commit vino for openSUSE:11.2
Hello community, here is the log from the commit of package vino for openSUSE:11.2 checked in at Mon May 9 16:58:43 CEST 2011. -------- --- old-versions/11.2/UPDATES/all/vino/vino.changes 2009-11-14 16:53:33.000000000 +0100 +++ 11.2/vino/vino.changes 2011-05-02 15:47:12.000000000 +0200 @@ -1,0 +2,8 @@ +Mon May 2 15:44:57 CEST 2011 - vuntz@opensuse.org + +- Add vino-CVE-2011-0904_0905.patch to fix security vulnerabilities + that lead to an out-of-bounds memory write and read with a + crafted client framebuffer update request packet. +- Fixes CVE-2011-0904, CVE-2011-0905 and bnc#691207. + +------------------------------------------------------------------- calling whatdependson for 11.2-i586 New: ---- vino-CVE-2011-0904_0905.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vino.spec ++++++ --- /var/tmp/diff_new_pack.EPfLpB/_old 2011-05-09 16:58:29.000000000 +0200 +++ /var/tmp/diff_new_pack.EPfLpB/_new 2011-05-09 16:58:29.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package vino (Version 2.28.1) +# spec file for package vino # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -36,10 +36,12 @@ License: GPLv2+ Group: Productivity/Networking/Remote Desktop Version: 2.28.1 -Release: 2.<RELEASE1> +Release: 2.<RELEASE3> Requires: %{name}-lang = %{version} Summary: GNOME VNC Server Source: vino-%{version}.tar.bz2 +# PATCH-FIX-UPSTREAM vino-CVE-2011-0904_0905.patch bnc#691207 vuntz@opensuse.org -- Fix security issues +Patch0: vino-CVE-2011-0904_0905.patch Url: http://www.gnome.org BuildRoot: %{_tmppath}/%{name}-%{version}-build %gconf_schemas_prereq 
@@ -70,6 +72,7 @@ %prep %setup translation-update-upstream +%patch0 -p1 %build %configure\ ++++++ vino-CVE-2011-0904_0905.patch ++++++
From af7847f11681770018ed6e7f86e7a31feabf9963 Mon Sep 17 00:00:00 2001 From: David King <amigadave@amigadave.com> Date: Tue, 26 Apr 2011 22:31:36 +0200 Subject: [PATCH] Avoid out-of-bounds memory accesses
This fixes two critical security vulnerabilities that lead to an out-of-bounds memory write and read with a crafted client framebuffer update request packet. The dimensions of the update from the packet are checked to ensure that they are within the screen dimensions. Thanks to Kevin Chen from the Bitblaze group for the reports in bugs 641802 and 641803. The CVE identifiers for these vulnerabilities are CVE-2011-0904 and CVE-2011-0905. --- server/libvncserver/rfbserver.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c index 8c35853..f02a7f9 100644 --- a/server/libvncserver/rfbserver.c +++ b/server/libvncserver/rfbserver.c @@ -1163,6 +1163,10 @@ rfbSendFramebufferUpdate(rfbClientPtr cl, cl->rfbRawBytesEquivalent += (sz_rfbFramebufferUpdateRectHeader + w * (cl->format.bitsPerPixel / 8) * h); + /* Validate the rectangle given by the update packet. */ + if (w + x > cl->screen->width || h + y > cl->screen->height) + goto tx_error; + switch (cl->preferredEncoding) { case rfbEncodingRaw: if (!rfbSendRectEncodingRaw(cl, x, y, w, h)) -- 1.7.3.4 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
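Review bot: In the rfbserver.c hunk, the new check `w + x > cl->screen->width || h + y > cl->screen->height` only rejects rectangles that run past the right or bottom edge. The declarations of x, y, w and h are not visible in this hunk; if they are signed, a negative origin or size, or a sum that wraps, would still pass. Consider also rejecting x < 0, y < 0, w < 0 and h < 0, and writing the comparison as `w > cl->screen->width - x` so the addition cannot overflow. The check also sits after the `cl->rfbRawBytesEquivalent +=` statement in the context lines above it, so that counter is updated from the unvalidated w and h before the `goto tx_error`; moving the validation ahead of that statement would keep the statistics clean for rejected rectangles.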
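Review bot: In the vino.spec hunk that adds Patch0, the PATCH-FIX-UPSTREAM tag line ends with the generic description "Fix security issues". Naming CVE-2011-0904 and CVE-2011-0905 there, as the vino.changes entry does, would let someone reading only the spec file see which issues the patch covers without relying on the patch filename.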