diff --git a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch new file mode 100644 index 000000000000..cd65d2fb5dd9 --- /dev/null +++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch @@ -0,0 +1,18 @@ +Adapted from https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a +diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c +index 04b0230..47a6863 100644 +--- a/vncviewer/rfbproto.c ++++ b/vncviewer/rfbproto.c +@@ -1217,6 +1217,12 @@ HandleRFBServerMessage() + if (serverCutText) + free(serverCutText); + ++ if (msg.sct.length > 1<<20) { ++ fprintf(stderr,"Ignoring too big cut text length sent by server: %u B > 1 MB\n", ++ (unsigned int)msg.sct.length); ++ return False; ++ } ++ + serverCutText = malloc(msg.sct.length+1); + + if (!ReadFromRFBServer(serverCutText, msg.sct.length)) diff --git a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch new file mode 100644 index 000000000000..6d7b3e89e0c4 --- /dev/null +++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch @@ -0,0 +1,19 @@ +Adapted from https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 +diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c +index 04b0230..bd11b54 100644 +--- a/vncviewer/rfbproto.c ++++ b/vncviewer/rfbproto.c +@@ -303,7 +303,12 @@ InitialiseRFBConnection(void) + si.format.blueMax = Swap16IfLE(si.format.blueMax); + si.nameLength = Swap32IfLE(si.nameLength); + +- /* FIXME: Check arguments to malloc() calls. */ ++ if (si.nameLength > 1<<20) { ++ fprintf(stderr, "Too big desktop name length sent by server: %lu B > 1 MB\n", ++ (unsigned long)si.nameLength); ++ return False; ++ } ++ + desktopName = malloc(si.nameLength + 1); + if (!desktopName) { + fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n", diff --git a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch new file mode 100644 index 000000000000..7426a2b58b10 --- /dev/null +++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch @@ -0,0 +1,16 @@ +diff --git a/vncviewer/zlib.c b/vncviewer/zlib.c +index 80c4eee..76998d8 100644 +--- a/vncviewer/zlib.c ++++ b/vncviewer/zlib.c +@@ -55,6 +55,11 @@ HandleZlibBPP (int rx, int ry, int rw, int rh) + raw_buffer_size = (( rw * rh ) * ( BPP / 8 )); + raw_buffer = (char*) malloc( raw_buffer_size ); + ++ if ( raw_buffer == NULL ) { ++ fprintf(stderr, ++ "couldn't allocate raw_buffer in HandleZlibBPP"); ++ return False; ++ } + } + + if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader)) diff --git a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch new file mode 100644 index 000000000000..5bfd1b9ea87f --- /dev/null +++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch @@ -0,0 +1,14 @@ +Adapted from https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d +diff --git a/vncviewer/corre.c b/vncviewer/corre.c +index c846a10..a4c272d 100644 +--- a/vncviewer/corre.c ++++ b/vncviewer/corre.c +@@ -56,7 +56,7 @@ HandleCoRREBPP (int rx, int ry, int rw, int rh) + XChangeGC(dpy, gc, GCForeground, &gcv); + XFillRectangle(dpy, desktopWin, gc, rx, ry, rw, rh); + +- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) ++ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) + return False; + + ptr = (CARD8 *)buffer; diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix index 5a76b500d149..1a65c31102e9 100644 --- a/pkgs/tools/admin/tightvnc/default.nix +++ b/pkgs/tools/admin/tightvnc/default.nix @@ -9,6 +9,13 @@ stdenv.mkDerivation { sha256 = "f48c70fea08d03744ae18df6b1499976362f16934eda3275cead87baad585c0d"; }; + patches = [ + ./1.3.10-CVE-2019-15678.patch + ./1.3.10-CVE-2019-15679.patch + ./1.3.10-CVE-2019-15680.patch + ./1.3.10-CVE-2019-8287.patch + ]; + # for the builder script inherit fontDirectories;