Sérgio M. Basto
5 years ago
parent
69c1237250
commit
6d0c01c615
@ -0,0 +1,44 @@
|
||||
From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Mon, 7 Jan 2019 10:40:01 +0100
|
||||
Subject: [PATCH] Limit lenght to INT_MAX bytes in
|
||||
rfbProcessFileTransferReadBuffer()
|
||||
|
||||
This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
|
||||
out-of-bound write access in rfbProcessFileTransferReadBuffer() when
|
||||
reading a transfered file content in a server. The former fix did not
|
||||
work on platforms with a 32-bit int type (expected by rfbReadExact()).
|
||||
|
||||
CVE-2018-15127
|
||||
<https://github.com/LibVNC/libvncserver/issues/243>
|
||||
<https://github.com/LibVNC/libvncserver/issues/273>
|
||||
---
|
||||
libvncserver/rfbserver.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
|
||||
index 7af84906..f2edbeea 100644
|
||||
--- a/libvncserver/rfbserver.c
|
||||
+++ b/libvncserver/rfbserver.c
|
||||
@@ -88,6 +88,8 @@
|
||||
#include <errno.h>
|
||||
/* strftime() */
|
||||
#include <time.h>
|
||||
+/* INT_MAX */
|
||||
+#include <limits.h>
|
||||
|
||||
#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
|
||||
#include "rfbssl.h"
|
||||
@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
|
||||
0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
|
||||
will safely be allocated since this check will never trigger and malloc() can digest length+1
|
||||
without problems as length is a uint32_t.
|
||||
+ We also later pass length to rfbReadExact() that expects a signed int type and
|
||||
+ that might wrap on platforms with a 32-bit int type if length is bigger
|
||||
+ than 0X7FFFFFFF.
|
||||
*/
|
||||
- if(length == SIZE_MAX) {
|
||||
+ if(length == SIZE_MAX || length > INT_MAX) {
|
||||
rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
|
||||
rfbCloseClient(cl);
|
||||
return NULL;
|
||||
@ -0,0 +1,23 @@
|
||||
From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
|
||||
From: Christian Beier <dontmind@freeshell.org>
|
||||
Date: Mon, 19 Aug 2019 22:32:25 +0200
|
||||
Subject: [PATCH] rfbserver: don't leak stack memory to the remote
|
||||
|
||||
Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
|
||||
---
|
||||
libvncserver/rfbserver.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
|
||||
index 3bacc891..310e5487 100644
|
||||
--- a/libvncserver/rfbserver.c
|
||||
+++ b/libvncserver/rfbserver.c
|
||||
@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len)
|
||||
rfbServerCutTextMsg sct;
|
||||
rfbClientIteratorPtr iterator;
|
||||
|
||||
+ memset((char *)&sct, 0, sizeof(sct));
|
||||
+
|
||||
iterator = rfbGetClientIterator(rfbScreen);
|
||||
while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
|
||||
sct.type = rfbServerCutText;
|
||||
@ -1,20 +0,0 @@
|
||||
diff -up LibVNCServer-0.9.1/libvncserver-config.in.multilib LibVNCServer-0.9.1/libvncserver-config.in
|
||||
--- LibVNCServer-0.9.1/libvncserver-config.in.multilib 2007-05-26 21:28:25.000000000 -0500
|
||||
+++ LibVNCServer-0.9.1/libvncserver-config.in 2008-01-22 14:51:08.000000000 -0600
|
||||
@@ -4,7 +4,6 @@ prefix=@prefix@
|
||||
exec_prefix=@exec_prefix@
|
||||
exec_prefix_set=no
|
||||
includedir=@includedir@
|
||||
-libdir=@libdir@
|
||||
|
||||
# if this script is in the same directory as libvncserver-config.in, assume not installed
|
||||
if [ -f "`dirname "$0"`/libvncserver-config.in" ]; then
|
||||
@@ -63,7 +62,7 @@ while test $# -gt 0; do
|
||||
libs="$libs -R$dir"
|
||||
fi
|
||||
done
|
||||
- echo "$libs" -lvncserver -lvncclient @LIBS@ @WSOCKLIB@
|
||||
+ echo "$libs" -lvncserver -lvncclient
|
||||
;;
|
||||
--link)
|
||||
echo @CC@
|
||||
@ -1,40 +0,0 @@
|
||||
From e7d578afbb16592ccee8f13aedd65b2220e220ae Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Tue, 6 Mar 2018 11:58:02 +0100
|
||||
Subject: [PATCH] Limit client cut text length to 1 MB
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch constrains client text length to 1 MB. Otherwise a client
|
||||
could make server allocate 2 GB of memory and that seems to be to much
|
||||
to classify it as denial of service.
|
||||
|
||||
I keep the previous checks for maximal type values intentionally as
|
||||
a course of defensive coding. (You cannot never know how small the
|
||||
types are. And as a warning for people patching out this change not to
|
||||
introduce CVE-2018-7225 again.)
