NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/libvncserver: fix CVE-2019-15681

Browse Source 
LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a
memory leak (CWE-655) in VNC server code, which allow an attacker to
read stack memory and can be abused for information disclosure. Combined
with another vulnerability, it can be used to leak stack memory and
bypass ASLR. This attack appear to be exploitable via network
connectivity. These vulnerabilities have been fixed in commit
d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 05bf029c11)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Fabrice Fontaine 2020-03-03 20:02:32 +01:00 committed by Peter Korsgaard
parent 0cabb7a98d
commit 318323ce69
2 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
package/libvncserver/0004-rfbserver-don-t-leak-stack-memory-to-the-remote.patch Normal file
View File

@ -0,0 +1,26 @@
From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Mon, 19 Aug 2019 22:32:25 +0200
Subject: [PATCH] rfbserver: don't leak stack memory to the remote
Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
[Retrieved from:
https://github.com/LibVNC/libvncserver/commit/d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
libvncserver/rfbserver.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 3bacc891..310e5487 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len)
rfbServerCutTextMsg sct;
rfbClientIteratorPtr iterator;
+ memset((char *)&sct, 0, sizeof(sct));
+
iterator = rfbGetClientIterator(rfbScreen);
while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
sct.type = rfbServerCutText;

3
package/libvncserver/libvncserver.mk
View File

@ -16,6 +16,9 @@ LIBVNCSERVER_CONF_OPTS = -DWITH_LZO=ON
# 0003-Limit-lenght-to-INT_MAX-bytes-in-rfbProcessFileTransferReadBuffer.patch
LIBVNCSERVER_IGNORE_CVES += CVE-2018-20750
# 0004-rfbserver-don-t-leak-stack-memory-to-the-remote.patch
LIBVNCSERVER_IGNORE_CVES += CVE-2019-15681
# only used for examples
LIBVNCSERVER_CONF_OPTS += \
-DWITH_FFMPEG=OFF \