From ulrich.sibiller@gmail.com  Thu May 21 08:43:58 2015
In-Reply-To: <CANVnVYLk9DguVwj55uMF_b=PhhPHu+Uo=UXUEw4qHFeShf5URA@mail.gmail.com>
References: <CANVnVYLk9DguVwj55uMF_b=PhhPHu+Uo=UXUEw4qHFeShf5URA@mail.gmail.com>
From: Ulrich Sibiller <uli42@gmx.de>
Date: Thu, 21 May 2015 08:43:37 +0200
Message-ID: <CANVnVYJUyx6xQm30idJa6iV+DAy4NjxxByyv4MimbhYDf5suMA@mail.gmail.com>
Subject: Re: CVE backports incomplete or wrong
To: submit@bugs.x2go.org
Content-Type: text/plain; charset=UTF-8

Package: nx-libs

Recently a lot of CVE fixes have been added to nx-libs.

E.g.
debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch
and
debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch
add missing checks to nx-X11/programs/Xserver/render/render.c.

However, there's a file called
nx-X11/programs/Xserver/hw/nxagent/NXrender.c which is derived from
render.c and in that file those checks are missing, too.

(I suspect the original render/render.c is not used at all in favour
of hw/nxagent/NXrender.c but I am not 100% sure here.)

If render.c is used at all (I am not sure) the patches should be
extended to also fix NXrender.c.
If render.c is not used it should be removed and the patches should be
applied to NXrender.c instead.

There might be more cases like this, I only picked this one as an example.
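
Added example, not part of the original report and not nx-libs code: one way to look for other cases like this is to compare request handlers of the same name in a patched file and its derived copy, and list those whose length check exists only in the patched one. It assumes the missing checks are the X server's REQUEST_SIZE_MATCH-style macros (the report does not name them); the two C snippets are constructed sample input.

```python
import re

# Assumption: the missing checks are the X server's request-length macros.
CHECK = re.compile(r"\bREQUEST_(?:SIZE_MATCH|AT_LEAST_SIZE|FIXED_SIZE)\s*\(")
# Request handlers are defined as Proc*/SProc* with the name at line start.
HANDLER = re.compile(r"^(S?Proc\w+)\s*\([^;{)]*\)\s*\{", re.M)

def handlers(source):
    """Map each handler name to its body (naive brace matching; braces
    inside strings or comments are not handled)."""
    found = {}
    for m in HANDLER.finditer(source):
        depth, i = 1, m.end()
        while depth and i < len(source):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        found[m.group(1)] = source[m.end():i]
    return found

def missing_checks(patched, derived):
    """Handlers in both files that check the length only in `patched`."""
    ref, fork = handlers(patched), handlers(derived)
    return sorted(name for name in ref.keys() & fork.keys()
                  if CHECK.search(ref[name]) and not CHECK.search(fork[name]))

# Constructed sample input, not the real nx-libs sources.
RENDER_C = """
static int
ProcRenderQueryVersion (ClientPtr client)
{
    REQUEST(xRenderQueryVersionReq);
    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
    return Success;
}
static int
ProcRenderFreePicture (ClientPtr client)
{
    REQUEST_SIZE_MATCH(xRenderFreePictureReq);
    return Success;
}
"""
# The derived copy: same handlers, one length check absent.
NXRENDER_C = RENDER_C.replace(
    "    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);\n", "")

if __name__ == "__main__":
    print(missing_checks(RENDER_C, NXRENDER_C))
```

A handler that exists only in one of the two files is not reported; that difference needs a separate review.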

