diff --git a/SOURCES/libvncserver-0.9.11-CVE-2019-20840.patch b/SOURCES/libvncserver-0.9.11-CVE-2019-20840.patch new file mode 100644 index 0000000..b32616f --- /dev/null +++ b/SOURCES/libvncserver-0.9.11-CVE-2019-20840.patch @@ -0,0 +1,40 @@ +Backport of: +From 0cf1400c61850065de590d403f6d49e32882fd76 Mon Sep 17 00:00:00 2001 +From: Rolf Eike Beer +Date: Tue, 28 May 2019 18:30:46 +0200 +Subject: [PATCH] fix crash because of unaligned accesses in + hybiReadAndDecode() + +[Ubuntu note: patch backported to apply on libvncserver/websockets.c instead of +libvncserver/ws_decode.c + -- Avital] + +--- + libvncserver/ws_decode.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/libvncserver/websockets.c ++++ b/libvncserver/websockets.c +@@ -880,7 +880,6 @@ hybiReadAndDecode(rfbClientPtr cl, char + int bufsize; + int nextRead; + unsigned char *data; +- uint32_t *data32; + ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx; + + /* if data was carried over, copy to start of buffer */ +@@ -938,10 +937,12 @@ hybiReadAndDecode(rfbClientPtr cl, char + /* for a possible base64 decoding, we decode multiples of 4 bytes until + * the whole frame is received and carry over any remaining bytes in the carry buf*/ + data = (unsigned char *)hybiPayloadStart(wsctx); +- data32= (uint32_t *)data; + + for (i = 0; i < (toDecode >> 2); i++) { +- data32[i] ^= wsctx->header.mask.u; ++ uint32_t tmp; ++ memcpy(&tmp, data + i * sizeof(tmp), sizeof(tmp)); ++ tmp ^= wsctx->header.mask.u; ++ memcpy(data + i * sizeof(tmp), &tmp, sizeof(tmp)); + } + rfbLog("mask decoding; i=%d toDecode=%d\n", i, toDecode); + diff --git a/SOURCES/libvncserver-0.9.9-CVE-2017-18922.patch b/SOURCES/libvncserver-0.9.9-CVE-2017-18922.patch new file mode 100644 index 0000000..1280706 --- /dev/null +++ b/SOURCES/libvncserver-0.9.9-CVE-2017-18922.patch @@ -0,0 +1,703 @@ +From 92b5cebffa50577bfa9b192926cfd2210f6881c4 Mon Sep 17 00:00:00 2001 +From: Andreas Weigel +Date: Wed, 15 Feb 2017 12:31:05 +0100 +Subject: [PATCH 3/3] fix overflow and refactor websockets decode (Hybi) + +fix critical heap-based buffer overflow which allowed easy modification +of a return address via an overwritten function pointer + +fix bug causing connections to fail due a "one websocket frame = one +ws_read" assumption, which failed with LibVNCServer-0.9.11 + +refactor websocket Hybi decode to use a simple state machine for +decoding of websocket frames +--- + libvncserver/websockets.c | 609 +++++++++++++++++++++++++++++--------- + 1 file changed, 476 insertions(+), 133 deletions(-) + +diff --git a/libvncserver/websockets.c b/libvncserver/websockets.c +index 3c8e99aa..d81b23a8 100644 +--- a/libvncserver/websockets.c ++++ b/libvncserver/websockets.c +@@ -53,6 +53,9 @@ + + #define B64LEN(__x) (((__x + 2) / 3) * 12 / 3) + #define WSHLENMAX 14 /* 2 + sizeof(uint64_t) + sizeof(uint32_t) */ ++#define WS_HYBI_MASK_LEN 4 ++ ++#define ARRAYSIZE(a) ((sizeof(a) / sizeof((a[0]))) / (size_t)(!(sizeof(a) % sizeof((a[0]))))) + + enum { + WEBSOCKETS_VERSION_HIXIE, +@@ -69,19 +72,19 @@ static int gettid() { + typedef int (*wsEncodeFunc)(rfbClientPtr cl, const char *src, int len, char **dst); + typedef int (*wsDecodeFunc)(rfbClientPtr cl, char *dst, int len); + +-typedef struct ws_ctx_s { +- char codeBuf[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */ +- char readbuf[8192]; +- int readbufstart; +- int readbuflen; +- int dblen; +- char carryBuf[3]; /* For base64 carry-over */ +- int carrylen; +- int version; +- int base64; +- wsEncodeFunc encode; +- wsDecodeFunc decode; +-} ws_ctx_t; ++enum { ++ /* header not yet received completely */ ++ WS_HYBI_STATE_HEADER_PENDING, ++ /* data available */ ++ WS_HYBI_STATE_DATA_AVAILABLE, ++ WS_HYBI_STATE_DATA_NEEDED, ++ /* received a complete frame */ ++ WS_HYBI_STATE_FRAME_COMPLETE, ++ /* received part of a 'close' frame */ ++ WS_HYBI_STATE_CLOSE_REASON_PENDING, ++ /* */ ++ WS_HYBI_STATE_ERR ++}; + + typedef union ws_mask_s { + char