Library to make writing a vnc server easy
CentOS Sources
2019-01-15 8bed4c4e81fb5fcdf3023a71c0cfa295a8551ae0
import libvncserver-0.9.9-13.el7_6
3 files added
1 files modified
221 ■■■■■ changed files
SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch 82 ●●●●● patch | view | raw | blame | history
SOURCES/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch 40 ●●●●● patch | view | raw | blame | history
SOURCES/libvncserver-0.9.11-Validate-client-cut-text-length.patch 76 ●●●●● patch | view | raw | blame | history
SPECS/libvncserver.spec 23 ●●●●● patch | view | raw | blame | history
SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch
New file
@@ -0,0 +1,82 @@
From d9a832a2edbf95d664b07791f77a22ac3dfb95f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 10 Jan 2019 12:11:04 +0100
Subject: [PATCH] Fix CVE-2018-15127 (Heap out-of-bounds write in
 rfbserver.c:rfbProcessFileTransferReadBuffer())
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch contains the following three upstream patches squashed
together and ported to 0.9.11 version:
    commit 502821828ed00b4a2c4bef90683d0fd88ce495de
    Author: Christian Beier <dontmind@freeshell.org>
    Date:   Sun Oct 21 20:21:30 2018 +0200
    LibVNCServer: fix heap out-of-bound write access
    Closes #243
    commit 15bb719c03cc70f14c36a843dcb16ed69b405707
    Author: Christian Beier <dontmind@freeshell.org>
    Date:   Sun Jan 6 15:13:56 2019 +0100
    Error out in rfbProcessFileTransferReadBuffer if length can not be allocated
    re #273
    commit 09e8fc02f59f16e2583b34fe1a270c238bd9ffec
    Author: Petr Písař <ppisar@redhat.com>
    Date:   Mon Jan 7 10:40:01 2019 +0100
    Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer()
    This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
    out-of-bound write access in rfbProcessFileTransferReadBuffer() when
    reading a transfered file content in a server. The former fix did not
    work on platforms with a 32-bit int type (expected by rfbReadExact()).
    CVE-2018-15127
    <https://github.com/LibVNC/libvncserver/issues/243>
    <https://github.com/LibVNC/libvncserver/issues/273>
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 libvncserver/rfbserver.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index b50a7f4..1b4dd97 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -1471,11 +1471,24 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
     int   n=0;
     FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL);
+
     /*
-    rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length);
+       We later alloc length+1, which might wrap around on 32-bit systems if length equals
+       0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
+       will safely be allocated since this check will never trigger and malloc() can digest length+1
+       without problems as length is a uint32_t.
+       We also later pass length to rfbReadExact() that expects a signed int type and
+       that might wrap on platforms with a 32-bit int type if length is bigger
+       than 0X7FFFFFFF.
     */
+    if(length == SIZE_MAX || length > INT_MAX) {
+    rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
+    rfbCloseClient(cl);
+    return NULL;
+    }
+
     if (length>0) {
-        buffer=malloc(length+1);
+        buffer=malloc((size_t)length+1);
         if (buffer!=NULL) {
             if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
                 if (n != 0)
--
2.17.2
SOURCES/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
New file
@@ -0,0 +1,40 @@
From e7d578afbb16592ccee8f13aedd65b2220e220ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 6 Mar 2018 11:58:02 +0100
Subject: [PATCH] Limit client cut text length to 1 MB
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch constrains client text length to 1 MB. Otherwise a client
could make server allocate 2 GB of memory and that seems to be to much
to classify it as denial of service.
I keep the previous checks for maximal type values intentionally as
a course of defensive coding. (You cannot never know how small the
types are. And as a warning for people patching out this change not to
introduce CVE-2018-7225 again.)
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 libvncserver/rfbserver.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index a9561fc..0027343 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -2587,7 +2587,9 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
      * argument. Here we check that the value fits into all of them to
      * prevent from misinterpretation and thus from accessing uninitialized
      * memory. CVE-2018-7225 */
-    if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
+    /* But first to prevent from a denial-of-service by allocating to much
+     * memory in the server, we impose a limit of 1 MB. */
+    if (msg.cct.length > 1<<20 || msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
         rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
             msg.cct.length);
         rfbCloseClient(cl);
--
2.13.6
SOURCES/libvncserver-0.9.11-Validate-client-cut-text-length.patch
New file
@@ -0,0 +1,76 @@
From 0073e4f694d5a51bb72ff12a5e8364b6e752e094 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 26 Feb 2018 13:48:00 +0100
Subject: [PATCH] Validate client cut text length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Client-provided unsigned 32-bit cut text length is passed to various
functions that expects argument of a different type.
