This repository was archived by the owner on Apr 12, 2021. It is now read-only.

base repository: NixOS/nixpkgs-channels
base: 2ddaccbaa242
head repository: NixOS/nixpkgs-channels
compare: 0d357bbdb8c0
  • 1 commit
  • 5 files changed
  • 1 contributor

Commits on Nov 24, 2019

  1. tightvnc: add patches for four CVEs

    Security fixes for:
    * CVE-2019-8287
    * CVE-2019-15678
    * CVE-2019-15679
    * CVE-2019-15680
    
    mostly adapted from patches fixing similar issues in the actively
    maintained libvnc
    
    (#73970)
    
    (cherry picked from commit 2482f8b)
    risicle authored and c0bw3b committed Nov 24, 2019
    0d357bb View commit details
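--- a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch
@@ -0,0 +1,18 @@
+Adapted from https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a
+diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
+index 04b0230..47a6863 100644
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1217,6 +1217,12 @@ HandleRFBServerMessage()
+if (serverCutText)
+free(serverCutText);
+
++ if (msg.sct.length > 1<<20) {
++ fprintf(stderr,"Ignoring too big cut text length sent by server: %u B > 1 MB\n",
++ (unsigned int)msg.sct.length);
++ return False;
++ }
++
+serverCutText = malloc(msg.sct.length+1);
+
+if (!ReadFromRFBServer(serverCutText, msg.sct.length))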
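Review bot: The early `return False;` in the added length check leaves `serverCutText` pointing at the buffer that the two context lines above have just freed, so unless every caller treats False as fatal, a later cut-text message would free it a second time. Setting `serverCutText = NULL;` right after the `free()` (or just before the return) closes that. Separately, the result of `malloc(msg.sct.length+1)` is still handed to ReadFromRFBServer() without a NULL check in the lines visible here; `if (!serverCutText) return False;` would cover the allocation-failure case. HandleRFBServerMessage() starts and ends outside this hunk.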
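--- a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
@@ -0,0 +1,19 @@
+Adapted from https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
+diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
+index 04b0230..bd11b54 100644
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -303,7 +303,12 @@ InitialiseRFBConnection(void)
+si.format.blueMax = Swap16IfLE(si.format.blueMax);
+si.nameLength = Swap32IfLE(si.nameLength);
+
+- /* FIXME: Check arguments to malloc() calls. */
++ if (si.nameLength > 1<<20) {
++ fprintf(stderr, "Too big desktop name length sent by server: %lu B > 1 MB\n",
++ (unsigned long)si.nameLength);
++ return False;
++ }
++
+desktopName = malloc(si.nameLength + 1);
+if (!desktopName) {
+fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",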
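--- a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch
@@ -0,0 +1,16 @@
+diff --git a/vncviewer/zlib.c b/vncviewer/zlib.c
+index 80c4eee..76998d8 100644
+--- a/vncviewer/zlib.c
++++ b/vncviewer/zlib.c
+@@ -55,6 +55,11 @@ HandleZlibBPP (int rx, int ry, int rw, int rh)
+raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+raw_buffer = (char*) malloc( raw_buffer_size );
+
++ if ( raw_buffer == NULL ) {
++ fprintf(stderr,
++ "couldn't allocate raw_buffer in HandleZlibBPP");
++ return False;
++ }
+}
+
+if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))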
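Review bot: The new NULL check handles allocation failure, but `raw_buffer_size = (( rw * rh ) * ( BPP / 8 ))` just above it is still computed in `int` arithmetic from the rectangle dimensions, so large `rw`/`rh` values (presumably taken from the server's rectangle header) can overflow and produce a size that no longer matches the rectangle. A range check on `rw` and `rh` before the multiplication would close that. On the failure path `raw_buffer_size` also keeps the new value while `raw_buffer` is NULL; adding `raw_buffer_size = 0;` before `return False;` keeps the pair consistent if the function is entered again. The fprintf message has no trailing `\n`. The enclosing `if` and the rest of HandleZlibBPP lie outside the hunk.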
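--- a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch
@@ -0,0 +1,14 @@
+Adapted from https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+diff --git a/vncviewer/corre.c b/vncviewer/corre.c
+index c846a10..a4c272d 100644
+--- a/vncviewer/corre.c
++++ b/vncviewer/corre.c
+@@ -56,7 +56,7 @@ HandleCoRREBPP (int rx, int ry, int rw, int rh)
+XChangeGC(dpy, gc, GCForeground, &gcv);
+XFillRectangle(dpy, desktopWin, gc, rx, ry, rw, rh);
+
+- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+return False;
+
+ptr = (CARD8 *)buffer;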
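Review bot: The added bound on `hdr.nSubrects` fails silently, while the other three patches in this commit print a diagnostic before returning False. Splitting it into its own guard, e.g. `if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8))) { fprintf(stderr, "Too many CoRRE subrects sent by server\n"); return False; }`, would shorten the line and tell the user why the connection was dropped. A one-line comment that the division form is used so the product cannot overflow before it is compared would help the next reader. The hunk does not show whether the per-subrectangle coordinates later read from `buffer` are checked against `rw`/`rh`, which is worth confirming; HandleCoRREBPP continues outside the hunk.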
7 changes: 7 additions & 0 deletions pkgs/tools/admin/tightvnc/default.nix
@@ -9,6 +9,13 @@ stdenv.mkDerivation {
sha256 = "f48c70fea08d03744ae18df6b1499976362f16934eda3275cead87baad585c0d";
};

patches = [
./1.3.10-CVE-2019-15678.patch
./1.3.10-CVE-2019-15679.patch
./1.3.10-CVE-2019-15680.patch
./1.3.10-CVE-2019-8287.patch
];

# for the builder script
inherit fontDirectories;