From e39311160dc0457d6bd03803fdbeb63eab1338b6 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 15 2019 08:18:23 +0000
Subject: import libvncserver-0.9.9-13.el7_6
---
diff --git a/SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch b/SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch
new file mode 100644
index 0000000..3140fcb
--- /dev/null
+++ b/SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch
@@ -0,0 +1,82 @@
+From d9a832a2edbf95d664b07791f77a22ac3dfb95f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Thu, 10 Jan 2019 12:11:04 +0100
+Subject: [PATCH] Fix CVE-2018-15127 (Heap out-of-bounds write in
+ rfbserver.c:rfbProcessFileTransferReadBuffer())
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch contains the following three upstream patches squashed
+together and ported to 0.9.11 version:
+
+ commit 502821828ed00b4a2c4bef90683d0fd88ce495de
+ Author: Christian Beier
+ Date: Sun Oct 21 20:21:30 2018 +0200
+
+ LibVNCServer: fix heap out-of-bound write access
+
+ Closes #243
+
+ commit 15bb719c03cc70f14c36a843dcb16ed69b405707
+ Author: Christian Beier
+ Date: Sun Jan 6 15:13:56 2019 +0100
+
+ Error out in rfbProcessFileTransferReadBuffer if length can not be allocated
+
+ re #273
+
+ commit 09e8fc02f59f16e2583b34fe1a270c238bd9ffec
+ Author: Petr Písař
+ Date: Mon Jan 7 10:40:01 2019 +0100
+
+ Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer()
+
+ This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
+ out-of-bound write access in rfbProcessFileTransferReadBuffer() when
+ reading a transfered file content in a server. The former fix did not
+ work on platforms with a 32-bit int type (expected by rfbReadExact()).
+
+ CVE-2018-15127
+
+
+
+Signed-off-by: Petr Písař
+---
+ libvncserver/rfbserver.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index b50a7f4..1b4dd97 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -1471,11 +1471,24 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
+ int n=0;
+
+ FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL);
++
+ /*
+- rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length);
++ We later alloc length+1, which might wrap around on 32-bit systems if length equals
++ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
++ will safely be allocated since this check will never trigger and malloc() can digest length+1
++ without problems as length is a uint32_t.
++ We also later pass length to rfbReadExact() that expects a signed int type and
++ that might wrap on platforms with a 32-bit int type if length is bigger
++ than 0X7FFFFFFF.
+ */
++ if(length == SIZE_MAX || length > INT_MAX) {
++ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
++ rfbCloseClient(cl);
++ return NULL;
++ }
++
+ if (length>0) {
+- buffer=malloc(length+1);
++ buffer=malloc((size_t)length+1);
+ if (buffer!=NULL) {
+ if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
+ if (n != 0)
+--
+2.17.2
+
diff --git a/SPECS/libvncserver.spec b/SPECS/libvncserver.spec
index 3e8a171..d10a199 100644
--- a/SPECS/libvncserver.spec
+++ b/SPECS/libvncserver.spec
@@ -6,7 +6,7 @@
 Summary: Library to make writing a vnc server easy
 Name: libvncserver
 Version: 0.9.9
-Release: 12%{?dist}
+Release: 13%{?dist}
 # NOTE: --with-tightvnc-filetransfer => GPLv2
 License: GPLv2+
 Group: System Environment/Libraries
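Review bot: The `length == SIZE_MAX` half of the new guard `if(length == SIZE_MAX || length > INT_MAX)` is dead code: `length` is a `uint32_t`, so it can never equal a 64-bit `SIZE_MAX`, and on 32-bit targets a value equal to `SIZE_MAX` already exceeds `INT_MAX`, so `if (length > INT_MAX) {` alone covers both cases the comment describes (the leftover is likely a by-product of squashing the three upstream commits). The replaced `rfbLog` line ended its format string with `\n` while the new `rfbErr(...)` format does not, so unless rfbErr appends a newline the next log line will run straight into this message. The hunk relies on `INT_MAX` and `SIZE_MAX` without adding an include, so the port should be checked against 0.9.9's rfbserver.c for `<limits.h>` and `<stdint.h>` actually being reachable there. The check still lets a client drive a single allocation of up to `INT_MAX` bytes; the spec's Patch11 caps client cut text at 1 MB, and a comparable cap for file transfers would be worth considering. rfbProcessFileTransferReadBuffer continues past the end of this hunk.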
@@ -35,10 +35,17 @@ Patch8: LibVNCServer-0.9.10-CVE-2014-6055.patch
 # after 0.9.9,
 # Patch9: LibVNCServer-0.9.9-libvncserver-sockets.c-do-not-segfault-when-listenSo.patch
-# 1/2 Fix CVE-2018-7225, bug #1548440
+# 1/2 Fix CVE-2018-7225, bug #1548441
 Patch10: libvncserver-0.9.11-Validate-client-cut-text-length.patch
-# 2/2 Fix CVE-2018-7225, bug #1548440
+# 2/2 Fix CVE-2018-7225, bug #1548441
 Patch11: libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
+# Fix CVE-2018-15127 (Heap out-of-bounds write in
+# rfbserver.c:rfbProcessFileTransferReadBuffer()), bug #1662995, upstream bugs
+#
+#
+#
+# fixed in upstream after 0.9.12
+Patch12: libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch
 # upstream name
 Obsoletes: LibVNCServer < 0.9.1
@@ -93,6 +100,7 @@ rm -f common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 # fix encoding
 for file in AUTHORS ChangeLog ; do
@@ -161,8 +169,12 @@ rm -rf %{buildroot}
 %changelog
+* Thu Jan 10 2019 Petr Pisar - 0.9.9-13
+- Fix CVE-2018-15127 (Heap out-of-bounds write in
+ rfbserver.c:rfbProcessFileTransferReadBuffer()) (bug #1662995)
+
 * Mon Feb 26 2018 Petr Pisar - 0.9.9-12
-- Fix CVE-2018-7225 (improper client cut text length sanitization) (bug #1548440)
+- Fix CVE-2018-7225 (improper client cut text length sanitization) (bug #1548441)
 * Fri Sep 15 2017 Petr Pisar - 0.9.9-11
 - Fix a crash in the VNC server library on connecting an IPv4 client if the