* [Buildroot] [PATCH 1/1] package/libvncserver: fix CVE-2019-20788
@ 2020-05-02 20:07 Fabrice Fontaine
From: Fabrice Fontaine @ 2020-05-02 20:07 UTC (permalink / raw)
To: buildroot
libvncclient/cursor.c in LibVNCServer through 0.9.12 has a
HandleCursorShape integer overflow and heap-based buffer overflow via a
large height or width value. NOTE: this may overlap CVE-2019-15690.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...rsor-limit-width-height-input-values.patch | 40 +++++++++++++++++++
package/libvncserver/libvncserver.mk | 3 ++
2 files changed, 43 insertions(+)
create mode 100644 package/libvncserver/0006-libvncclient-cursor-limit-width-height-input-values.patch
diff --git a/package/libvncserver/0006-libvncclient-cursor-limit-width-height-input-values.patch b/package/libvncserver/0006-libvncclient-cursor-limit-width-height-input-values.patch
new file mode 100644
index 0000000000..c389f2ecfb
--- /dev/null
+++ b/package/libvncserver/0006-libvncclient-cursor-limit-width-height-input-values.patch
@@ -0,0 +1,40 @@
+From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sun, 17 Nov 2019 17:18:35 +0100
+Subject: [PATCH] libvncclient/cursor: limit width/height input values
+
+Avoids a possible heap overflow reported by Pavel Cheremushkin
+<Pavel.Cheremushkin@kaspersky.com>.
+
+re #275
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Retrieved from:
+https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed]
+---
+ libvncclient/cursor.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
+index 67f45726..40ffb3b0 100644
+--- a/libvncclient/cursor.c
++++ b/libvncclient/cursor.c
+@@ -28,6 +28,8 @@
+ #define OPER_SAVE 0
+ #define OPER_RESTORE 1
+
++#define MAX_CURSOR_SIZE 1024
++
+ #define RGB24_TO_PIXEL(bpp,r,g,b) \
+ ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \
+ << client->format.redShift | \
+@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
+ if (width * height == 0)
+ return TRUE;
+
++ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
++ return FALSE;
++
+ /* Allocate memory for pixel data and temporary mask data. */
+ if(client->rcSource)
+ free(client->rcSource);
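Review bot: the new bound `if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)` is one-sided, while the hunk header shows the function takes `int width, int height`, and the earlier `if (width * height == 0)` test runs before the bound and does not reject negative values either. If the callers can only pass values decoded from unsigned protocol fields, a one-line comment saying so next to the check would make that explicit; otherwise `width < 0 || height < 0` belongs in the same condition. Also note that `>=` makes 1024 itself invalid, so the effective maximum is 1023; if 1024 is meant to be accepted, the comparison should be `>`.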
diff --git a/package/libvncserver/libvncserver.mk b/package/libvncserver/libvncserver.mk
index 5b8648fa6d..890672d04b 100644
--- a/package/libvncserver/libvncserver.mk
+++ b/package/libvncserver/libvncserver.mk
@@ -19,6 +19,9 @@ LIBVNCSERVER_IGNORE_CVES += CVE-2018-20750
# 0004-rfbserver-don-t-leak-stack-memory-to-the-remote.patch
LIBVNCSERVER_IGNORE_CVES += CVE-2019-15681
+# 0006-libvncclient-cursor-limit-width-height-input-values.patch
+LIBVNCSERVER_IGNORE_CVES += CVE-2019-20788
+
# only used for examples
LIBVNCSERVER_CONF_OPTS += \
-DWITH_FFMPEG=OFF \
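Review bot: the added comment only names the patch file, but the commit message says CVE-2019-20788 may overlap CVE-2019-15690; it would help a later reader of LIBVNCSERVER_IGNORE_CVES if the comment (or the commit message) stated whether CVE-2019-15690 is addressed by the same 0006 patch or still open, since the hunk as written only records CVE-2019-20788.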
--
2.26.2
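The commit message above describes width and height values large enough to overflow the size arithmetic in HandleCursorShape. The following is an added illustration, not LibVNCServer code and not part of the thread, of why an up-front dimension bound of the kind the patch introduces removes the problem: it contrasts an unchecked 32-bit product that silently wraps with a checked computation that rejects the input before any allocation is attempted. The function names `naive_cursor_bytes` and `checked_cursor_bytes` and the `CURSOR_DIM_LIMIT` constant are hypothetical, and the sample dimensions are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical limit, modelled on the MAX_CURSOR_SIZE bound the patch adds. */
#define CURSOR_DIM_LIMIT 1024

/* Unchecked size computation as a naive cursor decoder might write it: the
 * product is formed in 32-bit unsigned arithmetic, so it silently wraps for
 * large dimensions. Returned so the wrap can be observed in a test. */
uint32_t naive_cursor_bytes(int width, int height, int bytes_per_pixel)
{
    return (uint32_t)width * (uint32_t)height * (uint32_t)bytes_per_pixel;
}

/* Checked version: refuse non-positive or oversized dimensions first, then
 * multiply in size_t with explicit overflow checks. Returns 0 on rejection
 * so the caller can drop the message rather than allocate. */
size_t checked_cursor_bytes(int width, int height, int bytes_per_pixel)
{
    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0)
        return 0;
    if (width >= CURSOR_DIM_LIMIT || height >= CURSOR_DIM_LIMIT)
        return 0;
    size_t w = (size_t)width, h = (size_t)height, bpp = (size_t)bytes_per_pixel;
    if (w > SIZE_MAX / h)              /* w * h would overflow size_t */
        return 0;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / bpp)       /* pixels * bpp would overflow */
        return 0;
    return pixels * bpp;
}

int main(void)
{
    /* Constructed inputs: 32768 x 32768 at 4 bytes per pixel is exactly
     * 2^32 bytes, which wraps to 0 in 32-bit arithmetic, so a naive decoder
     * would allocate nothing and then write the full cursor into it. */
    printf("naive:   %u\n", (unsigned)naive_cursor_bytes(32768, 32768, 4));
    printf("checked: %zu\n", checked_cursor_bytes(32768, 32768, 4));
    printf("checked: %zu\n", checked_cursor_bytes(16, 16, 4));
    return 0;
}
```

The bound check is deliberately placed before the multiplication, which is the same ordering the patch relies on: once both dimensions are known to be below a small limit, the later product cannot wrap, and the explicit SIZE_MAX divisions only matter if the limit is ever raised or removed.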
* [Buildroot] [PATCH 1/1] package/libvncserver: fix CVE-2019-20788
@ 2020-05-11 7:25 ` Peter Korsgaard
From: Peter Korsgaard @ 2020-05-11 7:25 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> libvncclient/cursor.c in LibVNCServer through 0.9.12 has a
> HandleCursorShape integer overflow and heap-based buffer overflow via a
> large height or width value. NOTE: this may overlap CVE-2019-15690.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH 1/1] package/libvncserver: fix CVE-2019-20788
@ 2020-05-11 19:23 ` Peter Korsgaard
From: Peter Korsgaard @ 2020-05-11 19:23 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
>> libvncclient/cursor.c in LibVNCServer through 0.9.12 has a
>> HandleCursorShape integer overflow and heap-based buffer overflow via a
>> large height or width value. NOTE: this may overlap CVE-2019-15690.
>> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2020.02.x, thanks.
--
Bye, Peter Korsgaard