r27841 - in /desktop/experimental/vino/debian: changelog patches/05_avoid_out-of-bounds_memory_accesses.patch patches/series
ah at users.alioth.debian.org
Mon May 2 19:36:15 UTC 2011
Author: ah
Date: Mon May 2 19:36:08 2011
New Revision: 27841
URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=27841
Log:
Import changes uploaded as 3.0.0-3
Added:
desktop/experimental/vino/debian/patches/05_avoid_out-of-bounds_memory_accesses.patch
Modified:
desktop/experimental/vino/debian/changelog
desktop/experimental/vino/debian/patches/series
Modified: desktop/experimental/vino/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/experimental/vino/debian/changelog?rev=27841&op=diff
==============================================================================
--- desktop/experimental/vino/debian/changelog [utf-8] (original)
+++ desktop/experimental/vino/debian/changelog [utf-8] Mon May 2 19:36:08 2011
@@ -1,3 +1,10 @@
+vino (3.0.0-3) experimental; urgency=high
+
+ * 05_avoid_out-of-bounds_memory_accesses.patch:
+ from upstream fixing CVE-2011-0904 and CVE-2011-0905
+
+ -- Andreas Henriksson <andreas at fatal.se> Fri, 29 Apr 2011 20:49:28 +0200
+
vino (3.0.0-2) experimental; urgency=low
* Request NetworkManager support only if building on a Linux arch.
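Review bot: the 3.0.0-3 entry describes the fix only as "from upstream", with no pointer to where it came from. Naming the upstream commit (af7847f11681770018ed6e7f86e7a31feabf9963, from the patch header) or the upstream bugs 641802 and 641803 alongside the two CVE identifiers would let anyone auditing the package trace the fix without opening the patch file.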
Added: desktop/experimental/vino/debian/patches/05_avoid_out-of-bounds_memory_accesses.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/experimental/vino/debian/patches/05_avoid_out-of-bounds_memory_accesses.patch?rev=27841&op=file
==============================================================================
--- desktop/experimental/vino/debian/patches/05_avoid_out-of-bounds_memory_accesses.patch (added)
+++ desktop/experimental/vino/debian/patches/05_avoid_out-of-bounds_memory_accesses.patch [utf-8] Mon May 2 19:36:08 2011
@@ -1,0 +1,35 @@
+From af7847f11681770018ed6e7f86e7a31feabf9963 Mon Sep 17 00:00:00 2001
+From: David King <amigadave at amigadave.com>
+Date: Tue, 26 Apr 2011 22:31:36 +0200
+Subject: [PATCH] Avoid out-of-bounds memory accesses
+
+This fixes two critical security vulnerabilities that lead to an
+out-of-bounds memory write and read with a crafted client framebuffer
+update request packet. The dimensions of the update from the packet are
+checked to ensure that they are within the screen dimensions.
+
+Thanks to Kevin Chen from the Bitblaze group for the reports in bugs
+641802 and 641803. The CVE identifiers for these vulnerabilities are
+CVE-2011-0904 and CVE-2011-0905.
+---
+ server/libvncserver/rfbserver.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
+index 8c35853..f02a7f9 100644
+--- a/server/libvncserver/rfbserver.c
++++ b/server/libvncserver/rfbserver.c
+@@ -1163,6 +1163,10 @@ rfbSendFramebufferUpdate(rfbClientPtr cl,
+ cl->rfbRawBytesEquivalent += (sz_rfbFramebufferUpdateRectHeader
+ + w * (cl->format.bitsPerPixel / 8) * h);
+
++ /* Validate the rectangle given by the update packet. */
++ if (w + x > cl->screen->width || h + y > cl->screen->height)
++ goto tx_error;
++
+ switch (cl->preferredEncoding) {
+ case rfbEncodingRaw:
+ if (!rfbSendRectEncodingRaw(cl, x, y, w, h))
+--
+1.7.3.4
+
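Review bot: the added check `if (w + x > cl->screen->width || h + y > cl->screen->height)` in rfbSendFramebufferUpdate tests only the right and bottom edges, and it runs after the `cl->rfbRawBytesEquivalent +=` update shown in the context lines, so a rectangle that is about to be rejected has already been counted in the statistics. The declarations of x, y, w and h are not visible in this hunk; if they are signed, a negative origin or size, or a sum that overflows, would still satisfy the comparison. Consider rejecting negative values explicitly and moving the validation above the counter update, so that nothing is computed from the rectangle before it has been checked.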
Modified: desktop/experimental/vino/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/experimental/vino/debian/patches/series?rev=27841&op=diff
==============================================================================
--- desktop/experimental/vino/debian/patches/series [utf-8] (original)
+++ desktop/experimental/vino/debian/patches/series [utf-8] Mon May 2 19:36:08 2011
@@ -1,4 +1,5 @@
01_ipv6-fix.patch
02_server_sm-disable.patch
03_config_h_defines.patch
+05_avoid_out-of-bounds_memory_accesses.patch
11_hurd_maxhostnamelen.patch