diff --git a/SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch b/SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch new file mode 100644 index 0000000..3140fcb --- /dev/null +++ b/SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch @@ -0,0 +1,82 @@ +From d9a832a2edbf95d664b07791f77a22ac3dfb95f5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Thu, 10 Jan 2019 12:11:04 +0100 +Subject: [PATCH] Fix CVE-2018-15127 (Heap out-of-bounds write in + rfbserver.c:rfbProcessFileTransferReadBuffer()) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch contains the following three upstream patches squashed +together and ported to 0.9.11 version: + + commit 502821828ed00b4a2c4bef90683d0fd88ce495de + Author: Christian Beier + Date: Sun Oct 21 20:21:30 2018 +0200 + + LibVNCServer: fix heap out-of-bound write access + + Closes #243 + + commit 15bb719c03cc70f14c36a843dcb16ed69b405707 + Author: Christian Beier + Date: Sun Jan 6 15:13:56 2019 +0100 + + Error out in rfbProcessFileTransferReadBuffer if length can not be allocated + + re #273 + + commit 09e8fc02f59f16e2583b34fe1a270c238bd9ffec + Author: Petr Písař + Date: Mon Jan 7 10:40:01 2019 +0100 + + Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer() + + This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap + out-of-bound write access in rfbProcessFileTransferReadBuffer() when + reading a transfered file content in a server. The former fix did not + work on platforms with a 32-bit int type (expected by rfbReadExact()). + + CVE-2018-15127 + + + +Signed-off-by: Petr Písař +--- + libvncserver/rfbserver.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index b50a7f4..1b4dd97 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -1471,11 +1471,24 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length) + int n=0; + + FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL); ++ + /* +- rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length); ++ We later alloc length+1, which might wrap around on 32-bit systems if length equals ++ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF ++ will safely be allocated since this check will never trigger and malloc() can digest length+1 ++ without problems as length is a uint32_t. ++ We also later pass length to rfbReadExact() that expects a signed int type and ++ that might wrap on platforms with a 32-bit int type if length is bigger ++ than 0X7FFFFFFF. + */ ++ if(length == SIZE_MAX || length > INT_MAX) { ++ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); ++ rfbCloseClient(cl); ++ return NULL; ++ } ++ + if (length>0) { +- buffer=malloc(length+1); ++ buffer=malloc((size_t)length+1); + if (buffer!=NULL) { + if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) { + if (n != 0) +-- +2.17.2 + diff --git a/SOURCES/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch b/SOURCES/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch new file mode 100644 index 0000000..2a71f7f --- /dev/null +++ b/SOURCES/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch @@ -0,0 +1,40 @@ +From e7d578afbb16592ccee8f13aedd65b2220e220ae Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Tue, 6 Mar 2018 11:58:02 +0100 +Subject: [PATCH] Limit client cut text length to 1 MB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch constrains client text length to 1 MB. Otherwise a client +could make server allocate 2 GB of memory and that seems to be to much +to classify it as denial of service. + +I keep the previous checks for maximal type values intentionally as +a course of defensive coding. (You cannot never know how small the +types are. And as a warning for people patching out this change not to +introduce CVE-2018-7225 again.) + +Signed-off-by: Petr Písař +--- + libvncserver/rfbserver.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index a9561fc..0027343 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -2587,7 +2587,9 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) + * argument. Here we check that the value fits into all of them to + * prevent from misinterpretation and thus from accessing uninitialized + * memory. CVE-2018-7225 */ +- if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { ++ /* But first to prevent from a denial-of-service by allocating to much ++ * memory in the server, we impose a limit of 1 MB. */ ++ if (msg.cct.length > 1<<20 || msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { + rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", + msg.cct.length); + rfbCloseClient(cl); +-- +2.13.6 + diff --git a/SOURCES/libvncserver-0.9.11-Validate-client-cut-text-length.patch b/SOURCES/libvncserver-0.9.11-Validate-client-cut-text-length.patch new file mode 100644 index 0000000..dc89cdf --- /dev/null +++ b/SOURCES/libvncserver-0.9.11-Validate-client-cut-text-length.patch @@ -0,0 +1,76 @@ +From 0073e4f694d5a51bb72ff12a5e8364b6e752e094 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 26 Feb 2018 13:48:00 +0100 +Subject: [PATCH] Validate client cut text length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Client-provided unsigned 32-bit cut text length is passed to various +functions that expects argument of a different type. + +E.g. "RFB 003.003\n\001\006\0\0\0\xff\xff\xff\xff" string sent to the +RFB server leads to 4294967295 msg.cct.length value that in turn is +interpreted as -1 by rfbReadExact() and thus uninitialized str buffer +with potentially sensitive data is passed to subsequent functions. + +This patch fixes it by checking for a maximal value that still can be +processed correctly. It also corrects accepting length value of zero +(malloc(0) is interpreted on differnet systems differently). + +Whether a client can make the server allocate up to 2 GB and cause +a denial of service on memory-tight systems is kept without answer. +A possible solution would be adding an arbitrary memory limit that is +deemed safe. + +CVE-2018-7225 + + +Signed-off-by: Petr Písař +--- + libvncserver/rfbserver.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 116c488..a9561fc 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -88,6 +88,12 @@ + #include + /* strftime() */ + #include ++/* SIZE_MAX */ ++#include ++/* PRIu32 */ ++#include ++/* INT_MAX */ ++#include + + #ifdef LIBVNCSERVER_WITH_WEBSOCKETS + #include "rfbssl.h" +@@ -2575,7 +2581,21 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) + + msg.cct.length = Swap32IfLE(msg.cct.length); + +- str = (char *)malloc(msg.cct.length); ++ /* uint32_t input is passed to malloc()'s size_t argument, ++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int ++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int ++ * argument. Here we check that the value fits into all of them to ++ * prevent from misinterpretation and thus from accessing uninitialized ++ * memory. CVE-2018-7225 */ ++ if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { ++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", ++ msg.cct.length); ++ rfbCloseClient(cl); ++ return; ++ } ++ ++ /* Allow zero-length client cut text. */ ++ str = (char *)malloc(msg.cct.length ? msg.cct.length : 1); + if (str == NULL) { + rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); + rfbCloseClient(cl); +-- +2.13.6 + diff --git a/SPECS/libvncserver.spec b/SPECS/libvncserver.spec index 8a16a75..d10a199 100644 --- a/SPECS/libvncserver.spec +++ b/SPECS/libvncserver.spec @@ -6,7 +6,7 @@ Summary: Library to make writing a vnc server easy Name: libvncserver Version: 0.9.9 -Release: 11%{?dist} +Release: 13%{?dist} # NOTE: --with-tightvnc-filetransfer => GPLv2 License: GPLv2+ Group: System Environment/Libraries @@ -35,6 +35,17 @@ Patch8: LibVNCServer-0.9.10-CVE-2014-6055.patch # after 0.9.9, # Patch9: LibVNCServer-0.9.9-libvncserver-sockets.c-do-not-segfault-when-listenSo.patch +# 1/2 Fix CVE-2018-7225, bug #1548441 +Patch10: libvncserver-0.9.11-Validate-client-cut-text-length.patch +# 2/2 Fix CVE-2018-7225, bug #1548441 +Patch11: libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch +# Fix CVE-2018-15127 (Heap out-of-bounds write in +# rfbserver.c:rfbProcessFileTransferReadBuffer()), bug #1662995, upstream bugs +# +# +# +# fixed in upstream after 0.9.12 +Patch12: libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch # upstream name Obsoletes: LibVNCServer < 0.9.1 @@ -87,6 +98,9 @@ rm -f common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 # fix encoding for file in AUTHORS ChangeLog ; do @@ -155,6 +169,13 @@ rm -rf %{buildroot} %changelog +* Thu Jan 10 2019 Petr Pisar - 0.9.9-13 +- Fix CVE-2018-15127 (Heap out-of-bounds write in + rfbserver.c:rfbProcessFileTransferReadBuffer()) (bug #1662995) + +* Mon Feb 26 2018 Petr Pisar - 0.9.9-12 +- Fix CVE-2018-7225 (improper client cut text length sanitization) (bug #1548441) + * Fri Sep 15 2017 Petr Pisar - 0.9.9-11 - Fix a crash in the VNC server library on connecting an IPv4 client if the server could not start listening on an IPv6 socket (bug #1314814)