From unknown Mon May 18 17:35:30 2026
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.x2go.org
From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#879 closed by Stefan Baur <X2Go-ML-1@baur-itcs.de>
 (Closing/Archiving)
Message-ID: <handler.879.q879.170665193020503.notifdone@bugs.x2go.org>
References: <14325158-76e9-4f38-aa45-5a9913814262@baur-itcs.de>
X-X2go-PR-Keywords: fixed-upstream
X-X2go-PR-Message: they-closed 879
X-X2go-PR-Package: nx-libs
Date: Tue, 30 Jan 2024 22:00:07 +0000
Content-Type: multipart/mixed; boundary="----------=_1706652007-20768-0"

This is a multi-part message in MIME format...

------------=_1706652007-20768-0
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=utf-8

This is an automatic notification regarding your Bug report
which was filed against the nx-libs package:

#879: CVE backports incomplete or wrong

It has been closed by Stefan Baur <X2Go-ML-1@baur-itcs.de>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Stefan Baur <X2Go-ML-1=
@baur-itcs.de> by
replying to this email.


--=20
879: https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=3D879
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems

------------=_1706652007-20768-0
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at 879-quiet) by bugs.x2go.org; 30 Jan 2024 21:58:50 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=3.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=ham autolearn_force=no version=3.4.2
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.131])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id EC15C5DA21
	for <879-quiet@bugs.x2go.org>; Tue, 30 Jan 2024 22:58:46 +0100 (CET)
Received: from [192.168.0.25] ([178.202.75.45]) by mrelayeu.kundenserver.de
 (mreue012 [213.165.67.97]) with ESMTPSA (Nemesis) id 1MpCz1-1qhoba2hTT-00qkhj
 for <879-quiet@bugs.x2go.org>; Tue, 30 Jan 2024 22:58:46 +0100
Message-ID: <14325158-76e9-4f38-aa45-5a9913814262@baur-itcs.de>
Date: Tue, 30 Jan 2024 22:58:45 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
Content-Language: en-US
To: 879-quiet@bugs.x2go.org
Subject: Closing/Archiving
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K1:Xd37LpYJKOp+FqUJnqqo8P3fKpUUGq71gw2HtppmhTRKNlsU+eZ
 iq1dnlh6+LHWB4DF+RnUyrW3XDQCJUs7f4ufGaRQcYgwrRASxfF2AUlpLve56ZTdlplj6Xj
 Eotc+BIqVlO0IZQQPbcjlDdKi1PsmXABAvIlwvG8QsT7RYLbtYmSsSk1SzZqMd3J3a27QgO
 R1sPT1h4UdlKQFzfG2+Tg==
UI-OutboundReport: notjunk:1;M01:P0:Rees1vfGqDc=;c/Lakk/QAGn+K2Vm751m4C/D2O5
 oAc5UCbhZLzP2QC5LdEU6Ie1yGpr4IhRarG8b3NnWkpwTJk3SdTmBzFzqrenFRaics9D0Bec1
 YXrdmTZC1yE3NV4r4qsnt6vjPmQ7Yu92ldLyKW6QC9Wx6w/LNZ8067LNVd+o2WB6Yjejc/Z3q
 j+T25a2n0/OC75t0qmQsR8GfW4Zopn1f2TaQliZ01+xMqNOsPtIRo+V4KbEFAYMrzftLcK1bi
 8P/X15hT3xplkO69/6TsVq/8ZwOXRqqx0GaqKnYMrAgF3cGHdPTJm9vorPXv+5L2Zz7PRLBsP
 DnlKSdMxg3DJR51zfTPrOI0V2+zBxYzdDUw+HkxQ0oPbC9FQpVx+ptie353KAB1g8K2ycX/oZ
 Zldn7wP8bWHyoTUwMtw27KOyPmesnpI8loAjA/INZYikh5Z9UkHe/gViMQQzgHnqYdnbrE24Z
 ZNsq9aq0JRQxXCA0rXm6SjH/hla85o0HjMcDzBeZq2DK8LgQKRuaeDfneKkOb4EzwR8rL1BQX
 pH7bEoYdnnt2qWEbnMTflf7myccUOHeG76cqHgxrJJ7/NtGmVmC6T7CLokIvswb9rujm6uxm4
 K3LnCsjaNfHhWRXMZuWzc1jdhZINXLnD2QpcOSJDbbJ+f9SVBU20XHxrAWTbML7u3HAILvmQK
 0nV11iW3l/HkU94ru9S5b2rakHo2kywGBQIMz2QdSq34+O+LAw31oKfSssSUdZnqZL+MnjUUq
 nfupUlfCyqquWWhNYhfpydKUwomddlLNpYzInoSlVu+sCw4zceTfHf1QsO7YJOGyTh3/V20pa
 N2LD3LQrp2YMJGsZsWY6k/oGhnqhr5/X7dOu6D+oh6O9LtnRzpRyUrD445qBfQrYLq/D+rSLV
 TnDFyMQQjWgcF+A==

