Package: tigervnc / 1.9.0+dfsg-3+deb10u1

Metadata

Package: tigervnc
Version: 1.9.0+dfsg-3+deb10u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0102 fix spelling error in manpages to shutup lintian.patch

unix/x0vncserver/x0vncserver.man | 4 2 + 2 - 0 !
vncviewer/vncviewer.man | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 fix spelling error in manpages to silence lintian.
0151 make cmake enable options mandatory if turned on.patch

CMakeLists.txt | 31 24 + 7 - 0 !
1 file changed, 24 insertions(+), 7 deletions(-)

 make cmake enable options mandatory if turned on.
rh/0904 Added RH patch tigervnc11 rh588342.patch which fixes.patch

unix/xserver/hw/vnc/Input.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch 4/7] added rh patch tigervnc11-rh588342.patch which fixes eq overflowing bug.

Xvnc could become unresponsive and the following error message was shown
in the log: "[mi] EQ overflowing. The server is probably stuck in an
infinite loop.". This was caused by a large number of user input events
in the Xvnc event queue, which were being processed too slowly. With
this update, this issue no longer occurs and the system works as
expected. (BZ#588342)

rh/tigervnc manpages.patch

unix/vncserver | 1 1 + 0 - 0 !
vncviewer/vncviewer.cxx | 5 5 + 0 - 0 !
2 files changed, 6 insertions(+)

 add help output for options -display and -geometry.
rh/tigervnc cursor.patch

vncviewer/Viewport.cxx | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 make sure cursor is defined before using it.
rh/tigervnc working tls on fips systems.patch

common/rfb/SSecurityTLS.cxx | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 get tigervnc's tls working on fips systems.
find fltk libs.diff

CMakeLists.txt | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 find fltk shared libraries
fix linking.diff

CMakeLists.txt | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 fix linking against libx11 and libxext
CVE 2014 8240 849479.patch

unix/x0vncserver/Image.cxx | 19 19 + 0 - 0 !
vncviewer/PlatformPixelBuffer.cxx | 19 19 + 0 - 0 !
2 files changed, 38 insertions(+)

 fix integer overflow in tigervnc that allowed remote vnc servers to cause a denial of service (crash).
CVE 2014 8241 849478.patch

common/Xregion/Region.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 xregion in tigervnc allowed remote vnc servers to cause a denial of service.
CVE 2019 15691.patch

common/rdr/ZlibInStream.cxx | 13 7 + 6 - 0 !
common/rdr/ZlibInStream.h | 2 1 + 1 - 0 !
common/rfb/TightDecoder.cxx | 3 2 + 1 - 0 !
common/rfb/zrleDecode.h | 3 2 + 1 - 0 !
4 files changed, 12 insertions(+), 9 deletions(-)

 [patch] make zlibinstream more robust against failures

Move the checks around to avoid missing cases where we might access
memory that is no longer valid. Also avoid touching the underlying
stream implicitly (e.g. via the destructor) as it might also no
longer be valid.

A malicious server could theoretically use this for remote code
execution in the client.

Issue found by Pavel Cheremushkin from Kaspersky Lab

CVE 2019 15692.patch

common/rfb/Cursor.cxx | 3 1 + 2 - 0 !
common/rfb/EncodeManager.cxx | 5 1 + 4 - 0 !
common/rfb/PixelBuffer.cxx | 93 68 + 25 - 0 !
common/rfb/PixelBuffer.h | 14 11 + 3 - 0 !
unix/x0vncserver/XPixelBuffer.cxx | 7 2 + 5 - 0 !
unix/xserver/hw/vnc/XserverDesktop.cc | 26 11 + 15 - 0 !
unix/xserver/hw/vnc/XserverDesktop.h | 2 1 + 1 - 0 !
vncviewer/PlatformPixelBuffer.cxx | 15 7 + 8 - 0 !
vncviewer/PlatformPixelBuffer.h | 2 1 + 1 - 0 !
9 files changed, 103 insertions(+), 64 deletions(-)

 [patch] restrict pixelbuffer dimensions to safe values

We do a lot of calculations based on pixel coordinates and we need
to make sure they do not overflow. Restrict the maximum dimensions
we support rather than try to switch over all calculations to use
64 bit integers.

