diff --git a/SOURCES/libvncserver-0.9.11-CVE-2019-20840.patch b/SOURCES/libvncserver-0.9.11-CVE-2019-20840.patch
new file mode 100644
index 0000000..b32616f
--- /dev/null
+++ b/SOURCES/libvncserver-0.9.11-CVE-2019-20840.patch
@@ -0,0 +1,40 @@
+Backport of:
+From 0cf1400c61850065de590d403f6d49e32882fd76 Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer <eike@sf-mail.de>
+Date: Tue, 28 May 2019 18:30:46 +0200
+Subject: [PATCH] fix crash because of unaligned accesses in
+ hybiReadAndDecode()
+
+[Ubuntu note: patch backported to apply on libvncserver/websockets.c instead of
+libvncserver/ws_decode.c
+ -- Avital]
+
+---
+ libvncserver/ws_decode.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/libvncserver/websockets.c
++++ b/libvncserver/websockets.c
+@@ -880,7 +880,6 @@ hybiReadAndDecode(rfbClientPtr cl, char
+ int bufsize;
+ int nextRead;
+ unsigned char *data;
+- uint32_t *data32;
+ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
+
+ /* if data was carried over, copy to start of buffer */
+@@ -938,10 +937,12 @@ hybiReadAndDecode(rfbClientPtr cl, char
+ /* for a possible base64 decoding, we decode multiples of 4 bytes until
+ * the whole frame is received and carry over any remaining bytes in the carry buf*/
+ data = (unsigned char *)hybiPayloadStart(wsctx);
+- data32= (uint32_t *)data;
+
+ for (i = 0; i < (toDecode >> 2); i++) {
+- data32[i] ^= wsctx->header.mask.u;
++ uint32_t tmp;
++ memcpy(&tmp, data + i * sizeof(tmp), sizeof(tmp));
++ tmp ^= wsctx->header.mask.u;
++ memcpy(data + i * sizeof(tmp), &tmp, sizeof(tmp));
+ }
+ rfbLog("mask decoding; i=%d toDecode=%d\n", i, toDecode);
+
diff --git a/SOURCES/libvncserver-0.9.9-CVE-2017-18922.patch b/SOURCES/libvncserver-0.9.9-CVE-2017-18922.patch
new file mode 100644
index 0000000..1280706
--- /dev/null
+++ b/SOURCES/libvncserver-0.9.9-CVE-2017-18922.patch
@@ -0,0 +1,703 @@
+From 92b5cebffa50577bfa9b192926cfd2210f6881c4 Mon Sep 17 00:00:00 2001
+From: Andreas Weigel <andreaswe@securepoint.de>
+Date: Wed, 15 Feb 2017 12:31:05 +0100
+Subject: [PATCH 3/3] fix overflow and refactor websockets decode (Hybi)
+
+fix critical heap-based buffer overflow which allowed easy modification
+of a return address via an overwritten function pointer
+
+fix bug causing connections to fail due a "one websocket frame = one
+ws_read" assumption, which failed with LibVNCServer-0.9.11
+
+refactor websocket Hybi decode to use a simple state machine for
+decoding of websocket frames
+---
+ libvncserver/websockets.c | 609 +++++++++++++++++++++++++++++---------
+ 1 file changed, 476 insertions(+), 133 deletions(-)
+
+diff --git a/libvncserver/websockets.c b/libvncserver/websockets.c
+index 3c8e99aa..d81b23a8 100644
+--- a/libvncserver/websockets.c
++++ b/libvncserver/websockets.c
+@@ -53,6 +53,9 @@
+
+ #define B64LEN(__x) (((__x + 2) / 3) * 12 / 3)
+ #define WSHLENMAX 14 /* 2 + sizeof(uint64_t) + sizeof(uint32_t) */
++#define WS_HYBI_MASK_LEN 4
++
++#define ARRAYSIZE(a) ((sizeof(a) / sizeof((a[0]))) / (size_t)(!(sizeof(a) % sizeof((a[0])))))
+
+ enum {
+ WEBSOCKETS_VERSION_HIXIE,
+@@ -69,19 +72,19 @@ static int gettid() {
+ typedef int (*wsEncodeFunc)(rfbClientPtr cl, const char *src, int len, char **dst);
+ typedef int (*wsDecodeFunc)(rfbClientPtr cl, char *dst, int len);
+
+-typedef struct ws_ctx_s {
+- char codeBuf[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
+- char readbuf[8192];
+- int readbufstart;
+- int readbuflen;
+- int dblen;
+- char carryBuf[3]; /* For base64 carry-over */
+- int carrylen;
+- int version;
+- int base64;
+- wsEncodeFunc encode;
+- wsDecodeFunc decode;
+-} ws_ctx_t;
++enum {
++ /* header not yet received completely */
++ WS_HYBI_STATE_HEADER_PENDING,
++ /* data available */
++ WS_HYBI_STATE_DATA_AVAILABLE,
++ WS_HYBI_STATE_DATA_NEEDED,
++ /* received a complete frame */
++ WS_HYBI_STATE_FRAME_COMPLETE,
