NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/libvncserver: fix CVE-2018-20750

Browse Source 
LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability
in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit is contained in:
Fabrice Fontaine 2020-03-03 20:02:31 +01:00 committed by Thomas Petazzoni
parent 8b3f8df76e
commit b10cee5326
2 changed files with 50 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
package/libvncserver/0003-Limit-lenght-to-INT_MAX-bytes-in-rfbProcessFileTransferReadBuffer.patch Normal file
View File

@ -0,0 +1,47 @@
From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 7 Jan 2019 10:40:01 +0100
Subject: [PATCH] Limit lenght to INT_MAX bytes in
rfbProcessFileTransferReadBuffer()
This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
out-of-bound write access in rfbProcessFileTransferReadBuffer() when
reading a transfered file content in a server. The former fix did not
work on platforms with a 32-bit int type (expected by rfbReadExact()).
CVE-2018-15127
<https://github.com/LibVNC/libvncserver/issues/243>
<https://github.com/LibVNC/libvncserver/issues/273>
[Retrieved from:
https://github.com/LibVNC/libvncserver/commit/09e8fc02f59f16e2583b34fe1a270c238bd9ffec]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
libvncserver/rfbserver.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 7af84906..f2edbeea 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -88,6 +88,8 @@
#include <errno.h>
/* strftime() */
#include <time.h>
+/* INT_MAX */
+#include <limits.h>
#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
#include "rfbssl.h"
@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
will safely be allocated since this check will never trigger and malloc() can digest length+1
without problems as length is a uint32_t.
+ We also later pass length to rfbReadExact() that expects a signed int type and
+ that might wrap on platforms with a 32-bit int type if length is bigger
+ than 0X7FFFFFFF.
*/
- if(length == SIZE_MAX) {
+ if(length == SIZE_MAX || length > INT_MAX) {
rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
rfbCloseClient(cl);
return NULL;

3
package/libvncserver/libvncserver.mk
View File

@ -13,6 +13,9 @@ LIBVNCSERVER_INSTALL_STAGING = YES
LIBVNCSERVER_DEPENDENCIES = host-pkgconf lzo
LIBVNCSERVER_CONF_OPTS = -DWITH_LZO=ON
# 0003-Limit-lenght-to-INT_MAX-bytes-in-rfbProcessFileTransferReadBuffer.patch
LIBVNCSERVER_IGNORE_CVES += CVE-2018-20750
# only used for examples
LIBVNCSERVER_CONF_OPTS += \
-DWITH_FFMPEG=OFF \