X2Go Bug report logs - #879
CVE backports incomplete or wrong

Package: nx-libs; Maintainer for nx-libs is X2Go Developers <x2go-dev@lists.x2go.org>;

Reported by: Ulrich Sibiller <uli42@gmx.de>

Date: Thu, 21 May 2015 06:45:01 UTC

Severity: normal

Tags: fixed-upstream

Fixed in version

Forwarded to https://github.com/ArcticaProject/nx-libs/issues/29

Full log

Subject: Bug#879: CVE backports incomplete or wrong
Reply-To: Ulrich Sibiller <uli42@gmx.de>, 879@bugs.x2go.org
From: Ulrich Sibiller <uli42@gmx.de>
Date: Thu, 21 May 2015 08:43:37 +0200
Message-ID: <CANVnVYJUyx6xQm30idJa6iV+DAy4NjxxByyv4MimbhYDf5suMA@mail.gmail.com>
To: submit@bugs.x2go.org
Content-Type: text/plain; charset=UTF-8
Package: nx-libs

Recently a lot of CVE fixes have been added to nx-libs.

add missing checks to nx-X11/programs/Xserver/render/render.c.

However, there's a file called
nx-X11/programs/Xserver/hw/nxagent/NXrender.c which is derived from
render.c and in that file those checks are missing, too.

(I suspect the original render/render.c is not used at all in favour
of hw/nxagent/NXrender.c but I am not 100% sure here.)

If render.c is used at all (I am not sure) the patches should be
extended to also fix NXrender.c.
If render.c is not used it should be removed and the patches should be
applied to NXrender.c instead.

There might be more cases like this, I only picked this one as an example.
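
One way to check for the situation the report above describes, where checks added to render.c are absent from the derived NXrender.c (an added example, not part of the original report or of the nx-libs code): the script collects the lines a patch adds to each function and reports those missing from the same function in the derived copy. The patch text, the source text, the ProcDemo* function names and the checks shown are constructed for illustration.

```python
import re

def added_by_function(patch):
    """Map function name (from each @@ hunk header) to its added lines."""
    out, fn = {}, None
    for line in patch.splitlines():
        if line.startswith("@@"):
            m = re.match(r"@@ [^@]+ @@\s*(\w+)", line)
            fn = m.group(1) if m else None
        elif fn and line.startswith("+") and not line.startswith("+++ "):
            if line[1:].strip():
                out.setdefault(fn, []).append(" ".join(line[1:].split()))
    return out

def function_body(source, name):
    """Assumes the name starts a line and the closing brace is in column 0."""
    m = re.search(r"^%s\s*\(.*?^\}" % re.escape(name), source, re.M | re.S)
    return " ".join(m.group(0).split()) if m else None

def missing_in_derived(patch, derived):
    """(function, added line) pairs from the patch that the derived file lacks."""
    gaps = []
    for fn, lines in added_by_function(patch).items():
        body = function_body(derived, fn)
        gaps += [(fn, t) for t in lines if body is None or t not in body]
    return gaps

# Constructed sample input (a -U0 style diff), not the real nx-libs patches.
PATCH = """\
--- a/render.c
+++ b/render.c
@@ -11,0 +12 @@ ProcDemoQuery (ClientPtr client)
+    REQUEST_SIZE_MATCH(xDemoQueryReq);
@@ -31,0 +33,2 @@ ProcDemoFill (ClientPtr client)
+    if (stuff->count > MAX_ITEMS)
+        return BadLength;
"""
# Constructed stand-in for the derived file: one function patched, one not.
DERIVED = """\
ProcDemoQuery (ClientPtr client)
{
    REQUEST_SIZE_MATCH(xDemoQueryReq);
}
ProcDemoFill (ClientPtr client)
{
    return DoFill(client, stuff);
}
"""
print(missing_in_derived(PATCH, DERIVED))
```

The match is textual, so a reported gap is a pointer for manual review: a derived function may have been renamed or may implement the same check in different words.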

X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Oct 27 01:00:18 2021; Machine Name: ymir.das-netzwerkteam.de
