user/libvncserver: patch CVE-2019-15681 and CVE-2019-15690

author: Max Rees <maxcrees@me.com> 2020-03-18 15:23:00 -0500
committer: Max Rees <maxcrees@me.com> 2020-03-19 22:21:25 -0500
commit: 9c855993eb92e8d569e35698fb4f632e2e4de52c (patch)
tree: 9581221c8cba97f70301d9b7db416bb215ec14cc /user/libvncserver
parent: 91d7404926e640ca6663b2865ee3e125a4adead2 (diff)
download: packages-9c855993eb92e8d569e35698fb4f632e2e4de52c.tar.gz
packages-9c855993eb92e8d569e35698fb4f632e2e4de52c.tar.bz2
packages-9c855993eb92e8d569e35698fb4f632e2e4de52c.tar.xz
packages-9c855993eb92e8d569e35698fb4f632e2e4de52c.zip
3 files changed, 70 insertions, 3 deletions
diff --git a/user/libvncserver/APKBUILD b/user/libvncserver/APKBUILD
index 2b42311c2..7058ad208 100644
--- a/user/libvncserver/APKBUILD
+++ b/user/libvncserver/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=libvncserver
 pkgver=0.9.12
-pkgrel=0
+pkgrel=1
 pkgdesc="Library to make writing a vnc server easy"
 url="https://libvnc.github.io/"
 arch="all"
@@ -15,7 +15,10 @@ depends_dev="libgcrypt-dev libjpeg-turbo-dev gnutls-dev libpng-dev
 makedepends="$depends_dev cmake"
 subpackages="$pkgname-dev"
 source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz
-	CVE-2018-15127.patch"
+	CVE-2018-15127.patch
+	CVE-2019-15681.patch
+	CVE-2019-15690.patch
+	"
 builddir="$srcdir"/libvncserver-LibVNCServer-$pkgver
 
 # secfixes:
@@ -24,6 +27,9 @@ builddir="$srcdir"/libvncserver-LibVNCServer-$pkgver
 #     - CVE-2016-9942
 #   0.9.12-r0:
 #     - CVE-2018-15127
+#   0.9.12-r1:
+#     - CVE-2019-15681
+#     - CVE-2019-15690
 
 build() {
 	if [ "$CBUILD" != "$CHOST" ]; then
@@ -49,4 +55,6 @@ package() {
 }
 
 sha512sums="60ff1cc93a937d6f8f97449bc58b763095846207112f7b1b3c43eb2d74448b595d6da949903a764bd484ee54e38ff6277e882adbe965dd6d26ba15ef6ff6fcb8  LibVNCServer-0.9.12.tar.gz
-8b5b6742e6c3a181c60652484b15ec42cc0a3acc1e82cef38e82b61f43f1de456d09731976f4e5dfab44abf3e551e22aaf4300cb8418cd8e136d705fcb2a7dbe  CVE-2018-15127.patch"
+8b5b6742e6c3a181c60652484b15ec42cc0a3acc1e82cef38e82b61f43f1de456d09731976f4e5dfab44abf3e551e22aaf4300cb8418cd8e136d705fcb2a7dbe  CVE-2018-15127.patch
+5ecb5a26813f3f07440ef6c54eebaca4e9b4f7c1cf2ba13375e3b23b950a9b818d068d4eef5532d7ea4d7ae084c4356af7257c45426101ff51afe2b7da338a1f  CVE-2019-15681.patch
+52f62a65c3e91b7c7a11b5ad6e1432d697e1314bf6c938b5cb0c9cc8bdffbf1c25612c33e05282c11d59c6523e208b882f963fca8bcd34a5c72dd476427e7542  CVE-2019-15690.patch"
diff --git a/user/libvncserver/CVE-2019-15681.patch b/user/libvncserver/CVE-2019-15681.patch
new file mode 100644
index 000000000..e328d8792
--- /dev/null
+++ b/user/libvncserver/CVE-2019-15681.patch
@@ -0,0 +1,23 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+---
+ libvncserver/rfbserver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 3bacc891..310e5487 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len)
+     rfbServerCutTextMsg sct;
+     rfbClientIteratorPtr iterator;
+ 
++    memset((char *)&sct, 0, sizeof(sct));
++
+     iterator = rfbGetClientIterator(rfbScreen);
+     while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
+         sct.type = rfbServerCutText;
diff --git a/user/libvncserver/CVE-2019-15690.patch b/user/libvncserver/CVE-2019-15690.patch
new file mode 100644
index 000000000..7fe36e454
--- /dev/null
+++ b/user/libvncserver/CVE-2019-15690.patch
@@ -0,0 +1,36 @@
+From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sun, 17 Nov 2019 17:18:35 +0100
+Subject: [PATCH] libvncclient/cursor: limit width/height input values
+
+Avoids a possible heap overflow reported by Pavel Cheremushkin
+<Pavel.Cheremushkin@kaspersky.com>.
+
+re #275
+---
+ libvncclient/cursor.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
+index 67f45726..40ffb3b0 100644
+--- a/libvncclient/cursor.c
++++ b/libvncclient/cursor.c
+@@ -28,6 +28,8 @@
+ #define OPER_SAVE     0
+ #define OPER_RESTORE  1
+ 
++#define MAX_CURSOR_SIZE 1024
++
+ #define RGB24_TO_PIXEL(bpp,r,g,b)                                       \
+    ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255             \
+     << client->format.redShift |                                              \
+@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
+   if (width * height == 0)
+     return TRUE;
+ 
++  if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
++    return FALSE;
++
+   /* Allocate memory for pixel data and temporary mask data. */
+   if(client->rcSource)
+     free(client->rcSource);
author	Max Rees <maxcrees@me.com>	2020-03-18 15:23:00 -0500
committer	Max Rees <maxcrees@me.com>	2020-03-19 22:21:25 -0500
commit	9c855993eb92e8d569e35698fb4f632e2e4de52c (patch)
tree	9581221c8cba97f70301d9b7db416bb215ec14cc /user/libvncserver
parent	91d7404926e640ca6663b2865ee3e125a4adead2 (diff)
download	packages-9c855993eb92e8d569e35698fb4f632e2e4de52c.tar.gz packages-9c855993eb92e8d569e35698fb4f632e2e4de52c.tar.bz2 packages-9c855993eb92e8d569e35698fb4f632e2e4de52c.tar.xz packages-9c855993eb92e8d569e35698fb4f632e2e4de52c.zip