diff --git a/SOURCES/libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch b/SOURCES/libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch
new file mode 100644
index 0000000..87edf44
--- /dev/null
+++ b/SOURCES/libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch
@@ -0,0 +1,44 @@
+From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sun, 17 Nov 2019 17:18:35 +0100
+Subject: [PATCH] libvncclient/cursor: limit width/height input values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoids a possible heap overflow reported by Pavel Cheremushkin
+<Pavel.Cheremushkin@kaspersky.com>.
+
+re #275
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ libvncclient/cursor.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
+index 67f45726..40ffb3b0 100644
+--- a/libvncclient/cursor.c
++++ b/libvncclient/cursor.c
+@@ -28,6 +28,8 @@
+ #define OPER_SAVE     0
+ #define OPER_RESTORE  1
+ 
++#define MAX_CURSOR_SIZE 1024
++
+ #define RGB24_TO_PIXEL(bpp,r,g,b)                                       \
+    ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255             \
+     << client->format.redShift |                                              \
+@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
+   if (width * height == 0)
+     return TRUE;
+ 
++  if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
++    return FALSE;
++
+   /* Allocate memory for pixel data and temporary mask data. */
+   if(client->rcSource)
+     free(client->rcSource);
+-- 
+2.21.1
+
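Review bot: The new limit `if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)` in HandleCursorShape runs after the context line `if (width * height == 0)`, so the product is still computed on unchecked values, and signed `int` overflow there is undefined behaviour. The check also has no lower bound: `width` is declared `int` in the hunk header (the `height` parameter is cut off there but is presumably `int` as well), so negative values pass both tests unless every caller only passes unsigned rectangle fields, which this hunk does not show. I would move the guard above the zero test and write it as `if (width < 0 || height < 0 || width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) return FALSE;`. A one-line comment on `MAX_CURSOR_SIZE` saying that it bounds server-supplied cursor dimensions before the allocation that follows would also help. The body of HandleCursorShape continues outside the hunk, so the allocation size expressions are not visible here.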
diff --git a/SPECS/libvncserver.spec b/SPECS/libvncserver.spec
index d10a199..2d89e5f 100644
--- a/SPECS/libvncserver.spec
+++ b/SPECS/libvncserver.spec
@@ -6,7 +6,7 @@
 Summary: Library to make writing a vnc server easy
 Name:    libvncserver
 Version: 0.9.9
-Release: 13%{?dist}
+Release: 14%{?dist}
 # NOTE: --with-tightvnc-filetransfer => GPLv2
 License: GPLv2+
 Group:   System Environment/Libraries
@@ -40,12 +40,16 @@ Patch10:    libvncserver-0.9.11-Validate-client-cut-text-length.patch
 # 2/2 Fix CVE-2018-7225, bug #1548441
 Patch11:    libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
 # Fix CVE-2018-15127 (Heap out-of-bounds write in
-# rfbserver.c:rfbProcessFileTransferReadBuffer()), bug #1662995, upstream bugs
+# rfbserver.c:rfbProcessFileTransferReadBuffer()), bug #1662996, upstream bugs
 # <https://github.com/LibVNC/libvncserver/issues/243>
 # <https://github.com/LibVNC/libvncserver/issues/273>
 # <https://github.com/LibVNC/libvncserver/issues/276>
 # fixed in upstream after 0.9.12
 Patch12:    libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch
+# Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client),
+# bug #1814339, <https://github.com/LibVNC/libvncserver/issues/275>,
+# in upstream after 0.9.12
+Patch13:    libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch
 
 # upstream name
 Obsoletes: LibVNCServer < 0.9.1
@@ -101,6 +105,7 @@ rm -f common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
 
 # fix encoding
 for file in AUTHORS ChangeLog ; do
@@ -169,9 +174,13 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Wed Mar 18 2020 Petr Pisar <ppisar@redhat.com> - 0.9.9-14
+- Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client)
+  (bug #1814339)
+
 * Thu Jan 10 2019 Petr Pisar <ppisar@redhat.com> - 0.9.9-13
 - Fix CVE-2018-15127 (Heap out-of-bounds write in
-  rfbserver.c:rfbProcessFileTransferReadBuffer()) (bug #1662995)
+  rfbserver.c:rfbProcessFileTransferReadBuffer()) (bug #1662996)
 
 * Mon Feb 26 2018 Petr Pisar <ppisar@redhat.com> - 0.9.9-12
 - Fix CVE-2018-7225 (improper client cut text length sanitization) (bug #1548441)