Version in base suite: 1.3.9-9

Base version: tightvnc_1.3.9-9
Target version: tightvnc_1.3.9-9+deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tightvnc/tightvnc_1.3.9-9.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tightvnc/tightvnc_1.3.9-9+deb10u1.dsc

 changelog                          |   23 ++++++++++++++++
 patches/CVE-2014-6053.patch        |   29 +++++++++++++++++++++
 patches/CVE-2018-20021.patch       |   22 +++++++++++++++
 patches/CVE-2018-20022.patch       |   31 ++++++++++++++++++++++
 patches/CVE-2018-7225.patch        |   51 +++++++++++++++++++++++++++++++++++++
 patches/CVE-2019-15678-addon.patch |   28 ++++++++++++++++++++
 patches/CVE-2019-15678.patch       |   28 ++++++++++++++++++++
 patches/CVE-2019-15679.patch       |   33 +++++++++++++++++++++++
 patches/CVE-2019-15680.patch       |   16 +++++++++++
 patches/CVE-2019-15681.patch       |   20 ++++++++++++++
 patches/CVE-2019-8287.patch        |   23 ++++++++++++++++
 patches/series                     |   10 +++++++
 12 files changed, 314 insertions(+)

diff -Nru tightvnc-1.3.9/debian/changelog tightvnc-1.3.9/debian/changelog
--- tightvnc-1.3.9/debian/changelog	2017-01-27 21:08:21.000000000 +0000
+++ tightvnc-1.3.9/debian/changelog	2019-12-21 09:35:50.000000000 +0000
@@ -1,3 +1,26 @@
+tightvnc (1:1.3.9-9+deb10u1) buster; urgency=medium
+
+  * Security upload. (Closes: #945364).
+  * CVE-2014-6053: Check malloc() return value on client->server ClientCutText
+    message.
+  * CVE-2018-20020: Fix heap out-of-bound write vulnerability inside structure
+    in VNC client code.
+  * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+  * CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+  * CVE-2018-7225: Uninitialized and potentially sensitive data could be
+    accessed by remote attackers because the msg.cct.length in rfbserver.c was
+    not sanitized.
+  * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB.
+  * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore
+    server-sent reason strings longer than 1MB (see CVE-2018-20748/
+    libvncserver).
+  * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name
+    length received before allocating memory for it and limit it to 1MB.
+  * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c.
+  * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.
+
+ -- Mike Gabriel <sunweaver@debian.org>  Sat, 21 Dec 2019 10:35:50 +0100
+
 tightvnc (1:1.3.9-9) unstable; urgency=high
 
   * Reverted the transition. Tigervnc is not ready for being a full
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch
--- tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch	1970-01-01 00:00:00.000000000 +0000
+++ tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch	2019-12-19 20:39:14.000000000 +0000
@@ -0,0 +1,29 @@
+From 6037a9074d52b1963c97cb28ea1096c7c14cbf28 Mon Sep 17 00:00:00 2001
+From: Nicolas Ruff <nruff@google.com>
+Date: Mon, 18 Aug 2014 15:16:16 +0200
+Subject: [PATCH] Check malloc() return value on client->server ClientCutText
+ message. Client can send up to 2**32-1 bytes of text, and such a large
+ allocation is likely to fail in case of high memory pressure. This would in a
+ server crash (write at address 0).
