Date: Wed, 24 Sep 2014 21:23:16 +0000 (UTC) From: Raphael Kubo da Costa <rakuco@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r369207 - in head/net/krfb: . files Message-ID: <201409242123.s8OLNGG9010065@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: rakuco Date: Wed Sep 24 21:23:16 2014 New Revision: 369207 URL: http://svnweb.freebsd.org/changeset/ports/369207 QAT: https://qat.redports.org/buildarchive/r369207/ Log: Add upstream patches for CVE-2014-6055 (more vulnerabilities in libvncserver). Don't worry, more recent krfb versions will stop bundling libvncserver. MFH: 2014Q3 Security: fb25333d-442f-11e4-98f3-5453ed2e2b49 Added: head/net/krfb/files/patch-CVE-2014-6055 (contents, props changed) Modified: head/net/krfb/Makefile Modified: head/net/krfb/Makefile ============================================================================== --- head/net/krfb/Makefile Wed Sep 24 21:22:02 2014 (r369206) +++ head/net/krfb/Makefile Wed Sep 24 21:23:16 2014 (r369207) @@ -2,7 +2,7 @@ PORTNAME= krfb PORTVERSION= ${KDE4_VERSION} -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= net kde MASTER_SITES= KDE/${KDE4_BRANCH}/${PORTVERSION}/src DIST_SUBDIR= KDE/${PORTVERSION} Added: head/net/krfb/files/patch-CVE-2014-6055 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/krfb/files/patch-CVE-2014-6055 Wed Sep 24 21:23:16 2014 (r369207) @@ -0,0 +1,212 @@ +Fixes for CVE-2014-6055, taken from upstream. + +commit d931eafccf3140d740ac61e876dce72a23ade7f4 +Author: Martin T. H. Sandsmark <martin.sandsmark@kde.org> +Date: Tue Sep 23 22:46:27 2014 +0200 + + libvncserver: Check malloc() return value on client->server ClientCutText message. + + Client can send up to 2**32-1 bytes of text, and such a large allocation + is likely to fail in case of high memory pressure. This would in a + server crash (write at address 0). + + Upstream commit: 6037a9074d52b1963c97cb28ea1096c7c14cbf28 + +commit 126a746dd7bee35840083e9bec7a52935a010346 +Author: Martin T. H. Sandsmark <martin.sandsmark@kde.org> +Date: Tue Sep 23 22:43:38 2014 +0200 + + libnvcserver: Do not accept a scaling factor of zero. + + This would cause a division by zero and crash the server. + + Upstream commit: 05a9bd41a8ec0a9d580a8f420f41718bdd235446 + +commit 2e211579455fd832fb21322482c005b6a85aa1bf +Author: Martin T. H. Sandsmark <martin.sandsmark@kde.org> +Date: Tue Sep 23 22:40:17 2014 +0200 + + libvncserver: Fix multiple stack-based buffer overflows in file transfer feature + + Upstream commit: 06ccdf016154fde8eccb5355613ba04c59127b2e + + CVE-2014-6055 + +commit 857c2b411ed806ef806116407612a2d2a40fab9c +Author: Martin T. H. Sandsmark <martin.sandsmark@kde.org> +Date: Tue Sep 23 17:54:11 2014 +0200 + + libvncserver: Fix stack-based buffer overflow in rfbFileTransferOffer message, FileTime processing + + Upstream commit: f528072216dec01cee7ca35d94e171a3b909e677 + + CVE-2014-6055 +--- libvncserver/rfbserver.c ++++ libvncserver/rfbserver.c +@@ -1175,13 +1175,21 @@ typedef struct { + #define RFB_FILE_ATTRIBUTE_TEMPORARY 0x100 + #define RFB_FILE_ATTRIBUTE_COMPRESSED 0x800 + +-rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, char *path, char *unixPath) ++rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, char *path, char *unixPath, size_t unixPathMaxLen) + { + int x; + char *home=NULL; + + FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, FALSE); + ++ /* ++ * Do not use strncpy() - truncating the file name would probably have undesirable side effects ++ * Instead check if destination buffer is big enough ++ */ ++ ++ if (strlen(path) >= unixPathMaxLen) ++ return FALSE; ++ + /* C: */ + if (path[0]=='C' && path[1]==':') + strcpy(unixPath, &path[2]); +@@ -1190,6 +1198,10 @@ rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, char *path, char *unixPath) + home = getenv("HOME"); + if (home!