From e2dfc543558de6162625aefe7869af0a6e85dec0 Mon Sep 17 00:00:00 2001
From: "A. Wilcox" <AWilcox@Wilcox-Tech.com>
Date: Wed, 17 Jun 2020 19:26:12 +0000
Subject: user/libvncserver: [CVE] Update to 0.9.13

---
 user/libvncserver/APKBUILD             | 18 ++++++--------
 user/libvncserver/CVE-2018-15127.patch | 44 ----------------------------------
 user/libvncserver/CVE-2019-15681.patch | 23 ------------------
 user/libvncserver/CVE-2019-15690.patch | 36 ----------------------------
 4 files changed, 7 insertions(+), 114 deletions(-)
 delete mode 100644 user/libvncserver/CVE-2018-15127.patch
 delete mode 100644 user/libvncserver/CVE-2019-15681.patch
 delete mode 100644 user/libvncserver/CVE-2019-15690.patch

(limited to 'user')

diff --git a/user/libvncserver/APKBUILD b/user/libvncserver/APKBUILD
index 7058ad208..7be15d41d 100644
--- a/user/libvncserver/APKBUILD
+++ b/user/libvncserver/APKBUILD
@@ -2,8 +2,8 @@
 # Contributor: Natanael Copa <ncopa@alpinelinux.org>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=libvncserver
-pkgver=0.9.12
-pkgrel=1
+pkgver=0.9.13
+pkgrel=0
 pkgdesc="Library to make writing a vnc server easy"
 url="https://libvnc.github.io/"
 arch="all"
@@ -14,11 +14,7 @@ depends_dev="libgcrypt-dev libjpeg-turbo-dev gnutls-dev libpng-dev
 	libxi-dev libxinerama-dev libxrandr-dev libxtst-dev"
 makedepends="$depends_dev cmake"
 subpackages="$pkgname-dev"
-source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz
-	CVE-2018-15127.patch
-	CVE-2019-15681.patch
-	CVE-2019-15690.patch
-	"
+source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz"
 builddir="$srcdir"/libvncserver-LibVNCServer-$pkgver
 
 # secfixes:
@@ -30,6 +26,9 @@ builddir="$srcdir"/libvncserver-LibVNCServer-$pkgver
 #   0.9.12-r1:
 #     - CVE-2019-15681
 #     - CVE-2019-15690
+#   0.9.13-r0:
+#     - CVE-2019-20788
+#     - CVE-2020-14401
 
 build() {
 	if [ "$CBUILD" != "$CHOST" ]; then
@@ -54,7 +53,4 @@ package() {
 	make install DESTDIR="$pkgdir"
 }
 
