main/libvncserver: fix CVE-2018-7225

fixes #8559
author: prspkt <prspkt@protonmail.com> 2018-04-10 18:57:57 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2018-08-08 17:50:15 +0200
commit: ef8044ed82008b70d1e6fc86b340d60d3c0d16a0 (patch)
tree: cbac18fc62a58cf25c6e4469463fcbb3c480d3f3
parent: 960c744d0dfc8cd51a8e1c7399d4b50fc829458b (diff)
download: alpine_aports-ef8044ed82008b70d1e6fc86b340d60d3c0d16a0.tar.bz2
alpine_aports-ef8044ed82008b70d1e6fc86b340d60d3c0d16a0.tar.xz
alpine_aports-ef8044ed82008b70d1e6fc86b340d60d3c0d16a0.zip
2 files changed, 70 insertions, 5 deletions
diff --git a/main/libvncserver/APKBUILD b/main/libvncserver/APKBUILD
index 33569e3adb..657b9d429d 100644
--- a/main/libvncserver/APKBUILD
+++ b/main/libvncserver/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer:
 pkgname=libvncserver
 pkgver=0.9.11
-pkgrel=0
+pkgrel=1
 pkgdesc="Library to make writing a vnc server easy"
 url="http://libvncserver.sourceforge.net/"
 arch="all"
@@ -16,8 +16,11 @@ makedepends="$depends_dev autoconf automake libtool"
 install=""
 subpackages="$pkgname-dev"
 source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz
-        "
+        CVE-2018-7225.patch"
 # secfixes:
+#   0.9.11-r1:
+#     - CVE-2018-7225
 #   0.9.11-r0:
 #     - CVE-2016-9941
 #     - CVE-2016-9942
@@ -50,6 +53,5 @@ package() {
        make install DESTDIR="$pkgdir" || return 1
 }
-md5sums="7f06104d5c009813e95142932c4ddb06  LibVNCServer-0.9.11.tar.gz"
+sha512sums="e473c081b68dd3cdd96a1756b4f4945ece79d3c8e4cef62140be1699671555fc16d3080e81d764197a14ea83203ffcd0e18c3cc182e012d036e3faae943003fb  LibVNCServer-0.9.11.tar.gz
-sha256sums="193d630372722a532136fd25c5326b2ca1a636cbb8bf9bb115ef869c804d2894  LibVNCServer-0.9.11.tar.gz"
+1704254e74aa0adca48669c28ff475bf82a9468cf31edf43c3e0d10178307a7c8ecd8a8f11c061931318a6e529922d4adc188347da1e632dc2ade604a4388706  CVE-2018-7225.patch"
-sha512sums="e473c081b68dd3cdd96a1756b4f4945ece79d3c8e4cef62140be1699671555fc16d3080e81d764197a14ea83203ffcd0e18c3cc182e012d036e3faae943003fb  LibVNCServer-0.9.11.tar.gz"
diff --git a/main/libvncserver/CVE-2018-7225.patch b/main/libvncserver/CVE-2018-7225.patch
new file mode 100644
index 0000000000..08ae206475
--- /dev/null
+++ b/main/libvncserver/CVE-2018-7225.patch
@@ -0,0 +1,63 @@
+From 28afb6c537dc82ba04d5f245b15ca7205c6dbb9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 26 Feb 2018 13:48:00 +0100
+Subject: [PATCH] Limit client cut text length to 1 MB
+This patch constrains a client cut text length to 1 MB. Otherwise
+a client could make server allocate 2 GB of memory and that seems to
+be to much to classify it as a denial of service.
+The limit also prevents from an integer overflow followed by copying
+an uninitilized memory when processing msg.cct.length value larger
+than SIZE_MAX or INT_MAX - sz_rfbClientCutTextMsg.
+This patch also corrects accepting length value of zero (malloc(0) is
+interpreted on differnet systems differently).
+CVE-2018-7225
+<https://github.com/LibVNC/libvncserver/issues/218>
+---
+ libvncserver/rfbserver.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 116c488..4fc4d9d 100644
+--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
+@@ -85,6 +88,8 @@
+ #include <errno.h>
+ /* strftime() */
+ #include <time.h>
+/* PRIu32 */
+#include <inttypes.h>
+ 
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -2577,7 +2577,23 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
+ 
+        msg.cct.length = Swap32IfLE(msg.cct.length);
+ 
+-       str = (char *)malloc(msg.cct.length);
+       /* uint32_t input is passed to malloc()'s size_t argument,
+        * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
+        * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
+        * argument. Here we impose a limit of 1 MB so that the value fits
+        * into all of the types to prevent from misinterpretation and thus
+        * from accessing uninitialized memory (CVE-2018-7225) and also to
+        * prevent from a denial-of-service by allocating to much memory in
+        * the server. */
+       if (msg.cct.length > 1<<20) {
+           rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
+                   msg.cct.length);
+           rfbCloseClient(cl);
+           return;
+       }
+
+       /* Allow zero-length client cut text. */
+       str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+        if (str == NULL) {
+                rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+                rfbCloseClient(cl);
+-- 
+2.17.0
author	prspkt <prspkt@protonmail.com>	2018-04-10 18:57:57 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2018-08-08 17:50:15 +0200
commit	ef8044ed82008b70d1e6fc86b340d60d3c0d16a0 (patch)
tree	cbac18fc62a58cf25c6e4469463fcbb3c480d3f3
parent	960c744d0dfc8cd51a8e1c7399d4b50fc829458b (diff)
download	alpine_aports-ef8044ed82008b70d1e6fc86b340d60d3c0d16a0.tar.bz2 alpine_aports-ef8044ed82008b70d1e6fc86b340d60d3c0d16a0.tar.xz alpine_aports-ef8044ed82008b70d1e6fc86b340d60d3c0d16a0.zip

