Hi Mike#1 & Mihai,

On Tue, Feb 17, 2015 at 4:34 PM, Mike Gabriel
<mike.gabr...@das-netzwerkteam.de> wrote:
> Hi Mike#2,
>
>
> On Tue 17 Feb 2015 18:48:26 CET, Mihai Moldovan wrote:
>
>> On 17.02.2015 02:39 PM, Michael DePaulo wrote:
>>>
>>> On Mon, Feb 16, 2015 at 8:14 AM, Michael DePaulo <mikedep...@gmail.com>
>>> wrote:
>>>>
>>>> I am looking into fixing the recently announced X.org vulnerability
>>>> (CVE-2015-0255) in nx-libs.
>>>> http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
>>>>
>>>> It looks like nx-libs is affected.
>>>>
>>>> It also looks like some distros (Fedora, Debian) have fixed it, while
>>>> others (RHEL 5, 6 and 7, Debian LTS) have not.
>>>>
>>>> It also looks like the X.org 1.16.x commits are easier to apply to
>>>> nx-libs than the X.org 1.17.x commits are. The 1.17.x commits are
>>>> linked to on that advisory page.
>>>>
>>>> The X.org 1.16.x commits are here:
>>>> the branch:
>>>> http://cgit.freedesktop.org/xorg/xserver/log/?h=server-1.16-branch
>>>> the prereq:
>>>>
>>>> http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=747cea16c4de1f48e838e1388301a2e24a3da6c4
>>>> the fix itself:
>>>>
>>>> http://cgit.freedesktop.org/xorg/xserver/commit/?h=server-1.16-branch&id=8f61533b16635a0a13f4048235246edb138fa40b
>>>>
>>>> -Mike#2
>>>
>>> Status Update:
>>>
>>> I managed to backport the prereq commit to nx-libs 3.6.x.
>>>
>>> http://code.x2go.org/gitweb?p=nx-libs.git;a=commit;h=a1cd16d6d05b197fff110d26b458d8bd6cf3c560
>>
>>
>> LGTM, thanks!
>>
>>
>>
>> Mihai
>
>
> Please directly apply the patch on top of the 3.6.x code and push to 3.6.x
> branches (Arctica/X2Go nx-libs repo).
>
> I will backport the patch to the 3.5.0.x branch for X2Go (and Arctica) (or
> you may do it yourself: Please use the Git commit from the 3.6.x branch in
> debian/patches/ for this). Similar to how I backported the other 40 patches
> you provided.
>
> Thanks+Greets,
> Mike

Done.

I had to backport 2 more commits as prereqs. However, they are non-intrusive.

I will wait for review (e.g., from Mihai) before backporting from
3.6.x to 3.5.0.x.

I did do a test build successfully (on Ubuntu 14.04 64-bit).

-Mike
_______________________________________________
x2go-dev mailing list
x2go-dev@lists.x2go.org
http://lists.x2go.org/listinfo/x2go-dev
