Package: nxagent; Maintainer for nxagent is X2Go Developers <x2go-dev@lists.x2go.org>; Source for nxagent is src:nx-libs.
Reported by: Alexander Lochmann <alexander.lochmann@tu-dortmund.de>
Date: Mon, 12 Jan 2015 20:50:01 UTC
Severity: normal
Tags: pending
Found in version 2:3.5.0.28-0x2go1+git20141113.546+wheezy.main.1
Fixed in version 2:3.5.0.29
Done: X2Go Release Manager <git-admin@x2go.org>
Bug is archived. No further changes may be made.
MIME-Version: 1.0
X-Mailer: MIME-tools 5.502 (Entity 5.502)
X-Loop: owner@bugs.x2go.org
From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#741 closed by X2Go Release Manager <git-admin@x2go.org> (X2Go issue (in src:nx-libs) has been marked as closed)
Message-ID: <handler.741.c.142625861225483.notifdone@bugs.x2go.org>
References: <20150313145610.CC07F5E15E@ymir.das-netzwerkteam.de>
X-X2go-PR-Keywords: pending
X-X2go-PR-Message: they-closed 741
X-X2go-PR-Package: nxagent
X-X2go-PR-Source: nx-libs
Date: Fri, 13 Mar 2015 15:00:12 +0000
Content-Type: multipart/mixed; boundary="----------=_1426258812-26002-0"
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your Bug report which was filed against the nxagent package:

#741: Default keystrokes are not fully overwritten

It has been closed by X2Go Release Manager <git-admin@x2go.org>.

Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact X2Go Release Manager <git-admin@x2go.org> by replying to this email.

--
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems
[Message part 2 (message/rfc822, inline)]
From: X2Go Release Manager <git-admin@x2go.org>
To: 741-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 741@bugs.x2go.org
Subject: X2Go issue (in src:nx-libs) has been marked as closed
Date: Fri, 13 Mar 2015 15:56:10 +0100 (CET)

close #741
thanks

Hello,

we are very hopeful that X2Go issue #741 reported by you has been resolved in the new release (2:3.5.0.29) of the X2Go source project »src:nx-libs«.

You can view the complete changelog entry of src:nx-libs (2:3.5.0.29) below, and you can use the following link to view all the code changes between this and the last release of src:nx-libs.

http://code.x2go.org/gitweb?p=nx-libs.git;a=commitdiff;h=b3aadd99d26c25ed5f015b324d1677af122c2246;hp=c69789464eaf6db4775b636eabb7b315c9525924

If you feel that the issue has not been resolved satisfyingly, feel free to reopen this bug report or submit a follow-up report with further observations described based on the new released version of src:nx-libs.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:nx-libs
Version: 2:3.5.0.29-0x2go2
Status: RELEASE
Date: Fri, 13 Mar 2015 15:50:00 +0100
Fixes: 741 744
Changes:
 nx-libs (2:3.5.0.29-0x2go2) RELEASED; urgency=medium

   [ Mike Gabriel ]
   * Update 0320_nxagent_configurable-keystrokes.full.patch. Fix patch header
     referring to keystrokes.cfg (plural), not keystroke.cfg.
   * Allow sysadmins to manipulate nxagent's / x2goagent's rgb file by placing
     it into /etc/nxagent or /etc/x2go.
   * Provide support for separate .keyboard files for nxagent/x2goagent.
   * Modify 0101_nxagent_set-rgb-path.full.patch. Allow configurable rgb files.
   * Extend 0999_nxagent_unbrand-nxagent-brand-x2goagent.full.patch. Let rgb
     file shipped with x2goagent supersede rgb file shipped with nxagent.
     FIXME: a better approach would be to decide at runtime if to use
     /etc/x2go/rgb or /etc/nxagent/rgb.
   * Extend 0999_nxagent_unbrand-nxagent-brand-x2goagent.full.patch.
     Allow separate .keyboard files for x2goagent and nxagent.
   * Update 0600_nx-X11+nxcompext+nxcompshad_unique-libnames.full.patch. Don't
     patch files that get removed during code reduction.
   * Add 0991_fix-hr-typos.full+lite.patch and 991_fix-hr-typos.full.patch.
     Fix several typos in upstream code detected by lintian.
   * Makefile.nx-libs: Don't allow symlinks to point into buildroot.
   * Makefile.nx-libs: Install man pages via main Makefile.
   * Add Description: and Author: fields to various patch headers.
   * Makefile.nx-libs: Run make install for nxproxy first, then create the
     wrapper script.
   * Make install-lite rule in Makefile.nx-libs more predictable and not rely
     on nxproxy/Makefile.in.
   * Makefile.nx-libs: Fix uninstall-lite rule. The nxproxy and nxcomp
     uninstallation has to be in uninstall-lite, not in uninstall-full.
   * Update 1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch.
     Fix broken comment paragraph, whitespace fix.