Control: close -1
Control: archive -1

This bug has long since been moved to the Arctica Project Github issue 
tracker.

Kind Regards,
Stefan Baur
-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243


------------=_1706652007-20768-0
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at submit) by bugs.x2go.org; 21 May 2015 06:44:00 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,FREEMAIL_FROM,
	T_DKIM_INVALID autolearn=ham version=3.3.2
Received: from mail-la0-f53.google.com (mail-la0-f53.google.com [209.85.215.53])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 70DDD5DA84
	for <submit@bugs.x2go.org>; Thu, 21 May 2015 08:43:58 +0200 (CEST)
Received: by lagr1 with SMTP id r1so95310670lag.0
        for <submit@bugs.x2go.org>; Wed, 20 May 2015 23:43:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:content-type;
        bh=fJibvKLUABCiC+Gv/YPAqcLRCgPkU+TvP3/REBjdjgw=;
        b=EWb/iK8+2Hc3L/phNNKi0Gl8jUUWfMofbfuAqJ3Jv2v5pf1Ph3gwEn7XVQIrSkIQ2c
         KLbJSrhiefGJ5HTwGQs2dm1htmzkl4BzDqmt/oLJDWjdzpGH68gGoIAsq6Z/ogYDYTTX
         1Xq3eSbb3c2DXDwxU+Ek5DoaRmDq4YWZ6ZlxUcm2UGfDx4YXpHeQHyp3iDH2anMl9bpg
         AiNcANacNB/uCugKVUFRFNntNkL/rZEEZSsOUNW8MOmkGjTYsPrV8XQ4axKLvFFEm2tY
         We/A8nlUtmxd5KMy4TV82rvaiBe3hIBiSufO93ih9hpxGGuKtBcP8SAZG2JYm3lnNAvU
         NtWg==
X-Received: by 10.112.125.33 with SMTP id mn1mr935607lbb.82.1432190637530;
 Wed, 20 May 2015 23:43:57 -0700 (PDT)
MIME-Version: 1.0
Sender: ulrich.sibiller@gmail.com
Received: by 10.112.11.201 with HTTP; Wed, 20 May 2015 23:43:37 -0700 (PDT)
In-Reply-To: <CANVnVYLk9DguVwj55uMF_b=PhhPHu+Uo=UXUEw4qHFeShf5URA@mail.gmail.com>
References: <CANVnVYLk9DguVwj55uMF_b=PhhPHu+Uo=UXUEw4qHFeShf5URA@mail.gmail.com>
From: Ulrich Sibiller <uli42@gmx.de>
Date: Thu, 21 May 2015 08:43:37 +0200
X-Google-Sender-Auth: XQD-nrbrv9L88VwggZaXQJitVMI
Message-ID: <CANVnVYJUyx6xQm30idJa6iV+DAy4NjxxByyv4MimbhYDf5suMA@mail.gmail.com>
Subject: Re: CVE backports incomplete or wrong
To: submit@bugs.x2go.org
Content-Type: text/plain; charset=UTF-8

Package: nx-libs

Recently a lot of CVE fixes have been added to nx-libs.

E.g.
debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch
and
debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch
add missing checks to nx-X11/programs/Xserver/render/render.c.

However, there's a file called
nx-X11/programs/Xserver/hw/nxagent/NXrender.c which is derived from
render.c and in that file those checks are missing, too.

(I suspect the original render/render.c is not used at all in favour
of hw/nxagent/NXrender.c but I am not 100% sure here.)

If render.c is used a all (I am not sure) the patches should be
extended to also fix NXrender.c.
If render.c is not used it should be removed and the patches should be
applied to NXrender.c instead.

There might be more cases like this, I only picked this one as an example.

------------=_1706652007-20768-0--