Hello community,

here is the log from the commit of package LibVNCServer for openSUSE:Factory 
checked in at 2020-04-29 20:41:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/LibVNCServer (Old)
 and      /work/SRC/openSUSE:Factory/.LibVNCServer.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "LibVNCServer"

Wed Apr 29 20:41:20 2020 rev:41 rq:798132 version:0.9.12

Changes:
--------
--- /work/SRC/openSUSE:Factory/LibVNCServer/LibVNCServer.changes        
2020-01-12 23:18:30.186685625 +0100
+++ /work/SRC/openSUSE:Factory/.LibVNCServer.new.2738/LibVNCServer.changes      
2020-04-29 20:42:10.139609266 +0200
@@ -1,0 +2,10 @@
+Mon Apr 27 09:20:21 UTC 2020 - [email protected]
+
+- security update
+- added patches
+  fix CVE-2019-15690 [bsc#1160471], heap buffer overflow
+  + LibVNCServer-CVE-2019-15690.patch
+  fix CVE-2019-20788 [bsc#1170441], integer overflow and heap-based buffer 
overflow via a large height or width value
+  + LibVNCServer-CVE-2019-20788.patch
+
+-------------------------------------------------------------------

New:
----
  LibVNCServer-CVE-2019-15690.patch
  LibVNCServer-CVE-2019-20788.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ LibVNCServer.spec ++++++
--- /var/tmp/diff_new_pack.ts1xBF/_old  2020-04-29 20:42:10.859611143 +0200
+++ /var/tmp/diff_new_pack.ts1xBF/_new  2020-04-29 20:42:10.863611153 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package LibVNCServer
 #
-# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,7 +23,7 @@
 Summary:        VNC Development Library
 License:        GPL-2.0-or-later
 Group:          Development/Libraries/X11
-Url:            https://github.com/LibVNC/libvncserver
+URL:            https://github.com/LibVNC/libvncserver
 # Archive is renamed by github
 Source0:        
https://github.com/LibVNC/libvncserver/archive/%{name}-%{version}.tar.gz
 Source1:        baselibs.conf
@@ -38,6 +38,10 @@
 Patch4:         avoid-pthread_join-if-backgroundLoop-is-FALSE.patch
 # PATCH-FIX-UPSTREAM: https://github.com/LibVNC/libvncserver/pull/361
 Patch5:         fix-crash-on-shutdown.patch
+# CVE-2019-20788 [bsc#1170441], integer overflow and heap-based buffer 
overflow via a large height or width value
+Patch6:         LibVNCServer-CVE-2019-20788.patch
+# CVE-2019-15690 [bsc#1160471], heap buffer overflow
+Patch7:         LibVNCServer-CVE-2019-15690.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
 BuildRequires:  libavahi-devel
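Review bot: The comments introducing Patch6 and Patch7 do not follow the `# PATCH-FIX-UPSTREAM: <url>` convention that Patch5 uses two lines above, so a reader cannot tell whether these two CVE patches are backports of upstream commits or SUSE-local fixes. The CVE-2019-15690 patch below carries git index hashes, which suggests an upstream origin, but the spec should say so; suggest `# PATCH-FIX-UPSTREAM CVE-2019-20788 [bsc#1170441] <UPSTREAM-COMMIT-URL placeholder> integer overflow and heap-based buffer overflow via a large height or width value` and the matching line for CVE-2019-15690.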
@@ -109,6 +113,8 @@
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
 #%patch2 -p1
 # fix encoding
 for file in ChangeLog ; do

++++++ LibVNCServer-CVE-2019-15690.patch ++++++
diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
index 67f45726..40ffb3b0 100644
--- a/libvncclient/cursor.c
+++ b/libvncclient/cursor.c
@@ -28,6 +28,8 @@
 #define OPER_SAVE     0
 #define OPER_RESTORE  1
 
+#define MAX_CURSOR_SIZE 1024
+
 #define RGB24_TO_PIXEL(bpp,r,g,b)                                       \
    ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255          
   \
     << client->format.redShift |                                              \
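Review bot: `#define MAX_CURSOR_SIZE 1024` is added without a comment, so a maintainer cannot tell whether 1024 is a protocol maximum or an arbitrary cap that may be tuned. Since the value decides which server-sent cursors are rejected outright, suggest `/* Cap on the width and height of a server-sent cursor; bounds the pixel and mask allocations in HandleCursorShape. Not a protocol limit. */` above the define.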
@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int 
yhot, int width, int h
   if (width * height == 0)
     return TRUE;
 
+  if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
+    return FALSE;
+
   /* Allocate memory for pixel data and temporary mask data. */
   if(client->rcSource)
     free(client->rcSource);
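Review bot: The new width/height guard is evaluated after `width * height == 0` on the line above it, and because the (truncated) signature declares both as `int`, a negative value passes both tests and reaches the allocation that follows. Moving the guard ahead of the product check and rejecting negatives closes both gaps: `if (width < 0 || height < 0 || width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) return FALSE;` placed before `if (width * height == 0)`. Whether negative values can actually arrive depends on the caller, which presumably decodes them from an unsigned rectangle header outside this hunk, so this is defence in depth rather than a known reachable path. HandleCursorShape's body continues beyond the end of the hunk.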

++++++ LibVNCServer-CVE-2019-20788.patch ++++++
Index: libvncserver-LibVNCServer-0.9.12/libvncclient/rfbproto.c
===================================================================
--- libvncserver-LibVNCServer-0.9.12.orig/libvncclient/rfbproto.c       
2019-01-06 20:09:30.000000000 +0100
+++ libvncserver-LibVNCServer-0.9.12/libvncclient/rfbproto.c    2020-04-27 
10:32:26.192984242 +0200
@@ -225,6 +225,7 @@ ClearServer2Client(rfbClient* client, in
   client->supportedMessages.server2client[((messageType & 0xFF)/8)] &= 
(!(1<<(messageType % 8)));
 }
 
+#define MAX_TEXTCHAT_SIZE 10485760 /* 10MB */
 
 void
 DefaultSupportedMessages(rfbClient* client)
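Review bot: The trailing `/* 10MB */` on the new `MAX_TEXTCHAT_SIZE` define only restates the number; it does not say what the bound protects, so the next reader cannot judge whether it may be lowered. Suggest `/* Upper bound on a server-sent TextChat payload; keeps the length+1 allocation in HandleRFBServerMessage from wrapping or exhausting memory */`. The define also sits between two unrelated functions; if the file groups its other limits elsewhere, placing it with them would be clearer.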
@@ -2268,6 +2269,8 @@ HandleRFBServerMessage(rfbClient* client
               client->HandleTextChat(client, (int)rfbTextChatFinished, NULL);
           break;
       default:
+         if(msg.tc.length > MAX_TEXTCHAT_SIZE)
+             return FALSE;
           buffer=malloc(msg.tc.length+1);
           if (!ReadFromRFBServer(client, buffer, msg.tc.length))
           {
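Review bot: The line after the new size check still passes an unchecked `malloc` result to `ReadFromRFBServer`, so on allocation failure the read lands on a NULL buffer; the new cap makes that unlikely but not impossible. Suggest `buffer=malloc(msg.tc.length+1); if (!buffer) return FALSE;`. Rejecting an oversized length silently also hides a misbehaving or hostile server from the operator; if the file's logging helper (rfbClientErr) is available, emitting one line before the `return FALSE` aids detection. The failure branch of the read continues outside the hunk.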