++ /* received part of a 'close' frame */
++ WS_HYBI_STATE_CLOSE_REASON_PENDING,
++ /* */
++ WS_HYBI_STATE_ERR
++};
+
+ typedef union ws_mask_s {
+ char c[4];
+@@ -109,6 +112,38 @@ typedef struct __attribute__ ((__packed__)) ws_header_s {
+ } u;
+ } ws_header_t;
+
++typedef struct ws_header_data_s {
++ ws_header_t *data;
++ /** bytes read */
++ int nRead;
++ /** mask value */
++ ws_mask_t mask;
++ /** length of frame header including payload len, but without mask */
++ int headerLen;
++ /** length of the payload data */
++ int payloadLen;
++ /** opcode */
++ unsigned char opcode;
++} ws_header_data_t;
++
++typedef struct ws_ctx_s {
++ char codeBufDecode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
++ char codeBufEncode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
++ char *writePos;
++ unsigned char *readPos;
++ int readlen;
++ int hybiDecodeState;
++ char carryBuf[3]; /* For base64 carry-over */
++ int carrylen;
++ int version;
++ int base64;
++ ws_header_data_t header;
++ int nReadRaw;
++ int nToRead;
++ wsEncodeFunc encode;
++ wsDecodeFunc decode;
++} ws_ctx_t;
++
+ enum
+ {
+ WS_OPCODE_CONTINUATION = 0x0,
+@@ -164,6 +199,8 @@ static int webSocketsEncodeHixie(rfbClientPtr cl, const char *src, int len, char
+ static int webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len);
+ static int webSocketsDecodeHixie(rfbClientPtr cl, char *dst, int len);
+
++static void hybiDecodeCleanup(ws_ctx_t *wsctx);
++
+ static int
+ min (int a, int b) {
+ return a < b ? a : b;
+@@ -421,10 +458,11 @@ webSocketsHandshake(rfbClientPtr cl, char *scheme)
+ wsctx->decode = webSocketsDecodeHixie;
+ }
+ wsctx->base64 = base64;
++ hybiDecodeCleanup(wsctx);
+ cl->wsctx = (wsCtx *)wsctx;
+ return TRUE;
+ }
+-
++
+ void
+ webSocketsGenMd5(char * target, char *key1, char *key2, char *key3)
+ {
+@@ -616,146 +654,438 @@ webSocketsDecodeHixie(rfbClientPtr cl, char *dst, int len)
+ }
+
+ static int
+-webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len)
++hybiRemaining(ws_ctx_t *wsctx)
+ {
+- char *buf, *payload;
+- uint32_t *payload32;
+- int ret = -1, result = -1;
+- int total = 0;
+- ws_mask_t mask;
+- ws_header_t *header;
+- int i;
+- unsigned char opcode;
+- ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
+- int flength, fhlen;
+- /* int fin; */ /* not used atm */
+-
+- // rfbLog(" <== %s[%d]: %d cl: %p, wsctx: %p-%p (%d)\n", __func__, gettid(), len, cl, wsctx, (char *)wsctx + sizeof(ws_ctx_t), sizeof(ws_ctx_t));
+-
+- if (wsctx->readbuflen) {
+- /* simply return what we have */
+- if (wsctx->readbuflen > len) {
+- memcpy(dst, wsctx->readbuf + wsctx->readbufstart, len);
+- result = len;
+- wsctx->readbuflen -= len;
+- wsctx->readbufstart += len;
+- } else {
+- memcpy(dst, wsctx->readbuf + wsctx->readbufstart, wsctx->readbuflen);
+- result = wsctx->readbuflen;
+- wsctx->readbuflen = 0;
+- wsctx->readbufstart = 0;
+- }
+- goto spor;
+- }
+-
+- buf = wsctx->codeBuf;
+- header = (ws_header_t *)wsctx->codeBuf;
++ return wsctx->nToRead - wsctx->nReadRaw;
++}
+
+- ret = ws_peek(cl, buf, B64LEN(len) + WSHLENMAX);
++static void
++hybiDecodeCleanup(ws_ctx_t *wsctx)
++{
++ wsctx->header.payloadLen = 0;
++ wsctx->header.mask.u = 0;
++ wsctx->nReadRaw = 0;
++ wsctx->nToRead= 0;
++ wsctx->carrylen = 0;
++ wsctx->readPos = (unsigned char *)wsctx->codeBufDecode;
++ wsctx->readlen = 0;
++ wsctx->hybiDecodeState = WS_HYBI_STATE_HEADER_PENDING;
++ wsctx->writePos = NULL;
++ rfbLog("cleaned up wsctx\n");
++}
+
+- if (ret < 2) {
+- /* save errno because rfbErr() will tamper it */
+- if (-1 == ret) {
+- int olderrno = errno;
+- rfbErr("%s: peek; %m\n", __func__);
+- errno = olderrno;
+- } else if (0 == ret) {
+- result = 0;
+- } else {
+- errno = EAGAIN;
+- }
+- goto spor;
++/**
++ * Return payload data that has been decoded/unmasked from
++ * a websocket frame.
