GNU bug report logs - #39228
[PATCH] gnu: Add libvnc.
Report forwarded to guix-patches <at> gnu.org: bug#39228; Package guix-patches. (Tue, 21 Jan 2020 21:12:02 GMT)
Acknowledgement sent to Hartmut Goebel <h.goebel <at> crazy-compilers.com>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 21 Jan 2020 21:12:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/libvnc.scm: New file.
* gnu/lokal.mk: Add it.
---
gnu/local.mk | 1 +
gnu/packages/libvnc.scm | 63 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 64 insertions(+)
create mode 100644 gnu/packages/libvnc.scm
diff --git a/gnu/local.mk b/gnu/local.mk
index 286bcb67dd..edc3dda97e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -311,6 +311,7 @@ GNU_SYSTEM_MODULES = \
%D%/packages/libunistring.scm \
%D%/packages/libusb.scm \
%D%/packages/libunwind.scm \
+ %D%/packages/libvnc.scm \
%D%/packages/lighting.scm \
%D%/packages/linux.scm \
%D%/packages/lirc.scm \
diff --git a/gnu/packages/libvnc.scm b/gnu/packages/libvnc.scm
new file mode 100644
index 0000000000..74a62c2483
--- /dev/null
+++ b/gnu/packages/libvnc.scm
@@ -0,0 +1,63 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2017, 2020 Hartmut Goebel <h.goebel <at> crazy-compilers.com>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu packages libvnc)
+ #:use-module (guix build-system cmake)
+ #:use-module (guix git-download)
+ #:use-module ((guix licenses) #:prefix license:)
+ #:use-module (guix packages)
+ #:use-module (guix utils)
+ #:use-module (gnu packages)
+ #:use-module (gnu packages compression)
+ #:use-module (gnu packages gnupg)
+ #:use-module (gnu packages image)
+ #:use-module (gnu packages pkg-config)
+ #:use-module (gnu packages sdl)
+ #:use-module (gnu packages tls))
+
+(define-public libvnc
+ (package
+ (name "libvnc")
+ (version "0.9.12")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/LibVNC/libvncserver.git")
+ (commit (string-append "LibVNCServer-" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "1226hb179l914919f5nm2mlf8rhaarqbf48aa649p4rwmghyx9vm"))))
+ (build-system cmake-build-system)
+ (native-inputs
+ `(("pkg-config" ,pkg-config)))
+ (inputs
+ `(("gnutls" ,gnutls)
+ ("libgcrypt" ,libgcrypt)
+ ("libjpeg" ,libjpeg)
+ ("libpng" ,libpng)
+ ("lzo" ,lzo)
+ ("sdl2" ,sdl2)))
+ (home-page "https://libvnc.github.io/")
+ (synopsis "Cross-platform C libraries for implementing VNC server or
+client")
+ (description "This package provides @code{LibVNCServer} and
+@code{LibVNCClient}. These are cross-platform C libraries that allow you to
+easily implement VNC server or client functionality in your program.")
+ (license ;; GPL for programs, FDL for documentation
+ (list license:gpl2+ license:fdl1.2+))))
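Review bot: the `origin` for version 0.9.12 in this hunk has no `patches` field, while the revised submission in Message #8 of this thread applies libvnc-CVE-2018-20750.patch and libvnc-CVE-2019-15681.patch to the same version and the same sha256, so this revision would build the unpatched source and the revised one should be preferred. Separately, the `synopsis` string is split after "server or", which leaves a newline inside a one-line field; rewording it to fit on one line avoids that. Nothing visible in the file uses `(guix utils)` or `(gnu packages)`, so those two `#:use-module` lines look removable in this revision.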
--
2.21.1
Information forwarded to guix-patches <at> gnu.org: bug#39228; Package guix-patches. (Tue, 21 Jan 2020 21:53:02 GMT)
Message #8 received at 39228 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/libvnc.scm,
gnu/packages/patches/libvnc-CVE-2018-20750.patch,
gnu/packages/patches/libvnc-CVE-2019-15681.patch: New files.
* gnu/lokal.mk: Add them.
---
gnu/local.mk | 3 +
gnu/packages/libvnc.scm | 65 +++++++++++++++++++
.../patches/libvnc-CVE-2018-20750.patch | 44 +++++++++++++
.../patches/libvnc-CVE-2019-15681.patch | 23 +++++++
4 files changed, 135 insertions(+)
create mode 100644 gnu/packages/libvnc.scm
create mode 100644 gnu/packages/patches/libvnc-CVE-2018-20750.patch
create mode 100644 gnu/packages/patches/libvnc-CVE-2019-15681.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 286bcb67dd..f1107bf728 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -311,6 +311,7 @@ GNU_SYSTEM_MODULES = \
%D%/packages/libunistring.scm \
%D%/packages/libusb.scm \
%D%/packages/libunwind.scm \
+ %D%/packages/libvnc.scm \
%D%/packages/lighting.scm \
%D%/packages/linux.scm \
%D%/packages/lirc.scm \
@@ -1122,6 +1123,8 @@ dist_patch_DATA = \
%D%/packages/patches/libutils-add-includes.patch \
%D%/packages/patches/libutils-remove-damaging-includes.patch \
%D%/packages/patches/libvdpau-va-gl-unbundle.patch \
+ %D%/packages/patches/libvnc-CVE-2018-20750.patch \
+ %D%/packages/patches/libvnc-CVE-2019-15681.patch \
%D%/packages/patches/libvpx-CVE-2016-2818.patch \
%D%/packages/patches/libvpx-use-after-free-in-postproc.patch \
%D%/packages/patches/libxslt-generated-ids.patch \
diff --git a/gnu/packages/libvnc.scm b/gnu/packages/libvnc.scm
new file mode 100644
index 0000000000..091d331ce9
--- /dev/null
+++ b/gnu/packages/libvnc.scm
@@ -0,0 +1,65 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2017, 2020 Hartmut Goebel <h.goebel <at> crazy-compilers.com>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu packages libvnc)
+ #:use-module (guix build-system cmake)
+ #:use-module (guix git-download)
+ #:use-module ((guix licenses) #:prefix license:)
+ #:use-module (guix packages)
+ #:use-module (guix utils)
+ #:use-module (gnu packages)
+ #:use-module (gnu packages compression)
+ #:use-module (gnu packages gnupg)
+ #:use-module (gnu packages image)
+ #:use-module (gnu packages pkg-config)
+ #:use-module (gnu packages sdl)
+ #:use-module (gnu packages tls))
+
+(define-public libvnc
+ (package
+ (name "libvnc")
+ (version "0.9.12")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/LibVNC/libvncserver.git")
+ (commit (string-append "LibVNCServer-" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "1226hb179l914919f5nm2mlf8rhaarqbf48aa649p4rwmghyx9vm"))
+ (patches (search-patches "libvnc-CVE-2018-20750.patch"
+ "libvnc-CVE-2019-15681.patch"))))
+ (build-system cmake-build-system)
+ (native-inputs
+ `(("pkg-config" ,pkg-config)))
+ (inputs
+ `(("gnutls" ,gnutls)
+ ("libgcrypt" ,libgcrypt)
+ ("libjpeg" ,libjpeg)
+ ("libpng" ,libpng)
+ ("lzo" ,lzo)
+ ("sdl2" ,sdl2)))
+ (home-page "https://libvnc.github.io/")
+ (synopsis "Cross-platform C libraries for implementing VNC server or
+client")
+ (description "This package provides @code{LibVNCServer} and
+@code{LibVNCClient}. These are cross-platform C libraries that allow you to
+easily implement VNC server or client functionality in your program.")
+ (license ;; GPL for programs, FDL for documentation
+ (list license:gpl2+ license:fdl1.2+))))
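Review bot: the `synopsis` string breaks across two lines after "server or", so the one-line summary carries an embedded newline; reword it so the whole string fits on a single line. Nothing visible in this file uses `(guix utils)`, so that `#:use-module` line looks removable, whereas `(gnu packages)` is now needed for `search-patches`.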
diff --git a/gnu/packages/patches/libvnc-CVE-2018-20750.patch b/gnu/packages/patches/libvnc-CVE-2018-20750.patch
new file mode 100644
index 0000000000..146243670a
--- /dev/null
+++ b/gnu/packages/patches/libvnc-CVE-2018-20750.patch
@@ -0,0 +1,44 @@
+From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar <at> redhat.com>
+Date: Mon, 7 Jan 2019 10:40:01 +0100
+Subject: [PATCH] Limit lenght to INT_MAX bytes in
+ rfbProcessFileTransferReadBuffer()
+
+This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap
+out-of-bound write access in rfbProcessFileTransferReadBuffer() when
+reading a transfered file content in a server. The former fix did not
+work on platforms with a 32-bit int type (expected by rfbReadExact()).
+
+CVE-2018-15127
+<https://github.com/LibVNC/libvncserver/issues/243>
+<https://github.com/LibVNC/libvncserver/issues/273>
+---
+ libvncserver/rfbserver.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 7af84906..f2edbeea 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -88,6 +88,8 @@
+ #include <errno.h>
+ /* strftime() */
+ #include <time.h>
++/* INT_MAX */
++#include <limits.h>
+
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
+ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
+ will safely be allocated since this check will never trigger and malloc() can digest length+1
+ without problems as length is a uint32_t.
++ We also later pass length to rfbReadExact() that expects a signed int type and
++ that might wrap on platforms with a 32-bit int type if length is bigger
++ than 0X7FFFFFFF.
+ */
+- if(length == SIZE_MAX) {
++ if(length == SIZE_MAX || length > INT_MAX) {
+ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
+ rfbCloseClient(cl);
+ return NULL;
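Review bot: the file is named libvnc-CVE-2018-20750.patch, but the only identifier in its body is "CVE-2018-15127" in the embedded upstream commit message, so nothing inside the file ties it to the CVE in its name; add a short leading comment stating which CVE the patch addresses and where it was taken from. In the inner rfbserver.c hunk, the retained comment text "a length of 0XFFFFFFFF will safely be allocated since this check will never trigger" no longer matches the new condition `length == SIZE_MAX || length > INT_MAX`, which rejects 0xFFFFFFFF wherever int is 32 bits; that wording is upstream's, but it is worth knowing when reading the patched source.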
diff --git a/gnu/packages/patches/libvnc-CVE-2019-15681.patch b/gnu/packages/patches/libvnc-CVE-2019-15681.patch
new file mode 100644
index 0000000000..e328d87920
--- /dev/null
+++ b/gnu/packages/patches/libvnc-CVE-2019-15681.patch
@@ -0,0 +1,23 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind <at> freeshell.org>
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+---
+ libvncserver/rfbserver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 3bacc891..310e5487 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len)
+ rfbServerCutTextMsg sct;
+ rfbClientIteratorPtr iterator;
+
++ memset((char *)&sct, 0, sizeof(sct));
++
+ iterator = rfbGetClientIterator(rfbScreen);
+ while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
+ sct.type = rfbServerCutText;
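Review bot: the patch body never mentions CVE-2019-15681; the identifier appears only in the file name, and the embedded commit message says just "don't leak stack memory to the remote". A leading comment naming the CVE and the upstream source would let a later reader confirm the mapping from the file alone. The added `memset` sits before the client loop in `rfbSendServerCutText`, so `sct` is zeroed once per call before any field is assigned, which covers every loop iteration visible in the hunk.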
--
2.21.1
Information forwarded to guix-patches <at> gnu.org: bug#39228; Package guix-patches. (Tue, 21 Jan 2020 21:59:02 GMT)
Message #11 received at 39228 <at> debbugs.gnu.org (full text, mbox):
On Tue, Jan 21, 2020 at 10:10:56PM +0100, Hartmut Goebel wrote:
> * gnu/packages/libvnc.scm: New file.
> * gnu/lokal.mk: Add it.
s/lokal/local
> +(define-public libvnc
> + (package
> + (name "libvnc")
Overall LGTM.
I notice we have a package module 'gnu/packages/tigervnc.scm'. Maybe we
can combine that module with this one as 'gnu/packages/vnc.scm'?
Information forwarded to guix-patches <at> gnu.org: bug#39228; Package guix-patches. (Wed, 22 Jan 2020 08:49:01 GMT)
Message #14 received at 39228 <at> debbugs.gnu.org (full text, mbox):
On 21.01.20 at 22:57, Leo Famulari wrote:
> I notice we have a package module 'gnu/packages/tigervnc.scm'. Maybe we
> can combine that module with this one as 'gnu/packages/vnc.scm'?
I thought about this, too, but hesitated. The module `tigervnc` seems
to not be used anywhere, thus renaming it would be easy.
If this is okay, I would go forward and:
1. rename `tigervnc.scm` to `vnc.scm` (as proposed by you)
2. add libvnc to this module.
3. push to master.
--
Regards
Hartmut Goebel
| Hartmut Goebel | h.goebel <at> crazy-compilers.com |
| www.crazy-compilers.com | compilers which you thought are impossible |
Information forwarded to guix-patches <at> gnu.org: bug#39228; Package guix-patches. (Wed, 22 Jan 2020 09:17:01 GMT)
Message #17 received at 39228 <at> debbugs.gnu.org (full text, mbox):
On Wed, Jan 22, 2020 at 09:47:58AM +0100, Hartmut Goebel wrote:
> On 21.01.20 at 22:57, Leo Famulari wrote:
> > I notice we have a package module 'gnu/packages/tigervnc.scm'. Maybe we
> > can combine that module with this one as 'gnu/packages/vnc.scm'?
>
> I thought about this, too, but hesitated. The module `tigervnc` seems
> to not be used anywhere, thus renaming it would be easy.
>
> If this is okay, I would go forward and:
>
> 1. rename `tigervnc.scm` to `vnc.scm` (as proposed by you)
>
> 2. add libvnc to this module.
>
> 3. push to master.
>
Sounds good to me
--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Reply sent to Hartmut Goebel <h.goebel <at> crazy-compilers.com>: You have taken responsibility. (Wed, 22 Jan 2020 12:10:02 GMT)
Notification sent to Hartmut Goebel <h.goebel <at> crazy-compilers.com>: bug acknowledged by developer. (Wed, 22 Jan 2020 12:10:02 GMT)
Message #22 received at 39228-close <at> debbugs.gnu.org (full text, mbox):
Done. Pushed as a789f654a0f370720b2c6b7856b9971dcc1d5eb1
Thanks for the review.
--
Regards
Hartmut Goebel
| Hartmut Goebel | h.goebel <at> crazy-compilers.com |
| www.crazy-compilers.com | compilers which you thought are impossible |
Information forwarded to guix-patches <at> gnu.org: bug#39228; Package guix-patches. (Wed, 22 Jan 2020 12:18:01 GMT)
Message #25 received at 39228 <at> debbugs.gnu.org (full text, mbox):
94c7ef932a5857020c2a5349ff1970b1809a080e which is right before adding
libvnc has the wrong commit headline:
gnu: Rename module gnutls to tls.
should be
gnu: Rename module tigervnc to vnc.
Just for the record :P
On 22.01.20 13:09, Hartmut Goebel wrote:
> Done. Pushed as a789f654a0f370720b2c6b7856b9971dcc1d5eb1
>
> Thanks for the review.
>
Information forwarded to guix-patches <at> gnu.org: bug#39228; Package guix-patches. (Wed, 22 Jan 2020 12:23:02 GMT)
Message #28 received at 39228 <at> debbugs.gnu.org (full text, mbox):
On 22.01.20 at 13:17, Jonathan Brielmaier wrote:
> gnu: Rename module gnutls to tls.
>
> should be
>
> gnu: Rename module tigervnc to vnc.
ARGL! I should not do this kind of work when traveling.
@efraim: Any chance to clean this up?
--
Regards
Hartmut Goebel
| Hartmut Goebel | h.goebel <at> crazy-compilers.com |
| www.crazy-compilers.com | compilers which you thought are impossible |
Information forwarded to guix-patches <at> gnu.org: bug#39228; Package guix-patches. (Wed, 22 Jan 2020 17:34:02 GMT)
Message #31 received at 39228 <at> debbugs.gnu.org (full text, mbox):
On Wed, Jan 22, 2020 at 01:21:59PM +0100, Hartmut Goebel wrote:
> On 22.01.20 at 13:17, Jonathan Brielmaier wrote:
> > gnu: Rename module gnutls to tls.
> >
> > should be
> >
> > gnu: Rename module tigervnc to vnc.
>
> ARGL! I should not do this kind of work when traveling.
>
> @efraim: Any chance to clean this up?
We don't rewrite the commits after they are pushed to Savannah's master
branch. So, it's important to be careful when pushing, but please "don't
beat yourself up" over this :)
Information forwarded to guix-patches <at> gnu.org: bug#39228; Package guix-patches. (Wed, 22 Jan 2020 17:45:01 GMT)
Message #34 received at 39228 <at> debbugs.gnu.org (full text, mbox):
On 22.01.20 18:33, Leo Famulari wrote:
> On Wed, Jan 22, 2020 at 01:21:59PM +0100, Hartmut Goebel wrote:
>> On 22.01.20 at 13:17, Jonathan Brielmaier wrote:
>>> gnu: Rename module gnutls to tls.
>>>
>>> should be
>>>
>>> gnu: Rename module tigervnc to vnc.
>>
>> ARGL! I should not do this kind of work when traveling.
>>
>> @efraim: Any chance to clean this up?
>
> We don't rewrite the commits after they are pushed to Savannah's master
> branch. So, it's important to be careful when pushing, but please "don't
> beat yourself up" over this :)
>
As well, the body of the commit message is correct:
* gnu/packages/tigervnc.scm: Rename to...
* gnu/packages/vnc.scm: ... this. Change module name accordingly. Sort
used modules.
* gnu-system.am (GNU_SYSTEM_MODULES): Rename tigervnc module to vnc.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 20 Feb 2020 12:24:06 GMT)
This bug report was last modified 4 years and 61 days ago.