   * NX code reduction efforts (from 93Mb to 41Mb):
     - Drop more unused code in nx-X11/programs/Xserver/hw/. Do this in
       roll-tarball.sh and in debian/rules alike.
     - Stop shipping unused / very old xterm code.
     - Drop nx-X11/programs/Xserver/hw/xfree86 except of four files symlinked
       to other locations in the source tree at build time.
     - More source tree size reduction by analyzing what exactly of the Mesa
       source code in nx-X11/extras/ is used and what not.
     - Drop more unused folders from tarball release / before .deb package
       build:
       . nx-X11/programs/Xserver/miext/shadow/
       . nx-X11/programs/Xserver/XpConfig/
       . nx-X11/programs/Xserver/Xprint/
     - Makefile.nx-libs: Don't install Mesa header files into DESTDIR anymore.
     - Unify source tree reduction (debian/rules vs. roll-tarball.sh) via
       file/folder lists in text files named debian/CODE-REDUCTION_*.
     - Update 0991_fix-hr-typos.full.patch. Don't patch files that get removed
       by the NX code reduction effort.
     - Drop 0604_nx-X11_recent-freetype-API.full.patch. Not used in current
       build process.
     - Update 0600_nx-X11+nxcompext+nxcompshad_unique-libnames.full.patch.
       Don't patch files matter to the NX code reduction efforts.
     - Update 0031_nx-X11_parallel-make.full.patch. Don't patch .original
       files in NX code tree.
     - Drop patches:
       0017_nx-X11_update-autotools-helper-files.full.patch,
       0018_nx-X11_update-libtool-ltmain-script.full.patch,
       0019_nx-X11_expat-build-against-system-libxmltok.full.patch.
       They patch files that are not used at build time.

   * Patch system:
     - Prepend a "0" to every patch file name in debian/patches/. The patch
       order is now given by a 4 digit ID. Adapt only this changelog stanza
       to this modification.

   * Debian/Ubuntu packaging:
     + Fully rework the way nx-libs gets packaged for Debian/Ubuntu.
     + Split up libnx-x11 into individual packages.
     + Provide dbg:packages for each bin:package containing binaries.
     + Use Makefile logic to install files into DESTDIR.
     + Provide dev:packages for each lib:package individually.
     + Provide nx-x11proto-*-dev packages for all libnx-* libraries.
     + Install _all_ library files (*.so*) to /usr/lib/<triplet>/, so no
       extra settings of LD_LIBRARY_PATH is necessary.
     + Add Multi-Arch support for Debian based distro versions that support
       Multi-Arch.
     + Support hardened builds for nxcomp* libraries.
     + Support hardened builds for nxagent and libNX_*.so files.
     + Add debian/*.symbols files for shared nx-X11 libraries.
     + Support .symbols for 64bit and 32bit alike.
     + Provide CDBS-generated debian/copyright.in file.

   * debian/rules:
     + Backup nxcomp/VERSION file from NoMachine before replacing it with a
       symlink to debian/VERSION. Recreate the original file when cleaning up.
     + Fix removal of unused code (that part of the code that we know of so
       far). (The debian/rules file is a Makefile and Makefiles don't
       understand shell globbing with curly braces).
     + Correctly link config files (etc/rgb, etc/nxagent.keyboard,
       etc/x2goagent.keyboard) before dh_auto_build.
     + Add to B-D: expat.
     + Install upstream ChangeLogs into bin:packages.
     + Remove upstream nx-libs ChangeLog during override_dh_clean.
     + Use proper quoting on build flag vars (they may contain spaces).

   * nx-libs.spec:
     + The gpg-offline bin:package is not available in our SLE repo. We can
       do without.
     + Update .spec file to meet changes in tarball size reduction and
       restructuring.
     + Use SONAME based library package naming scheme.
     + Mention NX technology in every package description.
     + Install man pages into bin:packages.
     + Make libNX_X11-6 and libXinerama1 compliant to Shared Library Policy.
     + Add Obsoletes: fields to all shared libs for marking the non-versioned
       library package (names) as obsolete.
     + Don't depend on nx-libs base package with fixed version.
     + Don't fail if removing *.a files fails due to the files being
       non-present.
     + Set PREFIX=%{_prefix} USRLIBDIR=%{_libdir} SHLIBDIR=%{_libdir} at
       build time.
     + Assure that BuildRoot: is set.
     + On SLE 11.x: libX* packages are prefixed with "xorg-x11-".
     + Install "%{_libdir}/nx/bin" into nxproxy package.

   * debian/roll-tarball.sh:
     + Install etc/ files into etc/ subfolder (rgb, nxagent.keyboard,
       x2goagent.keyboard).

