rpms/tigervnc
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928).

Browse Source 
Resolves: rhbz#1050928
This commit is contained in:
Tim Waugh 2014-03-19 12:31:34 +00:00
parent 372fc5f067
commit e38dd7e00e
2 changed files with 57 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
tigervnc-CVE-2014-0011.patch Normal file
View File

@ -0,0 +1,49 @@
diff -up tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 tigervnc-1.3.0/common/CMakeLists.txt
--- tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 2013-07-01 13:42:01.000000000 +0100
+++ tigervnc-1.3.0/common/CMakeLists.txt 2014-02-04 16:59:10.840037314 +0000
@@ -23,3 +23,6 @@ if(CMAKE_COMPILER_IS_GNUCXX AND (CMAKE_S
set_target_properties(zlib PROPERTIES COMPILE_FLAGS -fPIC)
endif()
endif()
+
+# Turn asserts on.
+set_target_properties(rdr rfb PROPERTIES COMPILE_FLAGS -UNDEBUG)
diff -up tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 tigervnc-1.3.0/common/rfb/zrleDecode.h
--- tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 2013-07-01 13:41:59.000000000 +0100
+++ tigervnc-1.3.0/common/rfb/zrleDecode.h 2014-02-04 16:17:00.881565540 +0000
@@ -25,9 +25,10 @@
// FILL_RECT - fill a rectangle with a single colour
// IMAGE_RECT - draw a rectangle of pixel data from a buffer
+#include <stdio.h>
#include <rdr/InStream.h>
#include <rdr/ZlibInStream.h>
-#include <assert.h>
+#include <rfb/Exception.h>
namespace rfb {
@@ -143,7 +144,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In
len += b;
} while (b == 255);
- assert(len <= end - ptr);
+ if (end - ptr < len) {
+ fprintf (stderr, "ZRLE decode error\n");
+ throw Exception ("ZRLE decode error");
+ }
#ifdef FAVOUR_FILL_RECT
int i = ptr - buf;
@@ -193,7 +197,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In
len += b;
} while (b == 255);
- assert(len <= end - ptr);
+ if (end - ptr < len) {
+ fprintf (stderr, "ZRLE decode error\n");
+ throw Exception ("ZRLE decode error");
+ }
}
index &= 127;

9
tigervnc.spec
View File

@ -1,6 +1,6 @@
Name: tigervnc Name: tigervnc
Version: 1.3.0 Version: 1.3.0
Release: 13%{?dist} Release: 14%{?dist}
Summary: A TigerVNC remote display system Summary: A TigerVNC remote display system
Group: User Interface/Desktops Group: User Interface/Desktops
@ -50,6 +50,7 @@ Patch10: tigervnc-1.3.0-xserver-1.15.patch
Patch11: tigervnc-format-security.patch Patch11: tigervnc-format-security.patch
Patch12: tigervnc-zrle-crash.patch Patch12: tigervnc-zrle-crash.patch
Patch13: tigervnc-cursor.patch Patch13: tigervnc-cursor.patch
Patch14: tigervnc-CVE-2014-0011.patch
%description %description
Virtual Network Computing (VNC) is a remote display system which Virtual Network Computing (VNC) is a remote display system which
@ -183,6 +184,9 @@ popd
# Fixed viewer crash when cursor has not been set (bug #1038701). # Fixed viewer crash when cursor has not been set (bug #1038701).
%patch13 -p1 -b .cursor %patch13 -p1 -b .cursor
# Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928).
%patch14 -p1 -b .CVE-2014-0011
%build %build
%ifarch sparcv9 sparc64 s390 s390x %ifarch sparcv9 sparc64 s390 s390x
export CFLAGS="$RPM_OPT_FLAGS -fPIC" export CFLAGS="$RPM_OPT_FLAGS -fPIC"
@ -355,6 +359,9 @@ fi
%{_datadir}/icons/hicolor/*/apps/* %{_datadir}/icons/hicolor/*/apps/*
%changelog %changelog
* Wed Mar 19 2014 Tim Waugh <twaugh@redhat.com> 1.3.0-14
- Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928).
* Mon Feb 10 2014 Tim Waugh <twaugh@redhat.com> 1.3.0-13 * Mon Feb 10 2014 Tim Waugh <twaugh@redhat.com> 1.3.0-13
- Clearer xstartup file (bug #923655). - Clearer xstartup file (bug #923655).