[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#955395: marked as done (buster-pu: package libvncserver/0.9.11+dfsg-1.3+deb10u3)



Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #955395,
regarding buster-pu: package libvncserver/0.9.11+dfsg-1.3+deb10u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
955395: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955395
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Please accept the recent upload of libvncserver to buster containing the
following low impact security fix:

+  [ Antoni Villalonga ]
+  * debian/patches:
+    + Add CVE-2019-15690 patch. libvncclient/cursor: limit
+      width/height input values. Avoids a possible heap overflow reported
+      by Pavel Cheremushkin. (Closes: #954163).

Thanks,
Mike


-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog	2020-01-08 08:22:51.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/changelog	2020-03-31 07:05:57.000000000 +0200
@@ -1,3 +1,13 @@
+libvncserver (0.9.11+dfsg-1.3+deb10u3) buster; urgency=medium
+
+  [ Antoni Villalonga ]
+  * debian/patches:
+    + Add CVE-2019-15690 patch. libvncclient/cursor: limit
+      width/height input values. Avoids a possible heap overflow reported
+      by Pavel Cheremushkin. (Closes: #954163).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Tue, 31 Mar 2020 07:05:57 +0200
+
 libvncserver (0.9.11+dfsg-1.3+deb10u2) buster; urgency=medium
 
   * Regression update.
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch	2020-03-31 07:04:43.000000000 +0200
@@ -0,0 +1,34 @@
+Commit: 54220248886b5001fbbb9fa73c4e1a2cb9413fed
+Author: Christian Beier <dontmind@freeshell.org>
+Date:   Sun Nov 17 17:18:35 2019 +0100
+
+    libvncclient/cursor: limit width/height input values
+    
+    Avoids a possible heap overflow reported by Pavel Cheremushkin
+    <Pavel.Cheremushkin@kaspersky.com>.
+    
+    re #275
+
+diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
+index 67f4572..40ffb3b 100644
+--- a/libvncclient/cursor.c
++++ b/libvncclient/cursor.c
+@@ -28,6 +28,8 @@
+ #define OPER_SAVE     0
+ #define OPER_RESTORE  1
+ 
++#define MAX_CURSOR_SIZE 1024
++
+ #define RGB24_TO_PIXEL(bpp,r,g,b)                                       \
+    ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255             \
+     << client->format.redShift |                                              \
+@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
+   if (width * height == 0)
+     return TRUE;
+ 
++  if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
++    return FALSE;
++
+   /* Allocate memory for pixel data and temporary mask data. */
+   if(client->rcSource)
+     free(client->rcSource);
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series	2020-01-08 08:22:34.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/series	2020-03-31 07:05:57.000000000 +0200
@@ -29,3 +29,4 @@
 use-after-free/5.patch
 use-after-free/6.patch
 0002-set-true-color-flag-to-1.patch
+CVE-2019-15690/0001-heap-buffer-overflow.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---

Reply to: