Hello community,
here is the log from the commit of package tigervnc for openSUSE:Factory checked in at 2014-11-03 13:11:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tigervnc (Old)
and /work/SRC/openSUSE:Factory/.tigervnc.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tigervnc"
Changes:
--------
--- /work/SRC/openSUSE:Factory/tigervnc/tigervnc.changes 2014-10-14 07:10:21.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.tigervnc.new/tigervnc.changes 2014-11-03 13:11:59.000000000 +0100
@@ -1,0 +2,7 @@
+Thu Oct 30 13:33:27 UTC 2014 - msrb@suse.com
+
+- u_tigervnc-cve-2014-8240.patch
+ * Prevent potentially dangerous integer overflow.
+ (bnc#900896 CVE-2014-8240)
+
+-------------------------------------------------------------------
New:
----
u_tigervnc-cve-2014-8240.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tigervnc.spec ++++++
--- /var/tmp/diff_new_pack.nN6nd0/_old 2014-11-03 13:12:00.000000000 +0100
+++ /var/tmp/diff_new_pack.nN6nd0/_new 2014-11-03 13:12:00.000000000 +0100
@@ -113,6 +113,7 @@
Patch9: U_include-vencrypt-only-if-any-subtype-present.patch
Patch10: u_tigervnc-check-shm-harder.patch
Patch11: u_tigervnc-use_preferred_mode.patch
+Patch12: u_tigervnc-cve-2014-8240.patch
# Xserver patches
Patch20: tigervnc-1.2.80-fix-int-to-pointer.patch
@@ -157,6 +158,7 @@
%patch9 -p0
%patch10 -p0
%patch11 -p0
+%patch12 -p1
pushd unix/xserver
patch -p1 < ../xserver114.patch
++++++ u_tigervnc-cve-2014-8240.patch ++++++
Patch-Mainline: To be upstreamed
References: bnc#900896 CVE-2014-8240
Signed-off-by: Michal Srb
diff -up tigervnc-1.3.1/unix/x0vncserver/Image.cxx.CVE-2014-8240 tigervnc-1.3.1/unix/x0vncserver/Image.cxx
--- tigervnc-1.3.1/unix/x0vncserver/Image.cxx.CVE-2014-8240 2008-03-19 16:14:48.000000000 +0000
+++ tigervnc-1.3.1/unix/x0vncserver/Image.cxx 2014-10-16 12:23:08.013339234 +0100
@@ -80,6 +80,14 @@ void Image::Init(int width, int height)
xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ exit(1);
+ }
+
xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
if (xim->data == NULL) {
vlog.error("malloc() failed");
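Review bot: The new guard in Image::Init reads `xim->bytes_per_line` straight after `XCreateImage()` with no NULL check on `xim`, so a failed image creation would crash here instead of producing a logged error. A separate guard placed ahead of it would cover that case, `if (xim == NULL) { vlog.error("XCreateImage() failed"); exit(1); }`, kept apart from the size test because `XDestroyImage(xim)` must not be reached with a null pointer. The hunk also uses `INT_MAX` without adding an include; whether `<limits.h>` is already pulled in is not visible here, so that is worth confirming for both patched files. Image::Init starts and ends outside the hunk.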
@@ -254,6 +262,17 @@ void ShmImage::Init(int width, int heigh
delete shminfo;
shminfo = NULL;
return;
+ }
+
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ xim = NULL;
+ delete shminfo;
+ shminfo = NULL;
+ return;
}
shminfo->shmid = shmget(IPC_PRIVATE,
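Review bot: The size test added to ShmImage::Init carries no comment saying what it protects, and the identical three-line condition appears in all four hunks of this patch (Image::Init, here, and twice in X11PixelBuffer.cxx). I would add `// Reject images whose byte size (bytes_per_line * height) would overflow an int` above the condition, and consider one small shared helper so the four copies cannot drift apart. The bound `xim->height >= INT_MAX / xim->bytes_per_line` is slightly conservative, which is acceptable for a safety check. The function continues outside the hunk, so whether callers notice the silent `return` on this path cannot be confirmed from here.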
diff -up tigervnc-1.3.1/vncviewer/X11PixelBuffer.cxx.CVE-2014-8240 tigervnc-1.3.1/vncviewer/X11PixelBuffer.cxx
--- tigervnc-1.3.1/vncviewer/X11PixelBuffer.cxx.CVE-2014-8240 2011-08-23 13:04:46.000000000 +0100
+++ tigervnc-1.3.1/vncviewer/X11PixelBuffer.cxx 2014-10-16 12:22:53.053261132 +0100
@@ -105,6 +105,15 @@ PlatformPixelBuffer::PlatformPixelBuffer
ZPixmap, 0, 0, width, height, BitmapPad(fl_display), 0);
assert(xim);
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ if (xim)
+ XDestroyImage(xim);
+ xim = NULL;
+ throw rfb::Exception("Invalid display size");
+ }
+
xim->data = (char*)malloc(xim->bytes_per_line * xim->height);
assert(xim->data);
}
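Review bot: The `if (xim)` inside the new branch can never be false, because the condition above it has already dereferenced `xim`. The only null protection is the `assert(xim)` context line, which disappears in builds with NDEBUG defined. Replacing that assert with a runtime check, `if (!xim) throw rfb::Exception("XCreateImage failed");`, and dropping the inner `if (xim)` would make the null case and the size case both fail cleanly. The `assert(xim->data)` after `malloc()` has the same NDEBUG weakness. The enclosing constructor begins outside the hunk.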
@@ -169,6 +178,16 @@ int PlatformPixelBuffer::setupShm()
if (!xim)
goto free_shminfo;
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ XDestroyImage(xim);
+ xim = NULL;
+ delete shminfo;
+ shminfo = NULL;
+ throw rfb::Exception("Invalid display size");
+ }
+
shminfo->shmid = shmget(IPC_PRIVATE,
xim->bytes_per_line * xim->height,
IPC_CREAT|0777);
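Review bot: The new failure path in setupShm() throws, while the neighbouring failure in the context lines leaves through `goto free_shminfo`, so this is the one error in the visible part of the function that bypasses its cleanup label and its int return. Assuming the `free_shminfo` label releases `shminfo` (its body is outside the hunk), `XDestroyImage(xim); xim = NULL; goto free_shminfo;` would keep a single cleanup path and let the caller treat this like any other shared-memory setup failure. Separately, the unchanged `shmget()` call creates the segment with mode `0777`; the commit does not touch it, but a tighter mode is worth evaluating provided the X server can still attach.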