Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: secur...@debian.org, Debian X Strike Force 
<debia...@lists.debian.org>

  * CVE-2023-33863: integer overflow
  * CVE-2023-33864: integer overflow
  * CVE-2023-33865: symlink attack
  * Closes: #1037208
diffstat for renderdoc-1.24+dfsg renderdoc-1.24+dfsg

 changelog                                                               |   10 
 patches/0001-Verify-array-sizes-when-serialising-for-strings.patch      |   69 
++++
 patches/0002-Don-t-call-ReadLargeBuffer-for-socket-reads.patch          |   70 
++++
 patches/0003-Sanitise-strings-printed-when-received-from-target-c.patch |  171 
++++++++++
 patches/0004-Don-t-open-symlinks-when-opening-logfile.patch             |   27 
+
 patches/0005-Fix-incorrect-return-type.patch                            |   39 
++
 patches/series                                                          |    5 
 7 files changed, 391 insertions(+)

diff -Nru renderdoc-1.24+dfsg/debian/changelog 
renderdoc-1.24+dfsg/debian/changelog
--- renderdoc-1.24+dfsg/debian/changelog        2022-12-14 12:16:36.000000000 
+0200
+++ renderdoc-1.24+dfsg/debian/changelog        2024-12-08 14:42:02.000000000 
+0200
@@ -1,3 +1,13 @@
+renderdoc (1.24+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2023-33863: integer overflow
+  * CVE-2023-33864: integer overflow
+  * CVE-2023-33865: symlink attack
+  * Closes: #1037208
+
+ -- Adrian Bunk <b...@debian.org>  Sun, 08 Dec 2024 14:42:02 +0200
+
 renderdoc (1.24+dfsg-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru 
renderdoc-1.24+dfsg/debian/patches/0001-Verify-array-sizes-when-serialising-for-strings.patch
 
renderdoc-1.24+dfsg/debian/patches/0001-Verify-array-sizes-when-serialising-for-strings.patch
--- 
renderdoc-1.24+dfsg/debian/patches/0001-Verify-array-sizes-when-serialising-for-strings.patch
       1970-01-01 02:00:00.000000000 +0200
+++ 
renderdoc-1.24+dfsg/debian/patches/0001-Verify-array-sizes-when-serialising-for-strings.patch
       2024-12-08 08:11:19.000000000 +0200
@@ -0,0 +1,69 @@
+From ee66bc7263e3aa5d81dd4725929feb816063155c Mon Sep 17 00:00:00 2001
+From: baldurk <bald...@baldurk.org>
+Date: Fri, 19 May 2023 09:57:03 +0100
+Subject: Verify array sizes when serialising for strings
+
+* We also limit the array size to 1GB for 32-bit. The 4GB/1GB limit is far
+  larger than reasonable for strings but can be handled the same way 
regardless.
+---
+ renderdoc/serialise/serialiser.h | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/renderdoc/serialise/serialiser.h 
b/renderdoc/serialise/serialiser.h
+index 541a9ce7c..0dd3d2bec 100644
+--- a/renderdoc/serialise/serialiser.h
++++ b/renderdoc/serialise/serialiser.h
+@@ -727,7 +727,7 @@ public:
+       arr.ReserveChildren((size_t)size);
+ 
+       if(IsReading())
+-        el.resize((int)size);
++        el.resize((size_t)size);
+ 
+       if(m_LazyThreshold > 0 && size > m_LazyThreshold)
+       {
+@@ -762,7 +762,7 @@ public:
+     else
+     {
+       if(IsReading())
+-        el.resize((int)size);
++        el.resize((size_t)size);
+ 
+       for(size_t i = 0; i < (size_t)size; i++)
+         SerialiseDispatch<Serialiser, U>::Do(*this, el[i]);
+@@ -1311,7 +1311,8 @@ public:
+     if(IsReading())
+     {
+       m_Read->Read(len);
+-      el.resize((int)len);
++      VerifyArraySize(len);
++      el.resize((size_t)len);
+       if(len > 0)
+         m_Read->Read(&el[0], len);
+     }
+@@ -1426,13 +1427,20 @@ private:
+     }
+   };
+ 
+-  void VerifyArraySize(uint64_t &count)
++  template <typename intSize>
++  void VerifyArraySize(intSize &count)
+   {
+     uint64_t size = m_Read->GetSize();
+ 
+-    // for streaming, just take 4GB as a 'semi reasonable' upper limit for 
array sizes
++// for streaming, just take 4GB as a 'semi reasonable' upper limit for array 
sizes
++// use 1GB on 32-bit to avoid overflows
++#if ENABLED(RDOC_X64)
+     if(m_DataStreaming)
+       size = 0xFFFFFFFFU;
++#else
++    if(m_DataStreaming)
++      size = 0x3FFFFFFFU;
++#endif
+ 
+     if(count > size)
+     {
+-- 
+2.30.2
+
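Review bot: The `(int)` → `(size_t)` cast change on `el.resize((size_t)size)` in the first two hunks removes the sign/truncation problem, but whether `VerifyArraySize(size)` is already called before the `arr.ReserveChildren((size_t)size)` at the top of the first hunk is not visible here; if it is not, the reserve still runs on an unchecked length and the cast alone does not bound it, so this is worth confirming against the lines just above the hunk. On the string path the new `VerifyArraySize(len)` only caps `len` at the streaming limit (4GB, 1GB on 32-bit), so a single untrusted length can still force an allocation of that size before `m_Read->Read(&el[0], len)`; since the commit message itself says that bound is far larger than reasonable for a string, a tighter string-specific cap at that call site, applied the same way `VerifyArraySize` signals failure, would be cheap hardening. The tail of `VerifyArraySize` (what it does to `count` once `count > size`) and the enclosing serialiser class lie outside the hunk.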
diff -Nru 
renderdoc-1.24+dfsg/debian/patches/0002-Don-t-call-ReadLargeBuffer-for-socket-reads.patch
 
renderdoc-1.24+dfsg/debian/patches/0002-Don-t-call-ReadLargeBuffer-for-socket-reads.patch
--- 
renderdoc-1.24+dfsg/debian/patches/0002-Don-t-call-ReadLargeBuffer-for-socket-reads.patch
   1970-01-01 02:00:00.000000000 +0200
+++ 
renderdoc-1.24+dfsg/debian/patches/0002-Don-t-call-ReadLargeBuffer-for-socket-reads.patch
   2024-12-08 08:11:19.000000000 +0200
@@ -0,0 +1,70 @@
+From fb34c1861df395d2b206363bd2cd7c8edfce6c06 Mon Sep 17 00:00:00 2001
+From: baldurk <bald...@baldurk.org>
+Date: Fri, 19 May 2023 09:58:49 +0100
+Subject: Don't call ReadLargeBuffer for socket reads
+
+* In ReadLargeBuffer we read directly into an external buffer with 
ReadExternal,
+  but for sockets when reading externally we want to read ahead of the current
+  spot (non-blocking) as much as possible to batch small reads together. Rather
+  than making ReadExternal handle or detect reads to external buffers, we
+  instead avoid ReadLargeBuffer as it is an optimisation for direct I/O to 
avoid
+  unnecessary memcpy's and is not relevant for sockets.
+---
+ renderdoc/serialise/streamio.cpp | 11 ++++++++++-
+ renderdoc/serialise/streamio.h   |  4 +++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/renderdoc/serialise/streamio.cpp 
b/renderdoc/serialise/streamio.cpp
+index 5669c2c01..ebddd33c8 100644
+--- a/renderdoc/serialise/streamio.cpp
++++ b/renderdoc/serialise/streamio.cpp
+@@ -270,7 +270,7 @@ bool StreamReader::Reserve(uint64_t numBytes)
+ 
+ bool StreamReader::ReadLargeBuffer(void *buffer, uint64_t length)
+ {
+-  RDCASSERT(m_Sock || m_File || m_Decompressor);
++  RDCASSERT(m_File || m_Decompressor);
+ 
+   byte *dest = (byte *)buffer;
+ 
+@@ -398,6 +398,9 @@ bool StreamReader::ReadFromExternal(void *buffer, uint64_t 
length)
+       // first get the required data blocking (this will sleep the thread 
until it comes in).
+       byte *readDest = (byte *)buffer;
+ 
++      // we expect to be reading into our window buffer
++      RDCASSERT(readDest >= m_BufferBase && readDest <= m_BufferBase + 
m_BufferSize);
++
+       success = m_Sock->RecvDataBlocking(readDest, (uint32_t)length);
+ 
+       if(success)
+@@ -407,6 +410,12 @@ bool StreamReader::ReadFromExternal(void *buffer, 
uint64_t length)
+ 
+         uint32_t bufSize = uint32_t(m_BufferSize - m_InputSize);
+ 
++        if(m_InputSize > m_BufferSize)
++        {
++          bufSize = 0;
++          RDCERR("Invalid read in ReadFromExternal!");
++        }
++
+         // now read more, as much as possible, to try and batch future reads
+         success = m_Sock->RecvDataNonBlocking(readDest, bufSize);
+ 
+diff --git a/renderdoc/serialise/streamio.h b/renderdoc/serialise/streamio.h
+index ec7b53a8a..8b296b876 100644
+--- a/renderdoc/serialise/streamio.h
++++ b/renderdoc/serialise/streamio.h
+@@ -180,7 +180,9 @@ public:
+         // and larger by just skating over the limit each time, but that's 
fine because the main
+         // case we want to catch is a window that's only a few MB and then 
suddenly we read 100s of
+         // MB.
+-        if(numBytes >= 10 * 1024 * 1024 && Available() + 128 < numBytes)
++        // We don't do this on sockets since we want to opportunistically 
read more into the window
++        // to batch lots of small reads together.
++        if(m_Sock == NULL && numBytes >= 10 * 1024 * 1024 && Available() + 
128 < numBytes)
+         {
+           success = ReadLargeBuffer(data, numBytes);
+           alreadyread = true;
+-- 
+2.30.2
+
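Review bot: The added `RDCASSERT(readDest >= m_BufferBase && readDest <= m_BufferBase + m_BufferSize)` only validates the start pointer, and with `<=` it even accepts the one-past-the-end address, so a blocking `RecvDataBlocking(readDest, (uint32_t)length)` that starts inside the window can still run `length` bytes past it; the range, not the start, is what needs checking. RDCASSERT also presumably logs rather than aborts in release builds, so it does not stop the read — a real guard that fails the call is safer, assuming this function's error convention is to return false (if it sets an error flag instead, use that). The `(uint32_t)length` truncation is pre-existing but means a `length` above 4GB is silently shortened; the enclosing function continues outside the hunk.

```cpp
      byte *readDest = (byte *)buffer;

      // the blocking read must fit inside the window buffer: check the whole range, not just the start
      if(readDest < m_BufferBase || length > (uint64_t)(m_BufferBase + m_BufferSize - readDest))
      {
        RDCERR("Invalid read in ReadFromExternal!");
        return false;
      }

      success = m_Sock->RecvDataBlocking(readDest, (uint32_t)length);
```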
diff -Nru 
renderdoc-1.24+dfsg/debian/patches/0003-Sanitise-strings-printed-when-received-from-target-c.patch
 
renderdoc-1.24+dfsg/debian/patches/0003-Sanitise-strings-printed-when-received-from-target-c.patch
--- 
renderdoc-1.24+dfsg/debian/patches/0003-Sanitise-strings-printed-when-received-from-target-c.patch
  1970-01-01 02:00:00.000000000 +0200
+++ 
renderdoc-1.24+dfsg/debian/patches/0003-Sanitise-strings-printed-when-received-from-target-c.patch
  2024-12-08 08:11:19.000000000 +0200
@@ -0,0 +1,171 @@
+From 1006007cc88d6727a993c1e9bbe6eb58dafa88ab Mon Sep 17 00:00:00 2001
+From: baldurk <bald...@baldurk.org>
+Date: Fri, 19 May 2023 10:28:58 +0100
+Subject: Sanitise strings printed when received from target control/remote
+ server
+
+* Given socket corruption or network errors these strings could contain
+  unprintable characters so we sanitise them reasonably. This also ameliorates 
a
+  potential security concern with arbitrary strings being written to a log, but
+  these connections are still considered trusted and users should not be
+  exposing RenderDoc ports to the internet.
+---
+ renderdoc/common/common.cpp        | 11 +++++++++++
+ renderdoc/core/remote_server.cpp   |  2 +-
+ renderdoc/core/target_control.cpp  | 29 ++++++++++++++++++-----------
+ renderdoc/strings/string_utils.cpp | 12 ++++++++++++
+ renderdoc/strings/string_utils.h   |  5 +++++
+ 5 files changed, 47 insertions(+), 12 deletions(-)
+
+diff --git a/renderdoc/common/common.cpp b/renderdoc/common/common.cpp
+index f026eea16..670b3fbd0 100644
+--- a/renderdoc/common/common.cpp
++++ b/renderdoc/common/common.cpp
+@@ -473,6 +473,17 @@ void rdclog_direct(time_t utcTime, uint32_t pid, LogType 
type, const char *proje
+     va_end(args2);
+   }
+ 
++  // normalise newlines
++  {
++    char *nl = base;
++    while(*nl)
++    {
++      if(*nl == '\r')
++        *nl = '\n';
++      nl++;
++    }
++  }
++
+   // likely path - string contains no newlines
+   char *nl = strchr(base, '\n');
+   if(nl == NULL)
+diff --git a/renderdoc/core/remote_server.cpp 
b/renderdoc/core/remote_server.cpp
+index 4944ab394..5153562f2 100644
+--- a/renderdoc/core/remote_server.cpp
++++ b/renderdoc/core/remote_server.cpp
+@@ -464,7 +464,7 @@ static void ActiveRemoteClientThread(ClientThread 
*threadData,
+ 
+       reader.EndChunk();
+ 
+-      RDCLOG("Taking ownership of '%s'.", path.c_str());
++      RDCLOG("Taking ownership of capture.");
+ 
+       tempFiles.push_back(path);
+     }
+diff --git a/renderdoc/core/target_control.cpp 
b/renderdoc/core/target_control.cpp
+index a63a4a2e6..bfc6a3ddd 100644
+--- a/renderdoc/core/target_control.cpp
++++ b/renderdoc/core/target_control.cpp
+@@ -31,6 +31,7 @@
+ #include "os/os_specific.h"
+ #include "replay/replay_driver.h"
+ #include "serialise/serialiser.h"
++#include "strings/string_utils.h"
+ 
+ static const uint32_t TargetControlProtocolVersion = 9;
+ 
+@@ -484,6 +485,8 @@ void RenderDoc::TargetControlServerThread(Network::Socket 
*sock)
+ 
+       ser.EndChunk();
+ 
++      strip_nonbasic(newClient);
++
+       if(newClient.empty() || !IsProtocolVersionSupported(version))
+       {
+         RDCLOG("Invalid/Unsupported handshake '%s' / %d", newClient.c_str(), 
version);
+@@ -605,12 +608,23 @@ public:
+ 
+     m_Version = 0;
+ 
++    if(type == ePacket_Handshake)
+     {
+       READ_DATA_SCOPE();
+       SERIALISE_ELEMENT(m_Version);
+       SERIALISE_ELEMENT(m_Target);
+       SERIALISE_ELEMENT(m_PID);
+     }
++    else if(type == ePacket_Busy)
++    {
++      READ_DATA_SCOPE();
++      SERIALISE_ELEMENT(m_Version);
++      SERIALISE_ELEMENT(m_Target);
++      SERIALISE_ELEMENT(m_BusyClient);
++    }
++
++    strip_nonbasic(m_Target);
++    strip_nonbasic(m_BusyClient);
+ 
+     reader.EndChunk();
+ 
+@@ -745,17 +759,6 @@ public:
+       reader.EndChunk();
+       return msg;
+     }
+-    else if(type == ePacket_Busy)
+-    {
+-      READ_DATA_SCOPE();
+-      SERIALISE_ELEMENT(msg.busy.clientName).Named("Client Name"_lit);
+-
+-      SAFE_DELETE(m_Socket);
+-
+-      RDCLOG("Got busy signal: '%s", msg.busy.clientName.c_str());
+-      msg.type = TargetControlMessageType::Busy;
+-      return msg;
+-    }
+     else if(type == ePacket_NewChild)
+     {
+       msg.type = TargetControlMessageType::NewChild;
+@@ -884,8 +887,12 @@ public:
+       RDCLOG("Used API: %s (%s & %s)", msg.apiUse.name.c_str(),
+              presenting ? "Presenting" : "Not presenting",
+              supported ? "supported" : "not supported");
++
+       if(!supportMessage.empty())
++      {
++        strip_nonbasic(supportMessage);
+         RDCLOG("Support: %s", supportMessage.c_str());
++      }
+ 
+       reader.EndChunk();
+       return msg;
+diff --git a/renderdoc/strings/string_utils.cpp 
b/renderdoc/strings/string_utils.cpp
+index 100ec9773..b2d02c8b4 100644
+--- a/renderdoc/strings/string_utils.cpp
++++ b/renderdoc/strings/string_utils.cpp
+@@ -141,6 +141,18 @@ rdcstr strip_extension(const rdcstr &path)
+   return path.substr(0, offs);
+ }
+ 
++rdcstr strip_nonbasic(rdcstr &str)
++{
++  for(char &c : str)
++  {
++    if((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= 
'9') || c == '.' ||
++       c == ' ')
++      continue;
++
++    c = '_';
++  }
++}
++
+ void split(const rdcstr &in, rdcarray<rdcstr> &out, const char sep)
+ {
+   if(in.empty())
+diff --git a/renderdoc/strings/string_utils.h 
b/renderdoc/strings/string_utils.h
+index e833b7263..bb6c45a2f 100644
+--- a/renderdoc/strings/string_utils.h
++++ b/renderdoc/strings/string_utils.h
+@@ -37,5 +37,10 @@ rdcstr get_basename(const rdcstr &path);
+ rdcstr get_dirname(const rdcstr &path);
+ rdcstr strip_extension(const rdcstr &path);
+ 
++// remove everything but alphanumeric ' ' and '.'
++// It replaces everything else with _
++// for logging strings where they might contain garbage characters
++rdcstr strip_nonbasic(rdcstr &str);
++
+ void split(const rdcstr &in, rdcarray<rdcstr> &out, const char sep);
+ void merge(const rdcarray<rdcstr> &in, rdcstr &out, const char sep);
+-- 
+2.30.2
+
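Review bot: The removed `ePacket_Busy` handler (last target_control.cpp hunk) called `SAFE_DELETE(m_Socket)` and set `msg.type = TargetControlMessageType::Busy`, while the new `else if(type == ePacket_Busy)` branch in the constructor only deserialises `m_Version`, `m_Target` and `m_BusyClient`; nothing visible closes the socket or surfaces the busy state, and the rest of that constructor is outside the hunk, so confirm the busy case still tears the connection down and is reported (presumably via `m_BusyClient`). Separately, `strip_nonbasic` is applied to the stored members `m_Target`/`m_BusyClient`, not just to a log string, and it works per byte, so any non-ASCII target name becomes a run of `_`; if `m_Target` is shown in the UI that is a visible regression, and sanitising a copy at the RDCLOG call sites instead would keep the logging fix without mangling stored state. The return-type defect in this patch's `strip_nonbasic` is already corrected by patch 0005.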
diff -Nru 
renderdoc-1.24+dfsg/debian/patches/0004-Don-t-open-symlinks-when-opening-logfile.patch
 
renderdoc-1.24+dfsg/debian/patches/0004-Don-t-open-symlinks-when-opening-logfile.patch
--- 
renderdoc-1.24+dfsg/debian/patches/0004-Don-t-open-symlinks-when-opening-logfile.patch
      1970-01-01 02:00:00.000000000 +0200
+++ 
renderdoc-1.24+dfsg/debian/patches/0004-Don-t-open-symlinks-when-opening-logfile.patch
      2024-12-08 08:11:19.000000000 +0200
@@ -0,0 +1,27 @@
+From bcdc4f166b433710ff7ca3684ee339065a711f9a Mon Sep 17 00:00:00 2001
+From: baldurk <bald...@baldurk.org>
+Date: Fri, 19 May 2023 10:47:12 +0100
+Subject: Don't open symlinks when opening logfile
+
+---
+ renderdoc/os/posix/posix_stringio.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/renderdoc/os/posix/posix_stringio.cpp 
b/renderdoc/os/posix/posix_stringio.cpp
+index f27bad820..495f2def0 100644
+--- a/renderdoc/os/posix/posix_stringio.cpp
++++ b/renderdoc/os/posix/posix_stringio.cpp
+@@ -505,8 +505,8 @@ rdcstr logfile_readall(uint64_t offset, const rdcstr 
&filename)
+ 
+ LogFileHandle *logfile_open(const rdcstr &filename)
+ {
+-  int fd =
+-      open(filename.c_str(), O_APPEND | O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR 
| S_IRGRP | S_IROTH);
++  int fd = open(filename.c_str(), O_APPEND | O_WRONLY | O_CREAT | O_NOFOLLOW,
++                S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ 
+   if(fd < 0)
+   {
+-- 
+2.30.2
+
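Review bot: `O_NOFOLLOW` only refuses a symlink at the final path component, so if the log path lives in a shared directory an attacker can still pre-create a regular file (or a hardlink, where the kernel permits it) that this `O_APPEND|O_CREAT` open will happily write to, and symlinked parent directories are still followed; checking the opened descriptor closes that gap. The mode still grants `S_IRGRP | S_IROTH`, which makes log contents (target names, paths) world-readable — `S_IRUSR | S_IWUSR` is the safer default, and `O_CLOEXEC` keeps the fd out of spawned targets. The fstat guard below goes after the existing `if(fd < 0)` error path, which continues outside the hunk; it assumes `<sys/stat.h>`/`<unistd.h>` are already available in this TU, as the mode constants used here suggest.

```cpp
  // … unchanged: open() call with O_NOFOLLOW and the fd < 0 error path …

  // refuse to append to anything that is not a regular file owned by us
  struct stat st;
  if(fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid())
  {
    close(fd);
    return NULL;
  }
```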
diff -Nru 
renderdoc-1.24+dfsg/debian/patches/0005-Fix-incorrect-return-type.patch 
renderdoc-1.24+dfsg/debian/patches/0005-Fix-incorrect-return-type.patch
--- renderdoc-1.24+dfsg/debian/patches/0005-Fix-incorrect-return-type.patch     
1970-01-01 02:00:00.000000000 +0200
+++ renderdoc-1.24+dfsg/debian/patches/0005-Fix-incorrect-return-type.patch     
2024-12-08 08:11:19.000000000 +0200
@@ -0,0 +1,39 @@
+From c949b20cb634ea1fd101a2c0ecf6c4f401990c52 Mon Sep 17 00:00:00 2001
+From: baldurk <bald...@baldurk.org>
+Date: Fri, 19 May 2023 10:58:29 +0100
+Subject: Fix incorrect return type
+
+---
+ renderdoc/strings/string_utils.cpp | 2 +-
+ renderdoc/strings/string_utils.h   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/renderdoc/strings/string_utils.cpp 
b/renderdoc/strings/string_utils.cpp
+index b2d02c8b4..61addb115 100644
+--- a/renderdoc/strings/string_utils.cpp
++++ b/renderdoc/strings/string_utils.cpp
+@@ -141,7 +141,7 @@ rdcstr strip_extension(const rdcstr &path)
+   return path.substr(0, offs);
+ }
+ 
+-rdcstr strip_nonbasic(rdcstr &str)
++void strip_nonbasic(rdcstr &str)
+ {
+   for(char &c : str)
+   {
+diff --git a/renderdoc/strings/string_utils.h 
b/renderdoc/strings/string_utils.h
+index bb6c45a2f..3a5a5983a 100644
+--- a/renderdoc/strings/string_utils.h
++++ b/renderdoc/strings/string_utils.h
+@@ -40,7 +40,7 @@ rdcstr strip_extension(const rdcstr &path);
+ // remove everything but alphanumeric ' ' and '.'
+ // It replaces everything else with _
+ // for logging strings where they might contain garbage characters
+-rdcstr strip_nonbasic(rdcstr &str);
++void strip_nonbasic(rdcstr &str);
+ 
+ void split(const rdcstr &in, rdcarray<rdcstr> &out, const char sep);
+ void merge(const rdcarray<rdcstr> &in, rdcstr &out, const char sep);
+-- 
+2.30.2
+
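Review bot: With the return type corrected to `void`, the header comment should also say that `strip_nonbasic` mutates its argument in place and operates per byte, so a multibyte UTF-8 character becomes one `_` per byte — callers sanitising names that may be non-ASCII need to know this. Suggested comment: `// In-place: every byte that is not ASCII alphanumeric, ' ' or '.' becomes '_' (UTF-8 multibyte sequences turn into several underscores). Intended for log strings that may contain garbage.` The `%` replacement is what makes these strings safe to pass through the printf-style RDCLOG path, which is worth stating as the reason the function exists.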
diff -Nru renderdoc-1.24+dfsg/debian/patches/series 
renderdoc-1.24+dfsg/debian/patches/series
--- renderdoc-1.24+dfsg/debian/patches/series   2022-12-14 12:12:23.000000000 
+0200
+++ renderdoc-1.24+dfsg/debian/patches/series   2024-12-08 14:42:00.000000000 
+0200
@@ -16,3 +16,8 @@
 0016-qrenderdoc-Fix-misspelling-hiearchy-hierarchy.patch
 0017-renderdoc-Fix-misspelling-persistant-persistent.patch
 0018-renderdoc-Patch-for-glslang-11.12.0.patch
+0001-Verify-array-sizes-when-serialising-for-strings.patch
+0002-Don-t-call-ReadLargeBuffer-for-socket-reads.patch
+0003-Sanitise-strings-printed-when-received-from-target-c.patch
+0004-Don-t-open-symlinks-when-opening-logfile.patch
+0005-Fix-incorrect-return-type.patch
