From 5288f14c756d91662af200e80db9c63059a1f8b0f76758e6be21b5637cec0ac8 Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Thu, 8 Sep 2022 08:26:49 +0000
Subject: [PATCH] - security update - added patches fix CVE-2020-29260 [bsc#1203106], memory leakage via rfbClientCleanup() + LibVNCServer-CVE-2020-29260.patch
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/LibVNCServer?expand=0&rev=67
---
 LibVNCServer-CVE-2020-29260.patch | 14 ++++++++++++++
 LibVNCServer.changes | 8 ++++++++
 LibVNCServer.spec | 4 +++-
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 LibVNCServer-CVE-2020-29260.patch
diff --git a/LibVNCServer-CVE-2020-29260.patch b/LibVNCServer-CVE-2020-29260.patch
new file mode 100644
index 0000000..6d99d1a
--- /dev/null
+++ b/LibVNCServer-CVE-2020-29260.patch
@@ -0,0 +1,14 @@
+diff --git a/libvncclient/vncviewer.c b/libvncclient/vncviewer.c
+index d6b91f02b..0a1bdcf6a 100644
+--- a/libvncclient/vncviewer.c
++++ b/libvncclient/vncviewer.c
+@@ -534,6 +534,8 @@ void rfbClientCleanup(rfbClient* client) {
+ client->clientData = next;
+ }
+
++ free(client->vncRec);
++
+ if (client->sock != RFB_INVALID_SOCKET)
+ rfbCloseSocket(client->sock);
+ if (client->listenSock != RFB_INVALID_SOCKET)
+
diff --git a/LibVNCServer.changes b/LibVNCServer.changes
index ccc38f6..01a9016 100644
--- a/LibVNCServer.changes
+++ b/LibVNCServer.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Sep 8 08:26:25 UTC 2022 - pgajdos@suse.com
+
+- security update
+- added patches
+ fix CVE-2020-29260 [bsc#1203106], memory leakage via rfbClientCleanup()
+ + LibVNCServer-CVE-2020-29260.patch
+
 -------------------------------------------------------------------
 Fri Sep 17 07:14:46 UTC 2021 - pgajdos@suse.com
 
diff --git a/LibVNCServer.spec b/LibVNCServer.spec
index 1caa9e7..1b06e0b 100644
--- a/LibVNCServer.spec
+++ b/LibVNCServer.spec
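Review bot: The new LibVNCServer-CVE-2020-29260.patch opens directly with `diff --git a/libvncclient/vncviewer.c` and carries no header naming the upstream commit or bug it was taken from, so a later reviewer cannot check this CVE backport against its origin; a short header such as `Upstream: <upstream commit URL>` and `References: CVE-2020-29260, bsc#1203106` above the diff would fix that. In the patched code, `free(client->vncRec);` leaves the pointer set; adding `client->vncRec = NULL;` on the next line would make a repeated cleanup harmless, if the client structure can outlive this call, which the hunk does not show. Whether vncRec owns anything that must be released before the struct itself (an open file, for example) is also not visible here and is worth confirming. rfbClientCleanup() starts and ends outside the hunk.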
@@ -1,7 +1,7 @@
 #
 # spec file for package LibVNCServer
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -38,6 +38,8 @@ Patch12: 0003-libvncserver-auth-don-t-keep-security-handlers-from-.patch
 Patch13: 0004-zlib-Clear-buffer-pointers-on-cleanup-444.patch
 # PATCH-FIX-UPSTREAM Fix another crasher glgo#GNOME/gnome-remote-desktop#45 rh#1882718
 Patch14: 0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch
+# CVE-2020-29260 [bsc#1203106], memory leakage via rfbClientCleanup()
+Patch15: LibVNCServer-CVE-2020-29260.patch
 BuildRequires: cmake
 BuildRequires: gcc-c++
 BuildRequires: libavahi-devel
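Review bot: The comment added above `Patch15:` drops the `PATCH-FIX-UPSTREAM` tag that the Patch14 comment two lines up uses, so readers or tooling that classify patches by that tag will not see where this one comes from. If the fix was taken from upstream, as the git index line inside the patch file suggests, write `# PATCH-FIX-UPSTREAM CVE-2020-29260 [bsc#1203106] memory leakage via rfbClientCleanup()`. The %prep section is outside this hunk, so it is not visible whether Patch15 is actually applied; if patches are listed individually there, a matching entry is needed or the package builds without the fix.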