X2Go Bug report logs - #741
Default keystrokes are not fully overwritten

Package: nxagent; Maintainer for nxagent is X2Go Developers <x2go-dev@lists.x2go.org>; Source for nxagent is src:nx-libs.

Reported by: Alexander Lochmann <alexander.lochmann@tu-dortmund.de>

Date: Mon, 12 Jan 2015 20:50:01 UTC

Severity: normal

Tags: pending

Found in version 2:3.5.0.28-0x2go1+git20141113.546+wheezy.main.1

Fixed in version 2:3.5.0.29

Done: X2Go Release Manager <git-admin@x2go.org>

Bug is archived. No further changes may be made.


Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#741; Package nxagent. (Mon, 12 Jan 2015 20:50:02 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Lochmann <alexander.lochmann@tu-dortmund.de>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 12 Jan 2015 20:50:02 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Alexander Lochmann <alexander.lochmann@tu-dortmund.de>
To: submit@bugs.x2go.org
Cc: Horst Schirmeier <horst.schirmeier@tu-dortmund.de>
Subject: Default keystrokes are not fully overwritten
Date: Mon, 12 Jan 2015 21:39:16 +0100

Package: nxagent
Version: 2:3.5.0.28-0x2go1+git20141113.546+wheezy.main.1
Server: Debian 7.8; 32bit userland; 64bit kernel
x2goserver: Version: 4.0.1.18-0x2go1+git20141006.949+wheezy.main.1
Client: Actually, it does not matter on which OS I run the client to
reproduce this bug.

I commented out the following lines in /usr/bin/x2goagent:
NXAGENT_KEYSTROKEFILE=/etc/x2go/keystrokes.cfg
export NXAGENT_KEYSTROKEFILE

Furthermore, I modified the keystroke.cfg in /etc/nxagent. I attached
my version.
The keys work properly except the default keystrokes are *not* disabled.
According to
	http://code.x2go.org/gitweb?p=nx-libs.git;a=blob;f=debian/patches/320_nxagent_configurable-keystrokes.full.patch;h=ae1897d143231a4120c502766c6a28367db38a4d;hb=3fa67b6732e108c67cd415a31e94ccd6b0b3bc64

the default map should be fully overwritten by
/etc/nxagent/keystrokes.cfg. But they are not...

Greetings,
Alex
[keystrokes.cfg (text/html, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#741; Package nxagent. (Mon, 12 Jan 2015 22:40:02 GMT) (full text, mbox, link).


Acknowledgement sent to Horst Schirmeier <horst@schirmeier.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 12 Jan 2015 22:40:02 GMT) (full text, mbox, link).


Message #10 received at 741@bugs.x2go.org (full text, mbox, reply):

From: Horst Schirmeier <horst@schirmeier.com>
To: 741@bugs.x2go.org
Subject: [PATCH] fix typo in 320_nxagent_configurable-keystrokes.full.patch
Date: Mon, 12 Jan 2015 23:32:52 +0100
This subtle parenthesis typo made the R_OK check for
/etc/nxagent/keystrokes.cfg always fail.  As a consequence, only
~/.nx/config/keystrokes.cfg could be used for custom keystrokes.

This should fix bug #741.
---
 debian/patches/320_nxagent_configurable-keystrokes.full.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/patches/320_nxagent_configurable-keystrokes.full.patch b/debian/patches/320_nxagent_configurable-keystrokes.full.patch
index ae1897d..bcb8ef2 100644
--- a/debian/patches/320_nxagent_configurable-keystrokes.full.patch
+++ b/debian/patches/320_nxagent_configurable-keystrokes.full.patch
@@ -481,7 +481,7 @@ Description: Make nxagent-specific keyboard bindings configurable
 +    {
 +      /* empty */
 +    }
-+    else if (access(etcfile, R_OK == 0))
++    else if (access(etcfile, R_OK) == 0)
 +    {
 +      if (filename)
 +        free(filename);
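Review bot: on the corrected `else if (access(etcfile, R_OK) == 0)` line, the commit message should describe the old behaviour more precisely. In the removed line `R_OK == 0` evaluates to 0, which is F_OK, and the raw return value of access() was used as the condition, so the branch was skipped whenever etcfile existed and entered when it was missing. Stating that inversion in the message makes the regression easier to recognise later. As a style point in the context lines, `if (filename) free(filename);` can be reduced to `free(filename);` because free(NULL) is a no-op.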

-- 
PGP-Key 0xD40E0E7A
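
The effect of the misplaced parenthesis described in the patch above, as an added example that is not part of the original message or of the nx-libs source: it evaluates the old and the corrected condition against a present and a missing file. The /tmp path and the function names are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Condition as it stood before the fix: the comparison sits inside the
 * argument list. On Linux/glibc R_OK is 4 and F_OK is 0, so (R_OK == 0)
 * is 0, i.e. F_OK. The call only tests existence, and its raw return
 * value (0 = exists, -1 = missing) becomes the truth value of the if. */
int old_condition(const char *etcfile)
{
    return access(etcfile, R_OK == 0) ? 1 : 0;
}

/* Condition after the fix: true only when the file is readable. */
int fixed_condition(const char *etcfile)
{
    return access(etcfile, R_OK) == 0;
}

/* Creates a constructed stand-in for /etc/nxagent/keystrokes.cfg under
 * /tmp (hypothetical path), optionally deletes it again, and reports
 * whether the chosen condition would enter the "use etcfile" branch.
 * Returns 1 (branch taken), 0 (branch skipped) or -1 (setup failed). */
int branch_taken(int use_fixed, int file_present)
{
    char path[] = "/tmp/keystrokes-demo-XXXXXX";
    int fd = mkstemp(path);   /* created with mode 0600, readable by us */
    int taken;

    if (fd < 0)
        return -1;
    close(fd);
    if (!file_present && unlink(path) != 0)
        return -1;

    taken = use_fixed ? fixed_condition(path) : old_condition(path);

    if (file_present)
        unlink(path);
    return taken;
}

int main(void)
{
    int present;

    printf("%-14s %-8s %-8s\n", "config file", "old", "fixed");
    for (present = 1; present >= 0; present--)
        printf("%-14s %-8d %-8d\n", present ? "present" : "missing",
               branch_taken(0, present), branch_taken(1, present));
    return 0;
}
```

With the old condition an existing system-wide file is never selected, which matches the report that the defaults stayed active.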


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#741; Package nxagent. (Tue, 13 Jan 2015 04:40:01 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 13 Jan 2015 04:40:02 GMT) (full text, mbox, link).


Message #15 received at 741@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 741-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 741@bugs.x2go.org
Subject: X2Go issue (in src:nx-libs) has been marked as pending for release
Date: Tue, 13 Jan 2015 05:36:41 +0100 (CET)
tag #741 pending
fixed #741 2:3.5.0.29
thanks

Hello,

X2Go issue #741 (src:nx-libs) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=nx-libs.git;a=commitdiff;h=c09580a

The issue will most likely be fixed in src:nx-libs (2:3.5.0.29).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit c09580a52050af52c159566062092f4d0f1efb21
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date:   Tue Jan 13 05:36:24 2015 +0100

    Update 320_nxagent_configurable-keystrokes.full.patch. Fix a typo that prevented the /etc/nxagent/keystrokes.cfg file from being parsed. (Fixes: #741).

diff --git a/debian/changelog b/debian/changelog
index ff324f7..edd6fde 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,9 @@ nx-libs (2:3.5.0.29-0x2go1) UNRELEASED; urgency=medium
   * nx-libs.spec:
     + The gpg-offline bin:package is not available in our SLE repo. We can do
       without.
+    + Update 320_nxagent_configurable-keystrokes.full.patch. Fix a typo that
+      prevented the /etc/nxagent/keystrokes.cfg file to be parsed. (Fixes:
+      #741).
 
   [ Mihai Moldovan ]
   * Change string "X2go" to "X2Go" where appropriate.
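Review bot: the new entry is added as a `+` sub-item under `* nx-libs.spec:`, but it describes a change to 320_nxagent_configurable-keystrokes.full.patch, not to the spec file. It should be its own `*` item so the changelog does not attribute the fix to nx-libs.spec. The wording "prevented the /etc/nxagent/keystrokes.cfg file to be parsed" should also read "from being parsed".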


Added tag(s) pending. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Tue, 13 Jan 2015 04:40:03 GMT) (full text, mbox, link).


Marked as fixed in versions 2:3.5.0.29. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Tue, 13 Jan 2015 04:40:03 GMT) (full text, mbox, link).


Message sent on to Alexander Lochmann <alexander.lochmann@tu-dortmund.de>:
Bug#741. (Tue, 13 Jan 2015 04:40:04 GMT) (full text, mbox, link).


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#741; Package nxagent. (Fri, 13 Mar 2015 15:00:07 GMT) (full text, mbox, link).


Acknowledgement sent to X2Go Release Manager <git-admin@x2go.org>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 13 Mar 2015 15:00:07 GMT) (full text, mbox, link).


Message #27 received at 741@bugs.x2go.org (full text, mbox, reply):

From: X2Go Release Manager <git-admin@x2go.org>
To: 741-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 741@bugs.x2go.org
Subject: X2Go issue (in src:nx-libs) has been marked as closed
Date: Fri, 13 Mar 2015 15:56:10 +0100 (CET)
close #741
thanks

Hello,

we are very hopeful that X2Go issue #741 reported by you
has been resolved in the new release (2:3.5.0.29) of the
X2Go source project »src:nx-libs«.

You can view the complete changelog entry of src:nx-libs (2:3.5.0.29)
below, and you can use the following link to view all the code changes
between this and the last release of src:nx-libs.

    http://code.x2go.org/gitweb?p=nx-libs.git;a=commitdiff;h=b3aadd99d26c25ed5f015b324d1677af122c2246;hp=c69789464eaf6db4775b636eabb7b315c9525924

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:nx-libs.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:nx-libs
Version: 2:3.5.0.29-0x2go2
Status: RELEASE
Date: Fri, 13 Mar 2015 15:50:00 +0100
Fixes: 741 744
Changes: 
 nx-libs (2:3.5.0.29-0x2go2) RELEASED; urgency=medium
 .
     [ Mike Gabriel ]
   * Update 0320_nxagent_configurable-keystrokes.full.patch. Fix patch header
     referring to keystrokes.cfg (plural), not keystroke.cfg.
   * Allow sysadmins to manipulate nxagent's / x2goagent's rgb file by placing
     it into /etc/nxagent or /etc/x2go.
   * Provide support for separate .keyboard files for nxagent/x2goagent.
   * Modify 0101_nxagent_set-rgb-path.full.patch. Allow configurable rgb files.
   * Extend 0999_nxagent_unbrand-nxagent-brand-x2goagent.full.patch. Let rgb
     file shipped with x2goagent supersede rgb file shipped with nxagent.
     FIXME: a better approach would be to decide at runtime if to use
     /etc/x2go/rgb or /etc/nxagent/rgb.
   * Extend 0999_nxagent_unbrand-nxagent-brand-x2goagent.full.patch. Allow
     separate .keyboard files for x2goagent and nxagent.
   * Update 0600_nx-X11+nxcompext+nxcompshad_unique-libnames.full.patch. Don't
     patch files that get removed during code reduction.
   * Add 0991_fix-hr-typos.full+lite.patch and 991_fix-hr-typos.full.patch.
     Fix several typos in upstream code detected by lintian.
   * Makefile.nx-libs: Don't allow symlinks to point into buildroot.
   * Makefile.nx-libs: Install man pages via main Makefile.
   * Add Description: and Author: fields to various patch headers.
   * Makefile.nx-libs: Run make install for nxproxy first, then create the
     wrapper script.
   * Make install-lite rule in Makefile.nx-libs more predictable and not
     rely on nxproxy/Makefile.in.
   * Makefile.nx-libs: Fix uninstall-lite rule. The nxproxy and nxcomp
     uninstallation has to be in uninstall-lite, not in uninstall-full.
   * Update 1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch.
     Fix broken comment paragraph, whitespace fix.
 .
   * NX code reduction efforts (from 93Mb to 41Mb):
     - Drop more unused code in nx-X11/programs/Xserver/hw/. Do this in
       roll-tarball.sh and in debian/rules alike.
     - Stop shipping unused / very old xterm code.
     - Drop nx-X11/programs/Xserver/hw/xfree86 except of four files symlinked
       to other locations in the source tree at build time.
     - More source tree size reduction by analyzing what exactly of the Mesa
       source code in nx-X11/extras/ is used and what not.
     - Drop more unused folders from tarball release / before .deb package build:
       .  nx-X11/programs/Xserver/miext/shadow/
       .  nx-X11/programs/Xserver/XpConfig/
       .  nx-X11/programs/Xserver/Xprint/
     - Makefile.nx-libs: Don't install Mesa header files into DESTDIR anymore.
     - Unify source tree reduction (debian/rules vs. roll-tarball.sh) via file/
       folder lists in text files named debian/CODE-REDUCTION_*.
     - Update 0991_fix-hr-typos.full.patch. Don't patch files that get removed by
       the NX code reduction effort.
     - Drop 0604_nx-X11_recent-freetype-API.full.patch. Not used in current build
       process.
     - Update 0600_nx-X11+nxcompext+nxcompshad_unique-libnames.full.patch. Don't
       patch files matter to the NX code reduction efforts.
     - Update 0031_nx-X11_parallel-make.full.patch. Don't patch .original files
       in NX code tree.
     - Drop patches: 0017_nx-X11_update-autotools-helper-files.full.patch,
       0018_nx-X11_update-libtool-ltmain-script.full.patch,
       0019_nx-X11_expat-build-against-system-libxmltok.full.patch. They patch
       files that are not used at build time.
 .
   * Patch system:
     - Prepend a "0" to every patch file name in debian/patches/. The patch
       order is now given by a 4 digit ID. Adapt only this changelog stanza to
       this modification.
 .
   * Debian/Ubuntu packaging:
     + Fully rework the way nx-libs gets packaged for Debian/Ubuntu.
     + Split up libnx-x11 into individual packages.
     + Provide dbg:packages for each bin:package containing binaries.
     + Use Makefile logic to install files into DESTDIR.
     + Provide dev:packages for each lib:package individually.
     + Provide nx-x11proto-*-dev packages for all libnx-* libraries.
     + Install _all_ library files (*.so*) to /usr/lib/<triplet>/, so
       no extra settings of LD_LIBRARY_PATH is necessary.
     + Add Multi-Arch support for Debian based distro versions that
       support Multi-Arch.
     + Support hardened builds for nxcomp* libraries.
     + Support hardened builds for nxagent and libNX_*.so files.
     + Add debian/*.symbols files for shared nx-X11 libraries.
     + Support .symbols for 64bit and 32bit alike.
     + Provide CDBS-generated debian/copyright.in file.
 .
   * debian/rules:
     + Backup nxcomp/VERSION file from NoMachine before replacing it with
       a symlink to debian/VERSION. Recreate the original file when cleaning
       up.
     + Fix removal of unused code (that part of the code that we know of so
       far). (The debian/rules file is a Makefile and Makefiles don't understand
       shell globbing with curly braces).
     + Correctly link config files (etc/rgb, etc/nxagent.keyboard,
       etc/x2goagent.keyboard) before dh_auto_build.
     + Add to B-D: expat.
     + Install upstream ChangeLogs into bin:packages.
     + Remove upstream nx-libs ChangeLog during override_dh_clean.
     + Use proper quoting on build flag vars (they may contain spaces).
 .
   * nx-libs.spec:
     + The gpg-offline bin:package is not available in our SLE repo. We can do
       without.
     + Update .spec file to meet changes in tarball size reduction and
       restructuring.
     + Use SONAME based library package naming scheme.
     + Mention NX technology in every package description.
     + Install man pages into bin:packages.
     + Make libNX_X11-6 and libXinerama1 compliant to Shared Library Policy.
     + Add Obsoletes: fields to all shared libs for marking the non-versioned
       library package (names) as obsolete.
     + Don't depend on nx-libs base package with fixed version.
     + Don't fail if removing *.a files fails due to the files being non-present.
     + Set PREFIX=%{_prefix} USRLIBDIR=%{_libdir} SHLIBDIR=%{_libdir} at build
       time.
     + Assure that BuildRoot: is set.
     + On SLE 11.x: libX* packages are prefixed with "xorg-x11-".
     + Install "%{_libdir}/nx/bin" into nxproxy package.
 .
   * debian/roll-tarball.sh:
     + Install etc/ files into etc/ subfolder (rgb, nxagent.keyboard,
       x2goagent.keyboard).
 .
   [ Horst Schirmeier ]
   * Update 0320_nxagent_configurable-keystrokes.full.patch. Fix a typo that
     prevented the /etc/nxagent/keystrokes.cfg file from being parsed. (Fixes:
     #741).
   * Add 0321_nxagent_x2go-specific-keystroke-config.full.patch. If nxagent is
     launched as x2goagent, use X2Go-specific paths for the keystrokes.cfg file.
     (Fixes: #744).
 .
   [ Michael DePaulo ]
   * Security Fixes:
     - Rebase loads of X.Org patches (mainly from RHEL-5) against NX. If not
       all patches from a CVE patch series appear here, then it means that
       the affected file/code is not used in NX at build time.
 .
     - X.Org CVE-2011-2895:
         1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch
     - X.Org CVE-2011-4028:
         1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch
     - X.Org CVE-2013-4396:
         1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
     - X.Org CVE-2013-6462:
         1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch
     - X.Org CVE-2014-0209:
         1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch
         1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch
     - X.Org CVE-2014-0210:
         1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
         1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch
         1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
         1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
         1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch
         1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
         1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
     - X.Org CVE-2014-0211:
         1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch
         1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
         1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch
         1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
     - X.Org CVE-2014-8092:
         1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
         1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
         1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
         1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
     - X.Org CVE-2014-8097:
         1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
     - X.Org CVE-2014-8095:
         1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
     - X.Org CVE-2014-8096:
         1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
     - X.Org CVE-2014-8099:
         1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
     - X.Org CVE-2014-8100:
         1027-render-check-request-size-before-reading-it-CVE-2014.patch
         1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
     - X.Org CVE-2014-8102:
         1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
     - X.Org CVE-2014-8101:
         1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
     - X.Org CVE-2014-8093:
         1031-glx-Be-more-paranoid-about-variable-length-requests-.patch
         1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
         1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
         1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch
         1036-glx-Integer-overflow-protection-for-non-generated-re.patch
     - X.Org CVE-2014-8098:
         1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
         1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
         1038-glx-Length-checking-for-non-generated-single-request.patch
         1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
         1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
     - X.org CVE-2015-0255
         1104-xkb-Check-strings-length-against-request-size.patch
 .
     - Security fixes with no assigned CVE:
         1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch
 .
     - Rebase the following patches that are prerequisites for the
       CVE-2015-0255 patch:
         1101-Coverity-844-845-846-Fix-memory-leaks.patch
         1102-include-introduce-byte-counting-functions.patch
         1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
 .
     - Fix FTBFS due to the nxproxy executable already existing under
       /usr/lib/nx/bin/nx/
 .
   [ Mihai Moldovan ]
   * Change string "X2go" to "X2Go" where appropriate.
   * CVE security review:
     - Update 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch.
       Use xfree() instead of free() in nx-libs.
     - Update 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch.
       Apply correctly on nx-libs 3.6.x.
     - Update 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch.
       Human-readable version of "1 MB".
     - Add 1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch.
       Initialize remaining bufleft variables (nx-X11/lib/font/fc/fserve.c).
     - Add 1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch.
       Do proper input validation to fix for CVE-2011-2895.


Marked Bug as done Request was from X2Go Release Manager <git-admin@x2go.org> to control@bugs.x2go.org. (Fri, 13 Mar 2015 15:00:12 GMT) (full text, mbox, link).


Notification sent to Alexander Lochmann <alexander.lochmann@tu-dortmund.de>:
Bug acknowledged by developer. (Fri, 13 Mar 2015 15:00:12 GMT) (full text, mbox, link).


Message sent on to Alexander Lochmann <alexander.lochmann@tu-dortmund.de>:
Bug#741. (Fri, 13 Mar 2015 15:00:25 GMT) (full text, mbox, link).


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#741; Package nxagent. (Fri, 13 Mar 2015 15:05:07 GMT) (full text, mbox, link).


Acknowledgement sent to X2Go Release Manager <git-admin@x2go.org>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 13 Mar 2015 15:05:07 GMT) (full text, mbox, link).


Message #39 received at 741@bugs.x2go.org (full text, mbox, reply):

From: X2Go Release Manager <git-admin@x2go.org>
To: 741-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 741@bugs.x2go.org
Subject: X2Go issue (in src:nx-libs) has been marked as closed
Date: Fri, 13 Mar 2015 16:02:38 +0100 (CET)
close #741
thanks



Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#741; Package nxagent. (Fri, 13 Mar 2015 15:05:08 GMT).


Acknowledgement sent to X2Go Release Manager <git-admin@x2go.org>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 13 Mar 2015 15:05:08 GMT).


Message #44 received at 741@bugs.x2go.org:

From: X2Go Release Manager <git-admin@x2go.org>
To: 741-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 741@bugs.x2go.org
Subject: X2Go issue (in src:nx-libs) has been marked as closed
Date: Fri, 13 Mar 2015 16:02:52 +0100 (CET)
close #741
thanks

Hello,

we are very hopeful that X2Go issue #741 reported by you
has been resolved in the new release (2:3.5.0.29) of the
X2Go source project »src:nx-libs«.

You can view the complete changelog entry of src:nx-libs (2:3.5.0.29)
below, and you can use the following link to view all the code changes
between this and the last release of src:nx-libs.

    http://code.x2go.org/gitweb?p=nx-libs.git;a=commitdiff;h=0db9c76dde03552579ef46385f80fc7076b80a36;hp=c69789464eaf6db4775b636eabb7b315c9525924

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:nx-libs.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:nx-libs
Version: 2:3.5.0.29-0x2go2
Status: RELEASE
Date: Fri, 13 Mar 2015 15:50:00 +0100
Fixes: 741 744
Changes: 
 nx-libs (2:3.5.0.29-0x2go2) RELEASED; urgency=medium
 .
     [ Mike Gabriel ]
   * Update 0320_nxagent_configurable-keystrokes.full.patch. Fix patch header
     referring to keystrokes.cfg (plural), not keystroke.cfg.
   * Allow sysadmins to manipulate nxagent's / x2goagent's rgb file by placing
     it into /etc/nxagent or /etc/x2go.
   * Provide support for separate .keyboard files for nxagent/x2goagent.
   * Modify 0101_nxagent_set-rgb-path.full.patch. Allow configurable rgb files.
   * Extend 0999_nxagent_unbrand-nxagent-brand-x2goagent.full.patch. Let rgb
     file shipped with x2goagent supersede rgb file shipped with nxagent.
     FIXME: a better approach would be to decide at runtime if to use
     /etc/x2go/rgb or /etc/nxagent/rgb.
   * Extend 0999_nxagent_unbrand-nxagent-brand-x2goagent.full.patch. Allow
     separate .keyboard files for x2goagent and nxagent.
   * Update 0600_nx-X11+nxcompext+nxcompshad_unique-libnames.full.patch. Don't
     patch files that get removed during code reduction.
   * Add 0991_fix-hr-typos.full+lite.patch and 991_fix-hr-typos.full.patch.
     Fix several typos in upstream code detected by lintian.
   * Makefile.nx-libs: Don't allow symlinks to point into buildroot.
   * Makefile.nx-libs: Install man pages via main Makefile.
   * Add Description: and Author: fields to various patch headers.
   * Makefile.nx-libs: Run make install for nxproxy first, then create the
     wrapper script.
   * Make install-lite rule in Makefile.nx-libs more predictable and not
     rely on nxproxy/Makefile.in.
   * Makefile.nx-libs: Fix uninstall-lite rule. The nxproxy and nxcomp
     uninstallation has to be in uninstall-lite, not in uninstall-full.
   * Update 1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch.
     Fix broken comment paragraph, whitespace fix.
 .
   * NX code reduction efforts (from 93Mb to 41Mb):
     - Drop more unused code in nx-X11/programs/Xserver/hw/. Do this in
       roll-tarball.sh and in debian/rules alike.
     - Stop shipping unused / very old xterm code.
     - Drop nx-X11/programs/Xserver/hw/xfree86 except of four files symlinked
       to other locations in the source tree at build time.
     - More source tree size reduction by analyzing what exactly of the Mesa
       source code in nx-X11/extras/ is used and what not.
     - Drop more unused folders from tarball release / before .deb package build:
       .  nx-X11/programs/Xserver/miext/shadow/
       .  nx-X11/programs/Xserver/XpConfig/
       .  nx-X11/programs/Xserver/Xprint/
     - Makefile.nx-libs: Don't install Mesa header files into DESTDIR anymore.
     - Unify source tree reduction (debian/rules vs. roll-tarball.sh) via file/
       folder lists in text files named debian/CODE-REDUCTION_*.
     - Update 0991_fix-hr-typos.full.patch. Don't patch files that get removed by
       the NX code reduction effort.
     - Drop 0604_nx-X11_recent-freetype-API.full.patch. Not used in current build
       process.
     - Update 0600_nx-X11+nxcompext+nxcompshad_unique-libnames.full.patch. Don't
       patch files matter to the NX code reduction efforts.
     - Update 0031_nx-X11_parallel-make.full.patch. Don't patch .original files
       in NX code tree.
     - Drop patches: 0017_nx-X11_update-autotools-helper-files.full.patch,
       0018_nx-X11_update-libtool-ltmain-script.full.patch,
       0019_nx-X11_expat-build-against-system-libxmltok.full.patch. They patch
       files that are not used at build time.
 .
   * Patch system:
     - Prepend a "0" to every patch file name in debian/patches/. The patch
       order is now given by a 4 digit ID. Adapt only this changelog stanza to
       this modification.
 .
   * Debian/Ubuntu packaging:
     + Fully rework the way nx-libs gets packaged for Debian/Ubuntu.
     + Split up libnx-x11 into individual packages.
     + Provide dbg:packages for each bin:package containing binaries.
     + Use Makefile logic to install files into DESTDIR.
     + Provide dev:packages for each lib:package individually.
     + Provide nx-x11proto-*-dev packages for all libnx-* libraries.
     + Install _all_ library files (*.so*) to /usr/lib/<triplet>/, so
       no extra settings of LD_LIBRARY_PATH is necessary.
     + Add Multi-Arch support for Debian based distro versions that
       support Multi-Arch.
     + Support hardened builds for nxcomp* libraries.
     + Support hardened builds for nxagent and libNX_*.so files.
     + Add debian/*.symbols files for shared nx-X11 libraries.
     + Support .symbols for 64bit and 32bit alike.
     + Provide CDBS-generated debian/copyright.in file.
 .
   * debian/rules:
     + Backup nxcomp/VERSION file from NoMachine before replacing it with
       a symlink to debian/VERSION. Recreate the original file when cleaning
       up.
     + Fix removal of unused code (that part of the code that we know of so
       far). (The debian/rules file is a Makefile and Makefiles don't understand
       shell globbing with curly braces).
     + Correctly link config files (etc/rgb, etc/nxagent.keyboard,
       etc/x2goagent.keyboard) before dh_auto_build.
     + Add to B-D: expat.
     + Install upstream ChangeLogs into bin:packages.
     + Remove upstream nx-libs ChangeLog during override_dh_clean.
     + Use proper quoting on build flag vars (they may contain spaces).
 .
   * nx-libs.spec:
     + The gpg-offline bin:package is not available in our SLE repo. We can do
       without.
     + Update .spec file to meet changes in tarball size reduction and
       restructuring.
     + Use SONAME based library package naming scheme.
     + Mention NX technology in every package description.
     + Install man pages into bin:packages.
     + Make libNX_X11-6 and libXinerama1 compliant to Shared Library Policy.
     + Add Obsoletes: fields to all shared libs for marking the non-versioned
       library package (names) as obsolete.
     + Don't depend on nx-libs base package with fixed version.
     + Don't fail if removing *.a files fails due to the files being non-present.
     + Set PREFIX=%{_prefix} USRLIBDIR=%{_libdir} SHLIBDIR=%{_libdir} at build
       time.
     + Assure that BuildRoot: is set.
     + On SLE 11.x: libX* packages are prefixed with "xorg-x11-".
     + Install "%{_libdir}/nx/bin" into nxproxy package.
 .
   * debian/roll-tarball.sh:
     + Install etc/ files into etc/ subfolder (rgb, nxagent.keyboard,
       x2goagent.keyboard).
 .
   [ Horst Schirmeier ]
   * Update 0320_nxagent_configurable-keystrokes.full.patch. Fix a typo that
     prevented the /etc/nxagent/keystrokes.cfg file from being parsed. (Fixes:
     #741).
   * Add 0321_nxagent_x2go-specific-keystroke-config.full.patch. If nxagent is
     launched as x2goagent, use X2Go-specific paths for the keystrokes.cfg file.
     (Fixes: #744).
 .
   [ Michael DePaulo ]
   * Security Fixes:
     - Rebase loads of X.Org patches (mainly from RHEL-5) against NX. If not
       all patches from a CVE patch series appear here, then it means that
       the affected file/code is not used in NX at build time.
 .
     - X.Org CVE-2011-2895:
         1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch
     - X.Org CVE-2011-4028:
         1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch
     - X.Org CVE-2013-4396:
         1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
     - X.Org CVE-2013-6462:
         1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch
     - X.Org CVE-2014-0209:
         1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch
         1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch
     - X.Org CVE-2014-0210:
         1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
         1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch
         1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
         1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
         1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch
         1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
         1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
     - X.Org CVE-2014-0211:
         1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch
         1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
         1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch
         1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
     - X.Org CVE-2014-8092:
         1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
         1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
         1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
         1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
     - X.Org CVE-2014-8097:
         1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
     - X.Org CVE-2014-8095:
         1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
     - X.Org CVE-2014-8096:
         1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
     - X.Org CVE-2014-8099:
         1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
     - X.Org CVE-2014-8100:
         1027-render-check-request-size-before-reading-it-CVE-2014.patch
         1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
     - X.Org CVE-2014-8102:
         1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
     - X.Org CVE-2014-8101:
         1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
     - X.Org CVE-2014-8093:
         1031-glx-Be-more-paranoid-about-variable-length-requests-.patch
         1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
         1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
         1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch
         1036-glx-Integer-overflow-protection-for-non-generated-re.patch
     - X.Org CVE-2014-8098:
         1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
         1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
         1038-glx-Length-checking-for-non-generated-single-request.patch
         1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
         1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
     - X.org CVE-2015-0255
         1104-xkb-Check-strings-length-against-request-size.patch
 .
     - Security fixes with no assigned CVE:
         1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch
 .
     - Rebase the following patches that are prerequisites for the
       CVE-2015-0255 patch:
         1101-Coverity-844-845-846-Fix-memory-leaks.patch
         1102-include-introduce-byte-counting-functions.patch
         1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch
 .
     - Fix FTBFS due to the nxproxy executable already existing under
       /usr/lib/nx/bin/nx/
 .
   [ Mihai Moldovan ]
   * Change string "X2go" to "X2Go" where appropriate.
   * CVE security review:
     - Update 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch.
       Use xfree() instead of free() in nx-libs.
     - Update 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch.
       Apply correctly on nx-libs 3.6.x.
     - Update 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch.
       Human-readable version of "1 MB".
     - Add 1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch.
       Initialize remaining bufleft variables (nx-X11/lib/font/fc/fserve.c).
     - Add 1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch.
       Do proper input validation to fix for CVE-2011-2895.


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#741; Package nxagent. (Fri, 13 Mar 2015 15:05:09 GMT).


Acknowledgement sent to X2Go Release Manager <git-admin@x2go.org>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 13 Mar 2015 15:05:09 GMT).


Message #49 received at 741@bugs.x2go.org:

From: X2Go Release Manager <git-admin@x2go.org>
To: 741-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 741@bugs.x2go.org
Subject: X2Go issue (in src:nx-libs) has been marked as closed
Date: Fri, 13 Mar 2015 16:02:46 +0100 (CET)
close #741
thanks

Hello,

we are very hopeful that X2Go issue #741 reported by you
has been resolved in the new release (2:3.5.0.29) of the
X2Go source project »src:nx-libs«.

You can view the complete changelog entry of src:nx-libs (2:3.5.0.29)
below, and you can use the following link to view all the code changes
between this and the last release of src:nx-libs.

    http://code.x2go.org/gitweb?p=nx-libs.git;a=commitdiff;h=3e4f8c722194feb520717493745bc864f78742a2;hp=c69789464eaf6db4775b636eabb7b315c9525924

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:nx-libs.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)



Message sent on to Alexander Lochmann <alexander.lochmann@tu-dortmund.de>:
Bug#741. (Fri, 13 Mar 2015 15:05:33 GMT).


Message sent on to Alexander Lochmann <alexander.lochmann@tu-dortmund.de>:
Bug#741. (Fri, 13 Mar 2015 15:05:35 GMT).


Message sent on to Alexander Lochmann <alexander.lochmann@tu-dortmund.de>:
Bug#741. (Fri, 13 Mar 2015 15:05:36 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.x2go.org> to internal_control@bugs.x2go.org. (Sat, 11 Apr 2015 05:24:01 GMT).


X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Sep 30 09:54:16 2020; Machine Name: ymir.das-netzwerkteam.de
