armin76 14/03/20 19:10:56 Added: CVE-2014-0011.patch Log: Bump to 1.3.1 and patch 1.2.80_p5065 wrt security bug #505170 (Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0xF6AD3240)
Revision Changes Path 1.1 net-misc/tigervnc/files/CVE-2014-0011.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/tigervnc/files/CVE-2014-0011.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/tigervnc/files/CVE-2014-0011.patch?rev=1.1&content-type=text/plain
Index: CVE-2014-0011.patch
===================================================================
diff -up tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 tigervnc-1.3.0/common/CMakeLists.txt
--- tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 2013-07-01 13:42:01.000000000 +0100
+++ tigervnc-1.3.0/common/CMakeLists.txt 2014-02-04 16:59:10.840037314 +0000
@@ -23,3 +23,6 @@ if(CMAKE_COMPILER_IS_GNUCXX AND (CMAKE_S
 set_target_properties(zlib PROPERTIES COMPILE_FLAGS -fPIC)
 endif()
 endif()
+
+# Turn asserts on.
+set_target_properties(rdr rfb PROPERTIES COMPILE_FLAGS -UNDEBUG)
diff -up tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 tigervnc-1.3.0/common/rfb/zrleDecode.h
--- tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 2013-07-01 13:41:59.000000000 +0100
+++ tigervnc-1.3.0/common/rfb/zrleDecode.h 2014-02-04 16:17:00.881565540 +0000
@@ -25,9 +25,10 @@
 // FILL_RECT - fill a rectangle with a single colour
 // IMAGE_RECT - draw a rectangle of pixel data from a buffer
+#include <stdio.h>
 #include <rdr/InStream.h>
 #include <rdr/ZlibInStream.h>
-#include <assert.h>
+#include <rfb/Exception.h>
 namespace rfb {
@@ -143,7 +144,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In
 len += b;
 } while (b == 255);
- assert(len <= end - ptr);
+ if (end - ptr < len) {
+ fprintf (stderr, "ZRLE decode error\n");
+ throw Exception ("ZRLE decode error");
+ }
 #ifdef FAVOUR_FILL_RECT
 int i = ptr - buf;
@@ -193,7 +197,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In
 len += b;
 } while (b == 255);
- assert(len <= end - ptr);
+ if (end - ptr < len) {
+ fprintf (stderr, "ZRLE decode error\n");
+ throw Exception ("ZRLE decode error");
+ }
 }
 index &= 127;
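Review bot: `set_target_properties(rdr rfb PROPERTIES COMPILE_FLAGS -UNDEBUG)` assigns the COMPILE_FLAGS property rather than appending to it, so any flags set on `rdr` or `rfb` earlier are replaced. The enclosing `if(CMAKE_COMPILER_IS_GNUCXX ...)` block starts outside the hunk and sets `-fPIC` on `zlib` through the same property; if `rdr`/`rfb` receive `-fPIC` the same way, this line would silently drop it. Appending avoids that: `set_property(TARGET rdr rfb APPEND_STRING PROPERTY COMPILE_FLAGS " -UNDEBUG")`. The comment `# Turn asserts on.` could also state why they stay enabled in release builds, for example that the remaining `assert()` calls in these libraries are relied on as checks on data received from the peer, if that is the intent.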
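Review bot: `#include <stdio.h>` is added to this header only to support the `fprintf (stderr, "ZRLE decode error\n");` calls in the -143 and -193 hunks, which print the same text that the thrown `Exception` already carries. A decoder header that writes to stderr directly produces duplicate output and bypasses however the caller chooses to report or suppress the exception. Dropping both `fprintf` lines and this include would leave `throw Exception ("ZRLE decode error");` as the single report of the failure.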
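Review bot: The new guard `if (end - ptr < len)` in the -143 hunk rejects a run that is too long but not a non-positive `len`. `len` is declared outside the hunk; if it is a signed integer, the preceding `len += b` loop keeps adding for as long as the stream supplies 255 and has no upper bound, so the value reaching this check is not guaranteed to be positive. `if (len <= 0 || end - ptr < len) {` would close that case here and in the identical block in the -193 hunk; performing the comparison inside the `do`/`while` would additionally stop reading once the run already exceeds the remaining tile. The body of ZRLE_DECODE starts and ends outside both hunks.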