From 2482f8b8dca0f57466d20f9dcf2ff3d5cd16adbf Mon Sep 17 00:00:00 2001
From: Robert Scott <code@humanleg.org.uk>
Date: Sun, 24 Nov 2019 18:44:01 +0000
Subject: [PATCH] tightvnc: add patches for four CVEs

Security fixes for:
* CVE-2019-8287
* CVE-2019-15678
* CVE-2019-15679
* CVE-2019-15680

mostly adapted from patches fixing similar issues in the actively
maintained libvnc

(#73970)
---
 .../tightvnc/1.3.10-CVE-2019-15678.patch      | 18 ++++++++++++++++++
 .../tightvnc/1.3.10-CVE-2019-15679.patch      | 19 +++++++++++++++++++
 .../tightvnc/1.3.10-CVE-2019-15680.patch      | 16 ++++++++++++++++
 .../admin/tightvnc/1.3.10-CVE-2019-8287.patch | 14 ++++++++++++++
 pkgs/tools/admin/tightvnc/default.nix         |  7 +++++++
 5 files changed, 74 insertions(+)
 create mode 100644 pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch
 create mode 100644 pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
 create mode 100644 pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch
 create mode 100644 pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch

diff --git a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch
new file mode 100644
index 000000000000..cd65d2fb5dd9
--- /dev/null
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch
@@ -0,0 +1,18 @@
+Adapted from https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a
+diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
+index 04b0230..47a6863 100644
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1217,6 +1217,12 @@ HandleRFBServerMessage()
+     if (serverCutText)
+       free(serverCutText);
+ 
++    if (msg.sct.length > 1<<20) {
++      fprintf(stderr,"Ignoring too big cut text length sent by server: %u B > 1 MB\n",
++              (unsigned int)msg.sct.length);
++      return False;
++    }
++
+     serverCutText = malloc(msg.sct.length+1);
+ 
+     if (!ReadFromRFBServer(serverCutText, msg.sct.length))
diff --git a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
new file mode 100644
index 000000000000..6d7b3e89e0c4
--- /dev/null
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
@@ -0,0 +1,19 @@
+Adapted from https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
+diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
+index 04b0230..bd11b54 100644
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -303,7 +303,12 @@ InitialiseRFBConnection(void)
+   si.format.blueMax = Swap16IfLE(si.format.blueMax);
+   si.nameLength = Swap32IfLE(si.nameLength);
+ 
+-  /* FIXME: Check arguments to malloc() calls. */
++  if (si.nameLength > 1<<20) {
++    fprintf(stderr, "Too big desktop name length sent by server: %lu B > 1 MB\n",
++            (unsigned long)si.nameLength);
++    return False;
++  }
++
+   desktopName = malloc(si.nameLength + 1);
+   if (!desktopName) {
+     fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",
diff --git a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch
new file mode 100644
index 000000000000..7426a2b58b10
--- /dev/null
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch
@@ -0,0 +1,16 @@
+diff --git a/vncviewer/zlib.c b/vncviewer/zlib.c
+index 80c4eee..76998d8 100644
+--- a/vncviewer/zlib.c
++++ b/vncviewer/zlib.c
+@@ -55,6 +55,11 @@ HandleZlibBPP (int rx, int ry, int rw, int rh)
+     raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+     raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++    if ( raw_buffer == NULL ) {
++      fprintf(stderr,
++              "couldn't allocate raw_buffer in HandleZlibBPP");
++      return False;
++    }
+   }
+ 
+   if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
diff --git a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch
new file mode 100644
index 000000000000..5bfd1b9ea87f
--- /dev/null
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch
@@ -0,0 +1,14 @@
+Adapted from https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+diff --git a/vncviewer/corre.c b/vncviewer/corre.c
+index c846a10..a4c272d 100644
+--- a/vncviewer/corre.c
++++ b/vncviewer/corre.c
+@@ -56,7 +56,7 @@ HandleCoRREBPP (int rx, int ry, int rw, int rh)
+     XChangeGC(dpy, gc, GCForeground, &gcv);
+     XFillRectangle(dpy, desktopWin, gc, rx, ry, rw, rh);
+ 
+-    if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++    if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ 	return False;
+ 
+     ptr = (CARD8 *)buffer;
diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix
index 5a76b500d149..1a65c31102e9 100644
--- a/pkgs/tools/admin/tightvnc/default.nix
+++ b/pkgs/tools/admin/tightvnc/default.nix
@@ -9,6 +9,13 @@ stdenv.mkDerivation {
     sha256 = "f48c70fea08d03744ae18df6b1499976362f16934eda3275cead87baad585c0d";
   };
 
+  patches = [
+    ./1.3.10-CVE-2019-15678.patch
+    ./1.3.10-CVE-2019-15679.patch
+    ./1.3.10-CVE-2019-15680.patch
+    ./1.3.10-CVE-2019-8287.patch
+  ];
+
   # for the builder script
   inherit fontDirectories;