This prevents attackers from injecting code by specifying a
huge framebuffer size and relying on the values overflowing to
access invalid areas of the heap.

This primarily affects the client which gets both the screen
dimensions and the pixel contents from the remote side. But the
server might also be affected as a client can adjust the screen
dimensions, as can applications inside the session.

Issue found by Pavel Cheremushkin from Kaspersky Lab.

CVE 2019 15693.patch

common/rfb/tightDecode.h | 37 21 + 16 - 0 !
1 file changed, 21 insertions(+), 16 deletions(-)

 [patch] handle empty tight gradient rects

We always assumed there would be one pixel per row so a rect with
a zero width would result in us writing to unknown memory.

This could theoretically be used by a malicious server to inject
code into the viewer process.

Issue found by Pavel Cheremushkin from Kaspersky Lab.

CVE 2019 15694.patch

common/rdr/FdInStream.cxx | 20 10 + 10 - 0 !
common/rdr/FdInStream.h | 17 9 + 8 - 0 !
common/rdr/FdOutStream.cxx | 20 10 + 10 - 0 !
common/rdr/FdOutStream.h | 12 6 + 6 - 0 !
common/rdr/FileInStream.cxx | 8 4 + 4 - 0 !
common/rdr/FileInStream.h | 4 2 + 2 - 0 !
common/rdr/HexInStream.cxx | 20 10 + 10 - 0 !
common/rdr/HexInStream.h | 12 6 + 6 - 0 !
common/rdr/HexOutStream.cxx | 20 10 + 10 - 0 !
common/rdr/HexOutStream.h | 12 6 + 6 - 0 !
common/rdr/InStream.h | 16 8 + 8 - 0 !
common/rdr/MemInStream.h | 8 4 + 4 - 0 !
common/rdr/MemOutStream.h | 12 6 + 6 - 0 !
common/rdr/OutStream.h | 20 10 + 10 - 0 !
common/rdr/RandomStream.cxx | 14 7 + 7 - 0 !
common/rdr/RandomStream.h | 6 3 + 3 - 0 !
common/rdr/SubstitutingInStream.h | 6 3 + 3 - 0 !
common/rdr/TLSInStream.cxx | 10 5 + 5 - 0 !
common/rdr/TLSInStream.h | 10 5 + 5 - 0 !
common/rdr/TLSOutStream.cxx | 10 5 + 5 - 0 !
common/rdr/TLSOutStream.h | 10 5 + 5 - 0 !
common/rdr/ZlibInStream.cxx | 16 8 + 8 - 0 !
common/rdr/ZlibInStream.h | 14 7 + 7 - 0 !
common/rdr/ZlibOutStream.cxx | 10 5 + 5 - 0 !
common/rdr/ZlibOutStream.h | 10 5 + 5 - 0 !
common/rfb/Configuration.cxx | 6 3 + 3 - 0 !
common/rfb/Configuration.h | 13 7 + 6 - 0 !
common/rfb/Password.cxx | 6 3 + 3 - 0 !
common/rfb/Password.h | 6 3 + 3 - 0 !
common/rfb/util.h | 2 1 + 1 - 0 !
tests/encperf.cxx | 8 4 + 4 - 0 !
31 files changed, 180 insertions(+), 178 deletions(-)

 [patch] use size_t for lengths in stream objects

Provides safety against them accidentally becoming negative because
of bugs in the calculations.

Also does the same to CharArray and friends as they were strongly
connected to the stream objects.

CVE 2019 15695.patch

common/rfb/PixelFormat.cxx | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch] handle pixel formats with odd shift values

Our fast paths assume that each channel fits into a separate byte.
That means the shift needs to be a multiple of 8. Start actually
checking this so that a client cannot trip us up and possibly cause
incorrect code execution.

Issue found by Pavel Cheremushkin from Kaspersky Lab.