diff --git a/SOURCES/libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch b/SOURCES/libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch
new file mode 100644
index 0000000..87edf44
--- /dev/null
+++ b/SOURCES/libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch
@@ -0,0 +1,44 @@
+From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
+From: Christian Beier
+Date: Sun, 17 Nov 2019 17:18:35 +0100
+Subject: [PATCH] libvncclient/cursor: limit width/height input values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoids a possible heap overflow reported by Pavel Cheremushkin
+.
+
+re #275
+
+Signed-off-by: Petr Písař
+---
+ libvncclient/cursor.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
+index 67f45726..40ffb3b0 100644
+--- a/libvncclient/cursor.c
++++ b/libvncclient/cursor.c
+@@ -28,6 +28,8 @@
+ #define OPER_SAVE 0
+ #define OPER_RESTORE 1
+ 
++#define MAX_CURSOR_SIZE 1024
++
+ #define RGB24_TO_PIXEL(bpp,r,g,b) \
+ ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \
+ << client->format.redShift | \
+@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
+ if (width * height == 0)
+ return TRUE;
+ 
++ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
++ return FALSE;
++
+ /* Allocate memory for pixel data and temporary mask data. */
+ if(client->rcSource)
+ free(client->rcSource);
+-- 
+2.21.1
+
diff --git a/SPECS/libvncserver.spec b/SPECS/libvncserver.spec
index d10a199..2d89e5f 100644
--- a/SPECS/libvncserver.spec
+++ b/SPECS/libvncserver.spec
@@ -6,7 +6,7 @@
 Summary: Library to make writing a vnc server easy
 Name: libvncserver
 Version: 0.9.9
-Release: 13%{?dist}
+Release: 14%{?dist}
 # NOTE: --with-tightvnc-filetransfer => GPLv2
 License: GPLv2+
 Group: System Environment/Libraries
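Review bot: The new size limit in the second hunk of the embedded cursor.c patch is placed after `if (width * height == 0) return TRUE;`, so the product of two unchecked `int` parameters is still evaluated before the bound applies; if a caller can supply values anywhere near the 16-bit range that multiplication overflows signed int (undefined behaviour) before the guard runs. Moving the two added lines above the zero test closes that gap: `if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) return FALSE;` first, then `if (width * height == 0) return TRUE;`. The check also never rejects negative values; `width` and `height` are declared `int` in the signature shown in the hunk header, so unless every caller derives them from unsigned rectangle fields, a `width <= 0 || height <= 0` guard would make the function self-contained rather than relying on the caller. The body of HandleCursorShape starts and ends outside the hunk, so the later uses of width and height that the limit protects are not visible here.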
@@ -40,12 +40,16 @@ Patch10: libvncserver-0.9.11-Validate-client-cut-text-length.patch # 2/2 Fix CVE-2018-7225, bug #1548441 Patch11: libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch # Fix CVE-2018-15127 (Heap out-of-bounds write in -# rfbserver.c:rfbProcessFileTransferReadBuffer()), bug #1662995, upstream bugs +# rfbserver.c:rfbProcessFileTransferReadBuffer()), bug #1662996, upstream bugs # # # # fixed in upstream after 0.9.12 Patch12: libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch +# Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client), +# bug #1814339, , +# in upstream after 0.9.12 +Patch13: libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch # upstream name Obsoletes: LibVNCServer < 0.9.1 @@ -101,6 +105,7 @@ rm -f common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 # fix encoding for file in AUTHORS ChangeLog ; do @@ -169,9 +174,13 @@ rm -rf %{buildroot} %changelog +* Wed Mar 18 2020 Petr Pisar - 0.9.9-14 +- Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client) + (bug #1814339) + * Thu Jan 10 2019 Petr Pisar - 0.9.9-13 - Fix CVE-2018-15127 (Heap out-of-bounds write in - rfbserver.c:rfbProcessFileTransferReadBuffer()) (bug #1662995) + rfbserver.c:rfbProcessFileTransferReadBuffer()) (bug #1662996) * Mon Feb 26 2018 Petr Pisar - 0.9.9-12 - Fix CVE-2018-7225 (improper client cut text length sanitization) (bug #1548441)