+
+[sunweaver] port libvncserver patch over to tightvnc's vnc server code
+
+---
+ libvncserver/rfbserver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
+@@ -891,6 +891,12 @@
+ 
+ 	str = (char *)xalloc(msg.cct.length);
+ 
++	if (str == NULL) {
++		rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
++		rfbCloseSock(cl->sock);
++		return;
++	}
++
+ 	if ((n = ReadExact(cl->sock, str, msg.cct.length)) <= 0) {
+ 	    if (n != 0)
+ 		rfbLogPerror("rfbProcessClientNormalMessage: read");
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch
--- tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch	1970-01-01 00:00:00.000000000 +0000
+++ tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch	2019-12-19 20:38:55.000000000 +0000
@@ -0,0 +1,22 @@
+Description: CVE-2018-20021
+ CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows
+ attacker to consume excessive amount of resources like CPU and RAM
+---
+
+Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
+Bug: https://github.com/LibVNC/libvncserver/issues/251
+Bug-Debian: https://bugs.debian.org/916941
+
+[sunweaver] port libvncclient patch over to tightvnc's vncviewer code
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1021,7 +1021,7 @@
+ 	bytesPerLine = rect.r.w * myFormat.bitsPerPixel / 8;
+ 	linesToRead = BUFFER_SIZE / bytesPerLine;
+ 
+-	while (rect.r.h > 0) {
++	while (linesToRead && rect.r.h > 0) {
+ 	  if (linesToRead > rect.r.h)
+ 	    linesToRead = rect.r.h;
+ 
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch
--- tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch	1970-01-01 00:00:00.000000000 +0000
+++ tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch	2019-12-19 20:47:41.000000000 +0000
@@ -0,0 +1,31 @@
+Description: CVE-2018-20022
+ multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC
+ client code that allows attacker to read stack memory and can be abused for
+ information disclosure. Combined with another vulnerability, it can be used
+ to leak stack memory layout and in bypassing ASLR
+---
+
+Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
+Bug: https://github.com/LibVNC/libvncserver/issues/252
+Bug-Debian: https://bugs.debian.org/916941
+
+[sunweaver] ported from libvncclient to tightvnc's vncviewer code
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -886,6 +886,7 @@
+ {
+   rfbKeyEventMsg ke;
+ 
++  memset(&ke, 0, sizeof(ke));
+   ke.type = rfbKeyEvent;
+   ke.down = down ? 1 : 0;
+   ke.key = Swap32IfLE(key);
+@@ -906,6 +907,7 @@
+     free(serverCutText);
+   serverCutText = NULL;
+ 
++  memset(&cct, 0, sizeof(cct));
+   cct.type = rfbClientCutText;
+   cct.length = Swap32IfLE(len);
+   return  (WriteExact(rfbsock, (char *)&cct, sz_rfbClientCutTextMsg) &&
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch
--- tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch	1970-01-01 00:00:00.000000000 +0000
+++ tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch	2019-12-19 20:39:37.000000000 +0000
@@ -0,0 +1,51 @@
+From: Mike Gabriel <sunweaver@debian.org>
+Date: Tue, 5 Jun 2018 14:04:07 +0200
+Subject: CVE-2018-7225
+
+Bug-Debian: https://bugs.debian.org/894045
+Origin: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee
+
+[sunweaver] port libvncserver patch over to tightvnc's VNC server code
+
+---
+ libvncserver/rfbserver.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+
+--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
+@@ -43,6 +43,9 @@
+ #include <vncserverctrl.h>
+ #endif
+ 
++/* PRIu32 */
++#include <inttypes.h>
++
+ char updateBuf[UPDATE_BUF_SIZE];
+ int ublen;
+ 
+@@ -889,7 +892,23 @@
+ 
+ 	msg.cct.length = Swap32IfLE(msg.cct.length);
+ 
+-	str = (char *)xalloc(msg.cct.length);
++	/* uint32_t input is passed to malloc()'s size_t argument,
++	 * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++	 * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
++	 * argument. Here we impose a limit of 1 MB so that the value fits
++	 * into all of the types to prevent from misinterpretation and thus
++	 * from accessing uninitialized memory (CVE-2018-7225) and also to
++	 * prevent from a denial-of-service by allocating to much memory in
++	 * the server. */
++	if (msg.cct.length > 1<<20) {
++	    rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
++	            msg.cct.length);
++	    rfbCloseSock(cl->sock);
++	    return;
++	}
++
++	/* Allow zero-length client cut text. */
++	str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+ 
+ 	if (str == NULL) {
+ 		rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch	1970-01-01 00:00:00.000000000 +0000
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch	2019-12-20 21:32:50.000000000 +0000
@@ -0,0 +1,28 @@
+From e34bcbb759ca5bef85809967a268fdf214c1ad2c Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sat, 29 Dec 2018 14:40:53 +0100
+Subject: [PATCH] LibVNCClient: ignore server-sent reason strings longer than
+ 1MB
+
+Fixes #273
+
+[sunweaver] Extract these few lines from the above referenced patch and port to tightvnc.
+            This patch was part of the fix series for CVE-2018-20748/libvncserver
+
+---
+ libvncclient/rfbproto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1293,6 +1293,10 @@
+ 
+   if (ReadFromRFBServer((char *)&reasonLen, sizeof(reasonLen))) {
+     reasonLen = Swap32IfLE(reasonLen);
++    if(reasonLen > 1<<20) {
++      fprintf(stderr, "VNC connection failed, but sent reason length of %u exceeds limit of 1MB",(unsigned int)reasonLen);
++      return;
++    }
+     if ((reason = malloc(reasonLen)) != NULL &&
+         ReadFromRFBServer(reason, reasonLen)) {
+       fprintf(stderr,"%.*s\n", (int)reasonLen, reason);
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch	1970-01-01 00:00:00.000000000 +0000
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch	2019-12-20 21:32:35.000000000 +0000
@@ -0,0 +1,28 @@
+From c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sat, 29 Dec 2018 14:16:58 +0100
+Subject: [PATCH] LibVNCClient: ignore server-sent cut text longer than 1MB
+
+This is in line with how LibVNCServer does it
+(28afb6c537dc82ba04d5f245b15ca7205c6dbb9c) and fixes part of #273.
