libvncserver: fix CVE-2018-7225
		
							
								
								
									
										61
									
								
								srcpkgs/libvncserver/patches/CVE-2018-7225.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										61
									
								
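--- /dev/null
+++ b/srcpkgs/libvncserver/patches/CVE-2018-7225.patch
@@ -0,0 +1,61 @@
+From 28afb6c537dc82ba04d5f245b15ca7205c6dbb9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 26 Feb 2018 13:48:00 +0100
+Subject: [PATCH] Limit client cut text length to 1 MB
+
+This patch constrains a client cut text length to 1 MB. Otherwise
+a client could make server allocate 2 GB of memory and that seems to
+be to much to classify it as a denial of service.
+
+The limit also prevents from an integer overflow followed by copying
+an uninitilized memory when processing msg.cct.length value larger
+than SIZE_MAX or INT_MAX - sz_rfbClientCutTextMsg.
+
+This patch also corrects accepting length value of zero (malloc(0) is
+interpreted on differnet systems differently).
+
+CVE-2018-7225
+<https://github.com/LibVNC/libvncserver/issues/218>
+---
+ libvncserver/rfbserver.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 116c4889..4fc4d9d5 100644
+--- libvncserver/rfbserver.c
++++ libvncserver/rfbserver.c
+@@ -88,6 +88,8 @@
+ #include <errno.h>
+ /* strftime() */
+ #include <time.h>
++/* PRIu32 */
++#include <inttypes.h>
+ 
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -2575,7 +2577,23 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
+ 
+ 	msg.cct.length = Swap32IfLE(msg.cct.length);
+ 
+-	str = (char *)malloc(msg.cct.length);
++	/* uint32_t input is passed to malloc()'s size_t argument,
++	 * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++	 * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
++	 * argument. Here we impose a limit of 1 MB so that the value fits
++	 * into all of the types to prevent from misinterpretation and thus
++	 * from accessing uninitialized memory (CVE-2018-7225) and also to
++	 * prevent from a denial-of-service by allocating to much memory in
++	 * the server. */
++	if (msg.cct.length > 1<<20) {
++	    rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
++		    msg.cct.length);
++	    rfbCloseClient(cl);
++	    return;
++	}
++
++	/* Allow zero-length client cut text. */
++	str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+ 	if (str == NULL) {
+ 		rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+ 		rfbCloseClient(cl);
+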
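Review bot: The 1 MB ceiling in `if (msg.cct.length > 1<<20) {` is a bare shift expression in the condition, while the patch's block comment and the rfbLog message both describe it in words; a named constant such as `#define MAX_CLIENT_CUT_TEXT_LEN (1<<20)` (name constructed here) declared beside the check would keep the bound, the comment and the message in one place if it is ever tuned. The block comment justifies the bound by the int-typed rfbReadExact(), rfbStatRecordMessageRcvd() and setXCutText() parameters, but those calls and the rest of rfbProcessClientNormalMessage lie outside this hunk, so the claim that the value fits all of them cannot be checked from the page. As this is a carried upstream patch rather than Void-authored code, the constant is better proposed upstream than as a local divergence.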
| @@ -1,15 +1,15 @@ | ||||
| # Template file for 'libvncserver' | ||||
| pkgname=libvncserver | ||||
| version=0.9.11 | ||||
| revision=4 | ||||
| revision=5 | ||||
| wrksrc="libvncserver-LibVNCServer-${version}" | ||||
| build_style=gnu-configure | ||||
| hostmakedepends="automake libtool pkg-config" | ||||
| makedepends="zlib-devel libjpeg-turbo-devel libpng-devel libressl-devel gnutls-devel" | ||||
| short_desc="C libraries to easily implement VNC server or client functionality" | ||||
| maintainer="Juan RP <xtraeme@voidlinux.eu>" | ||||
| license="GPL-2.0-or-later" | ||||
| homepage="https://libvnc.github.io/" | ||||
| license="GPL-2" | ||||
| distfiles="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-${version}.tar.gz" | ||||
| checksum=193d630372722a532136fd25c5326b2ca1a636cbb8bf9bb115ef869c804d2894 | ||||
|  | ||||
|   | ||||
	 maxice8
					maxice8