diff --git a/main/libvncserver/APKBUILD b/main/libvncserver/APKBUILD index 33569e3adb..657b9d429d 100644 --- a/main/libvncserver/APKBUILD +++ b/main/libvncserver/APKBUILD
@@ -3,7 +3,7 @@
3	# Maintainer:	3	# Maintainer:
4	pkgname=libvncserver	4	pkgname=libvncserver
5	pkgver=0.9.11	5	pkgver=0.9.11
6	pkgrel=0	6	pkgrel=1
7	pkgdesc="Library to make writing a vnc server easy"	7	pkgdesc="Library to make writing a vnc server easy"
8	url="http://libvncserver.sourceforge.net/"	8	url="http://libvncserver.sourceforge.net/"
9	arch="all"	9	arch="all"
@@ -16,8 +16,11 @@ makedepends="$depends_dev autoconf automake libtool"
16	install=""	16	install=""
17	subpackages="$pkgname-dev"	17	subpackages="$pkgname-dev"
18	source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz	18	source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz
19	"	19	CVE-2018-7225.patch"
		20
20	# secfixes:	21	# secfixes:
		22	# 0.9.11-r1:
		23	# - CVE-2018-7225
21	# 0.9.11-r0:	24	# 0.9.11-r0:
22	# - CVE-2016-9941	25	# - CVE-2016-9941
23	# - CVE-2016-9942	26	# - CVE-2016-9942
@@ -50,6 +53,5 @@ package() {
50	make install DESTDIR="$pkgdir" \|\| return 1	53	make install DESTDIR="$pkgdir" \|\| return 1
51	}	54	}
52		55
53	md5sums="7f06104d5c009813e95142932c4ddb06 LibVNCServer-0.9.11.tar.gz"	56	sha512sums="e473c081b68dd3cdd96a1756b4f4945ece79d3c8e4cef62140be1699671555fc16d3080e81d764197a14ea83203ffcd0e18c3cc182e012d036e3faae943003fb LibVNCServer-0.9.11.tar.gz
54	sha256sums="193d630372722a532136fd25c5326b2ca1a636cbb8bf9bb115ef869c804d2894 LibVNCServer-0.9.11.tar.gz"	57	1704254e74aa0adca48669c28ff475bf82a9468cf31edf43c3e0d10178307a7c8ecd8a8f11c061931318a6e529922d4adc188347da1e632dc2ade604a4388706 CVE-2018-7225.patch"
55	sha512sums="e473c081b68dd3cdd96a1756b4f4945ece79d3c8e4cef62140be1699671555fc16d3080e81d764197a14ea83203ffcd0e18c3cc182e012d036e3faae943003fb LibVNCServer-0.9.11.tar.gz"


diff --git a/main/libvncserver/CVE-2018-7225.patch b/main/libvncserver/CVE-2018-7225.patch new file mode 100644 index 0000000000..08ae206475 --- /dev/null +++ b/main/libvncserver/CVE-2018-7225.patch
@@ -0,0 +1,63 @@
		1	From 28afb6c537dc82ba04d5f245b15ca7205c6dbb9c Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
		3	Date: Mon, 26 Feb 2018 13:48:00 +0100
		4	Subject: [PATCH] Limit client cut text length to 1 MB
		5
		6	This patch constrains a client cut text length to 1 MB. Otherwise
		7	a client could make server allocate 2 GB of memory and that seems to
		8	be to much to classify it as a denial of service.
		9
		10	The limit also prevents from an integer overflow followed by copying
		11	an uninitilized memory when processing msg.cct.length value larger
		12	than SIZE_MAX or INT_MAX - sz_rfbClientCutTextMsg.
		13
		14	This patch also corrects accepting length value of zero (malloc(0) is
		15	interpreted on differnet systems differently).
		16
		17	CVE-2018-7225
		18	<https://github.com/LibVNC/libvncserver/issues/218>
		19	---
		20	libvncserver/rfbserver.c \| 20 +++++++++++++++++++-
		21	1 file changed, 19 insertions(+), 1 deletion(-)
		22
		23	diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
		24	index 116c488..4fc4d9d 100644
		25	--- a/libvncserver/rfbserver.c
		26	+++ b/libvncserver/rfbserver.c
		27	@@ -85,6 +88,8 @@
		28	#include <errno.h>
		29	/* strftime() */
		30	#include <time.h>
		31	+/* PRIu32 */
		32	+#include <inttypes.h>
		33
		34	#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
		35	#include "rfbssl.h"
		36	@@ -2577,7 +2577,23 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
		37
		38	msg.cct.length = Swap32IfLE(msg.cct.length);
		39
		40	- str = (char *)malloc(msg.cct.length);
		41	+ /* uint32_t input is passed to malloc()'s size_t argument,
		42	+ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
		43	+ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
		44	+ * argument. Here we impose a limit of 1 MB so that the value fits
		45	+ * into all of the types to prevent from misinterpretation and thus
		46	+ * from accessing uninitialized memory (CVE-2018-7225) and also to
		47	+ * prevent from a denial-of-service by allocating to much memory in
		48	+ * the server. */
		49	+ if (msg.cct.length > 1<<20) {
		50	+ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
		51	+ msg.cct.length);
		52	+ rfbCloseClient(cl);
		53	+ return;
		54	+ }
		55	+
		56	+ /* Allow zero-length client cut text. */
		57	+ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
		58	if (str == NULL) {
		59	rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
		60	rfbCloseClient(cl);
		61	--
		62	2.17.0
		63