From c2b050e3003e70b453e212236bcd4e50ee9f9fa7 Mon Sep 17 00:00:00 2001 From: Ulrich Sibiller Date: Thu, 9 Mar 2017 08:24:28 +0100 Subject: nx-X11: Backport CVE-2017-2624 (timingsafe_memcmp) Backported from Arctica GH 3.6.x branch. v2: backport to nx-libs 3.6.x (Ulrich Sibiller) v3: backport to nx-libs 3.5.0.x (Mihai Moldovan)
---
 debian/changelog | 8 + ...2017-2624-Use-timingsafe_memcmp-to-c.full.patch | 162 +++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 171 insertions(+) create mode 100644 debian/patches/1270_nx-X11_CVE-2017-2624-Use-timingsafe_memcmp-to-c.full.patch
diff --git a/debian/changelog b/debian/changelog
index 1c5cc5ba5..19284e254 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -36,6 +36,14 @@ nx-libs (2:3.5.0.33-0x2go1) UNRELEASED; urgency=low
 not libnx-xinerama1).
 Backported from Arctica GH 3.6.x branch.
+ [ Ulrich Sibiller ]
+ * nx-X11: Backport CVE-2017-2624 (timingsafe_memcmp)
+ Backported from Arctica GH 3.6.x branch.
+ v2: backport to nx-libs 3.6.x (Ulrich Sibiller)
+ v3: backport to nx-libs 3.5.0.x (Mihai Moldovan)
+ Adds:
+ - 1270_nx-X11_CVE-2017-2624-Use-timingsafe_memcmp-to-c.full.patch
+
 -- X2Go Release Manager Sat, 04 Jul 2015 06:29:19 +0200
 nx-libs (2:3.5.0.32-0x2go1) unstable; urgency=low
diff --git a/debian/patches/1270_nx-X11_CVE-2017-2624-Use-timingsafe_memcmp-to-c.full.patch b/debian/patches/1270_nx-X11_CVE-2017-2624-Use-timingsafe_memcmp-to-c.full.patch
new file mode 100644
index 000000000..799777c42
--- /dev/null
+++ b/debian/patches/1270_nx-X11_CVE-2017-2624-Use-timingsafe_memcmp-to-c.full.patch
@@ -0,0 +1,162 @@
+commit 65c5d8ad7a46a83338c23dee66e208a014c3d3d2
+Author: Ulrich Sibiller
+Date: Fri Mar 3 22:46:33 2017 +0100
+
+ Backport CVE-2017-2624 (timingsafe_memcmp)
+
+ Fixes ArcticaProject/nx-libs#365
+
+ These two commits:
+
+ commit 5c44169caed811e59a65ba346de1cadb46d266ec
+ Author: Adam Jackson
+ Date: Thu Mar 2 17:20:30 2017 -0500
+
+ os: Squash missing declaration warning for timingsafe_memcmp
+
+ timingsafe_memcmp.c:21:1: warning: no previous prototype for ‘timingsafe_memcmp’ [-Wmissing-prototypes]
+ timingsafe_memcmp(const void *b1, const void *b2, size_t len)
+
+ Signed-off-by: Adam Jackson
+
+ commit d7ac755f0b618eb1259d93c8a16ec6e39a18627c
+ Author: Matthieu Herrb
+ Date: Tue Feb 28 19:18:25 2017 +0100
+
+ Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES CVE-2017-2624
+
+ Provide the function definition for systems that don't have it.
+
+ Signed-off-by: Matthieu Herrb
+
+ Backported from Arctica GH 3.6.x branch.
+
+ v2: backport to nx-libs 3.6.x (Ulrich Sibiller)
+ v3: backport to nx-libs 3.5.0.x (Mihai Moldovan)
+
+commit 22f542626cf9935fd55a899e21144111e481542c
+Author: Ulrich Sibiller
+Date: Sat Mar 4 16:10:38 2017 +0100
+
+ os: add timingsafe_memcmp to Imake
+
+ There might be some library linking missing on platforms that deliver
+ timingsafe_memcmp but I cannot test that here.
+
+ Backported from Arctica GH 3.6.x branch.
+
+ v2: backport to nx-libs 3.5.0.x (Mihai Moldovan)
+--- a/nx-X11/config/cf/Imake.tmpl
++++ b/nx-X11/config/cf/Imake.tmpl
+@@ -484,6 +484,9 @@ XCOMM the platform-specific parameters -
+ #ifndef HasBasename
+ #define HasBasename YES
+ #endif
++#ifndef HasTimingsafeMemcmp
++#define HasTimingsafeMemcmp NO /* assume not */
++#endif
+ #ifndef HasGetopt
+ # if !defined(Win32Architecture) && !defined(OS2Architecture)
+ # define HasGetopt YES
+--- a/nx-X11/programs/Xserver/include/os.h
++++ b/nx-X11/programs/Xserver/include/os.h
+@@ -480,6 +480,11 @@ extern void AbortDDX(void);
+ extern void ddxGiveUp(void);
+ extern int TimeSinceLastInputEvent(void);
+
++#ifndef HAVE_TIMINGSAFE_MEMCMP
++extern _X_EXPORT int
++timingsafe_memcmp(const void *b1, const void *b2, size_t len);
++#endif
++
+ /* Logging. */
+ typedef enum _LogParameter {
+ XLOG_FLUSH,
+--- a/nx-X11/programs/Xserver/os/Imakefile
++++ b/nx-X11/programs/Xserver/os/Imakefile
+@@ -127,17 +127,22 @@ GETPEER_DEFINES = -DHAS_GETPEEREID
+ # endif
+ #endif
+
++#if !HasTimingsafeMemcmp
++TMEMCMP_SRCS = timingsafe_memcmp.c
++TMEMCMP_OBJS = timingsafe_memcmp.o
++#endif
++
+ BOOTSTRAPCFLAGS =
+ SRCS = WaitFor.c access.c connection.c io.c $(COLOR_SRCS) \
+ osinit.c utils.c log.c auth.c mitauth.c secauth.c \
+ $(XDMAUTHSRCS) $(RPCSRCS) $(KRB5SRCS) xdmcp.c OtherSources \
+ transport.c $(SNPRINTF_SRCS) $(STRLCAT_SRCS) \
+- $(MALLOC_SRCS) $(LBX_SRCS) xprintf.c
++ $(MALLOC_SRCS) $(LBX_SRCS) xprintf.c $(TMEMCMP_SRCS)
+ OBJS = WaitFor.o access.o connection.o io.o $(COLOR_OBJS) \
+ osinit.o utils.o log.o auth.o mitauth.o secauth.o \
+ $(XDMAUTHOBJS) $(RPCOBJS) $(KRB5OBJS) xdmcp.o OtherObjects \
+ transport.o $(SNPRINTF_OBJS) $(STRLCAT_OBJS) \
+- $(MALLOC_OBJS) $(LBX_OBJS) xprintf.o
++ $(MALLOC_OBJS) $(LBX_OBJS) xprintf.o $(TMEMCMP_OBJS)
+
+ #if SpecialMalloc
+ MEM_DEFINES = -DSPECIAL_MALLOC
+--- a/nx-X11/programs/Xserver/os/mitauth.c
++++ b/nx-X11/programs/Xserver/os/mitauth.c
+@@ -84,7 +84,7 @@ MitCheckCookie (
+
+ for (auth = mit_auth; auth; auth=auth->next) {
+ if (data_length == auth->len &&
+- memcmp (data, auth->data, (int) data_length) == 0)
++ timingsafe_memcmp (data, auth->data, (int) data_length) == 0)
+ return auth->id;
+ }
+ *reason = "Invalid MIT-MAGIC-COOKIE-1 key";
+--- /dev/null
++++ b/nx-X11/programs/Xserver/os/timingsafe_memcmp.c
+@@ -0,0 +1,47 @@
++/*
++ * Copyright (c) 2014 Google Inc.
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ */
++
++#include
++#include
++#include
++#include "os.h"
++
++int
++timingsafe_memcmp(const void *b1, const void *b2, size_t len)
++{
++ const unsigned char *p1 = b1, *p2 = b2;
++ size_t i;
++ int res = 0, done = 0;
++
++ for (i = 0; i < len; i++) {
++ /* lt is -1 if p1[i] < p2[i]; else 0. */
++ int lt = (p1[i] - p2[i]) >> CHAR_BIT;
++
++ /* gt is -1 if p1[i] > p2[i]; else 0. */
++ int gt = (p2[i] - p1[i]) >> CHAR_BIT;
++
++ /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
++ int cmp = lt - gt;
++
++ /* set res = cmp if !done. */
++ res |= cmp & ~done;
++
++ /* set done if p1[i] != p2[i]. */
++ done |= lt | gt;
++ }
++
++ return (res);
++}
diff --git a/debian/patches/series b/debian/patches/series
index f0f7e6a8e..6a24429a4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -147,6 +147,7 @@
 1258_nx-X11_randr-Clean-up-compiler-warnings-about-u.full.patch
 1259_nx-X11_Make-RANDR-_set_-timestamps-follow-clien.full.patch
 1260_nx-X11_xserver-Avoid-sending-uninitialized-padd.full.patch
+1270_nx-X11_CVE-2017-2624-Use-timingsafe_memcmp-to-c.full.patch
 9900-dxpc-license-history.full+lite.patch
 0016_nx-X11_install-location.debian.patch
 0102_xserver-xext_set-securitypolicy-path.debian.patch
-- cgit v1.2.3
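Review bot: The os.h part of the added patch guards the prototype with `#ifndef HAVE_TIMINGSAFE_MEMCMP`, while the Imake.tmpl and os/Imakefile parts key everything on `HasTimingsafeMemcmp`, and nothing in the visible hunks turns one into the other. On a platform that sets `HasTimingsafeMemcmp YES` the bundled timingsafe_memcmp.c is dropped but os.h still emits the `_X_EXPORT` declaration, so the two switches can disagree; I would add `#if HasTimingsafeMemcmp` / `TMEMCMP_DEFINES = -DHAVE_TIMINGSAFE_MEMCMP` / `#endif` next to the `TMEMCMP_SRCS` block and pass it in this directory's compile flags, which sit outside the hunk. In the mitauth.c part the `(int)` cast on `data_length` is a leftover from the memcmp call and can go, since the new function takes `size_t`. A short comment above the loop in timingsafe_memcmp.c noting that `>> CHAR_BIT` on a negative `int` relies on arithmetic right shift (implementation-defined in C) would also help anyone porting it.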