From 4fc6d13b5abbe961506809b9e5669014474c247d Mon Sep 17 00:00:00 2001 From: Antoni Villalonga Date: Thu, 12 Dec 2019 01:10:41 +0100 Subject: [PATCH 1/4] Add debian/.gitlab.yml salsa tests --- debian/.gitlabci.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 debian/.gitlabci.yml diff --git a/debian/.gitlabci.yml b/debian/.gitlabci.yml new file mode 100644 index 0000000..735b604 --- /dev/null +++ b/debian/.gitlabci.yml @@ -0,0 +1,3 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml \ No newline at end of file -- GitLab From caec1d4f06dd1ca4d94622debaf7545f1f827f42 Mon Sep 17 00:00:00 2001 From: Antoni Villalonga Date: Sat, 21 Mar 2020 12:42:12 +0100 Subject: [PATCH 2/4] debian/control: Bump Standards-Version: to 4.5.0. No changes needed. --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index b411808..7486860 100644 --- a/debian/control +++ b/debian/control @@ -13,7 +13,7 @@ Build-Depends: cmake (>= 3.4), libgcrypt20-dev, libsasl2-dev, zlib1g-dev -Standards-Version: 4.4.1 +Standards-Version: 4.5.0 Rules-Requires-Root: no Homepage: http://libvnc.github.io Vcs-Git: https://salsa.debian.org/debian-remote-team/libvncserver.git -- GitLab From 88f2656d8a458da0e8b0ac2d11f3066a22b51e88 Mon Sep 17 00:00:00 2001 From: Antoni Villalonga Date: Sat, 21 Mar 2020 12:53:29 +0100 Subject: [PATCH 3/4] debian/patches: Add CVE-2019-15690 --- .../0001-heap-buffer-overflow.patch | 34 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 35 insertions(+) create mode 100644 debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch diff --git a/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch b/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch new file mode 100644 index 0000000..165f340 --- /dev/null 
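Review bot: The new file is named `debian/.gitlabci.yml`, while the commit subject says `debian/.gitlab.yml` and GitLab's default lookup name is `.gitlab-ci.yml`. Unless the project's CI configuration path is set to exactly this name (not visible here), the pipeline will not run. Both `include:` entries also track `raw/master`, so the job definitions executed for this package can change without any commit in this repository. If that is intended, say so in the file, for example `# Tracks salsa-ci-team/pipeline master on purpose; CI jobs change upstream without a commit here.`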
+++ b/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch @@ -0,0 +1,34 @@ +Commit: 54220248886b5001fbbb9fa73c4e1a2cb9413fed +Author: Christian Beier +Date: Sun Nov 17 17:18:35 2019 +0100 + + libvncclient/cursor: limit width/height input values + + Avoids a possible heap overflow reported by Pavel Cheremushkin + . + + re #275 + +diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c +index 67f4572..40ffb3b 100644 +--- a/libvncclient/cursor.c ++++ b/libvncclient/cursor.c +@@ -28,6 +28,8 @@ + #define OPER_SAVE 0 + #define OPER_RESTORE 1 + ++#define MAX_CURSOR_SIZE 1024 ++ + #define RGB24_TO_PIXEL(bpp,r,g,b) \ + ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \ + << client->format.redShift | \ +@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h + if (width * height == 0) + return TRUE; + ++ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) ++ return FALSE; ++ + /* Allocate memory for pixel data and temporary mask data. */ + if(client->rcSource) + free(client->rcSource); diff --git a/debian/patches/series b/debian/patches/series index 1012616..5fe254c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,4 @@ CVE-2019-15681/0001-rfbserver-don-t-leak-stack-memory-to-the-remote.patch 0003_rfbserver-dont-close-fd-0-accidentally.patch 0004_avoid-pthread-join-if-backgroundLoop-is-FALSE.patch 0005_LibVNCCient-fix-regression-in-tight-raw-decoding.patch +CVE-2019-15690/0001-heap-buffer-overflow.patch -- GitLab From c3bc54b6aa0b1090641b950d5d59abbbe4122daa Mon Sep 17 00:00:00 2001 From: Antoni Villalonga Date: Sat, 21 Mar 2020 12:54:10 +0100 Subject: [PATCH 4/4] upload to unstable (debian/0.9.12+dfsg-9) --- debian/changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/debian/changelog b/debian/changelog index 6fe5bf5..c1e16b0 100644 --- a/debian/changelog +++ b/debian/changelog 
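Review bot: In the embedded `libvncclient/cursor.c` hunk the new bound is tested only after `width * height == 0` has been evaluated, and it has no lower bound, although both parameters are declared `int` in the visible signature. If a caller can pass a negative value (the callers are outside this hunk and may well pass unsigned 16-bit protocol fields), a pair such as -1, -1 passes both tests and reaches the allocation that follows. Moving the range check ahead of the multiplication and making it two-sided would close that: `if (width < 0 || height < 0 || width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) return FALSE;`. A one-line comment on `MAX_CURSOR_SIZE` stating that it caps the cursor dimensions used for the allocations below would also help. The body of `HandleCursorShape` continues outside the hunk.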
@@ -1,3 +1,11 @@ +libvncserver (0.9.12+dfsg-9) unstable; urgency=medium + + * Bump Standards-Version: to 4.5.0. No changes needed. + * debian/patches: + + Add CVE-2019-15690/0001-heap-buffer-overflow.patch. (Closes: #954163). + + -- Antoni Villalonga Sat, 21 Mar 2020 12:51:24 +0100 + libvncserver (0.9.12+dfsg-8) unstable; urgency=medium * debian/changelog: -- GitLab