author | prspkt <prspkt@protonmail.com> | 2018-04-10 18:57:57 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-08-08 17:50:15 +0200 |
commit | ef8044ed82008b70d1e6fc86b340d60d3c0d16a0 (patch) | |
tree | cbac18fc62a58cf25c6e4469463fcbb3c480d3f3 | |
parent | 960c744d0dfc8cd51a8e1c7399d4b50fc829458b (diff) | |
main/libvncserver: fix CVE-2018-7225
fixes #8559
-rw-r--r-- | main/libvncserver/APKBUILD | 12 | ||||
-rw-r--r-- | main/libvncserver/CVE-2018-7225.patch | 63 |
2 files changed, 70 insertions, 5 deletions
diff --git a/main/libvncserver/APKBUILD b/main/libvncserver/APKBUILD index 33569e3adb..657b9d429d 100644 --- a/main/libvncserver/APKBUILD +++ b/main/libvncserver/APKBUILD | |||
@@ -3,7 +3,7 @@ | |||
3 | # Maintainer: | 3 | # Maintainer: |
4 | pkgname=libvncserver | 4 | pkgname=libvncserver |
5 | pkgver=0.9.11 | 5 | pkgver=0.9.11 |
6 | pkgrel=0 | 6 | pkgrel=1 |
7 | pkgdesc="Library to make writing a vnc server easy" | 7 | pkgdesc="Library to make writing a vnc server easy" |
8 | url="http://libvncserver.sourceforge.net/" | 8 | url="http://libvncserver.sourceforge.net/" |
9 | arch="all" | 9 | arch="all" |
@@ -16,8 +16,11 @@ makedepends="$depends_dev autoconf automake libtool" | |||
16 | install="" | 16 | install="" |
17 | subpackages="$pkgname-dev" | 17 | subpackages="$pkgname-dev" |
18 | source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz | 18 | source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz |
19 | " | 19 | CVE-2018-7225.patch" |
20 | |||
20 | # secfixes: | 21 | # secfixes: |
22 | # 0.9.11-r1: | ||
23 | # - CVE-2018-7225 | ||
21 | # 0.9.11-r0: | 24 | # 0.9.11-r0: |
22 | # - CVE-2016-9941 | 25 | # - CVE-2016-9941 |
23 | # - CVE-2016-9942 | 26 | # - CVE-2016-9942 |
@@ -50,6 +53,5 @@ package() { | |||
50 | make install DESTDIR="$pkgdir" || return 1 | 53 | make install DESTDIR="$pkgdir" || return 1 |
51 | } | 54 | } |
52 | 55 | ||
53 | md5sums="7f06104d5c009813e95142932c4ddb06 LibVNCServer-0.9.11.tar.gz" | 56 | sha512sums="e473c081b68dd3cdd96a1756b4f4945ece79d3c8e4cef62140be1699671555fc16d3080e81d764197a14ea83203ffcd0e18c3cc182e012d036e3faae943003fb LibVNCServer-0.9.11.tar.gz |
54 | sha256sums="193d630372722a532136fd25c5326b2ca1a636cbb8bf9bb115ef869c804d2894 LibVNCServer-0.9.11.tar.gz" | 57 | 1704254e74aa0adca48669c28ff475bf82a9468cf31edf43c3e0d10178307a7c8ecd8a8f11c061931318a6e529922d4adc188347da1e632dc2ade604a4388706 CVE-2018-7225.patch" |
55 | sha512sums="e473c081b68dd3cdd96a1756b4f4945ece79d3c8e4cef62140be1699671555fc16d3080e81d764197a14ea83203ffcd0e18c3cc182e012d036e3faae943003fb LibVNCServer-0.9.11.tar.gz" | ||
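Review bot: No `prepare()` applying the new `CVE-2018-7225.patch` is visible in this section, so it is worth confirming the patch is actually applied and not just downloaded and checksummed. If this APKBUILD predates abuild's `default_prepare` (the legacy `|| return 1` style in `package()` hints that it may), an explicit `patch -p1 -i "$srcdir"/CVE-2018-7225.patch` in `prepare()` is required, otherwise the rebuilt package would carry the secfixes entry without the fix. The `0.9.11-r1` secfixes entry, the pkgrel bump and the move to sha512sums only look correct; the `build()`/`prepare()` part of the file lies outside the hunks shown.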
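--- /dev/null
+++ b/main/libvncserver/CVE-2018-7225.patch
@@ -0,0 +1,63 @@
+From 28afb6c537dc82ba04d5f245b15ca7205c6dbb9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 26 Feb 2018 13:48:00 +0100
+Subject: [PATCH] Limit client cut text length to 1 MB
+
+This patch constrains a client cut text length to 1 MB. Otherwise
+a client could make server allocate 2 GB of memory and that seems to
+be to much to classify it as a denial of service.
+
+The limit also prevents from an integer overflow followed by copying
+an uninitilized memory when processing msg.cct.length value larger
+than SIZE_MAX or INT_MAX - sz_rfbClientCutTextMsg.
+
+This patch also corrects accepting length value of zero (malloc(0) is
+interpreted on differnet systems differently).
+
+CVE-2018-7225
+<https://github.com/LibVNC/libvncserver/issues/218>
+---
+libvncserver/rfbserver.c | 20 +++++++++++++++++++-
+1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 116c488..4fc4d9d 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -85,6 +88,8 @@
+#include <errno.h>
+/* strftime() */
+#include <time.h>
++/* PRIu32 */
++#include <inttypes.h>
+
+#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+#include "rfbssl.h"
+@@ -2577,7 +2577,23 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
+
+msg.cct.length = Swap32IfLE(msg.cct.length);
+
+- str = (char *)malloc(msg.cct.length);
++ /* uint32_t input is passed to malloc()'s size_t argument,
++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
++ * argument. Here we impose a limit of 1 MB so that the value fits
++ * into all of the types to prevent from misinterpretation and thus
++ * from accessing uninitialized memory (CVE-2018-7225) and also to
++ * prevent from a denial-of-service by allocating to much memory in
++ * the server. */
++ if (msg.cct.length > 1<<20) {
++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
++ msg.cct.length);
++ rfbCloseClient(cl);
++ return;
++ }
++
++ /* Allow zero-length client cut text. */
++ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+if (str == NULL) {
+rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+rfbCloseClient(cl);
+--
+2.17.0
+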
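Review bot: The hunk headers inside the embedded patch are internally inconsistent — the first is `@@ -85,6 +88,8 @@` with no earlier hunk to account for a +3 offset, and the second is `@@ -2577,7 +2577,23 @@` even though two lines were inserted above it — which suggests the line numbers were hand-edited when backporting upstream 28afb6c to 0.9.11; patch(1) treats offsets as hints so it will still apply, but regenerating the patch against the 0.9.11 tree would avoid fuzz/offset warnings and keep provenance auditable. The bound itself is sound: a uint32_t capped at `1<<20` fits every narrower int/size_t consumer the comment lists, and `calloc(len ? len : 1, 1)` sidesteps the implementation-defined malloc(0). Two smaller points: the literal `1<<20` would read better as a named constant such as `#define rfbClientCutTextMaxLen (1<<20)` used in both the check and the log message, and the buffer is sized at exactly `length` bytes with no terminator, so whether any `setXCutText` callback treats it as a C string cannot be confirmed here. The remainder of the rfbClientCutText handler (the `rfbReadExact` into `str`, the callback and the `free`) lies outside the hunk.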