Commit 1c85dc7d authored by Johannes Huber's avatar Johannes Huber
Browse files

CVE-2014-4607: Unbundle libvncserver

http://seclists.org/oss-sec/2014/q2/676

REVIEW: 119548
parent 83767fea
......@@ -32,6 +32,8 @@ set(CMAKE_MODULE_PATH
${CMAKE_MODULE_PATH}
)
find_package(LibVNCServer REQUIRED)
macro_optional_find_package(TelepathyQt4)
macro_log_feature(TelepathyQt4_FOUND "telepathy-qt" "Telepathy Qt Bindings" "http://telepathy.freedesktop.org" FALSE "0.9" "Needed to build Telepathy Tubes support.")
......@@ -44,8 +46,6 @@ macro_bool_to_01(X11_XShm_FOUND HAVE_XSHM)
include_directories ("${CMAKE_CURRENT_BINARY_DIR}/krfb"
"${CMAKE_CURRENT_SOURCE_DIR}/krfb"
"${CMAKE_CURRENT_SOURCE_DIR}/krfb/ui"
"${CMAKE_CURRENT_SOURCE_DIR}/libvncserver/"
"${CMAKE_CURRENT_BINARY_DIR}/libvncserver/"
)
if(Q_WS_X11)
......@@ -54,9 +54,8 @@ if(Q_WS_X11)
endif(NOT X11_XTest_FOUND)
endif(Q_WS_X11)
add_subdirectory(libvncserver)
add_subdirectory(krfb)
add_subdirectory (framebuffers)
add_subdirectory(framebuffers)
add_subdirectory(doc)
if (NOT INSIDE_KDENETWORK)
......
# cmake macro to test LIBVNCSERVER LIB
# Copyright (c) 2006, Alessandro Praduroux <pradu@pradu.it>
# Copyright (c) 2007, Urs Wolfer <uwolfer @ kde.org>
#
# Redistribution and use is allowed according to the terms of the BSD license.
# For details see the accompanying COPYING-CMAKE-SCRIPTS file.
INCLUDE(CheckPointerMember)
IF (LIBVNCSERVER_INCLUDE_DIR AND LIBVNCSERVER_LIBRARIES)
# Already in cache, be silent
SET(LIBVNCSERVER_FIND_QUIETLY TRUE)
ENDIF (LIBVNCSERVER_INCLUDE_DIR AND LIBVNCSERVER_LIBRARIES)
FIND_PATH(LIBVNCSERVER_INCLUDE_DIR rfb/rfb.h)
FIND_LIBRARY(LIBVNCSERVER_LIBRARIES NAMES vncserver libvncserver)
# libvncserver and libvncclient are in the same package, so it does
# not make sense to add a new cmake script for finding libvncclient.
# instead just find the libvncclient also in this file.
FIND_PATH(LIBVNCCLIENT_INCLUDE_DIR rfb/rfbclient.h)
FIND_LIBRARY(LIBVNCCLIENT_LIBRARIES NAMES vncclient libvncclient)
IF (LIBVNCSERVER_INCLUDE_DIR AND LIBVNCSERVER_LIBRARIES)
SET(CMAKE_REQUIRED_INCLUDES "${LIBVNCSERVER_INCLUDE_DIR}" "${CMAKE_REQUIRED_INCLUDES}")
CHECK_POINTER_MEMBER(rfbClient* GotXCutText rfb/rfbclient.h LIBVNCSERVER_FOUND)
ENDIF (LIBVNCSERVER_INCLUDE_DIR AND LIBVNCSERVER_LIBRARIES)
IF (LIBVNCSERVER_FOUND)
IF (NOT LIBVNCSERVER_FIND_QUIETLY)
MESSAGE(STATUS "Found LibVNCServer: ${LIBVNCSERVER_LIBRARIES}")
ENDIF (NOT LIBVNCSERVER_FIND_QUIETLY)
ELSE (LIBVNCSERVER_FOUND)
IF (LIBVNCSERVER_FIND_REQUIRED)
MESSAGE(FATAL_ERROR "Could NOT find acceptable version of LibVNCServer (version 0.9 or later required).")