c[4]; +@@ -109,6 +112,38 @@ typedef struct __attribute__ ((__packed__)) ws_header_s { + } u; + } ws_header_t; + ++typedef struct ws_header_data_s { ++ ws_header_t *data; ++ /** bytes read */ ++ int nRead; ++ /** mask value */ ++ ws_mask_t mask; ++ /** length of frame header including payload len, but without mask */ ++ int headerLen; ++ /** length of the payload data */ ++ int payloadLen; ++ /** opcode */ ++ unsigned char opcode; ++} ws_header_data_t; ++ ++typedef struct ws_ctx_s { ++ char codeBufDecode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */ ++ char codeBufEncode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */ ++ char *writePos; ++ unsigned char *readPos; ++ int readlen; ++ int hybiDecodeState; ++ char carryBuf[3]; /* For base64 carry-over */ ++ int carrylen; ++ int version; ++ int base64; ++ ws_header_data_t header; ++ int nReadRaw; ++ int nToRead; ++ wsEncodeFunc encode; ++ wsDecodeFunc decode; ++} ws_ctx_t; ++ + enum + { + WS_OPCODE_CONTINUATION = 0x0, +@@ -164,6 +199,8 @@ static int webSocketsEncodeHixie(rfbClientPtr cl, const char *src, int len, char + static int webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len); + static int webSocketsDecodeHixie(rfbClientPtr cl, char *dst, int len); + ++static void hybiDecodeCleanup(ws_ctx_t *wsctx); ++ + static int + min (int a, int b) { + return a < b ? a : b; +@@ -421,10 +458,11 @@ webSocketsHandshake(rfbClientPtr cl, char *scheme) + wsctx->decode = webSocketsDecodeHixie; + } + wsctx->base64 = base64; ++ hybiDecodeCleanup(wsctx); + cl->wsctx = (wsCtx *)wsctx; + return TRUE; + } +- ++ + void + webSocketsGenMd5(char * target, char *key1, char *key2, char *key3) + { +@@ -616,146 +654,438 @@ webSocketsDecodeHixie(rfbClientPtr cl, char *dst, int len) + } + + static int +-webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len) ++hybiRemaining(ws_ctx_t *wsctx) + { +- char *buf, *payload; +- uint32_t *payload32; +- int ret = -1, result = -1; +- int total = 0; +- ws_mask_t mask; +- ws_header_t *header; +- int i; +- unsigned char opcode; +- ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx; +- int flength, fhlen; +- /* int fin; */ /* not used atm */ +- +- // rfbLog(" <== %s[%d]: %d cl: %p, wsctx: %p-%p (%d)\n", __func__, gettid(), len, cl, wsctx, (char *)wsctx + sizeof(ws_ctx_t), sizeof(ws_ctx_t)); +- +- if (wsctx->readbuflen) { +- /* simply return what we have */ +- if (wsctx->readbuflen > len) { +- memcpy(dst, wsctx->readbuf + wsctx->readbufstart, len); +- result = len; +- wsctx->readbuflen -= len; +- wsctx->readbufstart += len; +- } else { +- memcpy(dst, wsctx->readbuf + wsctx->readbufstart, wsctx->readbuflen); +- result = wsctx->readbuflen; +- wsctx->readbuflen = 0; +- wsctx->readbufstart = 0; +- } +- goto spor; +- } +- +- buf = wsctx->codeBuf; +- header = (ws_header_t *)wsctx->codeBuf; ++ return wsctx->nToRead - wsctx->nReadRaw; ++} + +- ret = ws_peek(cl, buf, B64LEN(len) + WSHLENMAX); ++static void ++hybiDecodeCleanup(ws_ctx_t *wsctx) ++{ ++ wsctx->header.payloadLen = 0; ++ wsctx->header.mask.u = 0; ++ wsctx->nReadRaw = 0; ++ wsctx->nToRead= 0; ++ wsctx->carrylen = 0; ++ wsctx->readPos = (unsigned char *)wsctx->codeBufDecode; ++ wsctx->readlen = 0; ++ wsctx->hybiDecodeState = WS_HYBI_STATE_HEADER_PENDING; ++ wsctx->writePos = NULL; ++ rfbLog("cleaned up wsctx\n"); ++} + +- if (ret < 2) { +- /* save errno because rfbErr() will tamper it */ +- if (-1 == ret) { +- int olderrno = errno; +- rfbErr("%s: peek; %m\n", __func__); +- errno = olderrno; +- } else if (0 == ret) { +- result = 0; +- } else { +- errno = EAGAIN; +- } +- goto spor; ++/** ++ * Return payload data that has been decoded/unmasked from ++ * a websocket frame. ++ * ++ * @param[out] dst destination buffer ++ * @param[in] len bytes to copy to destination buffer ++ * @param[in,out] wsctx internal state of decoding procedure ++ * @param[out] number of bytes actually written to dst buffer ++ * @return next hybi decoding state ++ */ ++static