author | Robert Scott <code@humanleg.org.uk> | 2019-11-24 18:44:01 +0000 |
---|---|---|
committer | Renaud <c0bw3b@users.noreply.github.com> | 2019-11-24 19:44:01 +0100 |
commit | 2482f8b8dca0f57466d20f9dcf2ff3d5cd16adbf (patch) | |
tree | 059d083a311730aeabde1af2e55808e1b04d23c5 /pkgs | |
parent | 1206faa6d5c9dc9aecb811091e1d547599ecd195 (diff) | |
tightvnc: add patches for four CVEs
Security fixes for: * CVE-2019-8287 * CVE-2019-15678 * CVE-2019-15679 * CVE-2019-15680 mostly adapted from patches fixing similar issues in the actively maintained libvnc (#73970)
Diffstat (limited to 'pkgs')
-rw-r--r-- | pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch | 18 | ||||
-rw-r--r-- | pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch | 19 | ||||
-rw-r--r-- | pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch | 16 | ||||
-rw-r--r-- | pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch | 14 | ||||
-rw-r--r-- | pkgs/tools/admin/tightvnc/default.nix | 7 |
5 files changed, 74 insertions, 0 deletions
diff --git a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch
new file mode 100644
index 00000000000..cd65d2fb5dd
--- /dev/null
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch
@@ -0,0 +1,18 @@
+Adapted from https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a
+diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
+index 04b0230..47a6863 100644
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1217,6 +1217,12 @@ HandleRFBServerMessage()
+ if (serverCutText)
+ free(serverCutText);
+
++ if (msg.sct.length > 1<<20) {
++ fprintf(stderr,"Ignoring too big cut text length sent by server: %u B > 1 MB\n",
++ (unsigned int)msg.sct.length);
++ return False;
++ }
++
+ serverCutText = malloc(msg.sct.length+1);
+
+ if (!ReadFromRFBServer(serverCutText, msg.sct.length))
diff --git a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
new file mode 100644
index 00000000000..6d7b3e89e0c
--- /dev/null
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
@@ -0,0 +1,19 @@
+Adapted from https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
+diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
+index 04b0230..bd11b54 100644
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -303,7 +303,12 @@ InitialiseRFBConnection(void)
+ si.format.blueMax = Swap16IfLE(si.format.blueMax);
+ si.nameLength = Swap32IfLE(si.nameLength);
+
+- /* FIXME: Check arguments to malloc() calls. */
++ if (si.nameLength > 1<<20) {
++ fprintf(stderr, "Too big desktop name length sent by server: %lu B > 1 MB\n",
++ (unsigned long)si.nameLength);
++ return False;
++ }
++
+ desktopName = malloc(si.nameLength + 1);
+ if (!desktopName) {
+ fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",
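Review bot: In the CVE-2019-15678 patch (HandleRFBServerMessage, vncviewer/rfbproto.c) the new early `return False;` runs after `free(serverCutText)` has already released the old buffer, so the pointer, which appears to persist across calls, is left dangling on the rejection path; resetting it right after the free with `serverCutText = NULL;` keeps any later access or repeated free harmless. The context lines also show `malloc(msg.sct.length+1)` feeding `ReadFromRFBServer` with no NULL test, which the 1 MB cap makes less likely to fail but does not rule out; `if (!serverCutText) return False;` after the allocation would close that. The message says "Ignoring" while the code returns False, which presumably ends the session rather than skipping the message, so the wording should match the behaviour. The function body continues outside the hunk.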
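Review bot: The length check added to InitialiseRFBConnection in the CVE-2019-15679 patch replaces the old FIXME without recording why the limit exists or what it protects. A short comment above it would help the next maintainer, for example `/* Cap the server-supplied name length so nameLength + 1 cannot wrap and the read below stays inside the allocation. */`, assuming nameLength is the 32-bit field that `Swap32IfLE` suggests; the read itself is outside the hunk. The same literal `1<<20` is also the cut-text limit in the CVE-2019-15678 patch, so a single named constant shared by both checks would keep the two limits and their "1 MB" messages in step.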
diff --git a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch
new file mode 100644
index 00000000000..7426a2b58b1
--- /dev/null
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch
@@ -0,0 +1,16 @@
+diff --git a/vncviewer/zlib.c b/vncviewer/zlib.c
+index 80c4eee..76998d8 100644
+--- a/vncviewer/zlib.c
++++ b/vncviewer/zlib.c
+@@ -55,6 +55,11 @@ HandleZlibBPP (int rx, int ry, int rw, int rh)
+ raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+ raw_buffer = (char*) malloc( raw_buffer_size );
+
++ if ( raw_buffer == NULL ) {
++ fprintf(stderr,
++ "couldn't allocate raw_buffer in HandleZlibBPP");
++ return False;
++ }
+ }
+
+ if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
diff --git a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch
new file mode 100644
index 00000000000..5bfd1b9ea87
--- /dev/null
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch
@@ -0,0 +1,14 @@
+Adapted from https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+diff --git a/vncviewer/corre.c b/vncviewer/corre.c
+index c846a10..a4c272d 100644
+--- a/vncviewer/corre.c
++++ b/vncviewer/corre.c
+@@ -56,7 +56,7 @@ HandleCoRREBPP (int rx, int ry, int rw, int rh)
+ XChangeGC(dpy, gc, GCForeground, &gcv);
+ XFillRectangle(dpy, desktopWin, gc, rx, ry, rw, rh);
+
+- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ return False;
+
+ ptr = (CARD8 *)buffer;
diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix
index 5a76b500d14..1a65c31102e 100644
--- a/pkgs/tools/admin/tightvnc/default.nix
+++ b/pkgs/tools/admin/tightvnc/default.nix
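Review bot: The NULL check added to HandleZlibBPP in the CVE-2019-15680 patch (vncviewer/zlib.c) does not cover the size computation directly above it: `raw_buffer_size = (( rw * rh ) * ( BPP / 8 ))` multiplies two `int` rectangle dimensions and can overflow if the caller has not bounded them, in which case malloc may succeed with a size smaller than the data handled later. A guard ahead of the multiplication, something like `if (rw < 0 || rh < 0 || (rh > 0 && rw > INT_MAX / (BPP / 8) / rh)) return False;` (needs `<limits.h>`), would make the size trustworthy before the allocation is tested. The new message also lacks a trailing `\n`, unlike the other diagnostics in this commit, and this is the only patch file without an "Adapted from" provenance line. The enclosing `if` that decides whether to reallocate starts outside the hunk.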
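Review bot: The bound added to HandleCoRREBPP in the CVE-2019-8287 patch (vncviewer/corre.c) rejects an oversized `hdr.nSubrects` silently, whereas the length checks in the two rfbproto.c patches print a diagnostic to stderr, and folding the test into the existing `if` produces a very long line that buries the security check. Splitting it into its own `if` ahead of the read, with an `fprintf(stderr, ...)` that reports the subrect count followed by `return False;`, would match the sibling patches and leave a trace when a server sends a bad header. A one-line comment stating that `BUFFER_SIZE` is the capacity of `buffer` would also help, assuming that is the case, since the declaration is outside the hunk.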
@@ -9,6 +9,13 @@ stdenv.mkDerivation { sha256 = "f48c70fea08d03744ae18df6b1499976362f16934eda3275cead87baad585c0d"; }; + patches = [ + ./1.3.10-CVE-2019-15678.patch + ./1.3.10-CVE-2019-15679.patch + ./1.3.10-CVE-2019-15680.patch + ./1.3.10-CVE-2019-8287.patch + ]; + # for the builder script inherit fontDirectories; |