nx-X11: Backport CVE-2017-2624 (timingsafe_memcmp)

Backported from Arctica GH 3.6.x branch. v2: backport to nx-libs 3.6.x (Ulrich Sibiller) v3: backport to nx-libs 3.5.0.x (Mihai Moldovan)

nx-X11: Backport CVE-2017-2624 (timingsafe_memcmp)
c2b050e3 · Ulrich Sibiller · Mihai Moldovan · debe460b · c2b050e3 · c2b050e3
Commit c2b050e3 authored Mar 09, 2017 by Ulrich Sibiller Committed by Mihai Moldovan Mar 09, 2017
Showing with 171 additions and 0 deletions

changelog debian/changelog +8 -0

1270_nx-X11_CVE-2017-2624-Use-timingsafe_memcmp-to-c.full.patch ...x-X11_CVE-2017-2624-Use-timingsafe_memcmp-to-c.full.patch +162 -0

series debian/patches/series +1 -0

No files found.
--- a/debian/changelog
+++ b/debian/changelog
@@ -36,6 +36,14 @@ nx-libs (2:3.5.0.33-0x2go1) UNRELEASED; urgency=low
    not libnx-xinerama1).
    Backported from Arctica GH 3.6.x branch.

+  [ Ulrich Sibiller ]
+  * nx-X11: Backport CVE-2017-2624 (timingsafe_memcmp)
+    Backported from Arctica GH 3.6.x branch.
+    v2: backport to nx-libs 3.6.x (Ulrich Sibiller)
+    v3: backport to nx-libs 3.5.0.x (Mihai Moldovan)
+    Adds:
+    - 1270_nx-X11_CVE-2017-2624-Use-timingsafe_memcmp-to-c.full.patch
+
 -- X2Go Release Manager <git-admin@x2go.org>  Sat, 04 Jul 2015 06:29:19 +0200

