Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928).

Resolves: rhbz#1050928
2014-03-19 12:31:34 +00:00 · 2014-03-19 12:31:34 +00:00 · e38dd7e00e
commit e38dd7e00e
parent 372fc5f067
2 changed files with 57 additions and 1 deletions
--- a/tigervnc-CVE-2014-0011.patch
+++ b/tigervnc-CVE-2014-0011.patch
@ -0,0 +1,49 @@
+diff -up tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 tigervnc-1.3.0/common/CMakeLists.txt
+--- tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011	2013-07-01 13:42:01.000000000 +0100
+++ tigervnc-1.3.0/common/CMakeLists.txt	2014-02-04 16:59:10.840037314 +0000
+@@ -23,3 +23,6 @@ if(CMAKE_COMPILER_IS_GNUCXX AND (CMAKE_S
+     set_target_properties(zlib PROPERTIES COMPILE_FLAGS -fPIC)
+   endif()
+ endif()
+
+# Turn asserts on.
+set_target_properties(rdr rfb PROPERTIES COMPILE_FLAGS -UNDEBUG)
+diff -up tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 tigervnc-1.3.0/common/rfb/zrleDecode.h
+--- tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011	2013-07-01 13:41:59.000000000 +0100
+++ tigervnc-1.3.0/common/rfb/zrleDecode.h	2014-02-04 16:17:00.881565540 +0000
+@@ -25,9 +25,10 @@
+ // FILL_RECT          - fill a rectangle with a single colour
+ // IMAGE_RECT         - draw a rectangle of pixel data from a buffer
+ 
+#include <stdio.h>
+ #include <rdr/InStream.h>
+ #include <rdr/ZlibInStream.h>
+-#include <assert.h>
+#include <rfb/Exception.h>
+ 
+ namespace rfb {
+ 
+@@ -143,7 +144,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In
+               len += b;
+             } while (b == 255);
+ 
+-            assert(len <= end - ptr);
+	    if (end - ptr < len) {
+	      fprintf (stderr, "ZRLE decode error\n");
+	      throw Exception ("ZRLE decode error");
+	    }
+ 
+ #ifdef FAVOUR_FILL_RECT
+             int i = ptr - buf;
+@@ -193,7 +197,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In
+                 len += b;
+               } while (b == 255);
+ 
+-              assert(len <= end - ptr);
+	      if (end - ptr < len) {
+		fprintf (stderr, "ZRLE decode error\n");
+		throw Exception ("ZRLE decode error");
+	      }
+             }
+ 
+             index &= 127;
--- a/tigervnc.spec
+++ b/tigervnc.spec
@ -1,6 +1,6 @@
 Name:		tigervnc
 Version:	1.3.0
-Release:	13%{?dist}
+Release:	14%{?dist}
 Summary:	A TigerVNC remote display system

 Group:		User Interface/Desktops
@ -50,6 +50,7 @@ Patch10:	tigervnc-1.3.0-xserver-1.15.patch
 Patch11:	tigervnc-format-security.patch
 Patch12:	tigervnc-zrle-crash.patch
 Patch13:	tigervnc-cursor.patch
+Patch14:	tigervnc-CVE-2014-0011.patch

 %description
 Virtual Network Computing (VNC) is a remote display system which
@ -183,6 +184,9 @@ popd
 # Fixed viewer crash when cursor has not been set (bug #1038701).
 %patch13 -p1 -b .cursor

+# Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928).
+%patch14 -p1 -b .CVE-2014-0011
+
 %build
 %ifarch sparcv9 sparc64 s390 s390x
 export CFLAGS="$RPM_OPT_FLAGS -fPIC"
@ -355,6 +359,9 @@ fi
 %{_datadir}/icons/hicolor/*/apps/*

 %changelog
+* Wed Mar 19 2014 Tim Waugh <twaugh@redhat.com> 1.3.0-14
+- Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928).
+
 * Mon Feb 10 2014 Tim Waugh <twaugh@redhat.com> 1.3.0-13
 - Clearer xstartup file (bug #923655).