X2Go Bug report logs - #879
CVE backports incomplete or wrong

version graph

Package: nx-libs; Maintainer for nx-libs is X2Go Developers <x2go-dev@lists.x2go.org>;

Reported by: Ulrich Sibiller <uli42@gmx.de>

Date: Thu, 21 May 2015 06:45:01 UTC

Severity: normal

Tags: fixed-upstream

Fixed in version 3.5.99.0

Forwarded to https://github.com/ArcticaProject/nx-libs/issues/29

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#879; Package nx-libs. (Thu, 21 May 2015 06:45:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ulrich Sibiller <uli42@gmx.de>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Thu, 21 May 2015 06:45:02 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.x2go.org (full text, mbox):

From: Ulrich Sibiller <uli42@gmx.de>
To: submit@bugs.x2go.org
Subject: Re: CVE backports incomplete or wrong
Date: Thu, 21 May 2015 08:43:37 +0200
Package: nx-libs

Recently a lot of CVE fixes have been added to nx-libs.

E.g.
debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch
and
debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch
add missing checks to nx-X11/programs/Xserver/render/render.c.

However, there's a file called
nx-X11/programs/Xserver/hw/nxagent/NXrender.c which is derived from
render.c and in that file those checks are missing, too.

(I suspect the original render/render.c is not used at all in favour
of hw/nxagent/NXrender.c but I am not 100% sure here.)

If render.c is used a all (I am not sure) the patches should be
extended to also fix NXrender.c.
If render.c is not used it should be removed and the patches should be
applied to NXrender.c instead.

There might be more cases like this, I only picked this one as an example.


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#879; Package nx-libs. (Thu, 21 May 2015 08:20:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Thu, 21 May 2015 08:20:03 GMT) Full text and rfc822 format available.

Message #10 received at 879@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Ulrich Sibiller <uli42@gmx.de>, 879@bugs.x2go.org
Cc: submit@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#879: CVE backports incomplete or wrong
Date: Thu, 21 May 2015 10:02:10 +0200
[Message part 1 (text/plain, inline)]
Control: forwarded -1 https://github.com/ArcticaProject/nx-libs/issues/29

On Thu, May 21, 2015 at 08:43:37AM +0200, Ulrich Sibiller wrote:
> Package: nx-libs
> 
> Recently a lot of CVE fixes have been added to nx-libs.
> 
> E.g.
> debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch
> and
> debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch
> add missing checks to nx-X11/programs/Xserver/render/render.c.
> 
> However, there's a file called
> nx-X11/programs/Xserver/hw/nxagent/NXrender.c which is derived from
> render.c and in that file those checks are missing, too.
> 
> (I suspect the original render/render.c is not used at all in favour
> of hw/nxagent/NXrender.c but I am not 100% sure here.)
> 
> If render.c is used a all (I am not sure) the patches should be
> extended to also fix NXrender.c.
> If render.c is not used it should be removed and the patches should be
> applied to NXrender.c instead.
> 
> There might be more cases like this, I only picked this one as an example.

Forwarded to nx-libs bug tracker [1] for nx-libs 3.6.x on Github.

@Mike#2: I assigned you to this task on Github. If you are not available
for this, please assign me again.

What Ulrich and I realized (in private comm) lately is that there are some files in hw/nxagent/ that are actually Xlib (extension) copies-of-code.

Thus, we need to double-maintain those code sections (I know, it is a mess and needs to be cleared up finally).

  o step A: build against libX* from X.Org
  o step B: be aware for code passages being libX* code, but copied to
    hw/nxagent/ and maintain those passages in hw/nxagent/ for now

Greets,
Mike

[1] https://github.com/ArcticaProject/nx-libs/issues/29

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

[signature.asc (application/pgp-signature, inline)]

Set Bug forwarded-to-address to 'https://github.com/ArcticaProject/nx-libs/issues/29'. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 879-submit@bugs.x2go.org. (Thu, 21 May 2015 08:20:03 GMT) Full text and rfc822 format available.

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#879; Package nx-libs. (Thu, 21 May 2015 11:30:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ulrich Sibiller <uli42@gmx.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Thu, 21 May 2015 11:30:02 GMT) Full text and rfc822 format available.

Message #17 received at 879@bugs.x2go.org (full text, mbox):

From: Ulrich Sibiller <uli42@gmx.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: 879@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#879: CVE backports incomplete or wrong
Date: Thu, 21 May 2015 13:29:05 +0200
On Thu, May 21, 2015 at 10:02 AM, Mike Gabriel
<mike.gabriel@das-netzwerkteam.de> wrote:
> Control: forwarded -1 https://github.com/ArcticaProject/nx-libs/issues/29

> Thus, we need to double-maintain those code sections (I know, it is a mess and needs to be cleared up finally).
>
>   o step A: build against libX* from X.Org
>   o step B: be aware for code passages being libX* code, but copied to
>     hw/nxagent/ and maintain those passages in hw/nxagent/ for now

I don't think this is limited to the X11 libraries. The mentioned
render.c is for the RENDER extension not the libXrender, I think. It
is built to render.o and included in librender.a. NXrender.c contains
the same functions (+ more) and is compiled to NXrender.o and included
into libnxagent.a. The nxagent binary is finally linked against
libnxagent.a and not librender.a (at least I have not found where that
could happen).

Uli


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#879; Package nx-libs. (Sat, 20 Feb 2016 19:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sat, 20 Feb 2016 19:45:04 GMT) Full text and rfc822 format available.

Message #22 received at 879@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Ulrich Sibiller <uli42@gmx.de>
Cc: 879@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#879: CVE backports incomplete or wrong
Date: Sat, 20 Feb 2016 19:40:58 +0000
[Message part 1 (text/plain, inline)]
Control: fixed -1 3.5.99.0
Control: tag -1 fixed-upstream

On  Do 21 Mai 2015 13:29:05 CEST, Ulrich Sibiller wrote:

> On Thu, May 21, 2015 at 10:02 AM, Mike Gabriel
> <mike.gabriel@das-netzwerkteam.de> wrote:
>> Control: forwarded -1 https://github.com/ArcticaProject/nx-libs/issues/29
>
>> Thus, we need to double-maintain those code sections (I know, it is  
>> a mess and needs to be cleared up finally).
>>
>>   o step A: build against libX* from X.Org
>>   o step B: be aware for code passages being libX* code, but copied to
>>     hw/nxagent/ and maintain those passages in hw/nxagent/ for now
>
> I don't think this is limited to the X11 libraries. The mentioned
> render.c is for the RENDER extension not the libXrender, I think. It
> is built to render.o and included in librender.a. NXrender.c contains
> the same functions (+ more) and is compiled to NXrender.o and included
> into libnxagent.a. The nxagent binary is finally linked against
> libnxagent.a and not librender.a (at least I have not found where that
> could happen).
>
> Uli

Just for the record. This issue has been resolved on the 3.6.x branch  
of nx-libs.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
[Message part 2 (application/pgp-signature, inline)]

Marked as fixed in versions 3.5.99.0. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 879-submit@bugs.x2go.org. (Sat, 20 Feb 2016 19:45:05 GMT) Full text and rfc822 format available.

Added tag(s) fixed-upstream. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 879-submit@bugs.x2go.org. (Sat, 20 Feb 2016 19:45:05 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Dec 13 13:35:27 2018; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.