E.g. "RFB 003.003\n\001\006\0\0\0\xff\xff\xff\xff" string sent to the
RFB server leads to 4294967295 msg.cct.length value that in turn is
interpreted as -1 by rfbReadExact() and thus uninitialized str buffer
with potentially sensitive data is passed to subsequent functions.
This patch fixes it by checking for a maximal value that still can be
processed correctly. It also corrects accepting length value of zero
(malloc(0) is interpreted on differnet systems differently).
Whether a client can make the server allocate up to 2 GB and cause
a denial of service on memory-tight systems is kept without answer.
A possible solution would be adding an arbitrary memory limit that is
deemed safe.
CVE-2018-7225
<https://github.com/LibVNC/libvncserver/issues/218>
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 libvncserver/rfbserver.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 116c488..a9561fc 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -88,6 +88,12 @@
 #include <errno.h>
 /* strftime() */
 #include <time.h>
+/* SIZE_MAX */
+#include <stdint.h>
+/* PRIu32 */
+#include <inttypes.h>
+/* INT_MAX */
+#include <limits.h>
 #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
 #include "rfbssl.h"
@@ -2575,7 +2581,21 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
     msg.cct.length = Swap32IfLE(msg.cct.length);
-    str = (char *)malloc(msg.cct.length);
+    /* uint32_t input is passed to malloc()'s size_t argument,
+     * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
+     * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
+     * argument. Here we check that the value fits into all of them to
+     * prevent from misinterpretation and thus from accessing uninitialized
+     * memory. CVE-2018-7225 */
+    if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
+        rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
+            msg.cct.length);
+        rfbCloseClient(cl);
+        return;
+    }
+
+    /* Allow zero-length client cut text. */
+    str = (char *)malloc(msg.cct.length ? msg.cct.length : 1);
     if (str == NULL) {
         rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
         rfbCloseClient(cl);
--
2.13.6
SPECS/libvncserver.spec
@@ -6,7 +6,7 @@
Summary: Library to make writing a vnc server easy
Name:    libvncserver
Version: 0.9.9
Release: 11%{?dist}
Release: 13%{?dist}
# NOTE: --with-tightvnc-filetransfer => GPLv2
License: GPLv2+
Group:   System Environment/Libraries
@@ -35,6 +35,17 @@
# after 0.9.9,
# <https://sourceforge.net/p/libvncserver/mailman/message/29358128/>
Patch9: LibVNCServer-0.9.9-libvncserver-sockets.c-do-not-segfault-when-listenSo.patch
# 1/2 Fix CVE-2018-7225, bug #1548441
Patch10:    libvncserver-0.9.11-Validate-client-cut-text-length.patch
# 2/2 Fix CVE-2018-7225, bug #1548441
Patch11:    libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
# Fix CVE-2018-15127 (Heap out-of-bounds write in
# rfbserver.c:rfbProcessFileTransferReadBuffer()), bug #1662995, upstream bugs
# <https://github.com/LibVNC/libvncserver/issues/243>
# <https://github.com/LibVNC/libvncserver/issues/273>
# <https://github.com/LibVNC/libvncserver/issues/276>
# fixed in upstream after 0.9.12
Patch12:    libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch
# upstream name
Obsoletes: LibVNCServer < 0.9.1
@@ -87,6 +98,9 @@
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
# fix encoding
for file in AUTHORS ChangeLog ; do
@@ -155,6 +169,13 @@
%changelog
* Thu Jan 10 2019 Petr Pisar <ppisar@redhat.com> - 0.9.9-13
- Fix CVE-2018-15127 (Heap out-of-bounds write in
  rfbserver.c:rfbProcessFileTransferReadBuffer()) (bug #1662995)
* Mon Feb 26 2018 Petr Pisar <ppisar@redhat.com> - 0.9.9-12
- Fix CVE-2018-7225 (improper client cut text length sanitization) (bug #1548441)
* Fri Sep 15 2017 Petr Pisar <ppisar@redhat.com> - 0.9.9-11
- Fix a crash in the VNC server library on connecting an IPv4 client if the
  server could not start listening on an IPv6 socket (bug #1314814)