int ++hybiReturnData(char *dst, int len, ws_ctx_t *wsctx, int *nWritten) ++{ ++ int nextState = WS_HYBI_STATE_ERR; ++ ++ /* if we have something already decoded copy and return */ ++ if (wsctx->readlen > 0) { ++ /* simply return what we have */ ++ if (wsctx->readlen > len) { ++ rfbLog("copy to %d bytes to dst buffer; readPos=%p, readLen=%d\n", len, wsctx->readPos, wsctx->readlen); ++ memcpy(dst, wsctx->readPos, len); ++ *nWritten = len; ++ wsctx->readlen -= len; ++ wsctx->readPos += len; ++ nextState = WS_HYBI_STATE_DATA_AVAILABLE; ++ } else { ++ rfbLog("copy to %d bytes to dst buffer; readPos=%p, readLen=%d\n", wsctx->readlen, wsctx->readPos, wsctx->readlen); ++ memcpy(dst, wsctx->readPos, wsctx->readlen); ++ *nWritten = wsctx->readlen; ++ wsctx->readlen = 0; ++ wsctx->readPos = NULL; ++ if (hybiRemaining(wsctx) == 0) { ++ nextState = WS_HYBI_STATE_FRAME_COMPLETE; ++ } else { ++ nextState = WS_HYBI_STATE_DATA_NEEDED; ++ } + } ++ rfbLog("after copy: readPos=%p, readLen=%d\n", wsctx->readPos, wsctx->readlen); ++ } else if (wsctx->hybiDecodeState == WS_HYBI_STATE_CLOSE_REASON_PENDING) { ++ nextState = WS_HYBI_STATE_CLOSE_REASON_PENDING; ++ } ++ return nextState; ++} + +- opcode = header->b0 & 0x0f; +- /* fin = (header->b0 & 0x80) >> 7; */ /* not used atm */ +- flength = header->b1 & 0x7f; +- +- /* +- * 4.3. Client-to-Server Masking +- * +- * The client MUST mask all frames sent to the server. A server MUST +- * close the connection upon receiving a frame with the MASK bit set to 0. +- **/ +- if (!(header->b1 & 0x80)) { +- rfbErr("%s: got frame without mask\n", __func__, ret); +- errno = EIO; +- goto spor; +- } +- +- if (flength < 126) { +- fhlen = 2; +- mask = header->m; +- } else if (flength == 126 && 4 <= ret) { +- flength = WS_NTOH16(header->l16); +- fhlen = 4; +- mask = header->m16; +- } else if (flength == 127 && 10 <= ret) { +- flength = WS_NTOH64(header->l64); +- fhlen = 10; +- mask = header->m64; ++/** ++ * Read an RFC 6455 websocket frame (IETF hybi working group). ++ * ++ * Internal state is updated according to bytes received and the ++ * decoding of header information. ++ * ++ * @param[in] cl client ptr with ptr to raw socket and ws_ctx_t ptr ++ * @param[out] sockRet emulated recv return value ++ * @return next hybi decoding state; WS_HYBI_STATE_HEADER_PENDING indicates ++ * that the header was not received completely. ++ */ ++static int ++hybiReadHeader(rfbClientPtr cl, int *sockRet) ++{ ++ int ret; ++ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx; ++ char *headerDst = wsctx->codeBufDecode + wsctx->nReadRaw; ++ int n = WSHLENMAX - wsctx->nReadRaw; ++ ++ rfbLog("header_read to %p with len=%d\n", headerDst, n); ++ ret = ws_read(cl, headerDst, n); ++ rfbLog("read %d bytes from socket\n", ret); ++ if (ret <= 0) { ++ if (-1 == ret) { ++ /* save errno because rfbErr() will tamper it */ ++ int olderrno = errno; ++ rfbErr("%s: peek; %m\n", __func__); ++ errno = olderrno; ++ *sockRet = -1; + } else { +- /* Incomplete frame header */ +- rfbErr("%s: incomplete frame header\n", __func__, ret); +- errno = EIO; +- goto spor; ++ *sockRet = 0; + } ++ return WS_HYBI_STATE_ERR; ++ } ++ ++ wsctx->nReadRaw += ret; ++ if (wsctx->nReadRaw < 2) { ++ /* cannot decode header with less than two bytes */ ++ errno = EAGAIN; ++ *sockRet = -1; ++ return WS_HYBI_STATE_HEADER_PENDING; ++ } ++ ++ /* first two header bytes received; interpret header data and get rest */ ++ wsctx->header.data = (ws_header_t *)wsctx->codeBufDecode; ++ ++ wsctx->header.opcode = wsctx->header.data->b0 & 0x0f; ++ ++ /* fin = (header->b0 & 0x80) >> 7; */ /* not used atm */ ++ wsctx->header.payloadLen = wsctx->header.data->b1 & 0x7f; ++ rfbLog("first header bytes received; opcode=%d lenbyte=%d\n", wsctx->header.opcode, wsctx->header.payloadLen); ++ ++ /* ++ * 4.3. Client-to-Server Masking ++ * ++ * The client MUST mask all frames sent to the server. A server MUST ++ * close the connection upon receiving a frame with the MASK bit set to 0. ++ **/ ++ if (!