Update to 0.9.12 phase 2

5 years ago · 6d0c01c615
parent 69c1237250
commit 6d0c01c615
8 changed files with 72 additions and 226 deletions
--- a/CVE-2018-15127.patch
+++ b/CVE-2018-15127.patch
@ -0,0 +1,44 @@
 From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Mon, 7 Jan 2019 10:40:01 +0100
 Subject: [PATCH] Limit lenght to INT_MAX bytes in
 rfbProcessFileTransferReadBuffer()
 This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
 out-of-bound write access in rfbProcessFileTransferReadBuffer() when
 reading a transfered file content in a server. The former fix did not
 work on platforms with a 32-bit int type (expected by rfbReadExact()).
 CVE-2018-15127
 <https://github.com/LibVNC/libvncserver/issues/243>
 <https://github.com/LibVNC/libvncserver/issues/273>
 ---
 libvncserver/rfbserver.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
 diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
 index 7af84906..f2edbeea 100644
 --- a/libvncserver/rfbserver.c
 +++ b/libvncserver/rfbserver.c
@@ -88,6 +88,8 @@
 #include <errno.h>
 /* strftime() */
 #include <time.h>
 +/* INT_MAX */
 +#include <limits.h>
 #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
 #include "rfbssl.h"
@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
        0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
        will safely be allocated since this check will never trigger and malloc() can digest length+1
        without problems as length is a uint32_t.
 +       We also later pass length to rfbReadExact() that expects a signed int type and
 +       that might wrap on platforms with a 32-bit int type if length is bigger
 +       than 0X7FFFFFFF.
     */
 -    if(length == SIZE_MAX) {
 +    if(length == SIZE_MAX || length > INT_MAX) {
 	rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
 	rfbCloseClient(cl);
 	return NULL;
--- a/CVE-2019-15681.patch
+++ b/CVE-2019-15681.patch
@ -0,0 +1,23 @@
 From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
 From: Christian Beier <dontmind@freeshell.org>
 Date: Mon, 19 Aug 2019 22:32:25 +0200
 Subject: [PATCH] rfbserver: don't leak stack memory to the remote
 Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
 ---
 libvncserver/rfbserver.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
 index 3bacc891..310e5487 100644
 --- a/libvncserver/rfbserver.c
 +++ b/libvncserver/rfbserver.c
@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len)
     rfbServerCutTextMsg sct;
     rfbClientIteratorPtr iterator;
 +    memset((char *)&sct, 0, sizeof(sct));
 +
     iterator = rfbGetClientIterator(rfbScreen);
     while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
         sct.type = rfbServerCutText;
--- a/libvncserver-0.9.1-multilib.patch
+++ b/libvncserver-0.9.1-multilib.patch
@ -1,20 +0,0 @@
 diff -up LibVNCServer-0.9.1/libvncserver-config.in.multilib LibVNCServer-0.9.1/libvncserver-config.in
 --- LibVNCServer-0.9.1/libvncserver-config.in.multilib	2007-05-26 21:28:25.000000000 -0500
 +++ LibVNCServer-0.9.1/libvncserver-config.in	2008-01-22 14:51:08.000000000 -0600
@@ -4,7 +4,6 @@ prefix=@prefix@
 exec_prefix=@exec_prefix@
 exec_prefix_set=no
 includedir=@includedir@
 -libdir=@libdir@
 # if this script is in the same directory as libvncserver-config.in, assume not installed
 if [ -f "`dirname "$0"`/libvncserver-config.in" ]; then
@@ -63,7 +62,7 @@ while test $# -gt 0; do
           libs="$libs -R$dir"
         fi
       done
 -      echo "$libs" -lvncserver -lvncclient @LIBS@ @WSOCKLIB@
 +      echo "$libs" -lvncserver -lvncclient
       ;;
     --link)
       echo @CC@
--- a/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
+++ b/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
@ -1,40 +0,0 @@
 From e7d578afbb16592ccee8f13aedd65b2220e220ae Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Tue, 6 Mar 2018 11:58:02 +0100
 Subject: [PATCH] Limit client cut text length to 1 MB
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 This patch constrains client text length to 1 MB. Otherwise a client
 could make server allocate 2 GB of memory and that seems to be to much
 to classify it as denial of service.
 I keep the previous checks for maximal type values intentionally as
 a course of defensive coding. (You cannot never know how small the
 types are. And as a warning for people patching out this change not to
 introduce CVE-2018-7225 again.)