++ *
++ * @param[out] dst destination buffer
++ * @param[in] len bytes to copy to destination buffer
++ * @param[in,out] wsctx internal state of decoding procedure
++ * @param[out] number of bytes actually written to dst buffer
++ * @return next hybi decoding state
++ */
++static int
++hybiReturnData(char *dst, int len, ws_ctx_t *wsctx, int *nWritten)
++{
++ int nextState = WS_HYBI_STATE_ERR;
++
++ /* if we have something already decoded copy and return */
++ if (wsctx->readlen > 0) {
++ /* simply return what we have */
++ if (wsctx->readlen > len) {
++ rfbLog("copy to %d bytes to dst buffer; readPos=%p, readLen=%d\n", len, wsctx->readPos, wsctx->readlen);
++ memcpy(dst, wsctx->readPos, len);
++ *nWritten = len;
++ wsctx->readlen -= len;
++ wsctx->readPos += len;
++ nextState = WS_HYBI_STATE_DATA_AVAILABLE;
++ } else {
++ rfbLog("copy to %d bytes to dst buffer; readPos=%p, readLen=%d\n", wsctx->readlen, wsctx->readPos, wsctx->readlen);
++ memcpy(dst, wsctx->readPos, wsctx->readlen);
++ *nWritten = wsctx->readlen;
++ wsctx->readlen = 0;
++ wsctx->readPos = NULL;
++ if (hybiRemaining(wsctx) == 0) {
++ nextState = WS_HYBI_STATE_FRAME_COMPLETE;
++ } else {
++ nextState = WS_HYBI_STATE_DATA_NEEDED;
++ }
+ }
++ rfbLog("after copy: readPos=%p, readLen=%d\n", wsctx->readPos, wsctx->readlen);
++ } else if (wsctx->hybiDecodeState == WS_HYBI_STATE_CLOSE_REASON_PENDING) {
++ nextState = WS_HYBI_STATE_CLOSE_REASON_PENDING;
++ }
++ return nextState;
++}
+
+- opcode = header->b0 & 0x0f;
+- /* fin = (header->b0 & 0x80) >> 7; */ /* not used atm */
+- flength = header->b1 & 0x7f;
+-
+- /*
+- * 4.3. Client-to-Server Masking
+- *
+- * The client MUST mask all frames sent to the server. A server MUST
+- * close the connection upon receiving a frame with the MASK bit set to 0.
+- **/
+- if (!(header->b1 & 0x80)) {
+- rfbErr("%s: got frame without mask\n", __func__, ret);
+- errno = EIO;
+- goto spor;
+- }
+-
+- if (flength < 126) {
+- fhlen = 2;
+- mask = header->m;
+- } else if (flength == 126 && 4 <= ret) {
+- flength = WS_NTOH16(header->l16);
+- fhlen = 4;
+- mask = header->m16;
+- } else if (flength == 127 && 10 <= ret) {
+- flength = WS_NTOH64(header->l64);
+- fhlen = 10;
+- mask = header->m64;
++/**
++ * Read an RFC 6455 websocket frame (IETF hybi working group).
++ *
++ * Internal state is updated according to bytes received and the
++ * decoding of header information.
++ *
++ * @param[in] cl client ptr with ptr to raw socket and ws_ctx_t ptr
++ * @param[out] sockRet emulated recv return value
++ * @return next hybi decoding state; WS_HYBI_STATE_HEADER_PENDING indicates
++ * that the header was not received completely.
++ */
++static int
++hybiReadHeader(rfbClientPtr cl, int *sockRet)
++{
++ int ret;
++ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
++ char *headerDst = wsctx->codeBufDecode + wsctx->nReadRaw;
++ int n = WSHLENMAX - wsctx->nReadRaw;
++
++ rfbLog("header_read to %p with len=%d\n", headerDst, n);
++ ret = ws_read(cl, headerDst, n);
++ rfbLog("read %d bytes from socket\n", ret);
++ if (ret <= 0) {
++ if (-1 == ret) {
++ /* save errno because rfbErr() will tamper it */
++ int olderrno = errno;
++ rfbErr("%s: peek; %m\n", __func__);
++ errno = olderrno;
++ *sockRet = -1;
+ } else {
+- /* Incomplete frame header */
+- rfbErr("%s: incomplete frame header\n", __func__, ret);
+- errno = EIO;
+- goto spor;
++ *sockRet = 0;
+ }
++ return WS_HYBI_STATE_ERR;
++ }
++
++ wsctx->nReadRaw += ret;
++ if (wsctx->nReadRaw < 2) {
++ /* cannot decode header with less than two bytes */
++ errno = EAGAIN;
++ *sockRet = -1;
++ return WS_HYBI_STATE_HEADER_PENDING;
++ }
++
++ /* first two header bytes received; interpret header data and get rest */
++ wsctx->header.data = (ws_header_t *)wsctx->codeBufDecode;
++
++ wsctx->header.opcode = wsctx->header.data->b0 & 0x0f;
++
++ /* fin = (header->b0 & 0x80) >> 7; */ /* not used atm */
++ wsctx->header.payloadLen = wsctx->header.data->b1 & 0x7f;
++ rfbLog("first header bytes received; opcode=%d lenbyte=%d\n", wsctx->header.opcode, wsctx->header.payloadLen);
++
++ /*
++ * 4.3. Client-to-Server Masking
++ *
++ * The client MUST mask all frames sent to the server. A server MUST
++ * close the connection upon receiving a frame with the MASK bit set to 0.
