X2Go Bug report logs - #879
CVE backports incomplete or wrong

version graph

Package: nx-libs; Maintainer for nx-libs is X2Go Developers <x2go-dev@lists.x2go.org>;

Reported by: Ulrich Sibiller <uli42@gmx.de>

Date: Thu, 21 May 2015 06:45:01 UTC

Severity: normal

Tags: fixed-upstream

Fixed in version 3.5.99.0

Forwarded to https://github.com/ArcticaProject/nx-libs/issues/29

Full log


🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#879: CVE backports incomplete or wrong
Reply-To: Ulrich Sibiller <uli42@gmx.de>, 879@bugs.x2go.org
Resent-From: Ulrich Sibiller <uli42@gmx.de>
Original-Sender: ulrich.sibiller@gmail.com
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Thu, 21 May 2015 06:45:01 +0000
Resent-Message-ID: <handler.879.B.14321906407768@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: report 879
X-X2Go-PR-Package: nx-libs
X-X2Go-PR-Keywords: 
Received: via spool by submit@bugs.x2go.org id=B.14321906407768
          (code B); Thu, 21 May 2015 06:45:01 +0000
Received: (at submit) by bugs.x2go.org; 21 May 2015 06:44:00 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,FREEMAIL_FROM,
	T_DKIM_INVALID autolearn=ham version=3.3.2
Received: from mail-la0-f53.google.com (mail-la0-f53.google.com [209.85.215.53])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 70DDD5DA84
	for <submit@bugs.x2go.org>; Thu, 21 May 2015 08:43:58 +0200 (CEST)
Received: by lagr1 with SMTP id r1so95310670lag.0
        for <submit@bugs.x2go.org>; Wed, 20 May 2015 23:43:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:content-type;
        bh=fJibvKLUABCiC+Gv/YPAqcLRCgPkU+TvP3/REBjdjgw=;
        b=EWb/iK8+2Hc3L/phNNKi0Gl8jUUWfMofbfuAqJ3Jv2v5pf1Ph3gwEn7XVQIrSkIQ2c
         KLbJSrhiefGJ5HTwGQs2dm1htmzkl4BzDqmt/oLJDWjdzpGH68gGoIAsq6Z/ogYDYTTX
         1Xq3eSbb3c2DXDwxU+Ek5DoaRmDq4YWZ6ZlxUcm2UGfDx4YXpHeQHyp3iDH2anMl9bpg
         AiNcANacNB/uCugKVUFRFNntNkL/rZEEZSsOUNW8MOmkGjTYsPrV8XQ4axKLvFFEm2tY
         We/A8nlUtmxd5KMy4TV82rvaiBe3hIBiSufO93ih9hpxGGuKtBcP8SAZG2JYm3lnNAvU
         NtWg==
X-Received: by 10.112.125.33 with SMTP id mn1mr935607lbb.82.1432190637530;
 Wed, 20 May 2015 23:43:57 -0700 (PDT)
MIME-Version: 1.0
Sender: ulrich.sibiller@gmail.com
Received: by 10.112.11.201 with HTTP; Wed, 20 May 2015 23:43:37 -0700 (PDT)
In-Reply-To: <CANVnVYLk9DguVwj55uMF_b=PhhPHu+Uo=UXUEw4qHFeShf5URA@mail.gmail.com>
References: <CANVnVYLk9DguVwj55uMF_b=PhhPHu+Uo=UXUEw4qHFeShf5URA@mail.gmail.com>
From: Ulrich Sibiller <uli42@gmx.de>
Date: Thu, 21 May 2015 08:43:37 +0200
X-Google-Sender-Auth: XQD-nrbrv9L88VwggZaXQJitVMI
Message-ID: <CANVnVYJUyx6xQm30idJa6iV+DAy4NjxxByyv4MimbhYDf5suMA@mail.gmail.com>
To: submit@bugs.x2go.org
Content-Type: text/plain; charset=UTF-8
Package: nx-libs

Recently a lot of CVE fixes have been added to nx-libs.

E.g.
debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch
and
debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch
add missing checks to nx-X11/programs/Xserver/render/render.c.

However, there's a file called
nx-X11/programs/Xserver/hw/nxagent/NXrender.c which is derived from
render.c and in that file those checks are missing, too.

(I suspect the original render/render.c is not used at all in favour
of hw/nxagent/NXrender.c but I am not 100% sure here.)

If render.c is used a all (I am not sure) the patches should be
extended to also fix NXrender.c.
If render.c is not used it should be removed and the patches should be
applied to NXrender.c instead.

There might be more cases like this, I only picked this one as an example.

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Tue Aug 4 09:18:17 2020; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.