diff --git a/CVE-2018-15127.patch b/CVE-2018-15127.patch new file mode 100644 index 0000000..1462436 --- /dev/null +++ b/CVE-2018-15127.patch @@ -0,0 +1,44 @@ +From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 7 Jan 2019 10:40:01 +0100 +Subject: [PATCH] Limit lenght to INT_MAX bytes in + rfbProcessFileTransferReadBuffer() + +This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap +out-of-bound write access in rfbProcessFileTransferReadBuffer() when +reading a transfered file content in a server. The former fix did not +work on platforms with a 32-bit int type (expected by rfbReadExact()). + +CVE-2018-15127 + + +--- + libvncserver/rfbserver.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 7af84906..f2edbeea 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -88,6 +88,8 @@ + #include + /* strftime() */ + #include ++/* INT_MAX */ ++#include + + #ifdef LIBVNCSERVER_WITH_WEBSOCKETS + #include "rfbssl.h" +@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length) + 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF + will safely be allocated since this check will never trigger and malloc() can digest length+1 + without problems as length is a uint32_t. ++ We also later pass length to rfbReadExact() that expects a signed int type and ++ that might wrap on platforms with a 32-bit int type if length is bigger ++ than 0X7FFFFFFF. + */ +- if(length == SIZE_MAX) { ++ if(length == SIZE_MAX || length > INT_MAX) { + rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); + rfbCloseClient(cl); + return NULL; diff --git a/CVE-2019-15681.patch b/CVE-2019-15681.patch new file mode 100644 index 0000000..e328d87 --- /dev/null +++ b/CVE-2019-15681.patch @@ -0,0 +1,23 @@ +From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001 +From: Christian Beier +Date: Mon, 19 Aug 2019 22:32:25 +0200 +Subject: [PATCH] rfbserver: don't leak stack memory to the remote + +Thanks go to Pavel Cheremushkin of Kaspersky for reporting. +--- + libvncserver/rfbserver.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 3bacc891..310e5487 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len) + rfbServerCutTextMsg sct; + rfbClientIteratorPtr iterator; + ++ memset((char *)&sct, 0, sizeof(sct)); ++ + iterator = rfbGetClientIterator(rfbScreen); + while ((cl = rfbClientIteratorNext(iterator)) != NULL) { + sct.type = rfbServerCutText; diff --git a/libvncserver-0.9.1-multilib.patch b/libvncserver-0.9.1-multilib.patch deleted file mode 100644 index d54a470..0000000 --- a/libvncserver-0.9.1-multilib.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff -up LibVNCServer-0.9.1/libvncserver-config.in.multilib LibVNCServer-0.9.1/libvncserver-config.in ---- LibVNCServer-0.9.1/libvncserver-config.in.multilib 2007-05-26 21:28:25.000000000 -0500 -+++ LibVNCServer-0.9.1/libvncserver-config.in 2008-01-22 14:51:08.000000000 -0600 -@@ -4,7 +4,6 @@ prefix=@prefix@ - exec_prefix=@exec_prefix@ - exec_prefix_set=no - includedir=@includedir@ --libdir=@libdir@ - - # if this script is in the same directory as libvncserver-config.in, assume not installed - if [ -f "`dirname "$0"`/libvncserver-config.in" ]; then -@@ -63,7 +62,7 @@ while test $# -gt 0; do - libs="$libs -R$dir" - fi - done -- echo "$libs" -lvncserver -lvncclient @LIBS@ @WSOCKLIB@ -+ echo "$libs" -lvncserver -lvncclient - ;; - --link) - echo @CC@ diff --git a/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch b/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch deleted file mode 100644 index 2a71f7f..0000000 --- a/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch +++ /dev/null @@ -1,40 +0,0 @@ -From e7d578afbb16592ccee8f13aedd65b2220e220ae Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Tue, 6 Mar 2018 11:58:02 +0100 -Subject: [PATCH] Limit client cut text length to 1 MB -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch constrains client text length to 1 MB. Otherwise a client -could make server allocate 2 GB of memory and that seems to be to much -to classify it as denial of service. - -I keep the previous checks for maximal type values intentionally as -a course of defensive coding. (You cannot never know how small the -types are. And as a warning for people patching out this change not to -introduce CVE-2018-7225 again.) - -Signed-off-by: Petr Písař ---- - libvncserver/rfbserver.