X2Go Bug report logs - #879
CVE backports incomplete or wrong

version graph

Package: nx-libs; Maintainer for nx-libs is X2Go Developers <x2go-dev@lists.x2go.org>;

Reported by: Ulrich Sibiller <uli42@gmx.de>

Date: Thu, 21 May 2015 06:45:01 UTC

Severity: normal

Tags: fixed-upstream

Fixed in version

Forwarded to https://github.com/ArcticaProject/nx-libs/issues/29

Full log

Message #10 received at 879@bugs.x2go.org (full text, mbox, reply):

Received: (at 879) by bugs.x2go.org; 21 May 2015 08:19:24 +0000
From mike@das-netzwerkteam.de  Thu May 21 10:19:22 2015
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED
	autolearn=ham version=3.3.2
Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 1878C5DA84;
	Thu, 21 May 2015 10:19:21 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [])
	by freya.das-netzwerkteam.de (Postfix) with ESMTPS id A4751FA6;
	Thu, 21 May 2015 10:19:21 +0200 (CEST)
Received: from localhost (localhost [])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 6C1613BAE9;
	Thu, 21 May 2015 10:19:21 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de
Received: from grimnir.das-netzwerkteam.de ([])
	by localhost (grimnir.das-netzwerkteam.de []) (amavisd-new, port 10024)
	with ESMTP id 9eLjM-56Vdz6; Thu, 21 May 2015 10:19:21 +0200 (CEST)
Received: from localhost (localhost [])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 297A33BAD9;
	Thu, 21 May 2015 10:19:21 +0200 (CEST)
Received: from localhost (localhost [])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id D7C103BAE9;
	Thu, 21 May 2015 10:19:20 +0200 (CEST)
Received: from minobo.das-netzwerkteam.de (localhost [])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id B35043BAD9;
	Thu, 21 May 2015 10:19:18 +0200 (CEST)
Received: by minobo.das-netzwerkteam.de (Postfix, from userid 1000)
	id 8E4E5BB1C3; Thu, 21 May 2015 10:02:10 +0200 (CEST)
Date: Thu, 21 May 2015 10:02:10 +0200
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Ulrich Sibiller <uli42@gmx.de>, 879@bugs.x2go.org
Cc: submit@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#879: CVE backports incomplete or wrong
Message-ID: <20150521080207.GA23374@minobo.das-netzwerkteam.de>
References: <CANVnVYLk9DguVwj55uMF_b=PhhPHu+Uo=UXUEw4qHFeShf5URA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="liOOAslEiF7prFVr"
Content-Disposition: inline
In-Reply-To: <CANVnVYJUyx6xQm30idJa6iV+DAy4NjxxByyv4MimbhYDf5suMA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
[Message part 1 (text/plain, inline)]
Control: forwarded -1 https://github.com/ArcticaProject/nx-libs/issues/29

On Thu, May 21, 2015 at 08:43:37AM +0200, Ulrich Sibiller wrote:
> Package: nx-libs
> Recently a lot of CVE fixes have been added to nx-libs.
> E.g.
> debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch
> and
> debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch
> add missing checks to nx-X11/programs/Xserver/render/render.c.
> However, there's a file called
> nx-X11/programs/Xserver/hw/nxagent/NXrender.c which is derived from
> render.c and in that file those checks are missing, too.
> (I suspect the original render/render.c is not used at all in favour
> of hw/nxagent/NXrender.c but I am not 100% sure here.)
> If render.c is used a all (I am not sure) the patches should be
> extended to also fix NXrender.c.
> If render.c is not used it should be removed and the patches should be
> applied to NXrender.c instead.
> There might be more cases like this, I only picked this one as an example.

Forwarded to nx-libs bug tracker [1] for nx-libs 3.6.x on Github.

@Mike#2: I assigned you to this task on Github. If you are not available
for this, please assign me again.

What Ulrich and I realized (in private comm) lately is that there are some files in hw/nxagent/ that are actually Xlib (extension) copies-of-code.

Thus, we need to double-maintain those code sections (I know, it is a mess and needs to be cleared up finally).

  o step A: build against libX* from X.Org
  o step B: be aware for code passages being libX* code, but copied to
    hw/nxagent/ and maintain those passages in hw/nxagent/ for now


[1] https://github.com/ArcticaProject/nx-libs/issues/29


mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Tue Aug 4 09:01:20 2020; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.