(wsctx->header.data->b1 & 0x80)) { ++ rfbErr("%s: got frame without mask ret=%d\n", __func__, ret); ++ errno = EIO; ++ *sockRet = -1; ++ return WS_HYBI_STATE_ERR; ++ } ++ ++ if (wsctx->header.payloadLen < 126 && wsctx->nReadRaw >= 6) { ++ wsctx->header.headerLen = 2 + WS_HYBI_MASK_LEN; ++ wsctx->header.mask = wsctx->header.data->u.m; ++ } else if (wsctx->header.payloadLen == 126 && 8 <= wsctx->nReadRaw) { ++ wsctx->header.headerLen = 4 + WS_HYBI_MASK_LEN; ++ wsctx->header.payloadLen = WS_NTOH16(wsctx->header.data->u.s16.l16); ++ wsctx->header.mask = wsctx->header.data->u.s16.m16; ++ } else if (wsctx->header.payloadLen == 127 && 14 <= wsctx->nReadRaw) { ++ wsctx->header.headerLen = 10 + WS_HYBI_MASK_LEN; ++ wsctx->header.payloadLen = WS_NTOH64(wsctx->header.data->u.s64.l64); ++ wsctx->header.mask = wsctx->header.data->u.s64.m64; ++ } else { ++ /* Incomplete frame header, try again */ ++ rfbErr("%s: incomplete frame header; ret=%d\n", __func__, ret); ++ errno = EAGAIN; ++ *sockRet = -1; ++ return WS_HYBI_STATE_HEADER_PENDING; ++ } ++ ++ /* absolute length of frame */ ++ wsctx->nToRead = wsctx->header.headerLen + wsctx->header.payloadLen; ++ ++ /* set payload pointer just after header */ ++ wsctx->writePos = wsctx->codeBufDecode + wsctx->nReadRaw; ++ ++ wsctx->readPos = (unsigned char *)(wsctx->codeBufDecode + wsctx->header.headerLen); ++ ++ rfbLog("header complete: state=%d flen=%d writeTo=%p\n", wsctx->hybiDecodeState, wsctx->nToRead, wsctx->writePos); ++ ++ return WS_HYBI_STATE_DATA_NEEDED; ++} ++ ++static int ++hybiWsFrameComplete(ws_ctx_t *wsctx) ++{ ++ return wsctx != NULL && hybiRemaining(wsctx) == 0; ++} + +- /* absolute length of frame */ +- total = fhlen + flength + 4; +- payload = buf + fhlen + 4; /* header length + mask */ ++static char * ++hybiPayloadStart(ws_ctx_t *wsctx) ++{ ++ return wsctx->codeBufDecode + wsctx->header.headerLen; ++} + +- if (-1 == (ret = ws_read(cl, buf, total))) { ++/** ++ * Read the remaining payload bytes from associated raw socket. ++ * ++ * - try to read remaining bytes from socket ++ * - unmask all multiples of 4 ++ * - if frame incomplete but some bytes are left, these are copied to ++ * the carry buffer ++ * - if opcode is TEXT: Base64-decode all unmasked received bytes ++ * - set state for reading decoded data ++ * - reset write position to begin of buffer (+ header) ++ * --> before we retrieve more data we let the caller clear all bytes ++ * from the reception buffer ++ * - execute return data routine ++ * ++ * Sets errno corresponding to what it gets from the underlying ++ * socket or EIO if some internal sanity check fails. ++ * ++ * @param[in] cl client ptr with raw socket reference ++ * @param[out] dst destination buffer ++ * @param[in] len size of destination buffer ++ * @param[out] sockRet emulated recv return value ++ * @return next hybi decode state ++ */ ++static int ++hybiReadAndDecode(rfbClientPtr cl, char *dst, int len, int *sockRet) ++{ ++ int n; ++ int i; ++ int toReturn; ++ int toDecode; ++ int bufsize; ++ int nextRead; ++ unsigned char *data; ++ uint32_t *data32; ++ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx; ++ ++ /* if data was carried over, copy to start of buffer */ ++ memcpy(wsctx->writePos, wsctx->carryBuf, wsctx->carrylen); ++ wsctx->writePos += wsctx->carrylen; ++ ++ /* -1 accounts for potential '\0' terminator for base64 decoding */ ++ bufsize = wsctx->codeBufDecode + ARRAYSIZE(wsctx->codeBufDecode) - wsctx->writePos - 1; ++ if (hybiRemaining(wsctx) > bufsize) { ++ nextRead = bufsize; ++ } else { ++ nextRead = hybiRemaining(wsctx); ++ } ++ ++ rfbLog("calling read with buf=%p and len=%d (decodebuf=%p headerLen=%d\n)", wsctx->writePos, nextRead, wsctx->codeBufDecode, wsctx->header.headerLen); ++ ++ if (wsctx->nReadRaw < wsctx->nToRead) { ++ /* decode more data */ ++ if (-1 == (n = ws_read(cl, wsctx->writePos, nextRead))) { + int olderrno = errno; + rfbErr("%s: