rpms/tigervnc
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928).

Browse Source 
Resolves: rhbz#1050928
This commit is contained in:
Tim Waugh 2014-03-19 12:28:35 +00:00
parent d7ee3f8932
commit 0235d7a499
2 changed files with 57 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
tigervnc-CVE-2014-0011.patch Normal file
View File

@ -0,0 +1,49 @@
diff -up tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 tigervnc-1.3.0/common/CMakeLists.txt
--- tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 2013-07-01 13:42:01.000000000 +0100
+++ tigervnc-1.3.0/common/CMakeLists.txt 2014-02-04 16:59:10.840037314 +0000
@@ -23,3 +23,6 @@ if(CMAKE_COMPILER_IS_GNUCXX AND (CMAKE_S
set_target_properties(zlib PROPERTIES COMPILE_FLAGS -fPIC)
endif()
endif()
+
+# Turn asserts on.
+set_target_properties(rdr rfb PROPERTIES COMPILE_FLAGS -UNDEBUG)
diff -up tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 tigervnc-1.3.0/common/rfb/zrleDecode.h
--- tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 2013-07-01 13:41:59.000000000 +0100
+++ tigervnc-1.3.0/common/rfb/zrleDecode.h 2014-02-04 16:17:00.881565540 +0000
@@ -25,9 +25,10 @@
// FILL_RECT - fill a rectangle with a single colour
// IMAGE_RECT - draw a rectangle of pixel data from a buffer
+#include <stdio.h>
#include <rdr/InStream.h>
#include <rdr/ZlibInStream.h>
-#include <assert.h>
+#include <rfb/Exception.h>
namespace rfb {
@@ -143,7 +144,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In
len += b;
} while (b == 255);
- assert(len <= end - ptr);
+ if (end - ptr < len) {
+ fprintf (stderr, "ZRLE decode error\n");
+ throw Exception ("ZRLE decode error");
+ }
#ifdef FAVOUR_FILL_RECT
int i = ptr - buf;
@@ -193,7 +197,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In
len += b;
} while (b == 255);
- assert(len <= end - ptr);
+ if (end - ptr < len) {
+ fprintf (stderr, "ZRLE decode error\n");
+ throw Exception ("ZRLE decode error");
+ }
}
index &= 127;

9
tigervnc.spec
View File

@ -1,6 +1,6 @@
Name: tigervnc Name: tigervnc
Version: 1.3.0 Version: 1.3.0
Release: 14%{?dist} Release: 15%{?dist}
Summary: A TigerVNC remote display system Summary: A TigerVNC remote display system
%global _hardened_build 1 %global _hardened_build 1
@ -53,6 +53,7 @@ Patch11: tigervnc-format-security.patch
Patch12: tigervnc-zrle-crash.patch Patch12: tigervnc-zrle-crash.patch
Patch13: tigervnc-cursor.patch Patch13: tigervnc-cursor.patch
Patch14: tigervnc-xstartup.patch Patch14: tigervnc-xstartup.patch
Patch15: tigervnc-CVE-2014-0011.patch
%description %description
Virtual Network Computing (VNC) is a remote display system which Virtual Network Computing (VNC) is a remote display system which
@ -189,6 +190,9 @@ popd
# Clearer xstartup file (bug #923655). # Clearer xstartup file (bug #923655).
%patch14 -p1 -b .xstartup %patch14 -p1 -b .xstartup
# Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928).
%patch15 -p1 -b .CVE-2014-0011
%build %build
%ifarch sparcv9 sparc64 s390 s390x %ifarch sparcv9 sparc64 s390 s390x
export CFLAGS="$RPM_OPT_FLAGS -fPIC" export CFLAGS="$RPM_OPT_FLAGS -fPIC"
@ -361,6 +365,9 @@ fi
%{_datadir}/icons/hicolor/*/apps/* %{_datadir}/icons/hicolor/*/apps/*
%changelog %changelog
* Wed Mar 19 2014 Tim Waugh <twaugh@redhat.com> 1.3.0-15
- Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928).
* Fri Feb 21 2014 Tim Waugh <twaugh@redhat.com> 1.3.0-14 * Fri Feb 21 2014 Tim Waugh <twaugh@redhat.com> 1.3.0-14
- Enabled hardened build (bug #955206). - Enabled hardened build (bug #955206).