X2Go Bug report logs - #879
CVE backports incomplete or wrong


Package: nx-libs; Maintainer for nx-libs is X2Go Developers <x2go-dev@lists.x2go.org>;

Reported by: Ulrich Sibiller <uli42@gmx.de>

Date: Thu, 21 May 2015 06:45:01 UTC

Severity: normal

Tags: fixed-upstream

Fixed in version 3.5.99.0

Done: Stefan Baur <X2Go-ML-1@baur-itcs.de>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/ArcticaProject/nx-libs/issues/29

Full log



MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.x2go.org
From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#879 closed by Stefan Baur <X2Go-ML-1@baur-itcs.de>
 (Closing/Archiving)
Message-ID: <handler.879.q879.170665193020503.notifdone@bugs.x2go.org>
References: <14325158-76e9-4f38-aa45-5a9913814262@baur-itcs.de>
X-X2go-PR-Keywords: fixed-upstream
X-X2go-PR-Message: they-closed 879
X-X2go-PR-Package: nx-libs
Date: Tue, 30 Jan 2024 22:00:07 +0000
Content-Type: multipart/mixed; boundary="----------=_1706652007-20768-0"
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your Bug report
which was filed against the nx-libs package:

#879: CVE backports incomplete or wrong

It has been closed by Stefan Baur <X2Go-ML-1@baur-itcs.de>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Stefan Baur <X2Go-ML-1@baur-itcs.de> by
replying to this email.


-- 
879: https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=879
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems
[Message part 2 (message/rfc822, inline)]
From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
To: 879-quiet@bugs.x2go.org
Subject: Closing/Archiving
Date: Tue, 30 Jan 2024 22:58:45 +0100
Control: close -1
Control: archive -1

This bug has long since been moved to the Arctica Project Github issue 
tracker.

Kind Regards,
Stefan Baur
-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243

[Message part 3 (message/rfc822, inline)]
From: Ulrich Sibiller <uli42@gmx.de>
To: submit@bugs.x2go.org
Subject: Re: CVE backports incomplete or wrong
Date: Thu, 21 May 2015 08:43:37 +0200
Package: nx-libs

Recently a lot of CVE fixes have been added to nx-libs.

E.g.
debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch
and
debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch
add missing checks to nx-X11/programs/Xserver/render/render.c.

However, there's a file called
nx-X11/programs/Xserver/hw/nxagent/NXrender.c which is derived from
render.c and in that file those checks are missing, too.

(I suspect the original render/render.c is not used at all in favour
of hw/nxagent/NXrender.c but I am not 100% sure here.)

If render.c is used at all (I am not sure) the patches should be
extended to also fix NXrender.c.
If render.c is not used it should be removed and the patches should be
applied to NXrender.c instead.

There might be more cases like this, I only picked this one as an example.
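
The check the report asks for can be run over any patch. The sketch below is an added example, not part of the original message or of nx-libs: it lists derived copies that a patch leaves untouched. It assumes a derived file is named "NX" plus the original's basename, as in the render.c / NXrender.c pair above; the patch text and tree listing are constructed samples.

```python
import posixpath
import re

# Constructed sample: file headers of a patch in the style of the ones named
# in the report; the hunk body is a placeholder, only the headers matter here.
SAMPLE_PATCH = """\
--- a/nx-X11/programs/Xserver/render/render.c
+++ b/nx-X11/programs/Xserver/render/render.c
@@ -1,3 +1,4 @@
 context
+added check
 context
 context
"""

# Constructed sample tree listing: the two paths from the report plus one
# made-up unrelated file.
SAMPLE_TREE = [
    "nx-X11/programs/Xserver/render/render.c",
    "nx-X11/programs/Xserver/hw/nxagent/NXrender.c",
    "nx-X11/programs/Xserver/example/unrelated.c",
]


def patched_files(patch_text, strip=1):
    """Paths a unified diff modifies, taken from '+++ ' lines that follow '--- '."""
    paths, prev = set(), ""
    for line in patch_text.splitlines():
        m = re.match(r"\+\+\+ (\S+)", line)
        if m and prev.startswith("--- ") and m.group(1) != "/dev/null":
            paths.add("/".join(m.group(1).split("/")[strip:]))
        prev = line
    return paths


def unpatched_derivatives(patch_text, tree, prefix="NX"):
    """(original, derived) pairs where the derived copy is not touched by the patch.

    Assumption: a derived file is named prefix + basename of the original,
    as with render.c and NXrender.c in the report.
    """
    touched = patched_files(patch_text)
    wanted = {prefix + posixpath.basename(p): p for p in touched}
    return sorted(
        (wanted[posixpath.basename(path)], path)
        for path in tree
        if posixpath.basename(path) in wanted and path not in touched
    )


if __name__ == "__main__":
    for original, derived in unpatched_derivatives(SAMPLE_PATCH, SAMPLE_TREE):
        print(f"{derived}: derived from {original}, not covered by this patch")
```

A name match only flags candidates; whether the derived file still contains the unchecked code has to be confirmed by reading it.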



X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri May 3 13:13:33 2024; Machine Name: ymir.das-netzwerkteam.de
