r27842 - in /desktop/unstable/vino/debian: changelog patches/05_avoid_out-of-bounds_memory_accesses.patch

ah at users.alioth.debian.org
Mon May 2 19:48:12 UTC 2011


Author: ah
Date: Mon May  2 19:48:11 2011
New Revision: 27842

URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=27842
Log:
Import changes uploaded as 2.28.2-3


Added:
    desktop/unstable/vino/debian/patches/05_avoid_out-of-bounds_memory_accesses.patch
Modified:
    desktop/unstable/vino/debian/changelog

Modified: desktop/unstable/vino/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/vino/debian/changelog?rev=27842&op=diff
==============================================================================
--- desktop/unstable/vino/debian/changelog [utf-8] (original)
+++ desktop/unstable/vino/debian/changelog [utf-8] Mon May  2 19:48:11 2011
@@ -1,3 +1,10 @@
+vino (2.28.2-3) unstable; urgency=high
+
+  * 05_avoid_out-of-bounds_memory_accesses.patch:
+    from upstream fixing CVE-2011-0904 and CVE-2011-0905
+
+ -- Andreas Henriksson <andreas at fatal.se>  Fri, 29 Apr 2011 20:43:39 +0200
+
 vino (2.28.2-2) unstable; urgency=low
 
   [ Josselin Mouette ]
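
Review bot: The new 2.28.2-3 entry identifies the origin of the patch only as "from upstream", which makes the fix hard to trace from the changelog alone. Consider naming the upstream commit (af7847f11681770018ed6e7f86e7a31feabf9963 according to the patch header) and the upstream bugs 641802 and 641803 that the patch cites, next to CVE-2011-0904 and CVE-2011-0905.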

Added: desktop/unstable/vino/debian/patches/05_avoid_out-of-bounds_memory_accesses.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/vino/debian/patches/05_avoid_out-of-bounds_memory_accesses.patch?rev=27842&op=file
==============================================================================
--- desktop/unstable/vino/debian/patches/05_avoid_out-of-bounds_memory_accesses.patch (added)
+++ desktop/unstable/vino/debian/patches/05_avoid_out-of-bounds_memory_accesses.patch [utf-8] Mon May  2 19:48:11 2011
@@ -1,0 +1,35 @@
+From af7847f11681770018ed6e7f86e7a31feabf9963 Mon Sep 17 00:00:00 2001
+From: David King <amigadave at amigadave.com>
+Date: Tue, 26 Apr 2011 22:31:36 +0200
+Subject: [PATCH] Avoid out-of-bounds memory accesses
+
+This fixes two critical security vulnerabilities that lead to an
+out-of-bounds memory write and read with a crafted client framebuffer
+update request packet. The dimensions of the update from the packet are
+checked to ensure that they are within the screen dimensions.
+
+Thanks to Kevin Chen from the Bitblaze group for the reports in bugs
+641802 and 641803. The CVE identifiers for these vulnerabilities are
+CVE-2011-0904 and CVE-2011-0905.
+---
+ server/libvncserver/rfbserver.c |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
+index 8c35853..f02a7f9 100644
+--- a/server/libvncserver/rfbserver.c
++++ b/server/libvncserver/rfbserver.c
+@@ -1163,6 +1163,10 @@ rfbSendFramebufferUpdate(rfbClientPtr cl,
+         cl->rfbRawBytesEquivalent += (sz_rfbFramebufferUpdateRectHeader
+                                       + w * (cl->format.bitsPerPixel / 8) * h);
+ 
++        /* Validate the rectangle given by the update packet. */
++        if (w + x > cl->screen->width || h + y > cl->screen->height)
++            goto tx_error;
++
+         switch (cl->preferredEncoding) {
+         case rfbEncodingRaw:
+             if (!rfbSendRectEncodingRaw(cl, x, y, w, h))
+-- 
+1.7.3.4
+
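
Review bot: The added check in rfbSendFramebufferUpdate tests only the upper bounds, "w + x > cl->screen->width || h + y > cl->screen->height", so it depends on x, y, w and h never being negative and on the sums not wrapping. Their declarations are outside the hunk; if they are signed, a negative x or y can make the sum pass while the rectangle still starts outside the framebuffer, so also reject x < 0, y < 0, w < 0 and h < 0, or compare as w > cl->screen->width - x after checking x itself. The check also sits after the cl->rfbRawBytesEquivalent update in the context lines, which already multiplies the unvalidated w and h; moving the validation above that statement would keep rejected rectangles out of the statistics. Finally, the commit message describes the dimensions as coming from the client's update request packet, but the validation is on the send path; rejecting bad dimensions where the request is parsed would stop them before they reach any other consumer.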