rpms / libvncserver

Clone
Source Code
GIT

Blame SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s
  1.   c7-beta
  2.   SOURCES
  3.   libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch
Blob History Raw
e0f39d 
From d9a832a2edbf95d664b07791f77a22ac3dfb95f5 Mon Sep 17 00:00:00 2001
e0f39d 
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
e0f39d 
Date: Thu, 10 Jan 2019 12:11:04 +0100
e0f39d 
Subject: [PATCH] Fix CVE-2018-15127 (Heap out-of-bounds write in
e0f39d 
 rfbserver.c:rfbProcessFileTransferReadBuffer())
e0f39d 
MIME-Version: 1.0
e0f39d 
Content-Type: text/plain; charset=UTF-8
e0f39d 
Content-Transfer-Encoding: 8bit
e0f39d
e0f39d 
This patch contains the following three upstream patches squashed
e0f39d 
together and ported to 0.9.11 version:
e0f39d
e0f39d 
    commit 502821828ed00b4a2c4bef90683d0fd88ce495de
e0f39d 
    Author: Christian Beier <dontmind@freeshell.org>
e0f39d 
    Date:   Sun Oct 21 20:21:30 2018 +0200
e0f39d
e0f39d 
	LibVNCServer: fix heap out-of-bound write access
e0f39d
e0f39d 
	Closes #243
e0f39d
e0f39d 
    commit 15bb719c03cc70f14c36a843dcb16ed69b405707
e0f39d 
    Author: Christian Beier <dontmind@freeshell.org>
e0f39d 
    Date:   Sun Jan 6 15:13:56 2019 +0100
e0f39d
e0f39d 
	Error out in rfbProcessFileTransferReadBuffer if length can not be allocated
e0f39d
e0f39d 
	re #273
e0f39d
e0f39d 
    commit 09e8fc02f59f16e2583b34fe1a270c238bd9ffec
e0f39d 
    Author: Petr Písař <ppisar@redhat.com>
e0f39d 
    Date:   Mon Jan 7 10:40:01 2019 +0100
e0f39d
e0f39d 
	Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer()
e0f39d
e0f39d 
	This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
e0f39d 
	out-of-bound write access in rfbProcessFileTransferReadBuffer() when
e0f39d 
	reading a transfered file content in a server. The former fix did not
e0f39d 
	work on platforms with a 32-bit int type (expected by rfbReadExact()).
e0f39d
e0f39d 
	CVE-2018-15127
e0f39d 
	<https://github.com/LibVNC/libvncserver/issues/243>
e0f39d 
	<https://github.com/LibVNC/libvncserver/issues/273>
e0f39d
e0f39d 
Signed-off-by: Petr Písař <ppisar@redhat.com>
e0f39d 
---
e0f39d 
 libvncserver/rfbserver.c | 17 +++++++++++++++--
e0f39d 
 1 file changed, 15 insertions(+), 2 deletions(-)
e0f39d
e0f39d 
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
e0f39d 
index b50a7f4..1b4dd97 100644
e0f39d 
--- a/libvncserver/rfbserver.c
e0f39d 
+++ b/libvncserver/rfbserver.c
e0f39d 
@@ -1471,11 +1471,24 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
e0f39d 
     int   n=0;
e0f39d
e0f39d 
     FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL);
e0f39d 
+
e0f39d 
     /*
e0f39d 
-    rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length);
e0f39d 
+       We later alloc length+1, which might wrap around on 32-bit systems if length equals
e0f39d 
+       0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
e0f39d 
+       will safely be allocated since this check will never trigger and malloc() can digest length+1
e0f39d 
+       without problems as length is a uint32_t.
e0f39d 
+       We also later pass length to rfbReadExact() that expects a signed int type and
e0f39d 
+       that might wrap on platforms with a 32-bit int type if length is bigger
e0f39d 
+       than 0X7FFFFFFF.
e0f39d 
     */
e0f39d 
+    if(length == SIZE_MAX || length > INT_MAX) {
e0f39d 
+	rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
e0f39d 
+	rfbCloseClient(cl);
e0f39d 
+	return NULL;
e0f39d 
+    }
e0f39d 
+
e0f39d 
     if (length>0) {
e0f39d 
-        buffer=malloc(length+1);
e0f39d 
+        buffer=malloc((size_t)length+1);
e0f39d 
         if (buffer!=NULL) {
e0f39d 
             if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
e0f39d 
                 if (n != 0)
e0f39d 
--
e0f39d 
2.17.2
e0f39d

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation