CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f

fs_read_query_info() parses a reply from the font server.  The reply
contains embedded length fields, none of which are validated.  This
can cause out of bound reads in either fs_read_query_info() or in
_fs_convert_props() which it calls to parse the fsPropInfo in the reply.

CVE-2014-0211: Integer overflow in fs_get_reply/_fs_start_read from xorg/lib/libXfont commit 0f1a5d372c143f91a602bdf10c917d7eabaee09b

fs_get_reply() would take any reply size, multiply it by 4 and pass to
_fs_start_read.  If that size was bigger than the current reply buffer
size, _fs_start_read would add it to the existing buffer size plus the
buffer size increment constant and realloc the buffer to that result.

This math could overflow, causing the code to allocate a smaller
buffer than the amount it was about to read into that buffer from
the network.  It could also succeed, allowing the remote font server
to cause massive allocations in the X server, possibly using up all
the address space in a 32-bit X server, allowing the triggering of
other bugs in code that fails to handle malloc failure properly.

This patch protects against both problems, by disconnecting any
font server trying to feed us more than (the somewhat arbitrary)
64 mb in a single reply.

CVE-2014-0210: unvalidated lengths when reading replies from font server from xorg/lib/libXfont commit cbb64aef35960b2882be721f4b8fbaa0fb649d12

Functions to handle replies to font server requests were casting replies
from the generic form to reply specific structs without first checking
that the reply was at least as long as the struct being cast to.

Don't crash when we receive an FS_Error from the font server (Guillem Jover). from xorg/lib/libXfont commit bfb8a71f4f7e5c5ed4278cb3ee271bf9990d276d

CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d

The connection setup reply from the font server can include a list
of alternate servers to contact if this font server stops working.

The reply specifies a total size of all the font server names, and
then provides a list of names. _fs_recv_conn_setup() allocated the
specified total size for copying the names to, but didn't check to
make sure it wasn't copying more data to that buffer than the size
it had allocated.

CVE-2014-0209: integer overflow of realloc() size in lexAlias() from xorg/lib/libXfont commit 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc

lexAlias() reads from a file in a loop. It does this by starting with a
64 byte buffer.  If that size limit is hit, it does a realloc of the
buffer size << 1, basically doubling the needed length every time the
length limit is hit.

Eventually, this will shift out to 0 (for a length of ~4gig), and that
length will be passed on to realloc().  A length of 0 (with a valid
pointer) causes realloc to free the buffer on most POSIX platforms,
but the caller will still have a pointer to it, leading to use after
free issues.

CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry() from xorg/lib/libXfont commit 2f5e57317339c526e6eaee1010b0e2ab8089c42e

FontFileReadDirectory() opens a fonts.dir file, and reads over every
line in an fscanf loop.  For each successful entry read (font name,
file name) a call is made to FontFileAddFontFile().

FontFileAddFontFile() will add a font file entry (for the font name
and file) each time it’s called, by calling FontFileAddEntry().
FontFileAddEntry() will do the actual adding.  If the table it has
to add to is full, it will do a realloc, adding 100 more entries
to the table size without checking to see if that will overflow the
int used to store the size.

CVE-2013-6462: unlimited sscanf overflows stack buffer in bdfReadCharacters() from xorg/lib/libXfont http://lists.x.org/archives/xorg-announce/2014-January/002389.html

Fixes cppcheck warning:
 [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
  scanf without field width limits can crash with huge input data.

Avoid use-after-free in dix/dixfonts.c: doImageText() [CVE-2013-4396] from xorg/Xserver http://lists.x.org/archives/xorg-announce/2013-October/002332.html

Save a pointer to the passed in closure structure before copying it
and overwriting the *c pointer to point to our copy instead of the
original.  If we hit an error, once we free(c), reset c to point to
the original structure before jumping to the cleanup code that
references *c.

Since one of the errors being checked for is whether the server was
able to malloc(c->nChars * itemSize), the client can potentially pass
a number of characters chosen to cause the malloc to fail and the
error path to be taken, resulting in the read from freed memory.

Since the memory is accessed almost immediately afterwards, and the
X server is mostly single threaded, the odds of the free memory having
invalid contents are low with most malloc implementations when not using
memory debugging features, but some allocators will definitely overwrite
the memory there, leading to a likely crash.

Fix CVE-2011-4028: File disclosure vulnerability. upstream xorg/xserver commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34

use O_NOFOLLOW to open the existing lock file, so symbolic links
aren't followed, thus avoid revealing if it point to an existing
file.

LZW decompress: fix for CVE-2011-2895 From xorg/lib/Xfont commit d11ee5886e9d9ec610051a206b135a4cdc1e09a0

    Specially crafted LZW stream can crash an application using libXfont
    that is used to open untrusted font files.  With X server, this may
    allow privilege escalation when exploited

  Adapted packaging scripts:

   debian/roll-tarballs.sh
   nx-libs.spec

  Affected packagings scripts:

    debian/roll-tarballs.sh
    debian/rules
    nx-libs.spec

  The installation process copies NX wrapper scripts into
  $(srcbase)/bin/ before build time.

  Those wrapper scripts are now in place natively and need not
  to be copied prior to building NX.

  Packaging scripts with adaptation:

   debian/roll-tarballs.sh
   debian/rules
   debian/*.docs
   nx-libs.spec

  This makes it obsolete to add changes to debian/changelog. We document
  our changes in Git (3.6.x branch and other related branches). On
  release, we generate an upstream ChangeLog from Git history.

