diff -Nru libvncserver-0.9.9+dfsg/debian/changelog libvncserver-0.9.9+dfsg/debian/changelog
--- libvncserver-0.9.9+dfsg/debian/changelog 2013-12-22 12:00:56.000000000 +0000
+++ libvncserver-0.9.9+dfsg/debian/changelog 2018-03-30 14:46:20.000000000 +0000
@@ -1,3 +1,52 @@
+libvncserver (0.9.9+dfsg-1ubuntu1.3) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: integer overflow or memory access
+ - debian/patches/CVE-2018-7225.patch: limit client cut text length to
+ 1 MB in libvncserver/rfbserver.c.
+ - CVE-2018-7225
+
+ -- Marc Deslauriers Fri, 30 Mar 2018 10:46:20 -0400
+
+libvncserver (0.9.9+dfsg-1ubuntu1.2) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: heap overflows in rectangle fill functions
+ - debian/patches/CVE-2016-9941.patch: add bounds checking to
+ libvncclient/rfbproto.c.
+ - CVE-2016-9941
+ * SECURITY UPDATE: heap overflow in Ultra type tile decoder
+ - debian/patches/CVE-2016-9942.patch: use _safe variant in
+ libvncclient/ultra.c.
+ - CVE-2016-9942
+
+ -- Marc Deslauriers Fri, 06 Jan 2017 07:57:31 -0500
+
+libvncserver (0.9.9+dfsg-1ubuntu1.1) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service and possible code execution via
+ integer overflow and lack of malloc error handling in
+ MallocFrameBuffer()
+ - debian/patches/CVE-2014-6051-6052.patch: check size and handle
+ return code in libvncclient/vncviewer.c, handle return code in
+ libvncclient/rfbproto.c.
+ - CVE-2014-6051
+ - CVE-2014-6052
+ * SECURITY UPDATE: denial of service via large ClientCutText message
+ - debian/patches/CVE-2014-6053.patch: check malloc result in
+ libvncserver/rfbserver.c.
+ - CVE-2014-6053
+ * SECURITY UPDATE: denial of service via zero scaling factor
+ - debian/patches/CVE-2014-6054.patch: prevent zero scaling factor in
+ libvncserver/rfbserver.c, check for integer overflow in
+ libvncserver/scale.c.
+ - CVE-2014-6054
+ * SECURITY UPDATE: denial of service and possible code execution via
+ stack overflows in File Transfer feature
+ - debian/patches/CVE-2014-6055.patch: check sizes in
+ libvncserver/rfbserver.c.
+ - CVE-2014-6055
+
+ -- Marc Deslauriers Thu, 25 Sep 2014 11:40:15 -0400
+
 libvncserver (0.9.9+dfsg-1ubuntu1) trusty; urgency=medium
 
 * Patch acinclude.m4 for ppc64el.
diff -Nru libvncserver-0.9.9+dfsg/debian/control libvncserver-0.9.9+dfsg/debian/control
--- libvncserver-0.9.9+dfsg/debian/control 2012-05-05 21:45:26.000000000 +0000
+++ libvncserver-0.9.9+dfsg/debian/control 2014-09-25 15:40:37.000000000 +0000
@@ -1,7 +1,8 @@
 Source: libvncserver
 Section: libs
 Priority: optional
-Maintainer: Luca Falavigna
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Luca Falavigna
 Build-Depends: debhelper (>= 9), dh-autoreconf, libgnutls-dev, libjpeg-dev, pkg-config, zlib1g-dev
 Standards-Version: 3.9.3
 Homepage: http://libvncserver.sourceforge.net
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6051-6052.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6051-6052.patch
--- libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6051-6052.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6051-6052.patch 2014-09-25 15:39:56.000000000 +0000
@@ -0,0 +1,83 @@ +Description: fix denial of service and possible code execution via + integer overflow and lack of malloc error handling in MallocFrameBuffer() +Origin: backport, https://github.com/newsoft/libvncserver/commit/045a044e8ae79db9244593fbce154cdf6e843273 +Origin: backport, https://github.com/newsoft/libvncserver/commit/85a778c0e45e87e35ee7199f1f25020648e8b812 + +Index: libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c +=================================================================== +--- libvncserver-0.9.9+dfsg.orig/libvncclient/rfbproto.c 2012-05-04 10:19:00.000000000 -0400 ++++ libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c 2014-09-25 11:11:55.884057336 -0400 +@@ -1807,7 +1807,8 @@ + client->updateRect.x = client->updateRect.y = 0; + client->updateRect.w = client->width; + client->updateRect.h = client->height; +- client->MallocFrameBuffer(client); ++ if (!client->MallocFrameBuffer(client)) ++ return FALSE; + SendFramebufferUpdateRequest(client, 0, 0, rect.r.w, rect.r.h, FALSE); + rfbClientLog("Got new framebuffer size: %dx%d\n", rect.r.w, rect.r.h); + continue; +@@ -2260,7 +2261,8 @@ + client->updateRect.x = client->updateRect.y = 0; + client->updateRect.w = client->width; + client->updateRect.h = client->height; +- client->MallocFrameBuffer(client); ++ if (!client->MallocFrameBuffer(client)) ++ return FALSE; + SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE); + rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height); + break; +@@ -2276,7 +2278,9 @@ + client->updateRect.x = client->updateRect.y = 0; + client->updateRect.w = client->width; + client->updateRect.h = client->height; +- client->MallocFrameBuffer(client); ++ if (!client->MallocFrameBuffer(client)) ++ return FALSE; ++ + SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE); + rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height); + break; +Index: 
libvncserver-0.9.9+dfsg/libvncclient/vncviewer.c +=================================================================== +--- libvncserver-0.9.9+dfsg.orig/libvncclient/vncviewer.c 2012-05-04 10:19:00.000000000 -0400 ++++ libvncserver-0.9.9+dfsg/libvncclient/vncviewer.c 2014-09-25 11:10:29.984055035 -0400 +@@ -82,9 +82,27 @@ + #endif + } + static rfbBool MallocFrameBuffer(rfbClient* client) { ++uint64_t allocSize; ++ + if(client->frameBuffer) + free(client->frameBuffer); +- client->frameBuffer=malloc(client->width*client->height*client->format.bitsPerPixel/8); ++ ++ /* SECURITY: promote 'width' into uint64_t so that the multiplication does not overflow ++ 'width' and 'height' are 16-bit integers per RFB protocol design ++ SIZE_MAX is the maximum value that can fit into size_t ++ */ ++ allocSize = (uint64_t)client->width * client->height * client->format.bitsPerPixel/8; ++ ++ if (allocSize >= SIZE_MAX) { ++ rfbClientErr("CRITICAL: cannot allocate frameBuffer, requested size is too large\n"); ++ return FALSE; ++ } ++ ++ client->frameBuffer=malloc( (size_t)allocSize ); ++ ++ if (client->frameBuffer == NULL) ++ rfbClientErr("CRITICAL: frameBuffer allocation failed, requested size too large or not enough memory?\n"); ++ + return client->frameBuffer?TRUE:FALSE; + } + +@@ -225,7 +243,8 @@ + + client->width=client->si.framebufferWidth; + client->height=client->si.framebufferHeight; +- client->MallocFrameBuffer(client); ++ if (!client->MallocFrameBuffer(client)) ++ return FALSE; + + if (!SetFormatAndEncodings(client)) + return FALSE; diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6053.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6053.patch --- libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6053.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6053.patch 2014-09-25 15:40:03.000000000 +0000 
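Review bot: In the new MallocFrameBuffer body (vncviewer.c hunk) the early `return FALSE;` on the `allocSize >= SIZE_MAX` path runs after `free(client->frameBuffer)` but leaves `client->frameBuffer` pointing at freed memory, so any later cleanup or retry that frees or reads the field is a double free or use-after-free; the malloc-failure path does not have this problem because malloc() writes NULL into the field. Adding `client->frameBuffer = NULL;` directly after the `free()` (or computing and checking `allocSize` before releasing the old buffer) closes that window. `uint64_t` and `SIZE_MAX` need `<stdint.h>`; whether vncviewer.c already includes it is outside the hunk. The rfbproto.c call sites are in the middle of HandleRFBServerMessage, whose body starts and ends outside these hunks.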
@@ -0,0 +1,19 @@
+Description: fix denial of service via large ClientCutText message
+Origin: backport, https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28
+
+Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c
+===================================================================
+--- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c 2012-05-04 10:19:00.000000000 -0400
++++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c 2014-09-25 11:12:36.124058413 -0400
+@@ -2457,6 +2457,11 @@
+ msg.cct.length = Swap32IfLE(msg.cct.length);
+
+ str = (char *)malloc(msg.cct.length);
++ if (str == NULL) {
++ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
++ rfbCloseClient(cl);
++ return;
++ }
+
+ if ((n = rfbReadExact(cl, str, msg.cct.length)) <= 0) {
+ if (n != 0)
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6054.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6054.patch
--- libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6054.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6054.patch 2014-09-25 15:40:07.000000000 +0000
@@ -0,0 +1,85 @@ +Description: fix denial of service via zero scaling factor +Origin: backport, https://github.com/newsoft/libvncserver/commit/05a9bd41a8ec0a9d580a8f420f41718bdd235446 +Origin: backport, https://github.com/newsoft/libvncserver/commit/f18f24ce65f5cac22ddcf3ed51417e477f9bad09 +Origin: backport, https://github.com/newsoft/libvncserver/commit/5dee1cbcd83920370a487c4fd2718aa4d3eba548 +Origin: backport, https://github.com/newsoft/libvncserver/commit/819481c5e2003cd36d002336c248de8c75de362e +Origin: backport, https://github.com/newsoft/libvncserver/commit/e5d9b6a07257c12bf3b6242ddea79ea1c95353a8 + +Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c +=================================================================== +--- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c 2014-09-25 11:19:54.464070151 -0400 ++++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c 2014-09-25 11:20:04.344070416 -0400 +@@ -2487,6 +2487,13 @@ + rfbCloseClient(cl); + return; + } ++ ++ if (msg.ssc.scale == 0) { ++ rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero"); ++ rfbCloseClient(cl); ++ return; ++ } ++ + rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg); + rfbLog("rfbSetScale(%d)\n", msg.ssc.scale); + rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale); +@@ -2503,6 +2510,13 @@ + rfbCloseClient(cl); + return; + } ++ ++ if (msg.ssc.scale == 0) { ++ rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero"); ++ rfbCloseClient(cl); ++ return; ++ } ++ + rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg); + rfbLog("rfbSetScale(%d)\n", msg.ssc.scale); + rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale); +Index: libvncserver-0.9.9+dfsg/libvncserver/scale.c +=================================================================== +--- libvncserver-0.9.9+dfsg.orig/libvncserver/scale.c 2012-05-04 
10:19:00.000000000 -0400 ++++ libvncserver-0.9.9+dfsg/libvncserver/scale.c 2014-09-25 11:20:13.580070663 -0400 +@@ -66,6 +66,10 @@ + (double) ((int) (x)) : (double) ((int) (x) + 1) ) + #define FLOOR(x) ( (double) ((int) (x)) ) + ++static inline int pad4(int value) { ++ int remainder = value & 3; ++ return value + (remainder == 0 ? 0 : 4 - remainder); ++} + + int ScaleX(rfbScreenInfoPtr from, rfbScreenInfoPtr to, int x) + { +@@ -281,14 +285,29 @@ + ptr = malloc(sizeof(rfbScreenInfo)); + if (ptr!=NULL) + { ++ int allocSize; ++ + /* copy *everything* (we don't use most of it, but just in case) */ + memcpy(ptr, cl->screen, sizeof(rfbScreenInfo)); ++ ++ /* SECURITY: make sure that no integer overflow will occur afterwards. ++ * Note: this is defensive coding, as the check should have already been ++ * performed during initial, non-scaled screen setup. ++ */ ++ allocSize = pad4(width * (ptr->bitsPerPixel/8)); /* per protocol, width<2**16 and bpp<256 */ ++ if ((height == 0) || (allocSize >= (SIZE_MAX / height))) ++ { ++ free(ptr); ++ return NULL; /* malloc() will allocate an incorrect buffer size - early abort */ ++ } ++ ++ /* Resume copy everything */ + ptr->width = width; + ptr->height = height; + ptr->paddedWidthInBytes = (ptr->bitsPerPixel/8)*ptr->width; + + /* Need to by multiples of 4 for Sparc systems */ +- ptr->paddedWidthInBytes += (ptr->paddedWidthInBytes % 4); ++ ptr->paddedWidthInBytes = pad4(ptr->paddedWidthInBytes); + + /* Reset the reference count to 0! */ + ptr->scaledScreenRefCount = 0; diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6055.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6055.patch --- libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6055.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6055.patch 2014-09-25 15:40:11.000000000 +0000 
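Review bot: The new guard in the scale.c hunk rejects `height == 0` but not `width == 0`, and it compares the `int` `allocSize` against `SIZE_MAX / height`, so the comparison is performed in unsigned arithmetic; declaring `size_t allocSize;` and widening the test to `if ((width == 0) || (height == 0) || (allocSize >= (SIZE_MAX / height)))` makes the intent explicit and avoids a zero-width scaled screen unless that is deliberately supported. `pad4()` computes `value + (4 - remainder)`, which overflows `int` for values near `INT_MAX`; the range comment at the call site rules that out today, but the helper itself should say so, e.g. `/* caller guarantees value + 3 fits in int */`. In the two rfbserver.c hunks the zero-scale rejection uses `rfbLogPerror`, which as far as I recall appends `strerror(errno)` to a condition that did not set `errno`, so `rfbLog` would give a cleaner message. The enclosing functions in both files start and end outside these hunks.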
@@ -0,0 +1,148 @@ +Description: fix denial of service and possible code execution via + stack overflows in File Transfer feature +Origin: backport, https://github.com/newsoft/libvncserver/commit/06ccdf016154fde8eccb5355613ba04c59127b2e +Origin: backport, https://github.com/newsoft/libvncserver/commit/f528072216dec01cee7ca35d94e171a3b909e677 +Origin: backport, https://github.com/newsoft/libvncserver/commit/256964b884c980038cd8b2f0d180fbb295b1c748 + +Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c +=================================================================== +--- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c 2014-09-25 11:20:22.972070915 -0400 ++++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c 2014-09-25 11:20:40.368071381 -0400 +@@ -1237,21 +1237,35 @@ + #define RFB_FILE_ATTRIBUTE_TEMPORARY 0x100 + #define RFB_FILE_ATTRIBUTE_COMPRESSED 0x800 + +-rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, char *path, char *unixPath) ++rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, /* in */ char *path, /* out */ char *unixPath, size_t unixPathMaxLen ) + { + int x; + char *home=NULL; + + FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, FALSE); + ++ /* ++ * Do not use strncpy() - truncating the file name would probably have undesirable side effects ++ * Instead check if destination buffer is big enough ++ */ ++ ++ if (strlen(path) >= unixPathMaxLen) ++ return FALSE; ++ + /* C: */ + if (path[0]=='C' && path[1]==':') ++ { + strcpy(unixPath, &path[2]); ++ } + else + { + home = getenv("HOME"); + if (home!=NULL) + { ++ /* Re-check buffer size */ ++ if ((strlen(path) + strlen(home) + 1) >= unixPathMaxLen) ++ return FALSE; ++ + strcpy(unixPath, home); + strcat(unixPath,"/"); + strcat(unixPath, path); +@@ -1289,7 +1303,8 @@ + FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, FALSE); + + /* Client thinks we are Winblows */ +- rfbFilenameTranslate2UNIX(cl, buffer, path); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, path, sizeof(path))) ++ return FALSE; + + if (DB) 
rfbLog("rfbProcessFileTransfer() rfbDirContentRequest: rfbRDirContent: \"%s\"->\"%s\"\n",buffer, path); + +@@ -1566,7 +1581,9 @@ + /* add some space to the end of the buffer as we will be adding a timespec to it */ + if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE; + /* The client requests a File */ +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ goto fail; ++ + cl->fileTransfer.fd=open(filename1, O_RDONLY, 0744); + + /* +@@ -1660,16 +1677,17 @@ + */ + if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE; + +- /* Parse the FileTime */ ++ /* Parse the FileTime ++ * TODO: FileTime is actually never used afterwards ++ */ + p = strrchr(buffer, ','); + if (p!=NULL) { + *p = '\0'; +- strcpy(szFileTime, p+1); ++ strncpy(szFileTime, p+1, sizeof(szFileTime)); ++ szFileTime[sizeof(szFileTime)-1] = '\x00'; /* ensure NULL terminating byte is present, even if copy overflowed */ + } else + szFileTime[0]=0; + +- +- + /* Need to read in sizeHtmp */ + if ((n = rfbReadExact(cl, (char *)&sizeHtmp, 4)) <= 0) { + if (n != 0) +@@ -1681,7 +1699,8 @@ + } + sizeHtmp = Swap32IfLE(sizeHtmp); + +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ goto fail; + + /* If the file exists... 
We can send a rfbFileChecksums back to the client before we send an rfbFileAcceptHeader */ + /* TODO: Delta Transfer */ +@@ -1810,7 +1829,9 @@ + if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE; + switch (contentParam) { + case rfbCDirCreate: /* Client requests the creation of a directory */ +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ goto fail; ++ + retval = mkdir(filename1, 0755); + if (DB) rfbLog("rfbProcessFileTransfer() rfbCommand: rfbCDirCreate(\"%s\"->\"%s\") %s\n", buffer, filename1, (retval==-1?"Failed":"Success")); + /* +@@ -1819,7 +1840,9 @@ + if (buffer!=NULL) free(buffer); + return retval; + case rfbCFileDelete: /* Client requests the deletion of a file */ +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ goto fail; ++ + if (stat(filename1,&statbuf)==0) + { + if (S_ISDIR(statbuf.st_mode)) +@@ -1837,8 +1860,12 @@ + { + /* Split into 2 filenames ('*' is a seperator) */ + *p = '\0'; +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); +- rfbFilenameTranslate2UNIX(cl, p+1, filename2); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ goto fail; ++ ++ if (!rfbFilenameTranslate2UNIX(cl, p+1, filename2, sizeof(filename2))) ++ goto fail; ++ + retval = rename(filename1,filename2); + if (DB) rfbLog("rfbProcessFileTransfer() rfbCommand: rfbCFileRename(\"%s\"->\"%s\" -->> \"%s\"->\"%s\") %s\n", buffer, filename1, p+1, filename2, (retval==-1?"Failed":"Success")); + /* +@@ -1858,6 +1885,10 @@ + /* NOTE: don't forget to free(buffer) if you return early! 
*/ + if (buffer!=NULL) free(buffer); + return TRUE; ++ ++fail: ++ if (buffer!=NULL) free(buffer); ++ return FALSE; + } + + /* diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2016-9941.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2016-9941.patch --- libvncserver-0.9.9+dfsg/debian/patches/CVE-2016-9941.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2016-9941.patch 2017-01-06 12:56:03.000000000 +0000 
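Review bot: In the rfbRDirContent case (hunk at 1303) the new failure path is `return FALSE;` while every other new call site of rfbFilenameTranslate2UNIX uses `goto fail;`; if `buffer` there is the heap buffer returned by rfbProcessFileTransferReadBuffer, as it is in the other cases, the early return leaks it, so it should read `if (!rfbFilenameTranslate2UNIX(cl, buffer, path, sizeof(path))) goto fail;`. The `strncpy` plus manual NUL write for `szFileTime` can be replaced by `snprintf(szFileTime, sizeof(szFileTime), "%s", p+1);`, and the comment "even if copy overflowed" is misleading because strncpy truncates rather than overflows. Nothing in rfbFilenameTranslate2UNIX rejects `..` components, so the length checks alone do not keep the translated path under `$HOME`; whether callers canonicalize is outside the hunk, so a comment on the function stating that assumption would help the next reader. rfbProcessFileTransfer begins and ends outside these hunks.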
@@ -0,0 +1,66 @@ +Backport of: + +From 5418e8007c248bf9668d22a8c1fa9528149b69f2 Mon Sep 17 00:00:00 2001 +From: Josef Gajdusek +Date: Mon, 14 Nov 2016 11:39:01 +0100 +Subject: [PATCH] Fix heap overflows in the various rectangle fill functions + +Altough rfbproto.c does check whether the overall FramebufferUpdate rectangle is +too large, some of the individual encoding decoders do not, which allows a +malicious server to overwrite parts of the heap. +--- + libvncclient/rfbproto.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +Index: libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c +=================================================================== +--- libvncserver-0.9.9+dfsg.orig/libvncclient/rfbproto.c 2017-01-06 07:56:00.893123903 -0500 ++++ libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c 2017-01-06 07:56:00.889123863 -0500 +@@ -136,9 +136,18 @@ + + /* messages */ + ++static boolean CheckRect(rfbClient* client, int x, int y, int w, int h) { ++ return x + w <= client->width && y + h <= client->height; ++} ++ + static void FillRectangle(rfbClient* client, int x, int y, int w, int h, uint32_t colour) { + int i,j; + ++ if (!CheckRect(client, x, y, w, h)) { ++ rfbClientLog("Rect out of bounds: %dx%d at (%d, %d)\n", x, y, w, h); ++ return; ++ } ++ + #define FILL_RECT(BPP) \ + for(j=y*client->width;j<(y+h)*client->width;j+=client->width) \ + for(i=x;iwidth * BPP / 8; \ +@@ -178,6 +192,16 @@ + static void CopyRectangleFromRectangle(rfbClient* client, int src_x, int src_y, int w, int h, int dest_x, int dest_y) { + int i,j; + ++ if (!CheckRect(client, src_x, src_y, w, h)) { ++ rfbClientLog("Source rect out of bounds: %dx%d at (%d, %d)\n", src_x, src_y, w, h); ++ return; ++ } ++ ++ if (!CheckRect(client, dest_x, dest_y, w, h)) { ++ rfbClientLog("Dest rect out of bounds: %dx%d at (%d, %d)\n", dest_x, dest_y, w, h); ++ return; ++ } ++ + #define COPY_RECT_FROM_RECT(BPP) \ + { \ + uint##BPP##_t* 
_buffer=((uint##BPP##_t*)client->frameBuffer)+(src_y-dest_y)*client->width+src_x-dest_x; \ diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2016-9942.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2016-9942.patch --- libvncserver-0.9.9+dfsg/debian/patches/CVE-2016-9942.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2016-9942.patch 2017-01-06 12:57:26.000000000 +0000 
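Review bot: The three new out-of-bounds log calls pass their arguments in the wrong order for the format: `"Rect out of bounds: %dx%d at (%d, %d)\n"` expects `w, h, x, y` but receives `x, y, w, h`, so the diagnostic misreports every rejected rectangle; the same applies to both messages in CopyRectangleFromRectangle. CheckRect relies on `x`, `y`, `w` and `h` being non-negative and small enough that `x + w` cannot overflow, which presumably holds because they originate from 16-bit protocol fields, but that assumption should be stated in a one-line comment above the helper. The helper is declared as `boolean` rather than the project's `rfbBool` used elsewhere in this diff; if that name only resolves through jpeglib.h the file will not compile in a build without libjpeg, which I cannot confirm from the hunk.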
@@ -0,0 +1,43 @@ +From 5fff4353f66427b467eb29e5fdc1da4f2be028bb Mon Sep 17 00:00:00 2001 +From: Josef Gajdusek +Date: Mon, 14 Nov 2016 12:38:05 +0100 +Subject: [PATCH] Fix heap overflow in the ultra.c decoder + +The Ultra type tile decoder does not use the _safe variant of the LZO +decompress function, which allows a maliciuous server to overwrite parts of the +heap by sending a larger-than-specified LZO data stream. +--- + libvncclient/ultra.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libvncclient/ultra.c b/libvncclient/ultra.c +index dac89b5..32a1b2b 100644 +--- a/libvncclient/ultra.c ++++ b/libvncclient/ultra.c +@@ -86,14 +86,14 @@ HandleUltraBPP (rfbClient* client, int rx, int ry, int rw, int rh) + + /* uncompress the data */ + uncompressedBytes = client->raw_buffer_size; +- inflateResult = lzo1x_decompress( ++ inflateResult = lzo1x_decompress_safe( + (lzo_byte *)client->ultra_buffer, toRead, + (lzo_byte *)client->raw_buffer, (lzo_uintp) &uncompressedBytes, + NULL); + +- ++ /* Note that uncompressedBytes will be 0 on output overrun */ + if ((rw * rh * (BPP / 8)) != uncompressedBytes) +- rfbClientLog("Ultra decompressed too little (%d < %d)", (rw * rh * (BPP / 8)), uncompressedBytes); ++ rfbClientLog("Ultra decompressed unexpected amount of data (%d != %d)\n", (rw * rh * (BPP / 8)), uncompressedBytes); + + /* Put the uncompressed contents of the update on the screen. 
*/ + if ( inflateResult == LZO_E_OK ) +@@ -168,7 +168,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) + + /* uncompress the data */ + uncompressedBytes = client->raw_buffer_size; +- inflateResult = lzo1x_decompress( ++ inflateResult = lzo1x_decompress_safe( + (lzo_byte *)client->ultra_buffer, toRead, + (lzo_byte *)client->raw_buffer, &uncompressedBytes, NULL); + if ( inflateResult != LZO_E_OK ) diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch --- libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch 2018-03-30 14:46:18.000000000 +0000 
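Review bot: In HandleUltraBPP the size mismatch after `lzo1x_decompress_safe` is only logged; when `inflateResult == LZO_E_OK` but `uncompressedBytes` is smaller than `rw * rh * (BPP / 8)`, the code that follows (outside the hunk) presumably still copies the full expected tile size out of `raw_buffer`, i.e. bytes the decoder did not write. Treating the mismatch as a decode failure, `if ((rw * rh * (BPP / 8)) != uncompressedBytes) { rfbClientLog(...); return FALSE; }`, would make the bounds fix complete rather than depending on someone reading the log line, assuming the function returns rfbBool like the other handlers. The same consideration applies to HandleUltraZipBPP, whose size handling after its `_safe` call is not in the hunk. Both functions continue past the hunks.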
@@ -0,0 +1,60 @@ +From 28afb6c537dc82ba04d5f245b15ca7205c6dbb9c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 26 Feb 2018 13:48:00 +0100 +Subject: [PATCH] Limit client cut text length to 1 MB + +This patch constrains a client cut text length to 1 MB. Otherwise +a client could make server allocate 2 GB of memory and that seems to +be to much to classify it as a denial of service. + +The limit also prevents from an integer overflow followed by copying +an uninitilized memory when processing msg.cct.length value larger +than SIZE_MAX or INT_MAX - sz_rfbClientCutTextMsg. + +This patch also corrects accepting length value of zero (malloc(0) is +interpreted on differnet systems differently). + +CVE-2018-7225 + +--- + libvncserver/rfbserver.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c +=================================================================== +--- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c 2018-03-30 10:46:15.898988584 -0400 ++++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c 2018-03-30 10:46:15.898988584 -0400 +@@ -74,6 +74,8 @@ + #include + /* strftime() */ + #include ++/* PRIu32 */ ++#include + + #ifdef LIBVNCSERVER_WITH_WEBSOCKETS + #include "rfbssl.h" +@@ -2487,7 +2489,23 @@ rfbProcessClientNormalMessage(rfbClientP + + msg.cct.length = Swap32IfLE(msg.cct.length); + +- str = (char *)malloc(msg.cct.length); ++ /* uint32_t input is passed to malloc()'s size_t argument, ++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int ++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int ++ * argument. Here we impose a limit of 1 MB so that the value fits ++ * into all of the types to prevent from misinterpretation and thus ++ * from accessing uninitialized memory (CVE-2018-7225) and also to ++ * prevent from a denial-of-service by allocating to much memory in ++ * the server. 
*/ ++ if (msg.cct.length > 1<<20) { ++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", ++ msg.cct.length); ++ rfbCloseClient(cl); ++ return; ++ } ++ ++ /* Allow zero-length client cut text. */ ++ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1); + if (str == NULL) { + rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); + rfbCloseClient(cl); diff -Nru libvncserver-0.9.9+dfsg/debian/patches/series libvncserver-0.9.9+dfsg/debian/patches/series --- libvncserver-0.9.9+dfsg/debian/patches/series 2013-12-22 11:59:47.000000000 +0000 +++ libvncserver-0.9.9+dfsg/debian/patches/series 2018-03-30 14:46:14.000000000 +0000 @@ -3,3 +3,10 @@ format_string.patch ppc64el.diff format-security.diff +CVE-2014-6051-6052.patch +CVE-2014-6053.patch +CVE-2014-6054.patch +CVE-2014-6055.patch +CVE-2016-9941.patch +CVE-2016-9942.patch +CVE-2018-7225.patch
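Review bot: The 1 MB cap is written as a bare `1<<20` in the condition while the long rationale comment above it never names the limit; a named constant, e.g. `#define MAX_CUTTEXT_LEN (1<<20)` used as `if (msg.cct.length > MAX_CUTTEXT_LEN)`, keeps the comparison self-documenting and lets the log message quote the same limit. The rejection message uses `rfbLog` whereas the earlier security hunks in this diff use `rfbLogPerror` for protocol-level rejections that did not set `errno`; `rfbLog` is the right choice here, and the others should be aligned to it. `PRIu32` requires the `<inttypes.h>` include added at the top of the same hunk, so the two changes must not be split. rfbProcessClientNormalMessage starts and ends outside the hunk.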