Hello community, here is the log from the commit of package LibVNCServer for openSUSE:Factory checked in at 2018-05-19 15:40:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/LibVNCServer (Old) and /work/SRC/openSUSE:Factory/.LibVNCServer.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "LibVNCServer" Sat May 19 15:40:56 2018 rev:37 rq:607448 version:0.9.10
Changes:
--------
--- /work/SRC/openSUSE:Factory/LibVNCServer/LibVNCServer.changes 2016-05-31 12:10:19.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.LibVNCServer.new/LibVNCServer.changes 2018-05-19 15:41:11.741416853 +0200
@@ -1,0 +2,7 @@
+Tue Mar 20 07:42:09 UTC 2018 - [email protected]
+
+- security update
+ * CVE-2018-7225 [bsc#1081493]
+ + LibVNCServer-CVE-2018-7225.patch
+
+-------------------------------------------------------------------
New:
----
LibVNCServer-CVE-2018-7225.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ LibVNCServer.spec ++++++
--- /var/tmp/diff_new_pack.iTdSpB/_old 2018-05-19 15:41:12.405392560 +0200
+++ /var/tmp/diff_new_pack.iTdSpB/_new 2018-05-19 15:41:12.409392413 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package LibVNCServer
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 Version: 0.9.10
 Release: 0
 Summary: VNC Development Library
-License: GPL-2.0+
+License: GPL-2.0-or-later
 Group: Development/Libraries/X11
 Url: https://github.com/LibVNC/libvncserver
 # Archive is renamed by github
@@ -36,6 +36,7 @@
 Patch12: libvncserver-%{version}-ossl.patch
 #PATCH-FIX-UPSTREAM: use namespaced rfbMax macro (avoids conflicts with stl_algobase.h), picked from upstream
 Patch13: libvncserver-0.9.10-use-namespaced-rfbMax-macro.patch
+Patch14: LibVNCServer-CVE-2018-7225.patch
 BuildRequires: libavahi-devel
 BuildRequires: libgcrypt-devel
 BuildRequires: libjpeg-devel
@@ -109,6 +110,7 @@
 %patch11
 %patch12
 %patch13 -p1
+%patch14 -p1
 # fix encoding
 for file in AUTHORS ChangeLog ; do
 mv ${file} ${file}.OLD && \
++++++ LibVNCServer-CVE-2018-7225.patch ++++++
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 116c4889..4fc4d9d5 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -88,6 +88,8 @@
 #include <errno.h>
 /* strftime() */
 #include <time.h>
+/* PRIu32 */
+#include <inttypes.h>

 #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
 #include "rfbssl.h"
@@ -2575,7 +2577,23 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
 msg.cct.length = Swap32IfLE(msg.cct.length);

- str = (char *)malloc(msg.cct.length);
+ /* uint32_t input is passed to malloc()'s size_t argument,
+ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
+ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
+ * argument. Here we impose a limit of 1 MB so that the value fits
+ * into all of the types to prevent from misinterpretation and thus
+ * from accessing uninitialized memory (CVE-2018-7225) and also to
+ * prevent from a denial-of-service by allocating to much memory in
+ * the server. */
+ if (msg.cct.length > 1<<20) {
+ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
+ msg.cct.length);
+ rfbCloseClient(cl);
+ return;
+ }
+
+ /* Allow zero-length client cut text. */
+ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
 if (str == NULL) {
 rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
 rfbCloseClient(cl);