++ **/
++ if (!(wsctx->header.data->b1 & 0x80)) {
++ rfbErr("%s: got frame without mask ret=%d\n", __func__, ret);
++ errno = EIO;
++ *sockRet = -1;
++ return WS_HYBI_STATE_ERR;
++ }
++
++ if (wsctx->header.payloadLen < 126 && wsctx->nReadRaw >= 6) {
++ wsctx->header.headerLen = 2 + WS_HYBI_MASK_LEN;
++ wsctx->header.mask = wsctx->header.data->u.m;
++ } else if (wsctx->header.payloadLen == 126 && 8 <= wsctx->nReadRaw) {
++ wsctx->header.headerLen = 4 + WS_HYBI_MASK_LEN;
++ wsctx->header.payloadLen = WS_NTOH16(wsctx->header.data->u.s16.l16);
++ wsctx->header.mask = wsctx->header.data->u.s16.m16;
++ } else if (wsctx->header.payloadLen == 127 && 14 <= wsctx->nReadRaw) {
++ wsctx->header.headerLen = 10 + WS_HYBI_MASK_LEN;
++ wsctx->header.payloadLen = WS_NTOH64(wsctx->header.data->u.s64.l64);
++ wsctx->header.mask = wsctx->header.data->u.s64.m64;
++ } else {
++ /* Incomplete frame header, try again */
++ rfbErr("%s: incomplete frame header; ret=%d\n", __func__, ret);
++ errno = EAGAIN;
++ *sockRet = -1;
++ return WS_HYBI_STATE_HEADER_PENDING;
++ }
++
++ /* absolute length of frame */
++ wsctx->nToRead = wsctx->header.headerLen + wsctx->header.payloadLen;
++
++ /* set payload pointer just after header */
++ wsctx->writePos = wsctx->codeBufDecode + wsctx->nReadRaw;
++
++ wsctx->readPos = (unsigned char *)(wsctx->codeBufDecode + wsctx->header.headerLen);
++
++ rfbLog("header complete: state=%d flen=%d writeTo=%p\n", wsctx->hybiDecodeState, wsctx->nToRead, wsctx->writePos);
++
++ return WS_HYBI_STATE_DATA_NEEDED;
++}
++
++static int
++hybiWsFrameComplete(ws_ctx_t *wsctx)
++{
++ return wsctx != NULL && hybiRemaining(wsctx) == 0;
++}
+
+- /* absolute length of frame */
+- total = fhlen + flength + 4;
+- payload = buf + fhlen + 4; /* header length + mask */
++static char *
++hybiPayloadStart(ws_ctx_t *wsctx)
++{
++ return wsctx->codeBufDecode + wsctx->header.headerLen;
++}
+
+- if (-1 == (ret = ws_read(cl, buf, total))) {
++/**
++ * Read the remaining payload bytes from associated raw socket.
++ *
++ * - try to read remaining bytes from socket
++ * - unmask all multiples of 4
++ * - if frame incomplete but some bytes are left, these are copied to
++ * the carry buffer
++ * - if opcode is TEXT: Base64-decode all unmasked received bytes
++ * - set state for reading decoded data
++ * - reset write position to begin of buffer (+ header)
++ * --> before we retrieve more data we let the caller clear all bytes
++ * from the reception buffer
++ * - execute return data routine
++ *
++ * Sets errno corresponding to what it gets from the underlying
++ * socket or EIO if some internal sanity check fails.
++ *
++ * @param[in] cl client ptr with raw socket reference
++ * @param[out] dst destination buffer
++ * @param[in] len size of destination buffer
++ * @param[out] sockRet emulated recv return value
++ * @return next hybi decode state
++ */
++static int
++hybiReadAndDecode(rfbClientPtr cl, char *dst, int len, int *sockRet)
++{
++ int n;
++ int i;
++ int toReturn;
++ int toDecode;
++ int bufsize;
++ int nextRead;
++ unsigned char *data;
++ uint32_t *data32;
++ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
++
++ /* if data was carried over, copy to start of buffer */
++ memcpy(wsctx->writePos, wsctx->carryBuf, wsctx->carrylen);
++ wsctx->writePos += wsctx->carrylen;
++
++ /* -1 accounts for potential '\0' terminator for base64 decoding */
++ bufsize = wsctx->codeBufDecode + ARRAYSIZE(wsctx->codeBufDecode) - wsctx->writePos - 1;
++ if (hybiRemaining(wsctx) > bufsize) {
++ nextRead = bufsize;
++ } else {
++ nextRead = hybiRemaining(wsctx);
++ }
++
++ rfbLog("calling read with buf=%p and len=%d (decodebuf=%p headerLen=%d\n)", wsctx->writePos, nextRead, wsctx->codeBufDecode, wsctx->header.headerLen);
++
++ if (wsctx->nReadRaw < wsctx->nToRead) {
++ /* decode more data */
++ if (-1 == (n = ws_read(cl, wsctx->writePos, nextRead))) {
+ int olderrno = errno;
+ rfbErr("%s: read; %m", __func__);
+ errno = olderrno;
+- return ret;
+- } else if (ret < total) {
+- /* GT TODO: hmm? */
+- rfbLog("%s: read; got partial data\n", __func__);
+- } else {
+- buf[ret] = '\0';
++ *sockRet = -1;
++ return WS_HYBI_STATE_ERR;
++ } else if (n == 0) {
++ *sockRet = 0;
++ return WS_HYBI_STATE_ERR;
+ }
+-
