diff options
author | Marius Bakke <marius@gnu.org> | 2020-07-21 22:18:50 +0200 |
---|---|---|
committer | Marius Bakke <marius@gnu.org> | 2020-07-21 23:54:44 +0200 |
commit | 2195ad6bd7df591c1f24b5717203b363bc3e1bfd (patch) | |
tree | c3a704acbefde225f2532b4f18dcebf31c72b685 /gnu/packages/patches | |
parent | 938f3190e786baab4116ea826bde21d102396cc2 (diff) | |
download | guix-2195ad6bd7df591c1f24b5717203b363bc3e1bfd.tar guix-2195ad6bd7df591c1f24b5717203b363bc3e1bfd.tar.gz |
gnu: libvnc: Update to 0.9.13.
* gnu/packages/patches/libvnc-CVE-2018-20750.patch,
gnu/packages/patches/libvnc-CVE-2019-15681.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/vnc.scm (libvnc): Update to 0.9.13.
[source](patches): Remove.
[arguments]: Add phase to patch 'cc' invocation.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/libvnc-CVE-2018-20750.patch | 44 | ||||
-rw-r--r-- | gnu/packages/patches/libvnc-CVE-2019-15681.patch | 23 |
2 files changed, 0 insertions, 67 deletions
diff --git a/gnu/packages/patches/libvnc-CVE-2018-20750.patch b/gnu/packages/patches/libvnc-CVE-2018-20750.patch deleted file mode 100644 index 146243670a..0000000000 --- a/gnu/packages/patches/libvnc-CVE-2018-20750.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> -Date: Mon, 7 Jan 2019 10:40:01 +0100 -Subject: [PATCH] Limit lenght to INT_MAX bytes in - rfbProcessFileTransferReadBuffer() - -This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap -out-of-bound write access in rfbProcessFileTransferReadBuffer() when -reading a transfered file content in a server. The former fix did not -work on platforms with a 32-bit int type (expected by rfbReadExact()). - -CVE-2018-15127 -<https://github.com/LibVNC/libvncserver/issues/243> -<https://github.com/LibVNC/libvncserver/issues/273> ---- - libvncserver/rfbserver.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c -index 7af84906..f2edbeea 100644 ---- a/libvncserver/rfbserver.c -+++ b/libvncserver/rfbserver.c -@@ -88,6 +88,8 @@ - #include <errno.h> - /* strftime() */ - #include <time.h> -+/* INT_MAX */ -+#include <limits.h> - - #ifdef LIBVNCSERVER_WITH_WEBSOCKETS - #include "rfbssl.h" -@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length) - 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF - will safely be allocated since this check will never trigger and malloc() can digest length+1 - without problems as length is a uint32_t. -+ We also later pass length to rfbReadExact() that expects a signed int type and -+ that might wrap on platforms with a 32-bit int type if length is bigger -+ than 0X7FFFFFFF. - */ -- if(length == SIZE_MAX) { -+ if(length == SIZE_MAX || length > INT_MAX) { - rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); - rfbCloseClient(cl); - return NULL; diff --git a/gnu/packages/patches/libvnc-CVE-2019-15681.patch b/gnu/packages/patches/libvnc-CVE-2019-15681.patch deleted file mode 100644 index e328d87920..0000000000 --- a/gnu/packages/patches/libvnc-CVE-2019-15681.patch +++ /dev/null @@ -1,23 +0,0 @@ -From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001 -From: Christian Beier <dontmind@freeshell.org> -Date: Mon, 19 Aug 2019 22:32:25 +0200 -Subject: [PATCH] rfbserver: don't leak stack memory to the remote - -Thanks go to Pavel Cheremushkin of Kaspersky for reporting. ---- - libvncserver/rfbserver.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c -index 3bacc891..310e5487 100644 ---- a/libvncserver/rfbserver.c -+++ b/libvncserver/rfbserver.c -@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len) - rfbServerCutTextMsg sct; - rfbClientIteratorPtr iterator; - -+ memset((char *)&sct, 0, sizeof(sct)); -+ - iterator = rfbGetClientIterator(rfbScreen); - while ((cl = rfbClientIteratorNext(iterator)) != NULL) { - sct.type = rfbServerCutText; |