From 5ae4ada68cdf7aa131d7a50c9305b55ba14fcd43 Mon Sep 17 00:00:00 2001
From: Alexander Tsoy
Date: Thu, 31 Oct 2019 21:41:58 +0300
Subject: net-libs/libvncserver: Add a bunch of upstream fixes

* fix CVE-2018-20750 (the fix for CVE-2018-15127 was incomplete)
* fix CVE-2019-15681
* fix libdir in pkgconfig files
* fix regression in Tight/Raw decoding

Bug: https://bugs.gentoo.org/699036
Closes: https://bugs.gentoo.org/676942
Closes: https://bugs.gentoo.org/691848
Package-Manager: Portage-2.3.76, Repoman-2.3.16
Signed-off-by: Alexander Tsoy
Closes: https://github.com/gentoo/gentoo/pull/13509
Signed-off-by: Joonas Niilola
---
 .../files/libvncserver-0.9.12-CVE-2018-20750.patch | 47 ++++++++++++++++++++++
 .../files/libvncserver-0.9.12-CVE-2019-15681.patch | 26 ++++++++++++
 .../files/libvncserver-0.9.12-cmake-libdir.patch | 32 +++++++++++++--
 ...ibvncserver-0.9.12-fix-tight-raw-decoding.patch | 40 ++++++++++++++++++
 .../libvncserver-0.9.12-pkgconfig-libdir.patch | 41 +++++++++++++++++++
 5 files changed, 182 insertions(+), 4 deletions(-)
 create mode 100644 net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch
 create mode 100644 net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2019-15681.patch
 create mode 100644 net-libs/libvncserver/files/libvncserver-0.9.12-fix-tight-raw-decoding.patch
 create mode 100644 net-libs/libvncserver/files/libvncserver-0.9.12-pkgconfig-libdir.patch
(limited to 'net-libs/libvncserver/files')
diff --git a/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch b/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch
new file mode 100644
index 000000000000..55f122d12584
--- /dev/null
+++ b/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2018-20750.patch
@@ -0,0 +1,47 @@
+From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Mon, 7 Jan 2019 10:40:01 +0100
+Subject: [PATCH 01/51] Limit lenght to INT_MAX bytes in
+ rfbProcessFileTransferReadBuffer()
+
+This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
+out-of-bound write access in rfbProcessFileTransferReadBuffer() when
+reading a transfered file content in a server. The former fix did not
+work on platforms with a 32-bit int type (expected by rfbReadExact()).
+
+CVE-2018-15127
+
+
+---
+ libvncserver/rfbserver.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 7af8490..f2edbee 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -88,6 +88,8 @@
+ #include
+ /* strftime() */
+ #include
++/* INT_MAX */
++#include
+ 
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
+ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
+ will safely be allocated since this check will never trigger and malloc() can digest length+1
+ without problems as length is a uint32_t.
++ We also later pass length to rfbReadExact() that expects a signed int type and
++ that might wrap on platforms with a 32-bit int type if length is bigger
++ than 0X7FFFFFFF.
+ */
+- if(length == SIZE_MAX) {
++ if(length == SIZE_MAX || length > INT_MAX) {
+ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
+ rfbCloseClient(cl);
+ return NULL;
+-- 
+2.23.0
+
diff --git a/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2019-15681.patch b/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2019-15681.patch
new file mode 100644
index 000000000000..301d1340d14c
--- /dev/null
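Review bot: The added include line in the first inner hunk reads `++#include` with no header name, and the two existing `#include` lines above it are bare as well, so the angle-bracketed names look to have been stripped when the patch was rendered; the `/* INT_MAX */` comment implies `<limits.h>`, and the committed patch file should be checked to still carry it, otherwise `INT_MAX` in the new guard does not resolve. In the second inner hunk the `length == SIZE_MAX` arm becomes redundant once `length > INT_MAX` is tested (on 32-bit hosts SIZE_MAX exceeds INT_MAX, and on 64-bit hosts a uint32_t can never equal SIZE_MAX), so `if(length > INT_MAX) {` expresses the whole check and the long comment above it could be shortened to say that the bound is the `int` parameter of rfbReadExact(). rfbProcessFileTransferReadBuffer continues outside the hunk, so the later rfbReadExact() call the comment refers to is not visible here.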
+++ b/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2019-15681.patch
@@ -0,0 +1,26 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH 48/51] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+---
+ libvncserver/rfbserver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 3bacc89..310e548 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len)
+ rfbServerCutTextMsg sct;
+ rfbClientIteratorPtr iterator;
+ 
++ memset((char *)&sct, 0, sizeof(sct));
++
+ iterator = rfbGetClientIterator(rfbScreen);
+ while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
+ sct.type = rfbServerCutText;
+-- 
+2.23.0
+
diff --git a/net-libs/libvncserver/files/libvncserver-0.9.12-cmake-libdir.patch b/net-libs/libvncserver/files/libvncserver-0.9.12-cmake-libdir.patch
index 35ee26dc7b04..cc6e4bdc9097 100644
--- a/net-libs/libvncserver/files/libvncserver-0.9.12-cmake-libdir.patch
+++ b/net-libs/libvncserver/files/libvncserver-0.9.12-cmake-libdir.patch
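Review bot: The `(char *)` cast on the new `memset` is unnecessary, since `memset` takes a `void *`; `memset(&sct, 0, sizeof sct);` is the idiomatic form. A `= {0}` initializer would not be a safe substitute here, because the C standard does not guarantee the values of padding bytes in an automatic struct, and it is those padding bytes (sent verbatim on the wire) that this fix keeps from carrying stale stack contents, so a one-line comment such as `/* zero padding bytes too: sct is sent to the client as-is */` would preserve the reason for the memset. Other on-wire message structs declared on the stack in rfbserver.c are worth checking for the same pattern, though none are visible in this hunk. rfbSendServerCutText continues outside the hunk.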
@@ -1,6 +1,27 @@
---- libvncserver-LibVNCServer-0.9.12/CMakeLists.txt
-+++ libvncserver-LibVNCServer-0.9.12/CMakeLists.txt
-@@ -666,8 +666,8 @@
+From 3348a7e42e86dfb98dd7458ad29def476cf6096f Mon Sep 17 00:00:00 2001
+From: Christian Beier
+Date: Sat, 9 Feb 2019 13:23:26 +0100
+Subject: [PATCH 02/51] CMake: replace hardcoded 'lib' with
+ ${CMAKE_INSTALL_LIBDIR}
+
+Closes #281
+---
+ CMakeLists.txt | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 873cc7b..55f7e65 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -9,6 +9,7 @@ include(CheckTypeSize)
+ include(TestBigEndian)
+ include(CheckCSourceCompiles)
+ include(CheckCSourceRuns)
++include(GNUInstallDirs)
+ 
+ enable_testing()
+ 
+@@ -666,8 +667,8 @@ get_link_libraries(PRIVATE_LIBS vncclient)
 configure_file(${CMAKE_CURRENT_SOURCE_DIR}/libvncclient.pc.cmakein ${CMAKE_CURRENT_BINARY_DIR}/libvncclient.pc @ONLY)
@@ -11,7 +32,7 @@
 install_files(/include/rfb FILES
 rfb/keysym.h
 rfb/rfb.h
-@@ -677,7 +677,7 @@
+@@ -677,7 +678,7 @@ install_files(/include/rfb FILES
 rfb/rfbregion.h
 )
@@ -20,3 +41,6 @@
 libvncserver.pc
 libvncclient.pc
 )
+-- 
+2.23.0
+
diff --git a/net-libs/libvncserver/files/libvncserver-0.9.12-fix-tight-raw-decoding.patch b/net-libs/libvncserver/files/libvncserver-0.9.12-fix-tight-raw-decoding.patch
new file mode 100644
index 000000000000..e862d634346f
--- /dev/null
+++ b/net-libs/libvncserver/files/libvncserver-0.9.12-fix-tight-raw-decoding.patch
@@ -0,0 +1,40 @@
+From 6b87d6154200667a66212f80068f7468eaa0f048 Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Sat, 28 Sep 2019 14:54:30 -0500
+Subject: [PATCH 50/51] LibVNCClient: Fix regression in Tight/Raw decoding
+
+Introduced by d7b1462 in LibVNCServer 0.9.12. This regression caused
+the pixels in some RFB rectangles to become corrupted/garbled when the
+Tight encoding was used, without the JPEG subencoding, with a 15-bit or
+16-bit color depth.
+
+Fixes #335
+Fixes https://gitlab.com/Remmina/Remmina/issues/1824
+---
+ libvncclient/tight.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libvncclient/tight.c b/libvncclient/tight.c
+index df01812..0586f47 100644
+--- a/libvncclient/tight.c
++++ b/libvncclient/tight.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2017 D. R. Commander. All Rights Reserved.
++ * Copyright (C) 2017, 2019 D. R. Commander. All Rights Reserved.
+ * Copyright (C) 2004-2008 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright (C) 2004 Landmark Graphics Corporation. All Rights Reserved.
+ * Copyright (C) 2000, 2001 Const Kaplinsky. All Rights Reserved.
+@@ -360,7 +360,8 @@ FilterCopyBPP (rfbClient* client, int srcx, int srcy, int numRows)
+ #endif
+ 
+ for (y = 0; y < numRows; y++)
+- memcpy (&dst[y*client->width], &client->buffer[y*client->rectWidth],
++ memcpy (&dst[y*client->width],
++ &client->buffer[y * client->rectWidth * (BPP / 8)],
+ client->rectWidth * (BPP / 8));
+ }
+ 
+-- 
+2.23.0
+
diff --git a/net-libs/libvncserver/files/libvncserver-0.9.12-pkgconfig-libdir.patch b/net-libs/libvncserver/files/libvncserver-0.9.12-pkgconfig-libdir.patch
new file mode 100644
index 000000000000..6a50ac892064
--- /dev/null
+++ b/net-libs/libvncserver/files/libvncserver-0.9.12-pkgconfig-libdir.patch
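Review bot: The corrected source offset `y * client->rectWidth * (BPP / 8)` is in bytes while the destination offset `y*client->width` stays in pixels, and nothing in the hunk records that `client->buffer` is addressed as bytes whereas `dst` is presumably typed per pixel (its declaration is outside the hunk); a comment above the loop such as `/* client->buffer is raw bytes; dst is indexed in pixels */` would stop the next reader from "fixing" one index to match the other, which is how the regression this commit undoes could recur. The copy also relies on the caller having filled `client->buffer` with at least numRows * rectWidth * (BPP / 8) bytes; that bound is not checked in the hunk and is worth confirming where the Tight rectangle is read. FilterCopyBPP starts before and ends after the hunk.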
@@ -0,0 +1,41 @@
+From 36a71279ed5b10effecd879caf6c3791842ca713 Mon Sep 17 00:00:00 2001
+From: Christian Beier
+Date: Thu, 28 Mar 2019 21:06:36 +0100
+Subject: [PATCH 03/51] CMake: replace 'lib' with ${CMAKE_INSTALL_LIBDIR} for
+ pkgconfig files as well
+
+Thanks to https://github.com/ikelos for spotting this ;-)
+
+Closes #290
+---
+ libvncclient.pc.cmakein | 2 +-
+ libvncserver.pc.cmakein | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libvncclient.pc.cmakein b/libvncclient.pc.cmakein
+index 169a8b7..445f7e7 100644
+--- a/libvncclient.pc.cmakein
++++ b/libvncclient.pc.cmakein
+@@ -1,6 +1,6 @@
+ prefix=@CMAKE_INSTALL_PREFIX@
+ exec_prefix=@CMAKE_INSTALL_PREFIX@
+-libdir=@CMAKE_INSTALL_PREFIX@/lib
++libdir=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_LIBDIR@
+ includedir=@CMAKE_INSTALL_PREFIX@/include
+ 
+ Name: LibVNCClient
+diff --git a/libvncserver.pc.cmakein b/libvncserver.pc.cmakein
+index f38d74f..c689806 100644
+--- a/libvncserver.pc.cmakein
++++ b/libvncserver.pc.cmakein
+@@ -1,6 +1,6 @@
+ prefix=@CMAKE_INSTALL_PREFIX@
+ exec_prefix=@CMAKE_INSTALL_PREFIX@
+-libdir=@CMAKE_INSTALL_PREFIX@/lib
++libdir=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_LIBDIR@
+ includedir=@CMAKE_INSTALL_PREFIX@/include
+ 
+ Name: LibVNCServer
+-- 
+2.23.0
+
-- 
cgit v1.2.3
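Review bot: `libdir=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_LIBDIR@` produces a wrong path when CMAKE_INSTALL_LIBDIR is given as an absolute directory, which GNUInstallDirs allows, because the prefix is then prepended to an already absolute path; GNUInstallDirs also defines CMAKE_INSTALL_FULL_LIBDIR for exactly this, so `libdir=@CMAKE_INSTALL_FULL_LIBDIR@` covers both the relative and the absolute case. The same applies to both .pc.cmakein files in this hunk, and `includedir=@CMAKE_INSTALL_PREFIX@/include` on the following line stays hardcoded and could use `@CMAKE_INSTALL_FULL_INCLUDEDIR@` in the same way. Since this is a vendored upstream patch, the point is better carried upstream than edited locally.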