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 libvncserver/rfbserver.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
 index a9561fc..0027343 100644
 --- a/libvncserver/rfbserver.c
 +++ b/libvncserver/rfbserver.c
@@ -2587,7 +2587,9 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
 	 * argument. Here we check that the value fits into all of them to
 	 * prevent from misinterpretation and thus from accessing uninitialized
 	 * memory. CVE-2018-7225 */
 -	if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
 +	/* But first to prevent from a denial-of-service by allocating to much
 +	 * memory in the server, we impose a limit of 1 MB. */
 +	if (msg.cct.length > 1<<20 || msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
 	    rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
 		    msg.cct.length);
 	    rfbCloseClient(cl);
 -- 
 2.13.6
--- a/libvncserver-0.9.11-Validate-client-cut-text-length.patch
+++ b/libvncserver-0.9.11-Validate-client-cut-text-length.patch
@ -1,76 +0,0 @@
 From 0073e4f694d5a51bb72ff12a5e8364b6e752e094 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Mon, 26 Feb 2018 13:48:00 +0100
 Subject: [PATCH] Validate client cut text length
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Client-provided unsigned 32-bit cut text length is passed to various
 functions that expects argument of a different type.
 E.g. "RFB 003.003\n\001\006\0\0\0\xff\xff\xff\xff" string sent to the
 RFB server leads to 4294967295 msg.cct.length value that in turn is
 interpreted as -1 by rfbReadExact() and thus uninitialized str buffer
 with potentially sensitive data is passed to subsequent functions.
 This patch fixes it by checking for a maximal value that still can be
 processed correctly. It also corrects accepting length value of zero
 (malloc(0) is interpreted on differnet systems differently).
 Whether a client can make the server allocate up to 2 GB and cause
 a denial of service on memory-tight systems is kept without answer.
 A possible solution would be adding an arbitrary memory limit that is
 deemed safe.
 CVE-2018-7225
 <https://github.com/LibVNC/libvncserver/issues/218>
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 libvncserver/rfbserver.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
 diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
 index 116c488..a9561fc 100644
 --- a/libvncserver/rfbserver.c
 +++ b/libvncserver/rfbserver.c
@@ -88,6 +88,12 @@
 #include <errno.h>
 /* strftime() */
 #include <time.h>
 +/* SIZE_MAX */
 +#include <stdint.h>
 +/* PRIu32 */
 +#include <inttypes.h>
 +/* INT_MAX */
 +#include <limits.h>
 #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
 #include "rfbssl.h"
@@ -2575,7 +2581,21 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
 	msg.cct.length = Swap32IfLE(msg.cct.length);
 -	str = (char *)malloc(msg.cct.length);
 +	/* uint32_t input is passed to malloc()'s size_t argument,
 +	 * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
 +	 * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
 +	 * argument. Here we check that the value fits into all of them to
 +	 * prevent from misinterpretation and thus from accessing uninitialized
 +	 * memory. CVE-2018-7225 */
 +	if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
 +	    rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
 +		    msg.cct.length);
 +	    rfbCloseClient(cl);
 +	    return;
 +	}
 +
 +	/* Allow zero-length client cut text. */
 +	str = (char *)malloc(msg.cct.length ? msg.cct.length : 1);
 	if (str == NULL) {
 		rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
 		rfbCloseClient(cl);
 -- 
 2.13.6
--- a/libvncserver-0.9.11-soname.patch
+++ b/libvncserver-0.9.11-soname.patch
@ -1,22 +0,0 @@
 diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.soname libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am
 --- libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.soname	2017-05-16 10:21:51.500768946 -0500
 +++ libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am	2017-05-17 11:26:44.383312391 -0500
@@ -25,5 +25,5 @@ EXTRA_DIST=corre.c hextile.c rre.c tight
 $(libvncclient_la_OBJECTS): ../rfb/rfbclient.h
 lib_LTLIBRARIES=libvncclient.la
 -libvncclient_la_LDFLAGS = -version-info 1:0:0
 +libvncclient_la_LDFLAGS = -version-info 0:0:0
 diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.soname libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am
 --- libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.soname	2017-05-16 10:21:51.500768946 -0500
 +++ libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am	2017-05-17 11:27:02.259459683 -0500
@@ -66,7 +66,7 @@ libvncserver_la_LIBADD += $(LIBSYSTEMD_L
 endif
 lib_LTLIBRARIES=libvncserver.la
 -libvncserver_la_LDFLAGS = -version-info 1:0:0
 +libvncserver_la_LDFLAGS = -version-info 0:0:0
 if HAVE_RPM
 $(PACKAGE)-$(VERSION).tar.gz: dist
--- a/libvncserver-0.9.11-system_minilzo.patch
+++ b/libvncserver-0.9.11-system_minilzo.patch
@ -1,55 +0,0 @@
 diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am
 --- libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.system_minilzo	2017-02-14 10:54:54.308402791 -0600
 +++ libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am	2017-02-14 10:56:28.007379315 -0600
@@ -13,8 +13,8 @@ endif
 endif
 -libvncclient_la_SOURCES=cursor.c listen.c rfbproto.c sockets.c vncviewer.c ../common/minilzo.c $(TLSSRCS)
 -libvncclient_la_LIBADD=$(TLSLIBS)
 +libvncclient_la_SOURCES=cursor.c listen.c rfbproto.c sockets.c vncviewer.c $(TLSSRCS)
 +libvncclient_la_LIBADD=$(TLSLIBS) -lminilzo
 noinst_HEADERS=../common/lzodefs.h ../common/lzoconf.h ../common/minilzo.h tls.h
 diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c
 --- libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c.system_minilzo	2016-12-30 07:01:28.000000000 -0600
 +++ libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c	2017-02-14 10:54:54.309402801 -0600
@@ -66,7 +66,7 @@
 #include <gcrypt.h>
 #endif
 -#include "minilzo.h"
 +#include <lzo/minilzo.h>
 #include "tls.h"
 #ifdef _MSC_VER
 diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am
 --- libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.system_minilzo	2017-02-14 10:54:54.309402801 -0600
 +++ libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am	2017-02-14 10:57:28.495009713 -0600
@@ -53,11 +53,11 @@ endif
 LIB_SRCS = main.c rfbserver.c rfbregion.c auth.c sockets.c $(WEBSOCKETSSRCS) \
 	stats.c corre.c hextile.c rre.c translate.c cutpaste.c \
 	httpd.c cursor.c font.c \
 -	draw.c selbox.c ../common/d3des.c ../common/vncauth.c cargs.c ../common/minilzo.c ultra.c scale.c \
 +	draw.c selbox.c ../common/d3des.c ../common/vncauth.c cargs.c ultra.c scale.c \
 	$(ZLIBSRCS) $(TIGHTSRCS) $(TIGHTVNCFILETRANSFERSRCS)
 libvncserver_la_SOURCES=$(LIB_SRCS)
 -libvncserver_la_LIBADD=$(WEBSOCKETSSSLLIBS)
 +libvncserver_la_LIBADD=$(WEBSOCKETSSSLLIBS) -lminilzo
 if WITH_SYSTEMD
 AM_CPPFLAGS += -DLIBVNCSERVER_WITH_SYSTEMD
 diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c
 --- libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c.system_minilzo	2016-12-30 07:01:28.000000000 -0600
 +++ libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c	2017-02-14 10:54:54.309402801 -0600
@@ -8,7 +8,7 @@
  */
 #include <rfb/rfb.h>
 -#include "minilzo.h"
 +#include <lzo/minilzo.h>
 /*
  * cl->beforeEncBuf contains pixel data in the client's format.
--- a/libvncserver.spec
+++ b/libvncserver.spec
@ -16,15 +16,10 @@ Patch10: 0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch
 Patch11: 0002-libvncserver-Add-channel-security-handlers.patch
 ## downstream patches
 Patch100:     libvncserver-0.9.11-system_minilzo.patch
 Patch101:     libvncserver-0.9.1-multilib.patch
 Patch102:     LibVNCServer-0.9.10-system-crypto-policy.patch
-# revert soname bump
+
-Patch103:     libvncserver-0.9.11-soname.patch
+Patch106:     CVE-2018-15127.patch
-# 1/2 Fix CVE-2018-7225, bug #1546860
+Patch107:     CVE-2019-15681.patch
 Patch104:     libvncserver-0.9.11-Validate-client-cut-text-length.patch
 # 2/2 Fix CVE-2018-7225, bug #1546860
 Patch105:     libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
 BuildRequires:  cmake
 BuildRequires:  pkgconfig(gnutls)
@ -89,19 +84,16 @@ developing applications that use %{name}.
 %setup -q -n %{name}-LibVNCServer-%{version}
 %patch1 -p1
 #patch4 -p1 -b .0004
 %patch10 -p1
 %patch11 -p1
 #patch100 -p1 -b .system_minilzo
 # Nuke bundled minilzo
 rm -fv common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c
 #patch101 -p1 -b .multilib
 %patch102 -p1
-#patch104 -p1
+%patch106 -p1
-#patch105 -p1
+%patch107 -p1
 # Fix encoding
 for file in ChangeLog ; do