Browse Source

gnu: libvnc: Update to 0.9.13.

* gnu/packages/patches/libvnc-CVE-2018-20750.patch,
gnu/packages/patches/libvnc-CVE-2019-15681.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/vnc.scm (libvnc): Update to 0.9.13.
[source](patches): Remove.
[arguments]: Add phase to patch 'cc' invocation.
wip-filesearch
Marius Bakke 1 year ago
parent
commit
2195ad6bd7
No known key found for this signature in database GPG Key ID: A2A06DF2A33A54FA
  1. 2
      gnu/local.mk
  2. 44
      gnu/packages/patches/libvnc-CVE-2018-20750.patch
  3. 23
      gnu/packages/patches/libvnc-CVE-2019-15681.patch
  4. 15
      gnu/packages/vnc.scm

2
gnu/local.mk

@ -1241,8 +1241,6 @@ dist_patch_DATA = \
%D%/packages/patches/libutils-add-includes.patch \
%D%/packages/patches/libutils-remove-damaging-includes.patch \
%D%/packages/patches/libvdpau-va-gl-unbundle.patch \
%D%/packages/patches/libvnc-CVE-2018-20750.patch \
%D%/packages/patches/libvnc-CVE-2019-15681.patch \
%D%/packages/patches/libvpx-CVE-2016-2818.patch \
%D%/packages/patches/libxslt-generated-ids.patch \
%D%/packages/patches/libxt-guix-search-paths.patch \

44
gnu/packages/patches/libvnc-CVE-2018-20750.patch

@ -1,44 +0,0 @@
From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 7 Jan 2019 10:40:01 +0100
Subject: [PATCH] Limit lenght to INT_MAX bytes in
rfbProcessFileTransferReadBuffer()
This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
out-of-bound write access in rfbProcessFileTransferReadBuffer() when
reading a transfered file content in a server. The former fix did not
work on platforms with a 32-bit int type (expected by rfbReadExact()).
CVE-2018-15127
<https://github.com/LibVNC/libvncserver/issues/243>
<https://github.com/LibVNC/libvncserver/issues/273>
---
libvncserver/rfbserver.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 7af84906..f2edbeea 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -88,6 +88,8 @@
#include <errno.h>
/* strftime() */
#include <time.h>
+/* INT_MAX */
+#include <limits.h>
#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
#include "rfbssl.h"
@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
will safely be allocated since this check will never trigger and malloc() can digest length+1
without problems as length is a uint32_t.
+ We also later pass length to rfbReadExact() that expects a signed int type and
+ that might wrap on platforms with a 32-bit int type if length is bigger
+ than 0X7FFFFFFF.
*/
- if(length == SIZE_MAX) {
+ if(length == SIZE_MAX || length > INT_MAX) {
rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
rfbCloseClient(cl);
return NULL;

23
gnu/packages/patches/libvnc-CVE-2019-15681.patch

@ -1,23 +0,0 @@
From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Mon, 19 Aug 2019 22:32:25 +0200
Subject: [PATCH] rfbserver: don't leak stack memory to the remote
Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
---
libvncserver/rfbserver.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 3bacc891..310e5487 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len)
rfbServerCutTextMsg sct;
rfbClientIteratorPtr iterator;
+ memset((char *)&sct, 0, sizeof(sct));
+
iterator = rfbGetClientIterator(rfbScreen);
while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
sct.type = rfbServerCutText;

15
gnu/packages/vnc.scm

@ -2,6 +2,7 @@
;;; Copyright © 2019 Todor Kondić <tk.code@protonmail.com>
;;; Copyright © 2020 Oleg Pykhalov <go.wigust@gmail.com>
;;; Copyright © 2020 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@ -233,7 +234,7 @@ where the server is installed.")))
(define-public libvnc
(package
(name "libvnc")
(version "0.9.12")
(version "0.9.13")
(source
(origin
(method git-fetch)
@ -242,10 +243,16 @@ where the server is installed.")))
(commit (string-append "LibVNCServer-" version))))
(file-name (git-file-name name version))
(sha256
(base32 "1226hb179l914919f5nm2mlf8rhaarqbf48aa649p4rwmghyx9vm"))
(patches (search-patches "libvnc-CVE-2018-20750.patch"
"libvnc-CVE-2019-15681.patch"))))
(base32 "0zz0hslw8b1p3crnfy3xnmrljik359h83dpk64s697dqdcrzy141"))))
(build-system cmake-build-system)
(arguments
'(#:phases (modify-phases %standard-phases
(add-after 'unpack 'patch-cc-reference
(lambda _
(substitute* "test/includetest.sh"
(("^cc -I")
"gcc -I"))
#t)))))
(native-inputs
`(("pkg-config" ,pkg-config)))
(inputs

Loading…
Cancel
Save