Control: tags 920941 + patch

Hi Peter,

I've prepared an NMU for libvncserver (versioned as 0.9.11+dfsg-1.3). The diff
is attached to this message. I uploaded this time without delay, given
that these fixes were needed on top of the previous ones (which were
incomplete fixes for CVEs).

I have pushed as well the changes to the packaging repository on
salsa.

It is a bit short on time, but might it still be possible to upload a
new upstream version in time for buster?

Regards,
Salvatore
diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog	2019-01-02 16:26:53.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/changelog	2019-01-30 22:39:15.000000000 +0100
@@ -1,3 +1,20 @@
+libvncserver (0.9.11+dfsg-1.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * LibVNCClient: ignore server-sent cut text longer than 1MB (CVE-2018-20748)
+    (Closes: #920941)
+  * LibVNCClient: ignore server-sent reason strings longer than 1MB
+    (CVE-2018-20748) (Closes: #920941)
+  * LibVNCClient: fail on server-sent desktop name lengths longer than 1MB
+    (CVE-2018-20748) (Closes: #920941)
+  * LibVNCClient: remove now-useless cast (CVE-2018-20748) (Closes: #920941)
+  * Error out in rfbProcessFileTransferReadBuffer if length can not be
+    allocated (CVE-2018-20749) (Closes: #920941)
+  * Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer()
+    (CVE-2018-20750) (Closes: #920941)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 30 Jan 2019 22:39:15 +0100
+
 libvncserver (0.9.11+dfsg-1.2) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch	2019-01-30 22:39:15.000000000 +0100
@@ -0,0 +1,32 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sat, 29 Dec 2018 14:16:58 +0100
+Subject: LibVNCClient: ignore server-sent cut text longer than 1MB
+Origin: https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a
+Bug-Debian: https://bugs.debian.org/920941
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20748
+
+This is in line with how LibVNCServer does it
+(28afb6c537dc82ba04d5f245b15ca7205c6dbb9c) and fixes part of #273.
+---
+ libvncclient/rfbproto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
+index 4541e0d53ad3..8792dbf67c48 100644
+--- a/libvncclient/rfbproto.c
++++ b/libvncclient/rfbproto.c
+@@ -2217,6 +2217,11 @@ HandleRFBServerMessage(rfbClient* client)
+ 
+     msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);
+ 
++    if (msg.sct.length > 1<<20) {
++	    rfbClientErr("Ignoring too big cut text length sent by server: %u B > 1 MB\n", (unsigned int)msg.sct.length);
++	    return FALSE;
++    }  
++
+     buffer = malloc((uint64_t)msg.sct.length+1);
+ 
+     if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {
+-- 
+2.20.1
+
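Review bot: The allocation on `buffer = malloc((uint64_t)msg.sct.length+1);` is handed straight to ReadFromRFBServer() without a NULL check, so an allocation failure (now bounded to about 1 MB, but still possible) would write through a null pointer; add `if (!buffer) return FALSE;` before the read. The same unchecked allocation appears in the new ReadReason() in the 0002 patch (`reason = malloc(reasonLen+1);`) and survives the cast removal in the 0004 patch. The `1<<20` limit is repeated verbatim across the 0001, 0002 and 0003 patches; a single named constant (e.g. an `enum { MAX_SERVER_STRING_LEN = 1<<20 }` — constructed name) would keep the three caps in step. HandleRFBServerMessage's body starts and ends outside the hunk.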
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch	2019-01-30 22:39:15.000000000 +0100
@@ -0,0 +1,88 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sat, 29 Dec 2018 14:40:53 +0100
+Subject: LibVNCClient: ignore server-sent reason strings longer than 1MB
+Origin: https://github.com/LibVNC/libvncserver/commit/e34bcbb759ca5bef85809967a268fdf214c1ad2c
+Bug-Debian: https://bugs.debian.org/920941
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20748
+
+Fixes #273
+---
+ libvncclient/rfbproto.c | 45 +++++++++++++++++++----------------------
+ 1 file changed, 21 insertions(+), 24 deletions(-)
+
+diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
+index 8792dbf67c48..ba7d70a71575 100644
+--- a/libvncclient/rfbproto.c
++++ b/libvncclient/rfbproto.c
+@@ -412,11 +412,29 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
+ extern void rfbClientEncryptBytes(unsigned char* bytes, char* passwd);
+ extern void rfbClientEncryptBytes2(unsigned char *where, const int length, unsigned char *key);
+ 
++static void
++ReadReason(rfbClient* client)
++{
++    uint32_t reasonLen;
++    char *reason;
++
++    if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
++    reasonLen = rfbClientSwap32IfLE(reasonLen);
++    if(reasonLen > 1<<20) {
++      rfbClientLog("VNC connection failed, but sent reason length of %u exceeds limit of 1MB",(unsigned int)reasonLen);
++      return;
++    }
++    reason = malloc(reasonLen+1);
++    if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
++    reason[reasonLen]=0;
++    rfbClientLog("VNC connection failed: %s\n",reason);
++    free(reason);
++}
++
+ rfbBool
+ rfbHandleAuthResult(rfbClient* client)
+ {
+-    uint32_t authResult=0, reasonLen=0;
+-    char *reason=NULL;
++    uint32_t authResult=0;
+ 
+     if (!ReadFromRFBServer(client, (char *)&authResult, 4)) return FALSE;
+ 
+@@ -431,13 +449,7 @@ rfbHandleAuthResult(rfbClient* client)
+       if (client->major==3 && client->minor>7)
+       {
+         /* we have an error following */
+-        if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE;
+-        reasonLen = rfbClientSwap32IfLE(reasonLen);
+-        reason = malloc((uint64_t)reasonLen+1);
+-        if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; }
+-        reason[reasonLen]=0;
+-        rfbClientLog("VNC connection failed: %s\n",reason);
+-        free(reason);
++        ReadReason(client);
+         return FALSE;
+       }
+       rfbClientLog("VNC authentication failed\n");
+@@ -452,21 +464,6 @@ rfbHandleAuthResult(rfbClient* client)
+     return FALSE;
+ }
+ 
+-static void
+-ReadReason(rfbClient* client)
+-{
+-    uint32_t reasonLen;
+-    char *reason;
+-
+-    /* we have an error following */
+-    if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
+-    reasonLen = rfbClientSwap32IfLE(reasonLen);
+-    reason = malloc((uint64_t)reasonLen+1);
+-    if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
+-    reason[reasonLen]=0;
+-    rfbClientLog("VNC connection failed: %s\n",reason);
+-    free(reason);
+-}
+ 
+ static rfbBool
+ ReadSupportedSecurityType(rfbClient* client, uint32_t *result, rfbBool subAuth)
+-- 
+2.20.1
+
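Review bot: The over-limit message in the new ReadReason(), `rfbClientLog("VNC connection failed, but sent reason length of %u exceeds limit of 1MB", ...)`, has no trailing newline, while the `"VNC connection failed: %s\n"` line a few lines below does, so the next log entry will be appended to the same line; suggest `rfbClientLog("VNC connection failed, but sent reason length of %u exceeds limit of 1MB\n",(unsigned int)reasonLen);`. It may also be worth a comment on the early return that the reason bytes are deliberately left unread because the caller in rfbHandleAuthResult returns FALSE right after `ReadReason(client);` and the connection is abandoned. rfbHandleAuthResult's body continues outside the hunk.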
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch	2019-01-30 22:39:15.000000000 +0100
@@ -0,0 +1,35 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sun, 6 Jan 2019 14:20:37 +0100
+Subject: LibVNCClient: fail on server-sent desktop name lengths longer than
+ 1MB
+Origin: https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
+Bug-Debian: https://bugs.debian.org/920941
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20748
+
+re #273
+---
+ libvncclient/rfbproto.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
+index e56e778f6b91..6af21a54f07b 100644
+--- a/libvncclient/rfbproto.c
++++ b/libvncclient/rfbproto.c
+@@ -1224,8 +1224,12 @@ InitialiseRFBConnection(rfbClient* client)
+   client->si.format.blueMax = rfbClientSwap16IfLE(client->si.format.blueMax);
+   client->si.nameLength = rfbClientSwap32IfLE(client->si.nameLength);
+ 
+-  /* To guard against integer wrap-around, si.nameLength is cast to 64 bit */
+-  client->desktopName = malloc((uint64_t)client->si.nameLength + 1);
++  if (client->si.nameLength > 1<<20) {
++      rfbClientErr("Too big desktop name length sent by server: %u B > 1 MB\n", (unsigned int)client->si.nameLength);
++      return FALSE;
++  }
++
++  client->desktopName = malloc(client->si.nameLength + 1);
+   if (!client->desktopName) {
+     rfbClientLog("Error allocating memory for desktop name, %lu bytes\n",
+             (unsigned long)client->si.nameLength);
+-- 
+2.20.1
+
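Review bot: The patch drops the comment `/* To guard against integer wrap-around, si.nameLength is cast to 64 bit */` together with the cast, but the new `malloc(client->si.nameLength + 1)` still depends on a wrap-around argument that is now carried by the 1 MB check above it and is stated nowhere. Suggest restoring a one-line rationale on the malloc line: `/* nameLength is capped at 1 MB above, so nameLength + 1 cannot wrap */`. The existing `if (!client->desktopName)` branch below already covers allocation failure. InitialiseRFBConnection's body starts and ends outside the hunk.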
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch	2019-01-30 22:39:15.000000000 +0100
@@ -0,0 +1,28 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sun, 6 Jan 2019 14:22:34 +0100
+Subject: LibVNCClient: remove now-useless cast
+Origin: https://github.com/LibVNC/libvncserver/commit/a64c3b37af9a6c8f8009d7516874b8d266b42bae
+Bug-Debian: https://bugs.debian.org/920941
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20748
+
+re #273
+---
+ libvncclient/rfbproto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
+index 6af21a54f07b..2f887c32978f 100644
+--- a/libvncclient/rfbproto.c
++++ b/libvncclient/rfbproto.c
+@@ -2227,7 +2227,7 @@ HandleRFBServerMessage(rfbClient* client)
+ 	    return FALSE;
+     }  
+ 
+-    buffer = malloc((uint64_t)msg.sct.length+1);
++    buffer = malloc(msg.sct.length+1);
+ 
+     if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {
+       free(buffer);
+-- 
+2.20.1
+
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch	2019-01-30 22:39:15.000000000 +0100
@@ -0,0 +1,44 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sun, 6 Jan 2019 15:13:56 +0100
+Subject: Error out in rfbProcessFileTransferReadBuffer if length can not be
+ allocated
+Origin: https://github.com/LibVNC/libvncserver/commit/15bb719c03cc70f14c36a843dcb16ed69b405707
+Bug-Debian: https://bugs.debian.org/920941
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20749
+
+re #273
+---
+ libvncserver/rfbserver.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 6ca511fee3ed..e210a32f5c45 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -1461,11 +1461,21 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
+     int   n=0;
+ 
+     FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL);
++
+     /*
+-    rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length);
++       We later alloc length+1, which might wrap around on 32-bit systems if length equals
++       0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
++       will safely be allocated since this check will never trigger and malloc() can digest length+1
++       without problems as length is a uint32_t.
+     */
++    if(length == SIZE_MAX) {
++	rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
++	rfbCloseClient(cl);
++	return NULL;
++    }
++
+     if (length>0) {
+-        buffer=malloc((uint64_t)length+1);
++        buffer=malloc((size_t)length+1);
+         if (buffer!=NULL) {
+             if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
+                 if (n != 0)
+-- 
+2.20.1
+
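Review bot: The new `rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);` has no trailing newline, whereas the log calls elsewhere on this page (e.g. the rfbClientLog in the desktop-name patch) end in `\n`; unless rfbErr appends one itself, the next log line will run on after this message, so `"... requested: %u\n"` is the safer form. The same message is repeated without a newline in the CVE-2018-20750 patch that follows. As the added comment says, `length == SIZE_MAX` can only be true where size_t is 32 bits, so on 64-bit builds the comparison is always false and `-Wtype-limits` will warn about it. rfbProcessFileTransferReadBuffer's body continues outside the hunk.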
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20750/0001-Limit-lenght-to-INT_MAX-bytes-in-rfbProcessFileTrans.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20750/0001-Limit-lenght-to-INT_MAX-bytes-in-rfbProcessFileTrans.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20750/0001-Limit-lenght-to-INT_MAX-bytes-in-rfbProcessFileTrans.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20750/0001-Limit-lenght-to-INT_MAX-bytes-in-rfbProcessFileTrans.patch	2019-01-30 22:39:15.000000000 +0100
@@ -0,0 +1,43 @@
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
+Date: Mon, 7 Jan 2019 10:40:01 +0100
+Subject: Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer()
+Origin: https://github.com/LibVNC/libvncserver/commit/09e8fc02f59f16e2583b34fe1a270c238bd9ffec
+Bug-Debian: https://bugs.debian.org/920941
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20750
+
+This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
+out-of-bound write access in rfbProcessFileTransferReadBuffer() when
+reading a transfered file content in a server. The former fix did not
+work on platforms with a 32-bit int type (expected by rfbReadExact()).
+
+CVE-2018-15127
+<https://github.com/LibVNC/libvncserver/issues/243>
+<https://github.com/LibVNC/libvncserver/issues/273>
+---
+ libvncserver/rfbserver.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -87,6 +87,8 @@
+ #include <time.h>
+ /* PRIu32 */
+ #include <inttypes.h>
++/* INT_MAX */
++#include <limits.h>
+ 
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -1468,8 +1470,11 @@ char *rfbProcessFileTransferReadBuffer(r
+        0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
+        will safely be allocated since this check will never trigger and malloc() can digest length+1
+        without problems as length is a uint32_t.
++       We also later pass length to rfbReadExact() that expects a signed int type and
++       that might wrap on platforms with a 32-bit int type if length is bigger
++       than 0X7FFFFFFF.
+     */
+-    if(length == SIZE_MAX) {
++    if(length == SIZE_MAX || length > INT_MAX) {
+ 	rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
+ 	rfbCloseClient(cl);
+ 	return NULL;
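Review bot: In `if(length == SIZE_MAX || length > INT_MAX) {` the first test is now redundant: on the 32- and 64-bit targets the comment discusses, SIZE_MAX is larger than INT_MAX, so any `length` equal to SIZE_MAX already satisfies `length > INT_MAX`. Simplifying to `if(length > INT_MAX) {` and trimming the comment to the rfbReadExact() argument makes the single remaining reason for the limit clear, and removes the comparison that is always false on 64-bit builds. rfbProcessFileTransferReadBuffer's body continues outside the hunk.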
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series	2019-01-02 16:26:53.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/series	2019-01-30 22:39:15.000000000 +0100
@@ -15,3 +15,9 @@
 CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch
 CVE-2018-20024/0001-LibVNCClient-make-sure-Ultra-decoding-cannot-derefer.patch
 CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch
+CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch
+CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch
+CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch
+CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch
+CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch
+CVE-2018-20750/0001-Limit-lenght-to-INT_MAX-bytes-in-rfbProcessFileTrans.patch
