From c2263a87d88b844a40ed28bdff1ad735e46ab9e9 Mon Sep 17 00:00:00 2001
From: Adam Tkac
Date: Tue, 10 May 2011 11:54:44 +0200
Subject: [PATCH] Viewer can send password without proper validation of X.509 certs (CVE-2011-1775).
Signed-off-by: Adam Tkac
---
 tigervnc.spec | 9 ++++++++-
 tigervnc11-CVE-2011-1775.patch | 22 ++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 tigervnc11-CVE-2011-1775.patch
diff --git a/tigervnc.spec b/tigervnc.spec
index 16e5f59..d362482 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -1,6 +1,6 @@
 Name: tigervnc
 Version: 1.0.90
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: A TigerVNC remote display system
 Group: User Interface/Desktops
@@ -46,6 +46,7 @@ Patch11: tigervnc11-gethomedir.patch
 Patch12: tigervnc11-glx.patch
 Patch13: tigervnc11-rh692048.patch
 Patch14: 0001-Use-memmove-instead-of-memcpy-in-fbblt.c-when-memory.patch
+Patch15: tigervnc11-CVE-2011-1775.patch
 %description
 Virtual Network Computing (VNC) is a remote display system which
@@ -144,6 +145,8 @@ patch -p1 -b --suffix .vnc < %{SOURCE7}
 %patch14 -p1 -b .memcpy
 popd
+%patch15 -p0 -b .CVE-2011-1775
+
 # Use newer gettext
 sed -i 's/AM_GNU_GETTEXT_VERSION.*/AM_GNU_GETTEXT_VERSION([0.18.1])/' \
 configure.ac
@@ -304,6 +307,10 @@ fi
 %doc LICENCE.TXT
 %changelog
+* Tue May 10 2011 Adam Tkac - 1.0.90-4
+- viewer can send password without proper validation of X.509 certs
+ (CVE-2011-1775)
+
 * Wed Apr 13 2011 Adam Tkac - 1.0.90-3
 - fix wrong usage of memcpy which caused screen artifacts (#652590)
 - don't point to inaccessible link in sysconfig/vncservers (#644975)
diff --git a/tigervnc11-CVE-2011-1775.patch b/tigervnc11-CVE-2011-1775.patch
new file mode 100644
index 0000000..69fbaa5
--- /dev/null
+++ b/tigervnc11-CVE-2011-1775.patch
@@ -0,0 +1,22 @@
+Index: common/rfb/CSecurityTLS.cxx
+===================================================================
+--- common/rfb/CSecurityTLS.cxx (revision 4399)
++++ common/rfb/CSecurityTLS.cxx (revision 4400)
+@@ -171,8 +171,15 @@
+ if (!is->checkNoWait(1))
+ return false;
+
+- if (is->readU8() == 0)
+- return true;
++ if (is->readU8() == 0) {
++ rdr::U32 result = is->readU32();
++ CharArray reason;
++ if (result == secResultFailed || result == secResultTooMany)
++ reason.buf = is->readString();
++ else
++ reason.buf = strDup("Authentication failure (protocol error)");
++ throw AuthFailureException(reason.buf);
++ }
+
+ if (gnutls_init(&session, GNUTLS_CLIENT) != GNUTLS_E_SUCCESS)
+ throw AuthFailureException("gnutls_init failed");
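Review bot: In the embedded CSecurityTLS.cxx change, the new `readU8() == 0` branch calls `is->readU32()` and possibly `is->readString()`, although the guard above it, `is->checkNoWait(1)`, only establishes that a single byte is available. If those reads wait for the remaining bytes (the stream class is not visible here), the branch no longer follows the `return false` retry pattern used just before it, so it is worth confirming that this is intended. The reason string comes from a server that has not been authenticated at this point, so whatever displays or logs the `AuthFailureException` message should treat it as untrusted, length-bounded text. I would also add a comment on the branch so the old `return true` is not reintroduced, e.g. `// Zero status byte: fail the handshake; returning true here let the viewer go on to send the password without X.509 validation (CVE-2011-1775)`. The enclosing function starts and ends outside the hunk.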