From 369a02be4da385aca62393c390229d3311e6bb78 Mon Sep 17 00:00:00 2001
From: Alexander Tsoy
Date: Mon, 23 Mar 2020 18:40:08 +0300
Subject: net-libs/libvncserver: Fix CVE-2019-15690
Bug: https://bugs.gentoo.org/714054
Signed-off-by: Alexander Tsoy
Closes: https://github.com/gentoo/gentoo/pull/15070
Signed-off-by: Joonas Niilola
---
.../files/libvncserver-0.9.12-CVE-2019-15690.patch | 39 +++++++++++
.../libvncserver/libvncserver-0.9.12-r5.ebuild | 75 ++++++++++++++++++++++
2 files changed, 114 insertions(+)
create mode 100644 net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2019-15690.patch
create mode 100644 net-libs/libvncserver/libvncserver-0.9.12-r5.ebuild
(limited to 'net-libs/libvncserver')
diff --git a/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2019-15690.patch b/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2019-15690.patch
new file mode 100644
index 000000000000..5ef290129c72
--- /dev/null
+++ b/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2019-15690.patch
@@ -0,0 +1,39 @@
+From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
+From: Christian Beier
+Date: Sun, 17 Nov 2019 17:18:35 +0100
+Subject: [PATCH] libvncclient/cursor: limit width/height input values
+
+Avoids a possible heap overflow reported by Pavel Cheremushkin
+.
+
+re #275
+---
+ libvncclient/cursor.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
+index 67f4572..40ffb3b 100644
+--- a/libvncclient/cursor.c
++++ b/libvncclient/cursor.c
+@@ -28,6 +28,8 @@
+ #define OPER_SAVE 0
+ #define OPER_RESTORE 1
+
++#define MAX_CURSOR_SIZE 1024
++
+ #define RGB24_TO_PIXEL(bpp,r,g,b) \
+ ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \
+ << client->format.redShift | \
+@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
+ if (width * height == 0)
+ return TRUE;
+
++ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
++ return FALSE;
++
+ /* Allocate memory for pixel data and temporary mask data. */
+ if(client->rcSource)
+ free(client->rcSource);
+--
+2.24.1
+
diff --git a/net-libs/libvncserver/libvncserver-0.9.12-r5.ebuild b/net-libs/libvncserver/libvncserver-0.9.12-r5.ebuild
new file mode 100644
index 000000000000..87aad2363035
--- /dev/null
+++ b/net-libs/libvncserver/libvncserver-0.9.12-r5.ebuild
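Review bot: The new guard in HandleCursorShape rejects only values at or above MAX_CURSOR_SIZE, so a negative `width` or `height` (both plain `int` in the visible signature) still reaches the allocation code, and the guard runs after `width * height == 0`, which multiplies the still-unchecked values. Whether callers can pass anything outside an unsigned 16-bit range is not visible in this hunk; if they can, the check should come first and cover both ends: `if (width < 0 || height < 0 || width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) return FALSE;`. A one-line comment on `MAX_CURSOR_SIZE` saying that it is an exclusive upper bound on server-supplied cursor dimensions, enforced before the buffers are sized, would make the intent clear to the next maintainer. The function body continues outside the hunk.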
@@ -0,0 +1,75 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit cmake
+
+MY_P="LibVNCServer-${PV}"
+
+DESCRIPTION="library for creating vnc servers"
+HOMEPAGE="https://libvnc.github.io/"
+SRC_URI="https://github.com/LibVNC/${PN}/archive/${MY_P}.tar.gz"
+S="${WORKDIR}/${PN}-${MY_P}"
+
+# libvncserver/tightvnc-filetransfer/*: GPL-2, but we don't build it
+# common/d3des.*: https://github.com/LibVNC/libvncserver/issues/88
+LICENSE="GPL-2+ LGPL-2.1+ BSD MIT"
+# no sub slot wanted (yet), see #578958
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux"
+IUSE="+24bpp gcrypt gnutls ipv6 +jpeg libressl lzo +png sasl ssl systemd +threads +zlib"
+# https://bugs.gentoo.org/690202
+# https://bugs.gentoo.org/435326
+# https://bugs.gentoo.org/550916
+REQUIRED_USE="jpeg? ( zlib ) png? ( zlib ) ssl? ( !gnutls? ( threads ) )"
+
+DEPEND="
+ gcrypt? ( >=dev-libs/libgcrypt-1.5.3:0= )
+ ssl? (
+ !gnutls? (
+ !libressl? ( >=dev-libs/openssl-1.0.2:0= )
+ libressl? ( >=dev-libs/libressl-2.7.0:0= )
+ )
+ gnutls? ( >=net-libs/gnutls-2.12.23-r6:0= )
+ )
+ jpeg? ( >=virtual/jpeg-0-r2:0 )
+ lzo? ( dev-libs/lzo )
+ png? ( >=media-libs/libpng-1.6.10:0= )
+ sasl? ( dev-libs/cyrus-sasl )
+ systemd? ( sys-apps/systemd:= )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1:0= )"
+RDEPEND="${DEPEND}"
+
+DOCS=( AUTHORS ChangeLog NEWS README.md TODO )
+
+PATCHES=(
+ "${FILESDIR}"/${P}-cmake-libdir.patch
+ "${FILESDIR}"/${P}-pkgconfig-libdir.patch
+ "${FILESDIR}"/${P}-libgcrypt.patch
+ "${FILESDIR}"/${P}-sparc-unaligned.patch
+ "${FILESDIR}"/${P}-CVE-2018-20750.patch
+ "${FILESDIR}"/${P}-CVE-2019-15681.patch
+ "${FILESDIR}"/${P}-fix-tight-raw-decoding.patch
+ "${FILESDIR}"/${P}-fix-shutdown-crash.patch
+ "${FILESDIR}"/${P}-CVE-2019-15690.patch
+)
+
+src_configure() {
+ local mycmakeargs=(
+ -DWITH_ZLIB=$(usex zlib ON OFF)
+ -DWITH_LZO=$(usex lzo ON OFF)
+ -DWITH_JPEG=$(usex jpeg ON OFF)
+ -DWITH_PNG=$(usex png ON OFF)
+ -DWITH_THREADS=$(usex threads ON OFF)
+ -DWITH_GNUTLS=$(usex gnutls $(usex ssl ON OFF) OFF)
+ -DWITH_OPENSSL=$(usex gnutls OFF $(usex ssl ON OFF))
+ -DWITH_GCRYPT=$(usex gcrypt ON OFF)
+ -DWITH_SYSTEMD=$(usex systemd ON OFF)
+ -DWITH_FFMPEG=OFF
+ -DWITH_24BPP=$(usex 24bpp ON OFF)
+ -DWITH_IPv6=$(usex ipv6 ON OFF)
+ -DWITH_SASL=$(usex sasl ON OFF)
+ )
+ cmake_src_configure
+}
-- cgit v1.2.3-65-gdbad