From mboxrd@z Thu Jan 1 00:00:00 1970 From: Fabrice Fontaine Date: Sat, 2 May 2020 22:07:47 +0200 Subject: [Buildroot] [PATCH 1/1] package/libvncserver: fix CVE-2019-20788 Message-ID: <20200502200747.3438774-1-fontaine.fabrice@gmail.com> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: buildroot@busybox.net libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690. Signed-off-by: Fabrice Fontaine --- ...rsor-limit-width-height-input-values.patch | 40 +++++++++++++++++++ package/libvncserver/libvncserver.mk | 3 ++ 2 files changed, 43 insertions(+) create mode 100644 package/libvncserver/0006-libvncclient-cursor-limit-width-height-input-values.patch diff --git a/package/libvncserver/0006-libvncclient-cursor-limit-width-height-input-values.patch b/package/libvncserver/0006-libvncclient-cursor-limit-width-height-input-values.patch new file mode 100644 index 0000000000..c389f2ecfb --- /dev/null +++ b/package/libvncserver/0006-libvncclient-cursor-limit-width-height-input-values.patch 
@@ -0,0 +1,40 @@ +From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001 +From: Christian Beier +Date: Sun, 17 Nov 2019 17:18:35 +0100 +Subject: [PATCH] libvncclient/cursor: limit width/height input values + +Avoids a possible heap overflow reported by Pavel Cheremushkin +. + +re #275 + +Signed-off-by: Fabrice Fontaine +[Retrieved from: +https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed] +--- + libvncclient/cursor.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c +index 67f45726..40ffb3b0 100644 +--- a/libvncclient/cursor.c ++++ b/libvncclient/cursor.c +@@ -28,6 +28,8 @@ + #define OPER_SAVE 0 + #define OPER_RESTORE 1 + ++#define MAX_CURSOR_SIZE 1024 ++ + #define RGB24_TO_PIXEL(bpp,r,g,b) \ + ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \ + << client->format.redShift | \ +@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h + if (width * height == 0) + return TRUE; + ++ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) ++ return FALSE; ++ + /* Allocate memory for pixel data and temporary mask data. */ + if(client->rcSource) + free(client->rcSource); diff --git a/package/libvncserver/libvncserver.mk b/package/libvncserver/libvncserver.mk index 5b8648fa6d..890672d04b 100644 --- a/package/libvncserver/libvncserver.mk +++ b/package/libvncserver/libvncserver.mk @@ -19,6 +19,9 @@ LIBVNCSERVER_IGNORE_CVES += CVE-2018-20750 # 0004-rfbserver-don-t-leak-stack-memory-to-the-remote.patch LIBVNCSERVER_IGNORE_CVES += CVE-2019-15681 +# 0006-libvncclient-cursor-limit-width-height-input-values.patch +LIBVNCSERVER_IGNORE_CVES += CVE-2019-20788 + # only used for examples LIBVNCSERVER_CONF_OPTS += \ -DWITH_FFMPEG=OFF \ -- 2.26.2
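Review bot: In the cursor.c hunk of the backported patch, the new guard `if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) return FALSE;` only bounds the upper side, while the visible signature declares `int width, int h...`; a negative value passes both this check and the preceding `width * height == 0` test and still reaches the allocation below. Consider rejecting non-positive values as well (e.g. `if (width <= 0 || height <= 0 || width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)`), or state in the patch description that the caller already decodes these as unsigned 16-bit wire fields so the sign case cannot occur. A one-line comment next to `#define MAX_CURSOR_SIZE 1024` explaining why 1024 was chosen as the limit would also help future readers of the backport.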
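Review bot: In the libvncserver.mk hunk, only CVE-2019-20788 is added to LIBVNCSERVER_IGNORE_CVES, yet the commit message notes that this issue "may overlap CVE-2019-15690". Either add `LIBVNCSERVER_IGNORE_CVES += CVE-2019-15690` under the same patch comment if the backported fix covers it, or state explicitly in the commit message why it is left out, so the CVE tracking stays consistent with the applied patches.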