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c -index a9561fc..0027343 100644 ---- a/libvncserver/rfbserver.c -+++ b/libvncserver/rfbserver.c -@@ -2587,7 +2587,9 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) - * argument. Here we check that the value fits into all of them to - * prevent from misinterpretation and thus from accessing uninitialized - * memory. CVE-2018-7225 */ -- if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { -+ /* But first to prevent from a denial-of-service by allocating to much -+ * memory in the server, we impose a limit of 1 MB. */ -+ if (msg.cct.length > 1<<20 || msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { - rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", - msg.cct.length); - rfbCloseClient(cl); --- -2.13.6 - diff --git a/libvncserver-0.9.11-Validate-client-cut-text-length.patch b/libvncserver-0.9.11-Validate-client-cut-text-length.patch deleted file mode 100644 index dc89cdf..0000000 --- a/libvncserver-0.9.11-Validate-client-cut-text-length.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 0073e4f694d5a51bb72ff12a5e8364b6e752e094 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Mon, 26 Feb 2018 13:48:00 +0100 -Subject: [PATCH] Validate client cut text length -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Client-provided unsigned 32-bit cut text length is passed to various -functions that expects argument of a different type. - -E.g. "RFB 003.003\n\001\006\0\0\0\xff\xff\xff\xff" string sent to the -RFB server leads to 4294967295 msg.cct.length value that in turn is -interpreted as -1 by rfbReadExact() and thus uninitialized str buffer -with potentially sensitive data is passed to subsequent functions. - -This patch fixes it by checking for a maximal value that still can be -processed correctly. It also corrects accepting length value of zero -(malloc(0) is interpreted on differnet systems differently). - -Whether a client can make the server allocate up to 2 GB and cause -a denial of service on memory-tight systems is kept without answer. -A possible solution would be adding an arbitrary memory limit that is -deemed safe. - -CVE-2018-7225 - - -Signed-off-by: Petr Písař ---- - libvncserver/rfbserver.c | 22 +++++++++++++++++++++- - 1 file changed, 21 insertions(+), 1 deletion(-) - -diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c -index 116c488..a9561fc 100644 ---- a/libvncserver/rfbserver.c -+++ b/libvncserver/rfbserver.c -@@ -88,6 +88,12 @@ - #include - /* strftime() */ - #include -+/* SIZE_MAX */ -+#include -+/* PRIu32 */ -+#include -+/* INT_MAX */ -+#include - - #ifdef LIBVNCSERVER_WITH_WEBSOCKETS - #include "rfbssl.h" -@@ -2575,7 +2581,21 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) - - msg.cct.length = Swap32IfLE(msg.cct.length); - -- str = (char *)malloc(msg.cct.length); -+ /* uint32_t input is passed to malloc()'s size_t argument, -+ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int -+ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int -+ * argument. Here we check that the value fits into all of them to -+ * prevent from misinterpretation and thus from accessing uninitialized -+ * memory. CVE-2018-7225 */ -+ if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { -+ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", -+ msg.cct.length); -+ rfbCloseClient(cl); -+ return; -+ } -+ -+ /* Allow zero-length client cut text. */ -+ str = (char *)malloc(msg.cct.length ? msg.cct.length : 1); - if (str == NULL) { - rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); - rfbCloseClient(cl); --- -2.13.6 - diff --git a/libvncserver-0.9.11-soname.patch b/libvncserver-0.9.11-soname.patch deleted file mode 100644 index 3b45b34..0000000 --- a/libvncserver-0.9.11-soname.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.soname libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am ---- libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.soname 2017-05-16 10:21:51.500768946 -0500 -+++ libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am 2017-05-17 11:26:44.383312391 -0500 -@@ -25,5 +25,5 @@ EXTRA_DIST=corre.c hextile.c rre.c tight - $(libvncclient_la_OBJECTS): ../rfb/rfbclient.h - - lib_LTLIBRARIES=libvncclient.la --libvncclient_la_LDFLAGS = -version-info 1:0:0 -+libvncclient_la_LDFLAGS = -version-info 0:0:0 - -diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.soname libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am ---- libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.soname 2017-05-16 10:21:51.500768946 -0500 -+++ libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am 2017-05-17 11:27:02.259459683 -0500 -@@ -66,7 +66,7 @@ libvncserver_la_LIBADD += $(LIBSYSTEMD_L - endif - - lib_LTLIBRARIES=libvncserver.la --libvncserver_la_LDFLAGS = -version-info 1:0:0 -+libvncserver_la_LDFLAGS = -version-info 0:0:0 - - if HAVE_RPM - $(PACKAGE)-$(VERSION).tar.gz: dist diff --git a/libvncserver-0.9.11-system_minilzo.patch b/libvncserver-0.9.11-system_minilzo.patch deleted file mode 100644 index c513c40..0000000 --- a/libvncserver-0.9.11-system_minilzo.patch +++ /dev/null @@ -1,55 +0,0 @@ -diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am ---- libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.system_minilzo 2017-02-14 10:54:54.308402791 -0600 -+++ libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am 2017-02-14 10:56:28.007379315 -0600 -@@ -13,8 +13,8 @@ endif - endif - - --libvncclient_la_SOURCES=cursor.c listen.c rfbproto.c sockets.c vncviewer.c ../common/minilzo.c $(TLSSRCS) --libvncclient_la_LIBADD=$(TLSLIBS) -+libvncclient_la_SOURCES=cursor.c listen.c rfbproto.c sockets.c vncviewer.c $(TLSSRCS) -+libvncclient_la_LIBADD=$(TLSLIBS) -lminilzo - - noinst_HEADERS=../common/lzodefs.h ../common/lzoconf.h ../common/minilzo.h tls.h - -diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c ---- libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c.system_minilzo 2016-12-30 07:01:28.000000000 -0600 -+++ libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c 2017-02-14 10:54:54.309402801 -0600 -@@ -66,7 +66,7 @@ - #include - #endif - --#include "minilzo.h" -+#include - #include "tls.h" - - #ifdef _MSC_VER -diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am ---- libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.system_minilzo 2017-02-14 10:54:54.309402801 -0600 -+++ libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am 2017-02-14 10:57:28.495009713 -0600 -@@ -53,11 +53,11 @@ endif - LIB_SRCS = main.c rfbserver.c rfbregion.c auth.c sockets.c $(WEBSOCKETSSRCS) \ - stats.c corre.c hextile.c rre.c translate.c cutpaste.c \ - httpd.c cursor.c font.c \ -- draw.c selbox.c ../common/d3des.c ../common/vncauth.c cargs.c ../common/minilzo.c ultra.c scale.c \ -+ draw.c selbox.c ../common/d3des.c ../common/vncauth.c cargs.c ultra.c scale.c \ - $(ZLIBSRCS) $(TIGHTSRCS) $(TIGHTVNCFILETRANSFERSRCS) - - libvncserver_la_SOURCES=$(LIB_SRCS) --libvncserver_la_LIBADD=$(WEBSOCKETSSSLLIBS) -+libvncserver_la_LIBADD=$(WEBSOCKETSSSLLIBS) -lminilzo - - if WITH_SYSTEMD - AM_CPPFLAGS += -DLIBVNCSERVER_WITH_SYSTEMD -diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c ---- libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c.system_minilzo 2016-12-30 07:01:28.000000000 -0600 -+++ libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c 2017-02-14 10:54:54.309402801 -0600 -@@ -8,7 +8,7 @@ - */ - - #include --#include "minilzo.h" -+#include - - /* - * cl->beforeEncBuf contains pixel data in the client's format. diff --git a/libvncserver.spec b/libvncserver.spec index 0394b4a..c0e6832 100644 --- a/libvncserver.spec +++ b/libvncserver.spec @@ -16,15 +16,10 @@ Patch10: 0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch Patch11: 0002-libvncserver-Add-channel-security-handlers.patch ## downstream patches -Patch100: libvncserver-0.9.11-system_minilzo.patch -Patch101: libvncserver-0.9.1-multilib.patch Patch102: LibVNCServer-0.9.10-system-crypto-policy.patch -# revert soname bump -Patch103: libvncserver-0.9.11-soname.patch -# 1/2 Fix CVE-2018-7225, bug #1546860 -Patch104: libvncserver-0.9.11-Validate-client-cut-text-length.patch -# 2/2 Fix CVE-2018-7225, bug #1546860 -Patch105: libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch + +Patch106: CVE-2018-15127.patch +Patch107: CVE-2019-15681.patch BuildRequires: cmake BuildRequires: pkgconfig(gnutls) @@ -89,19 +84,16 @@ developing applications that use %{name}. %setup -q -n %{name}-LibVNCServer-%{version} %patch1 -p1 -#patch4 -p1 -b .0004 %patch10 -p1 %patch11 -p1 -#patch100 -p1 -b .system_minilzo # Nuke bundled minilzo rm -fv common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c -#patch101 -p1 -b .multilib %patch102 -p1 -#patch104 -p1 -#patch105 -p1 +%patch106 -p1 +%patch107 -p1 # Fix encoding for file in ChangeLog ; do