diff options
-rw-r--r-- | gnu/local.mk | 2 | ||||
-rw-r--r-- | gnu/packages/patches/libvnc-CVE-2018-20750.patch | 44 | ||||
-rw-r--r-- | gnu/packages/patches/libvnc-CVE-2019-15681.patch | 23 | ||||
-rw-r--r-- | gnu/packages/vnc.scm | 39 |
4 files changed, 108 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index b10ad21520..51272b2dc8 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1124,6 +1124,8 @@ dist_patch_DATA = \ %D%/packages/patches/libutils-add-includes.patch \ %D%/packages/patches/libutils-remove-damaging-includes.patch \ %D%/packages/patches/libvdpau-va-gl-unbundle.patch \ + %D%/packages/patches/libvnc-CVE-2018-20750.patch \ + %D%/packages/patches/libvnc-CVE-2019-15681.patch \ %D%/packages/patches/libvpx-CVE-2016-2818.patch \ %D%/packages/patches/libvpx-use-after-free-in-postproc.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ diff --git a/gnu/packages/patches/libvnc-CVE-2018-20750.patch b/gnu/packages/patches/libvnc-CVE-2018-20750.patch new file mode 100644 index 0000000000..146243670a --- /dev/null +++ b/gnu/packages/patches/libvnc-CVE-2018-20750.patch @@ -0,0 +1,44 @@ +From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Mon, 7 Jan 2019 10:40:01 +0100 +Subject: [PATCH] Limit lenght to INT_MAX bytes in + rfbProcessFileTransferReadBuffer() + +This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap +out-of-bound write access in rfbProcessFileTransferReadBuffer() when +reading a transfered file content in a server. The former fix did not +work on platforms with a 32-bit int type (expected by rfbReadExact()). + +CVE-2018-15127 +<https://github.com/LibVNC/libvncserver/issues/243> +<https://github.com/LibVNC/libvncserver/issues/273> +--- + libvncserver/rfbserver.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 7af84906..f2edbeea 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -88,6 +88,8 @@ + #include <errno.h> + /* strftime() */ + #include <time.h> ++/* INT_MAX */ ++#include <limits.h> + + #ifdef LIBVNCSERVER_WITH_WEBSOCKETS + #include "rfbssl.h" +@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length) + 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF + will safely be allocated since this check will never trigger and malloc() can digest length+1 + without problems as length is a uint32_t. ++ We also later pass length to rfbReadExact() that expects a signed int type and ++ that might wrap on platforms with a 32-bit int type if length is bigger ++ than 0X7FFFFFFF. + */ +- if(length == SIZE_MAX) { ++ if(length == SIZE_MAX || length > INT_MAX) { + rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); + rfbCloseClient(cl); + return NULL; diff --git a/gnu/packages/patches/libvnc-CVE-2019-15681.patch b/gnu/packages/patches/libvnc-CVE-2019-15681.patch new file mode 100644 index 0000000000..e328d87920 --- /dev/null +++ b/gnu/packages/patches/libvnc-CVE-2019-15681.patch @@ -0,0 +1,23 @@ +From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001 +From: Christian Beier <dontmind@freeshell.org> +Date: Mon, 19 Aug 2019 22:32:25 +0200 +Subject: [PATCH] rfbserver: don't leak stack memory to the remote + +Thanks go to Pavel Cheremushkin of Kaspersky for reporting. +--- + libvncserver/rfbserver.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 3bacc891..310e5487 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len) + rfbServerCutTextMsg sct; + rfbClientIteratorPtr iterator; + ++ memset((char *)&sct, 0, sizeof(sct)); ++ + iterator = rfbGetClientIterator(rfbScreen); + while ((cl = rfbClientIteratorNext(iterator)) != NULL) { + sct.type = rfbServerCutText; diff --git a/gnu/packages/vnc.scm b/gnu/packages/vnc.scm index e715e10d5a..e1cba08952 100644 --- a/gnu/packages/vnc.scm +++ b/gnu/packages/vnc.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019 Todor Kondić <tk.code@protonmail.com> ;;; Copyright © 2020 Oleg Pykhalov <go.wigust@gmail.com> +;;; Copyright © 2020 Hartmut Goebel <h.goebel@crazy-compilers.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -24,6 +25,7 @@ #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) #:use-module (guix utils) + #:use-module (gnu packages) #:use-module (gnu packages autotools) #:use-module (gnu packages base) #:use-module (gnu packages cmake) @@ -31,9 +33,12 @@ #:use-module (gnu packages compression) #:use-module (gnu packages fltk) #:use-module (gnu packages gettext) + #:use-module (gnu packages gnupg) #:use-module (gnu packages image) #:use-module (gnu packages linux) #:use-module (gnu packages perl) + #:use-module (gnu packages pkg-config) + #:use-module (gnu packages sdl) #:use-module (gnu packages tls) #:use-module (gnu packages xorg)) @@ -232,3 +237,37 @@ applications. It also provides extensions for advanced authentication methods and TLS encryption. This package installs the VNC server, a program that will enable users with VNC clients to log into a graphical session on the machine where the server is installed."))) + +(define-public libvnc + (package + (name "libvnc") + (version "0.9.12") + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/LibVNC/libvncserver.git") + (commit (string-append "LibVNCServer-" version)))) + (file-name (git-file-name name version)) + (sha256 + (base32 "1226hb179l914919f5nm2mlf8rhaarqbf48aa649p4rwmghyx9vm")) + (patches (search-patches "libvnc-CVE-2018-20750.patch" + "libvnc-CVE-2019-15681.patch")))) + (build-system cmake-build-system) + (native-inputs + `(("pkg-config" ,pkg-config))) + (inputs + `(("gnutls" ,gnutls) + ("libgcrypt" ,libgcrypt) + ("libjpeg" ,libjpeg) + ("libpng" ,libpng) + ("lzo" ,lzo) + ("sdl2" ,sdl2))) + (home-page "https://libvnc.github.io/") + (synopsis "Cross-platform C libraries for implementing VNC server or +client") + (description "This package provides @code{LibVNCServer} and +@code{LibVNCClient}. These are cross-platform C libraries that allow you to +easily implement VNC server or client functionality in your program.") + (license ;; GPL for programs, FDL for documentation + (list license:gpl2+ license:fdl1.2+)))) |