Security fixes: X.Org CVE-2013-4396:

v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo) v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: - 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch

Security fixes: X.Org CVE-2013-4396:
4fb35326 · Mihai Moldovan · 86937b86 · 4fb35326 · 4fb35326
Commit 4fb35326 authored Jun 02, 2015 by Mihai Moldovan
Hide whitespace changes
Inline Side-by-side

Showing with 52 additions and 5 deletions

changelog debian/changelog +6 -0

1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch ...void-use-after-free-in-dix-dixfonts.c-doImageT.full.patch +46 -5

No files found.
--- a/debian/changelog
+++ b/debian/changelog
@@ -163,6 +163,12 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low
    Backported from Arctica GH 3.6.x branch.
    Affects:
    - 9900-dxpc-license-history.full+lite.patch
+  * Security fixes:
+    - X.Org CVE-2013-4396:
+      v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo)
+      v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan)
+      Changes:
+      + 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch

  [ Bernard Cafarelli ]
  * nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'.

--- a/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch
+++ b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch
@@ -21,12 +21,14 @@ X server is mostly single threaded, the odds of the free memory having
 invalid contents are low with most malloc implementations when not using
 memory debugging features, but some allocators will definitely overwrite
 the memory there, leading to a likely crash.
+
+v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo)
+v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan)
+
 ---
 nx-X11/programs/Xserver/dix/dixfonts.c | 5 +++++
 1 file changed, 5 insertions(+)

-diff --git a/nx-X11/programs/Xserver/dix/dixfonts.c b/nx-X11/programs/Xserver/dix/dixfonts.c
-index 193f555..42fd647 100644
 --- a/nx-X11/programs/Xserver/dix/dixfonts.c
 +++ b/nx-X11/programs/Xserver/dix/dixfonts.c
 @@ -1559,6 +1559,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
@@ -69,6 +71,45 @@ index 193f555..42fd647 100644
 		err = BadAlloc;
 		goto bail;
 	    }
-- 
-2.1.4
-
+--- a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c
+@@ -1711,6 +1711,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ 	    GC *pGC;
+ 	    unsigned char *data;
+ 	    ITclosurePtr new_closure;
+	    ITclosurePtr old_closure;
+ 
+ 	    /* We're putting the client to sleep.  We need to
+ 	       save some state.  Similar problem to that handled
+@@ -1723,6 +1724,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ 		err = BadAlloc;
+ 		goto bail;
+ 	    }
+	    old_closure = c;
+ 	    *new_closure = *c;
+ 	    c = new_closure;
+ 
+@@ -1730,6 +1732,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ 	    if (!data)
+ 	    {
+ 		xfree(c);
+		c = old_closure;
+ 		err = BadAlloc;
+ 		goto bail;
+ 	    }
+@@ -1741,6 +1744,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ 	    {
+ 		xfree(c->data);
+ 		xfree(c);
+		c = old_closure;
+ 		err = BadAlloc;
+ 		goto bail;
+ 	    }
+@@ -1759,6 +1763,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ 		FreeScratchGC(pGC);
+ 		xfree(c->data);
+ 		xfree(c);
+		c = old_closure;
+ 		err = BadAlloc;
+ 		goto bail;
+ 	    }