read; %m", __func__); + errno = olderrno; +- return ret; +- } else if (ret < total) { +- /* GT TODO: hmm? */ +- rfbLog("%s: read; got partial data\n", __func__); +- } else { +- buf[ret] = '\0'; ++ *sockRet = -1; ++ return WS_HYBI_STATE_ERR; ++ } else if (n == 0) { ++ *sockRet = 0; ++ return WS_HYBI_STATE_ERR; + } +- +- /* process 1 frame (32 bit op) */ +- payload32 = (uint32_t *)payload; +- for (i = 0; i < flength / 4; i++) { +- payload32[i] ^= mask.u; ++ wsctx->nReadRaw += n; ++ rfbLog("read %d bytes from socket; nRead=%d\n", n, wsctx->nReadRaw); ++ } else { ++ n = 0; ++ } ++ ++ wsctx->writePos += n; ++ ++ if (wsctx->nReadRaw >= wsctx->nToRead) { ++ if (wsctx->nReadRaw > wsctx->nToRead) { ++ rfbErr("%s: internal error, read past websocket frame", __func__); ++ errno=EIO; ++ *sockRet = -1; ++ return WS_HYBI_STATE_ERR; + } ++ } ++ ++ toDecode = wsctx->writePos - hybiPayloadStart(wsctx); ++ rfbLog("toDecode=%d from n=%d carrylen=%d headerLen=%d\n", toDecode, n, wsctx->carrylen, wsctx->header.headerLen); ++ if (toDecode < 0) { ++ rfbErr("%s: internal error; negative number of bytes to decode: %d", __func__, toDecode); ++ errno=EIO; ++ *sockRet = -1; ++ return WS_HYBI_STATE_ERR; ++ } ++ ++ /* for a possible base64 decoding, we decode multiples of 4 bytes until ++ * the whole frame is received and carry over any remaining bytes in the carry buf*/ ++ data = (unsigned char *)hybiPayloadStart(wsctx); ++ data32= (uint32_t *)data; ++ ++ for (i = 0; i < (toDecode >> 2); i++) { ++ data32[i] ^= wsctx->header.mask.u; ++ } ++ rfbLog("mask decoding; i=%d toDecode=%d\n", i, toDecode); ++ ++ if (wsctx->hybiDecodeState == WS_HYBI_STATE_FRAME_COMPLETE) { + /* process the remaining bytes (if any) */ +- for (i*=4; i < flength; i++) { +- payload[i] ^= mask.c[i % 4]; +- } +- +- switch (opcode) { +- case WS_OPCODE_CLOSE: +- rfbLog("got closure, reason %d\n", WS_NTOH16(((uint16_t *)payload)[0])); +- errno = ECONNRESET; +- break; +- case WS_OPCODE_TEXT_FRAME: +- if (-1 == (flength = __b64_pton(payload, (unsigned char *)wsctx->codeBuf, sizeof(wsctx->codeBuf)))) { +- rfbErr("%s: Base64 decode error; %m\n", __func__); +- break; +- } +- payload = wsctx->codeBuf; +- /* fall through */ +- case WS_OPCODE_BINARY_FRAME: +- if (flength > len) { +- memcpy(wsctx->readbuf, payload + len, flength - len); +- wsctx->readbufstart = 0; +- wsctx->readbuflen = flength - len; +- flength = len; +- } +- memcpy(dst, payload, flength); +- result = flength; +- break; ++ for (i*=4; i < toDecode; i++) { ++ data[i] ^= wsctx->header.mask.c[i % 4]; ++ } ++ ++ /* all data is here, no carrying */ ++ wsctx->carrylen = 0; ++ } else { ++ /* carry over remaining, non-multiple-of-four bytes */ ++ wsctx->carrylen = toDecode - (i * 4); ++ if (wsctx->carrylen < 0 || wsctx->carrylen > ARRAYSIZE(wsctx->carryBuf)) { ++ rfbErr("%s: internal error, invalid carry over size: carrylen=%d, toDecode=%d, i=%d", __func__, wsctx->carrylen, toDecode, i); ++ *sockRet = -1; ++ errno = EIO; ++ return WS_HYBI_STATE_ERR; ++ } ++ rfbLog("carrying over %d bytes from %p to %p\n", wsctx->carrylen, wsctx->writePos + (i * 4), wsctx->carryBuf); ++ memcpy(wsctx->carryBuf, data + (i * 4), wsctx->carrylen); ++ } ++ ++ toReturn = toDecode - wsctx->carrylen; ++ ++ switch (wsctx->header.opcode) { ++ case WS_OPCODE_CLOSE: ++ ++ /* this data is not returned as payload data */ ++ if (hybiWsFrameComplete(wsctx)) { ++ rfbLog("got closure, reason %d\n", WS_NTOH16(((uint16_t *)data)[0])); ++ errno = ECONNRESET; ++ *sockRet = -1; ++ return WS_HYBI_STATE_FRAME_COMPLETE; ++ } else { ++ rfbErr("%s: close reason with long frame not supported", __func__); ++ errno = EIO; ++ *sockRet = -1; ++ return WS_HYBI_STATE_ERR; ++ } ++ break; ++ case WS_OPCODE_TEXT_FRAME: ++ data[toReturn] = '\0'; ++ rfbLog("Initiate Base64 decoding in %p with max size %d and '\\0' at %p\n", data, bufsize, data + toReturn); ++ if (-1 == (wsctx->readlen = b64_pton((char *)data, data, bufsize))) { ++ rfbErr("Base64 