diff options
| author | Alyssa Ross <hi@alyssa.is> | 2020-01-11 23:37:02 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2020-01-11 23:41:30 +0000 |
| commit | 6c557e3f1c28cf87e9fba232811d6875dd1399c1 (patch) | |
| tree | 035a071d5d8980df6de0fa42e2ef8fc0cce7055e /nixpkgs/pkgs/tools/admin/tightvnc | |
| parent | da7500bc026e937ac7fce7b50f67a0e1765737a7 (diff) | |
| parent | e4134747f5666bcab8680aff67fa3b63384f9a0f (diff) | |
| download | nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.tar nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.tar.gz nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.tar.bz2 nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.tar.lz nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.tar.xz nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.tar.zst nixlib-6c557e3f1c28cf87e9fba232811d6875dd1399c1.zip | |
Merge commit 'e4134747f5666bcab8680aff67fa3b63384f9a0f'
Diffstat (limited to 'nixpkgs/pkgs/tools/admin/tightvnc')
5 files changed, 74 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch b/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch new file mode 100644 index 000000000000..cd65d2fb5dd9 --- /dev/null +++ b/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch @@ -0,0 +1,18 @@ +Adapted from https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a +diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c +index 04b0230..47a6863 100644 +--- a/vncviewer/rfbproto.c ++++ b/vncviewer/rfbproto.c +@@ -1217,6 +1217,12 @@ HandleRFBServerMessage() + if (serverCutText) + free(serverCutText); + ++ if (msg.sct.length > 1<<20) { ++ fprintf(stderr,"Ignoring too big cut text length sent by server: %u B > 1 MB\n", ++ (unsigned int)msg.sct.length); ++ return False; ++ } ++ + serverCutText = malloc(msg.sct.length+1); + + if (!ReadFromRFBServer(serverCutText, msg.sct.length)) diff --git a/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch b/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch new file mode 100644 index 000000000000..6d7b3e89e0c4 --- /dev/null +++ b/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch @@ -0,0 +1,19 @@ +Adapted from https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 +diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c +index 04b0230..bd11b54 100644 +--- a/vncviewer/rfbproto.c ++++ b/vncviewer/rfbproto.c +@@ -303,7 +303,12 @@ InitialiseRFBConnection(void) + si.format.blueMax = Swap16IfLE(si.format.blueMax); + si.nameLength = Swap32IfLE(si.nameLength); + +- /* FIXME: Check arguments to malloc() calls. */ ++ if (si.nameLength > 1<<20) { ++ fprintf(stderr, "Too big desktop name length sent by server: %lu B > 1 MB\n", ++ (unsigned long)si.nameLength); ++ return False; ++ } ++ + desktopName = malloc(si.nameLength + 1); + if (!desktopName) { + fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n", diff --git a/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch b/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch new file mode 100644 index 000000000000..7426a2b58b10 --- /dev/null +++ b/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch @@ -0,0 +1,16 @@ +diff --git a/vncviewer/zlib.c b/vncviewer/zlib.c +index 80c4eee..76998d8 100644 +--- a/vncviewer/zlib.c ++++ b/vncviewer/zlib.c +@@ -55,6 +55,11 @@ HandleZlibBPP (int rx, int ry, int rw, int rh) + raw_buffer_size = (( rw * rh ) * ( BPP / 8 )); + raw_buffer = (char*) malloc( raw_buffer_size ); + ++ if ( raw_buffer == NULL ) { ++ fprintf(stderr, ++ "couldn't allocate raw_buffer in HandleZlibBPP"); ++ return False; ++ } + } + + if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader)) diff --git a/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch b/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch new file mode 100644 index 000000000000..5bfd1b9ea87f --- /dev/null +++ b/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch @@ -0,0 +1,14 @@ +Adapted from https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d +diff --git a/vncviewer/corre.c b/vncviewer/corre.c +index c846a10..a4c272d 100644 +--- a/vncviewer/corre.c ++++ b/vncviewer/corre.c +@@ -56,7 +56,7 @@ HandleCoRREBPP (int rx, int ry, int rw, int rh) + XChangeGC(dpy, gc, GCForeground, &gcv); + XFillRectangle(dpy, desktopWin, gc, rx, ry, rw, rh); + +- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) ++ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) + return False; + + ptr = (CARD8 *)buffer; diff --git a/nixpkgs/pkgs/tools/admin/tightvnc/default.nix b/nixpkgs/pkgs/tools/admin/tightvnc/default.nix index 5a76b500d149..1a65c31102e9 100644 --- a/nixpkgs/pkgs/tools/admin/tightvnc/default.nix +++ b/nixpkgs/pkgs/tools/admin/tightvnc/default.nix @@ -9,6 +9,13 @@ stdenv.mkDerivation { sha256 = "f48c70fea08d03744ae18df6b1499976362f16934eda3275cead87baad585c0d"; }; + patches = [ + ./1.3.10-CVE-2019-15678.patch + ./1.3.10-CVE-2019-15679.patch + ./1.3.10-CVE-2019-15680.patch + ./1.3.10-CVE-2019-8287.patch + ]; + # for the builder script inherit fontDirectories; |