Security fixes: X.Org CVE-2014-8092:

v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) Changes: - 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch

Security fixes: X.Org CVE-2014-8092:
125254d3 · Mihai Moldovan · 4fb35326 · 125254d3 · 125254d3
Commit 125254d3 authored Jun 02, 2015 by Mihai Moldovan
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 5 deletions

changelog debian/changelog +6 -0

1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch ...ix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch +16 -5

No files found.
--- a/debian/changelog
+++ b/debian/changelog
@@ -169,6 +169,12 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low
      v3: backport v2 to nx-libs 3.5.0.x (Mihai Moldovan)
      Changes:
      + 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch
+  * Security fixes:
+    - X.Org CVE-2014-8092:
+      v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
+      v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)
+      Changes:
+      + 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch

  [ Bernard Cafarelli ]
  * nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'.

--- a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch
+++ b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch
@@ -12,6 +12,9 @@ pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
 on 32-bit systems (since the length is stored in a long int variable).

 v2: backport to nx-libs 3.6.x (Mike DePaulo)
+v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
+v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)
+
 Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
@@ -22,8 +25,6 @@ Conflicts:
 nx-X11/programs/Xserver/dix/dispatch.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

-diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c
-index 6941456..5ad2f5a 100644
 --- a/nx-X11/programs/Xserver/dix/dispatch.c
 +++ b/nx-X11/programs/Xserver/dix/dispatch.c
 @@ -2071,7 +2071,9 @@ ProcPutImage(register ClientPtr client)
@@ -37,6 +38,16 @@ index 6941456..5ad2f5a 100644
     if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + 
 	(sizeof(xPutImageReq) >> 2)) != client->req_len)
 	return BadLength;
-- 
-2.1.4
-
+--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
+@@ -2630,7 +2630,9 @@ ProcPutImage(register ClientPtr client)
+ 
+     tmpImage = (char *)&stuff[1];
+     lengthProto = length;
+-	
+    if (lengthProto >= (INT32_MAX / stuff->height))
+        return BadLength;
+
+     if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + 
+ 	(sizeof(xPutImageReq) >> 2)) != client->req_len)
+ 	return BadLength;