ENDIF (LIBVNCSERVER_FIND_REQUIRED)
ENDIF (LIBVNCSERVER_FOUND)
MARK_AS_ADVANCED(LIBVNCSERVER_INCLUDE_DIR LIBVNCSERVER_LIBRARIES)
\ No newline at end of file
......@@ -20,6 +20,7 @@ target_link_libraries (krfbprivate
${QT_QTCORE_LIBRARY}
${QT_QTGUI_LIBRARY}
${X11_X11_LIB}
${LIBVNCSERVER_LIBRARIES}
)
set_target_properties (krfbprivate PROPERTIES
......@@ -103,6 +104,7 @@ target_link_libraries (krfb
${QT_QTNETWORK_LIBRARY}
${KDE4_KDNSSD_LIBS}
${KDE4_KDEUI_LIBS}
${LIBVNCSERVER_LIBRARIES}
)
if(TelepathyQt4_FOUND)
......
......@@ -6,7 +6,7 @@
#ifndef KRFB_RFB_H
#define KRFB_RFB_H
#include "../libvncserver/rfb/rfb.h"
#include "rfb/rfb.h"
#undef TRUE
#undef FALSE
......
# Striped down version of libvncserver's original CMakeLists.txt
project(LibVNCServer)
include(CheckFunctionExists)
include(CheckIncludeFile)
include(CheckTypeSize)
include(TestBigEndian)
include(MacroBoolTo01)
set(FULL_PACKAGE_NAME "Krfb LibVNCServer")
set(PACKAGE_VERSION "0.9.8-10-g17ce0c5")
include_directories(${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
macro_optional_find_package(ZLIB)
macro_log_feature(ZLIB_FOUND "ZLib" "The Zlib compression library" "http://www.zlib.net" FALSE "" "Used by the vncserver library.")
macro_optional_find_package(JPEG)
macro_log_feature(JPEG_FOUND "LibJPEG" "The JPEG library" "" FALSE "" "Used by the vncserver library")
macro_bool_to_01(ZLIB_FOUND LIBVNCSERVER_HAVE_LIBZ)
macro_bool_to_01(JPEG_FOUND LIBVNCSERVER_HAVE_LIBJPEG)
option(LIBVNCSERVER_ALLOW24BPP "Allow 24 bpp" ON)
# if(GNUTLS_FOUND)
# set(LIBVNCSERVER_WITH_CLIENT_TLS 1)
# endif(GNUTLS_FOUND)
# if(LIBGCRYPT_LIBRARIES)
# message(STATUS "Found libgcrypt: ${LIBGCRYPT_LIBRARIES}")
# set(LIBVNCSERVER_WITH_CLIENT_GCRYPT 1)
# endif(LIBGCRYPT_LIBRARIES)
check_include_file("fcntl.h" LIBVNCSERVER_HAVE_FCNTL_H)
check_include_file("netinet/in.h" LIBVNCSERVER_HAVE_NETINET_IN_H)
check_include_file("sys/socket.h" LIBVNCSERVER_HAVE_SYS_SOCKET_H)
check_include_file("sys/stat.h" LIBVNCSERVER_HAVE_SYS_STAT_H)
check_include_file("sys/time.h" LIBVNCSERVER_HAVE_SYS_TIME_H)
check_include_file("sys/types.h" LIBVNCSERVER_HAVE_SYS_TYPES_H)
check_include_file("sys/wait.h" LIBVNCSERVER_HAVE_SYS_WAIT_H)
check_include_file("unistd.h" LIBVNCSERVER_HAVE_UNISTD_H)
# headers needed for check_type_size()
check_include_file("arpa/inet.h" HAVE_ARPA_INET_H)
check_include_file("stdint.h" HAVE_STDINT_H)
check_include_file("stddef.h" HAVE_STDDEF_H)
check_include_file("sys/types.h" HAVE_SYS_TYPES_H)
check_function_exists(gettimeofday LIBVNCSERVER_HAVE_GETTIMEOFDAY)
macro_bool_to_01(CMAKE_USE_PTHREADS_INIT LIBVNCSERVER_HAVE_LIBPTHREAD)
if(LIBVNCSERVER_HAVE_SYS_SOCKET_H)
# socklen_t
list(APPEND CMAKE_EXTRA_INCLUDE_FILES "sys/socket.h")
endif(LIBVNCSERVER_HAVE_SYS_SOCKET_H)
if(HAVE_ARPA_INET_H)
