rpms/libvncserver
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import libvncserver-0.9.11-17.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-05-18 02:40:59 -04:00 committed by Andrew Lukoshko
parent 8561bbafb7
commit 8845db0cf3
6 changed files with 229 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
SOURCES/libvncserver-0.9.11-CVE-2018-21247.patch Normal file
View File

@ -0,0 +1,35 @@
From d87d25516b3992e52cf79e3cd6bd331b0baceecf Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Sun, 17 Nov 2019 16:21:18 +0100
Subject: [PATCH] When connecting to a repeater, make sure to not leak memory
Really closes #253
---
examples/repeater.c | 1 +
libvncclient/rfbproto.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/examples/repeater.c b/examples/repeater.c
index cf0350ff..7047578d 100644
--- a/examples/repeater.c
+++ b/examples/repeater.c
@@ -23,6 +23,7 @@ int main(int argc,char** argv)
"Usage: %s <id> <repeater-host> [<repeater-port>]\n", argv[0]);
exit(1);
}
+ memset(id, 0, sizeof(id));
snprintf(id, sizeof(id) - 1, "ID:%s", argv[1]);
repeaterHost = argv[2];
repeaterPort = argc < 4 ? 5500 : atoi(argv[3]);
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index 6c07d97e..675248fa 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -402,6 +402,7 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n", major, minor);
+ memset(tmphost, 0, sizeof(tmphost));
snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
if (!WriteToRFBServer(client, tmphost, sizeof(tmphost)))
return FALSE;

25
SOURCES/libvncserver-0.9.11-CVE-2019-20839.patch Normal file
View File

@ -0,0 +1,25 @@
From 3fd03977c9b35800d73a865f167338cb4d05b0c1 Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Sat, 6 Apr 2019 20:23:12 +0200
Subject: [PATCH] libvncclient: bail out if unix socket name would overflow
Closes #291
---
libvncclient/sockets.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libvncclient/sockets.c b/libvncclient/sockets.c
index f042472f..821f85ca 100644
--- a/libvncclient/sockets.c
+++ b/libvncclient/sockets.c
@@ -461,6 +461,10 @@ ConnectClientToUnixSock(const char *sockFile)
int sock;
struct sockaddr_un addr;
addr.sun_family = AF_UNIX;
+ if(strlen(sockFile) + 1 > sizeof(addr.sun_path)) {
+ rfbClientErr("ConnectToUnixSock: socket file name too long\n");
+ return -1;
+ }
strcpy(addr.sun_path, sockFile);
sock = socket(AF_UNIX, SOCK_STREAM, 0);

80
SOURCES/libvncserver-0.9.11-CVE-2020-14397.patch Normal file
View File

@ -0,0 +1,80 @@
From 416d7662a3f3ac5131014c6011bf1364d57a27e2 Mon Sep 17 00:00:00 2001
From: Tobias Junghans <tobydox@veyon.io>
Date: Tue, 3 Nov 2020 13:58:36 -0600
Subject: [PATCH] libvncserver: add missing NULL pointer checks
---
libvncserver/rfbregion.c | 26 ++++++++++++++++----------
libvncserver/rfbserver.c | 4 +++-
2 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/libvncserver/rfbregion.c b/libvncserver/rfbregion.c
index 1947d7c4..1e59646a 100644
--- a/libvncserver/rfbregion.c
+++ b/libvncserver/rfbregion.c
@@ -50,24 +50,30 @@ sraSpanDup(const sraSpan *src) {
static void
sraSpanInsertAfter(sraSpan *newspan, sraSpan *after) {
- newspan->_next = after->_next;
- newspan->_prev = after;
- after->_next->_prev = newspan;
- after->_next = newspan;
+ if (newspan && after) {
+ newspan->_next = after->_next;
+ newspan->_prev = after;
+ after->_next->_prev = newspan;
+ after->_next = newspan;
+ }
}
static void
sraSpanInsertBefore(sraSpan *newspan, sraSpan *before) {
- newspan->_next = before;
- newspan->_prev = before->_prev;
- before->_prev->_next = newspan;
- before->_prev = newspan;
+ if (newspan && before) {
+ newspan->_next = before;
+ newspan->_prev = before->_prev;
+ before->_prev->_next = newspan;
+ before->_prev = newspan;
+ }
}
static void
sraSpanRemove(sraSpan *span) {
- span->_prev->_next = span->_next;
- span->_next->_prev = span->_prev;
+ if (span) {
+ span->_prev->_next = span->_next;
+ span->_next->_prev = span->_prev;
+ }
}
static void
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 1b4dd975..1f4230f2 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -218,6 +218,8 @@ rfbClientIteratorHead(rfbClientIteratorPtr i)
rfbClientPtr
rfbClientIteratorNext(rfbClientIteratorPtr i)
{
+ if (!i)
+ return NULL;
if(i->next == 0) {
LOCK(rfbClientListMutex);
i->next = i->screen->clientHead;
@@ -242,7 +244,7 @@ rfbClientIteratorNext(rfbClientIteratorPtr i)
void
rfbReleaseClientIterator(rfbClientIteratorPtr iterator)
{
- IF_PTHREADS(if(iterator->next) rfbDecrClientRef(iterator->next));
+ IF_PTHREADS(if(iterator && iterator->next) rfbDecrClientRef(iterator->next));
free(iterator);
}
--
2.28.0

