Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package neatvnc for openSUSE:Factory checked 
in at 2024-08-02 17:27:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/neatvnc (Old)
 and      /work/SRC/openSUSE:Factory/.neatvnc.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "neatvnc"

Fri Aug  2 17:27:15 2024 rev:13 rq:1191110 version:0.8.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/neatvnc/neatvnc.changes  2024-02-26 
19:46:23.328073363 +0100
+++ /work/SRC/openSUSE:Factory/.neatvnc.new.7232/neatvnc.changes        
2024-08-02 17:27:57.266831435 +0200
@@ -1,0 +2,7 @@
+Fri Aug  2 06:25:29 UTC 2024 - Michael Vetter <mvet...@suse.com>
+
+- bsc#1228777 (CVE-2024-42458)
+  Update to 0.8.1:
+  * Add sanity check for chosen security type
+
+-------------------------------------------------------------------

Old:
----
  v0.8.0.tar.gz

New:
----
  v0.8.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ neatvnc.spec ++++++
--- /var/tmp/diff_new_pack.hefBr3/_old  2024-08-02 17:27:57.690848924 +0200
+++ /var/tmp/diff_new_pack.hefBr3/_new  2024-08-02 17:27:57.690848924 +0200
@@ -19,7 +19,7 @@
 %define libsoname libneatvnc0
 
 Name:           neatvnc
-Version:        0.8.0
+Version:        0.8.1
 Release:        0
 Summary:        A VNC server library
 License:        ISC

++++++ v0.8.0.tar.gz -> v0.8.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/neatvnc-0.8.0/include/common.h 
new/neatvnc-0.8.1/include/common.h
--- old/neatvnc-0.8.0/include/common.h  2024-02-25 12:11:28.000000000 +0100
+++ new/neatvnc-0.8.1/include/common.h  2024-08-01 23:01:01.000000000 +0200
@@ -38,6 +38,7 @@
 #define MAX_OUTGOING_FRAMES 4
 #define MSG_BUFFER_SIZE 4096
 #define MAX_CUT_TEXT_SIZE 10000000
+#define MAX_SECURITY_TYPES 32
 
 enum nvnc_client_state {
        VNC_CLIENT_STATE_ERROR = -1,
@@ -167,6 +168,9 @@
        struct crypto_rsa_priv_key* rsa_priv;
 #endif
 
+       int n_security_types;
+       enum rfb_security_type security_types[MAX_SECURITY_TYPES];
+
        uint32_t n_damage_clients;
 };
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/neatvnc-0.8.0/meson.build 
new/neatvnc-0.8.1/meson.build
--- old/neatvnc-0.8.0/meson.build       2024-02-25 12:11:28.000000000 +0100
+++ new/neatvnc-0.8.1/meson.build       2024-08-01 23:01:01.000000000 +0200
@@ -1,7 +1,7 @@
 project(
        'neatvnc',
        'c',
-       version: '0.8.0',
+       version: '0.8.1',
        license: 'ISC',
        default_options: [
                'c_std=gnu11',
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/neatvnc-0.8.0/src/server.c 
new/neatvnc-0.8.1/src/server.c
--- old/neatvnc-0.8.0/src/server.c      2024-02-25 12:11:28.000000000 +0100
+++ new/neatvnc-0.8.1/src/server.c      2024-08-01 23:01:01.000000000 +0200
@@ -67,7 +67,6 @@
 #endif
 
 #define DEFAULT_NAME "Neat VNC"
-#define SECURITY_TYPES_MAX 3
 #define APPLE_DH_SERVER_KEY_LENGTH 256
 
 #define UDIV_UP(a, b) (((a) + (b) - 1) / (b))
@@ -215,52 +214,79 @@
        return 0;
 }
 
-static int on_version_message(struct nvnc_client* client)
+static void init_security_types(struct nvnc* server)
 {
-       struct nvnc* server = client->server;
-
-       if (client->buffer_len - client->buffer_index < 12)
-               return 0;
-
-       char version_string[13];
-       memcpy(version_string, client->msg_buffer + client->buffer_index, 12);
-       version_string[12] = '\0';
+#define ADD_SECURITY_TYPE(type) \
+       assert(server->n_security_types < MAX_SECURITY_TYPES); \
+       server->security_types[server->n_security_types++] = (type);
 
-       if (strcmp(RFB_VERSION_MESSAGE, version_string) != 0)
-               return handle_unsupported_version(client);
+       if (server->n_security_types > 0)
+               return;
 
-       uint8_t buf[sizeof(struct rfb_security_types_msg) +
-               SECURITY_TYPES_MAX] = {};
-       struct rfb_security_types_msg* security =
-               (struct rfb_security_types_msg*)buf;
-
-       security->n = 0;
        if (server->auth_flags & NVNC_AUTH_REQUIRE_AUTH) {
                assert(server->auth_fn);
 
 #ifdef ENABLE_TLS
                if (server->tls_creds) {
-                       security->types[security->n++] = 
RFB_SECURITY_TYPE_VENCRYPT;
+                       ADD_SECURITY_TYPE(RFB_SECURITY_TYPE_VENCRYPT);
                }
 #endif
 
 #ifdef HAVE_CRYPTO
-               security->types[security->n++] = RFB_SECURITY_TYPE_RSA_AES256;
-               security->types[security->n++] = RFB_SECURITY_TYPE_RSA_AES;
+               ADD_SECURITY_TYPE(RFB_SECURITY_TYPE_RSA_AES256);
+               ADD_SECURITY_TYPE(RFB_SECURITY_TYPE_RSA_AES);
 
                if (!(server->auth_flags & NVNC_AUTH_REQUIRE_ENCRYPTION)) {
-                       security->types[security->n++] = 
RFB_SECURITY_TYPE_APPLE_DH;
+                       ADD_SECURITY_TYPE(RFB_SECURITY_TYPE_APPLE_DH);
                }
 #endif
        } else {
-               security->n = 1;
-               security->types[0] = RFB_SECURITY_TYPE_NONE;
+               ADD_SECURITY_TYPE(RFB_SECURITY_TYPE_NONE);
        }
 
-       if (security->n == 0) {
+       if (server->n_security_types == 0) {
                nvnc_log(NVNC_LOG_PANIC, "Failed to satisfy requested security 
constraints");
        }
 
+#undef ADD_SECURITY_TYPE
+}
+
+static bool is_allowed_security_type(const struct nvnc* server, uint8_t type)
+{
+       for (int i = 0; i < server->n_security_types; ++i) {
+               if ((uint8_t)server->security_types[i] == type) {
+                       return true;
+               }
+       }
+       return false;
+}
+
+static int on_version_message(struct nvnc_client* client)
+{
+       struct nvnc* server = client->server;
+
+       if (client->buffer_len - client->buffer_index < 12)
+               return 0;
+
+       char version_string[13];
+       memcpy(version_string, client->msg_buffer + client->buffer_index, 12);
+       version_string[12] = '\0';
+
+       if (strcmp(RFB_VERSION_MESSAGE, version_string) != 0)
+               return handle_unsupported_version(client);
+
+       uint8_t buf[sizeof(struct rfb_security_types_msg) +
+               MAX_SECURITY_TYPES] = {};
+       struct rfb_security_types_msg* security =
+               (struct rfb_security_types_msg*)buf;
+
+       init_security_types(server);
+
+       security->n = server->n_security_types;
+       for (int i = 0; i < server->n_security_types; ++i) {
+               security->types[i] = server->security_types[i];
+       }
+
        stream_write(client->net_stream, security, sizeof(*security) +
                        security->n, NULL, NULL);
 
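Review bot: The allowed list is built once and then cached, because `init_security_types` returns early when `server->n_security_types > 0`, so a later change to `auth_flags` or `tls_creds` would not change what is advertised or what `is_allowed_security_type` accepts. Nothing in the visible hunks resets the count; if the setters for those fields live elsewhere in server.c, they should clear it with `server->n_security_types = 0;`, otherwise a server that enables authentication after its first handshake would presumably keep accepting `RFB_SECURITY_TYPE_NONE`. Separately, `ADD_SECURITY_TYPE` expands to two statements and relies on every call site being braced, and its bound is an `assert` that disappears under NDEBUG; wrapping the body in `do { ... } while (0)` with an explicit `if` on the bound would keep the check in release builds. `on_version_message` continues past the end of this hunk.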
@@ -798,6 +824,11 @@
        uint8_t type = client->msg_buffer[client->buffer_index];
        nvnc_log(NVNC_LOG_DEBUG, "Client chose security type: %d", type);
 
+       if (!is_allowed_security_type(client->server, type)) {
+               security_handshake_failed(client, NULL, "Illegal security 
type");
+               return sizeof(type);
+       }
+
        switch (type) {
        case RFB_SECURITY_TYPE_NONE:
                security_handshake_ok(client, NULL);
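Review bot: The rejected value is only visible at debug level, since the new `is_allowed_security_type` branch passes a fixed string to `security_handshake_failed` and the only line carrying `type` is the `NVNC_LOG_DEBUG` call above it. A client selecting a type that was never offered is worth surfacing to operators, so I would add `nvnc_log(NVNC_LOG_WARNING, "Client chose security type %d, which was not offered", type);` inside the branch, unless `security_handshake_failed` (not shown here) already logs at that level. A short comment such as `/* The client may only pick a type from the list sent in on_version_message() */` would also record why the check has to precede the switch. The enclosing function starts and ends outside this hunk.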
