From 9c855993eb92e8d569e35698fb4f632e2e4de52c Mon Sep 17 00:00:00 2001
From: Max Rees
Date: Wed, 18 Mar 2020 15:23:00 -0500
Subject: user/libvncserver: patch CVE-2019-15681 and CVE-2019-15690

---
 user/libvncserver/APKBUILD | 14 ++++++++++---
 user/libvncserver/CVE-2019-15681.patch | 23 ++++++++++++++++++++++
 user/libvncserver/CVE-2019-15690.patch | 36 ++++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 user/libvncserver/CVE-2019-15681.patch
 create mode 100644 user/libvncserver/CVE-2019-15690.patch
(limited to 'user/libvncserver')
diff --git a/user/libvncserver/APKBUILD b/user/libvncserver/APKBUILD
index 2b42311c2..7058ad208 100644
--- a/user/libvncserver/APKBUILD
+++ b/user/libvncserver/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: A. Wilcox
 pkgname=libvncserver
 pkgver=0.9.12
-pkgrel=0
+pkgrel=1
 pkgdesc="Library to make writing a vnc server easy"
 url="https://libvnc.github.io/"
 arch="all"
@@ -15,7 +15,10 @@ depends_dev="libgcrypt-dev libjpeg-turbo-dev gnutls-dev libpng-dev
 makedepends="$depends_dev cmake"
 subpackages="$pkgname-dev"
 source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz
-	CVE-2018-15127.patch"
+	CVE-2018-15127.patch
+	CVE-2019-15681.patch
+	CVE-2019-15690.patch
+	"
 builddir="$srcdir"/libvncserver-LibVNCServer-$pkgver
 
 # secfixes:
@@ -24,6 +27,9 @@ builddir="$srcdir"/libvncserver-LibVNCServer-$pkgver
 # - CVE-2016-9942
 # 0.9.12-r0:
 # - CVE-2018-15127
+# 0.9.12-r1:
+# - CVE-2019-15681
+# - CVE-2019-15690
 
 build() {
 	if [ "$CBUILD" != "$CHOST" ]; then
@@ -49,4 +55,6 @@ package() {
 }
 
 sha512sums="60ff1cc93a937d6f8f97449bc58b763095846207112f7b1b3c43eb2d74448b595d6da949903a764bd484ee54e38ff6277e882adbe965dd6d26ba15ef6ff6fcb8 LibVNCServer-0.9.12.tar.gz
-8b5b6742e6c3a181c60652484b15ec42cc0a3acc1e82cef38e82b61f43f1de456d09731976f4e5dfab44abf3e551e22aaf4300cb8418cd8e136d705fcb2a7dbe CVE-2018-15127.patch"
+8b5b6742e6c3a181c60652484b15ec42cc0a3acc1e82cef38e82b61f43f1de456d09731976f4e5dfab44abf3e551e22aaf4300cb8418cd8e136d705fcb2a7dbe CVE-2018-15127.patch
+5ecb5a26813f3f07440ef6c54eebaca4e9b4f7c1cf2ba13375e3b23b950a9b818d068d4eef5532d7ea4d7ae084c4356af7257c45426101ff51afe2b7da338a1f CVE-2019-15681.patch
+52f62a65c3e91b7c7a11b5ad6e1432d697e1314bf6c938b5cb0c9cc8bdffbf1c25612c33e05282c11d59c6523e208b882f963fca8bcd34a5c72dd476427e7542 CVE-2019-15690.patch"
diff --git a/user/libvncserver/CVE-2019-15681.patch b/user/libvncserver/CVE-2019-15681.patch
new file mode 100644
index 000000000..e328d8792
--- /dev/null
+++ b/user/libvncserver/CVE-2019-15681.patch
@@ -0,0 +1,23 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+---
+ libvncserver/rfbserver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 3bacc891..310e5487 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len)
+     rfbServerCutTextMsg sct;
+     rfbClientIteratorPtr iterator;
+ 
++    memset((char *)&sct, 0, sizeof(sct));
++
+     iterator = rfbGetClientIterator(rfbScreen);
+     while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
+         sct.type = rfbServerCutText;
diff --git a/user/libvncserver/CVE-2019-15690.patch b/user/libvncserver/CVE-2019-15690.patch
new file mode 100644
index 000000000..7fe36e454
--- /dev/null
+++ b/user/libvncserver/CVE-2019-15690.patch
@@ -0,0 +1,36 @@
+From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
+From: Christian Beier
+Date: Sun, 17 Nov 2019 17:18:35 +0100
+Subject: [PATCH] libvncclient/cursor: limit width/height input values
+
+Avoids a possible heap overflow reported by Pavel Cheremushkin
+.
+
+re #275
+---
+ libvncclient/cursor.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
+index 67f45726..40ffb3b0 100644
+--- a/libvncclient/cursor.c
++++ b/libvncclient/cursor.c
+@@ -28,6 +28,8 @@
+ #define OPER_SAVE 0
+ #define OPER_RESTORE 1
+ 
++#define MAX_CURSOR_SIZE 1024
++
+ #define RGB24_TO_PIXEL(bpp,r,g,b) \
+   ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \
+    << client->format.redShift | \
+@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
+   if (width * height == 0)
+     return TRUE;
+ 
++  if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
++    return FALSE;
++
+   /* Allocate memory for pixel data and temporary mask data. */
+   if(client->rcSource)
+     free(client->rcSource);
-- cgit v1.2.3-60-g2f50
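Review bot: In the CVE-2019-15690.patch hunk for HandleCursorShape, the new `width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE` guard is evaluated only after the existing `if (width * height == 0)` on the preceding context line, so the product of the two `int` parameters is still computed on unchecked values; if those values originate from the wire, as the subject "limit width/height input values" suggests, that multiplication can overflow signed int, which is undefined behaviour, before the limit is ever applied. Swapping the order so the bound is tested first removes that: `if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) return FALSE;` followed by the existing `if (width * height == 0) return TRUE;`. Because this file is a verbatim upstream commit pinned by the new sha512sums entry in the APKBUILD hunk above, the reorder belongs in a separate follow-up patch rather than an edit to this one. The body of HandleCursorShape continues outside the hunk, and whether negative values can reach it is not visible here.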