decode error in %s; data=%p bufsize=%d", __func__, data, bufsize); ++ rfbErr("%s: Base64 decode error; %m\n", __func__); ++ } ++ wsctx->writePos = hybiPayloadStart(wsctx); ++ break; ++ case WS_OPCODE_BINARY_FRAME: ++ wsctx->readlen = toReturn; ++ wsctx->writePos = hybiPayloadStart(wsctx); ++ break; ++ default: ++ rfbErr("%s: unhandled opcode %d, b0: %02x, b1: %02x\n", __func__, (int)wsctx->header.opcode, wsctx->header.data->b0, wsctx->header.data->b1); ++ } ++ wsctx->readPos = data; ++ ++ return hybiReturnData(dst, len, wsctx, sockRet); ++} ++ ++/** ++ * Read function for websocket-socket emulation. ++ * ++ * 0 1 2 3 ++ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 ++ * +-+-+-+-+-------+-+-------------+-------------------------------+ ++ * |F|R|R|R| opcode|M| Payload len | Extended payload length | ++ * |I|S|S|S| (4) |A| (7) | (16/64) | ++ * |N|V|V|V| |S| | (if payload len==126/127) | ++ * | |1|2|3| |K| | | ++ * +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - + ++ * | Extended payload length continued, if payload len == 127 | ++ * + - - - - - - - - - - - - - - - +-------------------------------+ ++ * | |Masking-key, if MASK set to 1 | ++ * +-------------------------------+-------------------------------+ ++ * | Masking-key (continued) | Payload Data | ++ * +-------------------------------- - - - - - - - - - - - - - - - + ++ * : Payload Data continued ... : ++ * + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ++ * | Payload Data continued ... | ++ * +---------------------------------------------------------------+ ++ * ++ * Using the decode buffer, this function: ++ * - reads the complete header from the underlying socket ++ * - reads any remaining data bytes ++ * - unmasks the payload data using the provided mask ++ * - decodes Base64 encoded text data ++ * - copies len bytes of decoded payload data into dst ++ * ++ * Emulates a read call on a socket. ++ */ ++static int ++webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len) ++{ ++ int result = -1; ++ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx; ++ /* int fin; */ /* not used atm */ ++ ++ /* rfbLog(" <== %s[%d]: %d cl: %p, wsctx: %p-%p (%d)\n", __func__, gettid(), len, cl, wsctx, (char *)wsctx + sizeof(ws_ctx_t), sizeof(ws_ctx_t)); */ ++ rfbLog("%s_enter: len=%d; " ++ "CTX: readlen=%d readPos=%p " ++ "writeTo=%p " ++ "state=%d toRead=%d remaining=%d " ++ " nReadRaw=%d carrylen=%d carryBuf=%p\n", ++ __func__, len, ++ wsctx->readlen, wsctx->readPos, ++ wsctx->writePos, ++ wsctx->hybiDecodeState, wsctx->nToRead, hybiRemaining(wsctx), ++ wsctx->nReadRaw, wsctx->carrylen, wsctx->carryBuf); ++ ++ switch (wsctx->hybiDecodeState){ ++ case WS_HYBI_STATE_HEADER_PENDING: ++ wsctx->hybiDecodeState = hybiReadHeader(cl, &result); ++ if (wsctx->hybiDecodeState == WS_HYBI_STATE_ERR) { ++ goto spor; ++ } ++ if (wsctx->hybiDecodeState != WS_HYBI_STATE_HEADER_PENDING) { ++ ++ /* when header is complete, try to read some more data */ ++ wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result); ++ } ++ break; ++ case WS_HYBI_STATE_DATA_AVAILABLE: ++ wsctx->hybiDecodeState = hybiReturnData(dst, len, wsctx, &result); ++ break; ++ case WS_HYBI_STATE_DATA_NEEDED: ++ wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result); ++ break; ++ case WS_HYBI_STATE_CLOSE_REASON_PENDING: ++ wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result); ++ break; + default: +- rfbErr("%s: unhandled opcode %d, b0: %02x, b1: %02x\n", __func__, (int)opcode, header->b0, header->b1); ++ /* invalid state */ ++ rfbErr("%s: called with invalid state %d\n", wsctx->hybiDecodeState); ++ result = -1; ++ errno = EIO; ++ wsctx->hybiDecodeState = WS_HYBI_STATE_ERR; + } + + /* single point of return, if someone has questions :-) */ + spor: + /* rfbLog("%s: ret: %d/%d\n", __func__, result, len); */ ++ if (wsctx->hybiDecodeState == WS_HYBI_STATE_FRAME_COMPLETE) { ++ rfbLog("frame received successfully, cleaning up: read=%d hlen=%d