
Bug#950256: stretch-pu: package italc/3.0.3+dfsg1-1+deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I have just uploaded an update of italc to Debian stretch, containing
several <no-dsa> security fixes in the bundled libvncserver code.

+  * Porting of libvncserver+libvncclient security patches:
+    - CVE-2018-7225: Uninitialized and potentially sensitive data could be
+      accessed by remote attackers because the msg.cct.length in rfbserver.c was
+      not sanitized.
+    - CVE-2018-15127: heap out-of-bound write vulnerability.
+    - CVE-2018-20019: multiple heap out-of-bound write vulnerabilities.
+    - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+      in VNC client code.
+    - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+    - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+    - CVE-2018-20023: Improper Initialization vulnerability in VNC Repeater
+      client code.
+    - CVE-2018-20024: null pointer dereference that can result DoS.
+    - CVE-2018-6307: heap use-after-free vulnerability in server code of
+      file transfer extension.
+    - CVE-2018-20748: incomplete fix for CVE-2018-20019 oob heap writes.
+    - CVE-2018-20749: incomplete fix for CVE-2018-15127 oob heap writes.
+    - CVE-2018-20750: incomplete fix for CVE-2018-15127 oob heap writes.
+    - CVE-2018-15126: heap use-after-free resulting in possible RCE.
+    - CVE-2019-15681: rfbserver: don't leak stack memory to the remote.

Furthermore, I updated the Vcs-*: fields (they were still pointing to Alioth).

+  * debian/control:
+    + Update Vcs-*: fields. Package has been migrated to salsa.debian.org.
+

Please note that italc was removed from Debian a while ago (stretch
was the last release to ship italc).

Greets,
Mike

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru italc-3.0.3+dfsg1/debian/changelog italc-3.0.3+dfsg1/debian/changelog
--- italc-3.0.3+dfsg1/debian/changelog	2017-01-20 11:28:48.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/changelog	2019-11-28 08:49:18.000000000 +0100
@@ -1,3 +1,30 @@
+italc (1:3.0.3+dfsg1-1+deb9u1) stretch; urgency=medium
+
+  * Porting of libvncserver+libvncclient security patches:
+    - CVE-2018-7225: Uninitialized and potentially sensitive data could be
+      accessed by remote attackers because the msg.cct.length in rfbserver.c was
+      not sanitized.
+    - CVE-2018-15127: heap out-of-bound write vulnerability.
+    - CVE-2018-20019: multiple heap out-of-bound write vulnerabilities.
+    - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+      in VNC client code.
+    - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+    - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+    - CVE-2018-20023: Improper Initialization vulnerability in VNC Repeater
+      client code.
+    - CVE-2018-20024: null pointer dereference that can result DoS.
+    - CVE-2018-6307: heap use-after-free vulnerability in server code of
+      file transfer extension.
+    - CVE-2018-20748: incomplete fix for CVE-2018-20019 oob heap writes.
+    - CVE-2018-20749: incomplete fix for CVE-2018-15127 oob heap writes.
+    - CVE-2018-20750: incomplete fix for CVE-2018-15127 oob heap writes.
+    - CVE-2018-15126: heap use-after-free resulting in possible RCE.
+    - CVE-2019-15681: rfbserver: don't leak stack memory to the remote.
+  * debian/control:
+    + Update Vcs-*: fields. Package has been migrated to salsa.debian.org.
+
+ -- Mike Gabriel <sunweaver@debian.org>  Thu, 28 Nov 2019 08:49:18 +0100
+
 italc (1:3.0.3+dfsg1-1) unstable; urgency=medium
 
   [ Mike Gabriel ]
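Review bot: the changelog entries for CVE-2018-6307 and CVE-2018-15126 claim both heap use-after-free issues are fixed, but no patch in this debdiff or in the updated debian/patches/series carries either CVE id, and the added patches that do touch the file-transfer code (CVE-2018-15127, -20749, -20750) only bound the allocation length. Either reference the patch that addresses them or drop the two entries so the changelog matches what ships. Minor wording: "null pointer dereference that can result DoS" reads better as "that can result in DoS".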
diff -Nru italc-3.0.3+dfsg1/debian/control italc-3.0.3+dfsg1/debian/control
--- italc-3.0.3+dfsg1/debian/control	2017-01-20 11:28:38.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/control	2019-11-28 08:49:18.000000000 +0100
@@ -31,8 +31,8 @@
  gcj-jdk | gcj,
 Standards-Version: 3.9.8
 Homepage: http://italc.sourceforge.net/home.php
-Vcs-Git: https://anonscm.debian.org/cgit/debian-edu/pkg-team/italc.git
-Vcs-Browser: https://anonscm.debian.org/cgit/debian-edu/pkg-team/italc.git
+Vcs-Git: https://salsa.debian.org/debian-edu-pkg-team/italc.git
+Vcs-Browser: https://salsa.debian.org/debian-edu-pkg-team/italc/
 
 Package: italc-master
 Architecture: any
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20020.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20020.patch
--- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20020.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20020.patch	2019-10-30 20:51:34.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20020
+ heap out-of-bound write vulnerability inside structure in VNC client code that
+ can result remote code execution
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/ica/x11/libvncclient/corre.c
++++ b/ica/x11/libvncclient/corre.c
+@@ -48,7 +48,7 @@
+ 
+     FillRectangle(client, rx, ry, rw, rh, pix);
+ 
+-    if (!ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8))))
++    if (hdr.nSubrects > RFB_BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ 	return FALSE;
+ 
+     ptr = (uint8_t *)client->buffer;
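Review bot: the DEP-3 fields (Author, Origin, Bug, Bug-Debian, Last-Update) sit below the "---" separator, which DEP-3 and quilt treat as the end of the patch header, so tooling will not pick them up; move them above the "---". The same layout repeats in the CVE-2018-20021, -20022, -20023, -20024 and -15127/-20019 patches. The bound check itself is right: RFB_BUFFER_SIZE / (4 + (BPP / 8)) is the largest nSubrects whose subrect data fits in client->buffer, so the multiplied read length can no longer overrun it.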
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20021.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20021.patch
--- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20021.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20021.patch	2019-11-28 08:36:39.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20021
+ CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows
+ attacker to consume excessive amount of resources like CPU and RAM
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
+Bug: https://github.com/LibVNC/libvncserver/issues/251
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/ica/x11/libvncclient/rfbproto.c
++++ b/ica/x11/libvncclient/rfbproto.c
+@@ -2002,7 +2002,7 @@
+ 	/* Regardless of cause, do not divide by zero. */
+ 	linesToRead = bytesPerLine ? (RFB_BUFFER_SIZE / bytesPerLine) : 0;
+ 
+-	while (h > 0) {
++	while (linesToRead && h > 0) {
+ 	  if (linesToRead > h)
+ 	    linesToRead = h;
+ 
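Review bot: with linesToRead forced to 0 when bytesPerLine exceeds RFB_BUFFER_SIZE the loop now terminates instead of spinning, but the hunk shows no error path: the rectangle's h lines are left unread and the function presumably continues as if successful, so the following pixel data would be parsed as the next message. Consider logging and returning FALSE when linesToRead is 0 so the malformed rectangle fails the connection rather than silently desynchronising the stream.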
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20022.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20022.patch
--- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20022.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20022.patch	2019-11-28 08:36:43.000000000 +0100
@@ -0,0 +1,31 @@
+Description: CVE-2018-20022
+ multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC
+ client code that allows attacker to read stack memory and can be abuse for
+ information disclosure. Combined with another vulnerability, it can be used
+ to leak stack memory layout and in bypassing ASLR
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
+Bug: https://github.com/LibVNC/libvncserver/issues/252
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/ica/x11/libvncclient/rfbproto.c
++++ b/ica/x11/libvncclient/rfbproto.c
+@@ -1768,6 +1768,7 @@
+ 
+   if (!SupportsClient2Server(client, rfbKeyEvent)) return TRUE;
+ 
++  memset(&ke, 0, sizeof(ke));
+   ke.type = rfbKeyEvent;
+   ke.down = down ? 1 : 0;
+   ke.key = rfbClientSwap32IfLE(key);
+@@ -1786,6 +1787,7 @@
+ 
+   if (!SupportsClient2Server(client, rfbClientCutText)) return TRUE;
+ 
++  memset(&cct, 0, sizeof(cct));
+   cct.type = rfbClientCutText;
+   cct.length = rfbClientSwap32IfLE(len);
+   return  (WriteToRFBServer(client, (char *)&cct, sz_rfbClientCutTextMsg) &&
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20023.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20023.patch
--- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20023.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20023.patch	2019-11-28 08:36:49.000000000 +0100
@@ -0,0 +1,37 @@
+Description: CVE-2018-20023
+ contains CWE-665: Improper Initialization vulnerability in VNC Repeater client
+ code that allows attacker to read stack memory and can be abuse for information
+ disclosure. Combined with another vulnerability, it can be used to leak stack
+ memory layout and in bypassing ASLR
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/8b06f835e259652b0ff026898014fc7297ade858
+Bug: https://github.com/LibVNC/libvncserver/issues/253
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/ica/x11/libvncclient/rfbproto.c
++++ b/ica/x11/libvncclient/rfbproto.c
+@@ -497,6 +497,7 @@
+   rfbProtocolVersionMsg pv;
+   int major,minor;
+   char tmphost[250];
++  int tmphostlen;
+ 
+ #ifdef LIBVNCSERVER_IPv6
+   client->sock = ConnectClientToTcpAddr6(repeaterHost, repeaterPort);
+@@ -532,8 +533,11 @@
+ 
+   rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n", major, minor);
+ 
+-  snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
+-  if (!WriteToRFBServer(client, tmphost, sizeof(tmphost)))
++  tmphostlen = snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
++  if(tmphostlen < 0 || tmphostlen >= (int)sizeof(tmphost))
++    return FALSE; /* snprintf error or output truncated */
++
++  if (!WriteToRFBServer(client, tmphost, tmphostlen + 1))
+     return FALSE;
+ 
+   return TRUE;
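Review bot: the write length changes from the fixed sizeof(tmphost) (250 bytes) to tmphostlen + 1, which removes the uninitialised-stack leak but also changes what goes on the wire: a repeater that expects a fixed 250-byte ID field would now read past the host string. If the protocol requires the fixed field, zero the buffer with memset(tmphost, 0, sizeof(tmphost)) and keep writing sizeof(tmphost); if a variable-length, NUL-terminated ID is acceptable, the snprintf truncation check and the tmphostlen + 1 write are correct as written.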
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20024.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20024.patch
--- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20024.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20024.patch	2019-10-30 20:51:44.000000000 +0100
@@ -0,0 +1,30 @@
+Description: CVE-2018-20024
+ null pointer dereference in VNC client code that can result DoS.
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7
+Bug: https://github.com/LibVNC/libvncserver/issues/254
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/ica/x11/libvncclient/ultra.c
++++ b/ica/x11/libvncclient/ultra.c
+@@ -66,6 +66,8 @@
+     if ((client->raw_buffer_size % 4)!=0)
+       client->raw_buffer_size += (4-(client->raw_buffer_size % 4));
+     client->raw_buffer = (char*) malloc( client->raw_buffer_size );
++    if(client->raw_buffer == NULL)
++      return FALSE;
+   }
+   
+   /* allocate enough space to store the incoming compressed packet */
+@@ -150,6 +152,8 @@
+     if ((client->raw_buffer_size % 4)!=0)
+       client->raw_buffer_size += (4-(client->raw_buffer_size % 4));
+     client->raw_buffer = (char*) malloc( client->raw_buffer_size );
++    if(client->raw_buffer == NULL)
++	return FALSE;
+   }
+ 
+  
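Review bot: when malloc fails, client->raw_buffer_size has already been updated in the preceding lines, so on the next rectangle the enlarge-and-allocate branch can be skipped while client->raw_buffer is still NULL; reset client->raw_buffer_size to 0 before returning FALSE in both hunks. Style: the second hunk's "return FALSE;" is tab-indented while the first uses spaces.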
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-1.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-1.patch
--- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-1.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-1.patch	2019-11-28 08:37:15.000000000 +0100
@@ -0,0 +1,25 @@
+From c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sat, 29 Dec 2018 14:16:58 +0100
+Subject: [PATCH] LibVNCClient: ignore server-sent cut text longer than 1MB
+
+This is in line with how LibVNCServer does it
+(28afb6c537dc82ba04d5f245b15ca7205c6dbb9c) and fixes part of #273.
+---
+ libvncclient/rfbproto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/ica/x11/libvncclient/rfbproto.c
++++ b/ica/x11/libvncclient/rfbproto.c
+@@ -2280,6 +2280,11 @@
+ 
+     msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);
+ 
++    if (msg.sct.length > 1<<20) {
++	    rfbClientErr("Ignoring too big cut text length sent by server: %u B > 1 MB\n", (unsigned int)msg.sct.length);
++	    return FALSE;
++    }  
++
+     buffer = malloc((uint64_t)msg.sct.length+1);
+ 
+     if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {
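Review bot: the 1 MB limit is good, but buffer = malloc((uint64_t)msg.sct.length+1) is still handed to ReadFromRFBServer without a NULL check, so an allocation failure becomes a NULL-pointer write. Add "if (!buffer) return FALSE;" after the malloc, as the CVE-2018-20748-3 patch does for client->desktopName.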
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-2.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-2.patch
--- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-2.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-2.patch	2019-11-28 08:36:55.000000000 +0100
@@ -0,0 +1,82 @@
+From e34bcbb759ca5bef85809967a268fdf214c1ad2c Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sat, 29 Dec 2018 14:40:53 +0100
+Subject: [PATCH] LibVNCClient: ignore server-sent reason strings longer than
+ 1MB
+
+Fixes #273
+---
+ libvncclient/rfbproto.c | 45 +++++++++++++++++++----------------------
+ 1 file changed, 21 insertions(+), 24 deletions(-)
+
+--- a/ica/x11/libvncclient/rfbproto.c
++++ b/ica/x11/libvncclient/rfbproto.c
+@@ -546,11 +546,29 @@
+ extern void rfbClientEncryptBytes(unsigned char* bytes, char* passwd);
+ extern void rfbClientEncryptBytes2(unsigned char *where, const int length, unsigned char *key);
+ 
++static void
++ReadReason(rfbClient* client)
++{
++    uint32_t reasonLen;
++    char *reason;
++
++    if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
++    reasonLen = rfbClientSwap32IfLE(reasonLen);
++    if(reasonLen > 1<<20) {
++      rfbClientLog("VNC connection failed, but sent reason length of %u exceeds limit of 1MB",(unsigned int)reasonLen);
++      return;
++    }
++    reason = malloc(reasonLen+1);
++    if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
++    reason[reasonLen]=0;
++    rfbClientLog("VNC connection failed: %s\n",reason);
++    free(reason);
++}
++
+ rfbBool
+ rfbHandleAuthResult(rfbClient* client)
+ {
+-    uint32_t authResult=0, reasonLen=0;
+-    char *reason=NULL;
++    uint32_t authResult=0;
+ 
+     if (!ReadFromRFBServer(client, (char *)&authResult, 4)) return FALSE;
+ 
+@@ -565,13 +583,7 @@
+       if (client->major==3 && client->minor>7)
+       {
+         /* we have an error following */
+-        if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE;
+-        reasonLen = rfbClientSwap32IfLE(reasonLen);
+-        reason = malloc((uint64_t)reasonLen+1);
+-        if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; }
+-        reason[reasonLen]=0;
+-        rfbClientLog("VNC connection failed: %s\n",reason);
+-        free(reason);
++        ReadReason(client);
+         return FALSE;
+       }
+       rfbClientLog("VNC authentication failed\n");
+@@ -586,21 +598,6 @@
+     return FALSE;
+ }
+ 
+-static void
+-ReadReason(rfbClient* client)
+-{
+-    uint32_t reasonLen;
+-    char *reason;
+-
+-    /* we have an error following */
+-    if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
+-    reasonLen = rfbClientSwap32IfLE(reasonLen);
+-    reason = malloc((uint64_t)reasonLen+1);
+-    if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
+-    reason[reasonLen]=0;
+-    rfbClientLog("VNC connection failed: %s\n",reason);
+-    free(reason);
+-}
+ 
+ static rfbBool
+ ReadSupportedSecurityType(rfbClient* client, uint32_t *result, rfbBool subAuth)
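Review bot: the relocated ReadReason still calls reason = malloc(reasonLen+1) without a NULL check before passing reason to ReadFromRFBServer; add one. Two smaller points: the new rfbClientLog message about the exceeded 1 MB limit lacks the trailing "\n" the other log lines carry, and the (uint64_t) cast introduced by the CVE-2018-15127 patch is dropped here, which is only safe because the reasonLen > 1<<20 check now precedes the allocation.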
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-3.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-3.patch
--- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-3.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-3.patch	2019-11-28 08:38:37.000000000 +0100
@@ -0,0 +1,25 @@
+From c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sun, 6 Jan 2019 14:20:37 +0100
+Subject: [PATCH] LibVNCClient: fail on server-sent desktop name lengths longer
+ than 1MB
+
+re #273
+---
+ libvncclient/rfbproto.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/ica/x11/libvncclient/rfbproto.c
++++ b/ica/x11/libvncclient/rfbproto.c
+@@ -1315,6 +1315,11 @@
+   client->si.format.blueMax = rfbClientSwap16IfLE(client->si.format.blueMax);
+   client->si.nameLength = rfbClientSwap32IfLE(client->si.nameLength);
+ 
++  if (client->si.nameLength > 1<<20) {
++      rfbClientErr("Too big desktop name length sent by server: %u B > 1 MB\n", (unsigned int)client->si.nameLength);
++      return FALSE;
++  }
++
+   /* To guard against integer wrap-around, si.nameLength is cast to 64 bit */
+   client->desktopName = malloc((uint64_t)client->si.nameLength + 1);
+   if (!client->desktopName) {
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-4.patch italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-4.patch
--- italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-4.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvncclient_CVE-2018-20748-4.patch	2019-11-28 08:38:47.000000000 +0100
@@ -0,0 +1,21 @@
+From a64c3b37af9a6c8f8009d7516874b8d266b42bae Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sun, 6 Jan 2019 14:22:34 +0100
+Subject: [PATCH] LibVNCClient: remove now-useless cast
+
+re #273
+---
+ libvncclient/rfbproto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/ica/x11/libvncclient/rfbproto.c
++++ b/ica/x11/libvncclient/rfbproto.c
+@@ -2287,7 +2287,7 @@
+ 	    return FALSE;
+     }  
+ 
+-    buffer = malloc((uint64_t)msg.sct.length+1);
++    buffer = malloc(msg.sct.length+1);
+ 
+     if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {
+       free(buffer);
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvnc_server+client_CVE-2018-15127-CVE-2018-20019.patch italc-3.0.3+dfsg1/debian/patches/libvnc_server+client_CVE-2018-15127-CVE-2018-20019.patch
--- italc-3.0.3+dfsg1/debian/patches/libvnc_server+client_CVE-2018-15127-CVE-2018-20019.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvnc_server+client_CVE-2018-15127-CVE-2018-20019.patch	2019-11-28 08:36:32.000000000 +0100
@@ -0,0 +1,63 @@
+Description: CVE-2018-15127, CVE-2018-20019
+ CVE-2018-15127
+ heap out-of-bound write vulnerability in server code of file transfer
+ extension that can result remote code execution
+ CVE-2018-20019
+ multiple heap out-of-bound write vulnerabilities in VNC client code that can
+ result remote code execution
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/502821828ed00b4a2c4bef90683d0fd88ce495de
+        https://github.com/LibVNC/libvncserver/commit/a83439b9fbe0f03c48eb94ed05729cb016f8b72f
+Bug: https://github.com/LibVNC/libvncserver/issues/243
+     https://github.com/LibVNC/libvncserver/issues/247
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/ica/x11/libvncclient/rfbproto.c
++++ b/ica/x11/libvncclient/rfbproto.c
+@@ -563,7 +563,7 @@
+         /* we have an error following */
+         if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE;
+         reasonLen = rfbClientSwap32IfLE(reasonLen);
+-        reason = malloc(reasonLen+1);
++        reason = malloc((uint64_t)reasonLen+1);
+         if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; }
+         reason[reasonLen]=0;
+         rfbClientLog("VNC connection failed: %s\n",reason);
+@@ -591,7 +591,7 @@
+     /* we have an error following */
+     if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
+     reasonLen = rfbClientSwap32IfLE(reasonLen);
+-    reason = malloc(reasonLen+1);
++    reason = malloc((uint64_t)reasonLen+1);
+     if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
+     reason[reasonLen]=0;
+     rfbClientLog("VNC connection failed: %s\n",reason);
+@@ -2274,10 +2274,12 @@
+ 
+     msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);
+ 
+-    buffer = malloc(msg.sct.length+1);
++    buffer = malloc((uint64_t)msg.sct.length+1);
+ 
+-    if (!ReadFromRFBServer(client, buffer, msg.sct.length))
++    if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {
++      free(buffer);
+       return FALSE;
++      }
+ 
+     buffer[msg.sct.length] = 0;
+ 
+--- a/ica/x11/libvncserver/rfbserver.c
++++ b/ica/x11/libvncserver/rfbserver.c
+@@ -1466,7 +1466,7 @@
+     rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length);
+     */
+     if (length>0) {
+-        buffer=malloc(length+1);
++        buffer=malloc((uint64_t)length+1);
+         if (buffer!=NULL) {
+             if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
+                 if (n != 0)
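Review bot: in the third hunk the closing brace of the new "if (!ReadFromRFBServer(client, buffer, msg.sct.length)) { free(buffer); return FALSE; }" block is indented one level too deep ("+      }"), which misrepresents the block structure; align it with the "if". The (uint64_t) casts stop malloc(len+1) from wrapping to malloc(0) on 32-bit when len is 0xFFFFFFFF, but the two libvncclient hunks still use the malloc result without a NULL check, unlike the rfbserver.c hunk, which tests buffer!=NULL.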
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20749.patch italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20749.patch
--- italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20749.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20749.patch	2019-11-28 08:38:50.000000000 +0100
@@ -0,0 +1,37 @@
+From 15bb719c03cc70f14c36a843dcb16ed69b405707 Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sun, 6 Jan 2019 15:13:56 +0100
+Subject: [PATCH] Error out in rfbProcessFileTransferReadBuffer if length can
+ not be allocated
+
+re #273
+---
+ libvncserver/rfbserver.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/ica/x11/libvncserver/rfbserver.c
++++ b/ica/x11/libvncserver/rfbserver.c
+@@ -1462,11 +1462,21 @@
+     int   n=0;
+ 
+     FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL);
++
+     /*
+-    rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length);
++       We later alloc length+1, which might wrap around on 32-bit systems if length equals
++       0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
++       will safely be allocated since this check will never trigger and malloc() can digest length+1
++       without problems as length is a uint32_t.
+     */
++    if(length == SIZE_MAX) {
++	rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
++	rfbCloseClient(cl);
++	return NULL;
++    }
++
+     if (length>0) {
+-        buffer=malloc((uint64_t)length+1);
++        buffer=malloc((size_t)length+1);
+         if (buffer!=NULL) {
+             if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
+                 if (n != 0)
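Review bot: as the new comment itself notes, length is a uint32_t, so "length == SIZE_MAX" can only be true on 32-bit targets; on 64-bit builds the comparison is always false and compilers warn about it under -Wtype-limits. Style: the new block and its rfbErr call are tab-indented while the surrounding function uses spaces.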
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20750.patch italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20750.patch
--- italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20750.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-20750.patch	2019-11-28 08:38:53.000000000 +0100
@@ -0,0 +1,42 @@
+From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 7 Jan 2019 10:40:01 +0100
+Subject: [PATCH] Limit length to INT_MAX bytes in
+ rfbProcessFileTransferReadBuffer()
+
+This amends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
+out-of-bound write access in rfbProcessFileTransferReadBuffer() when
+reading a transferred file content in a server. The former fix did not
+work on platforms with a 32-bit int type (expected by rfbReadExact()).
+
+CVE-2018-15127
+<https://github.com/LibVNC/libvncserver/issues/243>
+<https://github.com/LibVNC/libvncserver/issues/273>
+---
+ libvncserver/rfbserver.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/ica/x11/libvncserver/rfbserver.c
++++ b/ica/x11/libvncserver/rfbserver.c
+@@ -87,6 +87,8 @@
+ #include <time.h>
+ /* PRIu32 */
+ #include <inttypes.h>
++/* INT_MAX */
++#include <limits.h>
+ 
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -1468,8 +1470,11 @@
+        0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
+        will safely be allocated since this check will never trigger and malloc() can digest length+1
+        without problems as length is a uint32_t.
++       We also later pass length to rfbReadExact() that expects a signed int type and
++       that might wrap on platforms with a 32-bit int type if length is bigger
++       than 0X7FFFFFFF.
+     */
+-    if(length == SIZE_MAX) {
++    if(length == SIZE_MAX || length > INT_MAX) {
+ 	rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
+ 	rfbCloseClient(cl);
+ 	return NULL;
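Review bot: once "length > INT_MAX" is in place the "length == SIZE_MAX" test is redundant: on 32-bit, SIZE_MAX is 0xFFFFFFFF, which is already greater than INT_MAX, and on 64-bit the equality can never hold for a uint32_t. Simplify the condition to "if (length > INT_MAX)", which also removes the always-false comparison.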
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-7225.patch italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-7225.patch
--- italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-7225.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2018-7225.patch	2019-11-28 08:35:55.000000000 +0100
@@ -0,0 +1,46 @@
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 5 Jun 2018 14:04:07 +0200
+Subject: CVE-2018-7225
+
+Bug-Debian: https://bugs.debian.org/894045
+Origin: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee
+---
+ libvncserver/rfbserver.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/ica/x11/libvncserver/rfbserver.c
++++ b/ica/x11/libvncserver/rfbserver.c
+@@ -85,6 +85,8 @@
+ #include <errno.h>
+ /* strftime() */
+ #include <time.h>
++/* PRIu32 */
++#include <inttypes.h>
+ 
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -2577,7 +2579,23 @@
+ 
+ 	msg.cct.length = Swap32IfLE(msg.cct.length);
+ 
+-	str = (char *)malloc(msg.cct.length);
++	/* uint32_t input is passed to malloc()'s size_t argument,
++	 * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++	 * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
++	 * argument. Here we impose a limit of 1 MB so that the value fits
++	 * into all of the types to prevent from misinterpretation and thus
++	 * from accessing uninitialized memory (CVE-2018-7225) and also to
++	 * prevent from a denial-of-service by allocating to much memory in
++	 * the server. */
++	if (msg.cct.length > 1<<20) {
++	    rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
++		    msg.cct.length);
++	    rfbCloseClient(cl);
++	    return;
++	}
++
++	/* Allow zero-length client cut text. */
++	str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+ 	if (str == NULL) {
+ 		rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+ 		rfbCloseClient(cl);
diff -Nru italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2019-15681.patch italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2019-15681.patch
--- italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2019-15681.patch	1970-01-01 01:00:00.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/libvncserver_CVE-2019-15681.patch	2019-11-28 08:38:55.000000000 +0100
@@ -0,0 +1,21 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+---
+ libvncserver/rfbserver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/ica/x11/libvncserver/rfbserver.c
++++ b/ica/x11/libvncserver/rfbserver.c
+@@ -3529,6 +3529,8 @@
+     rfbServerCutTextMsg sct;
+     rfbClientIteratorPtr iterator;
+ 
++    memset((char *)&sct, 0, sizeof(sct));
++
+     iterator = rfbGetClientIterator(rfbScreen);
+     while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
+         sct.type = rfbServerCutText;
diff -Nru italc-3.0.3+dfsg1/debian/patches/series italc-3.0.3+dfsg1/debian/patches/series
--- italc-3.0.3+dfsg1/debian/patches/series	2017-01-20 10:50:55.000000000 +0100
+++ italc-3.0.3+dfsg1/debian/patches/series	2019-11-28 08:48:52.000000000 +0100
@@ -1,2 +1,16 @@
 1005_gcc47-ftbfs.patch
 2001_inject-buildtype-from-outside.patch
+libvncserver_CVE-2018-7225.patch
+libvnc_server+client_CVE-2018-15127-CVE-2018-20019.patch
+libvncclient_CVE-2018-20020.patch
+libvncclient_CVE-2018-20021.patch
+libvncclient_CVE-2018-20022.patch
+libvncclient_CVE-2018-20023.patch
+libvncclient_CVE-2018-20024.patch
+libvncclient_CVE-2018-20748-1.patch
+libvncclient_CVE-2018-20748-2.patch
+libvncclient_CVE-2018-20748-3.patch
+libvncclient_CVE-2018-20748-4.patch
+libvncserver_CVE-2018-20749.patch
+libvncserver_CVE-2018-20750.patch
+libvncserver_CVE-2019-15681.patch
