From 79a4ed92dbae5089d3ddfcc0acec427ff057ad9b Mon Sep 17 00:00:00 2001
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Sun, 26 Apr 2015 21:51:23 +0200
Subject: Security fixes: X.Org CVE-2013-7439:

v2: backport to 3.5.0.x branch. (Mihai Moldovan)

Adds:
  - 1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
---
 debian/changelog                                   |  5 ++
 ...39-MakeBigReq-don-t-move-the-last-wo.full.patch | 77 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 83 insertions(+)
 create mode 100644 debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch

diff --git a/debian/changelog b/debian/changelog
index 0534c5e91..079b2decb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -25,6 +25,11 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low
     Adds:
     - 0630_nx-X11_fix-underlinking-dlopen-dlsym.full.patch
 
+  [ Mike Gabriel ]
+  * Security fixes:
+    - X.Org CVE-2013-7439:
+      1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
+
  -- X2Go Release Manager <git-admin@x2go.org>  Tue, 17 Mar 2015 19:19:32 +0100
 
 nx-libs (2:3.5.0.31-0x2go1) unstable; urgency=low
diff --git a/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch b/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
new file mode 100644
index 000000000..6613d80d2
--- /dev/null
+++ b/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
@@ -0,0 +1,77 @@
+commit ac9fbaabd6bdbca6dd1d94fa385aea41fdebf2c1
+Author: Karl Tomlinson <xmail@karlt.net>
+Date:   Wed Apr 15 10:16:18 2015 +0200
+
+    MakeBigReq: don't move the last word, already handled by Data32 (X.Org CVE-2013-7439).
+
+     MakeBigReq inserts a length field after the first 4 bytes of the request
+     (after req->length), pushing everything else back by 4 bytes.
+
+     The current memmove moves everything but the first 4 bytes back. If a
+     request aligns to the end of the buffer pointer when MakeBigReq is
+     invoked for that request, this runs over the buffer. Instead, we need to
+     memmove minus the first 4 bytes (which aren't moved), minus the last 4
+     bytes (so we still align to the previous tail).
+
+     The 4 bytes that fell out are already handled with Data32, which will
+     handle the buffermax correctly.
+
+     The case where req->length = 1 was already not functional.
+
+     Reported by Abhishek Arya <inferno@chromium.org> (against X.Org BTS).
+
+     https://bugzilla.mozilla.org/show_bug.cgi?id=803762
+
+     Reviewed-by: Jeff Muizelaar <jmuizelaar@mozilla.com>
+     Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+     Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+     Rebased-for-NX: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+
+--- a/nx-X11/lib/X11/Xlibint.h
++++ b/nx-X11/lib/X11/Xlibint.h
+@@ -561,6 +561,14 @@ extern LockInfoPtr _Xglobal_lock;
+ 	dpy->request++
+ #endif
+ 
++/*
++ * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32
++ * length, after req->length, before the data in the request. The new length
++ * includes the "n" extra 32-bit words.
++ *
++ * Do not use MakeBigReq if there is no data already in the request.
++ * req->length must already be >= 2.
++ */
+ #ifdef WORD64
+ #define MakeBigReq(req,n) \
+     { \
+@@ -580,7 +588,7 @@ extern LockInfoPtr _Xglobal_lock;
+     CARD32 _BRlen = req->length - 1; \
+     req->length = 0; \
+     _BRdat = ((CARD32 *)req)[_BRlen]; \
+-    memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
++    memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
+     ((CARD32 *)req)[1] = _BRlen + n + 2; \
+     Data32(dpy, &_BRdat, 4); \
+     }
+@@ -591,13 +599,20 @@ extern LockInfoPtr _Xglobal_lock;
+     CARD32 _BRlen = req->length - 1; \
+     req->length = 0; \
+     _BRdat = ((CARD32 *)req)[_BRlen]; \
+-    memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
++    memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
+     ((CARD32 *)req)[1] = _BRlen + n + 2; \
+     Data32(dpy, &_BRdat, 4); \
+     }
+ #endif
+ #endif
+ 
++/*
++ * SetReqLen increases the count of 32-bit words in the request by "n",
++ * or by "badlen" if "n" is too large.
++ *
++ * Do not use SetReqLen if "req" does not already have data after the
++ * xReq header. req->length must already be >= 2.
++ */
+ #define SetReqLen(req,n,badlen) \
+     if ((req->length + n) > (unsigned)65535) { \
+ 	if (dpy->bigreq_size) { \
diff --git a/debian/patches/series b/debian/patches/series
index f0870d926..2856cbe9b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -129,5 +129,6 @@
 1102-include-introduce-byte-counting-functions.patch
 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
 1104-xkb-Check-strings-length-against-request-size.patch
+1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
 0016_nx-X11_install-location.debian.patch
 0102_xserver-xext_set-securitypolicy-path.debian.patch
-- 
cgit v1.2.3