# in_addr_t
list(APPEND CMAKE_EXTRA_INCLUDE_FILES "arpa/inet.h")
endif(HAVE_ARPA_INET_H)
check_type_size(pid_t LIBVNCSERVER_PID_T)
check_type_size(size_t LIBVNCSERVER_SIZE_T)
check_type_size(socklen_t LIBVNCSERVER_SOCKLEN_T)
check_type_size(in_addr_t LIBVNCSERVER_IN_ADDR_T)
if(NOT HAVE_LIBVNCSERVER_IN_ADDR_T)
set(LIBVNCSERVER_NEED_INADDR_T 1)
endif(NOT HAVE_LIBVNCSERVER_IN_ADDR_T)
test_big_endian(LIBVNCSERVER_WORDS_BIGENDIAN)
configure_file (${CMAKE_CURRENT_SOURCE_DIR}/libvncserver-config.h.cmake
${CMAKE_CURRENT_BINARY_DIR}/libvncserver-config.h
)
set(LIBVNCSERVER_SOURCES
main.c
rfbserver.c
rfbregion.c
auth.c
sockets.c
stats.c
corre.c
hextile.c
rre.c
translate.c
cutpaste.c
httpd.c
cursor.c
font.c
draw.c
selbox.c
d3des.c
vncauth.c
cargs.c
minilzo.c
ultra.c
scale.c
)
if(ZLIB_FOUND)
add_definitions(-DLIBVNCSERVER_HAVE_LIBZ)
include_directories(${ZLIB_INCLUDE_DIR})
set(LIBVNCSERVER_SOURCES
${LIBVNCSERVER_SOURCES}
zlib.c
zrle.c
zrleoutstream.c
zrlepalettehelper.c
)
endif(ZLIB_FOUND)
if(JPEG_FOUND)
add_definitions(-DLIBVNCSERVER_HAVE_LIBJPEG)
include_directories(${JPEG_INCLUDE_DIR})
set(LIBVNCSERVER_SOURCES
${LIBVNCSERVER_SOURCES}
tight.c
)
endif(JPEG_FOUND)
add_library(vncserver STATIC ${LIBVNCSERVER_SOURCES})
if(WIN32)
set(ADDITIONAL_LIBS ws2_32)
endif(WIN32)
target_link_libraries(vncserver
${ADDITIONAL_LIBS}
${ZLIB_LIBRARIES}
${JPEG_LIBRARIES}
)
/*
* auth.c - deal with authentication.
*
* This file implements the VNC authentication protocol when setting up an RFB
* connection.
*/
/*
* Copyright (C) 2005 Rohit Kumar, Johannes E. Schindelin
* OSXvnc Copyright (C) 2001 Dan McGuirk <mcguirk@incompleteness.net>.
* Original Xvnc code Copyright (C) 1999 AT&T Laboratories Cambridge.
* All Rights Reserved.
*
* This is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this software; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
* USA.
*/
#include "rfb/rfb.h"
/* RFB 3.8 clients are well informed */
void rfbClientSendString(rfbClientPtr cl, const char *reason);
/*
* Handle security types
*/
static rfbSecurityHandler* securityHandlers = NULL;
/*
* This method registers a list of new security types.
* It avoids same security type getting registered multiple times.
* The order is not preserved if multiple security types are
* registered at one-go.
*/
void
rfbRegisterSecurityHandler(rfbSecurityHandler* handler)
{
rfbSecurityHandler *head = securityHandlers, *next = NULL;
if(handler == NULL)
return;
next = handler->next;
while(head != NULL) {
if(head == handler) {
rfbRegisterSecurityHandler(next);
return;
}
head = head->next;
}
handler->next = securityHandlers;
securityHandlers = handler;
rfbRegisterSecurityHandler(next);
}
/*
* This method unregisters a list of security types.
* These security types won't be available for any new
* client connection.
