Hello community,
here is the log from the commit of package LibVNCServer for openSUSE:Leap:15.2
checked in at 2020-05-07 19:26:35
Comparing /work/SRC/openSUSE:Leap:15.2/LibVNCServer (Old)
and /work/SRC/openSUSE:Leap:15.2/.LibVNCServer.new.2738 (New)
Package is "LibVNCServer"
Thu May 7 19:26:35 2020 rev:17 rq:800610 version:0.9.10
Changes:
--- /work/SRC/openSUSE:Leap:15.2/LibVNCServer/LibVNCServer.changes
2020-01-15 14:45:20.657204187 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.LibVNCServer.new.2738/LibVNCServer.changes
2020-05-07 19:26:58.325445719 +0200
@@ -1,0 +2,20 @@
+Mon Apr 27 09:22:31 UTC 2020 - pgaj...@suse.com
+
+- security update
+- added patches
+ fix CVE-2019-15690 [bsc#1160471], heap buffer overflow
+ + LibVNCServer-CVE-2019-15690.patch
+ fix CVE-2019-20788 [bsc#1170441], integer overflow and heap-based buffer
overflow via a large height or width value
+ + LibVNCServer-CVE-2019-20788.patch
+
+---
+Mon Nov 4 12:50:59 UTC 2019 - pgaj...@suse.com
+
+- security update
+- added patches
+ CVE-2019-15681 [bsc#1155419]
+ + LibVNCServer-CVE-2019-15681.patch
+- note the correct way how to run the testsuite, it does not
+ seem to be usable as it is, though (segfaults)
+
+---
New:
LibVNCServer-CVE-2019-15681.patch
LibVNCServer-CVE-2019-15690.patch
LibVNCServer-CVE-2019-20788.patch
Other differences:
--
++ LibVNCServer.spec ++
--- /var/tmp/diff_new_pack.Spws4K/_old 2020-05-07 19:26:59.185447439 +0200
+++ /var/tmp/diff_new_pack.Spws4K/_new 2020-05-07 19:26:59.185447439 +0200
@@ -49,6 +49,12 @@
Patch24:LibVNCServer-CVE-2018-20749.patch
Patch25:LibVNCServer-CVE-2018-20750.patch
Patch26:LibVNCServer-CVE-2018-20748.patch
+# CVE-2019-15681 [bsc#1155419]
+Patch27:LibVNCServer-CVE-2019-15681.patch
+# CVE-2019-20788 [bsc#1170441], integer overflow and heap-based buffer
overflow via a large height or width value
+Patch28:LibVNCServer-CVE-2019-20788.patch
+# CVE-2019-15690 [bsc#1160471], heap buffer overflow
+Patch29:LibVNCServer-CVE-2019-15690.patch
BuildRequires: libavahi-devel
BuildRequires: libgcrypt-devel
BuildRequires: libgnutls-devel
@@ -136,6 +142,9 @@
%patch24 -p1
%patch25 -p1
%patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
# fix encoding
for file in AUTHORS ChangeLog ; do
mv ${file} ${file}.OLD && \
@@ -161,7 +170,10 @@
%{__install} -d -m0755 RPM_BUILD_ROOT%{_datadir}/x11vnc/classes
%check
-make check
+pushd test
+# encodingstest segfaults during rfbShutdownServer() [no of our patch causes
the segfault]
+make test || true
+popd
%install
%makeinstall
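Review bot: The new `make test || true` in %check discards the exit status of the entire test run, so any failure — including in tests that exercise the code touched by the three CVE patches — is silently accepted, while the comment above it only justifies tolerating the encodingstest segfault in rfbShutdownServer(). At minimum use `make -k test || true` so one failing test does not stop the remaining ones from running, and reword the comment to `# encodingstest segfaults in rfbShutdownServer(); this is pre-existing and not caused by our patches, so test failures are tolerated for now`. Better still, exempt only the known-bad test and let the rest fail the build, since a %check that cannot fail is no regression gate for a security update.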
++ LibVNCServer-CVE-2019-15681.patch ++
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 3bacc891..310e5487 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char
*str, int len)
rfbServerCutTextMsg sct;
rfbClientIteratorPtr iterator;
+memset((char *), 0, sizeof(sct));
+
iterator = rfbGetClientIterator(rfbScreen);
while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
sct.type = rfbServerCutText;
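Review bot: As shown, `memset((char *), 0, sizeof(sct));` has no destination argument and is not valid C; the intended destination is presumably `&sct`, the rfbServerCutTextMsg declared two lines above, and the `&sct` token looks like it was lost in transcription of the patch — verify the shipped LibVNCServer-CVE-2019-15681.patch actually reads `memset(&sct, 0, sizeof(sct));` (the `(char *)` cast is unnecessary and can be dropped). The zeroing is the whole fix: it clears the struct's padding bytes before the header is written to each client, which presumably is what CVE-2019-15681 leaked — a one-line comment such as `/* zero padding bytes so uninitialized stack data is never sent (CVE-2019-15681) */` would make that intent durable. rfbSendServerCutText's body continues outside the hunk.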
++ LibVNCServer-CVE-2019-15690.patch ++
diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
index 67f45726..40ffb3b0 100644
--- a/libvncclient/cursor.c
+++ b/libvncclient/cursor.c
@@ -28,6 +28,8 @@
#define OPER_SAVE 0
#define OPER_RESTORE 1
+#define MAX_CURSOR_SIZE 1024
+
#define RGB24_TO_PIXEL(bpp,r,g,b) \
uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255
\
<< client->format.redShift | \
@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int
yhot, int width, int h
if (width * height == 0)
return TRUE;
+ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
+return FALSE;
+
/* Allocate memory for pixel data and temporary mask data. */
if(client->rcSource)
free(client->rcSource);
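Review bot: The added MAX_CURSOR_SIZE guard runs after `if (width * height == 0)`, so the multiplication is still evaluated on unchecked values first; width and height are `int`, and if they come from 16-bit wire fields (presumably ntohs'd by the caller — confirm) the product can exceed INT_MAX, which is signed overflow and undefined behavior before the new check is ever reached. Move the bound check above the zero test, and since the parameters are signed, reject negatives in the same condition: `if (width < 0 || height < 0 || width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) return FALSE;` placed before `if (width * height == 0) return TRUE;`. A short comment on the constant, e.g. `/* upper bound on cursor dimensions; keeps the width*height*bpp allocation below from overflowing (CVE-2019-15690) */`, would record why 1024 was chosen. HandleCursorShape's body continues outside the hunk.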
++ LibVNCServer-CVE-2019-20788.patch ++
Index: libvncserver-LibVNCServer-0.9.12/libvncclient/rfbproto.c
===
--- libvncserver-LibVNCServer-0.9.12.orig/libvncclient/rfbproto.c
2019-01-06 20:09:30.0 +0100
+++ libvncserver-LibVNCServer-0.9.12/libvncclient/rfbproto.c2020-04-27
10:32:26.192984242 +0200
@@ -225,6 +225,7 @@ ClearServer2Client(rfbClient* client, in
client->supportedMessages.server2client[((messageType & 0xFF)/8)] &=
(!(1<<(messageType % 8)));
}