Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu
Dear release team,

I have just uploaded an update of italc to Debian stretch, containing several <no-dsa> security fixes in the bundled libvncserver code.

+  * Porting of libvncserver+libvncclient security patches:
+    - CVE-2018-7225: Uninitialized and potentially sensitive data could be
+      accessed by remote attackers because the msg.cct.length in rfbserver.c was
+      not sanitized.
+    - CVE-2018-15127: heap out-of-bound write vulnerability.
+    - CVE-2018-20019: multiple heap out-of-bound write vulnerabilities.
+    - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+      in VNC client code.
+    - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+    - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+    - CVE-2018-20023: Improper Initialization vulnerability in VNC Repeater
+      client code.
+    - CVE-2018-20024: null pointer dereference that can result DoS.
+    - CVE-2018-6307: heap use-after-free vulnerability in server code of
+      file transfer extension.
+    - CVE-2018-20748: incomplete fix for CVE-2018-20019 oob heap writes.
+    - CVE-2018-20749: incomplete fix for CVE-2018-15127 oob heap writes.
+    - CVE-2018-20750: incomplete fix for CVE-2018-15127 oob heap writes.
+    - CVE-2018-15126: heap use-after-free resulting in possible RCE.
+    - CVE-2019-15681: rfbserver: don't leak stack memory to the remote.

Furthermore, I updated the Vcs-*: fields (they were still pointing to Alioth).

+  * debian/control:
+    + Update Vcs-*: fields. Package has been migrated to salsa.debian.org.

Please note that italc was removed from Debian a while ago (stretch was the last version to ship italc).
Greets,
Mike

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru italc-3.0.3+dfsg1/debian/changelog italc-3.0.3+dfsg1/debian/changelog --- italc-3.0.3+dfsg1/debian/changelog 2017-01-20 11:28:48.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/changelog 2019-11-28 08:49:18.000000000 +0100 @@ -1,3 +1,30 @@ +italc (1:3.0.3+dfsg1-1+deb9u1) stretch; urgency=medium + + * Porting of libvncserver+libvncclient security patches: + - CVE-2018-7225: Uninitialized and potentially sensitive data could be + accessed by remote attackers because the msg.cct.length in rfbserver.c was + not sanitized. + - CVE-2018-15127: heap out-of-bound write vulnerability. + - CVE-2018-20019: multiple heap out-of-bound write vulnerabilities. + - CVE-2018-20020: heap out-of-bound write vulnerability inside structure + in VNC client code. + - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code. + - CVE-2018-20022: CWE-665: Improper Initialization vulnerability. + - CVE-2018-20023: Improper Initialization vulnerability in VNC Repeater + client code. + - CVE-2018-20024: null pointer dereference that can result DoS. + - CVE-2018-6307: heap use-after-free vulnerability in server code of + file transfer extension. + - CVE-2018-20748: incomplete fix for CVE-2018-20019 oob heap writes. + - CVE-2018-20749: incomplete fix for CVE-2018-15127 oob heap writes. + - CVE-2018-20750: incomplete fix for CVE-2018-15127 oob heap writes. + - CVE-2018-15126: heap use-after-free resulting in possible RCE. + - CVE-2019-15681: rfbserver: don't leak stack memory to the remote. + * debian/control: + + Update Vcs-*: fields. Package has been migrated to salsa.debian.org. + + -- Mike Gabriel <[email protected]> Thu, 28 Nov 2019 08:49:18 +0100 + italc (1:3.0.3+dfsg1-1) unstable; urgency=medium [ Mike Gabriel ] diff -Nru italc-3.0.3+dfsg1/debian/control italc-3.0.3+dfsg1/debian/control --- italc-3.0.3+dfsg1/debian/control 2017-01-20 11:28:38.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/control 2019-11-28 08:49:18.000000000 +0100 
@@ -31,8 +31,8 @@ gcj-jdk | gcj, Standards-Version: 3.9.8 Homepage: http://italc.sourceforge.net/home.php -Vcs-Git: https://anonscm.debian.org/cgit/debian-edu/pkg-team/italc.git -Vcs-Browser: https://anonscm.debian.org/cgit/debian-edu/pkg-team/italc.git +Vcs-Git: https://salsa.debian.org/debian-edu-pkg-team/italc.git +Vcs-Browser: https://salsa.debian.org/debian-edu-pkg-team/italc/ Package: italc-master Architecture: any diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20020.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20020.patch --- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20020.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20020.patch 2019-10-30 20:51:34.000000000 +0100 @@ -0,0 +1,22 @@ +Description: CVE-2018-20020 + heap out-of-bound write vulnerability inside structure in VNC client code that + can result remote code execution +--- + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d +Bug: https://github.com/LibVNC/libvncserver/issues/250 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/ica/x11/libvncclient/corre.c ++++ b/ica/x11/libvncclient/corre.c +@@ -48,7 +48,7 @@ + + FillRectangle(client, rx, ry, rw, rh, pix); + +- if (!ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8)))) ++ if (hdr.nSubrects > RFB_BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8)))) + return FALSE; + + ptr = (uint8_t *)client->buffer; diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20021.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20021.patch --- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20021.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20021.patch 2019-11-28 08:36:39.000000000 +0100 
@@ -0,0 +1,22 @@ +Description: CVE-2018-20021 + CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows + attacker to consume excessive amount of resources like CPU and RAM +--- + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c +Bug: https://github.com/LibVNC/libvncserver/issues/251 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/ica/x11/libvncclient/rfbproto.c ++++ b/ica/x11/libvncclient/rfbproto.c +@@ -2002,7 +2002,7 @@ + /* Regardless of cause, do not divide by zero. */ + linesToRead = bytesPerLine ? (RFB_BUFFER_SIZE / bytesPerLine) : 0; + +- while (h > 0) { ++ while (linesToRead && h > 0) { + if (linesToRead > h) + linesToRead = h; + diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20022.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20022.patch --- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20022.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20022.patch 2019-11-28 08:36:43.000000000 +0100 
@@ -0,0 +1,31 @@ +Description: CVE-2018-20022 + multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC + client code that allows attacker to read stack memory and can be abuse for + information disclosure. Combined with another vulnerability, it can be used + to leak stack memory layout and in bypassing ASLR +--- + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 +Bug: https://github.com/LibVNC/libvncserver/issues/252 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/ica/x11/libvncclient/rfbproto.c ++++ b/ica/x11/libvncclient/rfbproto.c +@@ -1768,6 +1768,7 @@ + + if (!SupportsClient2Server(client, rfbKeyEvent)) return TRUE; + ++ memset(&ke, 0, sizeof(ke)); + ke.type = rfbKeyEvent; + ke.down = down ? 1 : 0; + ke.key = rfbClientSwap32IfLE(key); +@@ -1786,6 +1787,7 @@ + + if (!SupportsClient2Server(client, rfbClientCutText)) return TRUE; + ++ memset(&cct, 0, sizeof(cct)); + cct.type = rfbClientCutText; + cct.length = rfbClientSwap32IfLE(len); + return (WriteToRFBServer(client, (char *)&cct, sz_rfbClientCutTextMsg) && diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20023.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20023.patch --- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20023.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20023.patch 2019-11-28 08:36:49.000000000 +0100 
@@ -0,0 +1,37 @@ +Description: CVE-2018-20023 + contains CWE-665: Improper Initialization vulnerability in VNC Repeater client + code that allows attacker to read stack memory and can be abuse for information + disclosure. Combined with another vulnerability, it can be used to leak stack + memory layout and in bypassing ASLR +--- + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/LibVNC/libvncserver/commit/8b06f835e259652b0ff026898014fc7297ade858 +Bug: https://github.com/LibVNC/libvncserver/issues/253 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/ica/x11/libvncclient/rfbproto.c ++++ b/ica/x11/libvncclient/rfbproto.c +@@ -497,6 +497,7 @@ + rfbProtocolVersionMsg pv; + int major,minor; + char tmphost[250]; ++ int tmphostlen; + + #ifdef LIBVNCSERVER_IPv6 + client->sock = ConnectClientToTcpAddr6(repeaterHost, repeaterPort); +@@ -532,8 +533,11 @@ + + rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n", major, minor); + +- snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort); +- if (!WriteToRFBServer(client, tmphost, sizeof(tmphost))) ++ tmphostlen = snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort); ++ if(tmphostlen < 0 || tmphostlen >= (int)sizeof(tmphost)) ++ return FALSE; /* snprintf error or output truncated */ ++ ++ if (!WriteToRFBServer(client, tmphost, tmphostlen + 1)) + return FALSE; + + return TRUE; diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20024.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20024.patch --- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20024.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20024.patch 2019-10-30 20:51:44.000000000 +0100 
@@ -0,0 +1,30 @@ +Description: CVE-2018-20024 + null pointer dereference in VNC client code that can result DoS. +--- + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 +Bug: https://github.com/LibVNC/libvncserver/issues/254 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/ica/x11/libvncclient/ultra.c ++++ b/ica/x11/libvncclient/ultra.c +@@ -66,6 +66,8 @@ + if ((client->raw_buffer_size % 4)!=0) + client->raw_buffer_size += (4-(client->raw_buffer_size % 4)); + client->raw_buffer = (char*) malloc( client->raw_buffer_size ); ++ if(client->raw_buffer == NULL) ++ return FALSE; + } + + /* allocate enough space to store the incoming compressed packet */ +@@ -150,6 +152,8 @@ + if ((client->raw_buffer_size % 4)!=0) + client->raw_buffer_size += (4-(client->raw_buffer_size % 4)); + client->raw_buffer = (char*) malloc( client->raw_buffer_size ); ++ if(client->raw_buffer == NULL) ++ return FALSE; + } + + diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-1.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-1.patch --- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-1.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-1.patch 2019-11-28 08:37:15.000000000 +0100 
@@ -0,0 +1,25 @@ +From c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a Mon Sep 17 00:00:00 2001 +From: Christian Beier <[email protected]> +Date: Sat, 29 Dec 2018 14:16:58 +0100 +Subject: [PATCH] LibVNCClient: ignore server-sent cut text longer than 1MB + +This is in line with how LibVNCServer does it +(28afb6c537dc82ba04d5f245b15ca7205c6dbb9c) and fixes part of #273. +--- + libvncclient/rfbproto.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/ica/x11/libvncclient/rfbproto.c ++++ b/ica/x11/libvncclient/rfbproto.c +@@ -2280,6 +2280,11 @@ + + msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); + ++ if (msg.sct.length > 1<<20) { ++ rfbClientErr("Ignoring too big cut text length sent by server: %u B > 1 MB\n", (unsigned int)msg.sct.length); ++ return FALSE; ++ } ++ + buffer = malloc((uint64_t)msg.sct.length+1); + + if (!ReadFromRFBServer(client, buffer, msg.sct.length)) { diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-2.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-2.patch --- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-2.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-2.patch 2019-11-28 08:36:55.000000000 +0100 
@@ -0,0 +1,82 @@ +From e34bcbb759ca5bef85809967a268fdf214c1ad2c Mon Sep 17 00:00:00 2001 +From: Christian Beier <[email protected]> +Date: Sat, 29 Dec 2018 14:40:53 +0100 +Subject: [PATCH] LibVNCClient: ignore server-sent reason strings longer than + 1MB + +Fixes #273 +--- + libvncclient/rfbproto.c | 45 +++++++++++++++++++---------------------- + 1 file changed, 21 insertions(+), 24 deletions(-) + +--- a/ica/x11/libvncclient/rfbproto.c ++++ b/ica/x11/libvncclient/rfbproto.c +@@ -546,11 +546,29 @@ + extern void rfbClientEncryptBytes(unsigned char* bytes, char* passwd); + extern void rfbClientEncryptBytes2(unsigned char *where, const int length, unsigned char *key); + ++static void ++ReadReason(rfbClient* client) ++{ ++ uint32_t reasonLen; ++ char *reason; ++ ++ if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return; ++ reasonLen = rfbClientSwap32IfLE(reasonLen); ++ if(reasonLen > 1<<20) { ++ rfbClientLog("VNC connection failed, but sent reason length of %u exceeds limit of 1MB",(unsigned int)reasonLen); ++ return; ++ } ++ reason = malloc(reasonLen+1); ++ if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; } ++ reason[reasonLen]=0; ++ rfbClientLog("VNC connection failed: %s\n",reason); ++ free(reason); ++} ++ + rfbBool + rfbHandleAuthResult(rfbClient* client) + { +- uint32_t authResult=0, reasonLen=0; +- char *reason=NULL; ++ uint32_t authResult=0; + + if (!ReadFromRFBServer(client, (char *)&authResult, 4)) return FALSE; + +@@ -565,13 +583,7 @@ + if (client->major==3 && client->minor>7) + { + /* we have an error following */ +- if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE; +- reasonLen = rfbClientSwap32IfLE(reasonLen); +- reason = malloc((uint64_t)reasonLen+1); +- if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; } +- reason[reasonLen]=0; +- rfbClientLog("VNC connection failed: %s\n",reason); +- free(reason); ++ ReadReason(client); + return FALSE; + } + rfbClientLog("VNC 
authentication failed\n"); +@@ -586,21 +598,6 @@ + return FALSE; + } + +-static void +-ReadReason(rfbClient* client) +-{ +- uint32_t reasonLen; +- char *reason; +- +- /* we have an error following */ +- if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return; +- reasonLen = rfbClientSwap32IfLE(reasonLen); +- reason = malloc((uint64_t)reasonLen+1); +- if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; } +- reason[reasonLen]=0; +- rfbClientLog("VNC connection failed: %s\n",reason); +- free(reason); +-} + + static rfbBool + ReadSupportedSecurityType(rfbClient* client, uint32_t *result, rfbBool subAuth) diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-3.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-3.patch --- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-3.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-3.patch 2019-11-28 08:38:37.000000000 +0100 
@@ -0,0 +1,25 @@ +From c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 Mon Sep 17 00:00:00 2001 +From: Christian Beier <[email protected]> +Date: Sun, 6 Jan 2019 14:20:37 +0100 +Subject: [PATCH] LibVNCClient: fail on server-sent desktop name lengths longer + than 1MB + +re #273 +--- + libvncclient/rfbproto.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/ica/x11/libvncclient/rfbproto.c ++++ b/ica/x11/libvncclient/rfbproto.c +@@ -1315,6 +1315,11 @@ + client->si.format.blueMax = rfbClientSwap16IfLE(client->si.format.blueMax); + client->si.nameLength = rfbClientSwap32IfLE(client->si.nameLength); + ++ if (client->si.nameLength > 1<<20) { ++ rfbClientErr("Too big desktop name length sent by server: %u B > 1 MB\n", (unsigned int)client->si.nameLength); ++ return FALSE; ++ } ++ + /* To guard against integer wrap-around, si.nameLength is cast to 64 bit */ + client->desktopName = malloc((uint64_t)client->si.nameLength + 1); + if (!client->desktopName) { diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-4.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-4.patch --- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-4.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-4.patch 2019-11-28 08:38:47.000000000 +0100 
@@ -0,0 +1,21 @@ +From a64c3b37af9a6c8f8009d7516874b8d266b42bae Mon Sep 17 00:00:00 2001 +From: Christian Beier <[email protected]> +Date: Sun, 6 Jan 2019 14:22:34 +0100 +Subject: [PATCH] LibVNCClient: remove now-useless cast + +re #273 +--- + libvncclient/rfbproto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/ica/x11/libvncclient/rfbproto.c ++++ b/ica/x11/libvncclient/rfbproto.c +@@ -2287,7 +2287,7 @@ + return FALSE; + } + +- buffer = malloc((uint64_t)msg.sct.length+1); ++ buffer = malloc(msg.sct.length+1); + + if (!ReadFromRFBServer(client, buffer, msg.sct.length)) { + free(buffer); diff -Nru italc-3.0.3+dfsg1/debian/patches/libvnc_server+client_CVE-2018-15127-CVE-2018-20019.patch italc-3.0.3+dfsg1/debian/patches/libvnc_server+client_CVE-2018-15127-CVE-2018-20019.patch --- italc-3.0.3+dfsg1/debian/patches/libvnc_server+client_CVE-2018-15127-CVE-2018-20019.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvnc_server+client_CVE-2018-15127-CVE-2018-20019.patch 2019-11-28 08:36:32.000000000 +0100 
@@ -0,0 +1,63 @@ +Description: CVE-2018-15127, CVE-2018-20019 + CVE-2018-15127 + heap out-of-bound write vulnerability in server code of file transfer + extension that can result remote code execution + CVE-2018-20019 + multiple heap out-of-bound write vulnerabilities in VNC client code that can + result remote code execution +--- + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/LibVNC/libvncserver/commit/502821828ed00b4a2c4bef90683d0fd88ce495de + https://github.com/LibVNC/libvncserver/commit/a83439b9fbe0f03c48eb94ed05729cb016f8b72f +Bug: https://github.com/LibVNC/libvncserver/issues/243 + https://github.com/LibVNC/libvncserver/issues/247 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/ica/x11/libvncclient/rfbproto.c ++++ b/ica/x11/libvncclient/rfbproto.c +@@ -563,7 +563,7 @@ + /* we have an error following */ + if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE; + reasonLen = rfbClientSwap32IfLE(reasonLen); +- reason = malloc(reasonLen+1); ++ reason = malloc((uint64_t)reasonLen+1); + if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; } + reason[reasonLen]=0; + rfbClientLog("VNC connection failed: %s\n",reason); +@@ -591,7 +591,7 @@ + /* we have an error following */ + if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return; + reasonLen = rfbClientSwap32IfLE(reasonLen); +- reason = malloc(reasonLen+1); ++ reason = malloc((uint64_t)reasonLen+1); + if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; } + reason[reasonLen]=0; + rfbClientLog("VNC connection failed: %s\n",reason); +@@ -2274,10 +2274,12 @@ + + msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); + +- buffer = malloc(msg.sct.length+1); ++ buffer = malloc((uint64_t)msg.sct.length+1); + +- if (!ReadFromRFBServer(client, buffer, msg.sct.length)) ++ if (!ReadFromRFBServer(client, buffer, msg.sct.length)) { ++ free(buffer); + return FALSE; ++ } + + buffer[msg.sct.length] = 0; + +--- 
a/ica/x11/libvncserver/rfbserver.c ++++ b/ica/x11/libvncserver/rfbserver.c +@@ -1466,7 +1466,7 @@ + rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length); + */ + if (length>0) { +- buffer=malloc(length+1); ++ buffer=malloc((uint64_t)length+1); + if (buffer!=NULL) { + if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) { + if (n != 0) diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20749.patch italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20749.patch --- italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20749.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20749.patch 2019-11-28 08:38:50.000000000 +0100 
@@ -0,0 +1,37 @@ +From 15bb719c03cc70f14c36a843dcb16ed69b405707 Mon Sep 17 00:00:00 2001 +From: Christian Beier <[email protected]> +Date: Sun, 6 Jan 2019 15:13:56 +0100 +Subject: [PATCH] Error out in rfbProcessFileTransferReadBuffer if length can + not be allocated + +re #273 +--- + libvncserver/rfbserver.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/ica/x11/libvncserver/rfbserver.c ++++ b/ica/x11/libvncserver/rfbserver.c +@@ -1462,11 +1462,21 @@ + int n=0; + + FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL); ++ + /* +- rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length); ++ We later alloc length+1, which might wrap around on 32-bit systems if length equals ++ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF ++ will safely be allocated since this check will never trigger and malloc() can digest length+1 ++ without problems as length is a uint32_t. + */ ++ if(length == SIZE_MAX) { ++ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); ++ rfbCloseClient(cl); ++ return NULL; ++ } ++ + if (length>0) { +- buffer=malloc((uint64_t)length+1); ++ buffer=malloc((size_t)length+1); + if (buffer!=NULL) { + if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) { + if (n != 0) diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20750.patch italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20750.patch --- italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20750.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20750.patch 2019-11-28 08:38:53.000000000 +0100 
@@ -0,0 +1,42 @@ +From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Mon, 7 Jan 2019 10:40:01 +0100 +Subject: [PATCH] Limit length to INT_MAX bytes in + rfbProcessFileTransferReadBuffer() + +This amends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap +out-of-bound write access in rfbProcessFileTransferReadBuffer() when +reading a transferred file content in a server. The former fix did not +work on platforms with a 32-bit int type (expected by rfbReadExact()). + +CVE-2018-15127 +<https://github.com/LibVNC/libvncserver/issues/243> +<https://github.com/LibVNC/libvncserver/issues/273> +--- + libvncserver/rfbserver.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/ica/x11/libvncserver/rfbserver.c ++++ b/ica/x11/libvncserver/rfbserver.c +@@ -87,6 +87,8 @@ + #include <time.h> + /* PRIu32 */ + #include <inttypes.h> ++/* INT_MAX */ ++#include <limits.h> + + #ifdef LIBVNCSERVER_WITH_WEBSOCKETS + #include "rfbssl.h" +@@ -1468,8 +1470,11 @@ + 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF + will safely be allocated since this check will never trigger and malloc() can digest length+1 + without problems as length is a uint32_t. ++ We also later pass length to rfbReadExact() that expects a signed int type and ++ that might wrap on platforms with a 32-bit int type if length is bigger ++ than 0X7FFFFFFF. 
+ */ +- if(length == SIZE_MAX) { ++ if(length == SIZE_MAX || length > INT_MAX) { + rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); + rfbCloseClient(cl); + return NULL; diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-7225.patch italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-7225.patch --- italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-7225.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-7225.patch 2019-11-28 08:35:55.000000000 +0100 
@@ -0,0 +1,46 @@ +From: Markus Koschany <[email protected]> +Date: Tue, 5 Jun 2018 14:04:07 +0200 +Subject: CVE-2018-7225 + +Bug-Debian: https://bugs.debian.org/894045 +Origin: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee +--- + libvncserver/rfbserver.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/ica/x11/libvncserver/rfbserver.c ++++ b/ica/x11/libvncserver/rfbserver.c +@@ -85,6 +85,8 @@ + #include <errno.h> + /* strftime() */ + #include <time.h> ++/* PRIu32 */ ++#include <inttypes.h> + + #ifdef LIBVNCSERVER_WITH_WEBSOCKETS + #include "rfbssl.h" +@@ -2577,7 +2579,23 @@ + + msg.cct.length = Swap32IfLE(msg.cct.length); + +- str = (char *)malloc(msg.cct.length); ++ /* uint32_t input is passed to malloc()'s size_t argument, ++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int ++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int ++ * argument. Here we impose a limit of 1 MB so that the value fits ++ * into all of the types to prevent from misinterpretation and thus ++ * from accessing uninitialized memory (CVE-2018-7225) and also to ++ * prevent from a denial-of-service by allocating to much memory in ++ * the server. */ ++ if (msg.cct.length > 1<<20) { ++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", ++ msg.cct.length); ++ rfbCloseClient(cl); ++ return; ++ } ++ ++ /* Allow zero-length client cut text. */ ++ str = (char *)calloc(msg.cct.length ? 
msg.cct.length : 1, 1); + if (str == NULL) { + rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); + rfbCloseClient(cl); diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2019-15681.patch italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2019-15681.patch --- italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2019-15681.patch 1970-01-01 01:00:00.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2019-15681.patch 2019-11-28 08:38:55.000000000 +0100 @@ -0,0 +1,21 @@ +From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001 +From: Christian Beier <[email protected]> +Date: Mon, 19 Aug 2019 22:32:25 +0200 +Subject: [PATCH] rfbserver: don't leak stack memory to the remote + +Thanks go to Pavel Cheremushkin of Kaspersky for reporting. +--- + libvncserver/rfbserver.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/ica/x11/libvncserver/rfbserver.c ++++ b/ica/x11/libvncserver/rfbserver.c +@@ -3529,6 +3529,8 @@ + rfbServerCutTextMsg sct; + rfbClientIteratorPtr iterator; + ++ memset((char *)&sct, 0, sizeof(sct)); ++ + iterator = rfbGetClientIterator(rfbScreen); + while ((cl = rfbClientIteratorNext(iterator)) != NULL) { + sct.type = rfbServerCutText; diff -Nru italc-3.0.3+dfsg1/debian/patches/series italc-3.0.3+dfsg1/debian/patches/series --- italc-3.0.3+dfsg1/debian/patches/series 2017-01-20 10:50:55.000000000 +0100 +++ italc-3.0.3+dfsg1/debian/patches/series 2019-11-28 08:48:52.000000000 +0100 
@@ -1,2 +1,16 @@ 1005_gcc47-ftbfs.patch 2001_inject-buildtype-from-outside.patch +libvncserver_CVE-2018-7225.patch +libvnc_server+client_CVE-2018-15127-CVE-2018-20019.patch +libvncclient_CVE-2018-20020.patch +libvncclient_CVE-2018-20021.patch +libvncclient_CVE-2018-20022.patch +libvncclient_CVE-2018-20023.patch +libvncclient_CVE-2018-20024.patch +libvncclient_CVE-2018-20748-1.patch +libvncclient_CVE-2018-20748-2.patch +libvncclient_CVE-2018-20748-3.patch +libvncclient_CVE-2018-20748-4.patch +libvncserver_CVE-2018-20749.patch +libvncserver_CVE-2018-20750.patch +libvncserver_CVE-2019-15681.patch
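Review bot: the debian/changelog hunk claims fixes for CVE-2018-6307 (heap use-after-free in the file transfer server code) and CVE-2018-15126 (heap use-after-free, possible RCE), but no file added to debian/patches/series carries either CVE in its name, and none of the Description:/Subject: headers in the patch files mention them; every other changelog entry maps to a named patch. Either the two entries are wrong or the fixes arrive through one of the listed patches undocumented; the changelog and the patch set should agree before this goes to stable, since the <no-dsa> tracker entries for those two CVEs will be closed on the strength of this changelog.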
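Review bot: the new bound check in libvncclient_CVE-2018-20020.patch (corre.c, "hdr.nSubrects > RFB_BUFFER_SIZE / (4 + (BPP / 8))") rejects silently, whereas the comparable server-sent-length checks in the CVE-2018-20748 patches log the offending value with rfbClientErr() before returning FALSE. Suggest splitting the combined condition and logging hdr.nSubrects on the reject path so an operator can distinguish a hostile or buggy server from a plain read error; the remaining flow (FillRectangle before the read, ReadFromRFBServer into client->buffer) is unchanged and the bound itself is the right one for that buffer.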
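Review bot: in libvncclient_CVE-2018-20021.patch the loop guard "while (linesToRead && h > 0)" stops the spin when bytesPerLine exceeds RFB_BUFFER_SIZE (linesToRead == 0), but the hunk shows no error return for that case: with linesToRead zero the loop body is skipped and execution falls through as if the rectangle had been consumed, leaving its pixel data unread on the socket so that the next message is parsed from the middle of it. Consider returning FALSE (with an rfbClientErr naming bytesPerLine) when linesToRead is 0 instead of falling through; the existing "Regardless of cause, do not divide by zero." comment in the context is the natural place for that check.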
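Review bot: libvncclient_CVE-2018-20023.patch changes what goes on the wire, not only the uninitialised read: the old code wrote the full 250-byte tmphost buffer, the new code writes tmphostlen + 1 bytes (the string plus its NUL). If the repeater at the other end reads a fixed 250-byte ID field, the bytes after the NUL will now be taken from whatever the client sends next. A fix that keeps the wire format would be "memset(tmphost, 0, sizeof(tmphost));" before the snprintf while still writing sizeof(tmphost), keeping the new truncation check. That check ("tmphostlen < 0 || tmphostlen >= (int)sizeof(tmphost)") is itself correct: snprintf returns the would-be length, so a destHost that does not fit is rejected rather than silently truncated.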
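Review bot: both hunks in libvncclient_CVE-2018-20024.patch return FALSE when malloc() fails but leave client->raw_buffer_size at the value that was just enlarged (including the round-up to a multiple of 4 visible in the context) while client->raw_buffer is NULL. If the code above the hunk decides whether to reallocate by comparing the required size against raw_buffer_size (not visible here), a later call could conclude that a buffer of that size already exists. Suggest resetting "client->raw_buffer_size = 0;" on the failure path. The context also does not show the previous raw_buffer being freed before the new malloc(); worth confirming that happens above the hunk.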
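Review bot: in libvncclient_CVE-2018-20748-1.patch the 1 MB bound on msg.sct.length is right, but the line immediately after it, "buffer = malloc((uint64_t)msg.sct.length+1);", is still not NULL-checked before "ReadFromRFBServer(client, buffer, msg.sct.length)" writes into it. With the cap in place the allocation is at most 1 MB + 1, so failure is unlikely, but a NULL check returning FALSE would make this path consistent with the desktopName handling in libvncclient_CVE-2018-20748-3.patch, whose context shows "if (!client->desktopName) {" right after its malloc().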
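Review bot: the ReadReason() introduced at the top of libvncclient_CVE-2018-20748-2.patch still does "reason = malloc(reasonLen+1);" without a NULL check before ReadFromRFBServer() writes into it, and the over-limit message "VNC connection failed, but sent reason length of %u exceeds limit of 1MB" lacks the trailing "\n" that every other rfbClientLog()/rfbClientErr() call in these patches ends with. Moving the function above rfbHandleAuthResult() and deleting the second copy below is fine; note that the deleted copy is the one libvnc_server+client_CVE-2018-15127-CVE-2018-20019.patch had given a (uint64_t) cast earlier in the series, and dropping that cast is acceptable only because the 1 MB limit now bounds reasonLen.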
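Review bot: the "(uint64_t)reasonLen+1" and "(uint64_t)length+1" casts in libvnc_server+client_CVE-2018-15127-CVE-2018-20019.patch only help where size_t is 64-bit: on a 32-bit target the uint64_t sum is converted back to a 32-bit size_t at the malloc() call, so 0xFFFFFFFF+1 still becomes malloc(0). That is what libvncserver_CVE-2018-20749.patch and libvncserver_CVE-2018-20750.patch later repair on the rfbserver.c side, and what the 1 MB limits in the CVE-2018-20748 patches repair on the client side, so the series as a whole is sound; it would help a future reader if this patch's Description: block said that it is completed by those rather than presenting itself as the fix. The cut-text hunk's added free(buffer) on the read-failure path is a correct leak fix.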
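Review bot: the "length == SIZE_MAX" test added in libvncserver_CVE-2018-20749.patch is dead on 64-bit targets, as its own comment admits (a uint32_t can never equal a 64-bit SIZE_MAX), and it does not cover the hazard visible in the same hunk: "rfbReadExact(cl, (char *)buffer, length)" takes an int, so any length above 0x7FFFFFFF goes negative there. libvncserver_CVE-2018-20750.patch adds the "length > INT_MAX" half, so the pair is correct once both are applied; since 20749 is never shipped here without 20750, consider folding them into one patch or stating in 20749's header that it is incomplete on its own. Minor: the rfbErr() line "too big file transfer length requested: %u" has no trailing "\n", unlike the rfbLog() added by libvncserver_CVE-2018-7225.patch.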
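Review bot: style only, in libvncserver_CVE-2019-15681.patch the "(char *)" cast in "memset((char *)&sct, 0, sizeof(sct));" is unnecessary (memset takes a void *), and the client-side equivalents in libvncclient_CVE-2018-20022.patch use the plain "memset(&ke, 0, sizeof(ke));" form; matching that keeps the two fixes for the same pattern (a message struct sent with only some fields assigned, so the rest carries stack contents) readable side by side. The fix itself is right: zeroing sct before assigning type and length means no unassigned bytes reach the client.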
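Review bot: the headers in debian/patches are inconsistent: the Abhijith PA patches carry DEP-3 Description/Origin/Bug/Bug-Debian/Last-Update fields, while libvncclient_CVE-2018-20748-*.patch, libvncserver_CVE-2018-20749.patch, libvncserver_CVE-2018-20750.patch and libvncserver_CVE-2019-15681.patch are raw git format-patch output whose diffstat lines (for example "libvncclient/rfbproto.c | 5 +++++") refer to the upstream paths rather than the rewritten ica/x11/... paths in the hunks, and carry no Origin: URL pointing at the upstream commit. Adding Origin: (the hash is in each From line) and Bug-Debian: to those would make every backport's provenance checkable. The order in series is correct as far as the context lines show: libvncserver_CVE-2018-7225.patch adds the "#include <inttypes.h>" that libvncserver_CVE-2018-20750.patch's context expects, and libvnc_server+client_CVE-2018-15127-CVE-2018-20019.patch adds the (uint64_t) cast that libvncclient_CVE-2018-20748-4.patch removes.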

