Subversion Repositories ssvnc

Compare Revisions

Rev 55 → Rev 56

/ssvnc/trunk/debian/changelog
1,3 → 1,15
ssvnc (1.0.29-5) unstable; urgency=high
 
* Porting of libvncclient security patches by the jessie LTS team
(Closes: #945827):
- CVE-2018-20020: heap out-of-bound write vulnerability inside structure
in VNC client code.
- CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
- CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
- CVE-2018-20024: null pointer dereference that can result DoS.
 
-- Magnus Holmgren <holmgren@debian.org> Mon, 16 Dec 2019 19:07:55 +0100
 
ssvnc (1.0.29-4) unstable; urgency=low
 
* default-jdk-headless is enough to build.
/ssvnc/trunk/debian/control
6,7 → 6,7
libxmu-dev, libxext-dev, libxt-dev, libsm-dev, libice-dev,
libjpeg-dev, zlib1g-dev | libz-dev,
default-jdk-headless, libssl-dev, dh-strip-nondeterminism
Standards-Version: 3.9.8
Standards-Version: 4.1.4
Homepage: http://www.karlrunge.com/x11vnc/ssvnc.html
 
Package: ssvnc
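Review bot: The Standards-Version line in debian/control changes between 3.9.8 and 4.1.4 in this revision, but the 1.0.29-5 changelog entry lists only the ported CVE patches. Add a changelog line for the Standards-Version change, or keep it out of an urgency=high security upload so the upload contains nothing but the fixes.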
/ssvnc/trunk/debian/patches/libvncclient_CVE-2018-20020.patch
0,0 → 1,22
Description: CVE-2018-20020
heap out-of-bound write vulnerability inside structure in VNC client code that
can result remote code execution
---
 
Author: Abhijith PA <abhijith@debian.org>
Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
Bug: https://github.com/LibVNC/libvncserver/issues/250
Bug-Debian: https://bugs.debian.org/916941
Last-Update: 2018-12-23
 
--- a/vnc_unixsrc/vncviewer/corre.c
+++ b/vnc_unixsrc/vncviewer/corre.c
@@ -76,7 +76,7 @@
FillRectangle(rx, ry, rw, rh, gcv.foreground);
#endif
- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
return False;
ptr = (CARD8 *)buffer;
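Review bot: In the corre.c condition, the bound is tested against BUFFER_SIZE / (4 + (BPP / 8)) and the read length is computed separately as hdr.nSubrects * (4 + (BPP / 8)), so the safety of the read depends on the || evaluation order and on the two copies of the per-subrect size staying identical. Consider computing the per-subrect size once in a local and testing the bound in its own if before the ReadFromRFBServer call, with a message to stderr, so that a rejected subrectangle count can be told apart from a failed read; both currently end in the same return False.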
/ssvnc/trunk/debian/patches/libvncclient_CVE-2018-20021.patch
0,0 → 1,22
Description: CVE-2018-20021
CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows
attacker to consume excessive amount of resources like CPU and RAM
---
 
Author: Abhijith PA <abhijith@debian.org>
Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
Bug: https://github.com/LibVNC/libvncserver/issues/251
Bug-Debian: https://bugs.debian.org/916941
Last-Update: 2018-12-23
 
--- a/vnc_unixsrc/vncviewer/rfbproto.c
+++ b/vnc_unixsrc/vncviewer/rfbproto.c
@@ -3156,7 +3156,7 @@
if (db) fprintf(stderr, "Raw: %dx%d+%d+%d\n", rect.r.w, rect.r.h, rect.r.x, rect.r.y);
area_raw += rect.r.w * rect.r.h;
- while (rect.r.h > 0) {
+ while (linesToRead && rect.r.h > 0) {
if (linesToRead > rect.r.h) {
linesToRead = rect.r.h;
}
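Review bot: With the new loop condition, linesToRead == 0 makes the Raw branch skip the loop entirely, and nothing in the visible lines reports that as an error, so a rectangle with rect.r.h > 0 is left unread while area_raw has already been increased for it. Suggest testing linesToRead == 0 before the loop and returning False there with a stderr message, rather than folding the case into the while condition.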
/ssvnc/trunk/debian/patches/libvncclient_CVE-2018-20022.patch
0,0 → 1,31
Description: CVE-2018-20022
multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC
client code that allows attacker to read stack memory and can be abuse for
information disclosure. Combined with another vulnerability, it can be used
to leak stack memory layout and in bypassing ASLR
---
 
Author: Abhijith PA <abhijith@debian.org>
Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
Bug: https://github.com/LibVNC/libvncserver/issues/252
Bug-Debian: https://bugs.debian.org/916941
Last-Update: 2018-12-23
 
--- a/vnc_unixsrc/vncviewer/rfbproto.c
+++ b/vnc_unixsrc/vncviewer/rfbproto.c
@@ -2447,6 +2447,7 @@
}
}
+ memset(&ke, 0, sizeof(ke));
ke.type = rfbKeyEvent;
ke.down = down ? 1 : 0;
ke.key = Swap32IfLE(key);
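Review bot: The memset(&ke, 0, sizeof(ke)) reads as redundant to anyone who does not know the CVE, because type, down and key are all assigned directly after it. Add a one-line comment stating that it clears padding and any unassigned bytes of the message, which the patch description identifies as the source of the stack memory disclosure, so a later cleanup does not remove it.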
@@ -2480,6 +2481,7 @@
return True;
}
+ memset(&cct, 0, sizeof(cct));
cct.type = rfbClientCutText;
cct.length = Swap32IfLE((unsigned int) len);
currentMsg = rfbClientCutText;
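Review bot: Only ke and cct are covered by the two memset calls, while the patch description speaks of multiple weaknesses. Confirm that every other message struct built on the stack in rfbproto.c is either zeroed or fully assigned before use, and say so in the patch header so the scope of the fix is on record.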
/ssvnc/trunk/debian/patches/libvncclient_CVE-2018-20024.patch
0,0 → 1,43
Description: CVE-2018-20024
null pointer dereference in VNC client code that can result DoS.
---
 
Author: Abhijith PA <abhijith@debian.org>
Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7
Bug: https://github.com/LibVNC/libvncserver/issues/254
Bug-Debian: https://bugs.debian.org/916941
Last-Update: 2018-12-23
 
[sunweaver] Investigate CVE-2018-20024 in ssvnc and find similar issues in zrle.c and zlib.c.
The ultra.c code that this has originally been reported against is not present in
ssvnc.
 
--- a/vnc_unixsrc/vncviewer/zlib.c
+++ b/vnc_unixsrc/vncviewer/zlib.c
@@ -55,6 +55,11 @@
raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
raw_buffer = (char*) malloc( raw_buffer_size );
+ if (raw_buffer == NULL) {
+
+ return False;
+
+ }
}
if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
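Review bot: In the zlib.c allocation path, raw_buffer_size is assigned before malloc, so when the new NULL check returns False the size keeps its new value while raw_buffer is NULL. If the enclosing condition (not shown in the hunk) decides on raw_buffer_size, a later rectangle could skip the allocation and reach the NULL pointer anyway; set raw_buffer_size back to 0 before return False. The context line raw_buffer_size = (( rw * rh ) * ( BPP / 8 )) also multiplies the rectangle dimensions with no overflow check, which this patch leaves untouched.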
--- a/vnc_unixsrc/vncviewer/zrle.c
+++ b/vnc_unixsrc/vncviewer/zrle.c
@@ -132,6 +132,12 @@
raw_buffer_size = min_buffer_size;
raw_buffer = (char*) malloc( raw_buffer_size );
+ if ( raw_buffer == NULL ) {
+
+ return False;
+
+ }
+
}
if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader))
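Review bot: The added NULL check in zrle.c returns False silently and is padded with empty lines inside the braces, and its spacing, if ( raw_buffer == NULL ), differs from the form used for the same check in the zlib.c hunk. Suggest one consistent form without the blank lines, an fprintf(stderr, ...) that names the failed allocation size, and resetting raw_buffer_size to 0 before returning, since raw_buffer_size = min_buffer_size is assigned before the malloc.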
/ssvnc/trunk/debian/patches/series
6,3 → 6,7
openssl1.1.patch
auto-scale.patch
samemachine_ip6_overflow.patch
libvncclient_CVE-2018-20020.patch
libvncclient_CVE-2018-20021.patch
libvncclient_CVE-2018-20022.patch
libvncclient_CVE-2018-20024.patch