+- /* process 1 frame (32 bit op) */
+- payload32 = (uint32_t *)payload;
+- for (i = 0; i < flength / 4; i++) {
+- payload32[i] ^= mask.u;
++ wsctx->nReadRaw += n;
++ rfbLog("read %d bytes from socket; nRead=%d\n", n, wsctx->nReadRaw);
++ } else {
++ n = 0;
++ }
++
++ wsctx->writePos += n;
++
++ if (wsctx->nReadRaw >= wsctx->nToRead) {
++ if (wsctx->nReadRaw > wsctx->nToRead) {
++ rfbErr("%s: internal error, read past websocket frame", __func__);
++ errno=EIO;
++ *sockRet = -1;
++ return WS_HYBI_STATE_ERR;
+ }
++ }
++
++ toDecode = wsctx->writePos - hybiPayloadStart(wsctx);
++ rfbLog("toDecode=%d from n=%d carrylen=%d headerLen=%d\n", toDecode, n, wsctx->carrylen, wsctx->header.headerLen);
++ if (toDecode < 0) {
++ rfbErr("%s: internal error; negative number of bytes to decode: %d", __func__, toDecode);
++ errno=EIO;
++ *sockRet = -1;
++ return WS_HYBI_STATE_ERR;
++ }
++
++ /* for a possible base64 decoding, we decode multiples of 4 bytes until
++ * the whole frame is received and carry over any remaining bytes in the carry buf*/
++ data = (unsigned char *)hybiPayloadStart(wsctx);
++ data32= (uint32_t *)data;
++
++ for (i = 0; i < (toDecode >> 2); i++) {
++ data32[i] ^= wsctx->header.mask.u;
++ }
++ rfbLog("mask decoding; i=%d toDecode=%d\n", i, toDecode);
++
++ if (wsctx->hybiDecodeState == WS_HYBI_STATE_FRAME_COMPLETE) {
+ /* process the remaining bytes (if any) */
+- for (i*=4; i < flength; i++) {
+- payload[i] ^= mask.c[i % 4];
+- }
+-
+- switch (opcode) {
+- case WS_OPCODE_CLOSE:
+- rfbLog("got closure, reason %d\n", WS_NTOH16(((uint16_t *)payload)[0]));
+- errno = ECONNRESET;
+- break;
+- case WS_OPCODE_TEXT_FRAME:
+- if (-1 == (flength = __b64_pton(payload, (unsigned char *)wsctx->codeBuf, sizeof(wsctx->codeBuf)))) {
+- rfbErr("%s: Base64 decode error; %m\n", __func__);
+- break;
+- }
+- payload = wsctx->codeBuf;
+- /* fall through */
+- case WS_OPCODE_BINARY_FRAME:
+- if (flength > len) {
+- memcpy(wsctx->readbuf, payload + len, flength - len);
+- wsctx->readbufstart = 0;
+- wsctx->readbuflen = flength - len;
+- flength = len;
+- }
+- memcpy(dst, payload, flength);
+- result = flength;
+- break;
++ for (i*=4; i < toDecode; i++) {
++ data[i] ^= wsctx->header.mask.c[i % 4];
++ }
++
++ /* all data is here, no carrying */
++ wsctx->carrylen = 0;
++ } else {
++ /* carry over remaining, non-multiple-of-four bytes */
++ wsctx->carrylen = toDecode - (i * 4);
++ if (wsctx->carrylen < 0 || wsctx->carrylen > ARRAYSIZE(wsctx->carryBuf)) {
++ rfbErr("%s: internal error, invalid carry over size: carrylen=%d, toDecode=%d, i=%d", __func__, wsctx->carrylen, toDecode, i);
++ *sockRet = -1;
++ errno = EIO;
++ return WS_HYBI_STATE_ERR;
++ }
++ rfbLog("carrying over %d bytes from %p to %p\n", wsctx->carrylen, wsctx->writePos + (i * 4), wsctx->carryBuf);
++ memcpy(wsctx->carryBuf, data + (i * 4), wsctx->carrylen);
++ }
++
++ toReturn = toDecode - wsctx->carrylen;
++
++ switch (wsctx->header.opcode) {
++ case WS_OPCODE_CLOSE:
++
++ /* this data is not returned as payload data */
++ if (hybiWsFrameComplete(wsctx)) {
++ rfbLog("got closure, reason %d\n", WS_NTOH16(((uint16_t *)data)[0]));
++ errno = ECONNRESET;
++ *sockRet = -1;
++ return WS_HYBI_STATE_FRAME_COMPLETE;
++ } else {
++ rfbErr("%s: close reason with long frame not supported", __func__);
++ errno = EIO;
++ *sockRet = -1;
++ return WS_HYBI_STATE_ERR;
++ }
++ break;
++ case WS_OPCODE_TEXT_FRAME:
++ data[toReturn] = '\0';
++ rfbLog("Initiate Base64 decoding in %p with max size %d and '\\0' at %p\n", data, bufsize, data + toReturn);
++ if (-1 == (wsctx->readlen = b64_pton((char *)data, data, bufsize))) {
++ rfbErr("Base64 decode error in %s; data=%p bufsize=%d", __func__, data, bufsize);
++ rfbErr("%s: Base64 decode error; %m\n", __func__);
++ }
++ wsctx->writePos = hybiPayloadStart(wsctx);
++ break;
++ case WS_OPCODE_BINARY_FRAME:
++ wsctx->readlen = toReturn;
++ wsctx->writePos = hybiPayloadStart(wsctx);
++ break;
++ default:
++ rfbErr("%s: unhandled opcode %d, b0: %02x, b1: %02x\n", __func__, (int)wsctx->header.opcode, wsctx->header.data->b0, wsctx->header.data->b1);
++ }
++ wsctx->readPos = data;
++
++ return hybiReturnData(dst, len, wsctx, sockRet);
++}
++
++/**
++ * Read function for websocket-socket emulation.
