Skip to content

N
nx-libs
Commit 6b9df6ca authored by Mike Gabriel's avatar Mike Gabriel Committed by Mihai Moldovan
Browse files
Options

Security fixes: X.Org CVE-2015-3418:

v3: backport to 3.5.0.x branch. (Mihai Moldovan) Adds: - 1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
parent a17bd57e
Hide whitespace changes
Inline Side-by-side
Showing with 33 additions and 0 deletions
debian/changelog
View file @ 6b9df6ca
...@@ -160,6 +160,9 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low ...@@ -160,6 +160,9 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low
* nxcompshad: Prevent underlinking by linking to libNX_Xext. * nxcompshad: Prevent underlinking by linking to libNX_Xext.
Adds: Adds:
- 0650_nxcompshad_link-to-NX_Xext.full.patch - 0650_nxcompshad_link-to-NX_Xext.full.patch
* Security fixes:
- X.Org CVE-2015-3418:
1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
-- X2Go Release Manager <git-admin@x2go.org> Tue, 17 Mar 2015 19:19:32 +0100 -- X2Go Release Manager <git-admin@x2go.org> Tue, 17 Mar 2015 19:19:32 +0100
......
debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch 0 → 100644
View file @ 6b9df6ca
commit dba779d9f99ab2fc6bf05c78515dbdd82840cadd
Author: Keith Packard <keithp@keithp.com>
Date: Fri May 1 13:09:24 2015 +0200
dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
Fix for regression introduced by fix for CVE-2014-8092.
v2: backports to nx-libs 3.6.x (Mike Gabriel)
Signed-off-by: Keith Packard <keithp@keithp.com>
diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c
index 5ad2f5a..ab10640 100644
--- a/nx-X11/programs/Xserver/dix/dispatch.c
+++ b/nx-X11/programs/Xserver/dix/dispatch.c
@@ -2071,7 +2071,7 @@ ProcPutImage(register ClientPtr client)
tmpImage = (char *)&stuff[1];
lengthProto = length;
- if (lengthProto >= (INT32_MAX / stuff->height))
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
return BadLength;
if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
debian/patches/series
View file @ 6b9df6ca
...@@ -132,5 +132,6 @@ ...@@ -132,5 +132,6 @@
1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch
1104-xkb-Check-strings-length-against-request-size.full.patch 1104-xkb-Check-strings-length-against-request-size.full.patch
1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch 1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
0016_nx-X11_install-location.debian.patch 0016_nx-X11_install-location.debian.patch
0102_xserver-xext_set-securitypolicy-path.debian.patch 0102_xserver-xext_set-securitypolicy-path.debian.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment