aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorHartmut Goebel <h.goebel@crazy-compilers.com>2020-01-20 23:43:18 +0100
committerHartmut Goebel <h.goebel@crazy-compilers.com>2020-01-22 12:43:49 +0100
commita789f654a0f370720b2c6b7856b9971dcc1d5eb1 (patch)
tree1ff81707588fcaab485ea1acb003e4a6fc9237bf /gnu/packages/patches
parent94c7ef932a5857020c2a5349ff1970b1809a080e (diff)
downloadguix-a789f654a0f370720b2c6b7856b9971dcc1d5eb1.tar
guix-a789f654a0f370720b2c6b7856b9971dcc1d5eb1.tar.gz
gnu: Add libvnc.
* gnu/packages/vnc.scm (libvnc): New variable. gnu/packages/patches/libvnc-CVE-2018-20750.patch, gnu/packages/patches/libvnc-CVE-2019-15681.patch: New files. * gnu/local.mk: Add them.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/libvnc-CVE-2018-20750.patch44
-rw-r--r--gnu/packages/patches/libvnc-CVE-2019-15681.patch23
2 files changed, 67 insertions, 0 deletions
diff --git a/gnu/packages/patches/libvnc-CVE-2018-20750.patch b/gnu/packages/patches/libvnc-CVE-2018-20750.patch
new file mode 100644
index 0000000000..146243670a
--- /dev/null
+++ b/gnu/packages/patches/libvnc-CVE-2018-20750.patch
@@ -0,0 +1,44 @@
+From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 7 Jan 2019 10:40:01 +0100
+Subject: [PATCH] Limit lenght to INT_MAX bytes in
+ rfbProcessFileTransferReadBuffer()
+
+This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
+out-of-bound write access in rfbProcessFileTransferReadBuffer() when
+reading a transfered file content in a server. The former fix did not
+work on platforms with a 32-bit int type (expected by rfbReadExact()).
+
+CVE-2018-15127
+<https://github.com/LibVNC/libvncserver/issues/243>
+<https://github.com/LibVNC/libvncserver/issues/273>
+---
+ libvncserver/rfbserver.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 7af84906..f2edbeea 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -88,6 +88,8 @@
+ #include <errno.h>
+ /* strftime() */
+ #include <time.h>
++/* INT_MAX */
++#include <limits.h>
+
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
+ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
+ will safely be allocated since this check will never trigger and malloc() can digest length+1
+ without problems as length is a uint32_t.
++ We also later pass length to rfbReadExact() that expects a signed int type and
++ that might wrap on platforms with a 32-bit int type if length is bigger
++ than 0X7FFFFFFF.
+ */
+- if(length == SIZE_MAX) {
++ if(length == SIZE_MAX || length > INT_MAX) {
+ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
+ rfbCloseClient(cl);
+ return NULL;
diff --git a/gnu/packages/patches/libvnc-CVE-2019-15681.patch b/gnu/packages/patches/libvnc-CVE-2019-15681.patch
new file mode 100644
index 0000000000..e328d87920
--- /dev/null
+++ b/gnu/packages/patches/libvnc-CVE-2019-15681.patch
@@ -0,0 +1,23 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+---
+ libvncserver/rfbserver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 3bacc891..310e5487 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len)
+ rfbServerCutTextMsg sct;
+ rfbClientIteratorPtr iterator;
+
++ memset((char *)&sct, 0, sizeof(sct));
++
+ iterator = rfbGetClientIterator(rfbScreen);
+ while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
+ sct.type = rfbServerCutText;