/ssvnc/trunk/debian/patches/libvncclient_CVE-2018-20020.patch |
---|
0,0 → 1,22 |
Description: CVE-2018-20020 |
heap out-of-bound write vulnerability inside structure in VNC client code that |
can result remote code execution |
--- |
Author: Abhijith PA <abhijith@debian.org> |
Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d |
Bug: https://github.com/LibVNC/libvncserver/issues/250 |
Bug-Debian: https://bugs.debian.org/916941 |
Last-Update: 2018-12-23 |
--- a/vnc_unixsrc/vncviewer/corre.c |
+++ b/vnc_unixsrc/vncviewer/corre.c |
@@ -76,7 +76,7 @@ |
FillRectangle(rx, ry, rw, rh, gcv.foreground); |
#endif |
- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) |
+ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) |
return False; |
ptr = (CARD8 *)buffer; |
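Review bot: The new bound on `hdr.nSubrects` shares one condition and one `return False` with the read itself, so a server-supplied count that is out of range cannot be told apart from an ordinary socket failure, and nothing at the site explains why the test divides. I would split it into its own guard, `if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8))) return False;`, with the comment `/* reject counts whose payload would not fit in buffer; dividing avoids 32-bit wraparound in the multiplication below */`. The fix was written upstream against libvncclient, and the declaration of `buffer` is outside this hunk, so it is worth confirming that `BUFFER_SIZE` is the real size of `buffer` in this tree. The enclosing function starts and ends outside the hunk.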
/ssvnc/trunk/debian/patches/libvncclient_CVE-2018-20021.patch |
---|
0,0 → 1,22 |
Description: CVE-2018-20021 |
CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows |
attacker to consume excessive amount of resources like CPU and RAM |
--- |
Author: Abhijith PA <abhijith@debian.org> |
Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c |
Bug: https://github.com/LibVNC/libvncserver/issues/251 |
Bug-Debian: https://bugs.debian.org/916941 |
Last-Update: 2018-12-23 |
--- a/vnc_unixsrc/vncviewer/rfbproto.c |
+++ b/vnc_unixsrc/vncviewer/rfbproto.c |
@@ -3156,7 +3156,7 @@ |
if (db) fprintf(stderr, "Raw: %dx%d+%d+%d\n", rect.r.w, rect.r.h, rect.r.x, rect.r.y); |
area_raw += rect.r.w * rect.r.h; |
- while (rect.r.h > 0) { |
+ while (linesToRead && rect.r.h > 0) { |
if (linesToRead > rect.r.h) { |
linesToRead = rect.r.h; |
} |
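Review bot: When `linesToRead` is 0 the patched `while` is skipped entirely, so the raw rectangle's pixel data appears to stay unread on the socket while the function carries on as if the rectangle had been handled. Whatever is parsed next would then be server-controlled pixel bytes interpreted as protocol messages. Failing closed right after `linesToRead` is computed (outside this hunk) would be safer, e.g. `if (linesToRead == 0) return False;`, ideally with a diagnostic on stderr like the `Raw:` debug line above. This is inferred from the visible lines only, since the code after the loop is not shown.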
/ssvnc/trunk/debian/patches/libvncclient_CVE-2018-20022.patch |
---|
0,0 → 1,31 |
Description: CVE-2018-20022 |
multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC |
client code that allows attacker to read stack memory and can be abuse for |
information disclosure. Combined with another vulnerability, it can be used |
to leak stack memory layout and in bypassing ASLR |
--- |
Author: Abhijith PA <abhijith@debian.org> |
Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 |
Bug: https://github.com/LibVNC/libvncserver/issues/252 |
Bug-Debian: https://bugs.debian.org/916941 |
Last-Update: 2018-12-23 |
--- a/vnc_unixsrc/vncviewer/rfbproto.c |
+++ b/vnc_unixsrc/vncviewer/rfbproto.c |
@@ -2447,6 +2447,7 @@ |
} |
} |
+ memset(&ke, 0, sizeof(ke)); |
ke.type = rfbKeyEvent; |
ke.down = down ? 1 : 0; |
ke.key = Swap32IfLE(key); |
@@ -2480,6 +2481,7 @@ |
return True; |
} |
+ memset(&cct, 0, sizeof(cct)); |
cct.type = rfbClientCutText; |
cct.length = Swap32IfLE((unsigned int) len); |
currentMsg = rfbClientCutText; |
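Review bot: Only the key-event and cut-text senders are zeroed here, and neither `memset` carries a comment saying why it is needed, so a later cleanup could remove them as redundant. I would add `/* clear padding so uninitialised stack bytes are not sent to the server */` above each call. The other functions in rfbproto.c that build a message struct on the stack and write it to the socket are outside these hunks. They are worth auditing for the same pattern, because any message with a pad field that is assigned member by member discloses stack contents the same way. Both enclosing functions start and end outside the hunks.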
/ssvnc/trunk/debian/patches/libvncclient_CVE-2018-20024.patch |
---|
0,0 → 1,43 |
Description: CVE-2018-20024 |
null pointer dereference in VNC client code that can result DoS. |
--- |
Author: Abhijith PA <abhijith@debian.org> |
Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 |
Bug: https://github.com/LibVNC/libvncserver/issues/254 |
Bug-Debian: https://bugs.debian.org/916941 |
Last-Update: 2018-12-23 |
[sunweaver] Investigate CVE-2018-20024 in ssvnc and find similar issues in zrle.c and zlib.c. |
The ultra.c code that this has originally been reported against is not present in |
ssvnc. |
--- a/vnc_unixsrc/vncviewer/zlib.c |
+++ b/vnc_unixsrc/vncviewer/zlib.c |
@@ -55,6 +55,11 @@ |
raw_buffer_size = (( rw * rh ) * ( BPP / 8 )); |
raw_buffer = (char*) malloc( raw_buffer_size ); |
+ if (raw_buffer == NULL) { |
+ |
+ return False; |
+ |
+ } |
} |
if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader)) |
--- a/vnc_unixsrc/vncviewer/zrle.c |
+++ b/vnc_unixsrc/vncviewer/zrle.c |
@@ -132,6 +132,12 @@ |
raw_buffer_size = min_buffer_size; |
raw_buffer = (char*) malloc( raw_buffer_size ); |
+ if ( raw_buffer == NULL ) { |
+ |
+ return False; |
+ |
+ } |
+ |
} |
if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader)) |
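Review bot: On allocation failure both hunks return with `raw_buffer` set to NULL while `raw_buffer_size` already holds the new, larger size. If the decoder is entered again after the `False` return (not visible here), the size comparison guarding the reallocation would pass and the NULL buffer would be used, which is the dereference this patch is meant to prevent. Adding `raw_buffer_size = 0;` before `return False;` in both zlib.c and zrle.c keeps the two variables consistent. Separately, `( rw * rh ) * ( BPP / 8 )` in zlib.c is computed from what look like server-supplied dimensions, and the NULL check does not cover a product that wraps to a small value. A range check before the multiplication would be needed for that, if the types and limits outside the hunk allow it.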
/ssvnc/trunk/debian/patches/series |
---|
6,3 → 6,7 |
openssl1.1.patch |
auto-scale.patch |
samemachine_ip6_overflow.patch |
libvncclient_CVE-2018-20020.patch |
libvncclient_CVE-2018-20021.patch |
libvncclient_CVE-2018-20022.patch |
libvncclient_CVE-2018-20024.patch |