Control: tags 852213 + pending

Dear maintainer,

I've prepared an NMU for tigervnc (versioned as 1.7.0+dfsg-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Regards,
Salvatore
diff -Nru tigervnc-1.7.0+dfsg/debian/changelog tigervnc-1.7.0+dfsg/debian/changelog --- tigervnc-1.7.0+dfsg/debian/changelog 2017-01-05 23:35:09.000000000 +0100 +++ tigervnc-1.7.0+dfsg/debian/changelog 2017-01-28 11:04:43.000000000 +0100 @@ -1,3 +1,11 @@ +tigervnc (1.7.0+dfsg-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix buffer overflow in ModifiablePixelBuffer::fillRect (CVE-2017-5581) + (Closes: #852213) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 28 Jan 2017 11:04:43 +0100 + tigervnc (1.7.0+dfsg-2) unstable; urgency=high [ Ola Lundqvist ] diff -Nru tigervnc-1.7.0+dfsg/debian/patches/Fix-buffer-overflow-in-ModifiablePixelBuffer-fillRec.patch tigervnc-1.7.0+dfsg/debian/patches/Fix-buffer-overflow-in-ModifiablePixelBuffer-fillRec.patch --- tigervnc-1.7.0+dfsg/debian/patches/Fix-buffer-overflow-in-ModifiablePixelBuffer-fillRec.patch 1970-01-01 01:00:00.000000000 +0100 +++ tigervnc-1.7.0+dfsg/debian/patches/Fix-buffer-overflow-in-ModifiablePixelBuffer-fillRec.patch 2017-01-28 11:04:43.000000000 +0100 
@@ -0,0 +1,58 @@ +From 18c020124ff1b2441f714da2017f63dba50720ba Mon Sep 17 00:00:00 2001 +From: Michal Srb <michal...@gmail.com> +Date: Fri, 13 Jan 2017 16:32:23 +0200 +Subject: [PATCH] Fix buffer overflow in ModifiablePixelBuffer::fillRect. + +It can be triggered by RRE message with subrectangle out of framebuffer +boundaries. It may prevent the same kind of issue caused by evil message +from another encoding too. +--- + common/rfb/PixelBuffer.cxx | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/common/rfb/PixelBuffer.cxx b/common/rfb/PixelBuffer.cxx +index 89addabc..7f3df6cb 100644 +--- a/common/rfb/PixelBuffer.cxx ++++ b/common/rfb/PixelBuffer.cxx +@@ -101,15 +101,26 @@ void ModifiablePixelBuffer::fillRect(const Rect& r, const void* pix) + int stride; + U8 *buf; + int w, h, b; ++ Rect drect; + +- w = r.width(); +- h = r.height(); ++ drect = r; ++ if (!drect.enclosed_by(getRect())) { ++ vlog.error("Destination rect %dx%d at %d,%d exceeds framebuffer %dx%d", ++ drect.width(), drect.height(), drect.tl.x, drect.tl.y, width_, height_); ++ drect = drect.intersect(getRect()); ++ } ++ ++ if (drect.is_empty()) ++ return; ++ ++ w = drect.width(); ++ h = drect.height(); + b = format.bpp/8; + + if (h == 0) + return; + +- buf = getBufferRW(r, &stride); ++ buf = getBufferRW(drect, &stride); + + if (b == 1) { + while (h--) { +@@ -136,7 +147,7 @@ void ModifiablePixelBuffer::fillRect(const Rect& r, const void* pix) + } + } + +- commitBufferRW(r); ++ commitBufferRW(drect); + } + + void ModifiablePixelBuffer::imageRect(const Rect& r, +-- +2.11.0 + diff -Nru tigervnc-1.7.0+dfsg/debian/patches/series tigervnc-1.7.0+dfsg/debian/patches/series --- tigervnc-1.7.0+dfsg/debian/patches/series 2017-01-02 22:20:04.000000000 +0100 +++ tigervnc-1.7.0+dfsg/debian/patches/series 2017-01-28 11:04:43.000000000 +0100 
@@ -44,3 +44,4 @@ v2-Add-xorg-xserver-1.19-support-to-tigervnc.patch CVE-2014-8240-849479.patch CVE-2014-8241-849478.patch +Fix-buffer-overflow-in-ModifiablePixelBuffer-fillRec.patch
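Review bot: in the fillRect hunk of the new patch file, the added `if (drect.is_empty()) return;` makes the pre-existing `if (h == 0) return;` a few lines below unreachable (an empty rect has zero height), so the old guard can go rather than leaving two checks for one condition. Clipping instead of rejecting is sound here because fillRect paints a single pixel value, so intersecting with getRect() cannot misalign any source data. Two things worth confirming before the delayed upload lands: the new vlog.error fires once per out-of-bounds rectangle, so a malformed RFB stream produces one log line per bad rect and a rate-limited or lower-level message may be preferable; and imageRect(), visible in the trailing context, does not get the same enclosed_by/intersect treatment, so check whether the commit message's "another encoding" remark is meant to cover it or whether a follow-up is needed. On documentation, the patch file carries only the git format-patch headers; adding DEP-3 `Origin: upstream, 18c020124ff1b2441f714da2017f63dba50720ba` and `Bug-Debian: https://bugs.debian.org/852213` lines above the body would let the series be audited without opening the changelog.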