diff options
| author |   Alexander Tsoy <alexander@tsoy.me> | 2019-10-31 21:41:58 +0300 |
|---|---|---|
| committer |   Joonas Niilola <juippis@gentoo.org> | 2019-11-01 16:10:59 +0200 |
| commit | 5ae4ada68cdf7aa131d7a50c9305b55ba14fcd43 (patch) | |
| tree | f865e9b4113dd62f602718e26ffbd53caa4d313e /net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch | |
| parent | dev-libs/libdivecomputer: update BDEPEND for -9999 live ebuild (diff) | |
| download | gentoo-5ae4ada68cdf7aa131d7a50c9305b55ba14fcd43.tar.gz gentoo-5ae4ada68cdf7aa131d7a50c9305b55ba14fcd43.tar.bz2 gentoo-5ae4ada68cdf7aa131d7a50c9305b55ba14fcd43.zip | |
net-libs/libvncserver: Add a bunch of upstream fixes
* fix CVE-2018-20750 (the fix for CVE-2018-15127 was incomplete)
* fix CVE-2019-15681
* fix libdir in pkgconfig files
* fix regression in Tight/Raw decoding
Bug: https://bugs.gentoo.org/699036
Closes: https://bugs.gentoo.org/676942
Closes: https://bugs.gentoo.org/691848
Package-Manager: Portage-2.3.76, Repoman-2.3.16
Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
Closes: https://github.com/gentoo/gentoo/pull/13509
Signed-off-by: Joonas Niilola <juippis@gentoo.org>
Diffstat (limited to 'net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch')
| -rw-r--r-- | net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch b/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch new file mode 100644 index 000000000000..55f122d12584 --- /dev/null +++ b/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch @@ -0,0 +1,47 @@ +From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Mon, 7 Jan 2019 10:40:01 +0100 +Subject: [PATCH 01/51] Limit lenght to INT_MAX bytes in + rfbProcessFileTransferReadBuffer() + +This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap +out-of-bound write access in rfbProcessFileTransferReadBuffer() when +reading a transfered file content in a server. The former fix did not +work on platforms with a 32-bit int type (expected by rfbReadExact()). + +CVE-2018-15127 +<https://github.com/LibVNC/libvncserver/issues/243> +<https://github.com/LibVNC/libvncserver/issues/273> +--- + libvncserver/rfbserver.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 7af8490..f2edbee 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -88,6 +88,8 @@ + #include <errno.h> + /* strftime() */ + #include <time.h> ++/* INT_MAX */ ++#include <limits.h> + + #ifdef LIBVNCSERVER_WITH_WEBSOCKETS + #include "rfbssl.h" +@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length) + 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF + will safely be allocated since this check will never trigger and malloc() can digest length+1 + without problems as length is a uint32_t. ++ We also later pass length to rfbReadExact() that expects a signed int type and ++ that might wrap on platforms with a 32-bit int type if length is bigger ++ than 0X7FFFFFFF. + */ +- if(length == SIZE_MAX) { ++ if(length == SIZE_MAX || length > INT_MAX) { + rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); + rfbCloseClient(cl); + return NULL; +-- +2.23.0 + |