 nx-libs (2:3.5.0.32-0x2go1) unstable; urgency=low

--- a/debian/patches/1270_nx-X11_CVE-2017-2624-Use-timingsafe_memcmp-to-c.full.patch
+++ b/debian/patches/1270_nx-X11_CVE-2017-2624-Use-timingsafe_memcmp-to-c.full.patch
+commit 65c5d8ad7a46a83338c23dee66e208a014c3d3d2
+Author: Ulrich Sibiller <uli42@gmx.de>
+Date:   Fri Mar 3 22:46:33 2017 +0100
+
+    Backport CVE-2017-2624 (timingsafe_memcmp)
+
+    Fixes ArcticaProject/nx-libs#365
+
+    These two commits:
+
+       commit 5c44169caed811e59a65ba346de1cadb46d266ec
+       Author: Adam Jackson <ajax@redhat.com>
+       Date:   Thu Mar 2 17:20:30 2017 -0500
+
+           os: Squash missing declaration warning for timingsafe_memcmp
+
+           timingsafe_memcmp.c:21:1: warning: no previous prototype for ‘timingsafe_memcmp’ [-Wmissing-prototypes]
+            timingsafe_memcmp(const void *b1, const void *b2, size_t len)
+
+           Signed-off-by: Adam Jackson <ajax@redhat.com>
+
+       commit d7ac755f0b618eb1259d93c8a16ec6e39a18627c
+       Author: Matthieu Herrb <matthieu@herrb.eu>
+       Date:   Tue Feb 28 19:18:25 2017 +0100
+
+           Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES CVE-2017-2624
+
+           Provide the function definition for systems that don't have it.
+
+           Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+    Backported from Arctica GH 3.6.x branch.
+
+    v2: backport to nx-libs 3.6.x (Ulrich Sibiller)
+    v3: backport to nx-libs 3.5.0.x (Mihai Moldovan)
+
+commit 22f542626cf9935fd55a899e21144111e481542c
+Author: Ulrich Sibiller <uli42@gmx.de>
+Date:   Sat Mar 4 16:10:38 2017 +0100
+
+    os: add timingsafe_memcmp to Imake
+
+    There might be some library linking missing on platforms that deliver
+    timingsafe_memcmp but I cannot test that here.
+
+    Backported from Arctica GH 3.6.x branch.
+
+    v2: backport to nx-libs 3.5.0.x (Mihai Moldovan)
+--- a/nx-X11/config/cf/Imake.tmpl
+++ b/nx-X11/config/cf/Imake.tmpl
+@@ -484,6 +484,9 @@ XCOMM the platform-specific parameters -
+ #ifndef HasBasename
+ #define HasBasename		YES
+ #endif
+#ifndef HasTimingsafeMemcmp
+#define HasTimingsafeMemcmp	NO	/* assume not */
+#endif
+ #ifndef HasGetopt
+ # if !defined(Win32Architecture) && !defined(OS2Architecture)
+ #  define HasGetopt		YES
+--- a/nx-X11/programs/Xserver/include/os.h
+++ b/nx-X11/programs/Xserver/include/os.h
+@@ -480,6 +480,11 @@ extern void AbortDDX(void);
+ extern void ddxGiveUp(void);
+ extern int TimeSinceLastInputEvent(void);
+ 
+#ifndef HAVE_TIMINGSAFE_MEMCMP
+extern _X_EXPORT int
+timingsafe_memcmp(const void *b1, const void *b2, size_t len);
+#endif
+
+ /* Logging. */
+ typedef enum _LogParameter {
+     XLOG_FLUSH,
+--- a/nx-X11/programs/Xserver/os/Imakefile
+++ b/nx-X11/programs/Xserver/os/Imakefile
+@@ -127,17 +127,22 @@ GETPEER_DEFINES = -DHAS_GETPEEREID
+ # endif
+ #endif
+ 
+#if !HasTimingsafeMemcmp
+TMEMCMP_SRCS = timingsafe_memcmp.c
+TMEMCMP_OBJS = timingsafe_memcmp.o
+#endif
+
+ BOOTSTRAPCFLAGS = 
+            SRCS = WaitFor.c access.c connection.c io.c $(COLOR_SRCS) \
+                   osinit.c utils.c log.c auth.c mitauth.c secauth.c \
+                   $(XDMAUTHSRCS) $(RPCSRCS) $(KRB5SRCS) xdmcp.c OtherSources \
+                   transport.c $(SNPRINTF_SRCS) $(STRLCAT_SRCS) \
+-		  $(MALLOC_SRCS) $(LBX_SRCS) xprintf.c
+		  $(MALLOC_SRCS) $(LBX_SRCS) xprintf.c $(TMEMCMP_SRCS)
+            OBJS = WaitFor.o access.o connection.o io.o $(COLOR_OBJS) \
+                   osinit.o utils.o log.o auth.o mitauth.o secauth.o \
+                   $(XDMAUTHOBJS) $(RPCOBJS) $(KRB5OBJS) xdmcp.o OtherObjects \
+                   transport.o $(SNPRINTF_OBJS) $(STRLCAT_OBJS) \
+-		  $(MALLOC_OBJS) $(LBX_OBJS) xprintf.o
+		  $(MALLOC_OBJS) $(LBX_OBJS) xprintf.o $(TMEMCMP_OBJS)
+ 
+ #if SpecialMalloc
+      MEM_DEFINES = -DSPECIAL_MALLOC
+--- a/nx-X11/programs/Xserver/os/mitauth.c
+++ b/nx-X11/programs/Xserver/os/mitauth.c
+@@ -84,7 +84,7 @@ MitCheckCookie (
+ 
+     for (auth = mit_auth; auth; auth=auth->next) {
+         if (data_length == auth->len &&
+-	   memcmp (data, auth->data, (int) data_length) == 0)
+	   timingsafe_memcmp (data, auth->data, (int) data_length) == 0)
+ 	    return auth->id;
+     }
+     *reason = "Invalid MIT-MAGIC-COOKIE-1 key";
+--- /dev/null
+++ b/nx-X11/programs/Xserver/os/timingsafe_memcmp.c
+@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2014 Google Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <limits.h>
+#include <string.h>
+#include <nx-X11/Xfuncproto.h>
+#include "os.h"
+
+int
+timingsafe_memcmp(const void *b1, const void *b2, size_t len)
+{
+        const unsigned char *p1 = b1, *p2 = b2;
+        size_t i;
+        int res = 0, done = 0;
+
+        for (i = 0; i < len; i++) {
+                /* lt is -1 if p1[i] < p2[i]; else 0. */
+                int lt = (p1[i] - p2[i]) >> CHAR_BIT;
+
+                /* gt is -1 if p1[i] > p2[i]; else 0. */
+                int gt = (p2[i] - p1[i]) >> CHAR_BIT;
+
+                /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
+                int cmp = lt - gt;
+
+                /* set res = cmp if !done. */
+                res |= cmp & ~done;
+
+                /* set done if p1[i] != p2[i]. */
+                done |= lt | gt;
+        }
+
+        return (res);
+}
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -147,6 +147,7 @@
 1258_nx-X11_randr-Clean-up-compiler-warnings-about-u.full.patch
 1259_nx-X11_Make-RANDR-_set_-timestamps-follow-clien.full.patch
 1260_nx-X11_xserver-Avoid-sending-uninitialized-padd.full.patch
+1270_nx-X11_CVE-2017-2624-Use-timingsafe_memcmp-to-c.full.patch
 9900-dxpc-license-history.full+lite.patch
 0016_nx-X11_install-location.debian.patch
 0102_xserver-xext_set-securitypolicy-path.debian.patch