Hello community, here is the log from the commit of package tigervnc for openSUSE:Factory checked in at 2014-11-03 13:11:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tigervnc (Old) and /work/SRC/openSUSE:Factory/.tigervnc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tigervnc" Changes: -------- --- /work/SRC/openSUSE:Factory/tigervnc/tigervnc.changes 2014-10-14 07:10:21.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.tigervnc.new/tigervnc.changes 2014-11-03 13:11:59.000000000 +0100 @@ -1,0 +2,7 @@ +Thu Oct 30 13:33:27 UTC 2014 - m...@suse.com + +- u_tigervnc-cve-2014-8240.patch + * Prevent potentially dangerous integer overflow. + (bnc#900896 CVE-2014-8240) + +------------------------------------------------------------------- New: ---- u_tigervnc-cve-2014-8240.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tigervnc.spec ++++++ --- /var/tmp/diff_new_pack.nN6nd0/_old 2014-11-03 13:12:00.000000000 +0100 +++ /var/tmp/diff_new_pack.nN6nd0/_new 2014-11-03 13:12:00.000000000 +0100 @@ -113,6 +113,7 @@ Patch9: U_include-vencrypt-only-if-any-subtype-present.patch Patch10: u_tigervnc-check-shm-harder.patch Patch11: u_tigervnc-use_preferred_mode.patch +Patch12: u_tigervnc-cve-2014-8240.patch # Xserver patches Patch20: tigervnc-1.2.80-fix-int-to-pointer.patch @@ -157,6 +158,7 @@ %patch9 -p0 %patch10 -p0 %patch11 -p0 +%patch12 -p1 pushd unix/xserver patch -p1 < ../xserver114.patch ++++++ u_tigervnc-cve-2014-8240.patch ++++++ Patch-Mainline: To be upstreamed References: bnc#900896 CVE-2014-8240 Signed-off-by: Michal Srb <m...@suse.com> diff -up tigervnc-1.3.1/unix/x0vncserver/Image.cxx.CVE-2014-8240 tigervnc-1.3.1/unix/x0vncserver/Image.cxx --- tigervnc-1.3.1/unix/x0vncserver/Image.cxx.CVE-2014-8240 2008-03-19 16:14:48.000000000 +0000 +++ tigervnc-1.3.1/unix/x0vncserver/Image.cxx 2014-10-16 12:23:08.013339234 +0100 
@@ -80,6 +80,14 @@ void Image::Init(int width, int height) xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)), ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0); + if (xim->bytes_per_line <= 0 || + xim->height <= 0 || + xim->height >= INT_MAX / xim->bytes_per_line) { + vlog.error("Invalid display size"); + XDestroyImage(xim); + exit(1); + } + xim->data = (char *)malloc(xim->bytes_per_line * xim->height); if (xim->data == NULL) { vlog.error("malloc() failed"); @@ -254,6 +262,17 @@ void ShmImage::Init(int width, int heigh delete shminfo; shminfo = NULL; return; + } + + if (xim->bytes_per_line <= 0 || + xim->height <= 0 || + xim->height >= INT_MAX / xim->bytes_per_line) { + vlog.error("Invalid display size"); + XDestroyImage(xim); + xim = NULL; + delete shminfo; + shminfo = NULL; + return; } shminfo->shmid = shmget(IPC_PRIVATE, diff -up tigervnc-1.3.1/vncviewer/X11PixelBuffer.cxx.CVE-2014-8240 tigervnc-1.3.1/vncviewer/X11PixelBuffer.cxx --- tigervnc-1.3.1/vncviewer/X11PixelBuffer.cxx.CVE-2014-8240 2011-08-23 13:04:46.000000000 +0100 +++ tigervnc-1.3.1/vncviewer/X11PixelBuffer.cxx 2014-10-16 12:22:53.053261132 +0100 @@ -105,6 +105,15 @@ PlatformPixelBuffer::PlatformPixelBuffer ZPixmap, 0, 0, width, height, BitmapPad(fl_display), 0); assert(xim); + if (xim->bytes_per_line <= 0 || + xim->height <= 0 || + xim->height >= INT_MAX / xim->bytes_per_line) { + if (xim) + XDestroyImage(xim); + xim = NULL; + throw rfb::Exception("Invalid display size"); + } + xim->data = (char*)malloc(xim->bytes_per_line * xim->height); assert(xim->data); } 
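Review bot: In Image::Init the added guard reads `xim->bytes_per_line` directly after `XCreateImage()`, and the visible lines have no NULL test between the two, so a failed image creation is dereferenced before the size check can reject anything. A check such as `if (xim == NULL) { vlog.error("XCreateImage() failed"); exit(1); }` placed ahead of the guard would close that gap. The guard itself does keep the `int` product `xim->bytes_per_line * xim->height` passed to `malloc()` below INT_MAX. Image::Init's body starts and continues outside the hunk.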
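Review bot: The three-condition size guard added in ShmImage::Init is the same expression as in Image::Init above and in both X11PixelBuffer.cxx hunks, and four hand-copied overflow checks can drift apart when one of them is edited later. A per-file helper, for example `static bool validImageSize(const XImage *xim) { return xim->bytes_per_line > 0 && xim->height > 0 && xim->height < INT_MAX / xim->bytes_per_line; }`, would keep the bound in one place. None of the hunks adds `#include <limits.h>`, so INT_MAX presumably arrives through an include that is not visible here; that is worth confirming for both files. ShmImage::Init starts and ends outside the hunk.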
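Review bot: The `if (xim)` inside the new guard in the PlatformPixelBuffer constructor can never be false, because the guard's condition has already dereferenced `xim`. The only NULL protection before it is `assert(xim)`, which is compiled out when NDEBUG is defined. Replacing the assert with `if (!xim) throw rfb::Exception("XCreateImage failed");` and calling `XDestroyImage(xim);` unconditionally would give release builds a real error path. The unchanged `assert(xim->data)` after `malloc()` has the same weakness and deserves the same treatment. The constructor's body starts outside the hunk.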
@@ -169,6 +178,16 @@ int PlatformPixelBuffer::setupShm() if (!xim) goto free_shminfo; + if (xim->bytes_per_line <= 0 || + xim->height <= 0 || + xim->height >= INT_MAX / xim->bytes_per_line) { + XDestroyImage(xim); + xim = NULL; + delete shminfo; + shminfo = NULL; + throw rfb::Exception("Invalid display size"); + } + shminfo->shmid = shmget(IPC_PRIVATE, xim->bytes_per_line * xim->height, IPC_CREAT|0777); -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
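Review bot: The new guard in setupShm() frees `xim` and `shminfo` by hand and then throws, while the failure just above it leaves through `goto free_shminfo`, so the function now has two error conventions and two copies of the cleanup. If the label does what its name suggests (its body is outside the hunk), `XDestroyImage(xim); xim = NULL; goto free_shminfo;` would reuse the existing cleanup and report the failure the same way as the other SHM errors. Whether callers of setupShm() are prepared for an `rfb::Exception` is not visible here and should be checked.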