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
libvncserver/rfbserver.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
|
||||
index a9561fc..0027343 100644
|
||||
--- a/libvncserver/rfbserver.c
|
||||
+++ b/libvncserver/rfbserver.c
|
||||
@@ -2587,7 +2587,9 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
|
||||
* argument. Here we check that the value fits into all of them to
|
||||
* prevent from misinterpretation and thus from accessing uninitialized
|
||||
* memory. CVE-2018-7225 */
|
||||
- if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
|
||||
+ /* But first to prevent from a denial-of-service by allocating to much
|
||||
+ * memory in the server, we impose a limit of 1 MB. */
|
||||
+ if (msg.cct.length > 1<<20 || msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
|
||||
rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
|
||||
msg.cct.length);
|
||||
rfbCloseClient(cl);
|
||||
--
|
||||
2.13.6
|
||||
|
||||
@ -1,76 +0,0 @@
|
||||
From 0073e4f694d5a51bb72ff12a5e8364b6e752e094 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Mon, 26 Feb 2018 13:48:00 +0100
|
||||
Subject: [PATCH] Validate client cut text length
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Client-provided unsigned 32-bit cut text length is passed to various
|
||||
functions that expects argument of a different type.
|
||||
|
||||
E.g. "RFB 003.003\n\001\006\0\0\0\xff\xff\xff\xff" string sent to the
|
||||
RFB server leads to 4294967295 msg.cct.length value that in turn is
|
||||
interpreted as -1 by rfbReadExact() and thus uninitialized str buffer
|
||||
with potentially sensitive data is passed to subsequent functions.
|
||||
|
||||
This patch fixes it by checking for a maximal value that still can be
|
||||
processed correctly. It also corrects accepting length value of zero
|
||||
(malloc(0) is interpreted on differnet systems differently).
|
||||
|
||||
Whether a client can make the server allocate up to 2 GB and cause
|
||||
a denial of service on memory-tight systems is kept without answer.
|
||||
A possible solution would be adding an arbitrary memory limit that is
|
||||
deemed safe.
|
||||
|
||||
CVE-2018-7225
|
||||
<https://github.com/LibVNC/libvncserver/issues/218>
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
libvncserver/rfbserver.c | 22 +++++++++++++++++++++-
|
||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
|
||||
index 116c488..a9561fc 100644
|
||||
--- a/libvncserver/rfbserver.c
|
||||
+++ b/libvncserver/rfbserver.c
|
||||
@@ -88,6 +88,12 @@
|
||||
#include <errno.h>
|
||||
/* strftime() */
|
||||
#include <time.h>
|
||||
+/* SIZE_MAX */
|
||||
+#include <stdint.h>
|
||||
+/* PRIu32 */
|
||||
+#include <inttypes.h>
|
||||
+/* INT_MAX */
|
||||
+#include <limits.h>
|
||||
|
||||
#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
|
||||
#include "rfbssl.h"
|
||||
@@ -2575,7 +2581,21 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
|
||||
|
||||
msg.cct.length = Swap32IfLE(msg.cct.length);
|
||||
|
||||
- str = (char *)malloc(msg.cct.length);
|
||||
+ /* uint32_t input is passed to malloc()'s size_t argument,
|
||||
+ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
|
||||
+ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
|
||||
+ * argument. Here we check that the value fits into all of them to
|
||||
+ * prevent from misinterpretation and thus from accessing uninitialized
|
||||
+ * memory. CVE-2018-7225 */
|
||||
+ if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
|
||||
+ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
|
||||
+ msg.cct.length);
|
||||
+ rfbCloseClient(cl);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ /* Allow zero-length client cut text. */
|
||||
+ str = (char *)malloc(msg.cct.length ? msg.cct.length : 1);
|
||||
if (str == NULL) {
|
||||
rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
|
||||
rfbCloseClient(cl);
|
||||
--
|
||||
2.13.6
|
||||
|
||||
@ -1,22 +0,0 @@
|
||||
diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.soname libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am
|
||||
--- libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.soname 2017-05-16 10:21:51.500768946 -0500
|
||||
+++ libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am 2017-05-17 11:26:44.383312391 -0500
|
||||
@@ -25,5 +25,5 @@ EXTRA_DIST=corre.c hextile.c rre.c tight
|
||||
$(libvncclient_la_OBJECTS): ../rfb/rfbclient.h
|
||||
|
||||
lib_LTLIBRARIES=libvncclient.la
|
||||
-libvncclient_la_LDFLAGS = -version-info 1:0:0
|
||||
+libvncclient_la_LDFLAGS = -version-info 0:0:0
|
||||
|
||||
diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.soname libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am
|
||||
--- libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.soname 2017-05-16 10:21:51.500768946 -0500
|
||||
+++ libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am 2017-05-17 11:27:02.259459683 -0500
|
||||
@@ -66,7 +66,7 @@ libvncserver_la_LIBADD += $(LIBSYSTEMD_L
|
||||
endif
|
||||
|
||||
lib_LTLIBRARIES=libvncserver.la
|
||||
-libvncserver_la_LDFLAGS = -version-info 1:0:0
|
||||
+libvncserver_la_LDFLAGS = -version-info 0:0:0
|
||||
|
||||
if HAVE_RPM
|
||||
$(PACKAGE)-$(VERSION).tar.gz: dist
|
||||
@ -1,55 +0,0 @@
|
||||
diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am
|
||||
--- libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.system_minilzo 2017-02-14 10:54:54.308402791 -0600
|
||||
+++ libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am 2017-02-14 10:56:28.007379315 -0600
|
||||
@@ -13,8 +13,8 @@ endif
|
||||
endif
|
||||
|
||||
|
||||
-libvncclient_la_SOURCES=cursor.c listen.c rfbproto.c sockets.c vncviewer.c ../common/minilzo.c $(TLSSRCS)
|
||||
-libvncclient_la_LIBADD=$(TLSLIBS)
|
||||
+libvncclient_la_SOURCES=cursor.c listen.c rfbproto.c sockets.c vncviewer.c $(TLSSRCS)
|
||||
+libvncclient_la_LIBADD=$(TLSLIBS) -lminilzo
|
||||
|
||||
noinst_HEADERS=../common/lzodefs.h ../common/lzoconf.h ../common/minilzo.h tls.h
|
||||
|
||||
diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c
|
||||
--- libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c.system_minilzo 2016-12-30 07:01:28.000000000 -0600
|
||||
+++ libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c 2017-02-14 10:54:54.309402801 -0600
|
||||
@@ -66,7 +66,7 @@
|
||||
#include <gcrypt.h>
|
||||
#endif
|
||||
|
||||
-#include "minilzo.h"
|
||||
+#include <lzo/minilzo.h>
|
||||
#include "tls.h"
|
||||
|
||||
#ifdef _MSC_VER
|
||||
diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am
|
||||
--- libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.system_minilzo 2017-02-14 10:54:54.309402801 -0600
|
||||
+++ libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am 2017-02-14 10:57:28.495009713 -0600
|
||||
@@ -53,11 +53,11 @@ endif
|
||||
LIB_SRCS = main.c rfbserver.c rfbregion.c auth.c sockets.c $(WEBSOCKETSSRCS) \
|
||||
stats.c corre.c hextile.c rre.c translate.c cutpaste.c \
|
||||
httpd.c cursor.c font.c \
|
||||
- draw.c selbox.c ../common/d3des.c ../common/vncauth.c cargs.c ../common/minilzo.c ultra.c scale.c \
|
||||
+ draw.c selbox.c ../common/d3des.c ../common/vncauth.c cargs.c ultra.c scale.c \
|
||||
$(ZLIBSRCS) $(TIGHTSRCS) $(TIGHTVNCFILETRANSFERSRCS)
|
||||
|
||||
libvncserver_la_SOURCES=$(LIB_SRCS)
|
||||
-libvncserver_la_LIBADD=$(WEBSOCKETSSSLLIBS)
|
||||
+libvncserver_la_LIBADD=$(WEBSOCKETSSSLLIBS) -lminilzo
|
||||
|
||||
if WITH_SYSTEMD
|
||||
AM_CPPFLAGS += -DLIBVNCSERVER_WITH_SYSTEMD
|
||||
diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c
|
||||
--- libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c.system_minilzo 2016-12-30 07:01:28.000000000 -0600
|
||||
+++ libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c 2017-02-14 10:54:54.309402801 -0600
|
||||
@@ -8,7 +8,7 @@
|
||||
*/
|
||||
|
||||
#include <rfb/rfb.h>
|
||||
-#include "minilzo.h"
|
||||
+#include <lzo/minilzo.h>
|
||||
|
||||
/*
|
||||
* cl->beforeEncBuf contains pixel data in the client's format.
|
||||
Loading…
Reference in new issue