diff -Nru libvncserver-0.9.9+dfsg/debian/changelog libvncserver-0.9.9+dfsg/debian/changelog
--- libvncserver-0.9.9+dfsg/debian/changelog 2017-01-06 12:57:31.000000000 +0000
+++ libvncserver-0.9.9+dfsg/debian/changelog 2018-03-30 14:46:20.000000000 +0000
@@ -1,3 +1,12 @@
+libvncserver (0.9.9+dfsg-1ubuntu1.3) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: integer overflow or memory access
+ - debian/patches/CVE-2018-7225.patch: limit client cut text length to
+ 1 MB in libvncserver/rfbserver.c.
+ - CVE-2018-7225
+
+ -- Marc Deslauriers Fri, 30 Mar 2018 10:46:20 -0400
+
 libvncserver (0.9.9+dfsg-1ubuntu1.2) trusty-security; urgency=medium
 
 * SECURITY UPDATE: heap overflows in rectangle fill functions
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch
--- libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch 2018-03-30 14:46:18.000000000 +0000
@@ -0,0 +1,60 @@
+From 28afb6c537dc82ba04d5f245b15ca7205c6dbb9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Mon, 26 Feb 2018 13:48:00 +0100
+Subject: [PATCH] Limit client cut text length to 1 MB
+
+This patch constrains a client cut text length to 1 MB. Otherwise
+a client could make server allocate 2 GB of memory and that seems to
+be to much to classify it as a denial of service.
+
+The limit also prevents from an integer overflow followed by copying
+an uninitilized memory when processing msg.cct.length value larger
+than SIZE_MAX or INT_MAX - sz_rfbClientCutTextMsg.
+
+This patch also corrects accepting length value of zero (malloc(0) is
+interpreted on differnet systems differently).
+
+CVE-2018-7225
+
+---
+ libvncserver/rfbserver.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c
+===================================================================
+--- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c 2018-03-30 10:46:15.898988584 -0400
++++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c 2018-03-30 10:46:15.898988584 -0400
+@@ -74,6 +74,8 @@
+ #include
+ /* strftime() */
+ #include
++/* PRIu32 */
++#include
+
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -2487,7 +2489,23 @@ rfbProcessClientNormalMessage(rfbClientP
+
+ msg.cct.length = Swap32IfLE(msg.cct.length);
+
+- str = (char *)malloc(msg.cct.length);
++ /* uint32_t input is passed to malloc()'s size_t argument,
++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
++ * argument. Here we impose a limit of 1 MB so that the value fits
++ * into all of the types to prevent from misinterpretation and thus
++ * from accessing uninitialized memory (CVE-2018-7225) and also to
++ * prevent from a denial-of-service by allocating to much memory in
++ * the server. */
++ if (msg.cct.length > 1<<20) {
++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
++ msg.cct.length);
++ rfbCloseClient(cl);
++ return;
++ }
++
++ /* Allow zero-length client cut text. */
++ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+ if (str == NULL) {
+ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+ rfbCloseClient(cl);
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/series libvncserver-0.9.9+dfsg/debian/patches/series
--- libvncserver-0.9.9+dfsg/debian/patches/series 2017-01-06 12:57:26.000000000 +0000
+++ libvncserver-0.9.9+dfsg/debian/patches/series 2018-03-30 14:46:14.000000000 +0000
@@ -9,3 +9,4 @@
 CVE-2014-6055.patch
 CVE-2016-9941.patch
 CVE-2016-9942.patch
+CVE-2018-7225.patch
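Review bot: The bound in the second rfbserver.c hunk is the bare literal `1<<20` in the comparison while the comment and the log text say "1 MB", with nothing tying the three together; a named constant near the top of the file, e.g. `#define RFB_MAX_CLIENT_CUTTEXT_LEN (1 << 20)` (name constructed here) used in `if (msg.cct.length > RFB_MAX_CLIENT_CUTTEXT_LEN)`, keeps the limit discoverable and lets the `int` parameters the comment enumerates (rfbReadExact, rfbStatRecordMessageRcvd, setXCutText) be audited against a single value. The two `#include` lines in the first hunk render here without a header name, presumably an extraction artifact; the `/* PRIu32 */` comment points at `<inttypes.h>`, which the new `rfbLog` format string needs, so the patch file itself should be checked for that line before it is applied. The rejection path logs the offending length and closes the client, which is the right reaction to a malformed message and gives operators a concrete log line to alert on. `rfbProcessClientNormalMessage` starts and ends outside the hunk, so the later `rfbReadExact` and `setXCutText` uses of `msg.cct.length` that the comment relies on are not visible here.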