+
+[sunweaver] Port to tightvnc.
+
+---
+ libvncclient/rfbproto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1214,6 +1214,11 @@
+ 
+     msg.sct.length = Swap32IfLE(msg.sct.length);
+ 
++    if (msg.sct.length > 1<<20) {
++	    fprintf(stderr, "Ignoring too big cut text length sent by server: %u B > 1 MB\n", (unsigned int)msg.sct.length);
++	    return False;
++    }
++
+     if (serverCutText)
+       free(serverCutText);
+ 
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch	1970-01-01 00:00:00.000000000 +0000
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch	2019-12-20 21:32:08.000000000 +0000
@@ -0,0 +1,33 @@
+From c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sun, 6 Jan 2019 14:20:37 +0100
+Subject: [PATCH] LibVNCClient: fail on server-sent desktop name lengths longer
+ than 1MB
+
+re #273
+---
+ libvncclient/rfbproto.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+[sunweaver] Ported over to tightvnc.
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -303,13 +303,11 @@
+   si.format.blueMax = Swap16IfLE(si.format.blueMax);
+   si.nameLength = Swap32IfLE(si.nameLength);
+ 
+-  /* FIXME: Check arguments to malloc() calls. */
+-  desktopName = malloc(si.nameLength + 1);
+-  if (!desktopName) {
+-    fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",
+-            (unsigned long)si.nameLength);
+-    return False;
++  if (si.nameLength > 1<<20) {
++      fprintf(stderr, "Too big desktop name length sent by server: %u B > 1 MB\n", (unsigned int)si.nameLength);
++      return FALSE;
+   }
++  desktopName = malloc(si.nameLength + 1);
+ 
+   if (!ReadFromRFBServer(desktopName, si.nameLength)) return False;
+ 
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch	1970-01-01 00:00:00.000000000 +0000
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch	2019-12-20 15:07:49.000000000 +0000
@@ -0,0 +1,16 @@
+Origin: https://github.com/LibVNC/libvncserver/pull/360/commits/85d00057b5daf71675462c9b175d8cb2d47cd0e1
+
+--- a/vncviewer/zlib.c
++++ b/vncviewer/zlib.c
+@@ -55,6 +55,11 @@
+     raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+     raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++    if (raw_buffer == NULL) {
++
++       return False;
++
++    }
+   }
+ 
+   if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch	1970-01-01 00:00:00.000000000 +0000
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch	2019-12-19 20:39:44.000000000 +0000
@@ -0,0 +1,20 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+
+[sunweaver] Ported to rfbserver.c in tightvnc
+
+--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
+@@ -1481,6 +1481,8 @@
+     rfbClientPtr cl, nextCl;
+     rfbServerCutTextMsg sct;
+ 
++    memset((char *)&sct, 0, sizeof(sct));
++
+     if (rfbViewOnly)
+ 	return;
+ 
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch	1970-01-01 00:00:00.000000000 +0000
+++ tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch	2019-12-20 20:43:49.000000000 +0000
@@ -0,0 +1,23 @@
+Description: CVE-2019-8287
+ (same as CVE-2018-20020/libvncserver)
+ heap out-of-bound write vulnerability inside structure in VNC client code that
+ can result remote code execution
+---
+
+Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+Bug-Debian: https://bugs.debian.org/916941
+
+[sunweaver] port libvncclient patch over to tightvnc's vncviewer code
+
+--- a/vncviewer/corre.c
++++ b/vncviewer/corre.c
+@@ -56,7 +56,7 @@
+     XChangeGC(dpy, gc, GCForeground, &gcv);
+     XFillRectangle(dpy, desktopWin, gc, rx, ry, rw, rh);
+ 
+-    if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++    if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ 	return False;
+ 
+     ptr = (CARD8 *)buffer;
diff -Nru tightvnc-1.3.9/debian/patches/series tightvnc-1.3.9/debian/patches/series
--- tightvnc-1.3.9/debian/patches/series	2016-06-19 11:22:20.000000000 +0000
+++ tightvnc-1.3.9/debian/patches/series	2019-12-21 09:35:39.000000000 +0000
@@ -6,3 +6,13 @@
 ppc64el.patch
 782620-crashfix.patch
 more-arm64-fixes.patch
+CVE-2019-15680.patch
+CVE-2019-15681.patch
+CVE-2014-6053.patch
+CVE-2018-7225.patch
+CVE-2018-20021.patch
+CVE-2019-8287.patch
+CVE-2018-20022.patch
+CVE-2019-15679.patch
+CVE-2019-15678.patch
+CVE-2019-15678-addon.patch