38
SOURCES/libvncserver-0.9.11-CVE-2020-14405.patch Normal file
View File

@ -0,0 +1,38 @@
From 483dd0834167b86833ec6d756168b426ff8b4304 Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Tue, 3 Nov 2020 13:44:14 -0600
Subject: [PATCH] libvncclient/rfbproto: limit max textchat size
Addresses GitHub Security Lab (GHSL) Vulnerability Report
`GHSL-2020-063`.
Re #275
---
libvncclient/rfbproto.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index 94751a22..7ba00b55 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -73,6 +73,8 @@
# define snprintf _snprintf /* MSVC went straight to the underscored syntax */
#endif
+#define MAX_TEXTCHAT_SIZE 10485760 /* 10MB */
+
/*
* rfbClientLog prints a time-stamped message to the log file (stderr).
*/
@@ -2285,6 +2287,8 @@ HandleRFBServerMessage(rfbClient* client)
client->HandleTextChat(client, (int)rfbTextChatFinished, NULL);
break;
default:
+ if(msg.tc.length > MAX_TEXTCHAT_SIZE)
+ return FALSE;
buffer=malloc(msg.tc.length+1);
if (!ReadFromRFBServer(client, buffer, msg.tc.length))
{
--
2.28.0

24
SOURCES/libvncserver-0.9.11-CVE-2020-25708.patch Normal file
View File

@ -0,0 +1,24 @@
From 673c07a75ed844d74676f3ccdcfdc706a7052dba Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Sun, 17 May 2020 13:47:21 +0200
Subject: [PATCH] libvncserver/rfbserver: fix possible divide-by-zero
Closes #409
---
libvncserver/rfbserver.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 269a0137..9cc29c52 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -3369,6 +3369,9 @@ rfbSendRectEncodingRaw(rfbClientPtr cl,
char *fbptr = (cl->scaledScreen->frameBuffer + (cl->scaledScreen->paddedWidthInBytes * y)
+ (x * (cl->scaledScreen->bitsPerPixel / 8)));
+ if(!h || !w)
+ return TRUE; /* nothing to send */
+
/* Flush the buffer to guarantee correct alignment for translateFn(). */
if (cl->ublen > 0) {
if (!rfbSendUpdateBuf(cl))

60
SPECS/libvncserver.spec
View File

@ -1,7 +1,7 @@
Summary: Library to make writing a VNC server easy
Name: libvncserver
Version: 0.9.11
Release: 15%{?dist}.1
Release: 17%{?dist}
# NOTE: --with-filetransfer => GPLv2
License: GPLv2+
@ -45,6 +45,16 @@ Patch107: libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-v
Patch108: libvncserver-0.9.11-CVE-2017-18922.patch
# https://github.com/LibVNC/libvncserver/pull/308
Patch109: libvncserver-0.9.11-CVE-2019-20840.patch
# https://github.com/LibVNC/libvncserver/issues/291
Patch110: libvncserver-0.9.11-CVE-2019-20839.patch
# https://github.com/LibVNC/libvncserver/issues/253
Patch111: libvncserver-0.9.11-CVE-2018-21247.patch
# https://github.com/LibVNC/libvncserver/issues/275
Patch112: libvncserver-0.9.11-CVE-2020-14405.patch
# https://github.com/LibVNC/libvncserver/pull/416
Patch113: libvncserver-0.9.11-CVE-2020-14397.patch
# https://github.com/LibVNC/libvncserver/issues/409
Patch114: libvncserver-0.9.11-CVE-2020-25708.patch
BuildRequires: autoconf
BuildRequires: automake
@ -92,33 +102,7 @@ developing applications that use %{name}.
%prep
%setup -q -n %{name}-LibVNCServer-%{version}
%patch4 -p1 -b .0004
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch100 -p1 -b .system_minilzo
# Nuke bundled minilzo
#rm -fv common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c
%patch101 -p1 -b .multilib
%patch102 -p1
%if 0%{?fedora} < 26
%patch103 -p1 -b .soname
%global soname 0
%else
%global soname 1
%endif
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch107 -p1
%patch108 -p1
%patch109 -p1
%autosetup -p1 -n %{name}-LibVNCServer-%{version}
# Fix encoding
for file in ChangeLog ; do
@ -165,8 +149,8 @@ make -C test test ||:
%files
%license COPYING
%doc AUTHORS ChangeLog NEWS README TODO
%{_libdir}/libvncclient.so.%{soname}*
%{_libdir}/libvncserver.so.%{soname}*
%{_libdir}/libvncclient.so.0*
%{_libdir}/libvncserver.so.0*
%files devel
%{_bindir}/libvncserver-config
@ -178,9 +162,19 @@ make -C test test ||:
%changelog
* Tue Jul 28 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 0.9.11-15.1
- Fix NVR
Related: #1852356
* Tue Nov 24 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 0.9.11-17
- Fix CVE-2020-25708
Resolves: #1898078
* Tue Nov 03 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 0.9.11-16
- Fix CVE-2019-20839
Resolves: #1851032
- Fix CVE-2018-21247
Resolves: #1852516
- Fix CVE-2020-14405
Resolves: #1860527
- Fix CVE-2020-14397
Resolves: #1861152
* Mon Jul 27 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 0.9.11-15
- Fix CVE-2017-18922