Hello. I have prepared an LTS security update for libvncserver [1]. Please review and upload. I have tested it with remmina-plugin-vnc.
[1] https://mentors.debian.net/debian/pool/main/libv/libvncserver/libvncserver_0.9.9+dfsg-1+deb7u3.dsc --abhijith
diff -Nru libvncserver-0.9.9+dfsg/debian/changelog libvncserver-0.9.9+dfsg/debian/changelog
--- libvncserver-0.9.9+dfsg/debian/changelog 2017-01-03 21:03:05.000000000 +0530
+++ libvncserver-0.9.9+dfsg/debian/changelog 2018-03-29 22:55:20.000000000 +0530
@@ -1,3 +1,13 @@
+libvncserver (0.9.9+dfsg-1+deb7u3) wheezy-security; urgency=high
+
+ * Non-maintainer upload for the Debian LTS Team.
+ * CVE-2018-7225: rfbserver.c does not sanitize msg.cct.length, leading to
+ access to uninitialized and potentially sensitive data or possibly
+ unspecified other impact (e.g., an integer overflow) via specially crafted
+ VNC packets (Closes: #894045)
+
+ -- Abhijith PA <abhij...@disroot.org> Thu, 29 Mar 2018 22:55:20 +0530
+
 libvncserver (0.9.9+dfsg-1+deb7u2) wheezy-security; urgency=high

 * CVE-2016-9941: Fix a heap-based buffer overflow that allows remote servers
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch
--- libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch 1970-01-01 05:30:00.000000000 +0530
+++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2018-7225.patch 2018-03-29 22:55:20.000000000 +0530
@@ -0,0 +1,48 @@
+Description: Fix CVE-2018-7225
+ rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length
+ , leading to access to uninitialized and potentially sensitive data or possibly
+ unspecified other impact (e.g., an integer overflow) via specially crafted VNC
+ packets.
+
+Author: Abhijith PA <abhij...@disroot.org>
+Bug-Debian: https://bugs.debian.org/894045
+Origin: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee
+Bug: https://github.com/LibVNC/libvncserver/issues/218
+Last-Update: 2018-03-29
+
+--- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c
++++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c
+@@ -74,6 +74,8 @@
+ #include <errno.h>
+ /* strftime() */
+ #include <time.h>
++/* PRIu32 */
++#include <inttypes.h>
+
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -2487,7 +2489,23 @@ rfbProcessClientNormalMessage(rfbClientP
+
+ msg.cct.length = Swap32IfLE(msg.cct.length);
+
+- str = (char *)malloc(msg.cct.length);
++ /* uint32_t input is passed to malloc()'s size_t argument,
++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
++ * argument. Here we impose a limit of 1 MB so that the value fits
++ * into all of the types to prevent from misinterpretation and thus
++ * from accessing uninitialized memory (CVE-2018-7225) and also to
++ * prevent from a denial-of-service by allocating to much memory in
++ * the server. */
++ if (msg.cct.length > 1<<20) {
++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
++ msg.cct.length);
++ rfbCloseClient(cl);
++ return;
++ }
++
++ /* Allow zero-length client cut text. */
++ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+ if (str == NULL) {
+ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+ rfbCloseClient(cl);
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/series libvncserver-0.9.9+dfsg/debian/patches/series
--- libvncserver-0.9.9+dfsg/debian/patches/series 2017-01-03 21:08:12.000000000 +0530
+++ libvncserver-0.9.9+dfsg/debian/patches/series 2018-03-29 22:55:20.000000000 +0530
@@ -8,3 +8,4 @@
 CVE-2015-6053.patch
 CVE-2016-9942.patch
 CVE-2016-9941.patch
+CVE-2018-7225.patch
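Review bot: The bound in the new `if (msg.cct.length > 1<<20)` is a bare magic number that the eight-line comment above it has to explain; a named constant would make the limit visible to anyone auditing the int conversions that comment lists, e.g. `#define MAX_CLIENT_CUT_TEXT_LEN (1<<20)` and `if (msg.cct.length > MAX_CLIENT_CUT_TEXT_LEN) {`. The `(char *)` cast on `calloc` is unnecessary in C and can mask a missing prototype, so `str = calloc(msg.cct.length ? msg.cct.length : 1, 1);` is preferable. The check itself is sound: it runs after `Swap32IfLE`, so the host-order length is bounded before it reaches `calloc`, the `rfbLog` call and, presumably, `rfbReadExact` and `setXCutText`. Those later consumers, the handling of a short `rfbReadExact` result and the eventual `free` of `str` all lie in rfbProcessClientNormalMessage outside this hunk (the function starts and ends outside it) and should be re-checked against the 0.9.9 tree rather than assumed to match upstream's 2018 code.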