Control: forwarded -1 https://github.com/ArcticaProject/nx-libs/issues/29 On Thu, May 21, 2015 at 08:43:37AM +0200, Ulrich Sibiller wrote: > Package: nx-libs > > Recently a lot of CVE fixes have been added to nx-libs. > > E.g. > debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch > and > debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch > add missing checks to nx-X11/programs/Xserver/render/render.c. > > However, there's a file called > nx-X11/programs/Xserver/hw/nxagent/NXrender.c which is derived from > render.c and in that file those checks are missing, too. > > (I suspect the original render/render.c is not used at all in favour > of hw/nxagent/NXrender.c but I am not 100% sure here.) > > If render.c is used a all (I am not sure) the patches should be > extended to also fix NXrender.c. > If render.c is not used it should be removed and the patches should be > applied to NXrender.c instead. > > There might be more cases like this, I only picked this one as an example. Forwarded to nx-libs bug tracker [1] for nx-libs 3.6.x on Github. @Mike#2: I assigned you to this task on Github. If you are not available for this, please assign me again. What Ulrich and I realized (in private comm) lately is that there are some files in hw/nxagent/ that are actually Xlib (extension) copies-of-code. Thus, we need to double-maintain those code sections (I know, it is a mess and needs to be cleared up finally). o step A: build against libX* from X.Org o step B: be aware for code passages being libX* code, but copied to hw/nxagent/ and maintain those passages in hw/nxagent/ for now Greets, Mike [1] https://github.com/ArcticaProject/nx-libs/issues/29 -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de