++ *
++ * 0 1 2 3
++ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++ * +-+-+-+-+-------+-+-------------+-------------------------------+
++ * |F|R|R|R| opcode|M| Payload len | Extended payload length |
++ * |I|S|S|S| (4) |A| (7) | (16/64) |
++ * |N|V|V|V| |S| | (if payload len==126/127) |
++ * | |1|2|3| |K| | |
++ * +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
++ * | Extended payload length continued, if payload len == 127 |
++ * + - - - - - - - - - - - - - - - +-------------------------------+
++ * | |Masking-key, if MASK set to 1 |
++ * +-------------------------------+-------------------------------+
++ * | Masking-key (continued) | Payload Data |
++ * +-------------------------------- - - - - - - - - - - - - - - - +
++ * : Payload Data continued ... :
++ * + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
++ * | Payload Data continued ... |
++ * +---------------------------------------------------------------+
++ *
++ * Using the decode buffer, this function:
++ * - reads the complete header from the underlying socket
++ * - reads any remaining data bytes
++ * - unmasks the payload data using the provided mask
++ * - decodes Base64 encoded text data
++ * - copies len bytes of decoded payload data into dst
++ *
++ * Emulates a read call on a socket.
++ */
++static int
++webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len)
++{
++ int result = -1;
++ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
++ /* int fin; */ /* not used atm */
++
++ /* rfbLog(" <== %s[%d]: %d cl: %p, wsctx: %p-%p (%d)\n", __func__, gettid(), len, cl, wsctx, (char *)wsctx + sizeof(ws_ctx_t), sizeof(ws_ctx_t)); */
++ rfbLog("%s_enter: len=%d; "
++ "CTX: readlen=%d readPos=%p "
++ "writeTo=%p "
++ "state=%d toRead=%d remaining=%d "
++ " nReadRaw=%d carrylen=%d carryBuf=%p\n",
++ __func__, len,
++ wsctx->readlen, wsctx->readPos,
++ wsctx->writePos,
++ wsctx->hybiDecodeState, wsctx->nToRead, hybiRemaining(wsctx),
++ wsctx->nReadRaw, wsctx->carrylen, wsctx->carryBuf);
++
++ switch (wsctx->hybiDecodeState){
++ case WS_HYBI_STATE_HEADER_PENDING:
++ wsctx->hybiDecodeState = hybiReadHeader(cl, &result);
++ if (wsctx->hybiDecodeState == WS_HYBI_STATE_ERR) {
++ goto spor;
++ }
++ if (wsctx->hybiDecodeState != WS_HYBI_STATE_HEADER_PENDING) {
++
++ /* when header is complete, try to read some more data */
++ wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result);
++ }
++ break;
++ case WS_HYBI_STATE_DATA_AVAILABLE:
++ wsctx->hybiDecodeState = hybiReturnData(dst, len, wsctx, &result);
++ break;
++ case WS_HYBI_STATE_DATA_NEEDED:
++ wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result);
++ break;
++ case WS_HYBI_STATE_CLOSE_REASON_PENDING:
++ wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result);
++ break;
+ default:
+- rfbErr("%s: unhandled opcode %d, b0: %02x, b1: %02x\n", __func__, (int)opcode, header->b0, header->b1);
++ /* invalid state */
++ rfbErr("%s: called with invalid state %d\n", wsctx->hybiDecodeState);
++ result = -1;
++ errno = EIO;
++ wsctx->hybiDecodeState = WS_HYBI_STATE_ERR;
+ }
+
+ /* single point of return, if someone has questions :-) */
+ spor:
+ /* rfbLog("%s: ret: %d/%d\n", __func__, result, len); */
++ if (wsctx->hybiDecodeState == WS_HYBI_STATE_FRAME_COMPLETE) {
++ rfbLog("frame received successfully, cleaning up: read=%d hlen=%d plen=%d\n", wsctx->header.nRead, wsctx->header.headerLen, wsctx->header.payloadLen);
++ /* frame finished, cleanup state */
++ hybiDecodeCleanup(wsctx);
++ } else if (wsctx->hybiDecodeState == WS_HYBI_STATE_ERR) {
++ hybiDecodeCleanup(wsctx);
++ }
++ rfbLog("%s_exit: len=%d; "
++ "CTX: readlen=%d readPos=%p "
++ "writePos=%p "
++ "state=%d toRead=%d remaining=%d "
++ "nRead=%d carrylen=%d carryBuf=%p "
++ "result=%d\n",
++ __func__, len,
++ wsctx->readlen, wsctx->readPos,
++ wsctx->writePos,