  Only on the 3.5.0.x, we continue maintaining our changes in
  debian/changelog (to be compliant with current nx-libs release workflow
  in X2Go).

  The following packaging scripts needed adaptations to this change:

    debian/roll-tarballs.sh
    debian/rules
    nx-libs.spec

VERSION file: master VERSION file is in base folder, symlinked from nx*/VERSION and hw/nxagent/VERSION.

  This commit removes the debian/VERSION file at makes it now unnecessary to
  copy/symlink the VERSION file at build time. These build scripts got adapted:

    debian/roll-tarballs.sh
    debian/rules
    nx-libs.spec

  Furthermore, all NX component now use the main VERSION file as reference.

    typechange: nxcomp/VERSION
    typechange: nxcompext/VERSION
    typechange: nxcompshad/VERSION
    typechange: nxproxy/VERSION

    debian/roll-tarballs.sh
    debian/rules
    nx-libs.spec

This reverts commit 4436e979.

  NoMachine kept all original X.Org 6.9 files in the nx-X11 source
  tree. These files have been removed in Feb 2015 during a major
  code cleanup.

  For later studying we provide all diffs of the changes that
  NoMachine employed on the original X.Org X11 code tree in the
  doc/nx-X11_vs_XOrg69_patches folder.

Unbrand NX Agent Startup Screen / Brand X2Go Agent Startup Screen (999_nxagent_unbrand-nxagent-brand-x2goagent.full.patch).

  When launched with NX Agent flavour, the startup screen gets unbranded by
  this patch (the !M logo does not get shown).

  When launched with X2Go Agent flavour, the startup screen gets branded
  with the X2GO logo.

  Former patch file names:
  991_fix-hr-typos.full+lite.patch
  991_fix-hr-typos.full.patch

  (1) In nx-X11/programs/Xserver/dix:

  Fix several compile errors when specifying -DDEBUG globally. Previous GCC
  versions were more liberal and the code thus compiled.

  Also initialize/reset a count variable correctly.

  (2) In nx-X11/programs/Xserver/hw/nxagent/Render.c:

  Check for pSrc->pDrawable to exist instead of having nxagent segfault when
  it does not.

  This enables the possibility of compiling all nxagent modules in TEST mode.

Detection for Mac OS X's launchd service on Mac OS X 10.10 and beyond (607_nxcomp_macosx-X11-launcher-in-private-tmp.full+lite.patch).

In Types.h, don't use STL internals on libc++ (605_nxcomp_Types.h-dont-use-STL-internals-on-libc++.full+lite.patch).

  The nx-libs-lite package does not compile on OS X Mavericks because
  Apple's clang compilers now default to compiling against the libc++ STL
  rather than (their outdated copy of) libstdc++.

  While the compiler still allows changing that, we should not rely on
  this being possible forever.

  The compiler chokes in Types.h, specifically the clear() methods in
  subclasses of vectors that use implementation details of the GNU STL.
  The attached patch fixes these compilation issues by not overriding the
  clear() method when compiling against libc++, since the libc++ headers
  seem to do essentially the same as the overriden method.

Be compliant with POS36-C: Observe correct revocation order while relinquishing privileges (602_nx-X11_initgroups.full.patch).

  The Fedora review of NX (redistributed) caught the following rpmlint issue:

  This executable is calling setuid and setgid without setgroups or initgroups.
  There is a high probability this mean it didn't relinquish all groups, and this
  would be a potential security issue to be fixed. Seek POS36-C on the web for
  details about the problem.

  Ref POS36-C:
  https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

  This patch adds initgroups() calls to the code to initialize the supplemental group list.

Do not build bundled libraries (601_nx-X11_build-option-changes-to-not-use-bundled-libraries.full.patch).

  This commit has been submitted by Orion in two
  portions. One was submitted to X2Go BTS and created
  on Wed, 10 Jul 2013.

  The other portion has been taken from the Fedora
  package by Mike Gabriel and worked into this
  patch on Fri, 06 Dec 2013.

  We really want to make use of rpm's automatic dependency finding.
  Binaries are scanned for DT_NEEDED entries, the latter of which are
  then used for populating the "Requires"-type deps. The "nxagent"
  binary for example would require libX11.so.6. That incurs problems:

  1. A package manager told to install nxagent could select xorg-x11
  rather than nx-libs, even though nxagent depends on the NX version.

  2. A package manager told to install $some_program could select nx-libs
  rather than xorg-x11 (since both provide libX11.so.6), but, since
  the NX library is in an obscure directory, running $some_program
  would fail as libX11.so.6 is not found.

  To solve this, give the NX libraries unique names different from the
  Xorg ones.

Adapt paths of keystrokes.cfg if nxagent runs as x2goagent (321_nxagent_x2go-specific-keystroke-config.full.patch).

Make nxagent-specific keyboard bindings configurable (320_nxagent_configurable-keystrokes.full.patch).

  Replaces the hardcoded nxagent keybindings by a configurable
  table of keybindings. The default configuration is the same as the
  original one, to maintain compatibility. A user/administrator can either
  specify a command line parameter, environment variable or place a file
  in ~/.nx/config/keystrokes.cfg or /etc/nxagent/keystrokes.cfg to reconfigure
  these keybindings.

  The configuration file format is XML, a dependency on libxml2 is added
  to allow parsing the configuration.

Test for xkb/rules/base instead of xkb/keymap.dir for setting XkbBaseDir (302_nx-X11_xkbbasedir-detection.full.patch).

  In recent (as of 2014/06) X.org release, the keymap.dir file
  has become obsolete. Let's test for the xkb/rules/base file
  instead.