import libvncserver-0.9.11-14.el8

2020-04-23 23:55:19 +00:00 · 2020-04-23 23:55:19 +00:00 · 19823743e6
commit 19823743e6
parent 188df7c846
2 changed files with 54 additions and 1 deletions
--- a/SOURCES/libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch
+++ b/SOURCES/libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch
@ -0,0 +1,44 @@
+From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sun, 17 Nov 2019 17:18:35 +0100
+Subject: [PATCH] libvncclient/cursor: limit width/height input values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoids a possible heap overflow reported by Pavel Cheremushkin
+<Pavel.Cheremushkin@kaspersky.com>.
+
+re #275
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ libvncclient/cursor.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
+index 67f45726..40ffb3b0 100644
+--- a/libvncclient/cursor.c
+++ b/libvncclient/cursor.c
+@@ -28,6 +28,8 @@
+ #define OPER_SAVE     0
+ #define OPER_RESTORE  1
+ 
+#define MAX_CURSOR_SIZE 1024
+
+ #define RGB24_TO_PIXEL(bpp,r,g,b)                                       \
+    ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255             \
+     << client->format.redShift |                                              \
+@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
+   if (width * height == 0)
+     return TRUE;
+ 
+  if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
+    return FALSE;
+
+   /* Allocate memory for pixel data and temporary mask data. */
+   if(client->rcSource)
+     free(client->rcSource);
+-- 
+2.21.1
+
--- a/SPECS/libvncserver.spec
+++ b/SPECS/libvncserver.spec
@ -1,7 +1,7 @@
 Summary:    Library to make writing a VNC server easy
 Name:       libvncserver
 Version:    0.9.11
-Release:    13%{?dist}
+Release:    14%{?dist}

 # NOTE: --with-filetransfer => GPLv2
 License:    GPLv2+
@ -37,6 +37,10 @@ Patch105:     libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
 # <https://github.com/LibVNC/libvncserver/issues/276>
 # fixed in upstream after 0.9.12
 Patch106:     libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch
+# Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client),
+# bug #1814343, <https://github.com/LibVNC/libvncserver/issues/275>,
+# in upstream after 0.9.12
+Patch107:     libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch

 BuildRequires:  autoconf
 BuildRequires:  automake
@ -108,6 +112,7 @@ developing applications that use %{name}.
 %patch104 -p1
 %patch105 -p1
 %patch106 -p1
+%patch107 -p1

 # Fix encoding
 for file in ChangeLog ; do
@ -167,6 +172,10 @@ make -C test test ||:


 %changelog
+* Wed Mar 18 2020 Petr Pisar <ppisar@redhat.com> - 0.9.11-14
+- Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client)
+  (bug #1814343)
+
 * Thu Nov 28 2019 Jonas Ådahl <jadahl@redhat.com> - 0.9.11-13
 - Manually apply new patch
  Resolves: #1684729