authorMart Raudsepp <leio@gentoo.org>2020-02-16 15:03:12 +0200
committerMart Raudsepp <leio@gentoo.org>2020-02-16 19:27:50 +0200
commit56b1a55f56872459376e4f24cdf272477844123c (patch)
tree3fc3e48c61e6835525163c4646e07e58f310bc64 /net-misc/vino/files
parentwww-plugins/chrome-binary-plugins: automated update (diff)
net-misc/vino: apply 3 security fixes and misc upstream fixes
Adds a patchset for a plethora of translation updates and a couple of bug fixes pending in master without any releases for years. The security fixes are not found in upstream and are ported separately from libvncserver commits. Bug: https://bugs.gentoo.org/701836 Package-Manager: Portage-2.3.84, Repoman-2.3.20 Signed-off-by: Mart Raudsepp <leio@gentoo.org>
Diffstat (limited to 'net-misc/vino/files')
-rw-r--r--net-misc/vino/files/CVE-2014-6053.patch31
-rw-r--r--net-misc/vino/files/CVE-2018-7225.patch64
-rw-r--r--net-misc/vino/files/CVE-2019-15681.patch26
3 files changed, 121 insertions, 0 deletions
diff --git a/net-misc/vino/files/CVE-2014-6053.patch b/net-misc/vino/files/CVE-2014-6053.patch
new file mode 100644
index 000000000000..8830c30f870d
--- /dev/null
+++ b/net-misc/vino/files/CVE-2014-6053.patch
@@ -0,0 +1,31 @@
+From b1bfadcbfd88970c6d48672e2dbcca8713c91411 Mon Sep 17 00:00:00 2001
+From: Nicolas Ruff <nruff@google.com>
+Date: Mon, 18 Aug 2014 15:16:16 +0200
+Subject: [PATCH 1/3] Check malloc() return value on client->server
+ ClientCutText message. Client can send up to 2**32-1 bytes of text, and such
+ a large allocation is likely to fail in case of high memory pressure. This
+ would in a server crash (write at address 0).
+
+---
+ server/libvncserver/rfbserver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
+index a880b53..2615dc3 100644
+--- a/server/libvncserver/rfbserver.c
++++ b/server/libvncserver/rfbserver.c
+@@ -853,6 +853,11 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
+ msg.cct.length = Swap32IfLE(msg.cct.length);
+
+ str = (char *)malloc(msg.cct.length);
++ if (str == NULL) {
++ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
++ rfbCloseClient(cl);
++ return;
++ }
+
+ if ((n = ReadExact(cl, str, msg.cct.length)) <= 0) {
+ if (n != 0)
+--
+2.20.1
+
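Review bot: The three patches form an ordered series (Subject lines `[PATCH 1/3]`…`[PATCH 3/3]`, and each `index` line's post-image is the next patch's pre-image: `a880b53..2615dc3`, `2615dc3..2224edb`, `2224edb..ca4f59b`), so CVE-2018-7225.patch and CVE-2019-15681.patch only apply after this one, yet nothing in the files records that dependency. Since the ebuild is outside this diffstat, I would add a line to this patch's header such as `Must be applied before CVE-2018-7225.patch, whose context depends on the NULL check added here.` Within this patch alone a zero-length ClientCutText still reaches `malloc(0)`, which may return NULL on some platforms and would then be reported as an out-of-memory error and close the client; the zero-length and 1 MB handling in CVE-2018-7225.patch is what closes that gap, another reason to document the ordering. The rest of rfbProcessClientNormalMessage, including the ReadExact error path, lies outside the hunk.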
diff --git a/net-misc/vino/files/CVE-2018-7225.patch b/net-misc/vino/files/CVE-2018-7225.patch
new file mode 100644
index 000000000000..1b1186b4fe78
--- /dev/null
+++ b/net-misc/vino/files/CVE-2018-7225.patch
@@ -0,0 +1,64 @@
+From d8a663541ef358a13fed2fbb39e7d323454369dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 26 Feb 2018 13:48:00 +0100
+Subject: [PATCH 2/3] Limit client cut text length to 1 MB
+
+This patch constrains a client cut text length to 1 MB. Otherwise
+a client could make server allocate 2 GB of memory and that seems to
+be to much to classify it as a denial of service.
+
+The limit also prevents from an integer overflow followed by copying
+an uninitilized memory when processing msg.cct.length value larger
+than SIZE_MAX or INT_MAX - sz_rfbClientCutTextMsg.
+
+This patch also corrects accepting length value of zero (malloc(0) is
+interpreted on differnet systems differently).
+
+CVE-2018-7225
+<https://github.com/LibVNC/libvncserver/issues/218>
+---
+ server/libvncserver/rfbserver.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
+index 2615dc3..2224edb 100644
+--- a/server/libvncserver/rfbserver.c
++++ b/server/libvncserver/rfbserver.c
+@@ -59,6 +59,9 @@
+ #define DEBUGPROTO(x)
+ #endif
+
++/* PRIu32 */
++#include <inttypes.h>
++
+ rfbClientPtr pointerClient = NULL; /* Mutex for pointer events */
+
+ static void rfbProcessClientProtocolVersion(rfbClientPtr cl);
+@@ -852,7 +855,23 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
+
+ msg.cct.length = Swap32IfLE(msg.cct.length);
+
+- str = (char *)malloc(msg.cct.length);
++ /* uint32_t input is passed to malloc()'s size_t argument,
++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
++ * argument. Here we impose a limit of 1 MB so that the value fits
++ * into all of the types to prevent from misinterpretation and thus
++ * from accessing uninitialized memory (CVE-2018-7225) and also to
++ * prevent from a denial-of-service by allocating to much memory in
++ * the server. */
++ if (msg.cct.length > 1<<20) {
++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
++ msg.cct.length);
++ rfbCloseClient(cl);
++ return;
++ }
++
++ /* Allow zero-length client cut text. */
++ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+ if (str == NULL) {
+ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+ rfbCloseClient(cl);
+--
+2.20.1
+
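Review bot: The new `#include <inttypes.h>` lands mid-file after the `DEBUGPROTO` `#endif` rather than with the file's other includes, and the bound is a bare `1<<20` with its meaning only in the comment above it. Hoisting the include to the top and naming the constant, e.g. `#define MAX_CLIENT_CUT_TEXT_LEN (1 << 20)`, would make the comparison `if (msg.cct.length > MAX_CLIENT_CUT_TEXT_LEN) {` self-explanatory and easier to audit later. The comment `/* Allow zero-length client cut text. */` promises that a zero length is accepted, but the `ReadExact(cl, str, msg.cct.length) <= 0` check that follows is outside this hunk, so whether a zero-byte read is treated as success in vino's ReadExact cannot be confirmed here and is worth verifying.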
diff --git a/net-misc/vino/files/CVE-2019-15681.patch b/net-misc/vino/files/CVE-2019-15681.patch
new file mode 100644
index 000000000000..31bb47ee9b27
--- /dev/null
+++ b/net-misc/vino/files/CVE-2019-15681.patch
@@ -0,0 +1,26 @@
+From d9f3fa0ede556c6a751a8ca6c8bc37e769715233 Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH 3/3] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+---
+ server/libvncserver/rfbserver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
+index 2224edb..ca4f59b 100644
+--- a/server/libvncserver/rfbserver.c
++++ b/server/libvncserver/rfbserver.c
+@@ -1565,6 +1565,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len)
+ rfbServerCutTextMsg sct;
+ rfbClientIteratorPtr iterator;
+
++ memset((char *)&sct, 0, sizeof(sct));
++
+ iterator = rfbGetClientIterator(rfbScreen);
+ while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
+ /* Client is not authenticated, ignore. See GNOME bug 678434. */
+--
+2.20.1
+
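Review bot: The added `memset((char *)&sct, 0, sizeof(sct));` carries no comment saying what it protects against, and the `(char *)` cast is unnecessary since memset takes `void *`. I would write it as `memset(&sct, 0, sizeof sct); /* zero padding bytes so uninitialised stack is never written to the client */`, which ties the line to the subject "don't leak stack memory to the remote" for readers of the file rather than the patch header. The remainder of rfbSendServerCutText, including where sct is filled and written out, is outside the hunk.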