upload libvncserver
Hello.
I prepared an LTS security update for libvncserver [1]. Please review and
upload. I have tested it with remmina-plugin-vnc.
[1]
https://mentors.debian.net/debian/pool/main/libv/libvncserver/libvncserver_0.9.9+dfsg-1+deb7u3.dsc
--abhijith
diff -Nru libvncserver-0.9.9+dfsg/debian/changelog libvncserver-0.9.9+dfsg/debian/changelog
--- libvncserver-0.9.9+dfsg/debian/changelog 2017-01-03 21:03:05.000000000 +0530
+++ libvncserver-0.9.9+dfsg/debian/changelog 2018-03-29 22:55:20.000000000 +0530
@@ -1,3 +1,13 @@
+libvncserver (0.9.9+dfsg-1+deb7u3) wheezy-security; urgency=high
+
+ * Non-maintainer upload for the Debian LTS Team.
+ * CVE-2018-7225: rfbserver.c does not sanitize msg.cct.length, leading to
+ access to uninitialized and potentially sensitive data or possibly
+ unspecified other impact (e.g., an integer overflow) via specially crafted
+ VNC packets (Closes: #894045)
+
+ -- Abhijith PA <abhijith@disroot.org> Thu, 29 Mar 2018 22:55:20 +0530
+
libvncserver (0.9.9+dfsg-1+deb7u2) wheezy-security; urgency=high
* CVE-2016-9941: Fix a heap-based buffer overflow that allows remote servers
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch
--- libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch 1970-01-01 05:30:00.000000000 +0530
+++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch 2018-03-29 22:55:20.000000000 +0530
@@ -0,0 +1,48 @@
+Description: Fix CVE-2018-7225
+ rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length
+ , leading to access to uninitialized and potentially sensitive data or possibly
+ unspecified other impact (e.g., an integer overflow) via specially crafted VNC
+ packets.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Bug-Debian: https://bugs.debian.org/894045
+Origin: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee
+Bug: https://github.com/LibVNC/libvncserver/issues/218
+Last-Update: 2018-03-29
+
+--- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c
++++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c
+@@ -74,6 +74,8 @@
+ #include <errno.h>
+ /* strftime() */
+ #include <time.h>
++/* PRIu32 */
++#include <inttypes.h>
+
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -2487,7 +2489,23 @@ rfbProcessClientNormalMessage(rfbClientP
+
+ msg.cct.length = Swap32IfLE(msg.cct.length);
+
+- str = (char *)malloc(msg.cct.length);
++ /* uint32_t input is passed to malloc()'s size_t argument,
++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
++ * argument. Here we impose a limit of 1 MB so that the value fits
++ * into all of the types to prevent from misinterpretation and thus
++ * from accessing uninitialized memory (CVE-2018-7225) and also to
++ * prevent from a denial-of-service by allocating to much memory in
++ * the server. */
++ if (msg.cct.length > 1<<20) {
++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
++ msg.cct.length);
++ rfbCloseClient(cl);
++ return;
++ }
++
++ /* Allow zero-length client cut text. */
++ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+ if (str == NULL) {
+ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+ rfbCloseClient(cl);
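Review bot: The cap in `if (msg.cct.length > 1<<20)` is a bare magic number that is explained only by the comment above it; giving it a name, e.g. `#define rfbClientCutTextMaxLength (1U<<20)` and comparing against that, keeps the limit, the explanation and the log message in one place and avoids comparing the `uint32_t` field against a signed `int` shift. The comment also reads `allocating to much memory`; it should be `too much memory`. The check itself looks right: it runs before any allocation or read, and the rejected length is logged before the client is dropped, which is what an operator investigating a malicious client would want to see. rfbProcessClientNormalMessage begins and ends outside this hunk, so the later rfbReadExact() and setXCutText() calls the comment refers to are not visible here and I have not verified them.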
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/series libvncserver-0.9.9+dfsg/debian/patches/series
--- libvncserver-0.9.9+dfsg/debian/patches/series 2017-01-03 21:08:12.000000000 +0530
+++ libvncserver-0.9.9+dfsg/debian/patches/series 2018-03-29 22:55:20.000000000 +0530
@@ -8,3 +8,4 @@
CVE-2015-6053.patch
CVE-2016-9942.patch
CVE-2016-9941.patch
+CVE-2018-7225.patch