++ wsctx->hybiDecodeState, wsctx->nToRead, hybiRemaining(wsctx),
++ wsctx->nReadRaw, wsctx->carrylen, wsctx->carryBuf,
++ result);
+ return result;
+ }
+
+@@ -896,3 +1226,16 @@ webSocketCheckDisconnect(rfbClientPtr cl)
+ return FALSE;
+ }
+
++/* returns TRUE if there is data waiting to be read in our internal buffer
++ * or if is there any pending data in the buffer of the SSL implementation
++ */
++rfbBool
++webSocketsHasDataInBuffer(rfbClientPtr cl)
++{
++ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
++
++ if (wsctx && wsctx->readlen)
++ return TRUE;
++
++ return (cl->sslctx && rfbssl_pending(cl) > 0);
++}
+--
+2.26.2
+
diff --git a/SOURCES/libvncserver-0.9.9-Work-around-a-gcc-bug-with-anonymous-structs-and-uni.patch b/SOURCES/libvncserver-0.9.9-Work-around-a-gcc-bug-with-anonymous-structs-and-uni.patch
new file mode 100644
index 0000000..95d7f16
--- /dev/null
+++ b/SOURCES/libvncserver-0.9.9-Work-around-a-gcc-bug-with-anonymous-structs-and-uni.patch
@@ -0,0 +1,66 @@
+From a6e141517b86a866feba4d472ead02a9df569a9e Mon Sep 17 00:00:00 2001
+From: Raphael Kubo da Costa <rakuco@FreeBSD.org>
+Date: Tue, 11 Sep 2012 22:50:18 +0300
+Subject: [PATCH 1/3] Work around a gcc bug with anonymous structs and unions.
+
+GCC < 4.6 failed to parse the declaration of ws_header_t correctly because
+it did not accept anonymous structs and unions. [1]
+
+Work around the bug by adding names to the unions and structs. Ugly, but
+works.
+
+[1] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=4784
+---
+ libvncserver/websockets.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/libvncserver/websockets.c b/libvncserver/websockets.c
+index 8cd96d38..937f6d4d 100644
+--- a/libvncserver/websockets.c
++++ b/libvncserver/websockets.c
+@@ -88,6 +88,11 @@ typedef union ws_mask_s {
+ uint32_t u;
+ } ws_mask_t;
+
++/* XXX: The union and the structs do not need to be named.
++ * We are working around a bug present in GCC < 4.6 which prevented
++ * it from recognizing anonymous structs and unions.
++ * See http://gcc.gnu.org/bugzilla/show_bug.cgi?id=4784
++ */
+ typedef struct __attribute__ ((__packed__)) ws_header_s {
+ unsigned char b0;
+ unsigned char b1;
+@@ -95,13 +100,13 @@ typedef struct __attribute__ ((__packed__)) ws_header_s {
+ struct __attribute__ ((__packed__)) {
+ uint16_t l16;
+ ws_mask_t m16;
+- };
++ } s16;
+ struct __attribute__ ((__packed__)) {
+ uint64_t l64;
+ ws_mask_t m64;
+- };
++ } s64;
+ ws_mask_t m;
+- };
++ } u;
+ } ws_header_t;
+
+ enum
+@@ -792,11 +797,11 @@ webSocketsEncodeHybi(rfbClientPtr cl, const char *src, int len, char **dst)
+ sz = 2;
+ } else if (blen <= 65536) {
+ header->b1 = 0x7e;
+- header->l16 = WS_HTON16((uint16_t)blen);
++ header->u.s16.l16 = WS_HTON16((uint16_t)blen);
+ sz = 4;
+ } else {
+ header->b1 = 0x7f;
+- header->l64 = WS_HTON64(blen);
++ header->u.s64.l64 = WS_HTON64(blen);
+ sz = 10;
+ }
+
+--
+2.26.2
+
diff --git a/SOURCES/libvncserver-0.9.9-fix-for-issue-81.patch b/SOURCES/libvncserver-0.9.9-fix-for-issue-81.patch
new file mode 100644
index 0000000..c8cd461
--- /dev/null
+++ b/SOURCES/libvncserver-0.9.9-fix-for-issue-81.patch
@@ -0,0 +1,79 @@
+From 93fd4bc18a81a568f3329ee2aa22390ef75b05ed Mon Sep 17 00:00:00 2001
+From: plettix <plettix@gmail.com>
+Date: Tue, 7 Jul 2015 10:32:16 +0200
+Subject: [PATCH 2/3] fix for issue 81 use different buffers for decode and
+ encode
+
+---
+ libvncserver/websockets.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/libvncserver/websockets.c b/libvncserver/websockets.c
+index 937f6d4d..3c8e99aa 100644
+--- a/libvncserver/websockets.c
++++ b/libvncserver/websockets.c
+@@ -481,15 +481,15 @@ webSocketsEncodeHixie(rfbClientPtr cl, const char *src, int len, char **dst)
+ int sz = 0;
+ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
+
+- wsctx->codeBuf[sz++] = '\x00';
