Bug 329031 - net-libs/libvncserver-0.9.7 (and x11-misc/x11vnc-0.9.10) has memcpy() buffer overflow in tightvnc-filetransfer/filetransfermsg.c
Summary: net-libs/libvncserver-0.9.7 (and x11-misc/x11vnc-0.9.10) has memcpy() buffer ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Mike Gilbert
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-20 01:05 UTC by SpanKY
Modified: 2012-03-08 03:36 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Fix buffer overflow in memcpy due to sizeof(int) instead of sizeof(unsigned long) (libvncserver-fixbufferoverflow.patch,542 bytes, patch)
2010-09-18 21:37 UTC, Joseph Yasi

Description SpanKY gentoo-dev 2010-07-20 01:05:42 UTC
x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I. -I.. -DCPPFLAGS_TEST -Wall -I .. -O2 -march=k8 -pipe -g -Wimplicit-function-declaration -MT filetransfermsg.lo -MD -MP -MF .deps/filetransfermsg.Tpo -c tightvnc-filetransfer/filetransfermsg.c  -fPIC -DPIC -o .libs/filetransfermsg.o
In file included from /usr/include/string.h:640:0,
                 from tightvnc-filetransfer/filetransfermsg.c:27:
In function 'memcpy',
    inlined from 'CreateFileDownloadZeroSizeDataMsg' at tightvnc-filetransfer/filetransfermsg.c:416:8:
/usr/include/bits/string3.h:52:3: warning: call to __builtin___memcpy_chk will always overflow destination buffer
Portage 2.2_rc67 (default/linux/amd64/10.0/developer, gcc-4.5.0, glibc-2.11.2-r0, 2.6.34 x86_64)
=================================================================
System uname: Linux-2.6.34-x86_64-AMD_Phenom-tm-_II_X4_945_Processor-with-gentoo-2.0.1
Timestamp of tree: Sun, 18 Jul 2010 04:15:03 +0000
distcc 3.1 x86_64-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash:     4.1_p7
dev-lang/python:     2.4.6, 2.6.5-r3, 3.1.2-r4
dev-util/ccache:     2.4-r8
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.1-r1
sys-apps/sandbox:    2.2
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.4_p6-r1, 1.5-r1, 1.6.3-r1, 1.7.9-r2, 1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.15.92.0.2-r10, 2.16-r1, 2.16.1, 2.16.1-r3, 2.16.90.0.3, 2.16.91.0.1, 2.16.91.0.2, 2.16.91.0.3, 2.16.91.0.4, 2.16.91.0.5, 2.16.91.0.6, 2.16.91.0.7, 2.16.92, 2.16.93, 2.16.94, 2.17-r1, 2.17.50.0.2, 2.17.50.0.3, 2.17.50.0.4, 2.17.50.0.5, 2.17.50.0.6, 2.17.50.0.7, 2.17.50.0.8, 2.17.50.0.9, 2.17.50.0.10, 2.17.50.0.11, 2.17.50.0.12, 2.17.50.0.13, 2.17.50.0.14, 2.17.50.0.15, 2.17.50.0.16, 2.17.50.0.17, 2.17.50.0.18, 2.18-r2, 2.18.50.0.1, 2.18.50.0.2, 2.18.50.0.3, 2.18.50.0.4, 2.18.50.0.5, 2.18.50.0.6, 2.18.50.0.7, 2.18.50.0.8, 2.18.50.0.9, 2.19, 2.19.1-r1, 2.19.50.0.1, 2.19.51.0.1, 2.19.51.0.2, 2.19.51.0.3, 2.19.51.0.4, 2.19.51.0.5, 2.19.51.0.6, 2.19.51.0.10, 2.19.51.0.11, 2.19.51.0.12, 2.19.51.0.14, 2.20, 2.20.1-r1, 2.20.51.0.1, 2.20.51.0.2, 2.20.51.0.3, 2.20.51.0.4, 2.20.51.0.5, 2.20.51.0.6, 2.20.51.0.7, 2.20.51.0.8, 2.20.51.0.9
sys-devel/gcc:       3.3.5.20050130-r2, 3.3.6-r1, 3.4.3.20050110-r2, 3.4.4-r1, 3.4.5-r1, 3.4.6-r2, 4.0.0, 4.0.1, 4.0.2-r3, 4.0.3, 4.0.4, 4.1.0-r1, 4.1.1-r3, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4-r1, 4.3.0, 4.3.1-r1, 4.3.2-r4, 4.3.3-r2, 4.3.4, 4.3.5, 4.4.0-r1, 4.4.1, 4.4.2, 4.4.3-r3, 4.4.4-r1, 4.5.0
sys-devel/gcc-config: 1.5
sys-devel/libtool:   2.2.10
virtual/os-headers:  2.6.34
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=k8 -pipe -g -Wimplicit-function-declaration"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CPPFLAGS="-DCPPFLAGS_TEST"
CXXFLAGS="-O2 -march=k8 -pipe -g"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="assume-digests buildsyspkg ccache collision-protect cvs distlocks fixpackages multilib-strict news noinfo parallel-fetch preserve-libs protect-owned sandbox sfperms sign splitdebug stricter test-fail-continue unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF8"
LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu"
LINGUAS="en en_US en_GB de"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_COMPRESS="xz"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/local/src/gentoo/overlays/vapier/enlightenment"
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="3dnow X a52 aac aalib acl acpi adns agg aio alsa amd64 apache2 asf aspell audiofile berkdb bitmap-fonts bzip2 cairo caps cdaudio cddb cdparanoia cdr cli console cracklib crypt css ctype cups curl cvs cxx dba dbus divx4linux dri dts dvb dvd dvdr dvdread emboss encode exif expat extensions fbcon ffmpeg firefox flac flash fluidsynth fortran ftp gcj gd gif glib glitz glut gmp gphoto2 gpm gtk gtk2 htmlhandbook iconv imap imlib ipv6 jbig joystick jpeg jpeg2k kde kpathsea lcms libcaca libedit libnotify lzo lzw mad maildir matroska mikmod mime mjpeg mmx mng modplug modules mp3 mp4 mpeg mplayer mtp mudflap multilib multislot musepack mysql ncurses network nls nptl nptlonly nsplugin nvidia objc objc-gc offensive ogg oggvorbis openal opengl openmp pango pcre pdf perl pic png ppds pppd python qt3support qt4 quicktime readline redland reflection rss samba sdl session smp sndfile snmp speex spell spl sql sqlite sse sse2 ssl startup-notification subtitles subversion svg sysfs syslog tcl tcltk tcpd tga theora threads tiff tk truetype truetype-fonts type1-fonts unicode upnp usb vcd video vnc vorbis wavpack webkit wma wmf x264 xanim xattr xcb xcomposite xine xinerama xinetd xml xml2 xorg xpm xrandr xulrunner xv xvid xvmc zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif 
speling status unique_id userdir usertrack vhost_alias" CAMERAS="canon" ELIBC="glibc" INPUT_DEVICES="mouse keyboard joystick void" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US en_GB de" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia nv ati r128 radeon radeonhd vga sisusb" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CTARGET, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-20 02:39:39 UTC
Why bug-wranglers@?
Comment 2 SpanKY gentoo-dev 2010-07-20 02:49:45 UTC
x11vnc has same problem since it bundles libvncserver
Comment 3 sorin 2010-09-12 15:27:47 UTC
Same thing here with rdesktop... (I think it would compile fine if I take out --march=core2.)
Portage 2.1.9.4 (default/linux/amd64/10.0, gcc-4.4.4, glibc-2.12.1-r1, 2.6.34-xen-r3 x86_64)
=================================================================
System uname: Linux-2.6.34-xen-r3-x86_64-Intel-R-_Core-TM-_i7_CPU_870_@_2.93GHz-with-gentoo-2.0.1
Timestamp of tree: Sun, 12 Sep 2010 05:15:03 +0000
app-shells/bash:     4.1_p7
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.3
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.67
sys-devel/automake:  1.8.5-r4, 1.9.6-r3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.35 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -mno-tls-direct-seg-refs -march=core2"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -mno-tls-direct-seg-refs -march=core2"
DISTDIR="/var/pub/mirror/src"
FEATURES="assume-digests distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirrors.xservers.ro/gentoo/ ftp://de-mirror.org/distro/gentoo/ ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo"
LANG="en_US.utf-8"
LC_ALL="ro_RO.utf-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="ro en"
MAKEOPTS="-j9"
PKGDIR="/var/pub/mirror/pkg/gentoo"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/var/lib/portage/repos/gentoo"
PORTDIR_OVERLAY="/var/lib/portage/repos/local"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="7zip R X a52 aac accessibility acl acpi addbookmarks addressbook administrator adplug ads aesicm agg aio alisp alsa amd64 amr amrnb amrwb ao api apm ares asf assistant async auto-hinter automount autotrace avahi bash-completion berkdb bluetooth boost branding bzip2 cairo caps cdaudio cdda cddax cddb cdio cdparanoia cdr cgi chm cjk cleartype cli clucene console consolekit contactnotes contrast contrib cpudetection cracklib crypt css cue cups curl cxx daap daemon dar32 dbus designer-plugin desktopglobe dga digitalradio dirac directfb disk-partition diskio divx djvu dlz dmtf dmx dnsdb dri drmaa dts dv dvb dvd dvdnav dvdr dvdread dxr3 eap-tls ebook elf emacs emerald enca encode exif exiscan-acl expat extensible extensions extras faac faad fam fame fastcgi fax fbcon ffmpeg firefox3 fits flac fluidsynth fontconfig fontforge foomaticdb fortran ftp fts3 fuse garmin gd gdal gdbm geos gif gimp git glade glib glibc-omitfp glitz glsa gmedia gmp gnuplot gnutls google-gadgets gphoto2 gpm gps graphviz gs gsm gstreamer gtk gtk2-perl h224 h281 h323 hash highlight hipe history hpn http httpd hyperestraier i18n iax icecast iconv icu id3tag idled idn ilbc imagemagick imap inotify inquisitio ioctl ioemu iplayer ipod ipv6 irc ivr jabber java6 javascript jbig jingle jpeg json kate kde kdrive kernel-helper kipi kontact kpoll kqemu kvm ladspa lame lapack lastfm lcms ldap ldb libffi libmms libnotify libsamplerate libssh2 libtiger libv4l2 lid lightning live lm_sensors logitech-mouse loop-aes lua lzma lzo mad madwifi mail maildir marble matplotlib matroska mayavi md5sum mdnsresponder-compat mhash mixer mjpeg mktemp mmap mmx mng mod_irc mod_muc mod_pubsub modplug modules mozdevelop mozilla mp2 mp3 mp3rtp mp3tunes mp4 mp4live mpeg mpeg2 mpi mpi-threads mplayer mpx mtp mudflap multilib multimedia multiuser musepack musicbrainz ncurses nemesi net nethack netmeeting network network-cron networking nfs nls nptl nptlonly nsplugin ntfs ntp numpy nut oav ocean odbc offensive ogg opencore-amr 
openexr opengl openmp optimized-qmake pam pango pbs pcap pcre pdf perl phonon physfs pic pink pl2303 plasma player plotutils pmu png pnm policykit ppds pppd prediction proj pulseaudio pvr pylint python qa qalculate qos qt3support qt4 quicktime quotas qwt radio rar raw rdp readline reflection reiserfs remote replication replytolist rle romio rss rtc rtmp rtsp ruby-bindings samba sasl sbc scanner schroedinger scim scipy scrobbler sctp sdb-ldap sdl secure-delete semantic-desktop sendmail session shine shmvideo shout sip sipim skey skins skype slang smartcard smbkrb5passwd smp sms smtp smux sndfile snmp soap sockets socks5 sound soup speex sql sqlite sqlite3 srp srs srt srtp sse sse2 sse3 sse4 ssh ssl ssse3 statistics stats stream subtitles subversion svg swig symlink sysfs syslog szip taglib tcl tcpd teletext texteffect theora thin-splines threads threadsafe thumbnail thuner tiff timezone tk tntc tools traits truetype tv tv_check tv_combiner tv_pick_cgi twolame type3 udev umfpack unicode upnp urandom usb utils uuid v4l v4l2 vaapi vcd vcdinfo vcdx vde vdr vhook vhosts video vim-pager vim-syntax vim-with-x visibility vlm vnc vorbis vorbis-psy vpx vt vxml wav wavpack web webdav webkit webpresence wicd windeco winpopup wma wma-fixed wmf wmp wxwidgets wxwindows x264 xanim xattr xcb xcomposite xen xforms xine xml xmlpatterns xmlrpc xmp xorg xosd xpm xprint xrandr xscreensaver xsl xsm xulrunner xv xvid xvmc yahoo yaz yv12 zip zlib zvbi" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare extplug hooks ioplug ladspa lfloat linear meter mulaw multi plug rate route share shm softvol dsnoop" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite 
setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="ro en" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby18" SANE_BACKENDS="net" USERLAND="GNU" VIDEO_CARDS="apm fbdev fglrx radeon svga v4l vesa vmware" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 4 Greg Turner 2010-09-15 14:31:50 UTC
(In reply to comment #3)
> Same thing here with rdesktop... (I think it would compile fine if I take out
> --march=core2.)

That didn't do it for me but ftr C{,XX}FLAGS="-O0" did.
Comment 5 Joseph Yasi 2010-09-18 21:37:02 UTC
Created attachment 247908 [details, diff]
Fix buffer overflow in memcpy due to sizeof(int) instead of sizeof(unsigned long)

The code mistakenly calculates the size of an int instead of an unsigned long when copying.  The bug #336878 for x11vnc-0.9.12 contains the same fix for x11vnc.
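The size mismatch described in comment 5 is the classic shape behind GCC's "will always overflow destination buffer" diagnostic: the buffer is sized with one expression (sizeof(int), 4 bytes on x86_64) while the memcpy uses another (sizeof(unsigned long), 8 bytes on x86_64), and with _FORTIFY_SOURCE the compiler can prove the copy exceeds the allocation. The diagnostic only appears at -O1 and above because the fortified memcpy wrappers are not used at -O0, which matches the observation in comment 4. The following is an added example written for this page, not libvncserver's or x11vnc's code: it models a zero-size file-download data message with a trailing mtime field, exposes the two sizes so they can be compared, and shows the corrected builder where allocation and copy share one size expression. HDR_LEN, msg_t, build_zero_size_data_msg, parse_mtime and the 0xF1 type byte are assumed names and values chosen for the illustration.

```c
/* Added example (not libvncserver's code): models the sizeof(int) vs
 * sizeof(unsigned long) mismatch reported in this bug. All identifiers
 * here are assumptions for illustration, not the project's own. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed-size wire header that precedes the payload. */
#define HDR_LEN 8

typedef struct {
    unsigned char *data;
    size_t length;
} msg_t;

/* Space the buggy code reserved after the header for the mtime. */
size_t buggy_payload_len(void) { return sizeof(int); }

/* Bytes the memcpy actually writes: a whole unsigned long. */
size_t mtime_copy_len(void) { return sizeof(unsigned long); }

/* Returns 1 when a copy of copy_len bytes fits after the header in an
 * allocation of alloc_len bytes. This is the check the compiler performs
 * statically under _FORTIFY_SOURCE when both sizes are constants. */
int copy_fits(size_t alloc_len, size_t copy_len)
{
    return alloc_len >= HDR_LEN && alloc_len - HDR_LEN >= copy_len;
}

/* Corrected builder: allocation and memcpy use the same size expression
 * (sizeof mtime), so they cannot drift apart again. */
msg_t build_zero_size_data_msg(unsigned long mtime)
{
    msg_t m = {0};
    const size_t payload = sizeof mtime;

    m.length = HDR_LEN + payload;
    m.data = calloc(m.length, 1);
    if (m.data == NULL) {
        m.length = 0;
        return m;
    }
    m.data[0] = 0xF1;   /* assumed message-type byte */
    /* realSize / compressedSize of a zero-size chunk stay 0 from calloc */
    memcpy(m.data + HDR_LEN, &mtime, payload);
    return m;
}

/* Reads the mtime back, checking the length before touching the buffer. */
int parse_mtime(const msg_t *m, unsigned long *out)
{
    if (m->data == NULL || m->length < HDR_LEN + sizeof *out)
        return 0;
    memcpy(out, m->data + HDR_LEN, sizeof *out);
    return 1;
}

/* Builds a message, parses it, and reports whether the mtime survived. */
int roundtrip_ok(unsigned long mtime)
{
    unsigned long back = 0;
    msg_t m = build_zero_size_data_msg(mtime);
    int ok = parse_mtime(&m, &back) && back == mtime;
    free(m.data);
    return ok;
}

int main(void)
{
    printf("reserved for mtime: %zu bytes, copied: %zu bytes, fits: %d\n",
           buggy_payload_len(), mtime_copy_len(),
           copy_fits(HDR_LEN + buggy_payload_len(), mtime_copy_len()));
    printf("fixed builder round-trip ok: %d\n", roundtrip_ok(0xCAFEBABEUL));
    return 0;
}
```

On an LP64 host the first line prints "reserved for mtime: 4 bytes, copied: 8 bytes, fits: 0", which is exactly the condition the fortified __builtin___memcpy_chk rejects at compile time; on an ILP32 host both sizes are 4 and the bug is latent, which is why it surfaced on amd64 builds.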
Comment 6 Mike Gilbert gentoo-dev 2012-03-08 03:34:52 UTC
libvncserver is fixed in the tree.

+*libvncserver-0.9.8.2-r1 (08 Mar 2012)
+
+  08 Mar 2012; Mike Gilbert <floppym@gentoo.org>
+  +files/libvncserver-memcpy.patch, +libvncserver-0.9.8.2-r1.ebuild:
+  Add patch to resolve buffer overflow. Bug 329031.
+
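Review bot: the ChangeLog entry "Add patch to resolve buffer overflow. Bug 329031." names neither the file nor the root cause, although both are on record in this bug (tightvnc-filetransfer/filetransfermsg.c, CreateFileDownloadZeroSizeDataMsg, allocation sized with sizeof(int) while memcpy copies sizeof(unsigned long)). Spelling that out in the entry, for example "Fix memcpy overflow in CreateFileDownloadZeroSizeDataMsg (sizeof(int) vs sizeof(unsigned long))", makes the fix searchable for anyone auditing bundled copies. On that point, comment 2 notes x11vnc bundles libvncserver and comment 5 points to bug #336878 for it; the entry should say whether the x11vnc side is handled separately so this bug can be closed without ambiguity.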