   [ Horst Schirmeier ]
   * Update 0320_nxagent_configurable-keystrokes.full.patch. Fix a typo that
     prevented the /etc/nxagent/keystrokes.cfg file from being parsed.
     (Fixes: #741).
   * Add 0321_nxagent_x2go-specific-keystroke-config.full.patch. If nxagent
     is launched as x2goagent, use X2Go-specific paths for the keystrokes.cfg
     file. (Fixes: #744).

   [ Michael DePaulo ]
   * Security Fixes:
     - Rebase loads of X.Org patches (mainly from RHEL-5) against NX. If not
       all patches from a CVE patch series appear here, then it means that
       the affected file/code is not used in NX at build time.

     - X.Org CVE-2011-2895:
       1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch
     - X.Org CVE-2011-4028:
       1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch
     - X.Org CVE-2013-4396:
       1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
     - X.Org CVE-2013-6462:
       1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch
     - X.Org CVE-2014-0209:
       1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch
       1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch
     - X.Org CVE-2014-0210:
       1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
       1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch
       1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
       1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
       1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch
       1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
       1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
     - X.Org CVE-2014-0211:
       1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch
       1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
       1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch
       1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
     - X.Org CVE-2014-8092:
       1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
       1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
       1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
       1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
     - X.Org CVE-2014-8097:
       1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
     - X.Org CVE-2014-8095:
       1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
     - X.Org CVE-2014-8096:
       1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
     - X.Org CVE-2014-8099:
       1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
     - X.Org CVE-2014-8100:
       1027-render-check-request-size-before-reading-it-CVE-2014.patch
       1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
     - X.Org CVE-2014-8102:
       1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
     - X.Org CVE-2014-8101:
       1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
     - X.Org CVE-2014-8093:
       1031-glx-Be-more-paranoid-about-variable-length-requests-.patch
       1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
       1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
       1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch
       1036-glx-Integer-overflow-protection-for-non-generated-re.patch
     - X.Org CVE-2014-8098:
       1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
       1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
       1038-glx-Length-checking-for-non-generated-single-request.patch
       1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
       1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
     - X.org CVE-2015-0255
       1104-xkb-Check-strings-length-against-request-size.patch

     - Security fixes with no assigned CVE:
       1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch

     - Rebase the following patches that are prerequisites for the
       CVE-2015-0255 patch:
       1101-Coverity-844-845-846-Fix-memory-leaks.patch
       1102-include-introduce-byte-counting-functions.patch
       1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch

     - Fix FTBFS due to the nxproxy executable already existing under
       /usr/lib/nx/bin/nx/

   [ Mihai Moldovan ]
   * Change string "X2go" to "X2Go" where appropriate.
   * CVE security review:
     - Update 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch.
       Use xfree() instead of free() in nx-libs.
     - Update 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch.
       Apply correctly on nx-libs 3.6.x.
     - Update 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch.
       Human-readable version of "1 MB".
     - Add 1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch.
       Initialize remaining bufleft variables (nx-X11/lib/font/fc/fserve.c).
     - Add 1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch.
       Do proper input validation to fix for CVE-2011-2895.
[Message part 3 (message/rfc822, inline)]
From: Alexander Lochmann <alexander.lochmann@tu-dortmund.de>
To: submit@bugs.x2go.org
Cc: Horst Schirmeier <horst.schirmeier@tu-dortmund.de>
Subject: Default keystrokes are not fully overwritten
Date: Mon, 12 Jan 2015 21:39:16 +0100

[Message part 4 (text/plain, inline)]

Package: nxagent
Version: 2:3.5.0.28-0x2go1+git20141113.546+wheezy.main.1

Server: Debian 7.8; 32bit userland; 64bit kernel
x2goserver: Version: 4.0.1.18-0x2go1+git20141006.949+wheezy.main.1
Client: Actually, it does not matter on which OS I run the client to reproduce this bug.

I commented out the following lines in /usr/bin/x2goagent:

NXAGENT_KEYSTROKEFILE=/etc/x2go/keystrokes.cfg
export NXAGENT_KEYSTROKEFILE

Furthermore, I modified the keystroke.cfg in /etc/nxagent. I attached my version. The keys work properly except the default keystrokes are *not* disabled.

According to http://code.x2go.org/gitweb?p=nx-libs.git;a=blob;f=debian/patches/320_nxagent_configurable-keystrokes.full.patch;h=ae1897d143231a4120c502766c6a28367db38a4d;hb=3fa67b6732e108c67cd415a31e94ccd6b0b3bc64 the default map should be fully overwritten by /etc/nxagent/keystrokes.cfg. But they are not...

Greetings,
Alex

[keystrokes.cfg (text/html, attachment)]