From 125254d35483d0e645f935b27d3ba8cf52786a36 Mon Sep 17 00:00:00 2001 From: Mihai Moldovan Date: Tue, 2 Jun 2015 18:11:24 +0200 Subject: Security fixes: X.Org CVE-2014-8092: v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: - 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch --- debian/changelog | 6 ++++++ ...r-overflow-in-ProcPutImage-CVE-2014-8.full.patch | 21 ++++++++++++++++----- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index d02711295..4d03fc415 100644 --- a/debian/changelog +++ b/debian/changelog @@ -169,6 +169,12 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: + 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch + * Security fixes: + - X.Org CVE-2014-8092: + v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) + v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Changes: + + 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch [ Bernard Cafarelli ] * nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'. diff --git a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch index 05d491941..6d48ceed1 100644 --- a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch +++ b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch @@ -12,6 +12,9 @@ pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). v2: backport to nx-libs 3.6.x (Mike DePaulo) +v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) +v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) + Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith Reviewed-by: Peter Hutterer @@ -22,8 +25,6 @@ Conflicts: nx-X11/programs/Xserver/dix/dispatch.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) -diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c -index 6941456..5ad2f5a 100644 --- a/nx-X11/programs/Xserver/dix/dispatch.c +++ b/nx-X11/programs/Xserver/dix/dispatch.c @@ -2071,7 +2071,9 @@ ProcPutImage(register ClientPtr client) @@ -37,6 +38,16 @@ index 6941456..5ad2f5a 100644 if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + (sizeof(xPutImageReq) >> 2)) != client->req_len) return BadLength; --- -2.1.4 - +--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c ++++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c +@@ -2630,7 +2630,9 @@ ProcPutImage(register ClientPtr client) + + tmpImage = (char *)&stuff[1]; + lengthProto = length; +- ++ if (lengthProto >= (INT32_MAX / stuff->height)) ++ return BadLength; ++ + if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + + (sizeof(xPutImageReq) >> 2)) != client->req_len) + return BadLength; -- cgit v1.2.3