_createpixmap-bounds-check.full.patch). | Mike Gabriel | 2015-02-10 | 1 | -0/+17
| It is allowed to try and allocate a pixmap which is larger than 32767 in either dimension. However, all of the framebuffer code is buggy and does not reliably draw to such big pixmaps, basically because the Region data structure operates with signed shorts for the rectangles in it.
| Furthermore, several places in the X server compute the size in bytes of the pixmap and try to store it in an integer. This integer can overflow and cause the allocated size to be much smaller.
| So, such big pixmaps are rejected here with a BadAlloc.
| Originally contributed by FreeNX Team
* Wine Close Delay (108_nxagent_wine-close-delay.full.patch). | Mike Gabriel | 2015-02-10 | 1 | -0/+30
| Wine close delay.
| Originally contributed by FreeNX team (dimbor).
* Prevent sending COMPOUND_TEXT ↵ | Mike Gabriel | 2015-02-10 | 2 | -3/+11
| (107_nxagent_clipboard-compound-text+small-bed-sheets.full.patch).
| Do not send COMPOUND_TEXT to client.
| Originally contributed by FreeNX Team (dimbor).
* UTF-8 Clipboard copying (106_nxagent_utf8-copy-clipboard.full.patch). | Mike Gabriel | 2015-02-10 | 1 | -4/+12
| Enable UTF-8 clipboard copies.
| Originally contributed by FreeNX Team (dimbor).
* Export remote keyboard configuration to session directory ↵ | Marcelo Boveto Shima | 2015-02-10 | 3 | -1/+48
| (105_nxagent_export-remote-keyboard-config.full.patch)
| Let nxagent write the keyboard configuration to <session_directory>/keyboard and make it available within the NX session.
* FHS path fix for keyboard config file ↵ | Mike Gabriel | 2015-02-10 | 1 | -6/+3
| (103_nxagent_set-X0-config-path.full.patch).
| This patch is needed for Tarball installation and on Distros like Debian, not reporting this path addition to upstream.
| Originally contributed by FreeNX Team.
* FHS path fix for SecurityPolicy file ↵ | Marcelo Boveto Shima | 2015-02-10 | 1 | -1/+1
| (102_xserver-xext_set-securitypolicy-path.full.patch).
| This patch is needed for Tarball installation mode of NX (redistributed) only, not reporting this path change to upstream.
* FHS path fix for rgb file | Marcelo Boveto Shima | 2015-02-10 | 1 | -1/+1
| This patch is needed on Debian only, not reporting this path addition to upstream.
| Patch was modified by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
* Create Windows and fix drawing issues on Big Endian 64bit systems ↵ | Mihai Moldovan | 2015-02-10 | 2 | -4/+16
| (057_nx-X11_sanitize-eventmasks.full.patch).
| Multiple endianness issues were setting incorrect event masks when creating and drawing X11 windows.
| This time, a smaller integer has been cast to a bigger one and passed to some function actually setting its value. This meant, that garbage from stack was attached to the smaller integer value, putting unknown memory into the lower bytes of the bigger integer.
| Fix this by creating a big, initialized temporary variable, let the function do its magic on that one and pass the value back to the smaller variable--and cross your fingers the smaller variable can hold it without overrunning. (The last bit is a design issue we can't really fix and has been around even before this patch.)
* Fix -Werror=format-security errors ↵ | Orion Poplawski | 2015-02-09 | 5 | -7/+7
| (056_nx-X11_Werror-format-security.full.patch).
| The below patch fixes more -Werror=format-security errors. Interestingly, most of the errors only showed up on our arm builds. No idea why.
* Description: Enable parallel make (031_nx-X11_parallel-make.full.patch). | Jan Engelhardt | 2015-02-09 | 1 | -2/+2
| Restore ability to build things in parallel. (${MAKE} must always appear in the rule directly, and not be hidden through expansions of other variables to get this to work.)
* Allow to pass in configure args (030_nx-X11_configure-args.full.patch). | Jan Engelhardt | 2015-02-09 | 1 | -1/+3
|
* Work on man pages. | Mike Gabriel | 2015-02-09 | 2 | -21/+58
| 009_nxproxy_add-man-page.full+lite.patch
| 009_nxagent_add-man-page.full.patch
| 010_nxauth_fix-binary-name-in-man-page.full.patch
* Description: Fix build on Debian (004_nx-X11_fix-nxcompshad-build.full.patch) | Mike Gabriel | 2015-02-09 | 1 | -1/+1
| For an unknown reason this patch currently is needed to build nx-X11, nxcomp, nxcompshad and nxcompext with dpkg-buildpackage and debuild.