Hello community, here is the log from the commit of package krfb for openSUSE:Factory checked in at 2014-10-16 18:14:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/krfb (Old) and /work/SRC/openSUSE:Factory/.krfb.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krfb"
Changes:
--------
--- /work/SRC/openSUSE:Factory/krfb/krfb.changes 2014-09-18 08:01:49.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.krfb.new/krfb.changes 2014-10-16 18:16:04.000000000 +0200
@@ -1,0 +2,7 @@
+Sun Oct 12 12:40:08 UTC 2014 - [email protected]
+
+- Update to 4.14.2
+ * KDE 4.14.2 SC Bugfix Release
+ * See http://www.kde.org/announcements/announce-4.14.2.php
+
+-------------------------------------------------------------------
Old:
----
krfb-4.14.1.tar.xz
New:
----
krfb-4.14.2.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ krfb.spec ++++++
--- /var/tmp/diff_new_pack.HQULGr/_old 2014-10-16 18:16:05.000000000 +0200
+++ /var/tmp/diff_new_pack.HQULGr/_new 2014-10-16 18:16:05.000000000 +0200
@@ -25,7 +25,7 @@
 BuildRequires: pkgconfig(xdamage)
 BuildRequires: pkgconfig(xt)
 BuildRequires: pkgconfig(xtst)
-Version: 4.14.1
+Version: 4.14.2
 Release: 0
 Summary: Desktop Sharing
 License: GPL-2.0+
++++++ krfb-4.14.1.tar.xz -> krfb-4.14.2.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/krfb-4.14.1/libvncserver/rfbserver.c new/krfb-4.14.2/libvncserver/rfbserver.c
--- old/krfb-4.14.1/libvncserver/rfbserver.c 2014-09-11 00:47:46.000000000 +0200
+++ new/krfb-4.14.2/libvncserver/rfbserver.c 2014-09-23 23:06:21.000000000 +0200
@@ -1175,13 +1175,21 @@
 #define RFB_FILE_ATTRIBUTE_TEMPORARY 0x100
 #define RFB_FILE_ATTRIBUTE_COMPRESSED 0x800
-rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, char *path, char *unixPath)
+rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, char *path, char *unixPath, size_t unixPathMaxLen)
 {
 int x;
 char *home=NULL;
 FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, FALSE);
+ /*
+ * Do not use strncpy() - truncating the file name would probably have undesirable side effects
+ * Instead check if destination buffer is big enough
+ */
+
+ if (strlen(path) >= unixPathMaxLen)
+ return FALSE;
+
 /* C: */
 if (path[0]=='C' && path[1]==':')
 strcpy(unixPath, &path[2]);
@@ -1190,6 +1198,10 @@
 home = getenv("HOME");
 if (home!=NULL)
 {
+ /* Re-check buffer size */
+ if ((strlen(path) + strlen(home) + 1) >= unixPathMaxLen)
+ return FALSE;
+
 strcpy(unixPath, home);
 strcat(unixPath,"/");
 strcat(unixPath, path);
@@ -1227,7 +1239,9 @@
 FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, FALSE);
 /* Client thinks we are Winblows */
- rfbFilenameTranslate2UNIX(cl, buffer, path);
+ if (!rfbFilenameTranslate2UNIX(cl, buffer, path, sizeof(path)))
+ return FALSE;
+
 if (DB) rfbLog("rfbProcessFileTransfer() rfbDirContentRequest: rfbRDirContent: \"%s\"->\"%s\"\n",buffer, path);
@@ -1504,7 +1518,12 @@
 /* add some space to the end of the buffer as we will be adding a timespec to it */
 if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE;
 /* The client requests a File */
- rfbFilenameTranslate2UNIX(cl, buffer, filename1);
+ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1)))
+ {
+ if (buffer!=NULL) free(buffer);
+ return FALSE;
+ }
+
 cl->fileTransfer.fd=open(filename1, O_RDONLY, 0744);
 /*
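Review bot: The new `unixPathMaxLen` parameter and the new FALSE return of rfbFilenameTranslate2UNIX are undocumented; the comment added above the check explains only why strncpy() was avoided. A header comment on the function would help, e.g. `/* unixPathMaxLen is the size of unixPath in bytes, including the terminating NUL; returns FALSE without writing unixPath when the translated name would not fit */`. The comment should also say that the check bounds the copy only: the `C:` branch visible here copies the client-supplied path without the HOME prefix, so a TRUE return says nothing about where the resulting path points and callers must not treat it as a confinement check. The function body continues outside this hunk.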
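Review bot: Both size checks reject silently: this re-check and the first one in the @@ -1175 hunk return FALSE with no log entry, so an over-long file-transfer path sent by a client is invisible to whoever operates the server. A line such as `rfbLog("rfbFilenameTranslate2UNIX: path too long (%lu bytes), rejected\n", (unsigned long)strlen(path));` before each `return FALSE;` would give a detection point, and logging the length rather than the path keeps client-controlled text out of the log. The `+ 1` in the condition accounts for the "/" separator, which the comment `/* Re-check buffer size */` could state. The enclosing else-branch starts and ends outside the hunk.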
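Review bot: `sizeof(path)` is the buffer capacity only if `path` is a char array declared in this function; the declaration is outside the hunk, and if it were a pointer the limit would silently become the pointer size. The same assumption is made for `sizeof(filename1)`, `sizeof(filename2)` and `sizeof(szFileTime)` in the later hunks. Passing the same size constant the declarations use, or adding a comment such as `/* path is a local array, so sizeof gives its capacity */`, would make the dependency explicit for the next person who changes the declaration.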
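Review bot: The failure block added at @@ -1504 is repeated verbatim in the hunks at @@ -1619, @@ -1745, @@ -1754 and twice at @@ -1772, and its `if (buffer!=NULL)` guard is redundant: in this hunk `buffer` was checked against NULL just above, and free(NULL) is a no-op in any case. Six hand-copied cleanup blocks are easy to get out of step the next time a resource is added to one of these paths. The body could shrink to `free(buffer); return FALSE;`, or each case could jump to one shared cleanup label at the end of the function, which lies outside these hunks.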
@@ -1602,7 +1621,8 @@
 p = strrchr(buffer, ',');
 if (p!=NULL) {
 *p = '\0';
- strcpy(szFileTime, p+1);
+ strncpy(szFileTime, p+1, sizeof(szFileTime));
+ szFileTime[sizeof(szFileTime)-1] = '\x00'; /* ensure NULL terminating byte is present, even if copy overflowed */
 } else
 szFileTime[0]=0;
@@ -1619,7 +1639,12 @@
 }
 sizeHtmp = Swap32IfLE(sizeHtmp);
- rfbFilenameTranslate2UNIX(cl, buffer, filename1);
+ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1)))
+ {
+ if (buffer!=NULL) free(buffer);
+ return FALSE;
+ }
+
 /* If the file exists... We can send a rfbFileChecksums back to the client before we send an rfbFileAcceptHeader */
 /* TODO: Delta Transfer */
@@ -1745,7 +1770,12 @@
 if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE;
 switch (contentParam) {
 case rfbCDirCreate: /* Client requests the creation of a directory */
- rfbFilenameTranslate2UNIX(cl, buffer, filename1);
+ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1)))
+ {
+ if (buffer!=NULL) free(buffer);
+ return FALSE;
+ }
+
 retval = mkdir(filename1, 0755);
 if (DB) rfbLog("rfbProcessFileTransfer() rfbCommand: rfbCDirCreate(\"%s\"->\"%s\") %s\n", buffer, filename1, (retval==-1?"Failed":"Success"));
 /*
@@ -1754,7 +1784,11 @@
 if (buffer!=NULL) free(buffer);
 return retval;
 case rfbCFileDelete: /* Client requests the deletion of a file */
- rfbFilenameTranslate2UNIX(cl, buffer, filename1);
+ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1)))
+ {
+ if (buffer!=NULL) free(buffer);
+ return FALSE;
+ }
 if (stat(filename1,&statbuf)==0)
 {
 if (S_ISDIR(statbuf.st_mode))
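Review bot: Silent truncation by strncpy() at @@ -1602 contradicts the policy stated in the comment this same commit adds at @@ -1175, which rejects truncation for file names; if a shortened time string is acceptable here the code should say why, otherwise an over-long field should be refused the way the paths are. The trailing comment is also inaccurate: the terminator is NUL, not NULL, and strncpy() with this bound cannot overflow, it only leaves the buffer unterminated when the source fills it. Suggested wording: `szFileTime[sizeof(szFileTime)-1] = '\0'; /* strncpy() does not NUL-terminate when the source fills the buffer */`, which also matches the `'\0'` used two lines above. The surrounding function is outside the hunk.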
@@ -1772,8 +1806,17 @@
 {
 /* Split into 2 filenames ('*' is a seperator) */
 *p = '\0';
- rfbFilenameTranslate2UNIX(cl, buffer, filename1);
- rfbFilenameTranslate2UNIX(cl, p+1, filename2);
+ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1)))
+ {
+ if (buffer!=NULL) free(buffer);
+ return FALSE;
+ }
+
+ if (!rfbFilenameTranslate2UNIX(cl, p+1, filename2, sizeof(filename2)))
+ {
+ if (buffer!=NULL) free(buffer);
+ return FALSE;
+ }
 retval = rename(filename1,filename2);
 if (DB) rfbLog("rfbProcessFileTransfer() rfbCommand: rfbCFileRename(\"%s\"->\"%s\" -->> \"%s\"->\"%s\") %s\n", buffer, filename1, p+1, filename2, (retval==-1?"Failed":"Success"));
 /*
@@ -2361,6 +2404,12 @@
 str = (char *)malloc(msg.cct.length);
+ if (str == NULL) {
+ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+ rfbCloseClient(cl);
+ return;
+ }
+
 if ((n = rfbReadExact(cl, str, msg.cct.length)) <= 0) {
 if (n != 0)
 rfbLogPerror("rfbProcessClientNormalMessage: read");
@@ -2385,6 +2434,11 @@
 rfbCloseClient(cl);
 return;
 }
+ if (msg.ssc.scale == 0) {
+ rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero");
+ rfbCloseClient(cl);
+ return;
+ }
 rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg);
 rfbLog("rfbSetScale(%d)\n", msg.ssc.scale);
 rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale);
@@ -2401,6 +2455,11 @@
 rfbCloseClient(cl);
 return;
 }
+ if (msg.ssc.scale == 0) {
+ rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero");
+ rfbCloseClient(cl);
+ return;
+ }
 rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg);
 rfbLog("rfbSetScale(%d)\n", msg.ssc.scale);
 rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale);
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
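Review bot: The NULL check added at @@ -2361 treats every NULL from malloc() as out-of-memory, but `malloc(0)` is allowed to return NULL, so on such platforms a message with `msg.cct.length == 0` would now disconnect the client. Allocating at least one byte avoids that: `str = (char *)malloc(msg.cct.length ? msg.cct.length : 1);`. Separately, `msg.cct.length` reaches malloc() with no upper bound visible in this hunk, so the peer chooses the allocation size; whether it is limited earlier in the function cannot be seen from here, and a cap checked before the allocation would be the safer default. The enclosing case starts and ends outside the hunk.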
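Review bot: rfbLogPerror() is the wrong call for the zero-scale rejection at @@ -2385: no system call has failed, so if it appends the errno text, as its name and its use after the failed read in this function suggest, the log line will end in an unrelated error string. `rfbLog("rfbProcessClientNormalMessage: will not accept a scale factor of zero\n");` says the same thing without it, and the identical block at @@ -2401 needs the same change. A non-zero scale larger than the screen width or height still makes the divisions below yield 0; whether rfbScalingSetup() tolerates a zero dimension is not visible here and is worth checking. The enclosing case starts outside the hunk.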
