commit:     56b1a55f56872459376e4f24cdf272477844123c
Author:     Mart Raudsepp <leio <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 16 13:03:12 2020 +0000
Commit:     Mart Raudsepp <leio <AT> gentoo <DOT> org>
CommitDate: Sun Feb 16 17:27:50 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56b1a55f

net-misc/vino: apply 3 security fixes and misc upstream fixes

Adds a patchset for a plethora of translation updates and a couple of
bug fixes pending in master without any releases for years.
The security fixes are not found in upstream vino and are ported
separately from libvncserver commits.

Bug: https://bugs.gentoo.org/701836
Package-Manager: Portage-2.3.84, Repoman-2.3.20
Signed-off-by: Mart Raudsepp <leio <AT> gentoo.org>

 net-misc/vino/Manifest                   |  1 +
 net-misc/vino/files/CVE-2014-6053.patch  | 31 +++++++++++++
 net-misc/vino/files/CVE-2018-7225.patch  | 64 +++++++++++++++++++++++++++
 net-misc/vino/files/CVE-2019-15681.patch | 26 +++++++++++
 net-misc/vino/vino-3.22.0-r2.ebuild      | 76 ++++++++++++++++++++++++++++++++
 5 files changed, 198 insertions(+)

diff --git a/net-misc/vino/Manifest b/net-misc/vino/Manifest
index 8ec11375c7e..56fb2cd63fb 100644
--- a/net-misc/vino/Manifest
+++ b/net-misc/vino/Manifest
@@ -1 +1,2 @@
+DIST vino-3.22.0-patchset.tar.xz 158480 BLAKE2B 
fb8b50abde8cb4728410302c1d3a57bc4d344a33ac0bd9f1265fd24eb142dcd52e870845b902c9b63e98134f87873ebf6abfcfcd1efadb72b0cc72b04f9bf4be
 SHA512 
cf96f5dce96d5c060462698c9d8df6f6d94eb9d624cb689c1262830840ed8f3617485f2274832076c273625e92a89732f9c2ae99dbcbf495e5293cf88408064f
 DIST vino-3.22.0.tar.xz 768716 BLAKE2B 
5c3f6df059f129009bbc97527d1767bc8a29d8cbff5e6f9e89dabc4583ffdae2cf235eec66cbcb5f9e73c9a0a7c05a504e4e90221bf5adfc2ecbbbd518fdc84a
 SHA512 
29b88e151b0b8c69bce1565ae3ec2e788f48c7645429984329fb2d3daaf03cc5ac100abbf70247bf0516c6d03a3b9aeb78d018c8f1bf35fd241919117fd1105f

diff --git a/net-misc/vino/files/CVE-2014-6053.patch 
b/net-misc/vino/files/CVE-2014-6053.patch
new file mode 100644
index 00000000000..8830c30f870
--- /dev/null
+++ b/net-misc/vino/files/CVE-2014-6053.patch
@@ -0,0 +1,31 @@
+From b1bfadcbfd88970c6d48672e2dbcca8713c91411 Mon Sep 17 00:00:00 2001
+From: Nicolas Ruff <nr...@google.com>
+Date: Mon, 18 Aug 2014 15:16:16 +0200
+Subject: [PATCH 1/3] Check malloc() return value on client->server
+ ClientCutText message. Client can send up to 2**32-1 bytes of text, and such
+ a large allocation is likely to fail in case of high memory pressure. This
+ would in a server crash (write at address 0).
+
+---
+ server/libvncserver/rfbserver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
+index a880b53..2615dc3 100644
+--- a/server/libvncserver/rfbserver.c
++++ b/server/libvncserver/rfbserver.c
+@@ -853,6 +853,11 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
+       msg.cct.length = Swap32IfLE(msg.cct.length);
+ 
+       str = (char *)malloc(msg.cct.length);
++      if (str == NULL) {
++              rfbLogPerror("rfbProcessClientNormalMessage: not enough 
memory");
++              rfbCloseClient(cl);
++              return;
++      }
+ 
+       if ((n = ReadExact(cl, str, msg.cct.length)) <= 0) {
+           if (n != 0)
+-- 
+2.20.1
+
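Review bot: The patch header cites only the local format-patch id `b1bfadcbfd88970c6d48672e2dbcca8713c91411` and the original author, not the libvncserver commit the change was ported from, so the provenance the commit message describes ("ported separately from libvncserver commits") cannot be checked from the file itself; adding a line such as `Ported from libvncserver commit <UPSTREAM_COMMIT_ID>` to the patch description would fix that, and the same applies to CVE-2018-7225.patch and CVE-2019-15681.patch. The `rfbLogPerror("rfbProcessClientNormalMessage: not enough memory")` line appears wrapped mid-string in this rendering; presumably a mailer artefact, but worth confirming the file in the tree keeps it on one line, since a broken string literal would make the patch fail to apply. The patched function rfbProcessClientNormalMessage continues outside the hunk.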

diff --git a/net-misc/vino/files/CVE-2018-7225.patch 
b/net-misc/vino/files/CVE-2018-7225.patch
new file mode 100644
index 00000000000..1b1186b4fe7
--- /dev/null
+++ b/net-misc/vino/files/CVE-2018-7225.patch
@@ -0,0 +1,64 @@
+From d8a663541ef358a13fed2fbb39e7d323454369dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
+Date: Mon, 26 Feb 2018 13:48:00 +0100
+Subject: [PATCH 2/3] Limit client cut text length to 1 MB
+
+This patch constrains a client cut text length to 1 MB. Otherwise
+a client could make server allocate 2 GB of memory and that seems to
+be to much to classify it as a denial of service.
+
+The limit also prevents from an integer overflow followed by copying
+an uninitilized memory when processing msg.cct.length value larger
+than SIZE_MAX or INT_MAX - sz_rfbClientCutTextMsg.
+
+This patch also corrects accepting length value of zero (malloc(0) is
+interpreted on differnet systems differently).
+
+CVE-2018-7225
+<https://github.com/LibVNC/libvncserver/issues/218>
+---
+ server/libvncserver/rfbserver.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
+index 2615dc3..2224edb 100644
+--- a/server/libvncserver/rfbserver.c
++++ b/server/libvncserver/rfbserver.c
+@@ -59,6 +59,9 @@
+ #define DEBUGPROTO(x)
+ #endif
+ 
++/* PRIu32 */
++#include <inttypes.h>
++
+ rfbClientPtr pointerClient = NULL;  /* Mutex for pointer events */
+ 
+ static void rfbProcessClientProtocolVersion(rfbClientPtr cl);
+@@ -852,7 +855,23 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
+ 
+       msg.cct.length = Swap32IfLE(msg.cct.length);
+ 
+-      str = (char *)malloc(msg.cct.length);
++      /* uint32_t input is passed to malloc()'s size_t argument,
++       * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++       * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s 
int
++       * argument. Here we impose a limit of 1 MB so that the value fits
++       * into all of the types to prevent from misinterpretation and thus
++       * from accessing uninitialized memory (CVE-2018-7225) and also to
++       * prevent from a denial-of-service by allocating to much memory in
++       * the server. */
++      if (msg.cct.length > 1<<20) {
++          rfbLog("rfbClientCutText: too big cut text length requested: %" 
PRIu32 "\n",
++                  msg.cct.length);
++          rfbCloseClient(cl);
++          return;
++      }
++
++      /* Allow zero-length client cut text. */
++      str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+       if (str == NULL) {
+               rfbLogPerror("rfbProcessClientNormalMessage: not enough 
memory");
+               rfbCloseClient(cl);
+-- 
+2.20.1
+

diff --git a/net-misc/vino/files/CVE-2019-15681.patch 
b/net-misc/vino/files/CVE-2019-15681.patch
new file mode 100644
index 00000000000..31bb47ee9b2
--- /dev/null
+++ b/net-misc/vino/files/CVE-2019-15681.patch
@@ -0,0 +1,26 @@
+From d9f3fa0ede556c6a751a8ca6c8bc37e769715233 Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontm...@freeshell.org>
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH 3/3] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+---
+ server/libvncserver/rfbserver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
+index 2224edb..ca4f59b 100644
+--- a/server/libvncserver/rfbserver.c
++++ b/server/libvncserver/rfbserver.c
+@@ -1565,6 +1565,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char 
*str, int len)
+     rfbServerCutTextMsg sct;
+     rfbClientIteratorPtr iterator;
+ 
++    memset((char *)&sct, 0, sizeof(sct));
++
+     iterator = rfbGetClientIterator(rfbScreen);
+     while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
+         /* Client is not authenticated, ignore. See GNOME bug 678434. */
+-- 
+2.20.1
+
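Review bot: The `(char *)` cast in `memset((char *)&sct, 0, sizeof(sct));` is unnecessary, since memset takes a `void *`, but as this is a verbatim port of the upstream fix keeping the line byte-identical eases future rebasing, so the only change I would make is a why-comment above it, `/* zero the whole struct (presumably its padding bytes) so what is sent to clients carries no stack contents; CVE-2019-15681 */`. The subject line says the fix stops stack memory reaching the remote side; I am inferring the padding detail from that, so confirm against the struct definition before wording the comment. rfbSendServerCutText continues outside the hunk.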

diff --git a/net-misc/vino/vino-3.22.0-r2.ebuild 
b/net-misc/vino/vino-3.22.0-r2.ebuild
new file mode 100644
index 00000000000..bb0874d055d
--- /dev/null
+++ b/net-misc/vino/vino-3.22.0-r2.ebuild
@@ -0,0 +1,76 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+GNOME2_EAUTORECONF="yes"
+inherit gnome2 systemd
+
+DESCRIPTION="An integrated VNC server for GNOME"
+HOMEPAGE="https://wiki.gnome.org/Projects/Vino";
+SRC_URI+=" https://dev.gentoo.org/~leio/distfiles/${P}-patchset.tar.xz";
+
+LICENSE="GPL-2+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86"
+IUSE="crypt debug gnome-keyring ipv6 jpeg ssl systemd +telepathy zeroconf 
+zlib"
+# bug #394611; tight encoding requires zlib encoding
+REQUIRED_USE="jpeg? ( zlib )"
+
+# cairo used in vino-fb
+# libSM and libICE used in eggsmclient-xsmp
+RDEPEND="
+       >=dev-libs/glib-2.26:2
+       >=dev-libs/libgcrypt-1.1.90:0=
+       >=x11-libs/gtk+-3:3
+
+       x11-libs/cairo:=
+       x11-libs/libICE
+       x11-libs/libSM
+       x11-libs/libX11
+       x11-libs/libXdamage
+       x11-libs/libXext
+       x11-libs/libXfixes
+       x11-libs/libXtst
+       x11-libs/pango[X]
+
+       >=x11-libs/libnotify-0.7.0:=
+
+       crypt? ( >=dev-libs/libgcrypt-1.1.90:0= )
+       gnome-keyring? ( app-crypt/libsecret )
+       jpeg? ( virtual/jpeg:0= )
+       ssl? ( >=net-libs/gnutls-2.2.0:= )
+       systemd? ( sys-apps/dbus[user-session] )
+       telepathy? (
+               dev-libs/dbus-glib
+               >=net-libs/telepathy-glib-0.18 )
+       zeroconf? ( >=net-dns/avahi-0.6:=[dbus] )
+       zlib? ( sys-libs/zlib:= )
+"
+DEPEND="${RDEPEND}
+       app-crypt/libsecret
+       dev-util/glib-utils
+       >=dev-util/intltool-0.50
+       virtual/pkgconfig
+"
+# libsecret is always required at build time per bug 322763
+
+PATCHES=(
+       "${WORKDIR}"/patches/ # Patches from master branch at 2020-02-15 state; 
needs autoreconf
+       "${FILESDIR}"/CVE-2014-6053.patch
+       "${FILESDIR}"/CVE-2018-7225.patch
+       "${FILESDIR}"/CVE-2019-15681.patch
+)
+
+src_configure() {
+       gnome2_src_configure \
+               $(use_enable ipv6) \
+               $(use_with crypt gcrypt) \
+               $(usex debug --enable-debug=yes ' ') \
+               $(use_with gnome-keyring secret) \
+               $(use_with jpeg) \
+               $(use_with ssl gnutls) \
+               $(use_with telepathy) \
+               $(use_with zeroconf avahi) \
+               $(use_with zlib) \
+               --with-systemduserunitdir="$(systemd_get_userunitdir)"
+}
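Review bot: `>=dev-libs/libgcrypt-1.1.90:0=` is listed unconditionally near the top of RDEPEND and again under `crypt? ( ... )`, so the USE-conditional entry is dead and USE=-crypt still pulls libgcrypt; if libgcrypt is only needed for the `$(use_with crypt gcrypt)` configure switch the unconditional line should go, otherwise drop the conditional and the redundant IUSE-driven entry. Separately, the PATCHES comment `# Patches from master branch at 2020-02-15 state; needs autoreconf` identifies the patchset only by date; since the tarball is hosted outside upstream and its contents are not visible in this commit, recording the upstream commit it was generated from, e.g. `# Patches from upstream master up to commit <UPSTREAM_COMMIT_ID> (2020-02-15); needs autoreconf`, lets a reviewer verify what was actually applied. The Manifest entry pins the tarball's BLAKE2B/SHA512 digests, which fixes what is fetched but not what it was derived from.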