-sha512sums="60ff1cc93a937d6f8f97449bc58b763095846207112f7b1b3c43eb2d74448b595d6da949903a764bd484ee54e38ff6277e882adbe965dd6d26ba15ef6ff6fcb8  LibVNCServer-0.9.12.tar.gz
-8b5b6742e6c3a181c60652484b15ec42cc0a3acc1e82cef38e82b61f43f1de456d09731976f4e5dfab44abf3e551e22aaf4300cb8418cd8e136d705fcb2a7dbe  CVE-2018-15127.patch
-5ecb5a26813f3f07440ef6c54eebaca4e9b4f7c1cf2ba13375e3b23b950a9b818d068d4eef5532d7ea4d7ae084c4356af7257c45426101ff51afe2b7da338a1f  CVE-2019-15681.patch
-52f62a65c3e91b7c7a11b5ad6e1432d697e1314bf6c938b5cb0c9cc8bdffbf1c25612c33e05282c11d59c6523e208b882f963fca8bcd34a5c72dd476427e7542  CVE-2019-15690.patch"
+sha512sums="18b0a1698d32bbdbfe6f65f76130b2a95860e3cc76e8adb904269663698c7c0ae982f451fda1f25e5461f096045d40a89d9014258f439366d5b4feaa4999d643  LibVNCServer-0.9.13.tar.gz"
diff --git a/user/libvncserver/CVE-2018-15127.patch b/user/libvncserver/CVE-2018-15127.patch
deleted file mode 100644
index 146243670..000000000
--- a/user/libvncserver/CVE-2018-15127.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Mon, 7 Jan 2019 10:40:01 +0100
-Subject: [PATCH] Limit lenght to INT_MAX bytes in
- rfbProcessFileTransferReadBuffer()
-
-This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
-out-of-bound write access in rfbProcessFileTransferReadBuffer() when
-reading a transfered file content in a server. The former fix did not
-work on platforms with a 32-bit int type (expected by rfbReadExact()).
-
-CVE-2018-15127
-<https://github.com/LibVNC/libvncserver/issues/243>
-<https://github.com/LibVNC/libvncserver/issues/273>
----
- libvncserver/rfbserver.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
-index 7af84906..f2edbeea 100644
---- a/libvncserver/rfbserver.c
-+++ b/libvncserver/rfbserver.c
-@@ -88,6 +88,8 @@
- #include <errno.h>
- /* strftime() */
- #include <time.h>
-+/* INT_MAX */
-+#include <limits.h>
- 
- #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
- #include "rfbssl.h"
-@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
-        0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
-        will safely be allocated since this check will never trigger and malloc() can digest length+1
-        without problems as length is a uint32_t.
-+       We also later pass length to rfbReadExact() that expects a signed int type and
-+       that might wrap on platforms with a 32-bit int type if length is bigger
-+       than 0X7FFFFFFF.
-     */
--    if(length == SIZE_MAX) {
-+    if(length == SIZE_MAX || length > INT_MAX) {
- 	rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
- 	rfbCloseClient(cl);
- 	return NULL;
diff --git a/user/libvncserver/CVE-2019-15681.patch b/user/libvncserver/CVE-2019-15681.patch
deleted file mode 100644
index e328d8792..000000000
--- a/user/libvncserver/CVE-2019-15681.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
-From: Christian Beier <dontmind@freeshell.org>
-Date: Mon, 19 Aug 2019 22:32:25 +0200
-Subject: [PATCH] rfbserver: don't leak stack memory to the remote
-
-Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
----
- libvncserver/rfbserver.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
-index 3bacc891..310e5487 100644
---- a/libvncserver/rfbserver.c
-+++ b/libvncserver/rfbserver.c
-@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len)
-     rfbServerCutTextMsg sct;
-     rfbClientIteratorPtr iterator;
- 
-+    memset((char *)&sct, 0, sizeof(sct));
-+
-     iterator = rfbGetClientIterator(rfbScreen);
-     while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
-         sct.type = rfbServerCutText;
diff --git a/user/libvncserver/CVE-2019-15690.patch b/user/libvncserver/CVE-2019-15690.patch
deleted file mode 100644
index 7fe36e454..000000000
--- a/user/libvncserver/CVE-2019-15690.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
-From: Christian Beier <dontmind@freeshell.org>
-Date: Sun, 17 Nov 2019 17:18:35 +0100
-Subject: [PATCH] libvncclient/cursor: limit width/height input values
-
-Avoids a possible heap overflow reported by Pavel Cheremushkin
-<Pavel.Cheremushkin@kaspersky.com>.
-
-re #275
----
- libvncclient/cursor.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
-index 67f45726..40ffb3b0 100644
---- a/libvncclient/cursor.c
-+++ b/libvncclient/cursor.c
-@@ -28,6 +28,8 @@
- #define OPER_SAVE     0
- #define OPER_RESTORE  1
- 
-+#define MAX_CURSOR_SIZE 1024
-+
- #define RGB24_TO_PIXEL(bpp,r,g,b)                                       \
-    ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255             \
-     << client->format.redShift |                                              \
-@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
-   if (width * height == 0)
-     return TRUE;
- 
-+  if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
-+    return FALSE;
-+
-   /* Allocate memory for pixel data and temporary mask data. */
-   if(client->rcSource)
-     free(client->rcSource);
-- 
cgit v1.2.3-60-g2f50