+- len = __b64_ntop((unsigned char *)src, len, wsctx->codeBuf+sz, sizeof(wsctx->codeBuf) - (sz + 1));
++ wsctx->codeBufEncode[sz++] = '\x00';
++ len = __b64_ntop((unsigned char *)src, len, wsctx->codeBufEncode+sz, sizeof(wsctx->codeBufEncode) - (sz + 1));
+ if (len < 0) {
+ return len;
+ }
+ sz += len;
+
+- wsctx->codeBuf[sz++] = '\xff';
+- *dst = wsctx->codeBuf;
++ wsctx->codeBufEncode[sz++] = '\xff';
++ *dst = wsctx->codeBufEncode;
+ return sz;
+ }
+
+@@ -527,7 +527,7 @@ webSocketsDecodeHixie(rfbClientPtr cl, char *dst, int len)
+ char *buf, *end = NULL;
+ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
+
+- buf = wsctx->codeBuf;
++ buf = wsctx->codeBufDecode;
+
+ n = ws_peek(cl, buf, len*2+2);
+
+@@ -781,7 +781,7 @@ webSocketsEncodeHybi(rfbClientPtr cl, const char *src, int len, char **dst)
+ return 0;
+ }
+
+- header = (ws_header_t *)wsctx->codeBuf;
++ header = (ws_header_t *)wsctx->codeBufEncode;
+
+ if (wsctx->base64) {
+ opcode = WS_OPCODE_TEXT_FRAME;
+@@ -806,7 +806,7 @@ webSocketsEncodeHybi(rfbClientPtr cl, const char *src, int len, char **dst)
+ }
+
+ if (wsctx->base64) {
+- if (-1 == (ret = __b64_ntop((unsigned char *)src, len, wsctx->codeBuf + sz, sizeof(wsctx->codeBuf) - sz))) {
++ if (-1 == (ret = __b64_ntop((unsigned char *)src, len, wsctx->codeBufEncode + sz, sizeof(wsctx->codeBufEncode) - sz))) {
+ rfbErr("%s: Base 64 encode failed\n", __func__);
+ } else {
+ if (ret != blen)
+@@ -814,11 +814,12 @@ webSocketsEncodeHybi(rfbClientPtr cl, const char *src, int len, char **dst)
+ ret += sz;
+ }
+ } else {
+- memcpy(wsctx->codeBuf + sz, src, len);
++ memcpy(wsctx->codeBufEncode + sz, src, len);
+ ret = sz + len;
+ }
+
+- *dst = wsctx->codeBuf;
++ *dst = wsctx->codeBufEncode;
++
+ return ret;
+ }
+
+--
+2.26.2
+
diff --git a/SPECS/libvncserver.spec b/SPECS/libvncserver.spec
index 2d89e5f..a4ab743 100644
--- a/SPECS/libvncserver.spec
+++ b/SPECS/libvncserver.spec
@@ -6,7 +6,7 @@
Summary: Library to make writing a vnc server easy
Name: libvncserver
Version: 0.9.9
-Release: 14%{?dist}
+Release: 14%{?dist}.1
# NOTE: --with-tightvnc-filetransfer => GPLv2
License: GPLv2+
Group: System Environment/Libraries
@@ -47,9 +47,17 @@ Patch11: libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
# fixed in upstream after 0.9.12
Patch12: libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch
# Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client),
-# bug #1814339, <https://github.com/LibVNC/libvncserver/issues/275>,
+# bug #1814745, <https://github.com/LibVNC/libvncserver/issues/275>,
# in upstream after 0.9.12
Patch13: libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch
+# https://github.com/LibVNC/libvncserver/commit/8f544bd276fcabc52d3816fb0814229805c8d198
+Patch14: libvncserver-0.9.9-Work-around-a-gcc-bug-with-anonymous-structs-and-uni.patch
+# https://github.com/LibVNC/libvncserver/issues/81
+Patch15: libvncserver-0.9.9-fix-for-issue-81.patch
+# https://github.com/LibVNC/libvncserver/commit/aac95a9dcf4bbba87b76c72706c3221a842ca433
+Patch16: libvncserver-0.9.9-CVE-2017-18922.patch
+# https://github.com/LibVNC/libvncserver/pull/308
+Patch17: libvncserver-0.9.11-CVE-2019-20840.patch
# upstream name
Obsoletes: LibVNCServer < 0.9.1
@@ -106,6 +114,10 @@ rm -f common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c
%patch11 -p1
%patch12 -p1
%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
# fix encoding
for file in AUTHORS ChangeLog ; do
@@ -174,9 +186,13 @@ rm -rf %{buildroot}
%changelog
+* Wed Jul 29 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 0.9.9-14.1
+- Fix CVE-2017-18922
+ Resolves: #1852509
+
* Wed Mar 18 2020 Petr Pisar <ppisar@redhat.com> - 0.9.9-14
- Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client)
- (bug #1814339)
+ (bug #1814745)
* Thu Jan 10 2019 Petr Pisar <ppisar@redhat.com> - 0.9.9-13
- Fix CVE-2018-15127 (Heap out-of-bounds write in