lol

tightvnc: add patches for four CVEs

Security fixes for:
* CVE-2019-8287
* CVE-2019-15678
* CVE-2019-15679
* CVE-2019-15680

mostly adapted from patches fixing similar issues in the actively
maintained libvnc

(#73970)

authored by

Robert Scott and committed by
Renaud
2482f8b8 1206faa6

+74
+18
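--- a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch
@@ -0,0 +1,18 @@
+Adapted from https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a
+diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
+index 04b0230..47a6863 100644
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1217,6 +1217,12 @@ HandleRFBServerMessage()
+ if (serverCutText)
+ free(serverCutText);
+
++ if (msg.sct.length > 1<<20) {
++ fprintf(stderr,"Ignoring too big cut text length sent by server: %u B > 1 MB\n",
++ (unsigned int)msg.sct.length);
++ return False;
++ }
++
+ serverCutText = malloc(msg.sct.length+1);
+
+ if (!ReadFromRFBServer(serverCutText, msg.sct.length))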
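Review bot: The new length check returns False after `serverCutText` has already been freed on the context lines above it, and nothing resets the pointer, so if `serverCutText` outlives this call (its declaration is outside the hunk) it is left dangling and a later `if (serverCutText) free(serverCutText);` would free it a second time. Either move the length check above the free, or add `serverCutText = NULL;` directly after `free(serverCutText);`. The context line `serverCutText = malloc(msg.sct.length+1);` is also handed to ReadFromRFBServer without a NULL test in the visible lines; `if (!serverCutText) return False;` would close that. HandleRFBServerMessage continues outside the hunk.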
+19
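--- a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
@@ -0,0 +1,19 @@
+Adapted from https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
+diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
+index 04b0230..bd11b54 100644
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -303,7 +303,12 @@ InitialiseRFBConnection(void)
+ si.format.blueMax = Swap16IfLE(si.format.blueMax);
+ si.nameLength = Swap32IfLE(si.nameLength);
+
+- /* FIXME: Check arguments to malloc() calls. */
++ if (si.nameLength > 1<<20) {
++ fprintf(stderr, "Too big desktop name length sent by server: %lu B > 1 MB\n",
++ (unsigned long)si.nameLength);
++ return False;
++ }
++
+ desktopName = malloc(si.nameLength + 1);
+ if (!desktopName) {
+ fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",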
+16
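--- a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch
@@ -0,0 +1,16 @@
+diff --git a/vncviewer/zlib.c b/vncviewer/zlib.c
+index 80c4eee..76998d8 100644
+--- a/vncviewer/zlib.c
++++ b/vncviewer/zlib.c
+@@ -55,6 +55,11 @@ HandleZlibBPP (int rx, int ry, int rw, int rh)
+ raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+ raw_buffer = (char*) malloc( raw_buffer_size );
+
++ if ( raw_buffer == NULL ) {
++ fprintf(stderr,
++ "couldn't allocate raw_buffer in HandleZlibBPP");
++ return False;
++ }
+ }
+
+ if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))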
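Review bot: The added NULL test catches a failed allocation but not a wrapped size: `raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));` on the context line is an `int` product of the rectangle dimensions, and whether rw and rh are bounded before this function runs is not visible here. If they are not, a bound check ahead of the multiplication is needed, for example `if (rw <= 0 || rh <= 0 || rw > INT_MAX / (BPP / 8) / rh) return False;`. On the failure path `raw_buffer_size` keeps its new value while `raw_buffer` is NULL, so adding `raw_buffer_size = 0;` before `return False;` keeps the two in step, and the message string lacks a trailing `\n`. The function and the enclosing `if` both start outside the hunk.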
+14
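--- a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch
@@ -0,0 +1,14 @@
+Adapted from https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+diff --git a/vncviewer/corre.c b/vncviewer/corre.c
+index c846a10..a4c272d 100644
+--- a/vncviewer/corre.c
++++ b/vncviewer/corre.c
+@@ -56,7 +56,7 @@ HandleCoRREBPP (int rx, int ry, int rw, int rh)
+ XChangeGC(dpy, gc, GCForeground, &gcv);
+ XFillRectangle(dpy, desktopWin, gc, rx, ry, rw, rh);
+
+- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ return False;
+
+ ptr = (CARD8 *)buffer;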
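Review bot: The new bound on `hdr.nSubrects` rejects the message silently, whereas the other three patches in this commit print the reason to stderr before returning False, so a rejected CoRRE rectangle cannot be told apart from a socket read failure. Splitting the condition keeps the line readable and lets the check log, e.g. `if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8))) { fprintf(stderr, "Too many CoRRE subrects sent by server: %lu\n", (unsigned long)hdr.nSubrects); return False; }`. The division form of the comparison avoids overflow in the multiplication and should be kept as written. HandleCoRREBPP continues outside the hunk, so the per-subrectangle coordinate handling is not reviewable here.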
+7
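--- a/pkgs/tools/admin/tightvnc/default.nix
+++ b/pkgs/tools/admin/tightvnc/default.nix
@@ -9,6 +9,13 @@
 sha256 = "f48c70fea08d03744ae18df6b1499976362f16934eda3275cead87baad585c0d";
 };
 
+patches = [
+./1.3.10-CVE-2019-15678.patch
+./1.3.10-CVE-2019-15679.patch
+./1.3.10-CVE-2019-15680.patch
+./1.3.10-CVE-2019-8287.patch
+];
+
 # for the builder script
 inherit fontDirectories;
 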