summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlexander Tsoy <alexander@tsoy.me>2020-06-29 10:52:36 +0300
committerAaron Bauman <bman@gentoo.org>2020-06-29 13:29:20 -0400
commit3cc06e5fd4889a3fd2d77d6a411efe0f82f37777 (patch)
tree0f119d4890e2eb677c9ceb9550d6e14612f3c63d /net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch
parentdev-ruby/asciimath: add missing test dep (diff)
downloadgentoo-3cc06e5fd4889a3fd2d77d6a411efe0f82f37777.tar.gz
gentoo-3cc06e5fd4889a3fd2d77d6a411efe0f82f37777.tar.bz2
gentoo-3cc06e5fd4889a3fd2d77d6a411efe0f82f37777.zip
net-libs/libvncserver: Security cleanup
Bug: https://bugs.gentoo.org/728594 Signed-off-by: Alexander Tsoy <alexander@tsoy.me> Closes: https://github.com/gentoo/gentoo/pull/16483 Signed-off-by: Aaron Bauman <bman@gentoo.org>
Diffstat (limited to 'net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch')
-rw-r--r--net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch47
1 files changed, 0 insertions, 47 deletions
diff --git a/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch b/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch
deleted file mode 100644
index 55f122d12584..000000000000
--- a/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Mon, 7 Jan 2019 10:40:01 +0100
-Subject: [PATCH 01/51] Limit lenght to INT_MAX bytes in
- rfbProcessFileTransferReadBuffer()
-
-This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
-out-of-bound write access in rfbProcessFileTransferReadBuffer() when
-reading a transfered file content in a server. The former fix did not
-work on platforms with a 32-bit int type (expected by rfbReadExact()).
-
-CVE-2018-15127
-<https://github.com/LibVNC/libvncserver/issues/243>
-<https://github.com/LibVNC/libvncserver/issues/273>
----
- libvncserver/rfbserver.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
-index 7af8490..f2edbee 100644
---- a/libvncserver/rfbserver.c
-+++ b/libvncserver/rfbserver.c
-@@ -88,6 +88,8 @@
- #include <errno.h>
- /* strftime() */
- #include <time.h>
-+/* INT_MAX */
-+#include <limits.h>
-
- #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
- #include "rfbssl.h"
-@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
- 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
- will safely be allocated since this check will never trigger and malloc() can digest length+1
- without problems as length is a uint32_t.
-+ We also later pass length to rfbReadExact() that expects a signed int type and
-+ that might wrap on platforms with a 32-bit int type if length is bigger
-+ than 0X7FFFFFFF.
- */
-- if(length == SIZE_MAX) {
-+ if(length == SIZE_MAX || length > INT_MAX) {
- rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
- rfbCloseClient(cl);
- return NULL;
---
-2.23.0
-