plen=%d\n", wsctx->header.nRead, wsctx->header.headerLen, wsctx->header.payloadLen); ++ /* frame finished, cleanup state */ ++ hybiDecodeCleanup(wsctx); ++ } else if (wsctx->hybiDecodeState == WS_HYBI_STATE_ERR) { ++ hybiDecodeCleanup(wsctx); ++ } ++ rfbLog("%s_exit: len=%d; " ++ "CTX: readlen=%d readPos=%p " ++ "writePos=%p " ++ "state=%d toRead=%d remaining=%d " ++ "nRead=%d carrylen=%d carryBuf=%p " ++ "result=%d\n", ++ __func__, len, ++ wsctx->readlen, wsctx->readPos, ++ wsctx->writePos, ++ wsctx->hybiDecodeState, wsctx->nToRead, hybiRemaining(wsctx), ++ wsctx->nReadRaw, wsctx->carrylen, wsctx->carryBuf, ++ result); + return result; + } + +@@ -896,3 +1226,16 @@ webSocketCheckDisconnect(rfbClientPtr cl) + return FALSE; + } + ++/* returns TRUE if there is data waiting to be read in our internal buffer ++ * or if is there any pending data in the buffer of the SSL implementation ++ */ ++rfbBool ++webSocketsHasDataInBuffer(rfbClientPtr cl) ++{ ++ ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx; ++ ++ if (wsctx && wsctx->readlen) ++ return TRUE; ++ ++ return (cl->sslctx && rfbssl_pending(cl) > 0); ++} +-- +2.26.2 + diff --git a/SOURCES/libvncserver-0.9.9-Work-around-a-gcc-bug-with-anonymous-structs-and-uni.patch b/SOURCES/libvncserver-0.9.9-Work-around-a-gcc-bug-with-anonymous-structs-and-uni.patch new file mode 100644 index 0000000..95d7f16 --- /dev/null +++ b/SOURCES/libvncserver-0.9.9-Work-around-a-gcc-bug-with-anonymous-structs-and-uni.patch @@ -0,0 +1,66 @@ +From a6e141517b86a866feba4d472ead02a9df569a9e Mon Sep 17 00:00:00 2001 +From: Raphael Kubo da Costa +Date: Tue, 11 Sep 2012 22:50:18 +0300 +Subject: [PATCH 1/3] Work around a gcc bug with anonymous structs and unions. + +GCC < 4.6 failed to parse the declaration of ws_header_t correctly because +it did not accept anonymous structs and unions. [1] + +Work around the bug by adding names to the unions and structs. Ugly, but +works. + +[1] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=4784 +--- + libvncserver/websockets.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/libvncserver/websockets.c b/libvncserver/websockets.c +index 8cd96d38..937f6d4d 100644 +--- a/libvncserver/websockets.c ++++ b/libvncserver/websockets.c +@@ -88,6 +88,11 @@ typedef union ws_mask_s { + uint32_t u; + } ws_mask_t; + ++/* XXX: The union and the structs do not need to be named. ++ * We are working around a bug present in GCC < 4.6 which prevented ++ * it from recognizing anonymous structs and unions. ++ * See http://gcc.gnu.org/bugzilla/show_bug.cgi?id=4784 ++ */ + typedef struct __attribute__ ((__packed__)) ws_header_s { + unsigned char b0; + unsigned char b1; +@@ -95,13 +100,13 @@ typedef struct __attribute__ ((__packed__)) ws_header_s { + struct __attribute__ ((__packed__)) { + uint16_t l16; + ws_mask_t m16; +- }; ++ } s16; + struct __attribute__ ((__packed__)) { + uint64_t l64; + ws_mask_t m64; +- }; ++ } s64; + ws_mask_t m; +- }; ++ } u; + } ws_header_t; + + enum +@@ -792,11 +797,11 @@ webSocketsEncodeHybi(rfbClientPtr cl, const char *src, int len, char **dst) + sz = 2; + } else if (blen <= 65536) { + header->b1 = 0x7e; +- header->l16 = WS_HTON16((uint16_t)blen); ++ header->u.s16.l16 = WS_HTON16((uint16_t)blen); + sz = 4; + } else { + header->b1 = 0x7f; +- header->l64 = WS_HTON64(blen); ++ header->u.s64.l64 = WS_HTON64(blen); + sz = 10; + } + +-- +2.26.2 + diff --git a/SOURCES/libvncserver-0.9.9-fix-for-issue-81.patch b/SOURCES/libvncserver-0.9.9-fix-for-issue-81.patch new file mode 100644 index 0000000..c8cd461 --- /dev/null +++ b/SOURCES/libvncserver-0.9.9-fix-for-issue-81.patch @@ -0,0 +1,79 @@ +From 93fd4bc18a81a568f3329ee2aa22390ef75b05ed Mon Sep 17 00:00:00 2001 +From: plettix +Date: Tue, 7 Jul 2015 10:32:16 +0200 +Subject: [PATCH 2/3] fix for issue 81 use different buffers for decode and + encode + +--- + libvncserver/websockets.