From 07ca881ce05ff22fec1b3d0a20679c6978e43753 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 18 2021 06:40:59 +0000
Subject: import libvncserver-0.9.11-17.el8
---
diff --git a/SOURCES/libvncserver-0.9.11-CVE-2018-21247.patch b/SOURCES/libvncserver-0.9.11-CVE-2018-21247.patch
new file mode 100644
index 0000000..1cc92b6
--- /dev/null
+++ b/SOURCES/libvncserver-0.9.11-CVE-2018-21247.patch
@@ -0,0 +1,35 @@
+From d87d25516b3992e52cf79e3cd6bd331b0baceecf Mon Sep 17 00:00:00 2001
+From: Christian Beier
+Date: Sun, 17 Nov 2019 16:21:18 +0100
+Subject: [PATCH] When connecting to a repeater, make sure to not leak memory
+
+Really closes #253
+---
+ examples/repeater.c | 1 +
+ libvncclient/rfbproto.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/examples/repeater.c b/examples/repeater.c
+index cf0350ff..7047578d 100644
+--- a/examples/repeater.c
++++ b/examples/repeater.c
+@@ -23,6 +23,7 @@ int main(int argc,char** argv)
+ "Usage: %s []\n", argv[0]);
+ exit(1);
+ }
++ memset(id, 0, sizeof(id));
+ snprintf(id, sizeof(id) - 1, "ID:%s", argv[1]);
+ repeaterHost = argv[2];
+ repeaterPort = argc < 4 ? 5500 : atoi(argv[3]);
+diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
+index 6c07d97e..675248fa 100644
+--- a/libvncclient/rfbproto.c
++++ b/libvncclient/rfbproto.c
+@@ -402,6 +402,7 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
+
+ rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n", major, minor);
+
++ memset(tmphost, 0, sizeof(tmphost));
+ snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
+ if (!WriteToRFBServer(client, tmphost, sizeof(tmphost)))
+ return FALSE;
diff --git a/SOURCES/libvncserver-0.9.11-CVE-2019-20839.patch b/SOURCES/libvncserver-0.9.11-CVE-2019-20839.patch
new file mode 100644
index 0000000..1f3b61a
--- /dev/null
+++ b/SOURCES/libvncserver-0.9.11-CVE-2019-20839.patch
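Review bot: Both snprintf calls still discard their return value, so an over-long destHost (rfbproto.c hunk) or argv[1] (repeater.c hunk) is silently truncated and the repeater is handed a different target than the one requested instead of an error. The memset is the right fix for the uninitialised tail of the buffer that WriteToRFBServer sends out in full (it writes sizeof(tmphost) bytes), but truncation should be detected before the write: `if (snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort) >= (int)sizeof(tmphost)) { rfbClientErr("ConnectToRFBRepeater: destination host name too long\n"); return FALSE; }`. The repeater.c call passes `sizeof(id) - 1` even though snprintf already reserves room for the terminator; either drop the `- 1` or comment why it is there. Both enclosing functions start and end outside the hunk.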
@@ -0,0 +1,25 @@
+From 3fd03977c9b35800d73a865f167338cb4d05b0c1 Mon Sep 17 00:00:00 2001
+From: Christian Beier
+Date: Sat, 6 Apr 2019 20:23:12 +0200
+Subject: [PATCH] libvncclient: bail out if unix socket name would overflow
+
+Closes #291
+---
+ libvncclient/sockets.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libvncclient/sockets.c b/libvncclient/sockets.c
+index f042472f..821f85ca 100644
+--- a/libvncclient/sockets.c
++++ b/libvncclient/sockets.c
+@@ -461,6 +461,10 @@ ConnectClientToUnixSock(const char *sockFile)
+ int sock;
+ struct sockaddr_un addr;
+ addr.sun_family = AF_UNIX;
++ if(strlen(sockFile) + 1 > sizeof(addr.sun_path)) {
++ rfbClientErr("ConnectToUnixSock: socket file name too long\n");
++ return -1;
++ }
+ strcpy(addr.sun_path, sockFile);
+
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
diff --git a/SOURCES/libvncserver-0.9.11-CVE-2020-14397.patch b/SOURCES/libvncserver-0.9.11-CVE-2020-14397.patch
new file mode 100644
index 0000000..17c3be7
--- /dev/null
+++ b/SOURCES/libvncserver-0.9.11-CVE-2020-14397.patch
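Review bot: The new length check does make the strcpy on the following line safe, but `addr` is still only partially initialised: `struct sockaddr_un addr;` gets sun_family and the path written and nothing else, so whatever follows the name inside sun_path (and any padding) is stack garbage presumably handed to connect() further down the function. Declare it `struct sockaddr_un addr = {0};` (or memset it before the check) so the structure passed to the kernel is deterministic. The check also assumes sockFile is non-NULL; if the public API permits NULL, guard for it before the strlen call, which is undefined behaviour on a null pointer. ConnectClientToUnixSock continues past the end of the hunk.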
@@ -0,0 +1,80 @@
+From 416d7662a3f3ac5131014c6011bf1364d57a27e2 Mon Sep 17 00:00:00 2001
+From: Tobias Junghans
+Date: Tue, 3 Nov 2020 13:58:36 -0600
+Subject: [PATCH] libvncserver: add missing NULL pointer checks
+
+---
+ libvncserver/rfbregion.c | 26 ++++++++++++++++----------
+ libvncserver/rfbserver.c | 4 +++-
+ 2 files changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/libvncserver/rfbregion.c b/libvncserver/rfbregion.c
+index 1947d7c4..1e59646a 100644
+--- a/libvncserver/rfbregion.c
++++ b/libvncserver/rfbregion.c
+@@ -50,24 +50,30 @@ sraSpanDup(const sraSpan *src) {
+
+ static void
+ sraSpanInsertAfter(sraSpan *newspan, sraSpan *after) {
+- newspan->_next = after->_next;
+- newspan->_prev = after;
+- after->_next->_prev = newspan;
+- after->_next = newspan;
++ if (newspan && after) {
++ newspan->_next = after->_next;
++ newspan->_prev = after;
++ after->_next->_prev = newspan;
++ after->_next = newspan;
++ }
+ }
+
+ static void
+ sraSpanInsertBefore(sraSpan *newspan, sraSpan *before) {
+- newspan->_next = before;
+- newspan->_prev = before->_prev;
+- before->_prev->_next = newspan;
+- before->_prev = newspan;
++ if (newspan && before) {
++ newspan->_next = before;
++ newspan->_prev = before->_prev;
++ before->_prev->_next = newspan;
++ before->_prev = newspan;
++ }
+ }
+
+ static void
+ sraSpanRemove(sraSpan *span) {
+- span->_prev->_next = span->_next;
+- span->_next->_prev = span->_prev;
++ if (span) {
++ span->_prev->_next = span->_next;
++ span->_next->_prev = span->_prev;
++ }
+ }
+
+ static void
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 1b4dd975..1f4230f2 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -218,6 +218,8 @@ rfbClientIteratorHead(rfbClientIteratorPtr i)
+ rfbClientPtr
+ rfbClientIteratorNext(rfbClientIteratorPtr i)
+ {
++ if (!i)
++ return NULL;
+ if(i->next == 0) {
+ LOCK(rfbClientListMutex);
+ i->next = i->screen->clientHead;
+@@ -242,7 +244,7 @@ rfbClientIteratorNext(rfbClientIteratorPtr i)
+ void
+ rfbReleaseClientIterator(rfbClientIteratorPtr iterator)
+ {
+- IF_PTHREADS(if(iterator->next) rfbDecrClientRef(iterator->next));
++ IF_PTHREADS(if(iterator && iterator->next) rfbDecrClientRef(iterator->next));
+ free(iterator);
+ }
+
+--
+2.28.0
+
diff --git a/SOURCES/libvncserver-0.9.11-CVE-2020-14405.patch b/SOURCES/libvncserver-0.9.11-CVE-2020-14405.patch
new file mode 100644
index 0000000..df80cbc
--- /dev/null
+++ b/SOURCES/libvncserver-0.9.11-CVE-2020-14405.patch
@@ -0,0 +1,38 @@
+From 483dd0834167b86833ec6d756168b426ff8b4304 Mon Sep 17 00:00:00 2001
+From: Christian Beier
+Date: Tue, 3 Nov 2020 13:44:14 -0600
+Subject: [PATCH] libvncclient/rfbproto: limit max textchat size
+
+Addresses GitHub Security Lab (GHSL) Vulnerability Report
+`GHSL-2020-063`.
+
+Re #275
+---
+ libvncclient/rfbproto.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
+index 94751a22..7ba00b55 100644
+--- a/libvncclient/rfbproto.c
++++ b/libvncclient/rfbproto.c
+@@ -73,6 +73,8 @@
+ # define snprintf _snprintf /* MSVC went straight to the underscored syntax */
+ #endif
+
++#define MAX_TEXTCHAT_SIZE 10485760 /* 10MB */
++
+ /*
+ * rfbClientLog prints a time-stamped message to the log file (stderr).
+ */
+@@ -2285,6 +2287,8 @@ HandleRFBServerMessage(rfbClient* client)
+ client->HandleTextChat(client, (int)rfbTextChatFinished, NULL);
+ break;
+ default:
++ if(msg.tc.length > MAX_TEXTCHAT_SIZE)
++ return FALSE;
+ buffer=malloc(msg.tc.length+1);
+ if (!ReadFromRFBServer(client, buffer, msg.tc.length))
+ {
+--
+2.28.0
+
diff --git a/SOURCES/libvncserver-0.9.11-CVE-2020-25708.patch b/SOURCES/libvncserver-0.9.11-CVE-2020-25708.patch
new file mode 100644
index 0000000..7876eec
--- /dev/null
+++ b/SOURCES/libvncserver-0.9.11-CVE-2020-25708.patch
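Review bot: In sraSpanInsertAfter and sraSpanInsertBefore the new `if (newspan && after)` / `if (newspan && before)` guards turn a NULL argument into a silent no-op, so a caller that passed NULL (plausibly after a failed allocation elsewhere in rfbregion.c, which is not visible here) now ends up with a region that quietly lacks a span rather than a crash, and the bodies still dereference `after->_next` and `before->_prev` without any check. For static helpers that exist to maintain a list invariant, a documented precondition is clearer than a half guard: add a comment such as `/* Precondition: both pointers are non-NULL and the anchor is linked into a list; NULL is ignored only so that callers that fail allocation do not crash. */` above each helper so the next reader knows the no-op is deliberate. The rfbClientIteratorNext change is fine on its own, but note that a NULL iterator is now indistinguishable from end-of-list for the caller. sraSpanDup and the rest of the list code start outside the hunk.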
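Review bot: The size cap stops the unbounded allocation, but the `buffer=malloc(msg.tc.length+1);` on the next line is still unchecked, so a length just under MAX_TEXTCHAT_SIZE that fails to allocate passes NULL to ReadFromRFBServer. Add `if(!buffer) return FALSE;` directly after the malloc, and give the oversized case a reason in the log before its `return FALSE;`, e.g. `rfbClientErr("HandleRFBServerMessage: text chat message too large\n");`, since dropping the connection silently is hard to diagnose. Whether msg.tc.length has already been byte-swapped from wire order at this point is not visible in the hunk; the comparison must be against the host-order value or the cap is ineffective. HandleRFBServerMessage and the text-chat switch start outside the hunk.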
@@ -0,0 +1,24 @@
+From 673c07a75ed844d74676f3ccdcfdc706a7052dba Mon Sep 17 00:00:00 2001
+From: Christian Beier
+Date: Sun, 17 May 2020 13:47:21 +0200
+Subject: [PATCH] libvncserver/rfbserver: fix possible divide-by-zero
+
+Closes #409
+---
+ libvncserver/rfbserver.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 269a0137..9cc29c52 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -3369,6 +3369,9 @@ rfbSendRectEncodingRaw(rfbClientPtr cl,
+ char *fbptr = (cl->scaledScreen->frameBuffer + (cl->scaledScreen->paddedWidthInBytes * y)
+ + (x * (cl->scaledScreen->bitsPerPixel / 8)));
+
++ if(!h || !w)
++ return TRUE; /* nothing to send */
++
+ /* Flush the buffer to guarantee correct alignment for translateFn(). */
+ if (cl->ublen > 0) {
+ if (!rfbSendUpdateBuf(cl))
diff --git a/SPECS/libvncserver.spec b/SPECS/libvncserver.spec
index 0d83e9f..a913ff6 100644
--- a/SPECS/libvncserver.spec
+++ b/SPECS/libvncserver.spec
@@ -1,7 +1,7 @@
Summary: Library to make writing a VNC server easy
Name: libvncserver
Version: 0.9.11
-Release: 15%{?dist}.1
+Release: 17%{?dist}
# NOTE: --with-filetransfer => GPLv2
License: GPLv2+
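Review bot: The new `if(!h || !w)` only rejects an exactly-zero width or height; if w and h are signed ints, as the rest of this API suggests but the hunk does not show, a negative value still passes and reaches the same arithmetic, so `if (w <= 0 || h <= 0)` is the stricter and equally cheap form. The comment `/* nothing to send */` should also say what is being protected, since the division this fixes is not in the hunk and a reader cannot see why an empty rectangle must be short-circuited before the flush: `/* an empty rectangle is a valid no-op; bail before the per-rectangle arithmetic below divides by w/h */`. The guard is placed after fbptr is computed, which is harmless because fbptr is pointer arithmetic only at that point, but a note that this ordering keeps declarations ahead of statements would prevent someone "fixing" it later. If other encoders share the same per-rectangle computation they may need the same check; that cannot be confirmed from this hunk. rfbSendRectEncodingRaw starts and ends outside the hunk.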
@@ -45,6 +45,16 @@ Patch107: libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-v
Patch108: libvncserver-0.9.11-CVE-2017-18922.patch
# https://github.com/LibVNC/libvncserver/pull/308
Patch109: libvncserver-0.9.11-CVE-2019-20840.patch
+# https://github.com/LibVNC/libvncserver/issues/291
+Patch110: libvncserver-0.9.11-CVE-2019-20839.patch
+# https://github.com/LibVNC/libvncserver/issues/253
+Patch111: libvncserver-0.9.11-CVE-2018-21247.patch
+# https://github.com/LibVNC/libvncserver/issues/275
+Patch112: libvncserver-0.9.11-CVE-2020-14405.patch
+# https://github.com/LibVNC/libvncserver/pull/416
+Patch113: libvncserver-0.9.11-CVE-2020-14397.patch
+# https://github.com/LibVNC/libvncserver/issues/409
+Patch114: libvncserver-0.9.11-CVE-2020-25708.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -92,33 +102,7 @@ developing applications that use %{name}.
%prep
-%setup -q -n %{name}-LibVNCServer-%{version}
-
-%patch4 -p1 -b .0004
-
-%patch10 -p1
-%patch11 -p1
-
-%patch12 -p1
-
-%patch100 -p1 -b .system_minilzo
-# Nuke bundled minilzo
-#rm -fv common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c
-
-%patch101 -p1 -b .multilib
-%patch102 -p1
-%if 0%{?fedora} < 26
-%patch103 -p1 -b .soname
-%global soname 0
-%else
-%global soname 1
-%endif
-%patch104 -p1
-%patch105 -p1
-%patch106 -p1
-%patch107 -p1
-%patch108 -p1
-%patch109 -p1
+%autosetup -p1 -n %{name}-LibVNCServer-%{version}
# Fix encoding
for file in ChangeLog ; do
@@ -165,8 +149,8 @@ make -C test test ||:
%files
%license COPYING
%doc AUTHORS ChangeLog NEWS README TODO
-%{_libdir}/libvncclient.so.%{soname}*
-%{_libdir}/libvncserver.so.%{soname}*
+%{_libdir}/libvncclient.so.0*
+%{_libdir}/libvncserver.so.0*
%files devel
%{_bindir}/libvncserver-config
@@ -178,9 +162,19 @@ make -C test test ||:
%changelog
-* Tue Jul 28 2020 Michael Catanzaro - 0.9.11-15.1
-- Fix NVR
- Related: #1852356
+* Tue Nov 24 2020 Michael Catanzaro - 0.9.11-17
+- Fix CVE-2020-25708
+ Resolves: #1898078
+
+* Tue Nov 03 2020 Michael Catanzaro - 0.9.11-16
+- Fix CVE-2019-20839
+ Resolves: #1851032
+- Fix CVE-2018-21247
+ Resolves: #1852516
+- Fix CVE-2020-14405
+ Resolves: #1860527
+- Fix CVE-2020-14397
+ Resolves: #1861152
* Mon Jul 27 2020 Michael Catanzaro - 0.9.11-15
- Fix CVE-2017-18922