Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Please accept the recent upload of libvncserver to stretch containing the
following low impact security fix:

+ [ Antoni Villalonga ]
+ * debian/patches:
+ + Add CVE-2019-15690 patch. libvncclient/cursor: limit
+ width/height input values. Avoids a possible heap overflow reported
+ by Pavel Cheremushkin. (Closes: #954163).

Thanks,
Mike

-- System Information:
Debian Release: 10.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog --- libvncserver-0.9.11+dfsg/debian/changelog 2020-01-08 08:22:51.000000000 +0100 +++ libvncserver-0.9.11+dfsg/debian/changelog 2020-03-31 07:56:01.000000000 +0200 @@ -1,3 +1,13 @@ +libvncserver (0.9.11+dfsg-1.3~deb9u4) stretch; urgency=medium + + [ Antoni Villalonga ] + * debian/patches: + + Add CVE-2019-15690 patch. libvncclient/cursor: limit + width/height input values. Avoids a possible heap overflow reported + by Pavel Cheremushkin. (Closes: #954163). + + -- Mike Gabriel <sunwea...@debian.org> Tue, 31 Mar 2020 07:56:01 +0200 + libvncserver (0.9.11+dfsg-1.3~deb9u3) stretch; urgency=medium * Regression update. diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch 2020-03-31 07:55:29.000000000 +0200 
@@ -0,0 +1,34 @@ +Commit: 54220248886b5001fbbb9fa73c4e1a2cb9413fed +Author: Christian Beier <dontm...@freeshell.org> +Date: Sun Nov 17 17:18:35 2019 +0100 + + libvncclient/cursor: limit width/height input values + + Avoids a possible heap overflow reported by Pavel Cheremushkin + <pavel.cheremush...@kaspersky.com>. + + re #275 + +diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c +index 67f4572..40ffb3b 100644 +--- a/libvncclient/cursor.c ++++ b/libvncclient/cursor.c +@@ -28,6 +28,8 @@ + #define OPER_SAVE 0 + #define OPER_RESTORE 1 + ++#define MAX_CURSOR_SIZE 1024 ++ + #define RGB24_TO_PIXEL(bpp,r,g,b) \ + ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \ + << client->format.redShift | \ +@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h + if (width * height == 0) + return TRUE; + ++ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) ++ return FALSE; ++ + /* Allocate memory for pixel data and temporary mask data. */ + if(client->rcSource) + free(client->rcSource); diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series --- libvncserver-0.9.11+dfsg/debian/patches/series 2020-01-08 08:22:51.000000000 +0100 +++ libvncserver-0.9.11+dfsg/debian/patches/series 2020-03-31 07:55:29.000000000 +0200 @@ -29,3 +29,4 @@ use-after-free/5.patch use-after-free/6.patch 0002-set-true-color-flag-to-1.patch +CVE-2019-15690/0001-heap-buffer-overflow.patch
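
Review bot: In the HandleCursorShape hunk of libvncclient/cursor.c the new bound check sits after "if (width * height == 0)", so the product is still computed on unvalidated int values before any limit applies, and the check only tests the upper bound, so a negative width or height passes it. Suggest moving the check above the multiplication and writing it as "if (width < 0 || height < 0 || width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) return FALSE;". The ">=" also rejects a side of exactly 1024, which the name MAX_CURSOR_SIZE does not suggest; either use ">" or state in a comment that the limit is exclusive.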
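
Review bot: The "#define MAX_CURSOR_SIZE 1024" added in the @@ -28,6 +28,8 @@ hunk of libvncclient/cursor.c has no comment saying that it is a per-side limit on width and height or why 1024 was chosen. A one-line comment above the define would make the bound used in HandleCursorShape easier to audit.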
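
Review bot: The header of debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch carries Commit:, Author: and Date: but no DEP-3 Origin: or Bug-Debian: field, and "re #275" names no tracker, so it is ambiguous next to the Debian bug #954163 that the changelog entry closes. Suggest adding an Origin: line that identifies the upstream commit and a Bug-Debian: line for #954163, and saying which tracker #275 belongs to.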