Control: tags 916941 + pending

Hi Peter,

I've prepared an NMU for libvncserver (versioned as 0.9.11+dfsg-1.2) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

One IMHO important remark, the fix for CVE-2018-15126 removed one
function, adding two new ones to make the fix possible. Unless I'm
mistaken I have not found any reverse dependency though which would
use this directly.

But given the above I have instead of delayed/5 chosen delayed/10 to
get any more feedback.

Moritz is preparing a corresponding update for libvncserver on
stretch, so CC'ing him as well here on this bug.

Regards,
Salvatore
diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog	2018-06-05 14:43:47.000000000 +0200
+++ libvncserver-0.9.11+dfsg/debian/changelog	2019-01-02 16:26:53.000000000 +0100
@@ -1,3 +1,32 @@
+libvncserver (0.9.11+dfsg-1.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix multiple security vulnerabilities (Closes: #916941)
+    - Use-after-free in file transfer extension allows for potential
+      code execution (CVE-2018-15126)
+    - Heap out-of-bounds write in
+      rfbserver.c:rfbProcessFileTransferReadBuffer() allows for
+      potential code execution (CVE-2018-15127)
+    - Multiple heap out-of-bound writes in VNC client code
+      (CVE-2018-20019)
+    - Heap out-of-bound write inside structure in VNC client code allows
+      for potential code execution (CVE-2018-20020)
+    - Infinite loop in VNC client code allows for denial of service
+      (CVE-2018-20021)
+    - Improper initialization in VNC client code allows for information
+      disclosure (CVE-2018-20022)
+    - Improper initialization in VNC Repeater client code allows for
+      information disclosure (CVE-2018-20023)
+    - NULL pointer dereference in VNC client code allows for denial of
+      service (CVE-2018-20024)
+    - Use-after-free in file transfer extension server code allows for
+      potential code execution (CVE-2018-6307)
+  * Update symbols file for libvncserver1.
+    The fix for CVE-2018-15126 removes CloseUndoneFileTransfer and
+    introduces new CloseUndoneFileDownload and CloseUndoneFileUpload.
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 02 Jan 2019 16:26:53 +0100
+
 libvncserver (0.9.11+dfsg-1.1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru libvncserver-0.9.11+dfsg/debian/libvncserver1.symbols libvncserver-0.9.11+dfsg/debian/libvncserver1.symbols
--- libvncserver-0.9.11+dfsg/debian/libvncserver1.symbols	2018-06-05 14:43:47.000000000 +0200
+++ libvncserver-0.9.11+dfsg/debian/libvncserver1.symbols	2019-01-02 16:26:53.000000000 +0100
@@ -3,7 +3,9 @@
  ChkFileDownloadErr@Base 0.9.10
  ChkFileUploadErr@Base 0.9.10
  ChkFileUploadWriteErr@Base 0.9.10
- CloseUndoneFileTransfer@Base 0.9.10
+#MISSING: 0.9.11+dfsg-1.2~# CloseUndoneFileTransfer@Base 0.9.10
+ CloseUndoneFileDownload@Base 0.9.11+dfsg-1.2~
+ CloseUndoneFileUpload@Base 0.9.11+dfsg-1.2~
  ConvertPath@Base 0.9.10
  CreateDirectory@Base 0.9.10
  CreateFileDownloadBlockSizeDataMsg@Base 0.9.10
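Review bot: The #MISSING line for CloseUndoneFileTransfer drops an exported symbol from libvncserver1 without a SONAME or package name change, so any binary linked against it would fail to resolve the symbol after the upgrade. The two replacement functions take the same (cl, rtcp) arguments, so consider keeping CloseUndoneFileTransfer as a thin exported wrapper that calls CloseUndoneFileUpload and CloseUndoneFileDownload; the symbols file would then be additive only.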
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,51 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sun, 21 Oct 2018 23:38:40 +0200
+Subject: [1/5] tightvnc-filetransfer: tie the download thread to the control
+ structure
+Origin: https://github.com/LibVNC/libvncserver/commit/89419fb1a0cef42b63528e6930f4e545cfef4c95
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15126
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/242
+
+re #242
+---
+ libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c | 3 +--
+ libvncserver/tightvnc-filetransfer/rfbtightproto.h             | 1 +
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+index 0473783164f2..8e38f8880f5b 100644
+--- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
++++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+@@ -508,7 +508,6 @@ RunFileDownloadThread(void* client)
+ void
+ HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
+ {
+-	pthread_t fileDownloadThread;
+ 	FileTransferMsg fileDownloadMsg;
+ 	
+ 	memset(&fileDownloadMsg, 0, sizeof(FileTransferMsg));
+@@ -521,7 +520,7 @@ HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
+ 	rtcp->rcft.rcfd.downloadInProgress = FALSE;
+ 	rtcp->rcft.rcfd.downloadFD = -1;
+ 
+-	if(pthread_create(&fileDownloadThread, NULL, RunFileDownloadThread, (void*) 
++	if(pthread_create(&rtcp->rcft.rcfd.downloadThread, NULL, RunFileDownloadThread, (void*)
+ 	cl) != 0) {
+ 		FileTransferMsg ftm = GetFileDownLoadErrMsg();
+ 		
+diff --git a/libvncserver/tightvnc-filetransfer/rfbtightproto.h b/libvncserver/tightvnc-filetransfer/rfbtightproto.h
+index d0fe642ecfa3..30fc5f5413aa 100644
+--- a/libvncserver/tightvnc-filetransfer/rfbtightproto.h
++++ b/libvncserver/tightvnc-filetransfer/rfbtightproto.h
+@@ -148,6 +148,7 @@ typedef struct _rfbClientFileDownload {
+ 	int downloadInProgress;
+ 	unsigned long mTime;
+ 	int downloadFD;
++	pthread_t downloadThread;
+ } rfbClientFileDownload ;
+ 
+ typedef struct _rfbClientFileUpload {
+-- 
+2.20.1
+
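Review bot: In HandleFileDownload, rtcp->rcft.rcfd.downloadThread is written only by pthread_create, and the rfbtightproto.h hunk adds the field without any initialisation, so when pthread_create fails (the != 0 branch) the handle stays indeterminate. Any later pthread_join on it has to be guarded by a flag that is set only after a successful create; a short comment on the new field naming that flag would make the invariant checkable.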
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,112 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sun, 21 Oct 2018 23:44:39 +0200
+Subject: [2/5] tightvnc-filetransfer: refactor CloseUndoneFileTransfer() into
+ two functions
+Origin: https://github.com/LibVNC/libvncserver/commit/f8912fee5a58fb3975eda2589f6d4686f0c1ae68
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15126
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/242
+
+...for closing upload and download separately.
+
+re #242
+---
+ libvncserver/tightvnc-filetransfer/filetransfermsg.c | 12 ++++++++++--
+ libvncserver/tightvnc-filetransfer/filetransfermsg.h |  3 ++-
+ .../handlefiletransferrequest.c                      |  8 ++++----
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.c b/libvncserver/tightvnc-filetransfer/filetransfermsg.c
+index 5f84e7f3d323..f674b9283126 100644
+--- a/libvncserver/tightvnc-filetransfer/filetransfermsg.c
++++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.c
+@@ -672,7 +672,7 @@ ChkFileUploadWriteErr(rfbClientPtr cl, rfbTightClientPtr rtcp, char* pBuf)
+ 		char reason[] = "Error writing file data";
+ 		int reasonLen = strlen(reason);
+ 		ftm = CreateFileUploadErrMsg(reason, reasonLen);
+-		CloseUndoneFileTransfer(cl, rtcp);
++		CloseUndoneFileUpload(cl, rtcp);
+ 	}		
+ 	return ftm;
+ }
+@@ -735,7 +735,7 @@ CreateFileUploadErrMsg(char* reason, unsigned int reasonLen)
+  ******************************************************************************/
+ 
+ void
+-CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr rtcp)
++CloseUndoneFileUpload(rfbClientPtr cl, rfbTightClientPtr rtcp)
+ {
+ 	/* TODO :: File Upload case is not handled currently */
+ 	/* TODO :: In case of concurrency we need to use Critical Section */
+@@ -759,6 +759,14 @@ CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr rtcp)
+ 
+ 		memset(rtcp->rcft.rcfu.fName, 0 , PATH_MAX);
+ 	}
++}
++
++
++void
++CloseUndoneFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
++{
++	if(cl == NULL)
++		return;
+ 	
+ 	if(rtcp->rcft.rcfd.downloadInProgress == TRUE) {
+ 		rtcp->rcft.rcfd.downloadInProgress = FALSE;
+diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.h b/libvncserver/tightvnc-filetransfer/filetransfermsg.h
+index 3b27bd04d3f0..bbb9148db4d6 100644
+--- a/libvncserver/tightvnc-filetransfer/filetransfermsg.h
++++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.h
+@@ -51,7 +51,8 @@ FileTransferMsg ChkFileUploadWriteErr(rfbClientPtr cl, rfbTightClientPtr data, c
+ 
+ void CreateDirectory(char* dirName);
+ void FileUpdateComplete(rfbClientPtr cl, rfbTightClientPtr data);
+-void CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr data);
++void CloseUndoneFileUpload(rfbClientPtr cl, rfbTightClientPtr data);
++void CloseUndoneFileDownload(rfbClientPtr cl, rfbTightClientPtr data);
+ 
+ void FreeFileTransferMsg(FileTransferMsg ftm);
+ 
+diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+index 8e38f8880f5b..31163d0f62f3 100644
+--- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
++++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+@@ -492,7 +492,7 @@ RunFileDownloadThread(void* client)
+ 
+ 				if(cl != NULL) {
+ 			    	rfbCloseClient(cl);
+-				CloseUndoneFileTransfer(cl, rtcp);
++				CloseUndoneFileDownload(cl, rtcp);
+ 				}
+ 				
+ 				FreeFileTransferMsg(fileDownloadMsg);
+@@ -592,7 +592,7 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl, rfbTightClientPtr rtcp)
+ 					" reason <%s>\n", __FILE__, __FUNCTION__, reason);
+ 	
+ 	pthread_mutex_lock(&fileDownloadMutex);
+-	CloseUndoneFileTransfer(cl, rtcp);
++	CloseUndoneFileDownload(cl, rtcp);
+ 	pthread_mutex_unlock(&fileDownloadMutex);
+ 	
+ 	if(reason != NULL) {
+@@ -835,7 +835,7 @@ HandleFileUploadDataRequest(rfbClientPtr cl, rfbTightClientPtr rtcp)
+ 			FreeFileTransferMsg(ftm);
+ 		}
+ 
+-		CloseUndoneFileTransfer(cl, rtcp);
++		CloseUndoneFileUpload(cl, rtcp);
+ 
+ 	    if(pBuf != NULL) {
+ 	    	free(pBuf);
+@@ -935,7 +935,7 @@ HandleFileUploadFailedRequest(rfbClientPtr cl, rfbTightClientPtr rtcp)
+ 	rfbLog("File [%s]: Method [%s]: File Upload Failed Request received:"
+ 				" reason <%s>\n", __FILE__, __FUNCTION__, reason);
+ 
+-	CloseUndoneFileTransfer(cl, rtcp);
++	CloseUndoneFileUpload(cl, rtcp);
+ 
+ 	if(reason != NULL) {
+ 		free(reason);
+-- 
+2.20.1
+
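Review bot: CloseUndoneFileDownload in filetransfermsg.c guards only cl == NULL before dereferencing rtcp->rcft.rcfd, so a NULL rtcp still crashes; checking both pointers (if(cl == NULL || rtcp == NULL) return;) would be safer. The renamed CloseUndoneFileUpload also keeps the comment "TODO :: File Upload case is not handled currently", which no longer fits a function that handles only the upload case, and the new download function gets no banner comment of its own.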
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,59 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sun, 21 Oct 2018 23:59:39 +0200
+Subject: [3/5] tightvnc-filetransfer: wait for download thread end in
+ CloseUndoneFileDownload()
+Origin: https://github.com/LibVNC/libvncserver/commit/73cb96fec028a576a5a24417b57723b55854ad7b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15126
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/242
+
+...and use it when deregistering the file transfer extension.
+
+Closes #242
+---
+ libvncserver/tightvnc-filetransfer/filetransfermsg.c | 2 ++
+ libvncserver/tightvnc-filetransfer/rfbtightserver.c  | 7 +++++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.c b/libvncserver/tightvnc-filetransfer/filetransfermsg.c
+index f674b9283126..0003b11f6f50 100644
+--- a/libvncserver/tightvnc-filetransfer/filetransfermsg.c
++++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.c
+@@ -770,6 +770,8 @@ CloseUndoneFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
+ 	
+ 	if(rtcp->rcft.rcfd.downloadInProgress == TRUE) {
+ 		rtcp->rcft.rcfd.downloadInProgress = FALSE;
++		/* the thread will return if downloadInProgress is FALSE */
++		pthread_join(rtcp->rcft.rcfd.downloadThread, NULL);
+ 
+ 		if(rtcp->rcft.rcfd.downloadFD != -1) {			
+ 			close(rtcp->rcft.rcfd.downloadFD);
+diff --git a/libvncserver/tightvnc-filetransfer/rfbtightserver.c b/libvncserver/tightvnc-filetransfer/rfbtightserver.c
+index 67d4cb545fad..651d8fb7e75f 100644
+--- a/libvncserver/tightvnc-filetransfer/rfbtightserver.c
++++ b/libvncserver/tightvnc-filetransfer/rfbtightserver.c
+@@ -26,6 +26,7 @@
+ #include <rfb/rfb.h>
+ #include "rfbtightproto.h"
+ #include "handlefiletransferrequest.h"
++#include "filetransfermsg.h"
+ 
+ /*
+  * Get my data!
+@@ -448,9 +449,11 @@ rfbTightExtensionMsgHandler(struct _rfbClientRec* cl, void* data,
+ void
+ rfbTightExtensionClientClose(rfbClientPtr cl, void* data) {
+ 
+-	if(data != NULL)
++	if(data != NULL) {
++		CloseUndoneFileUpload(cl, data);
++		CloseUndoneFileDownload(cl, data);
+ 		free(data);
+-
++	}
+ }
+ 
+ void
+-- 
+2.20.1
+
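Review bot: The pthread_join added to CloseUndoneFileDownload blocks the caller until the download thread exits, and HandleFileDownloadCancelRequest calls this function between pthread_mutex_lock(&fileDownloadMutex) and the matching unlock (visible in the 2/5 patch). If RunFileDownloadThread ever takes fileDownloadMutex, that path deadlocks, so either join after releasing the mutex or document that the thread never acquires it. At this point in the series RunFileDownloadThread still calls CloseUndoneFileDownload itself on a write error, which would make the thread join itself until 5/5 removes that call. The return value of pthread_join is also ignored.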
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,31 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Mon, 22 Oct 2018 00:39:50 +0200
+Subject: [4/5] tightvnc-filetransfer: when creating a new download thread,
+ make sure the previous one ends
+Origin: https://github.com/LibVNC/libvncserver/commit/2d939267a176bf4976dbad36399638956ad8cc34
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15126
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/242
+
+re #242
+---
+ libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+index 31163d0f62f3..70e105f45adb 100644
+--- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
++++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+@@ -517,8 +517,7 @@ HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
+ 		FreeFileTransferMsg(fileDownloadMsg);
+ 		return;
+ 	}
+-	rtcp->rcft.rcfd.downloadInProgress = FALSE;
+-	rtcp->rcft.rcfd.downloadFD = -1;
++	CloseUndoneFileDownload(cl, rtcp);
+ 
+ 	if(pthread_create(&rtcp->rcft.rcfd.downloadThread, NULL, RunFileDownloadThread, (void*)
+ 	cl) != 0) {
+-- 
+2.20.1
+
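Review bot: Replacing the two resets in HandleFileDownload with CloseUndoneFileDownload(cl, rtcp) means downloadFD is no longer set to -1 here unless downloadInProgress was TRUE, because the cleanup body in CloseUndoneFileDownload is conditional on that flag. If the flag is FALSE while a descriptor from an earlier, already finished download is still stored, it is neither closed nor reset before the new thread starts. Resetting downloadFD to -1 unconditionally after the call would keep the old guarantee.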
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,35 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sat, 10 Nov 2018 17:33:00 +0100
+Subject: [5/5] tightvnc-filetransfer: do not close stuff from within a thread
+Origin: https://github.com/LibVNC/libvncserver/commit/495ffa3f3a213ab058eee1d7da48fa5ef71914d8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15126
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/242
+
+... as this crashes badly and the client is closed by the main thread machinery afterwards.
+
+re #242
+---
+ .../tightvnc-filetransfer/handlefiletransferrequest.c       | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+index 70e105f45adb..71fb08512470 100644
+--- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
++++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+@@ -489,12 +489,6 @@ RunFileDownloadThread(void* client)
+ 			if(rfbWriteExact(cl, fileDownloadMsg.data, fileDownloadMsg.length) < 0)  {
+ 				rfbLog("File [%s]: Method [%s]: Error while writing to socket \n"
+ 						, __FILE__, __FUNCTION__);
+-
+-				if(cl != NULL) {
+-			    	rfbCloseClient(cl);
+-				CloseUndoneFileDownload(cl, rtcp);
+-				}
+-				
+ 				FreeFileTransferMsg(fileDownloadMsg);
+ 				return NULL;
+ 			}
+-- 
+2.20.1
+
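Review bot: With the cleanup removed from the rfbWriteExact error branch in RunFileDownloadThread, the thread returns NULL leaving downloadInProgress and downloadFD untouched, so releasing them depends entirely on another thread later calling CloseUndoneFileDownload. A one-line comment at the return stating that cleanup is deferred to rfbTightExtensionClientClose would document that dependency. It is also worth confirming that a failed write really leads to the client being closed, since rfbCloseClient is no longer called here.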
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,29 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sun, 21 Oct 2018 20:21:30 +0200
+Subject: LibVNCServer: fix heap out-of-bound write access
+Origin: https://github.com/LibVNC/libvncserver/commit/502821828ed00b4a2c4bef90683d0fd88ce495de
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15127
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/243
+
+Closes #243
+---
+ libvncserver/rfbserver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index ed1365a55389..6ca511fee3ed 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -1465,7 +1465,7 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
+     rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length);
+     */
+     if (length>0) {
+-        buffer=malloc(length+1);
++        buffer=malloc((uint64_t)length+1);
+         if (buffer!=NULL) {
+             if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
+                 if (n != 0)
+-- 
+2.20.1
+
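Review bot: The cast in malloc((uint64_t)length+1) in rfbProcessFileTransferReadBuffer only prevents the wrap where size_t is 64 bits wide. On a 32-bit build the uint64_t sum is converted back to size_t at the call, so length == 0xffffffff still yields malloc(0) followed by rfbReadExact(cl, (char *)buffer, length). An explicit upper bound on length before allocating would fix this on every architecture and would also stop a peer from requesting an allocation of nearly 4 GiB.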
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,56 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sat, 29 Sep 2018 22:28:57 +0200
+Subject: LibVNCClient: fix three possible heap buffer overflows
+Origin: https://github.com/LibVNC/libvncserver/commit/a83439b9fbe0f03c48eb94ed05729cb016f8b72f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20019
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/247
+
+An attacker could feed `0xffffffff`, causing a `malloc(0)` for the
+buffers which are subsequently written to.
+
+Closes #247
+---
+ libvncclient/rfbproto.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
+index 8d6a4c1f0d9d..ac2a983597e4 100644
+--- a/libvncclient/rfbproto.c
++++ b/libvncclient/rfbproto.c
+@@ -433,7 +433,7 @@ rfbHandleAuthResult(rfbClient* client)
+         /* we have an error following */
+         if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE;
+         reasonLen = rfbClientSwap32IfLE(reasonLen);
+-        reason = malloc(reasonLen+1);
++        reason = malloc((uint64_t)reasonLen+1);
+         if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; }
+         reason[reasonLen]=0;
+         rfbClientLog("VNC connection failed: %s\n",reason);
+@@ -461,7 +461,7 @@ ReadReason(rfbClient* client)
+     /* we have an error following */
+     if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
+     reasonLen = rfbClientSwap32IfLE(reasonLen);
+-    reason = malloc(reasonLen+1);
++    reason = malloc((uint64_t)reasonLen+1);
+     if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
+     reason[reasonLen]=0;
+     rfbClientLog("VNC connection failed: %s\n",reason);
+@@ -2187,10 +2187,12 @@ HandleRFBServerMessage(rfbClient* client)
+ 
+     msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);
+ 
+-    buffer = malloc(msg.sct.length+1);
++    buffer = malloc((uint64_t)msg.sct.length+1);
+ 
+-    if (!ReadFromRFBServer(client, buffer, msg.sct.length))
++    if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {
++      free(buffer);
+       return FALSE;
++    }
+ 
+     buffer[msg.sct.length] = 0;
+ 
+-- 
+2.20.1
+
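Review bot: In rfbHandleAuthResult and ReadReason the result of malloc((uint64_t)reasonLen+1) is passed to ReadFromRFBServer and then indexed with reason[reasonLen]=0 without a NULL check, and the same holds for buffer in HandleRFBServerMessage, so a server-chosen length large enough to make the allocation fail becomes a write through a NULL-based pointer. The uint64_t cast also does not help where size_t is 32 bits, because the sum is truncated again at the call. Bounding the length and checking for NULL at all three sites would cover both cases.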
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20020/0001-LibVNCClient-make-sure-ReadFromRFBServer-does-not-wr.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20020/0001-LibVNCClient-make-sure-ReadFromRFBServer-does-not-wr.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20020/0001-LibVNCClient-make-sure-ReadFromRFBServer-does-not-wr.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20020/0001-LibVNCClient-make-sure-ReadFromRFBServer-does-not-wr.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,25 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sat, 29 Sep 2018 22:07:27 +0200
+Subject: LibVNCClient: make sure ReadFromRFBServer() does not write after
+ buffer end in CoRRE decoding
+Origin: https://github.com/LibVNC/libvncserver/commit/09f2f3fb6a5a163e453e5c2979054670c39694bc
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20020
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+
+Closes #250
+---
+ libvncclient/corre.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/libvncclient/corre.c
++++ b/libvncclient/corre.c
+@@ -48,7 +48,7 @@ HandleCoRREBPP (rfbClient* client, int r
+ 
+     FillRectangle(client, rx, ry, rw, rh, pix);
+ 
+-    if (!ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8))))
++    if (hdr.nSubrects * (4 + (BPP / 8)) > RFB_BUFFER_SIZE || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ 	return FALSE;
+ 
+     ptr = (uint8_t *)client->buffer;
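Review bot: The bound hdr.nSubrects * (4 + (BPP / 8)) > RFB_BUFFER_SIZE in HandleCoRREBPP is computed with the same multiplication it is meant to guard, so a large nSubrects can wrap the product below RFB_BUFFER_SIZE and pass the check. Compare by division instead (hdr.nSubrects > RFB_BUFFER_SIZE / (4 + (BPP / 8))), which is what the follow-up patch in this series does. For the Debian series the two patches could be folded into one so that no intermediate state carries the weak check.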
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20020/0002-LibVNCClient-really-fix-250.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20020/0002-LibVNCClient-really-fix-250.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20020/0002-LibVNCClient-really-fix-250.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20020/0002-LibVNCClient-really-fix-250.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,23 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Thu, 4 Oct 2018 22:27:39 +0200
+Subject: LibVNCClient: really fix #250
+Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20020
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+
+---
+ libvncclient/corre.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/libvncclient/corre.c
++++ b/libvncclient/corre.c
+@@ -48,7 +48,7 @@ HandleCoRREBPP (rfbClient* client, int r
+ 
+     FillRectangle(client, rx, ry, rw, rh, pix);
+ 
+-    if (hdr.nSubrects * (4 + (BPP / 8)) > RFB_BUFFER_SIZE || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8))))
++    if (hdr.nSubrects > RFB_BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ 	return FALSE;
+ 
+     ptr = (uint8_t *)client->buffer;
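Review bot: The patch header has no description, so nothing records why the earlier check was insufficient. A sentence stating that the product hdr.nSubrects * (4 + (BPP / 8)) could wrap and that the comparison is therefore done by division would make the series reviewable without reading upstream issue #250. The third argument to ReadFromRFBServer still recomputes the product; it is safe only because the new bound comes first in the || expression, which deserves a short comment.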
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,29 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sat, 29 Sep 2018 21:32:59 +0200
+Subject: LibVNCClient: fix possible infinite loop
+Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20021
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/251
+
+Closes #251
+---
+ libvncclient/rfbproto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
+index 808ad4d28b7f..8d6a4c1f0d9d 100644
+--- a/libvncclient/rfbproto.c
++++ b/libvncclient/rfbproto.c
+@@ -1879,7 +1879,7 @@ HandleRFBServerMessage(rfbClient* client)
+ 	/* Regardless of cause, do not divide by zero. */
+ 	linesToRead = bytesPerLine ? (RFB_BUFFER_SIZE / bytesPerLine) : 0;
+ 
+-	while (h > 0) {
++	while (linesToRead && h > 0) {
+ 	  if (linesToRead > h)
+ 	    linesToRead = h;
+ 
+-- 
+2.20.1
+
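Review bot: With while (linesToRead && h > 0) in HandleRFBServerMessage, linesToRead is 0 whenever bytesPerLine is 0 or exceeds RFB_BUFFER_SIZE, so the loop is skipped and execution continues as though the rectangle had been read. In the second case the pixel data the server sends for that rectangle is left in the stream and would be parsed as the next message. Returning FALSE when linesToRead is 0 and h > 0 would fail the connection cleanly instead.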
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,39 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sat, 29 Sep 2018 21:10:32 +0200
+Subject: LibVNCClient: don't leak uninitialised memory to remote
+Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20022
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/252
+
+The pad fields of the rfbClientCutTextMsg and rfbKeyEventMsg could contain arbitray memory belonging to the process,
+don't leak this to the remote.
+
+Closes #252
+---
+ libvncclient/rfbproto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
+index 669e38848d15..808ad4d28b7f 100644
+--- a/libvncclient/rfbproto.c
++++ b/libvncclient/rfbproto.c
+@@ -1643,6 +1643,7 @@ SendKeyEvent(rfbClient* client, uint32_t key, rfbBool down)
+ 
+   if (!SupportsClient2Server(client, rfbKeyEvent)) return TRUE;
+ 
++  memset(&ke, 0, sizeof(ke));
+   ke.type = rfbKeyEvent;
+   ke.down = down ? 1 : 0;
+   ke.key = rfbClientSwap32IfLE(key);
+@@ -1661,6 +1662,7 @@ SendClientCutText(rfbClient* client, char *str, int len)
+ 
+   if (!SupportsClient2Server(client, rfbClientCutText)) return TRUE;
+ 
++  memset(&cct, 0, sizeof(cct));
+   cct.type = rfbClientCutText;
+   cct.length = rfbClientSwap32IfLE(len);
+   return  (WriteToRFBServer(client, (char *)&cct, sz_rfbClientCutTextMsg) &&
+-- 
+2.20.1
+
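Review bot: The memset calls in SendKeyEvent and SendClientCutText cover the two messages named in the description, but the same pattern (a local message struct filled field by field and then passed to WriteToRFBServer) would leak pad bytes in any other sender that has them. The description should say whether the other senders in rfbproto.c were checked; alternatively, zero-initialise the structs at declaration so the pad fields cannot be missed.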
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,78 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sat, 29 Sep 2018 20:55:24 +0200
+Subject: When connecting to a repeater, only send initialised string
+Origin: https://github.com/LibVNC/libvncserver/commit/8b06f835e259652b0ff026898014fc7297ade858
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20023
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/253
+
+Closes #253
+---
+ examples/repeater.c     | 10 ++++++++--
+ libvncclient/rfbproto.c |  8 ++++++--
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/examples/repeater.c b/examples/repeater.c
+index cf0350ff98a2..dbfa39e1d514 100644
+--- a/examples/repeater.c
++++ b/examples/repeater.c
+@@ -12,6 +12,7 @@ int main(int argc,char** argv)
+   char *repeaterHost;
+   int repeaterPort, sock;
+   char id[250];
++  int idlen;
+   rfbClientPtr cl;
+ 
+   int i,j;
+@@ -23,7 +24,12 @@ int main(int argc,char** argv)
+       "Usage: %s <id> <repeater-host> [<repeater-port>]\n", argv[0]);
+     exit(1);
+   }
+-  snprintf(id, sizeof(id) - 1, "ID:%s", argv[1]);
++  idlen = snprintf(id, sizeof(id) - 1, "ID:%s", argv[1]);
++  if(idlen < 0 || idlen >= (int)sizeof(id)) {
++      fprintf(stderr, "Error, given ID is probably too long.\n");
++      return 1;
++  }
++
+   repeaterHost = argv[2];
+   repeaterPort = argc < 4 ? 5500 : atoi(argv[3]);
+ 
+@@ -48,7 +54,7 @@ int main(int argc,char** argv)
+     perror("connect to repeater");
+     return 1;
+   }
+-  if (write(sock, id, sizeof(id)) != sizeof(id)) {
++  if (write(sock, id, idlen+1) != idlen+1) {
+     perror("writing id");
+     return 1;
+   }
+diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
+index e5373bc4345f..669e38848d15 100644
+--- a/libvncclient/rfbproto.c
++++ b/libvncclient/rfbproto.c
+@@ -363,6 +363,7 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
+   rfbProtocolVersionMsg pv;
+   int major,minor;
+   char tmphost[250];
++  int tmphostlen;
+ 
+ #ifdef LIBVNCSERVER_IPv6
+   client->sock = ConnectClientToTcpAddr6(repeaterHost, repeaterPort);
+@@ -398,8 +399,11 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
+ 
+   rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n", major, minor);
+ 
+-  snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
+-  if (!WriteToRFBServer(client, tmphost, sizeof(tmphost)))
++  tmphostlen = snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
++  if(tmphostlen < 0 || tmphostlen >= (int)sizeof(tmphost))
++    return FALSE; /* snprintf error or output truncated */
++
++  if (!WriteToRFBServer(client, tmphost, tmphostlen + 1))
+     return FALSE;
+ 
+   return TRUE;
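Review bot: sending tmphostlen + 1 bytes instead of sizeof(tmphost) changes the message on the wire from a fixed 250 bytes to a variable length, and examples/repeater.c makes the same change for the ID string. If the repeater on the other end reads a fixed-size block, it will now wait for bytes that never arrive. Zero-filling the buffer before snprintf(), for example with memset(tmphost, 0, sizeof(tmphost)), and keeping the fixed-length write would close the information leak without altering the message size. The new return FALSE path could also call rfbClientLog() so that a truncated destHost is distinguishable from a write failure.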
+-- 
+2.20.1
+
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20024/0001-LibVNCClient-make-sure-Ultra-decoding-cannot-derefer.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20024/0001-LibVNCClient-make-sure-Ultra-decoding-cannot-derefer.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20024/0001-LibVNCClient-make-sure-Ultra-decoding-cannot-derefer.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20024/0001-LibVNCClient-make-sure-Ultra-decoding-cannot-derefer.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,39 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Mon, 1 Oct 2018 19:38:33 +0200
+Subject: LibVNCClient: make sure Ultra decoding cannot dereference a null
+ pointer
+Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20024
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/254
+
+Closes #254
+---
+ libvncclient/ultra.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libvncclient/ultra.c b/libvncclient/ultra.c
+index a82e2eddbdc2..a2875267e790 100644
+--- a/libvncclient/ultra.c
++++ b/libvncclient/ultra.c
+@@ -66,6 +66,8 @@ HandleUltraBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+     if ((client->raw_buffer_size % 4)!=0)
+       client->raw_buffer_size += (4-(client->raw_buffer_size % 4));
+     client->raw_buffer = (char*) malloc( client->raw_buffer_size );
++    if(client->raw_buffer == NULL)
++      return FALSE;
+   }
+   
+   /* allocate enough space to store the incoming compressed packet */
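Review bot: on the new malloc() failure path in HandleUltraBPP, client->raw_buffer_size has already been rounded up to its new value while client->raw_buffer is NULL, so the two fields disagree after return FALSE. Any later code that trusts raw_buffer_size to decide whether the buffer is usable would then work on a NULL pointer. Set client->raw_buffer_size = 0 before returning so the state stays consistent.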
+@@ -150,6 +152,8 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+     if ((client->raw_buffer_size % 4)!=0)
+       client->raw_buffer_size += (4-(client->raw_buffer_size % 4));
+     client->raw_buffer = (char*) malloc( client->raw_buffer_size );
++    if(client->raw_buffer == NULL)
++	return FALSE;
+   }
+ 
+  
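Review bot: the return FALSE; under the NULL check in HandleUltraZipBPP is indented with a tab, while the identical check added to HandleUltraBPP uses spaces; match the surrounding space indentation. As in the other function, raw_buffer_size keeps its new value when malloc() fails, so resetting it to 0 before the return keeps it in step with the NULL raw_buffer.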
+-- 
+2.20.1
+
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch	2019-01-02 16:26:53.000000000 +0100
@@ -0,0 +1,35 @@
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sun, 21 Oct 2018 20:52:04 +0200
+Subject: tightvnc-filetransfer: fix heap use-after-free
+Origin: https://github.com/LibVNC/libvncserver/commit/ca2a5ac02fbbadd0a21fabba779c1ea69173d10b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6307
+Bug-Debian: https://bugs.debian.org/916941
+Bug: https://github.com/LibVNC/libvncserver/issues/241
+
+One can only guess what the intended semantics were here, but as every
+other rfbCloseClient() call in this file is followed by an immediate
+return, let's assume this was forgotton in this case.
+
+Anyway, don't forget to clean up to not leak memory.
+
+Closes #241
+---
+ libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+index c511eed17fcd..0473783164f2 100644
+--- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
++++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+@@ -585,6 +585,8 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl, rfbTightClientPtr rtcp)
+ 					"FileDownloadCancelMsg\n", __FILE__, __FUNCTION__);
+ 		
+ 	    rfbCloseClient(cl);
++	    free(reason);
++	    return;
+ 	}
+ 
+ 	rfbLog("File [%s]: Method [%s]: File Download Cancel Request received:"
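Review bot: the error branch in HandleFileDownloadCancelRequest now depends on two statements after rfbCloseClient(cl), free(reason) and return, and nothing in the code records why. A short comment stating that cl must not be used once rfbCloseClient() has run, or a shared cleanup label that frees reason and returns, would keep a later edit from reintroducing the use-after-free or the leak that the commit message mentions.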
+-- 
+2.20.1
+
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series	2018-06-05 14:43:47.000000000 +0200
+++ libvncserver-0.9.11+dfsg/debian/patches/series	2019-01-02 16:26:53.000000000 +0100
@@ -1,3 +1,17 @@
 remove-libpng.patch
 0001-ignore_webclients.patch
 CVE-2018-7225.patch
+CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch
+CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch
+CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch
+CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch
+CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch
+CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch
+CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch
+CVE-2018-20020/0001-LibVNCClient-make-sure-ReadFromRFBServer-does-not-wr.patch
+CVE-2018-20020/0002-LibVNCClient-really-fix-250.patch
+CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch
+CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch
+CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch
+CVE-2018-20024/0001-LibVNCClient-make-sure-Ultra-decoding-cannot-derefer.patch
+CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch
