Hello community,

here is the log from the commit of package vino for openSUSE:11.4
checked in at Mon May 9 17:00:14 CEST 2011.



--------
--- old-versions/11.4/all/vino/vino.changes     2011-02-13 17:24:38.000000000 
+0100
+++ 11.4/vino/vino.changes      2011-05-02 15:49:03.000000000 +0200
@@ -1,0 +2,8 @@
+Mon May  2 15:44:57 CEST 2011 - [email protected]
+
+- Add vino-CVE-2011-0904_0905.patch to fix security vulnerabilities
+  that lead to an out-of-bounds memory write and read with a
+  crafted client framebuffer update request packet.
+- Fixes CVE-2011-0904, CVE-2011-0905 and bnc#691207.
+
+-------------------------------------------------------------------

Package does not exist at destination yet. Using Fallback 
old-versions/11.4/all/vino
Destination is old-versions/11.4/UPDATES/all/vino
calling whatdependson for 11.4-i586


New:
----
  vino-CVE-2011-0904_0905.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ vino.spec ++++++
--- /var/tmp/diff_new_pack.EaZTkb/_old  2011-05-09 16:59:57.000000000 +0200
+++ /var/tmp/diff_new_pack.EaZTkb/_new  2011-05-09 16:59:57.000000000 +0200
@@ -22,10 +22,12 @@
 License:        GPLv2+
 Group:          Productivity/Networking/Other
 Version:        2.32.1
-Release:        2
+Release:        6.<RELEASE7>
 Summary:        GNOME VNC Server
 Url:            http://www.gnome.org
 Source:         vino-%{version}.tar.bz2
+# PATCH-FIX-UPSTREAM vino-CVE-2011-0904_0905.patch bnc#691207 
[email protected] -- Fix security issues
+Patch0:         vino-CVE-2011-0904_0905.patch
 BuildRequires:  fdupes
 BuildRequires:  gconf2-devel
 BuildRequires:  gnutls-devel
@@ -51,6 +53,7 @@
 %prep
 %setup
 translation-update-upstream
+%patch0 -p1
 
 %build
 %configure\

++++++ vino-CVE-2011-0904_0905.patch ++++++
>From af7847f11681770018ed6e7f86e7a31feabf9963 Mon Sep 17 00:00:00 2001
From: David King <[email protected]>
Date: Tue, 26 Apr 2011 22:31:36 +0200
Subject: [PATCH] Avoid out-of-bounds memory accesses

This fixes two critical security vulnerabilities that lead to an
out-of-bounds memory write and read with a crafted client framebuffer
update request packet. The dimensions of the update from the packet are
checked to ensure that they are within the screen dimensions.

Thanks to Kevin Chen from the Bitblaze group for the reports in bugs
641802 and 641803. The CVE identifiers for these vulnerabilities are
CVE-2011-0904 and CVE-2011-0905.
---
 server/libvncserver/rfbserver.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
index 8c35853..f02a7f9 100644
--- a/server/libvncserver/rfbserver.c
+++ b/server/libvncserver/rfbserver.c
@@ -1163,6 +1163,10 @@ rfbSendFramebufferUpdate(rfbClientPtr cl,
         cl->rfbRawBytesEquivalent += (sz_rfbFramebufferUpdateRectHeader
                                       + w * (cl->format.bitsPerPixel / 8) * h);
 
+        /* Validate the rectangle given by the update packet. */
+        if (w + x > cl->screen->width || h + y > cl->screen->height)
+            goto tx_error;
+
         switch (cl->preferredEncoding) {
         case rfbEncodingRaw:
             if (!rfbSendRectEncodingRaw(cl, x, y, w, h))
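
Review bot: The new bounds check in rfbSendFramebufferUpdate sits after the `cl->rfbRawBytesEquivalent += ...` statement, so that counter is still updated from w and h before the rectangle is rejected; moving the check above the accumulation would keep unvalidated dimensions out of the statistics. The condition `w + x > cl->screen->width || h + y > cl->screen->height` tests only the upper edges, and the declarations of x, y, w and h are not visible in this hunk: if they are signed, a lower-bound test (x < 0, y < 0) is also needed, and a subtraction form such as `w > cl->screen->width - x` would avoid depending on the sum not wrapping. A log message before `goto tx_error` would help operators notice clients that send out-of-range rectangles.
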
-- 
1.7.3.4

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...