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/libvncserver/websockets.c b/libvncserver/websockets.c +index 937f6d4d..3c8e99aa 100644 +--- a/libvncserver/websockets.c ++++ b/libvncserver/websockets.c +@@ -481,15 +481,15 @@ webSocketsEncodeHixie(rfbClientPtr cl, const char *src, int len, char **dst) + int sz = 0; + ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx; + +- wsctx->codeBuf[sz++] = '\x00'; +- len = __b64_ntop((unsigned char *)src, len, wsctx->codeBuf+sz, sizeof(wsctx->codeBuf) - (sz + 1)); ++ wsctx->codeBufEncode[sz++] = '\x00'; ++ len = __b64_ntop((unsigned char *)src, len, wsctx->codeBufEncode+sz, sizeof(wsctx->codeBufEncode) - (sz + 1)); + if (len < 0) { + return len; + } + sz += len; + +- wsctx->codeBuf[sz++] = '\xff'; +- *dst = wsctx->codeBuf; ++ wsctx->codeBufEncode[sz++] = '\xff'; ++ *dst = wsctx->codeBufEncode; + return sz; + } + +@@ -527,7 +527,7 @@ webSocketsDecodeHixie(rfbClientPtr cl, char *dst, int len) + char *buf, *end = NULL; + ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx; + +- buf = wsctx->codeBuf; ++ buf = wsctx->codeBufDecode; + + n = ws_peek(cl, buf, len*2+2); + +@@ -781,7 +781,7 @@ webSocketsEncodeHybi(rfbClientPtr cl, const char *src, int len, char **dst) + return 0; + } + +- header = (ws_header_t *)wsctx->codeBuf; ++ header = (ws_header_t *)wsctx->codeBufEncode; + + if (wsctx->base64) { + opcode = WS_OPCODE_TEXT_FRAME; +@@ -806,7 +806,7 @@ webSocketsEncodeHybi(rfbClientPtr cl, const char *src, int len, char **dst) + } + + if (wsctx->base64) { +- if (-1 == (ret = __b64_ntop((unsigned char *)src, len, wsctx->codeBuf + sz, sizeof(wsctx->codeBuf) - sz))) { ++ if (-1 == (ret = __b64_ntop((unsigned char *)src, len, wsctx->codeBufEncode + sz, sizeof(wsctx->codeBufEncode) - sz))) { + rfbErr("%s: Base 64 encode failed\n", __func__); + } else { + if (ret != blen) +@@ -814,11 +814,12 @@ webSocketsEncodeHybi(rfbClientPtr cl, const char *src, int len, char **dst) + ret += sz; + } + } else { +- memcpy(wsctx->codeBuf + sz, src, len); ++ memcpy(wsctx->codeBufEncode + sz, src, len); + ret = sz + len; + } + +- *dst = wsctx->codeBuf; ++ *dst = wsctx->codeBufEncode; ++ + return ret; + } + +-- +2.26.2 + diff --git a/SPECS/libvncserver.spec b/SPECS/libvncserver.spec index 2d89e5f..a4ab743 100644 --- a/SPECS/libvncserver.spec +++ b/SPECS/libvncserver.spec @@ -6,7 +6,7 @@ Summary: Library to make writing a vnc server easy Name: libvncserver Version: 0.9.9 -Release: 14%{?dist} +Release: 14%{?dist}.1 # NOTE: --with-tightvnc-filetransfer => GPLv2 License: GPLv2+ Group: System Environment/Libraries @@ -47,9 +47,17 @@ Patch11: libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch # fixed in upstream after 0.9.12 Patch12: libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch # Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client), -# bug #1814339, , +# bug #1814745, , # in upstream after 0.9.12 Patch13: libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch +# https://github.com/LibVNC/libvncserver/commit/8f544bd276fcabc52d3816fb0814229805c8d198 +Patch14: libvncserver-0.9.9-Work-around-a-gcc-bug-with-anonymous-structs-and-uni.patch +# https://github.com/LibVNC/libvncserver/issues/81 +Patch15: libvncserver-0.9.9-fix-for-issue-81.patch +# https://github.com/LibVNC/libvncserver/commit/aac95a9dcf4bbba87b76c72706c3221a842ca433 +Patch16: libvncserver-0.9.9-CVE-2017-18922.patch +# https://github.com/LibVNC/libvncserver/pull/308 +Patch17: libvncserver-0.9.11-CVE-2019-20840.patch # upstream name Obsoletes: LibVNCServer < 0.9.1 @@ -106,6 +114,10 @@ rm -f common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 # fix encoding for file in AUTHORS ChangeLog ; do @@ -174,9 +186,13 @@ rm -rf %{buildroot} %changelog +* Wed Jul 29 2020 Michael Catanzaro - 0.9.9-14.1 +- Fix CVE-2017-18922 + Resolves: #1852509 + * Wed Mar 18 2020 Petr Pisar - 0.9.9-14 - Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client) - (bug #1814339) + (bug #1814745) * Thu Jan 10 2019 Petr Pisar - 0.9.9-13 - Fix CVE-2018-15127 (Heap out-of-bounds write in