=NULL) + { ++ /* Re-check buffer size */ ++ if ((strlen(path) + strlen(home) + 1) >= unixPathMaxLen) ++ return FALSE; ++ + strcpy(unixPath, home); + strcat(unixPath,"/"); + strcat(unixPath, path); +@@ -1227,7 +1239,9 @@ rfbBool rfbSendDirContent(rfbClientPtr cl, int length, char *buffer) + FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, FALSE); + + /* Client thinks we are Winblows */ +- rfbFilenameTranslate2UNIX(cl, buffer, path); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, path, sizeof(path))) ++ return FALSE; ++ + + if (DB) rfbLog("rfbProcessFileTransfer() rfbDirContentRequest: rfbRDirContent: \"%s\"->\"%s\"\n",buffer, path); + +@@ -1504,7 +1518,12 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con + /* add some space to the end of the buffer as we will be adding a timespec to it */ + if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE; + /* The client requests a File */ +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ { ++ if (buffer!=NULL) free(buffer); ++ return FALSE; ++ } ++ + cl->fileTransfer.fd=open(filename1, O_RDONLY, 0744); + + /* +@@ -1602,7 +1621,8 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con + p = strrchr(buffer, ','); + if (p!=NULL) { + *p = '\0'; +- strcpy(szFileTime, p+1); ++ strncpy(szFileTime, p+1, sizeof(szFileTime)); ++ szFileTime[sizeof(szFileTime)-1] = '\x00'; /* ensure NULL terminating byte is present, even if copy overflowed */ + } else + szFileTime[0]=0; + +@@ -1619,7 +1639,12 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con + } + sizeHtmp = Swap32IfLE(sizeHtmp); + +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ { ++ if (buffer!=NULL) free(buffer); ++ return FALSE; ++ } ++ + + /* If the file exists... We can send a rfbFileChecksums back to the client before we send an rfbFileAcceptHeader */ + /* TODO: Delta Transfer */ +@@ -1745,7 +1770,12 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con + if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE; + switch (contentParam) { + case rfbCDirCreate: /* Client requests the creation of a directory */ +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ { ++ if (buffer!=NULL) free(buffer); ++ return FALSE; ++ } ++ + retval = mkdir(filename1, 0755); + if (DB) rfbLog("rfbProcessFileTransfer() rfbCommand: rfbCDirCreate(\"%s\"->\"%s\") %s\n", buffer, filename1, (retval==-1?"Failed":"Success")); + /* +@@ -1754,7 +1784,11 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con + if (buffer!=NULL) free(buffer); + return retval; + case rfbCFileDelete: /* Client requests the deletion of a file */ +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ { ++ if (buffer!=NULL) free(buffer); ++ return FALSE; ++ } + if (stat(filename1,&statbuf)==0) + { + if (S_ISDIR(statbuf.st_mode)) +@@ -1772,8 +1806,17 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con + { + /* Split into 2 filenames ('*' is a seperator) */ + *p = '\0'; +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); +- rfbFilenameTranslate2UNIX(cl, p+1, filename2); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ { ++ if (buffer!=NULL) free(buffer); ++ return FALSE; ++ } ++ ++ if (!rfbFilenameTranslate2UNIX(cl, p+1, filename2, sizeof(filename2))) ++ { ++ if (buffer!=NULL) free(buffer); ++ return FALSE; ++ } + retval = rename(filename1,filename2); + if (DB) rfbLog("rfbProcessFileTransfer() rfbCommand: rfbCFileRename(\"%s\"->\"%s\" -->> \"%s\"->\"%s\") %s\n", buffer, filename1, p+1, filename2, (retval==-1?"Failed":"Success")); + /* +@@ -2361,6 +2404,12 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) + + str = (char *)malloc(msg.cct.length); + ++ if (str == NULL) { ++ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); ++ rfbCloseClient(cl); ++ return; ++ } ++ + if ((n = rfbReadExact(cl, str, msg.cct.length)) <= 0) { + if (n != 0) + rfbLogPerror("rfbProcessClientNormalMessage: read"); +@@ -2385,6 +2434,11 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) + rfbCloseClient(cl); + return; + } ++ if (msg.ssc.scale == 0) { ++ rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero"); ++ rfbCloseClient(cl); ++ return; ++ } + rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg); + rfbLog("rfbSetScale(%d)\n", msg.ssc.scale); + rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale); +@@ -2401,6 +2455,11 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) + rfbCloseClient(cl); + return; + } ++ if (msg.ssc.scale == 0) { ++ rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero"); ++ rfbCloseClient(cl); ++ return; ++ } + rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg); + rfbLog("rfbSetScale(%d)\n", msg.ssc.scale); + rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201409242123.s8OLNGG9010065>