debian/

debian/libvncserver0.install
usr/lib/*/libvncclient.so.*
usr/lib/*/libvncserver.so.*

debian/rules
#!/usr/bin/make -f

VERSION = $(shell head -n1 debian/changelog | sed -e 's/.*(//;s/-.*).*//')

export LIBTOOLIZE = true

DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
ifneq ($(DEB_HOST_ARCH_OS), linux)
EXTRA_DH_ARG=-Nlinuxvnc
endif

%:
	dh $@ $(EXTRA_DH_ARG) --with autoreconf --dbg-package=libvncserver0-dbg

override_dh_auto_configure:
	dh_auto_configure -- --disable-silent-rules

get-orig-source:
	tar fxz ../libvncserver_${VERSION}.orig.tar.gz -C ..
	cd ../LibVNCServer-${VERSION} && rm -fr webclients
	tar czf ../libvncserver_${VERSION}+dfsg.orig.tar.gz ../LibVNCServer-${VERSION}
	rm -fr ../LibVNCServer-${VERSION}

debian/libvncserver0.docs
NEWS
README
TODO

debian/control
Source: libvncserver
Section: libs
Priority: optional
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Luca Falavigna
Build-Depends: debhelper (>= 9), dh-autoreconf, libgnutls-dev, libjpeg-dev, pkg-config, zlib1g-dev
Standards-Version: 3.9.3
Homepage: http://libvncserver.sourceforge.net
Vcs-Git: git://git.debian.org/collab-maint/libvncserver.git
Vcs-Browser: http://git.debian.org/?p=collab-maint/libvncserver.git;a=summary

Package: libvncserver0
Architecture: any
Pre-Depends: ${misc:Pre-Depends}
Depends: ${shlibs:Depends}, ${misc:Depends}
Suggests: libvncserver0-dbg (= ${binary:Version})
Multi-Arch: same
Description: API to write one's own vnc server
 LibVNCServer makes writing a VNC server (or more correctly, a program
 exporting a framebuffer via the Remote Frame Buffer protocol) easy.
 It hides the programmer from the tedious task of managing clients and
 compression.

Package: libvncserver-dev
Section: libdevel
Architecture: any
Depends: ${misc:Depends}, libvncserver0 (= ${binary:Version}), libgnutls-dev, libjpeg-dev, zlib1g-dev, libvncserver-config
Multi-Arch: same
Description: API to write one's own vnc server - development files
 LibVNCServer makes writing a VNC server (or more correctly, a program
 exporting a framebuffer via the Remote Frame Buffer protocol) easy.
 It hides the programmer from the tedious task of managing clients and
 compression.
 .
 This is the development package which contains headers and static
 libraries for libvncserver.

Package: libvncserver-config
Section: libdevel
Architecture: any
Depends: ${misc:Depends}, libvncserver0 (= ${binary:Version})
Breaks: libvncserver-dev (<< 0.9.9)
Replaces: libvncserver-dev (<< 0.9.9)
Multi-Arch: foreign
Description: API to write one's own vnc server - library utility
 LibVNCServer makes writing a VNC server (or more correctly, a program
 exporting a framebuffer via the Remote Frame Buffer protocol) easy.
 It hides the programmer from the tedious task of managing clients and
 compression.
 .
 This package provides libvncserver-config utility, needed to obtain
 some option of the libvncserver library.

Package: libvncserver0-dbg
Priority: extra
Section: debug
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, libvncserver0 (= ${binary:Version})
Multi-Arch: same
Description: debugging symbols for libvncserver
 LibVNCServer makes writing a VNC server (or more correctly, a program
 exporting a framebuffer via the Remote Frame Buffer protocol) easy.
 It hides the programmer from the tedious task of managing clients and
 compression.
 .
 This package contains the debugging symbols for libvncserver.

Package: linuxvnc
Section: net
Architecture: linux-any
Depends: ${shlibs:Depends}, ${misc:Depends}
Multi-Arch: foreign
Description: VNC server to allow remote access to a tty
 linuxvnc can export your currently running text sessions to any VNC client.
 It can be useful if you want to move to another computer without having to
 log out or to help a distant colleague solve a problem.

debian/watch
version=3
opts=dversionmangle=s/\+dfsg// \
http://sf.net/libvncserver/LibVNCServer-([0-9.]+)\.tar.gz

debian/libvncserver-config.1
.TH libvncserver-config 1 "19 November 2011" "libvncserver 0.9.8.2" "libvncserver-config manual"
.SH NAME
libvncserver-config \- Get information about a libvncserver installation
.SH SYNOPSIS
.B libvncserver-config
\fI[--prefix[=DIR]] [--exec-prefix[=DIR]] [--version]
\fI[\-\-link] [\-\-libs] [\-\-cflags]
.SH DESCRIPTION
.B libvncserver-config
displays information about a previous libvncserver installation.
.SH OPTIONS
.IP "--prefix=DIR"
Shows location where architecture-independent files are stored.
.IP "--exec-prefix=DIR"
Shows location where architecture-dependent files are stored.
.IP "--version"
Shows libvncserver version.
.IP "--link"
Shows the complete set of linking options libvncserver has been built with.
.IP "--libs"
Shows the complete set of libs and other linker options you will need in order
to link your application with libvncserver.
.IP "--cflags"
Set of compiler options (CFLAGS) to use when compiling files that use
libvncserver.
.SH "EXAMPLES"
What linker options do I need when I link with libvncserver?
  libvncserver-config \-\-libs
What compiler options do I need when I compile using libvncserver functions?
  libvncserver-config \-\-cflags
.SH AUTHOR
This manual page was written by Ludovic Drolez
for the Debian GNU/Linux system (but may be used by others).

debian/linuxvnc.install
usr/bin/linuxvnc

debian/patches/

debian/patches/format_string.patch
Description: Use format string argument with fprintf.
Author: Luca Falavigna Index: libvncserver/test/encodingstest.c =================================================================== --- libvncserver.orig/test/encodingstest.c 2012-05-05 13:52:52.457034521 +0200 +++ libvncserver/test/encodingstest.c 2012-05-05 23:11:51.650769263 +0200 @@ -256,7 +256,7 @@ time(&log_clock); strftime(buf, 255, "%d/%m/%Y %X (client) ", localtime(&log_clock)); - fprintf(stderr,buf); + fprintf(stderr,"%s",buf); vfprintf(stderr, format, args); fflush(stderr); debian/patches/ppc64el.diff0000644000000000000000000000127412255551501012731 0ustar Index: b/aclocal.m4 =================================================================== --- a/acinclude.m4 +++ b/acinclude.m4 @@ -533,7 +533,10 @@ x86_64-*linux*) LD="${LD-ld} -m elf_i386" ;; - ppc64-*linux*|powerpc64-*linux*) + powerpc64le-*) + LD="${LD-ld} -m elf32lppclinux" + ;; + powerpc64-*) LD="${LD-ld} -m elf32ppclinux" ;; s390x-*linux*) 
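Review bot: The replacement patterns in the acinclude.m4 hunk above drop the `ppc64-*linux*` alternative that the removed line matched, so a host triplet spelled `ppc64-...` no longer reaches the `-m elf32ppclinux` arm; if that spelling can still be produced on a supported system, keep it as `ppc64-*|powerpc64-*)`. The new arms also lose the `*linux*` restriction although the emulation names they select are the Linux ones, and the `Index: b/aclocal.m4` header does not match the `acinclude.m4` file the diff actually modifies.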
@@ -549,7 +552,10 @@ x86_64-*linux*) LD="${LD-ld} -m elf_x86_64" ;; - ppc*-*linux*|powerpc*-*linux*) + powerpcle-*) + LD="${LD-ld} -m elf64lppc" + ;; + powerpc-*) LD="${LD-ld} -m elf64ppc" ;; s390*-*linux*) debian/patches/series0000644000000000000000000000276513424371553012053 0ustar ignore_webclients.patch no_x11vnc_subdir.patch format_string.patch ppc64el.diff format-security.diff CVE-2014-6051-6052.patch CVE-2014-6053.patch CVE-2014-6054.patch CVE-2014-6055.patch CVE-2016-9941.patch CVE-2016-9942.patch CVE-2018-7225.patch CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch CVE-2018-20020/0001-LibVNCClient-make-sure-ReadFromRFBServer-does-not-wr.patch CVE-2018-20020/0002-LibVNCClient-really-fix-250.patch CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch CVE-2018-20024/0001-LibVNCClient-make-sure-Ultra-decoding-cannot-derefer.patch CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch CVE-2018-20748/CVE-2018-20748-1.patch CVE-2018-20748/CVE-2018-20748-2.patch CVE-2018-20748/CVE-2018-20748-3.patch CVE-2018-20748/CVE-2018-20748-4.patch CVE-2018-20749/CVE-2018-20749.patch CVE-2018-20750/CVE-2018-20750.patch debian/patches/CVE-2016-9941.patch0000644000000000000000000000450013033711743013246 0ustar Backport of: From 5418e8007c248bf9668d22a8c1fa9528149b69f2 Mon Sep 17 00:00:00 2001 
From: Josef Gajdusek Date: Mon, 14 Nov 2016 11:39:01 +0100 Subject: [PATCH] Fix heap overflows in the various rectangle fill functions Altough rfbproto.c does check whether the overall FramebufferUpdate rectangle is too large, some of the individual encoding decoders do not, which allows a malicious server to overwrite parts of the heap. --- libvncclient/rfbproto.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) Index: libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c =================================================================== --- libvncserver-0.9.9+dfsg.orig/libvncclient/rfbproto.c 2017-01-06 07:56:00.893123903 -0500 +++ libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c 2017-01-06 07:56:00.889123863 -0500 @@ -136,9 +136,18 @@ /* messages */ +static boolean CheckRect(rfbClient* client, int x, int y, int w, int h) { + return x + w <= client->width && y + h <= client->height; +} + static void FillRectangle(rfbClient* client, int x, int y, int w, int h, uint32_t colour) { int i,j; + if (!CheckRect(client, x, y, w, h)) { + rfbClientLog("Rect out of bounds: %dx%d at (%d, %d)\n", x, y, w, h); + return; + } + #define FILL_RECT(BPP) \ for(j=y*client->width;j<(y+h)*client->width;j+=client->width) \ for(i=x;iwidth * BPP / 8; \ 
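Review bot: `CheckRect` only tests the upper bounds (`x + w <= client->width && y + h <= client->height`) and all four parameters are signed `int`, so a negative `x`, `y`, `w` or `h` still passes and `FILL_RECT` would index before the start of the frame buffer; add `x >= 0 && y >= 0 && w >= 0 && h >= 0` to the predicate. The return type `boolean` is not the `rfbBool` used elsewhere in rfbproto.c, and the `rfbClientLog` call passes `x, y, w, h` to a format that reads `%dx%d at (%d, %d)`, so the position is printed as the size and the size as the position.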
@@ -178,6 +192,16 @@ static void CopyRectangleFromRectangle(rfbClient* client, int src_x, int src_y, int w, int h, int dest_x, int dest_y) { int i,j; + if (!CheckRect(client, src_x, src_y, w, h)) { + rfbClientLog("Source rect out of bounds: %dx%d at (%d, %d)\n", src_x, src_y, w, h); + return; + } + + if (!CheckRect(client, dest_x, dest_y, w, h)) { + rfbClientLog("Dest rect out of bounds: %dx%d at (%d, %d)\n", dest_x, dest_y, w, h); + return; + } + #define COPY_RECT_FROM_RECT(BPP) \ { \ uint##BPP##_t* _buffer=((uint##BPP##_t*)client->frameBuffer)+(src_y-dest_y)*client->width+src_x-dest_x; \ debian/patches/CVE-2018-15127/0000755000000000000000000000000013424365116012304 5ustar debian/patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch0000644000000000000000000000210313413154075024543 0ustar From: Christian Beier Date: Sun, 21 Oct 2018 20:21:30 +0200 Subject: LibVNCServer: fix heap out-of-bound write access Origin: https://github.com/LibVNC/libvncserver/commit/502821828ed00b4a2c4bef90683d0fd88ce495de Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15127 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/243 Closes #243 --- libvncserver/rfbserver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c index ed1365a55389..6ca511fee3ed 100644 --- a/libvncserver/rfbserver.c +++ b/libvncserver/rfbserver.c 
@@ -1465,7 +1465,7 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length) rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length); */ if (length>0) { - buffer=malloc(length+1); + buffer=malloc((uint64_t)length+1); if (buffer!=NULL) { if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) { if (n != 0) -- 2.20.1 debian/patches/CVE-2018-20022/0000755000000000000000000000000013424365114012270 5ustar debian/patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch0000644000000000000000000000264113413154075025564 0ustar From: Christian Beier Date: Sat, 29 Sep 2018 21:10:32 +0200 Subject: LibVNCClient: don't leak uninitialised memory to remote Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20022 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/252 The pad fields of the rfbClientCutTextMsg and rfbKeyEventMsg could contain arbitray memory belonging to the process, don't leak this to the remote. Closes #252 --- libvncclient/rfbproto.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c index 669e38848d15..808ad4d28b7f 100644 --- a/libvncclient/rfbproto.c +++ b/libvncclient/rfbproto.c @@ -1643,6 +1643,7 @@ SendKeyEvent(rfbClient* client, uint32_t key, rfbBool down) if (!SupportsClient2Server(client, rfbKeyEvent)) return TRUE; + memset(&ke, 0, sizeof(ke)); ke.type = rfbKeyEvent; ke.down = down ? 1 : 0; ke.key = rfbClientSwap32IfLE(key); 
@@ -1661,6 +1662,7 @@ SendClientCutText(rfbClient* client, char *str, int len) if (!SupportsClient2Server(client, rfbClientCutText)) return TRUE; + memset(&cct, 0, sizeof(cct)); cct.type = rfbClientCutText; cct.length = rfbClientSwap32IfLE(len); return (WriteToRFBServer(client, (char *)&cct, sz_rfbClientCutTextMsg) && -- 2.20.1 debian/patches/CVE-2018-6307/0000755000000000000000000000000013424365102012217 5ustar debian/patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch0000644000000000000000000000260213413154075024440 0ustar From: Christian Beier Date: Sun, 21 Oct 2018 20:52:04 +0200 Subject: tightvnc-filetransfer: fix heap use-after-free Origin: https://github.com/LibVNC/libvncserver/commit/ca2a5ac02fbbadd0a21fabba779c1ea69173d10b Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6307 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/241 One can only guess what the intended semantics were here, but as every other rfbCloseClient() call in this file is followed by an immediate return, let's assume this was forgotton in this case. Anyway, don't forget to clean up to not leak memory. Closes #241 --- libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c index c511eed17fcd..0473783164f2 100644 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c 
@@ -585,6 +585,8 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl, rfbTightClientPtr rtcp) "FileDownloadCancelMsg\n", __FILE__, __FUNCTION__); rfbCloseClient(cl); + free(reason); + return; } rfbLog("File [%s]: Method [%s]: File Download Cancel Request received:" -- 2.20.1 debian/patches/CVE-2018-20021/0000755000000000000000000000000013424365722012274 5ustar debian/patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch0000644000000000000000000000207713424365722023271 0ustar From: Christian Beier Date: Sat, 29 Sep 2018 21:32:59 +0200 Subject: LibVNCClient: fix possible infinite loop Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20021 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/251 Closes #251 --- libvncclient/rfbproto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: libvncserver-0.9.10+dfsg/libvncclient/rfbproto.c =================================================================== --- libvncserver-0.9.10+dfsg.orig/libvncclient/rfbproto.c 2019-01-30 13:24:16.177745483 -0500 +++ libvncserver-0.9.10+dfsg/libvncclient/rfbproto.c 2019-01-30 13:24:16.173745473 -0500 
@@ -1972,7 +1972,7 @@ HandleRFBServerMessage(rfbClient* client bytesPerLine = rect.r.w * client->format.bitsPerPixel / 8; linesToRead = RFB_BUFFER_SIZE / bytesPerLine; - while (h > 0) { + while (linesToRead && h > 0) { if (linesToRead > h) linesToRead = h; debian/patches/CVE-2014-6051-6052.patch0000644000000000000000000000672712411033514013630 0ustar Description: fix denial of service and possible code execution via integer overflow and lack of malloc error handling in MallocFrameBuffer() Origin: backport, https://github.com/newsoft/libvncserver/commit/045a044e8ae79db9244593fbce154cdf6e843273 Origin: backport, https://github.com/newsoft/libvncserver/commit/85a778c0e45e87e35ee7199f1f25020648e8b812 Index: libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c =================================================================== --- libvncserver-0.9.9+dfsg.orig/libvncclient/rfbproto.c 2012-05-04 10:19:00.000000000 -0400 +++ libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c 2014-09-25 11:11:55.884057336 -0400 @@ -1807,7 +1807,8 @@ client->updateRect.x = client->updateRect.y = 0; client->updateRect.w = client->width; client->updateRect.h = client->height; - client->MallocFrameBuffer(client); + if (!client->MallocFrameBuffer(client)) + return FALSE; SendFramebufferUpdateRequest(client, 0, 0, rect.r.w, rect.r.h, FALSE); rfbClientLog("Got new framebuffer size: %dx%d\n", rect.r.w, rect.r.h); continue; @@ -2260,7 +2261,8 @@ client->updateRect.x = client->updateRect.y = 0; client->updateRect.w = client->width; client->updateRect.h = client->height; - client->MallocFrameBuffer(client); + if (!client->MallocFrameBuffer(client)) + return FALSE; SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE); rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height); break; 
@@ -2276,7 +2278,9 @@ client->updateRect.x = client->updateRect.y = 0; client->updateRect.w = client->width; client->updateRect.h = client->height; - client->MallocFrameBuffer(client); + if (!client->MallocFrameBuffer(client)) + return FALSE; + SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE); rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height); break; Index: libvncserver-0.9.9+dfsg/libvncclient/vncviewer.c =================================================================== --- libvncserver-0.9.9+dfsg.orig/libvncclient/vncviewer.c 2012-05-04 10:19:00.000000000 -0400 +++ libvncserver-0.9.9+dfsg/libvncclient/vncviewer.c 2014-09-25 11:10:29.984055035 -0400 @@ -82,9 +82,27 @@ #endif } static rfbBool MallocFrameBuffer(rfbClient* client) { +uint64_t allocSize; + if(client->frameBuffer) free(client->frameBuffer); - client->frameBuffer=malloc(client->width*client->height*client->format.bitsPerPixel/8); + + /* SECURITY: promote 'width' into uint64_t so that the multiplication does not overflow + 'width' and 'height' are 16-bit integers per RFB protocol design + SIZE_MAX is the maximum value that can fit into size_t + */ + allocSize = (uint64_t)client->width * client->height * client->format.bitsPerPixel/8; + + if (allocSize >= SIZE_MAX) { + rfbClientErr("CRITICAL: cannot allocate frameBuffer, requested size is too large\n"); + return FALSE; + } + + client->frameBuffer=malloc( (size_t)allocSize ); + + if (client->frameBuffer == NULL) + rfbClientErr("CRITICAL: frameBuffer allocation failed, requested size too large or not enough memory?\n"); + return client->frameBuffer?TRUE:FALSE; } 
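Review bot: On the `allocSize >= SIZE_MAX` path in `MallocFrameBuffer` the function returns FALSE after `free(client->frameBuffer)` has already run, which leaves `client->frameBuffer` pointing at freed memory; any cleanup or later write that touches the buffer after this failure becomes a double free or use-after-free. Set `client->frameBuffer = NULL` immediately after the `free()` so that both failure paths leave the client in the same state.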
@@ -225,7 +243,8 @@ client->width=client->si.framebufferWidth; client->height=client->si.framebufferHeight; - client->MallocFrameBuffer(client); + if (!client->MallocFrameBuffer(client)) + return FALSE; if (!SetFormatAndEncodings(client)) return FALSE; debian/patches/CVE-2018-20024/0000755000000000000000000000000013424365113012271 5ustar debian/patches/CVE-2018-20024/0001-LibVNCClient-make-sure-Ultra-decoding-cannot-derefer.patch0000644000000000000000000000261513413154075025531 0ustar From: Christian Beier Date: Mon, 1 Oct 2018 19:38:33 +0200 Subject: LibVNCClient: make sure Ultra decoding cannot dereference a null pointer Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20024 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/254 Closes #254 --- libvncclient/ultra.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libvncclient/ultra.c b/libvncclient/ultra.c index a82e2eddbdc2..a2875267e790 100644 --- a/libvncclient/ultra.c +++ b/libvncclient/ultra.c @@ -66,6 +66,8 @@ HandleUltraBPP (rfbClient* client, int rx, int ry, int rw, int rh) if ((client->raw_buffer_size % 4)!=0) client->raw_buffer_size += (4-(client->raw_buffer_size % 4)); client->raw_buffer = (char*) malloc( client->raw_buffer_size ); + if(client->raw_buffer == NULL) + return FALSE; } /* allocate enough space to store the incoming compressed packet */ 
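Review bot: The early `return FALSE` on a failed `malloc` in `HandleUltraBPP` leaves `client->raw_buffer_size` at the new, rounded-up value while `client->raw_buffer` is NULL, because the size is updated in the lines just above the allocation. If this block is guarded by a size comparison (the guard lies outside the hunk, so this is an assumption), a later rectangle would skip the allocation and use the NULL buffer; reset `client->raw_buffer_size` to 0 before returning.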
@@ -150,6 +152,8 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) if ((client->raw_buffer_size % 4)!=0) client->raw_buffer_size += (4-(client->raw_buffer_size % 4)); client->raw_buffer = (char*) malloc( client->raw_buffer_size ); + if(client->raw_buffer == NULL) + return FALSE; } -- 2.20.1 debian/patches/CVE-2014-6054.patch0000644000000000000000000000727412411033527013243 0ustar Description: fix denial of service via zero scaling factor Origin: backport, https://github.com/newsoft/libvncserver/commit/05a9bd41a8ec0a9d580a8f420f41718bdd235446 Origin: backport, https://github.com/newsoft/libvncserver/commit/f18f24ce65f5cac22ddcf3ed51417e477f9bad09 Origin: backport, https://github.com/newsoft/libvncserver/commit/5dee1cbcd83920370a487c4fd2718aa4d3eba548 Origin: backport, https://github.com/newsoft/libvncserver/commit/819481c5e2003cd36d002336c248de8c75de362e Origin: backport, https://github.com/newsoft/libvncserver/commit/e5d9b6a07257c12bf3b6242ddea79ea1c95353a8 Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c =================================================================== --- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c 2014-09-25 11:19:54.464070151 -0400 +++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c 2014-09-25 11:20:04.344070416 -0400 @@ -2487,6 +2487,13 @@ rfbCloseClient(cl); return; } + + if (msg.ssc.scale == 0) { + rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero"); + rfbCloseClient(cl); + return; + } + rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg); rfbLog("rfbSetScale(%d)\n", msg.ssc.scale); rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale); 
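Review bot: `rfbLogPerror` is the wrong logger for the `msg.ssc.scale == 0` rejection in this rfbserver.c hunk, since it appends the message for the current `errno` and no system call has failed at this point, so the log line ends with an unrelated error string; use `rfbLog` or `rfbErr` with a trailing newline. The identical block is added again in the next hunk for the second scale message, so a small helper would keep the two checks in step.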
@@ -2503,6 +2510,13 @@ rfbCloseClient(cl); return; } + + if (msg.ssc.scale == 0) { + rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero"); + rfbCloseClient(cl); + return; + } + rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg); rfbLog("rfbSetScale(%d)\n", msg.ssc.scale); rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale); Index: libvncserver-0.9.9+dfsg/libvncserver/scale.c =================================================================== --- libvncserver-0.9.9+dfsg.orig/libvncserver/scale.c 2012-05-04 10:19:00.000000000 -0400 +++ libvncserver-0.9.9+dfsg/libvncserver/scale.c 2014-09-25 11:20:13.580070663 -0400 @@ -66,6 +66,10 @@ (double) ((int) (x)) : (double) ((int) (x) + 1) ) #define FLOOR(x) ( (double) ((int) (x)) ) +static inline int pad4(int value) { + int remainder = value & 3; + return value + (remainder == 0 ? 0 : 4 - remainder); +} int ScaleX(rfbScreenInfoPtr from, rfbScreenInfoPtr to, int x) { 
@@ -281,14 +285,29 @@ ptr = malloc(sizeof(rfbScreenInfo)); if (ptr!=NULL) { + int allocSize; + /* copy *everything* (we don't use most of it, but just in case) */ memcpy(ptr, cl->screen, sizeof(rfbScreenInfo)); + + /* SECURITY: make sure that no integer overflow will occur afterwards. + * Note: this is defensive coding, as the check should have already been + * performed during initial, non-scaled screen setup. + */ + allocSize = pad4(width * (ptr->bitsPerPixel/8)); /* per protocol, width<2**16 and bpp<256 */ + if ((height == 0) || (allocSize >= (SIZE_MAX / height))) + { + free(ptr); + return NULL; /* malloc() will allocate an incorrect buffer size - early abort */ + } + + /* Resume copy everything */ ptr->width = width; ptr->height = height; ptr->paddedWidthInBytes = (ptr->bitsPerPixel/8)*ptr->width; /* Need to by multiples of 4 for Sparc systems */ - ptr->paddedWidthInBytes += (ptr->paddedWidthInBytes % 4); + ptr->paddedWidthInBytes = pad4(ptr->paddedWidthInBytes); /* Reset the reference count to 0! */ ptr->scaledScreenRefCount = 0; debian/patches/CVE-2018-20748/0000755000000000000000000000000013424372101012301 5ustar debian/patches/CVE-2018-20748/CVE-2018-20748-4.patch0000644000000000000000000000156013424362551015164 0ustar From a64c3b37af9a6c8f8009d7516874b8d266b42bae Mon Sep 17 00:00:00 2001 From: Christian Beier Date: Sun, 6 Jan 2019 14:22:34 +0100 Subject: [PATCH] LibVNCClient: remove now-useless cast re #273 --- libvncclient/rfbproto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: libvncserver-0.9.11+dfsg/libvncclient/rfbproto.c =================================================================== --- libvncserver-0.9.11+dfsg.orig/libvncclient/rfbproto.c 2019-01-30 12:56:55.878000557 -0500 +++ libvncserver-0.9.11+dfsg/libvncclient/rfbproto.c 2019-01-30 12:56:55.878000557 -0500 
@@ -2257,7 +2257,7 @@ HandleRFBServerMessage(rfbClient* client return FALSE; } - buffer = malloc((uint64_t)msg.sct.length+1); + buffer = malloc(msg.sct.length+1); if (!ReadFromRFBServer(client, buffer, msg.sct.length)) { free(buffer); debian/patches/CVE-2018-20748/CVE-2018-20748-2.patch0000644000000000000000000000577513424362536015201 0ustar From e34bcbb759ca5bef85809967a268fdf214c1ad2c Mon Sep 17 00:00:00 2001 From: Christian Beier Date: Sat, 29 Dec 2018 14:40:53 +0100 Subject: [PATCH] LibVNCClient: ignore server-sent reason strings longer than 1MB Fixes #273 --- libvncclient/rfbproto.c | 45 +++++++++++++++++++---------------------- 1 file changed, 21 insertions(+), 24 deletions(-) Index: libvncserver-0.9.11+dfsg/libvncclient/rfbproto.c =================================================================== --- libvncserver-0.9.11+dfsg.orig/libvncclient/rfbproto.c 2019-01-30 12:56:44.593971846 -0500 +++ libvncserver-0.9.11+dfsg/libvncclient/rfbproto.c 2019-01-30 12:56:44.593971846 -0500 @@ -536,11 +536,29 @@ rfbBool ConnectToRFBRepeater(rfbClient* extern void rfbClientEncryptBytes(unsigned char* bytes, char* passwd); extern void rfbClientEncryptBytes2(unsigned char *where, const int length, unsigned char *key); +static void +ReadReason(rfbClient* client) +{ + uint32_t reasonLen; + char *reason; + + if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return; + reasonLen = rfbClientSwap32IfLE(reasonLen); + if(reasonLen > 1<<20) { + rfbClientLog("VNC connection failed, but sent reason length of %u exceeds limit of 1MB",(unsigned int)reasonLen); + return; + } + reason = malloc(reasonLen+1); + if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; } + reason[reasonLen]=0; + rfbClientLog("VNC connection failed: %s\n",reason); + free(reason); +} + rfbBool rfbHandleAuthResult(rfbClient* client) { - uint32_t authResult=0, reasonLen=0; - char *reason=NULL; + uint32_t authResult=0; if (!ReadFromRFBServer(client, (char *)&authResult, 4)) return FALSE; 
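Review bot: `reason = malloc(reasonLen+1)` in the new `ReadReason` is not checked for NULL before `ReadFromRFBServer(client, reason, reasonLen)` writes into it and `reason[reasonLen]=0` terminates it; with lengths of up to 1 MB accepted, an allocation failure is reachable, so return early when `malloc` fails. The `reasonLen > 1<<20` branch also logs without a trailing `\n`, unlike the other `rfbClientLog` call in the same function.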
@@ -555,13 +573,7 @@ rfbHandleAuthResult(rfbClient* client) if (client->major==3 && client->minor>7) { /* we have an error following */ - if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE; - reasonLen = rfbClientSwap32IfLE(reasonLen); - reason = malloc((uint64_t)reasonLen+1); - if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; } - reason[reasonLen]=0; - rfbClientLog("VNC connection failed: %s\n",reason); - free(reason); + ReadReason(client); return FALSE; } rfbClientLog("VNC authentication failed\n"); @@ -576,21 +588,6 @@ rfbHandleAuthResult(rfbClient* client) return FALSE; } -static void -ReadReason(rfbClient* client) -{ - uint32_t reasonLen; - char *reason; - - /* we have an error following */ - if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return; - reasonLen = rfbClientSwap32IfLE(reasonLen); - reason = malloc((uint64_t)reasonLen+1); - if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; } - reason[reasonLen]=0; - rfbClientLog("VNC connection failed: %s\n",reason); - free(reason); -} static rfbBool ReadSupportedSecurityType(rfbClient* client, uint32_t *result, rfbBool subAuth) debian/patches/CVE-2018-20748/CVE-2018-20748-1.patch0000644000000000000000000000217513424362531015162 0ustar From c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a Mon Sep 17 00:00:00 2001 From: Christian Beier Date: Sat, 29 Dec 2018 14:16:58 +0100 Subject: [PATCH] LibVNCClient: ignore server-sent cut text longer than 1MB This is in line with how LibVNCServer does it (28afb6c537dc82ba04d5f245b15ca7205c6dbb9c) and fixes part of #273. --- libvncclient/rfbproto.c | 5 +++++ 1 file changed, 5 insertions(+) Index: libvncserver-0.9.11+dfsg/libvncclient/rfbproto.c =================================================================== --- libvncserver-0.9.11+dfsg.orig/libvncclient/rfbproto.c 2019-01-30 12:56:38.453956222 -0500 +++ libvncserver-0.9.11+dfsg/libvncclient/rfbproto.c 2019-01-30 12:56:38.453956222 -0500 
@@ -2251,6 +2251,11 @@ HandleRFBServerMessage(rfbClient* client msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); + if (msg.sct.length > 1<<20) { + rfbClientErr("Ignoring too big cut text length sent by server: %u B > 1 MB\n", (unsigned int)msg.sct.length); + return FALSE; + } + buffer = malloc((uint64_t)msg.sct.length+1); if (!ReadFromRFBServer(client, buffer, msg.sct.length)) { debian/patches/CVE-2018-20748/CVE-2018-20748-3.patch0000644000000000000000000000232013424372100015145 0ustar Backport of: From c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 Mon Sep 17 00:00:00 2001 From: Christian Beier Date: Sun, 6 Jan 2019 14:20:37 +0100 Subject: [PATCH] LibVNCClient: fail on server-sent desktop name lengths longer than 1MB re #273 --- libvncclient/rfbproto.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) Index: libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c =================================================================== --- libvncserver-0.9.9+dfsg.orig/libvncclient/rfbproto.c 2019-01-30 13:58:46.437795526 -0500 +++ libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c 2019-01-30 13:59:49.189992278 -0500 @@ -1257,6 +1257,11 @@ InitialiseRFBConnection(rfbClient* clien client->si.format.blueMax = rfbClientSwap16IfLE(client->si.format.blueMax); client->si.nameLength = rfbClientSwap32IfLE(client->si.nameLength); + if (client->si.nameLength > 1<<20) { + rfbClientErr("Too big desktop name length sent by server: %u B > 1 MB\n", (unsigned int)client->si.nameLength); + return FALSE; + } + client->desktopName = malloc(client->si.nameLength + 1); if (!client->desktopName) { rfbClientLog("Error allocating memory for desktop name, %lu bytes\n", debian/patches/CVE-2018-20019/0000755000000000000000000000000013424365116012300 5ustar debian/patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch0000644000000000000000000000423013413154075025642 0ustar 
From: Christian Beier Date: Sat, 29 Sep 2018 22:28:57 +0200 Subject: LibVNCClient: fix three possible heap buffer overflows Origin: https://github.com/LibVNC/libvncserver/commit/a83439b9fbe0f03c48eb94ed05729cb016f8b72f Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20019 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/247 An attacker could feed `0xffffffff`, causing a `malloc(0)` for the buffers which are subsequently written to. Closes #247 --- libvncclient/rfbproto.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c index 8d6a4c1f0d9d..ac2a983597e4 100644 --- a/libvncclient/rfbproto.c +++ b/libvncclient/rfbproto.c @@ -433,7 +433,7 @@ rfbHandleAuthResult(rfbClient* client) /* we have an error following */ if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE; reasonLen = rfbClientSwap32IfLE(reasonLen); - reason = malloc(reasonLen+1); + reason = malloc((uint64_t)reasonLen+1); if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; } reason[reasonLen]=0; rfbClientLog("VNC connection failed: %s\n",reason); @@ -461,7 +461,7 @@ ReadReason(rfbClient* client) /* we have an error following */ if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return; reasonLen = rfbClientSwap32IfLE(reasonLen); - reason = malloc(reasonLen+1); + reason = malloc((uint64_t)reasonLen+1); if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; } reason[reasonLen]=0; rfbClientLog("VNC connection failed: %s\n",reason); 
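Review bot: Casting to `uint64_t` inside the `malloc` argument in `ReadReason` only helps where `size_t` is 64 bits wide; on a 32-bit build `(uint64_t)reasonLen+1` is converted back to a 32-bit `size_t`, so a `reasonLen` of `0xffffffff` still yields `malloc(0)` followed by the write at `reason[reasonLen]`. Reject oversized lengths before allocating and check the `malloc` result for NULL, both here and in `rfbHandleAuthResult` in the previous hunk.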
@@ -2187,10 +2187,12 @@ HandleRFBServerMessage(rfbClient* client) msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); - buffer = malloc(msg.sct.length+1); + buffer = malloc((uint64_t)msg.sct.length+1); - if (!ReadFromRFBServer(client, buffer, msg.sct.length)) + if (!ReadFromRFBServer(client, buffer, msg.sct.length)) { + free(buffer); return FALSE; + } buffer[msg.sct.length] = 0; -- 2.20.1 debian/patches/CVE-2018-20750/0000755000000000000000000000000013424365110012274 5ustar debian/patches/CVE-2018-20750/CVE-2018-20750.patch0000644000000000000000000000367513424362637015023 0ustar Backport of: From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Mon, 7 Jan 2019 10:40:01 +0100 Subject: [PATCH] Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer() This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap out-of-bound write access in rfbProcessFileTransferReadBuffer() when reading a transfered file content in a server. The former fix did not work on platforms with a 32-bit int type (expected by rfbReadExact()). CVE-2018-15127 --- libvncserver/rfbserver.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) Index: libvncserver-0.9.11+dfsg/libvncserver/rfbserver.c =================================================================== --- libvncserver-0.9.11+dfsg.orig/libvncserver/rfbserver.c 2019-01-30 12:57:12.370036015 -0500 +++ libvncserver-0.9.11+dfsg/libvncserver/rfbserver.c 2019-01-30 12:57:31.286072659 -0500 @@ -87,6 +87,8 @@ #include /* PRIu32 */ #include +/* INT_MAX */ +#include #ifdef LIBVNCSERVER_WITH_WEBSOCKETS #include "rfbssl.h" 
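Review bot: In the HandleRFBServerMessage hunk of the heap-overflow fix (@@ -2187), buffer is handed to ReadFromRFBServer() and then indexed at buffer[msg.sct.length] without checking that malloc() succeeded, and a server-chosen 32-bit length can make that allocation fail. Add a NULL check with a log line and `return FALSE` before the read. The free(buffer) added on the read-failure path looks right.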
@@ -1468,8 +1470,11 @@ char *rfbProcessFileTransferReadBuffer(r 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF will safely be allocated since this check will never trigger and malloc() can digest length+1 without problems as length is a uint32_t. + We also later pass length to rfbReadExact() that expects a signed int type and + that might wrap on platforms with a 32-bit int type if length is bigger + than 0X7FFFFFFF. */ - if(length == SIZE_MAX) { + if(length == SIZE_MAX || length > INT_MAX) { rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); rfbCloseClient(cl); return NULL; debian/patches/CVE-2018-15126/0000755000000000000000000000000013424365117012304 5ustar debian/patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch0000644000000000000000000000412413413154075026005 0ustar From: Christian Beier Date: Sun, 21 Oct 2018 23:59:39 +0200 Subject: [3/5] tightvnc-filetransfer: wait for download thread end in CloseUndoneFileDownload() Origin: https://github.com/LibVNC/libvncserver/commit/73cb96fec028a576a5a24417b57723b55854ad7b Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15126 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/242 ...and use it when deregistering the file transfer extension. Closes #242 --- libvncserver/tightvnc-filetransfer/filetransfermsg.c | 2 ++ libvncserver/tightvnc-filetransfer/rfbtightserver.c | 7 +++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.c b/libvncserver/tightvnc-filetransfer/filetransfermsg.c index f674b9283126..0003b11f6f50 100644 --- a/libvncserver/tightvnc-filetransfer/filetransfermsg.c +++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.c 
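Review bot: In rfbProcessFileTransferReadBuffer() (@@ -1468), the `length == SIZE_MAX` clause is redundant once `length > INT_MAX` is added. The comment states that length is a uint32_t, so it can never equal SIZE_MAX on 64-bit systems, and where SIZE_MAX is 0XFFFFFFFF that value is already above the 0X7FFFFFFF bound the comment gives for a 32-bit int. Suggest dropping the first clause and trimming the comment so it describes only the INT_MAX bound.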
@@ -770,6 +770,8 @@ CloseUndoneFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp) if(rtcp->rcft.rcfd.downloadInProgress == TRUE) { rtcp->rcft.rcfd.downloadInProgress = FALSE; + /* the thread will return if downloadInProgress is FALSE */ + pthread_join(rtcp->rcft.rcfd.downloadThread, NULL); if(rtcp->rcft.rcfd.downloadFD != -1) { close(rtcp->rcft.rcfd.downloadFD); diff --git a/libvncserver/tightvnc-filetransfer/rfbtightserver.c b/libvncserver/tightvnc-filetransfer/rfbtightserver.c index 67d4cb545fad..651d8fb7e75f 100644 --- a/libvncserver/tightvnc-filetransfer/rfbtightserver.c +++ b/libvncserver/tightvnc-filetransfer/rfbtightserver.c @@ -26,6 +26,7 @@ #include #include "rfbtightproto.h" #include "handlefiletransferrequest.h" +#include "filetransfermsg.h" /* * Get my data! @@ -448,9 +449,11 @@ rfbTightExtensionMsgHandler(struct _rfbClientRec* cl, void* data, void rfbTightExtensionClientClose(rfbClientPtr cl, void* data) { - if(data != NULL) + if(data != NULL) { + CloseUndoneFileUpload(cl, data); + CloseUndoneFileDownload(cl, data); free(data); - + } } void -- 2.20.1 debian/patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch0000644000000000000000000000241313413154075026017 0ustar From: Christian Beier Date: Mon, 22 Oct 2018 00:39:50 +0200 Subject: [4/5] tightvnc-filetransfer: when creating a new download thread, make sure the previous one ends Origin: https://github.com/LibVNC/libvncserver/commit/2d939267a176bf4976dbad36399638956ad8cc34 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15126 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/242 re #242 --- libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c index 31163d0f62f3..70e105f45adb 100644 
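Review bot: The pthread_join() added to CloseUndoneFileDownload() in 3/5 can be reached from the download thread itself, because 2/5 makes RunFileDownloadThread() call CloseUndoneFileDownload(cl, rtcp) on a write error and that call is only removed in 5/5. A thread joining itself either fails with EDEADLK or hangs, so fold the 5/5 removal into this patch or guard the join with a pthread_equal() check against pthread_self(). HandleFileDownloadCancelRequest() also calls this function with fileDownloadMutex held, so confirm the download thread never takes that mutex, and check the return value of pthread_join().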
--- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c @@ -517,8 +517,7 @@ HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp) FreeFileTransferMsg(fileDownloadMsg); return; } - rtcp->rcft.rcfd.downloadInProgress = FALSE; - rtcp->rcft.rcfd.downloadFD = -1; + CloseUndoneFileDownload(cl, rtcp); if(pthread_create(&rtcp->rcft.rcfd.downloadThread, NULL, RunFileDownloadThread, (void*) cl) != 0) { -- 2.20.1 debian/patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch0000644000000000000000000001046213413154075026211 0ustar From: Christian Beier Date: Sun, 21 Oct 2018 23:44:39 +0200 Subject: [2/5] tightvnc-filetransfer: refactor CloseUndoneFileTransfer() into two functions Origin: https://github.com/LibVNC/libvncserver/commit/f8912fee5a58fb3975eda2589f6d4686f0c1ae68 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15126 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/242 ...for closing upload and download separately. re #242 --- libvncserver/tightvnc-filetransfer/filetransfermsg.c | 12 ++++++++++-- libvncserver/tightvnc-filetransfer/filetransfermsg.h | 3 ++- .../handlefiletransferrequest.c | 8 ++++---- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.c b/libvncserver/tightvnc-filetransfer/filetransfermsg.c index 5f84e7f3d323..f674b9283126 100644 --- a/libvncserver/tightvnc-filetransfer/filetransfermsg.c +++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.c @@ -672,7 +672,7 @@ ChkFileUploadWriteErr(rfbClientPtr cl, rfbTightClientPtr rtcp, char* pBuf) char reason[] = "Error writing file data"; int reasonLen = strlen(reason); ftm = CreateFileUploadErrMsg(reason, reasonLen); - CloseUndoneFileTransfer(cl, rtcp); + CloseUndoneFileUpload(cl, rtcp); } return ftm; } 
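Review bot: In HandleFileDownload() (4/5, @@ -517), the removed lines reset downloadInProgress and downloadFD unconditionally, while CloseUndoneFileDownload() as shown in 3/5 only touches them inside `if(rtcp->rcft.rcfd.downloadInProgress == TRUE)`. Confirm that downloadFD is initialised to -1 somewhere else for a client's first download. The call can now also block the message handler in pthread_join() until the previous thread exits, which deserves a sentence in the commit message.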
@@ -735,7 +735,7 @@ CreateFileUploadErrMsg(char* reason, unsigned int reasonLen) ******************************************************************************/ void -CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr rtcp) +CloseUndoneFileUpload(rfbClientPtr cl, rfbTightClientPtr rtcp) { /* TODO :: File Upload case is not handled currently */ /* TODO :: In case of concurrency we need to use Critical Section */ @@ -759,6 +759,14 @@ CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr rtcp) memset(rtcp->rcft.rcfu.fName, 0 , PATH_MAX); } +} + + +void +CloseUndoneFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp) +{ + if(cl == NULL) + return; if(rtcp->rcft.rcfd.downloadInProgress == TRUE) { rtcp->rcft.rcfd.downloadInProgress = FALSE; diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.h b/libvncserver/tightvnc-filetransfer/filetransfermsg.h index 3b27bd04d3f0..bbb9148db4d6 100644 --- a/libvncserver/tightvnc-filetransfer/filetransfermsg.h +++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.h @@ -51,7 +51,8 @@ FileTransferMsg ChkFileUploadWriteErr(rfbClientPtr cl, rfbTightClientPtr data, c void CreateDirectory(char* dirName); void FileUpdateComplete(rfbClientPtr cl, rfbTightClientPtr data); -void CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr data); +void CloseUndoneFileUpload(rfbClientPtr cl, rfbTightClientPtr data); +void CloseUndoneFileDownload(rfbClientPtr cl, rfbTightClientPtr data); void FreeFileTransferMsg(FileTransferMsg ftm); diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c index 8e38f8880f5b..31163d0f62f3 100644 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c 
@@ -492,7 +492,7 @@ RunFileDownloadThread(void* client) if(cl != NULL) { rfbCloseClient(cl); - CloseUndoneFileTransfer(cl, rtcp); + CloseUndoneFileDownload(cl, rtcp); } FreeFileTransferMsg(fileDownloadMsg); @@ -592,7 +592,7 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl, rfbTightClientPtr rtcp) " reason <%s>\n", __FILE__, __FUNCTION__, reason); pthread_mutex_lock(&fileDownloadMutex); - CloseUndoneFileTransfer(cl, rtcp); + CloseUndoneFileDownload(cl, rtcp); pthread_mutex_unlock(&fileDownloadMutex); if(reason != NULL) { @@ -835,7 +835,7 @@ HandleFileUploadDataRequest(rfbClientPtr cl, rfbTightClientPtr rtcp) FreeFileTransferMsg(ftm); } - CloseUndoneFileTransfer(cl, rtcp); + CloseUndoneFileUpload(cl, rtcp); if(pBuf != NULL) { free(pBuf); @@ -935,7 +935,7 @@ HandleFileUploadFailedRequest(rfbClientPtr cl, rfbTightClientPtr rtcp) rfbLog("File [%s]: Method [%s]: File Upload Failed Request received:" " reason <%s>\n", __FILE__, __FUNCTION__, reason); - CloseUndoneFileTransfer(cl, rtcp); + CloseUndoneFileUpload(cl, rtcp); if(reason != NULL) { free(reason); -- 2.20.1 debian/patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch0000644000000000000000000000256013413154075026106 0ustar From: Christian Beier Date: Sat, 10 Nov 2018 17:33:00 +0100 Subject: [5/5] tightvnc-filetransfer: do not close stuff from within a thread Origin: https://github.com/LibVNC/libvncserver/commit/495ffa3f3a213ab058eee1d7da48fa5ef71914d8 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15126 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/242 ... as this crashes badly and the client is closed by the main thread machinery afterwards. re #242 --- .../tightvnc-filetransfer/handlefiletransferrequest.c | 6 ------ 1 file changed, 6 deletions(-) 
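Review bot: After the rename in 2/5, CloseUndoneFileUpload() still opens with the comment "TODO :: File Upload case is not handled currently", which now sits on the function that handles exactly the upload case; update or drop it. The new CloseUndoneFileDownload() returns early when cl is NULL but dereferences rtcp unchecked, so an rtcp check there would make the function safe regardless of the caller.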
diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c index 70e105f45adb..71fb08512470 100644 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c @@ -489,12 +489,6 @@ RunFileDownloadThread(void* client) if(rfbWriteExact(cl, fileDownloadMsg.data, fileDownloadMsg.length) < 0) { rfbLog("File [%s]: Method [%s]: Error while writing to socket \n" , __FILE__, __FUNCTION__); - - if(cl != NULL) { - rfbCloseClient(cl); - CloseUndoneFileDownload(cl, rtcp); - } - FreeFileTransferMsg(fileDownloadMsg); return NULL; } -- 2.20.1 debian/patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch0000644000000000000000000000412113413154075026013 0ustar From: Christian Beier Date: Sun, 21 Oct 2018 23:38:40 +0200 Subject: [1/5] tightvnc-filetransfer: tie the download thread to the control structure Origin: https://github.com/LibVNC/libvncserver/commit/89419fb1a0cef42b63528e6930f4e545cfef4c95 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15126 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/242 re #242 --- libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c | 3 +-- libvncserver/tightvnc-filetransfer/rfbtightproto.h | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c index 0473783164f2..8e38f8880f5b 100644 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c 
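Review bot: With this block removed in 5/5, the write-error path in RunFileDownloadThread() returns with downloadInProgress still set and downloadFD still open, relying on the main thread to call CloseUndoneFileDownload() afterwards. Put a short comment at the `return NULL` saying that cleanup is deliberately left to the main thread, so nobody re-adds the close inside the thread.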
@@ -508,7 +508,6 @@ RunFileDownloadThread(void* client) void HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp) { - pthread_t fileDownloadThread; FileTransferMsg fileDownloadMsg; memset(&fileDownloadMsg, 0, sizeof(FileTransferMsg)); @@ -521,7 +520,7 @@ HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp) rtcp->rcft.rcfd.downloadInProgress = FALSE; rtcp->rcft.rcfd.downloadFD = -1; - if(pthread_create(&fileDownloadThread, NULL, RunFileDownloadThread, (void*) + if(pthread_create(&rtcp->rcft.rcfd.downloadThread, NULL, RunFileDownloadThread, (void*) cl) != 0) { FileTransferMsg ftm = GetFileDownLoadErrMsg(); diff --git a/libvncserver/tightvnc-filetransfer/rfbtightproto.h b/libvncserver/tightvnc-filetransfer/rfbtightproto.h index d0fe642ecfa3..30fc5f5413aa 100644 --- a/libvncserver/tightvnc-filetransfer/rfbtightproto.h +++ b/libvncserver/tightvnc-filetransfer/rfbtightproto.h @@ -148,6 +148,7 @@ typedef struct _rfbClientFileDownload { int downloadInProgress; unsigned long mTime; int downloadFD; + pthread_t downloadThread; } rfbClientFileDownload ; typedef struct _rfbClientFileUpload { -- 2.20.1 debian/patches/CVE-2018-7225.patch0000644000000000000000000000461013257446672013261 0ustar From 28afb6c537dc82ba04d5f245b15ca7205c6dbb9c Mon Sep 17 00:00:00 2001 
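Review bot: The downloadThread field added to rfbClientFileDownload in 1/5 has no comment saying when it holds a valid thread id. pthread_t has no portable invalid value, and in these hunks the field is written only by pthread_create() in HandleFileDownload(), so document that it is meaningful only while downloadInProgress is TRUE and make sure the failed pthread_create() branch leaves that flag FALSE.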
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Mon, 26 Feb 2018 13:48:00 +0100 Subject: [PATCH] Limit client cut text length to 1 MB This patch constrains a client cut text length to 1 MB. Otherwise a client could make server allocate 2 GB of memory and that seems to be to much to classify it as a denial of service. The limit also prevents from an integer overflow followed by copying an uninitilized memory when processing msg.cct.length value larger than SIZE_MAX or INT_MAX - sz_rfbClientCutTextMsg. This patch also corrects accepting length value of zero (malloc(0) is interpreted on differnet systems differently). CVE-2018-7225 --- libvncserver/rfbserver.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c =================================================================== --- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c 2018-03-30 10:46:15.898988584 -0400 +++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c 2018-03-30 10:46:15.898988584 -0400 @@ -74,6 +74,8 @@ #include /* strftime() */ #include +/* PRIu32 */ +#include #ifdef LIBVNCSERVER_WITH_WEBSOCKETS #include "rfbssl.h" 
@@ -2487,7 +2489,23 @@ rfbProcessClientNormalMessage(rfbClientP msg.cct.length = Swap32IfLE(msg.cct.length); - str = (char *)malloc(msg.cct.length); + /* uint32_t input is passed to malloc()'s size_t argument, + * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int + * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int + * argument. Here we impose a limit of 1 MB so that the value fits + * into all of the types to prevent from misinterpretation and thus + * from accessing uninitialized memory (CVE-2018-7225) and also to + * prevent from a denial-of-service by allocating to much memory in + * the server. */ + if (msg.cct.length > 1<<20) { + rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", + msg.cct.length); + rfbCloseClient(cl); + return; + } + + /* Allow zero-length client cut text. */ + str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1); if (str == NULL) { rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); rfbCloseClient(cl); debian/patches/CVE-2018-20749/0000755000000000000000000000000013424365111012305 5ustar debian/patches/CVE-2018-20749/CVE-2018-20749.patch0000644000000000000000000000317313424362562015031 0ustar From 15bb719c03cc70f14c36a843dcb16ed69b405707 Mon Sep 17 00:00:00 2001 From: Christian Beier Date: Sun, 6 Jan 2019 15:13:56 +0100 Subject: [PATCH] Error out in rfbProcessFileTransferReadBuffer if length can not be allocated re #273 --- libvncserver/rfbserver.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) Index: libvncserver-0.9.11+dfsg/libvncserver/rfbserver.c =================================================================== --- libvncserver-0.9.11+dfsg.orig/libvncserver/rfbserver.c 2019-01-30 12:57:04.062020032 -0500 +++ libvncserver-0.9.11+dfsg/libvncserver/rfbserver.c 2019-01-30 12:57:04.058020025 -0500 
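Review bot: In rfbProcessClientNormalMessage() (@@ -2487), the 1 MB limit is written as the bare literal `1<<20` inside the comparison; a named macro with parentheses around the shift would document it and make it easy to keep in step with the matching client-side limits. The added comment also has wording slips worth fixing while here: "allocating to much memory" should read "too much", and "increased of sz_rfbClientCutTextMsg" should read "increased by".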
@@ -1462,11 +1462,21 @@ char *rfbProcessFileTransferReadBuffer(r int n=0; FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL); + /* - rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length); + We later alloc length+1, which might wrap around on 32-bit systems if length equals + 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF + will safely be allocated since this check will never trigger and malloc() can digest length+1 + without problems as length is a uint32_t. */ + if(length == SIZE_MAX) { + rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); + rfbCloseClient(cl); + return NULL; + } + if (length>0) { - buffer=malloc((uint64_t)length+1); + buffer=malloc((size_t)length+1); if (buffer!=NULL) { if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) { if (n != 0) debian/patches/CVE-2016-9942.patch0000644000000000000000000000360313033712066013251 0ustar From 5fff4353f66427b467eb29e5fdc1da4f2be028bb Mon Sep 17 00:00:00 2001 From: Josef Gajdusek Date: Mon, 14 Nov 2016 12:38:05 +0100 Subject: [PATCH] Fix heap overflow in the ultra.c decoder The Ultra type tile decoder does not use the _safe variant of the LZO decompress function, which allows a maliciuous server to overwrite parts of the heap by sending a larger-than-specified LZO data stream. --- libvncclient/ultra.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libvncclient/ultra.c b/libvncclient/ultra.c index dac89b5..32a1b2b 100644 --- a/libvncclient/ultra.c +++ b/libvncclient/ultra.c 
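Review bot: The rfbErr() format string in the new length check of rfbProcessFileTransferReadBuffer() (@@ -1462) has no trailing "\n", unlike the rfbClientErr() and rfbLog() calls added by the other patches, so the next log line will run on. The check also rejects only the single value SIZE_MAX, while the same length is passed to rfbReadExact() a few lines later; lengths above INT_MAX still get through here, which is what the later INT_MAX amendment on this page addresses.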
@@ -86,14 +86,14 @@ HandleUltraBPP (rfbClient* client, int rx, int ry, int rw, int rh) /* uncompress the data */ uncompressedBytes = client->raw_buffer_size; - inflateResult = lzo1x_decompress( + inflateResult = lzo1x_decompress_safe( (lzo_byte *)client->ultra_buffer, toRead, (lzo_byte *)client->raw_buffer, (lzo_uintp) &uncompressedBytes, NULL); - + /* Note that uncompressedBytes will be 0 on output overrun */ if ((rw * rh * (BPP / 8)) != uncompressedBytes) - rfbClientLog("Ultra decompressed too little (%d < %d)", (rw * rh * (BPP / 8)), uncompressedBytes); + rfbClientLog("Ultra decompressed unexpected amount of data (%d != %d)\n", (rw * rh * (BPP / 8)), uncompressedBytes); /* Put the uncompressed contents of the update on the screen. */ if ( inflateResult == LZO_E_OK ) @@ -168,7 +168,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) /* uncompress the data */ uncompressedBytes = client->raw_buffer_size; - inflateResult = lzo1x_decompress( + inflateResult = lzo1x_decompress_safe( (lzo_byte *)client->ultra_buffer, toRead, (lzo_byte *)client->raw_buffer, &uncompressedBytes, NULL); if ( inflateResult != LZO_E_OK ) debian/patches/CVE-2014-6055.patch0000644000000000000000000001344512411033533013236 0ustar Description: fix denial of service and possible code execution via stack overflows in File Transfer feature Origin: backport, https://github.com/newsoft/libvncserver/commit/06ccdf016154fde8eccb5355613ba04c59127b2e Origin: backport, https://github.com/newsoft/libvncserver/commit/f528072216dec01cee7ca35d94e171a3b909e677 Origin: backport, https://github.com/newsoft/libvncserver/commit/256964b884c980038cd8b2f0d180fbb295b1c748 Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c =================================================================== --- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c 2014-09-25 11:20:22.972070915 -0400 +++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c 2014-09-25 11:20:40.368071381 -0400 
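Review bot: In HandleUltraBPP() (@@ -86), a size mismatch after lzo1x_decompress_safe() is only logged, and when inflateResult is LZO_E_OK the following block still puts raw_buffer on the screen even though fewer bytes than rw * rh * (BPP / 8) were produced. Suggest returning FALSE on a mismatch. The rfbClientLog() call prints uncompressedBytes with %d, and the (lzo_uintp) cast on its address suggests it is not declared as an int, so the format specifier should be matched to its declared type.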
@@ -1237,21 +1237,35 @@ #define RFB_FILE_ATTRIBUTE_TEMPORARY 0x100 #define RFB_FILE_ATTRIBUTE_COMPRESSED 0x800 -rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, char *path, char *unixPath) +rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, /* in */ char *path, /* out */ char *unixPath, size_t unixPathMaxLen ) { int x; char *home=NULL; FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, FALSE); + /* + * Do not use strncpy() - truncating the file name would probably have undesirable side effects + * Instead check if destination buffer is big enough + */ + + if (strlen(path) >= unixPathMaxLen) + return FALSE; + /* C: */ if (path[0]=='C' && path[1]==':') + { strcpy(unixPath, &path[2]); + } else { home = getenv("HOME"); if (home!=NULL) { + /* Re-check buffer size */ + if ((strlen(path) + strlen(home) + 1) >= unixPathMaxLen) + return FALSE; + strcpy(unixPath, home); strcat(unixPath,"/"); strcat(unixPath, path); @@ -1289,7 +1303,8 @@ FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, FALSE); /* Client thinks we are Winblows */ - rfbFilenameTranslate2UNIX(cl, buffer, path); + if (!rfbFilenameTranslate2UNIX(cl, buffer, path, sizeof(path))) + return FALSE; if (DB) rfbLog("rfbProcessFileTransfer() rfbDirContentRequest: rfbRDirContent: \"%s\"->\"%s\"\n",buffer, path); @@ -1566,7 +1581,9 @@ /* add some space to the end of the buffer as we will be adding a timespec to it */ if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE; /* The client requests a File */ - rfbFilenameTranslate2UNIX(cl, buffer, filename1); + if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) + goto fail; + cl->fileTransfer.fd=open(filename1, O_RDONLY, 0744); /* 
@@ -1660,16 +1677,17 @@ */ if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE; - /* Parse the FileTime */ + /* Parse the FileTime + * TODO: FileTime is actually never used afterwards + */ p = strrchr(buffer, ','); if (p!=NULL) { *p = '\0'; - strcpy(szFileTime, p+1); + strncpy(szFileTime, p+1, sizeof(szFileTime)); + szFileTime[sizeof(szFileTime)-1] = '\x00'; /* ensure NULL terminating byte is present, even if copy overflowed */ } else szFileTime[0]=0; - - /* Need to read in sizeHtmp */ if ((n = rfbReadExact(cl, (char *)&sizeHtmp, 4)) <= 0) { if (n != 0) @@ -1681,7 +1699,8 @@ } sizeHtmp = Swap32IfLE(sizeHtmp); - rfbFilenameTranslate2UNIX(cl, buffer, filename1); + if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) + goto fail; /* If the file exists... We can send a rfbFileChecksums back to the client before we send an rfbFileAcceptHeader */ /* TODO: Delta Transfer */ @@ -1810,7 +1829,9 @@ if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE; switch (contentParam) { case rfbCDirCreate: /* Client requests the creation of a directory */ - rfbFilenameTranslate2UNIX(cl, buffer, filename1); + if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) + goto fail; + retval = mkdir(filename1, 0755); if (DB) rfbLog("rfbProcessFileTransfer() rfbCommand: rfbCDirCreate(\"%s\"->\"%s\") %s\n", buffer, filename1, (retval==-1?"Failed":"Success")); /* @@ -1819,7 +1840,9 @@ if (buffer!=NULL) free(buffer); return retval; case rfbCFileDelete: /* Client requests the deletion of a file */ - rfbFilenameTranslate2UNIX(cl, buffer, filename1); + if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) + goto fail; + if (stat(filename1,&statbuf)==0) { if (S_ISDIR(statbuf.st_mode)) 
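Review bot: Every updated rfbFilenameTranslate2UNIX() call passes sizeof(path), sizeof(filename1) or sizeof(filename2) as unixPathMaxLen, which equals the buffer size only if those names are arrays declared in the calling function; the declarations are outside these hunks, so please confirm none of them is a pointer. In the rfbDirContentRequest hunk the failure path is a bare `return FALSE`, while the other call sites use `goto fail` to free buffer; check that nothing allocated is leaked on that path.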
@@ -1837,8 +1860,12 @@ { /* Split into 2 filenames ('*' is a seperator) */ *p = '\0'; - rfbFilenameTranslate2UNIX(cl, buffer, filename1); - rfbFilenameTranslate2UNIX(cl, p+1, filename2); + if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) + goto fail; + + if (!rfbFilenameTranslate2UNIX(cl, p+1, filename2, sizeof(filename2))) + goto fail; + retval = rename(filename1,filename2); if (DB) rfbLog("rfbProcessFileTransfer() rfbCommand: rfbCFileRename(\"%s\"->\"%s\" -->> \"%s\"->\"%s\") %s\n", buffer, filename1, p+1, filename2, (retval==-1?"Failed":"Success")); /* @@ -1858,6 +1885,10 @@ /* NOTE: don't forget to free(buffer) if you return early! */ if (buffer!=NULL) free(buffer); return TRUE; + +fail: + if (buffer!=NULL) free(buffer); + return FALSE; } /* debian/patches/no_x11vnc_subdir.patch0000644000000000000000000003206311751317566015042 0ustar Description: Do not build x11vnc Author: Luca Falavigna Index: libvncserver/Makefile.am =================================================================== --- libvncserver.orig/Makefile.am 2012-05-05 14:11:54.881069520 +0200 +++ libvncserver/Makefile.am 2012-05-05 14:13:47.061072956 +0200 @@ -1,8 +1,4 @@ -if WITH_X11VNC -X11VNC=x11vnc -endif - -SUBDIRS=libvncserver examples libvncclient vncterm client_examples test $(X11VNC) +SUBDIRS=libvncserver examples libvncclient vncterm client_examples test DIST_SUBDIRS=libvncserver examples libvncclient vncterm client_examples test EXTRA_DIST = CMakeLists.txt rfb/rfbint.h.cmake rfb/rfbconfig.h.cmake Index: libvncserver/configure.ac =================================================================== --- libvncserver.orig/configure.ac 2012-05-05 14:11:54.881069520 +0200 +++ libvncserver/configure.ac 2012-05-05 14:16:43.925078374 +0200 
@@ -153,60 +153,6 @@ else build_x11vnc="no" fi - -# x11vnc only: -if test "$build_x11vnc" = "yes"; then - -AH_TEMPLATE(HAVE_XSHM, [MIT-SHM extension build environment present]) -AH_TEMPLATE(HAVE_XTEST, [XTEST extension build environment present]) -AH_TEMPLATE(HAVE_XTESTGRABCONTROL, [XTEST extension has XTestGrabControl]) -AH_TEMPLATE(HAVE_XKEYBOARD, [XKEYBOARD extension build environment present]) -AH_TEMPLATE(HAVE_LIBXINERAMA, [XINERAMA extension build environment present]) -AH_TEMPLATE(HAVE_LIBXRANDR, [XRANDR extension build environment present]) -AH_TEMPLATE(HAVE_LIBXFIXES, [XFIXES extension build environment present]) -AH_TEMPLATE(HAVE_LIBXDAMAGE, [XDAMAGE extension build environment present]) -AH_TEMPLATE(HAVE_LIBXTRAP, [DEC-XTRAP extension build environment present]) -AH_TEMPLATE(HAVE_RECORD, [RECORD extension build environment present]) -AH_TEMPLATE(HAVE_SOLARIS_XREADSCREEN, [Solaris XReadScreen available]) -AH_TEMPLATE(HAVE_IRIX_XREADDISPLAY, [IRIX XReadDisplay available]) -AH_TEMPLATE(HAVE_FBPM, [FBPM extension build environment present]) -AH_TEMPLATE(HAVE_DPMS, [DPMS extension build environment present]) -AH_TEMPLATE(HAVE_LINUX_VIDEODEV_H, [video4linux build environment present]) -AH_TEMPLATE(HAVE_LINUX_FB_H, [linux fb device build environment present]) -AH_TEMPLATE(HAVE_LINUX_INPUT_H, [linux/input.h present]) -AH_TEMPLATE(HAVE_LINUX_UINPUT_H, [linux uinput device build environment present]) -AH_TEMPLATE(HAVE_MACOSX_NATIVE_DISPLAY, [build MacOS X native display support]) -AH_TEMPLATE(HAVE_MACOSX_OPENGL_H, [MacOS X OpenGL present]) - -AC_ARG_WITH(xkeyboard, -[ --without-xkeyboard disable xkeyboard extension support],,) -AC_ARG_WITH(xinerama, -[ --without-xinerama disable xinerama extension support],,) -AC_ARG_WITH(xrandr, -[ --without-xrandr disable xrandr extension support],,) -AC_ARG_WITH(xfixes, -[ --without-xfixes disable xfixes extension support],,) -AC_ARG_WITH(xdamage, -[ --without-xdamage disable xdamage extension support],,) -AC_ARG_WITH(xtrap, -[ 
--without-xtrap disable xtrap extension support],,) -AC_ARG_WITH(xrecord, -[ --without-xrecord disable xrecord extension support],,) -AC_ARG_WITH(fbpm, -[ --without-fbpm disable fbpm extension support],,) -AC_ARG_WITH(dpms, -[ --without-dpms disable dpms extension support],,) -AC_ARG_WITH(v4l, -[ --without-v4l disable video4linux support],,) -AC_ARG_WITH(fbdev, -[ --without-fbdev disable linux fb device support],,) -AC_ARG_WITH(uinput, -[ --without-uinput disable linux uinput device support],,) -AC_ARG_WITH(macosx-native, -[ --without-macosx-native disable MacOS X native display support],,) - -fi -# end x11vnc only. if test "x$with_x" = "xno"; then HAVE_X11="false" 
@@ -214,221 +160,11 @@ AC_CHECK_LIB(X11, XGetImage, [AC_DEFINE(HAVE_X11) HAVE_X11="true"], HAVE_X11="false", $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - - # x11vnc only: - if test $HAVE_X11 = "true" -a "$build_x11vnc" = "yes"; then - X_PRELIBS="$X_PRELIBS -lXext" - - AC_CHECK_LIB(Xext, XShmGetImage, - [AC_DEFINE(HAVE_XSHM)], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - - AC_CHECK_LIB(Xext, XReadScreen, - [AC_DEFINE(HAVE_SOLARIS_XREADSCREEN)], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - - AC_CHECK_HEADER(X11/extensions/readdisplay.h, - [AC_DEFINE(HAVE_IRIX_XREADDISPLAY)], , - [#include ]) - - if test "x$with_fbpm" != "xno"; then - AC_CHECK_LIB(Xext, FBPMForceLevel, - [AC_DEFINE(HAVE_FBPM)], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - fi - - if test "x$with_dpms" != "xno"; then - AC_CHECK_LIB(Xext, DPMSForceLevel, - [AC_DEFINE(HAVE_DPMS)], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - fi - - AC_CHECK_LIB(Xtst, XTestGrabControl, - X_PRELIBS="-lXtst $X_PRELIBS" - [AC_DEFINE(HAVE_XTESTGRABCONTROL) HAVE_XTESTGRABCONTROL="true"], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - - AC_CHECK_LIB(Xtst, XTestFakeKeyEvent, - X_PRELIBS="-lXtst $X_PRELIBS" - [AC_DEFINE(HAVE_XTEST) HAVE_XTEST="true"], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - - if test "x$with_xrecord" != "xno"; then - AC_CHECK_LIB(Xtst, XRecordEnableContextAsync, - X_PRELIBS="-lXtst $X_PRELIBS" - [AC_DEFINE(HAVE_RECORD)], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - fi - - # we use XTRAP on X11R5, or user can set X11VNC_USE_XTRAP - if test "x$with_xtrap" != "xno"; then - if test ! 
-z "$X11VNC_USE_XTRAP" -o -z "$HAVE_XTESTGRABCONTROL"; then - AC_CHECK_LIB(XTrap, XETrapSetGrabServer, - X_PRELIBS="$X_PRELIBS -lXTrap" - [AC_DEFINE(HAVE_LIBXTRAP)], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - # tru64 uses libXETrap.so - AC_CHECK_LIB(XETrap, XETrapSetGrabServer, - X_PRELIBS="$X_PRELIBS -lXETrap" - [AC_DEFINE(HAVE_LIBXTRAP)], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - fi - fi - - if test "x$with_xkeyboard" != "xno"; then - saved_CPPFLAGS="$CPPFLAGS" - CPPFLAGS="$CPPFLAGS $X_CFLAGS" - AC_CHECK_HEADER(X11/XKBlib.h, HAVE_XKBLIB_H="true", - HAVE_XKBLIB_H="false", [#include ]) - CPPFLAGS="$saved_CPPFLAGS" - if test $HAVE_XKBLIB_H = "true"; then - AC_CHECK_LIB(X11, XkbSelectEvents, - [AC_DEFINE(HAVE_XKEYBOARD)], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - fi - fi - - if test "x$with_xinerama" != "xno"; then - AC_CHECK_LIB(Xinerama, XineramaQueryScreens, - X_PRELIBS="$X_PRELIBS -lXinerama" - [AC_DEFINE(HAVE_LIBXINERAMA)], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - fi - - if test "x$with_xrandr" != "xno"; then - AC_CHECK_LIB(Xrandr, XRRSelectInput, - X_PRELIBS="$X_PRELIBS -lXrandr" - [AC_DEFINE(HAVE_LIBXRANDR) HAVE_LIBXRANDR="true"], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - fi - - if test "x$with_xfixes" != "xno"; then - AC_CHECK_LIB(Xfixes, XFixesGetCursorImage, - X_PRELIBS="$X_PRELIBS -lXfixes" - [AC_DEFINE(HAVE_LIBXFIXES) HAVE_LIBXFIXES="true"], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - fi - - if test "x$with_xdamage" != "xno"; then - AC_CHECK_LIB(Xdamage, XDamageQueryExtension, - X_PRELIBS="$X_PRELIBS -lXdamage" - [AC_DEFINE(HAVE_LIBXDAMAGE) HAVE_LIBXDAMAGE="true"], , - $X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS) - fi - - if test ! -z "$HAVE_LIBXFIXES" -o ! -z "$HAVE_LIBXDAMAGE"; then - # need /usr/sfw/lib in RPATH for Solaris 10 and later - case `(uname -sr) 2>/dev/null` in - "SunOS 5"*) X_EXTRA_LIBS="$X_EXTRA_LIBS -R/usr/sfw/lib" ;; - esac - fi - if test ! 
-z "$HAVE_LIBXRANDR"; then - # also need /usr/X11/include for Solaris 10 10/08 and later - case `(uname -sr) 2>/dev/null` in - "SunOS 5"*) CPPFLAGS="$CPPFLAGS -I/usr/X11/include" ;; - esac - fi - - X_LIBS="$X_LIBS $X_PRELIBS -lX11 $X_EXTRA_LIBS" - fi - # end x11vnc only. fi AC_SUBST(X_LIBS) AM_CONDITIONAL(HAVE_X11, test $HAVE_X11 != "false") -# x11vnc only: -if test "$build_x11vnc" = "yes"; then - -if test "x$HAVE_X11" = "xfalse" -a "x$with_x" != "xno"; then - AC_MSG_ERROR([ -========================================================================== -*** A working X window system build environment is required to build *** -x11vnc. Make sure any required X development packages are installed. -If they are installed in non-standard locations, one can use the ---x-includes=DIR and --x-libraries=DIR configure options or set the -CPPFLAGS and LDFLAGS environment variables to indicate where the X -window system header files and libraries may be found. On 64+32 bit -machines you may need to point to lib64 or lib32 directories to pick up -the correct word size. - -If you want to build x11vnc without X support (e.g. for -rawfb use only -or for native Mac OS X), specify the --without-x configure option. -========================================================================== -]) -fi - -if test "x$HAVE_X11" = "xtrue" -a "x$HAVE_XTEST" != "xtrue"; then - AC_MSG_WARN([ -========================================================================== -*** A working build environment for the XTEST extension was not found *** -(libXtst). An x11vnc built this way will be *ONLY BARELY USABLE*. -You will be able to move the mouse but not click or type. There can -also be deadlocks if an application grabs the X server. - -It is recommended that you install the necessary development packages -for XTEST (perhaps it is named something like libxtst-dev) and run -configure again. 
-========================================================================== -]) - sleep 5 -fi - -if test "x$with_v4l" != "xno"; then - AC_CHECK_HEADER(linux/videodev.h, - [AC_DEFINE(HAVE_LINUX_VIDEODEV_H)],,) -fi -if test "x$with_fbdev" != "xno"; then - AC_CHECK_HEADER(linux/fb.h, - [AC_DEFINE(HAVE_LINUX_FB_H)],,) -fi -if test "x$with_uinput" != "xno"; then - AC_CHECK_HEADER(linux/input.h, - [AC_DEFINE(HAVE_LINUX_INPUT_H) HAVE_LINUX_INPUT_H="true"],,) - if test "x$HAVE_LINUX_INPUT_H" = "xtrue"; then - AC_CHECK_HEADER(linux/uinput.h, - [AC_DEFINE(HAVE_LINUX_UINPUT_H)],, [#include ]) - fi -fi - -if test "x$with_macosx_native" != "xno"; then - AC_DEFINE(HAVE_MACOSX_NATIVE_DISPLAY) -fi - -# Check for OS X opengl header -AC_CHECK_HEADER(OpenGL/OpenGL.h, - [AC_DEFINE(HAVE_MACOSX_OPENGL_H) HAVE_MACOSX_OPENGL_H="true"],,) - -AH_TEMPLATE(HAVE_AVAHI, [Avahi/mDNS client build environment present]) -AC_ARG_WITH(avahi, -[ --without-avahi disable support for Avahi/mDNS] -[ --with-avahi=DIR use avahi include/library files in DIR],,) -if test "x$with_avahi" != "xno"; then - printf "checking for avahi... " - if test ! -z "$with_avahi" -a "x$with_avahi" != "xyes"; then - AVAHI_CFLAGS="-I$with_avahi/include" - AVAHI_LIBS="-L$with_avahi/lib -lavahi-common -lavahi-client" - echo "using $with_avahi" - with_avahi=yes - elif pkg-config --atleast-version=0.6.4 avahi-client >/dev/null 2>&1; then - AVAHI_CFLAGS=`pkg-config --cflags avahi-client` - AVAHI_LIBS=`pkg-config --libs avahi-client` - with_avahi=yes - echo yes - else - with_avahi=no - echo no - fi -fi -if test "x$with_avahi" = "xyes"; then - AC_DEFINE(HAVE_AVAHI) - AC_SUBST(AVAHI_CFLAGS) - AC_SUBST(AVAHI_LIBS) -fi - -fi -# end x11vnc only. - # only used in x11vnc/Makefile.am but needs to always be defined: AM_CONDITIONAL(OSX_OPENGL, test "$HAVE_MACOSX_OPENGL_H" = "true") 
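Review bot: The trailing context of this hunk keeps AM_CONDITIONAL(OSX_OPENGL, test "$HAVE_MACOSX_OPENGL_H" = "true"), but the hunk deletes the AC_CHECK_HEADER(OpenGL/OpenGL.h, ...) block, the only place shown that sets HAVE_MACOSX_OPENGL_H, so the conditional can now only evaluate false. Its comment says it is only used in x11vnc/Makefile.am, which this patch stops generating (the last hunk drops the AC_CONFIG_FILES line for x11vnc/Makefile). Either remove the conditional along with the rest of the x11vnc logic, or reword the comment to say it is kept as an always-false stub.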
@@ -873,11 +609,6 @@ AC_HEADER_STDC AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdlib.h string.h sys/socket.h sys/time.h sys/timeb.h syslog.h unistd.h ws2tcpip.h]) -# x11vnc only: -if test "$build_x11vnc" = "yes"; then - AC_CHECK_HEADERS([pwd.h sys/wait.h utmpx.h termios.h sys/ioctl.h sys/stropts.h]) -fi - # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST AC_C_INLINE @@ -919,10 +650,6 @@ fi AC_CHECK_FUNCS([ftime gethostbyname gethostname gettimeofday inet_ntoa memmove memset mmap mkfifo select socket strchr strcspn strdup strerror strstr]) -# x11vnc only: -if test "$build_x11vnc" = "yes"; then - AC_CHECK_FUNCS([setsid setpgrp getpwuid getpwnam getspnam getuid geteuid setuid setgid seteuid setegid initgroups waitpid setutxent grantpt shmat]) -fi # check, if shmget is in cygipc.a AC_CHECK_LIB(cygipc,shmget) 
@@ -975,36 +702,6 @@ test/Makefile libvncserver-config LibVNCServer.spec]) -# -# x11vnc only: -# -if test "$build_x11vnc" = "yes"; then - # - # NOTE: if you are using the LibVNCServer-X.Y.Z.tar.gz source - # tarball and nevertheless want to run autoconf (i.e. aclocal, - # autoheader, automake, autoconf) AGAIN (perhaps you have a - # special target system, e.g. embedded) then you will need to - # comment out the following 'AC_CONFIG_FILES' line to avoid - # automake error messages like: - # - # configure.ac:690: required file `x11vnc/Makefile.in' not found - # - AC_CONFIG_FILES([x11vnc/Makefile x11vnc/misc/Makefile x11vnc/misc/turbovnc/Makefile]) - - if test ! -z "$with_system_libvncserver" -a "x$with_system_libvncserver" != "xno"; then - # need to move local tarball rfb headers aside: - hdrs="rfb.h rfbclient.h rfbproto.h rfbregion.h rfbint.h" - echo "with-system-libvncserver: moving aside headers $hdrs" - for hdr in $hdrs - do - if test -f "rfb/$hdr"; then - echo "with-system-libvncserver: moving rfb/$hdr to rfb/$hdr.ORIG" - mv rfb/$hdr rfb/$hdr.ORIG - fi - done - echo "with-system-libvncserver: *NOTE* move them back manually to start over." - fi -fi AC_CONFIG_COMMANDS([chmod-libvncserver-config],[chmod a+x libvncserver-config]) AC_OUTPUT debian/patches/ignore_webclients.patch0000644000000000000000000000246011751317566015356 0ustar Description: Do not consider webclients directory during build phase Author: Luca Falavigna Index: libvncserver/Makefile.am =================================================================== --- libvncserver.orig/Makefile.am 2012-05-05 12:59:59.840937327 +0200 +++ libvncserver/Makefile.am 2012-05-05 13:43:43.681017709 +0200 
@@ -2,8 +2,8 @@ X11VNC=x11vnc endif -SUBDIRS=libvncserver examples libvncclient vncterm webclients client_examples test $(X11VNC) -DIST_SUBDIRS=libvncserver examples libvncclient vncterm webclients client_examples test +SUBDIRS=libvncserver examples libvncclient vncterm client_examples test $(X11VNC) +DIST_SUBDIRS=libvncserver examples libvncclient vncterm client_examples test EXTRA_DIST = CMakeLists.txt rfb/rfbint.h.cmake rfb/rfbconfig.h.cmake bin_SCRIPTS = libvncserver-config Index: libvncserver/configure.ac =================================================================== --- libvncserver.orig/configure.ac 2012-05-05 12:59:59.856937327 +0200 +++ libvncserver/configure.ac 2012-05-05 13:43:13.749016792 +0200 @@ -970,9 +970,6 @@ examples/Makefile examples/android/Makefile vncterm/Makefile - webclients/Makefile - webclients/java-applet/Makefile - webclients/java-applet/ssl/Makefile libvncclient/Makefile client_examples/Makefile test/Makefile debian/patches/CVE-2018-20023/0000755000000000000000000000000013424371661012275 5ustar debian/patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch0000644000000000000000000000326113424371661025646 0ustar 
From: Christian Beier Date: Sat, 29 Sep 2018 20:55:24 +0200 Subject: When connecting to a repeater, only send initialised string Origin: https://github.com/LibVNC/libvncserver/commit/8b06f835e259652b0ff026898014fc7297ade858 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20023 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/253 Closes #253 --- examples/repeater.c | 10 ++++++++-- libvncclient/rfbproto.c | 8 ++++++-- 2 files changed, 14 insertions(+), 4 deletions(-) Index: libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c =================================================================== --- libvncserver-0.9.9+dfsg.orig/libvncclient/rfbproto.c 2019-01-30 13:57:50.369618633 -0500 +++ libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c 2019-01-30 13:57:50.369618633 -0500 @@ -464,6 +464,7 @@ rfbBool ConnectToRFBRepeater(rfbClient* rfbProtocolVersionMsg pv; int major,minor; char tmphost[250]; + int tmphostlen; #ifdef LIBVNCSERVER_IPv6 client->sock = ConnectClientToTcpAddr6(repeaterHost, repeaterPort); 
@@ -499,8 +500,11 @@ rfbBool ConnectToRFBRepeater(rfbClient* rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n", major, minor); - snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort); - if (!WriteToRFBServer(client, tmphost, sizeof(tmphost))) + tmphostlen = snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort); + if(tmphostlen < 0 || tmphostlen >= (int)sizeof(tmphost)) + return FALSE; /* snprintf error or output truncated */ + + if (!WriteToRFBServer(client, tmphost, tmphostlen + 1)) return FALSE; return TRUE; debian/patches/CVE-2014-6053.patch0000644000000000000000000000143712411033523013231 0ustar Description: fix denial of service via large ClientCutText message Origin: backport, https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28 Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c =================================================================== --- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c 2012-05-04 10:19:00.000000000 -0400 +++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c 2014-09-25 11:12:36.124058413 -0400 @@ -2457,6 +2457,11 @@ msg.cct.length = Swap32IfLE(msg.cct.length); str = (char *)malloc(msg.cct.length); + if (str == NULL) { + rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); + rfbCloseClient(cl); + return; + } if ((n = rfbReadExact(cl, str, msg.cct.length)) <= 0) { if (n != 0) debian/patches/CVE-2018-20020/0000755000000000000000000000000013424365115012267 5ustar debian/patches/CVE-2018-20020/0001-LibVNCClient-make-sure-ReadFromRFBServer-does-not-wr.patch0000644000000000000000000000175313413154075025370 0ustar 
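Review bot: In the @@ -499 hunk of the CVE-2018-20023 patch, WriteToRFBServer(client, tmphost, tmphostlen + 1) changes the message on the wire from a fixed sizeof(tmphost) block (250 bytes) to a variable-length string, which is a protocol change on top of the fix for sending uninitialised bytes. Confirm that the repeater accepts a short, NUL-terminated request; if it expects the fixed-size block, the alternative is to zero tmphost before the snprintf and keep writing sizeof(tmphost). The new return FALSE on truncation is also silent, so an rfbClientLog call there would tell the user why the connection was refused.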
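Review bot: In the CVE-2014-6053 hunk for libvncserver/rfbserver.c, the new str == NULL check handles allocation failure, but msg.cct.length still reaches malloc with no upper bound, so the size of the attempted allocation is whatever the ClientCutText message names. A cap on msg.cct.length before the malloc would bound that. As written, the check also closes the client for a zero-length cut text on platforms where malloc(0) returns NULL, so a length of 0 should be handled separately from the failure path.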
From: Christian Beier Date: Sat, 29 Sep 2018 22:07:27 +0200 Subject: LibVNCClient: make sure ReadFromRFBServer() does not write after buffer end in CoRRE decoding Origin: https://github.com/LibVNC/libvncserver/commit/09f2f3fb6a5a163e453e5c2979054670c39694bc Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20020 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/250 Closes #250 --- libvncclient/corre.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/libvncclient/corre.c +++ b/libvncclient/corre.c @@ -48,7 +48,7 @@ HandleCoRREBPP (rfbClient* client, int r FillRectangle(client, rx, ry, rw, rh, pix); - if (!ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8)))) + if (hdr.nSubrects * (4 + (BPP / 8)) > RFB_BUFFER_SIZE || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8)))) return FALSE; ptr = (uint8_t *)client->buffer; debian/patches/CVE-2018-20020/0002-LibVNCClient-really-fix-250.patch0000644000000000000000000000172213413154075020462 0ustar From: Christian Beier Date: Thu, 4 Oct 2018 22:27:39 +0200 Subject: LibVNCClient: really fix #250 Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20020 Bug-Debian: https://bugs.debian.org/916941 Bug: https://github.com/LibVNC/libvncserver/issues/250 --- libvncclient/corre.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/libvncclient/corre.c +++ b/libvncclient/corre.c 
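Review bot: In the 0001 patch for libvncclient/corre.c, the bound hdr.nSubrects * (4 + (BPP / 8)) > RFB_BUFFER_SIZE multiplies the count before comparing it, so if the product wraps, an oversized hdr.nSubrects passes the check and the wrapped value is then used as the read length. Compare the count against RFB_BUFFER_SIZE / (4 + (BPP / 8)) instead, so that no multiplication happens before the bound is established; the follow-up patch 0002 makes this change.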
@@ -48,7 +48,7 @@ HandleCoRREBPP (rfbClient* client, int r FillRectangle(client, rx, ry, rw, rh, pix); - if (hdr.nSubrects * (4 + (BPP / 8)) > RFB_BUFFER_SIZE || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8)))) + if (hdr.nSubrects > RFB_BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8)))) return FALSE; ptr = (uint8_t *)client->buffer; debian/patches/format-security.diff0000644000000000000000000000073012255552120014603 0ustar Index: b/client_examples/gtkvncviewer.c =================================================================== --- a/client_examples/gtkvncviewer.c 2012-05-04 14:19:00.000000000 +0000 +++ b/client_examples/gtkvncviewer.c 2013-12-22 12:00:13.401288669 +0000 
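Review bot: In the 0002 patch for libvncclient/corre.c, the division form of the bound is the right check, but the subject "really fix #250" does not record what the first fix missed; one sentence in the commit message stating why the earlier product-based comparison was insufficient would let the series be reviewed on its own. The read length hdr.nSubrects * (4 + (BPP / 8)) is also still written out separately from the bound on the same line, and computing it once into a local after the check would keep the two from drifting apart.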
@@ -563,7 +563,7 @@ time (&log_clock); strftime (buf, 255, "%d/%m/%Y %X ", localtime (&log_clock)); - fprintf (stdout, buf); + fprintf (stdout, "%s", buf); vfprintf (stdout, format, args); fflush (stdout); debian/libvncserver-config.install0000644000000000000000000000003411751317566014536 0ustar usr/bin/libvncserver-config debian/compat0000644000000000000000000000000211751317566010400 0ustar 9 debian/copyright0000644000000000000000000001550211751317566011140 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: LibVNCServer Source: http://sourceforge.net/projects/libvncserver/files/ Files: * Copyright: 2001, Johannes E. Schindelin 1999, AT&T Laboratories Cambridge 2001,2002 Constantin Kaplinsky 2000, Tridia Corporation 2009, Vic Lee 2012, Christian Beier 2005, Novell Inc. License: GPL-2+ Files: client_examples/gtkvncviewer.c Copyright: 2007, Mateus Cesar Groess License: GPL-2+ Files: client_examples/vnc2mpg.c Copyright: 2003, Fabrice Bellard 2004, Johannes E. Schindelin License: Expat Files: common/d3des.* Copyright: 1999, AT&T Laboratories Cambridge License: AT&T Files: common/*lzo* Copyright: 1996-2010, Markus Franz Xaver Johannes Oberhumer License: GPL-2+ Files: common/md5.* Copyright: 1995-2005, The Free Software Foundation License: LGPL-2.1+ Files: common/sha1.* Copyright: 2001, The Internet Society License: ISC Files: common/turbojpeg.* Copyright: 2009-2012, D. R. Commander License: BSD-3 Files: common/vncauth.c Copyright: 1999, AT&T Laboratories Cambridge License: GPL-2+ Files: common/zywrletemplate.c Copyright: 2006, Hitachi Systems & Services, Ltd. License: BSD-3 Files: test/tj* Copyright: 2009-2012, D. R. Commander License: BSD-3 License: GPL-2+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . 
This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this package; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA . On Debian systems, the full text of the GNU General Public License version 2 can be found in the file `/usr/share/common-licenses/GPL-2'. License: Expat Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: . The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. . THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. License: AT&T This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
License: LGPL-2.1+ libgdamm is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 2.1 of the License, or (at your option) any later version. . libgdamm is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. . You should have received a copy of the GNU Lesser General Public License along with this library. If not, see . . On Debian systems, the complete text of the GNU Lesser General Public License version 2.1 can be found in "/usr/share/common-licenses/LGPL-2.1". License: ISC This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. . The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. . 
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. License: BSD-3 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. . 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. . 3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. . THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
debian/linuxvnc.docs0000644000000000000000000000005611751317566011723 0ustar vncterm/ChangeLog vncterm/README vncterm/TODO debian/libvncserver-config.manpages0000644000000000000000000000003511751317566014664 0ustar debian/libvncserver-config.1 debian/source/0000755000000000000000000000000011751317566010502 5ustar debian/source/format0000644000000000000000000000001411751317566011710 0ustar 3.0 (quilt) debian/linuxvnc.manpages0000644000000000000000000000002211751317566012557 0ustar debian/linuxvnc.1 debian/linuxvnc.10000644000000000000000000000357711751317566011146 0ustar .TH linuxvnc 1 "19 November 2011" .SH NAME linuxvnc \- export a tty to any VNC client .SH SYNOPSIS .B linuxvnc \fI[tty_number [args]] .SH DESCRIPTION It follows the same idea as WinVNC, x11vnc or OSXvnc, i.e. it takes an existing desktop and exports it via RFB (VNC), just that LinuxVNC exports text. .PP If you want to export another tty, specify it as 'tty_number'. You can also pass VNC options to tune what encodings are used for the VNC session. You can read x11vnc man page for more information on this. .SH OPTIONS .IP "-rfbport port" TCP port for RFB protocol. .IP "-rfbwait time" Max time in ms to wait for RFB client. .IP "-rfbauth passwd-file" Use authentication on RFB protocol (use 'storepasswd' to create passwd file). .IP "-rfbversion 3.x" Set the version of the RFB we choose to advertise. .IP "-permitfiletransfer" Permit file transfer support. .IP "-passwd plain-password" Use authentication (use plain-password as password, USE AT YOUR RISK). .IP "-deferupdate time" Time in ms to defer updates (default 40). .IP "-deferptrupdate time" Time in ms to defer pointer updates (default none). .IP "-desktop name" VNC desktop name (default "LibVNCServer"). .IP "-alwaysshared" Always treat new clients as shared. .IP "-nevershared" Never treat new clients as shared. .IP "-dontdisconnect" Don't disconnect existing clients when a new non-shared connection comes in (refuse new connection instead). 
.IP "-httpdir dir-path" Enable http server using dir-path home. .IP "-httpport portnum" Use portnum for http connection. .IP "-enablehttpproxy" Enable http proxy support. .IP "-progressive height" Enable progressive updating for slow links. .IP "-listen ipaddr" Listen for connections only on network interface with addr ipaddr. .SH SEE ALSO .BR x11vnc (1). .SH AUTHOR This manual page was written by Ludovic Drolez , for the Debian project (but may be used by others). debian/libvncserver-dev.install0000644000000000000000000000027611751317566014057 0ustar usr/include/rfb usr/lib/*/libvncclient.a usr/lib/*/libvncclient.so usr/lib/*/libvncserver.a usr/lib/*/libvncserver.so usr/lib/*/pkgconfig/libvncserver.pc usr/lib/*/pkgconfig/libvncclient.pc debian/changelog0000644000000000000000000002605513424374114011053 0ustar libvncserver (0.9.9+dfsg-1ubuntu1.4) trusty-security; urgency=medium * SECURITY UPDATE: Multiple security issues - debian/patches/CVE-2018-*.patch: add upstream commits to fix multiple security issues. - CVE-2018-6307, CVE-2018-15126, CVE-2018-15127, CVE-2018-20019, CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-20023, CVE-2018-20024, CVE-2018-20748, CVE-2018-20749, CVE-2018-20750 -- Marc Deslauriers Wed, 30 Jan 2019 14:00:33 -0500 libvncserver (0.9.9+dfsg-1ubuntu1.3) trusty-security; urgency=medium * SECURITY UPDATE: integer overflow or memory access - debian/patches/CVE-2018-7225.patch: limit client cut text length to 1 MB in libvncserver/rfbserver.c. - CVE-2018-7225 -- Marc Deslauriers Fri, 30 Mar 2018 10:46:20 -0400 libvncserver (0.9.9+dfsg-1ubuntu1.2) trusty-security; urgency=medium * SECURITY UPDATE: heap overflows in rectangle fill functions - debian/patches/CVE-2016-9941.patch: add bounds checking to libvncclient/rfbproto.c. - CVE-2016-9941 * SECURITY UPDATE: heap overflow in Ultra type tile decoder - debian/patches/CVE-2016-9942.patch: use _safe variant in libvncclient/ultra.c. 
- CVE-2016-9942 -- Marc Deslauriers Fri, 06 Jan 2017 07:57:31 -0500 libvncserver (0.9.9+dfsg-1ubuntu1.1) trusty-security; urgency=medium * SECURITY UPDATE: denial of service and possible code execution via integer overflow and lack of malloc error handling in MallocFrameBuffer() - debian/patches/CVE-2014-6051-6052.patch: check size and handle return code in libvncclient/vncviewer.c, handle return code in libvncclient/rfbproto.c. - CVE-2014-6051 - CVE-2014-6052 * SECURITY UPDATE: denial of service via large ClientCutText message - debian/patches/CVE-2014-6053.patch: check malloc result in libvncserver/rfbserver.c. - CVE-2014-6053 * SECURITY UPDATE: denial of service via zero scaling factor - debian/patches/CVE-2014-6054.patch: prevent zero scaling factor in libvncserver/rfbserver.c, check for integer overflow in libvncserver/scale.c. - CVE-2014-6054 * SECURITY UPDATE: denial of service and possible code execution via stack overflows in File Transfer feature - debian/patches/CVE-2014-6055.patch: check sizes in libvncserver/rfbserver.c. - CVE-2014-6055 -- Marc Deslauriers Thu, 25 Sep 2014 11:40:15 -0400 libvncserver (0.9.9+dfsg-1ubuntu1) trusty; urgency=medium * Patch acinclude.m4 for ppc64el. * Fix build failure with -Wformat-security. * Enable verbose build. -- Matthias Klose Sun, 22 Dec 2013 12:56:20 +0100 libvncserver (0.9.9+dfsg-1) unstable; urgency=low * New upstream release. * Patches refreshed for the new upstream version. * Multi-arch support (Closes: #664883). * debian/patches/format_string.patch: - Use format string argument with fprintf. * debian/patches/02_linux_test.patch: - Removed, applied upstream. * debian/patches/04_rename_linuxvnc.patch: - Removed, applied upstream. * debian/patches/05_GnuTLS.patch: - Removed, applied upstream. * debian/compat: - Bump compatibility level to 9. * debian/control: - Add libvncserver-config binary package, needed for Multi-arch. - Bump Standards-Version to 3.9.3. * debian/copyright: - Convert to DEP5 format. 
* debian/libvncserver-config.1: - Fix hyphen-used-as-minus-sign lintian warning. * debian/rules: - Implement a get-orig-source target to get rid of webclients directory, which contains Java classes without sources. * debian/watch: - Mangle "+dfsg" prefix from version number. -- Luca Falavigna Sat, 05 May 2012 23:45:15 +0200 libvncserver (0.9.8.2-2) unstable; urgency=low * debian/*.1: - Refresh man pages to consider new parameters (Closes: #518617). * debian/libvncserver-dev.install: - Install libvncserver.pc and libvncclient files (Closes: #649481). -- Luca Falavigna Thu, 08 Dec 2011 11:55:19 +0100 libvncserver (0.9.8.2-1) unstable; urgency=low * New upstream bugfix release. - Fix a regression in libvncclient with Apple Remote Desktop support that prevented viewers to connect to ARD servers (Closes: #644455). -- Luca Falavigna Wed, 09 Nov 2011 23:31:28 +0100 libvncserver (0.9.8.1-1) unstable; urgency=low * New upstream bugfix release. - Fix ABI break (Closes: #644455). * debian/compat: - Bump compatibility to 8. * debian/control: - Adopting package. - Add Vcs-* fields. - Build-depend on dh-autoreconf instead of automake and libtool. - Add libgnutls-dev to libvncserver-dev dependencies. * debian/not-installed: - Not needed, removed. * debian/rules: - Build with autoreconf support. -- Luca Falavigna Wed, 12 Oct 2011 19:59:26 +0200 libvncserver (0.9.8-2) unstable; urgency=low * QA upload. * debian/control: - Build-depend on libgnutls-dev for GNUTLS support. -- Luca Falavigna Sun, 02 Oct 2011 14:27:56 +0200 libvncserver (0.9.8-1) unstable; urgency=low * QA upload. * New upstream release (Closes: #621705). - Fix segfault launching "linuxvnc 1 -help" (Closes: #399501). - Close socket when connection ends (Closes: #525226). - Fix no input caused by stuck CTRL key (Closes: #555988). * debian/patches/*: - Refresh patches for new upstream release.
* debian/patches/05_GnuTLS.patch: - Backport patch from upstream repository to drop deprecated GnuTLS functions (gnutls_*_set_priority -> gnutls_priority_set_direct). * debian/control: - Build-depend on pkg-config. - Remove duplicate section field for libvncserver0 binary. - Bump Standards-Version to 3.9.2. * debian/libvncserver-config.1: - Use minus signs instead of hyphens. * debian/README.source: - Dropped, no longer needed. * debian/watch: - Provide watch file. -- Luca Falavigna Sun, 02 Oct 2011 02:54:05 +0200 libvncserver (0.9.7-3) unstable; urgency=low * QA upload * Change (build-)dependencies on libjpeg62-dev to libjpeg-dev (closes: #629976). * Migrate to source format 3.0 (quilt): - add debian/source/format - remove build-dependency on quilt - debian/rules: drop --with-quilt from dh invocation * debian/rules, clean target: also remove generated file _configs.sed -- Ralf Treinen Fri, 10 Jun 2011 19:39:44 +0200 libvncserver (0.9.7-2) unstable; urgency=low * QA upload. * Don't build linuxvnc on non-linux architectures (Closes: #542592). * Add a debian/README.source. -- Aurelien Jarno Sun, 30 Aug 2009 17:15:14 +0200 libvncserver (0.9.7-1) unstable; urgency=low * QA upload. * New upstream release (Closes: #529010): - x11vnc is removed upstream from libvncserver sources. Now, it is released separately. * Added patches: - 03_no_x11vnc_subdir.patch Remove x11vnc remaining occurrences from the build system. - 04_rename_linuxvnc.patch Rename LinuxVNC to linuxvnc. * Bumped debian/compat from 5 to 7. * Updated debian/control: - Cleaned up build dependencies. - Switched to quilt patch system. - Added Homepage field. - Added libjpeg62-dev and zlib1g-dev dependencies to libvncserver-dev. (Closes: #515029) - Added priority extra and section debug to libvncserver0-dbg. - Removed x11vnc package. * Added debian/not-installed: - *.la files are not installed anymore in libvncserver-dev. * Switched debian/rules from cdbs to dh usage.
-- Fathi Boudra Fri, 07 Aug 2009 15:45:36 +0200 libvncserver (0.9.3.dfsg.1-2) unstable; urgency=low * QA upload. * Drop useless build-depends on linux-libc-dev. -- Aurelien Jarno Wed, 13 May 2009 20:11:07 +0200 libvncserver (0.9.3.dfsg.1-1) unstable; urgency=low * QA upload. * New upstream release. (Closes: #448942) - CVS tag X11VNC_REL_0_9_3 * Switched rules to CDBS. * Bumped compat to 5. * Bumped Standards-Version to 3.7.2 * Enabled shared libraries. (Closes: #373298) * Dropped vncommand, since it isn't installed by make install. - All hate-mail should be sent to debian@pusling.com * Added debug package. * Removed the classes/ dir, there are no sources for the jar files. - Appended .dfsg.1 to source version. - Added patch 01_ignore_classes to allow building without classes/ dir. * Added patch 02_linux_test to look for /usr/include/linux instead of /dev/vcsa -- Matthew Rosewarne Mon, 05 Nov 2007 03:22:20 -0500 libvncserver (0.8.2-2) unstable; urgency=low * Orphaning package -- Ludovic Drolez Wed, 25 Apr 2007 12:00:32 +0200 libvncserver (0.8.2-1) unstable; urgency=high * New upstream release. Closes: #373808 * This new release fixes a security bug which might be present in the previous release of the package. Closes: #376824 * urgency=high because a probable security bug was fixed. -- Ludovic Drolez Mon, 17 Jul 2006 20:43:38 +0200 libvncserver (0.7.1-5) unstable; urgency=high * Re-upload with urgency=high because the package in testing is unusable -- Ludovic Drolez Thu, 12 Jan 2006 15:30:00 +0100 libvncserver (0.7.1-4) unstable; urgency=low * Put x11vnc 0.7.3 sources in their own directory. Closes: #333880 * Updated build-depends. Closes: #347019 -- Ludovic Drolez Mon, 9 Jan 2006 23:13:15 +0100 libvncserver (0.7.1-3) unstable; urgency=low * Added x11vnc 0.7.3 sources. Closes: #328943 * Added the x11vnc FAQ which is in the README. 
Closes: #325479 * Added build dependencies on libxdamage-dev, libfixes-dev, libxrandr-dev -- Ludovic Drolez Wed, 28 Sep 2005 19:00:05 +0200 libvncserver (0.7.1-2) unstable; urgency=low * Removed the /dev/vcsa1 test to fix the pbuilder bug. Closes: #322643 * new vncommand package: allows you to attach a VNC server to any command -- Ludovic Drolez Fri, 26 Aug 2005 18:02:16 +0200 libvncserver (0.7.1-1) unstable; urgency=low * New upstream release. Closes: #309385 -- Ludovic Drolez Fri, 25 Mar 2005 20:48:38 +0100 libvncserver (0.7-1) unstable; urgency=low * New upstream release * New upstream x11vnc man page. Closes: Bug#277510 -- Ludovic Drolez Mon, 31 Jan 2005 23:06:17 +0100 libvncserver (0.6-3) unstable; urgency=low * Added the latest x11vnc.c (0.6.1) which has the -scale option. * Added the scale option in the manual. -- Ludovic Drolez Fri, 16 Jul 2004 16:26:09 +0200 libvncserver (0.6-2) unstable; urgency=low * Added the latest x11vnc.c from the CVS. Closes: Bug#246205 -- Ludovic Drolez Thu, 29 Apr 2004 22:09:53 +0200 libvncserver (0.6-1) unstable; urgency=low * Initial Release. * Integrated the last release of x11vnc. -- Ludovic Drolez Wed, 10 Mar 2004 23:42:26 +0100