Version in base suite: 1.24+dfsg-1 Base version: renderdoc_1.24+dfsg-1 Target version: renderdoc_1.24+dfsg-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/renderdoc/renderdoc_1.24+dfsg-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/renderdoc/renderdoc_1.24+dfsg-1+deb12u1.dsc changelog | 10 patches/0001-Verify-array-sizes-when-serialising-for-strings.patch | 69 ++++ patches/0002-Don-t-call-ReadLargeBuffer-for-socket-reads.patch | 70 ++++ patches/0003-Sanitise-strings-printed-when-received-from-target-c.patch | 171 ++++++++++ patches/0004-Don-t-open-symlinks-when-opening-logfile.patch | 27 + patches/0005-Fix-incorrect-return-type.patch | 39 ++ patches/series | 5 7 files changed, 391 insertions(+)
diff -Nru renderdoc-1.24+dfsg/debian/changelog renderdoc-1.24+dfsg/debian/changelog
--- renderdoc-1.24+dfsg/debian/changelog 2022-12-14 10:16:36.000000000 +0000
+++ renderdoc-1.24+dfsg/debian/changelog 2024-12-08 12:42:02.000000000 +0000
@@ -1,3 +1,13 @@
+renderdoc (1.24+dfsg-1+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2023-33863: integer overflow
+ * CVE-2023-33864: integer overflow
+ * CVE-2023-33865: symlink attack
+ * Closes: #1037208
+
+ -- Adrian Bunk Sun, 08 Dec 2024 14:42:02 +0200
+
 renderdoc (1.24+dfsg-1) unstable; urgency=medium
 
 * New upstream release
diff -Nru renderdoc-1.24+dfsg/debian/patches/0001-Verify-array-sizes-when-serialising-for-strings.patch renderdoc-1.24+dfsg/debian/patches/0001-Verify-array-sizes-when-serialising-for-strings.patch
--- renderdoc-1.24+dfsg/debian/patches/0001-Verify-array-sizes-when-serialising-for-strings.patch 1970-01-01 00:00:00.000000000 +0000
+++ renderdoc-1.24+dfsg/debian/patches/0001-Verify-array-sizes-when-serialising-for-strings.patch 2024-12-08 06:11:19.000000000 +0000
@@ -0,0 +1,69 @@
+From ee66bc7263e3aa5d81dd4725929feb816063155c Mon Sep 17 00:00:00 2001
+From: baldurk
+Date: Fri, 19 May 2023 09:57:03 +0100
+Subject: Verify array sizes when serialising for strings
+
+* We also limit the array size to 1GB for 32-bit. The 4GB/1GB limit is far
+ larger than reasonable for strings but can be handled the same way regardless.
+---
+ renderdoc/serialise/serialiser.h | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/renderdoc/serialise/serialiser.h b/renderdoc/serialise/serialiser.h
+index 541a9ce7c..0dd3d2bec 100644
+--- a/renderdoc/serialise/serialiser.h
++++ b/renderdoc/serialise/serialiser.h
+@@ -727,7 +727,7 @@ public:
+ arr.ReserveChildren((size_t)size);
+
+ if(IsReading())
+- el.resize((int)size);
++ el.resize((size_t)size);
+
+ if(m_LazyThreshold > 0 && size > m_LazyThreshold)
+ {
+@@ -762,7 +762,7 @@ public:
+ else
+ {
+ if(IsReading())
+- el.resize((int)size);
++ el.resize((size_t)size);
+
+ for(size_t i = 0; i < (size_t)size; i++)
+ SerialiseDispatch::Do(*this, el[i]);
+@@ -1311,7 +1311,8 @@ public:
+ if(IsReading())
+ {
+ m_Read->Read(len);
+- el.resize((int)len);
++ VerifyArraySize(len);
++ el.resize((size_t)len);
+ if(len > 0)
+ m_Read->Read(&el[0], len);
+ }
+@@ -1426,13 +1427,20 @@ private:
+ }
+ };
+
+- void VerifyArraySize(uint64_t &count)
++ template
++ void VerifyArraySize(intSize &count)
+ {
+ uint64_t size = m_Read->GetSize();
+
+- // for streaming, just take 4GB as a 'semi reasonable' upper limit for array sizes
++// for streaming, just take 4GB as a 'semi reasonable' upper limit for array sizes
++// use 1GB on 32-bit to avoid overflows
++#if ENABLED(RDOC_X64)
+ if(m_DataStreaming)
+ size = 0xFFFFFFFFU;
++#else
++ if(m_DataStreaming)
++ size = 0x3FFFFFFFU;
++#endif
+
+ if(count > size)
+ {
+--
+2.30.2
+
diff -Nru renderdoc-1.24+dfsg/debian/patches/0002-Don-t-call-ReadLargeBuffer-for-socket-reads.patch
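Review bot: The new `VerifyArraySize(len)` call in the serialiser.h 1311 hunk runs before `el.resize((size_t)len)`, but what the check does when `count > size` is outside the hunk, so whether it clamps `count`, records an error, or both decides whether the following `resize` and `m_Read->Read(&el[0], len)` are actually bounded; please confirm it clamps, or make the read conditional on its result. On 32-bit builds the new 1GB cap applies only when `m_DataStreaming`; otherwise `size` stays `m_Read->GetSize()`, a `uint64_t`, so a count between 4GB and the stream size would pass the comparison and `(size_t)len` would truncate while `len` itself is still passed to `Read` — worth confirming `GetSize()` cannot exceed `SIZE_MAX` there, or adding a `SIZE_MAX` clamp alongside the streaming one. The two `(int)size` → `(size_t)size` changes at 727 and 762 add no `VerifyArraySize` call in the hunk; presumably `size` is validated earlier in those functions, since `arr.ReserveChildren((size_t)size)` already precedes them, but that is not visible here. `VerifyArraySize`'s body continues outside the hunk.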
renderdoc-1.24+dfsg/debian/patches/0002-Don-t-call-ReadLargeBuffer-for-socket-reads.patch
--- renderdoc-1.24+dfsg/debian/patches/0002-Don-t-call-ReadLargeBuffer-for-socket-reads.patch 1970-01-01 00:00:00.000000000 +0000
+++ renderdoc-1.24+dfsg/debian/patches/0002-Don-t-call-ReadLargeBuffer-for-socket-reads.patch 2024-12-08 06:11:19.000000000 +0000
@@ -0,0 +1,70 @@
+From fb34c1861df395d2b206363bd2cd7c8edfce6c06 Mon Sep 17 00:00:00 2001
+From: baldurk
+Date: Fri, 19 May 2023 09:58:49 +0100
+Subject: Don't call ReadLargeBuffer for socket reads
+
+* In ReadLargeBuffer we read directly into an external buffer with ReadExternal,
+ but for sockets when reading externally we want to read ahead of the current
+ spot (non-blocking) as much as possible to batch small reads together. Rather
+ than making ReadExternal handle or detect reads to external buffers, we
+ instead avoid ReadLargeBuffer as it is an optimisation for direct I/O to avoid
+ unnecessary memcpy's and is not relevant for sockets.
+---
+ renderdoc/serialise/streamio.cpp | 11 ++++++++++-
+ renderdoc/serialise/streamio.h | 4 +++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/renderdoc/serialise/streamio.cpp b/renderdoc/serialise/streamio.cpp
+index 5669c2c01..ebddd33c8 100644
+--- a/renderdoc/serialise/streamio.cpp
++++ b/renderdoc/serialise/streamio.cpp
+@@ -270,7 +270,7 @@ bool StreamReader::Reserve(uint64_t numBytes)
+
+ bool StreamReader::ReadLargeBuffer(void *buffer, uint64_t length)
+ {
+- RDCASSERT(m_Sock || m_File || m_Decompressor);
++ RDCASSERT(m_File || m_Decompressor);
+
+ byte *dest = (byte *)buffer;
+
+@@ -398,6 +398,9 @@ bool StreamReader::ReadFromExternal(void *buffer, uint64_t length)
+ // first get the required data blocking (this will sleep the thread until it comes in).
+ byte *readDest = (byte *)buffer;
+
++ // we expect to be reading into our window buffer
++ RDCASSERT(readDest >= m_BufferBase && readDest <= m_BufferBase + m_BufferSize);
++
+ success = m_Sock->RecvDataBlocking(readDest, (uint32_t)length);
+
+ if(success)
+@@ -407,6 +410,12 @@ bool StreamReader::ReadFromExternal(void *buffer, uint64_t length)
+
+ uint32_t bufSize = uint32_t(m_BufferSize - m_InputSize);
+
++ if(m_InputSize > m_BufferSize)
++ {
++ bufSize = 0;
++ RDCERR("Invalid read in ReadFromExternal!");
++ }
++
+ // now read more, as much as possible, to try and batch future reads
+ success = m_Sock->RecvDataNonBlocking(readDest, bufSize);
+
+diff --git a/renderdoc/serialise/streamio.h b/renderdoc/serialise/streamio.h
+index ec7b53a8a..8b296b876 100644
+--- a/renderdoc/serialise/streamio.h
++++ b/renderdoc/serialise/streamio.h
+@@ -180,7 +180,9 @@ public:
+ // and larger by just skating over the limit each time, but that's fine because the main
+ // case we want to catch is a window that's only a few MB and then suddenly we read 100s of
+ // MB.
+- if(numBytes >= 10 * 1024 * 1024 && Available() + 128 < numBytes)
++ // We don't do this on sockets since we want to opportunistically read more into the window
++ // to batch lots of small reads together.
++ if(m_Sock == NULL && numBytes >= 10 * 1024 * 1024 && Available() + 128 < numBytes)
+ {
+ success = ReadLargeBuffer(data, numBytes);
+ alreadyread = true;
+--
+2.30.2
+
diff -Nru renderdoc-1.24+dfsg/debian/patches/0003-Sanitise-strings-printed-when-received-from-target-c.patch renderdoc-1.24+dfsg/debian/patches/0003-Sanitise-strings-printed-when-received-from-target-c.patch
--- renderdoc-1.24+dfsg/debian/patches/0003-Sanitise-strings-printed-when-received-from-target-c.patch 1970-01-01 00:00:00.000000000 +0000
+++ renderdoc-1.24+dfsg/debian/patches/0003-Sanitise-strings-printed-when-received-from-target-c.patch 2024-12-08 06:11:19.000000000 +0000
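Review bot: The new `RDCASSERT` in the streamio.cpp 398 hunk checks only where the write starts, not that `length` bytes fit: `readDest <= m_BufferBase + m_BufferSize` is satisfied by a destination at the very end of the window, and the next line then receives `length` bytes into it. A check covering the whole write would be `RDCASSERT(readDest >= m_BufferBase && readDest + length <= m_BufferBase + m_BufferSize);`, and since it is not visible here whether RDCASSERT survives in release builds, a hard failure path (returning false, as the `RDCERR` branch below does for `bufSize`) is worth considering for that configuration. In the 407 hunk, `bufSize = uint32_t(m_BufferSize - m_InputSize)` is evaluated before the new `m_InputSize > m_BufferSize` guard, so the unsigned subtraction still wraps and is only overwritten afterwards; placing the guard ahead of the subtraction avoids the wrap entirely and reads more clearly. `ReadFromExternal` starts and ends outside the hunk.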
@@ -0,0 +1,171 @@
+From 1006007cc88d6727a993c1e9bbe6eb58dafa88ab Mon Sep 17 00:00:00 2001
+From: baldurk
+Date: Fri, 19 May 2023 10:28:58 +0100
+Subject: Sanitise strings printed when received from target control/remote
+ server
+
+* Given socket corruption or network errors these strings could contain
+ unprintable characters so we sanitise them reasonably. This also ameliorates a
+ potential security concern with arbitrary strings being written to a log, but
+ these connections are still considered trusted and users should not be
+ exposing RenderDoc ports to the internet.
+---
+ renderdoc/common/common.cpp | 11 +++++++++++
+ renderdoc/core/remote_server.cpp | 2 +-
+ renderdoc/core/target_control.cpp | 29 ++++++++++++++++++-----------
+ renderdoc/strings/string_utils.cpp | 12 ++++++++++++
+ renderdoc/strings/string_utils.h | 5 +++++
+ 5 files changed, 47 insertions(+), 12 deletions(-)
+
+diff --git a/renderdoc/common/common.cpp b/renderdoc/common/common.cpp
+index f026eea16..670b3fbd0 100644
+--- a/renderdoc/common/common.cpp
++++ b/renderdoc/common/common.cpp
+@@ -473,6 +473,17 @@ void rdclog_direct(time_t utcTime, uint32_t pid, LogType type, const char *proje
+ va_end(args2);
+ }
+
++ // normalise newlines
++ {
++ char *nl = base;
++ while(*nl)
++ {
++ if(*nl == '\r')
++ *nl = '\n';
++ nl++;
++ }
++ }
++
+ // likely path - string contains no newlines
+ char *nl = strchr(base, '\n');
+ if(nl == NULL)
+diff --git a/renderdoc/core/remote_server.cpp b/renderdoc/core/remote_server.cpp
+index 4944ab394..5153562f2 100644
+--- a/renderdoc/core/remote_server.cpp
++++ b/renderdoc/core/remote_server.cpp
+@@ -464,7 +464,7 @@ static void ActiveRemoteClientThread(ClientThread *threadData,
+
+ reader.EndChunk();
+
+- RDCLOG("Taking ownership of '%s'.", path.c_str());
++ RDCLOG("Taking ownership of capture.");
+
+ tempFiles.push_back(path);
+ }
+diff --git a/renderdoc/core/target_control.cpp b/renderdoc/core/target_control.cpp
+index a63a4a2e6..bfc6a3ddd 100644
+--- a/renderdoc/core/target_control.cpp
++++ b/renderdoc/core/target_control.cpp
+@@ -31,6 +31,7 @@
+ #include "os/os_specific.h"
+ #include "replay/replay_driver.h"
+ #include "serialise/serialiser.h"
++#include "strings/string_utils.h"
+
+ static const uint32_t TargetControlProtocolVersion = 9;
+
+@@ -484,6 +485,8 @@ void RenderDoc::TargetControlServerThread(Network::Socket *sock)
+
+ ser.EndChunk();
+
++ strip_nonbasic(newClient);
++
+ if(newClient.empty() || !IsProtocolVersionSupported(version))
+ {
+ RDCLOG("Invalid/Unsupported handshake '%s' / %d", newClient.c_str(), version);
+@@ -605,12 +608,23 @@ public:
+
+ m_Version = 0;
+
++ if(type == ePacket_Handshake)
+ {
+ READ_DATA_SCOPE();
+ SERIALISE_ELEMENT(m_Version);
+ SERIALISE_ELEMENT(m_Target);
+ SERIALISE_ELEMENT(m_PID);
+ }
++ else if(type == ePacket_Busy)
++ {
++ READ_DATA_SCOPE();
++ SERIALISE_ELEMENT(m_Version);
++ SERIALISE_ELEMENT(m_Target);
++ SERIALISE_ELEMENT(m_BusyClient);
++ }
++
++ strip_nonbasic(m_Target);
++ strip_nonbasic(m_BusyClient);
+
+ reader.EndChunk();
+
+@@ -745,17 +759,6 @@ public:
+ reader.EndChunk();
+ return msg;
+ }
+- else if(type == ePacket_Busy)
+- {
+- READ_DATA_SCOPE();
+- SERIALISE_ELEMENT(msg.busy.clientName).Named("Client Name"_lit);
+-
+- SAFE_DELETE(m_Socket);
+-
+- RDCLOG("Got busy signal: '%s", msg.busy.clientName.c_str());
+- msg.type = TargetControlMessageType::Busy;
+- return msg;
+- }
+ else if(type == ePacket_NewChild)
+ {
+ msg.type = TargetControlMessageType::NewChild;
+@@ -884,8 +887,12 @@ public:
+ RDCLOG("Used API: %s (%s & %s)", msg.apiUse.name.c_str(),
+ presenting ? "Presenting" : "Not presenting",
+ supported ? "supported" : "not supported");
++
+ if(!supportMessage.empty())
++ {
++ strip_nonbasic(supportMessage);
+ RDCLOG("Support: %s", supportMessage.c_str());
++ }
+
+ reader.EndChunk();
+ return msg;
+diff --git a/renderdoc/strings/string_utils.cpp b/renderdoc/strings/string_utils.cpp
+index 100ec9773..b2d02c8b4 100644
+--- a/renderdoc/strings/string_utils.cpp
++++ b/renderdoc/strings/string_utils.cpp
+@@ -141,6 +141,18 @@ rdcstr strip_extension(const rdcstr &path)
+ return path.substr(0, offs);
+ }
+
++rdcstr strip_nonbasic(rdcstr &str)
++{
++ for(char &c : str)
++ {
++ if((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '.' ||
++ c == ' ')
++ continue;
++
++ c = '_';
++ }
++}
++
+ void split(const rdcstr &in, rdcarray &out, const char sep)
+ {
+ if(in.empty())
+diff --git a/renderdoc/strings/string_utils.h b/renderdoc/strings/string_utils.h
+index e833b7263..bb6c45a2f 100644
+--- a/renderdoc/strings/string_utils.h
++++ b/renderdoc/strings/string_utils.h
+@@ -37,5 +37,10 @@ rdcstr get_basename(const rdcstr &path);
+ rdcstr get_dirname(const rdcstr &path);
+ rdcstr strip_extension(const rdcstr &path);
+
++// remove everything but alphanumeric ' ' and '.'
++// It replaces everything else with _
++// for logging strings where they might contain garbage characters
++rdcstr strip_nonbasic(rdcstr &str);
++
+ void split(const rdcstr &in, rdcarray &out, const char sep);
+ void merge(const rdcarray &in, rdcstr &out, const char sep);
+--
+2.30.2
+
diff -Nru renderdoc-1.24+dfsg/debian/patches/0004-Don-t-open-symlinks-when-opening-logfile.patch renderdoc-1.24+dfsg/debian/patches/0004-Don-t-open-symlinks-when-opening-logfile.patch
--- renderdoc-1.24+dfsg/debian/patches/0004-Don-t-open-symlinks-when-opening-logfile.patch 1970-01-01 00:00:00.000000000 +0000
+++ renderdoc-1.24+dfsg/debian/patches/0004-Don-t-open-symlinks-when-opening-logfile.patch 2024-12-08 06:11:19.000000000 +0000
@@ -0,0 +1,27 @@
+From bcdc4f166b433710ff7ca3684ee339065a711f9a Mon Sep 17 00:00:00 2001
+From: baldurk
+Date: Fri, 19 May 2023 10:47:12 +0100
+Subject: Don't open symlinks when opening logfile
+
+---
+ renderdoc/os/posix/posix_stringio.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/renderdoc/os/posix/posix_stringio.cpp b/renderdoc/os/posix/posix_stringio.cpp
+index f27bad820..495f2def0 100644
+--- a/renderdoc/os/posix/posix_stringio.cpp
++++ b/renderdoc/os/posix/posix_stringio.cpp
+@@ -505,8 +505,8 @@ rdcstr logfile_readall(uint64_t offset, const rdcstr &filename)
+
+ LogFileHandle *logfile_open(const rdcstr &filename)
+ {
+- int fd =
+- open(filename.c_str(), O_APPEND | O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
++ int fd = open(filename.c_str(), O_APPEND | O_WRONLY | O_CREAT | O_NOFOLLOW,
++ S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+
+ if(fd < 0)
+ {
+--
+2.30.2
+
diff -Nru renderdoc-1.24+dfsg/debian/patches/0005-Fix-incorrect-return-type.patch renderdoc-1.24+dfsg/debian/patches/0005-Fix-incorrect-return-type.patch
--- renderdoc-1.24+dfsg/debian/patches/0005-Fix-incorrect-return-type.patch 1970-01-01 00:00:00.000000000 +0000
+++ renderdoc-1.24+dfsg/debian/patches/0005-Fix-incorrect-return-type.patch 2024-12-08 06:11:19.000000000 +0000
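Review bot: `O_NOFOLLOW` in `logfile_open` only refuses a symlink at the final path component; a symlink in a parent directory of `filename` is still followed, and because the flags are `O_CREAT` without `O_EXCL`, a pre-existing regular file at that path is still opened for append with the given mode. Where the log directory can be shared between users, an `fstat` after `open` that confirms `S_ISREG` and the expected owner (or keeping the log under a per-user directory) closes that remaining gap; the hunk does not show where `filename` comes from, so this may already be guaranteed by the caller. Adding `O_CLOEXEC` to the same flag set is cheap and keeps the log descriptor from being inherited by any process this one spawns. `logfile_open` continues outside the hunk.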
@@ -0,0 +1,39 @@
+From c949b20cb634ea1fd101a2c0ecf6c4f401990c52 Mon Sep 17 00:00:00 2001
+From: baldurk
+Date: Fri, 19 May 2023 10:58:29 +0100
+Subject: Fix incorrect return type
+
+---
+ renderdoc/strings/string_utils.cpp | 2 +-
+ renderdoc/strings/string_utils.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/renderdoc/strings/string_utils.cpp b/renderdoc/strings/string_utils.cpp
+index b2d02c8b4..61addb115 100644
+--- a/renderdoc/strings/string_utils.cpp
++++ b/renderdoc/strings/string_utils.cpp
+@@ -141,7 +141,7 @@ rdcstr strip_extension(const rdcstr &path)
+ return path.substr(0, offs);
+ }
+
+-rdcstr strip_nonbasic(rdcstr &str)
++void strip_nonbasic(rdcstr &str)
+ {
+ for(char &c : str)
+ {
+diff --git a/renderdoc/strings/string_utils.h b/renderdoc/strings/string_utils.h
+index bb6c45a2f..3a5a5983a 100644
+--- a/renderdoc/strings/string_utils.h
++++ b/renderdoc/strings/string_utils.h
+@@ -40,7 +40,7 @@ rdcstr strip_extension(const rdcstr &path);
+ // remove everything but alphanumeric ' ' and '.'
+ // It replaces everything else with _
+ // for logging strings where they might contain garbage characters
+-rdcstr strip_nonbasic(rdcstr &str);
++void strip_nonbasic(rdcstr &str);
+
+ void split(const rdcstr &in, rdcarray &out, const char sep);
+ void merge(const rdcarray &in, rdcstr &out, const char sep);
+--
+2.30.2
+
diff -Nru renderdoc-1.24+dfsg/debian/patches/series renderdoc-1.24+dfsg/debian/patches/series
--- renderdoc-1.24+dfsg/debian/patches/series 2022-12-14 10:12:23.000000000 +0000
+++ renderdoc-1.24+dfsg/debian/patches/series 2024-12-08 12:42:00.000000000 +0000
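Review bot: The header comment above `strip_nonbasic` in the string_utils.h 40 hunk stays as three loosely worded context lines while the signature beneath it is corrected; since this is the declaration callers read, it would be clearer as one precise contract, e.g. `// In place: replaces every byte that is not an ASCII letter, digit, ' ' or '.' with '_'.` followed by `// Byte-wise, so multi-byte UTF-8 sequences become runs of '_'; intended only for strings received from a peer before they are logged.` The byte-wise behaviour follows from the `for(char &c : str)` loop in string_utils.cpp, and every call site added in the preceding patch discards the result, so the `rdcstr` → `void` change is safe for them.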
@@ -16,3 +16,8 @@
 0016-qrenderdoc-Fix-misspelling-hiearchy-hierarchy.patch
 0017-renderdoc-Fix-misspelling-persistant-persistent.patch
 0018-renderdoc-Patch-for-glslang-11.12.0.patch
+0001-Verify-array-sizes-when-serialising-for-strings.patch
+0002-Don-t-call-ReadLargeBuffer-for-socket-reads.patch
+0003-Sanitise-strings-printed-when-received-from-target-c.patch
+0004-Don-t-open-symlinks-when-opening-logfile.patch
+0005-Fix-incorrect-return-type.patch