*/
void
rfbUnregisterSecurityHandler(rfbSecurityHandler* handler)
{
rfbSecurityHandler *cur = NULL, *pre = NULL;
if(handler == NULL)
return;
if(securityHandlers == handler) {
securityHandlers = securityHandlers->next;
rfbUnregisterSecurityHandler(handler->next);
return;
}
cur = pre = securityHandlers;
while(cur) {
if(cur == handler) {
pre->next = cur->next;
break;
}
pre = cur;
cur = cur->next;
}
rfbUnregisterSecurityHandler(handler->next);
}
/*
* Send the authentication challenge.
*/
static void
rfbVncAuthSendChallenge(rfbClientPtr cl)
{
/* 4 byte header is alreay sent. Which is rfbSecTypeVncAuth
(same as rfbVncAuth). Just send the challenge. */
rfbRandomBytes(cl->authChallenge);
if (rfbWriteExact(cl, (char *)cl->authChallenge, CHALLENGESIZE) < 0) {
rfbLogPerror("rfbAuthNewClient: write");
rfbCloseClient(cl);
return;
}
/* Dispatch client input to rfbVncAuthProcessResponse. */
cl->state = RFB_AUTHENTICATION;
}
/*
* Send the NO AUTHENTICATION. SCARR
*/
static void
rfbVncAuthNone(rfbClientPtr cl)
{
uint32_t authResult;
if (cl->protocolMajorVersion==3 && cl->protocolMinorVersion > 7) {
rfbLog("rfbProcessClientSecurityType: returning securityResult for client rfb version >= 3.8\n");
authResult = Swap32IfLE(rfbVncAuthOK);
if (rfbWriteExact(cl, (char *)&authResult, 4) < 0) {
rfbLogPerror("rfbAuthProcessClientMessage: write");
rfbCloseClient(cl);
return;
}
}
cl->state = RFB_INITIALISATION;
return;
}
/*
* Advertise the supported security types (protocol 3.7). Here before sending
* the list of security types to the client one more security type is added
* to the list if primaryType is not set to rfbSecTypeInvalid. This security
* type is the standard vnc security type which does the vnc authentication
* or it will be security type for no authentication.
* Different security types will be added by applications using this library.
*/
static rfbSecurityHandler VncSecurityHandlerVncAuth = {
rfbSecTypeVncAuth,
rfbVncAuthSendChallenge,
NULL
};
static rfbSecurityHandler VncSecurityHandlerNone = {
rfbSecTypeNone,
rfbVncAuthNone,
NULL
};
static void
rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType)
{
/* The size of the message is the count of security types +1,
* since the first byte is the number of types. */
int size = 1;
rfbSecurityHandler* handler;
#define MAX_SECURITY_TYPES 255
uint8_t buffer[MAX_SECURITY_TYPES+1];
/* Fill in the list of security types in the client structure. (NOTE: Not really in the client structure) */
switch (primaryType) {
case rfbSecTypeNone:
rfbRegisterSecurityHandler(&VncSecurityHandlerNone);
break;
case rfbSecTypeVncAuth:
rfbRegisterSecurityHandler(&VncSecurityHandlerVncAuth);
break;
}
for (handler = securityHandlers;
handler && size<MAX_SECURITY_TYPES; handler = handler->next) {
buffer[size] = handler->type;
size++;
}
buffer[0] = (unsigned char)size-1;
/* Send the list. */
if (rfbWriteExact(cl, (char *)buffer, size) < 0) {
rfbLogPerror("rfbSendSecurityTypeList: write");
rfbCloseClient(cl);
return;
}
/*
* if count is 0, we need to send the reason and close the connection.
*/
if(size <= 1) {
/* This means total count is Zero and so reason msg should be sent */
/* The execution should never reach here */
char* reason = "No authentication mode is registered!";
rfbClientSendString(cl, reason);
return;
}
/* Dispatch client input to rfbProcessClientSecurityType. */
cl->state = RFB_SECURITY_TYPE;
}
/*
* Tell the client what security type will be used (protocol 3.3).
*/
static void
rfbSendSecurityType(rfbClientPtr cl, int32_t securityType)
{
uint32_t value32;
/* Send the value. */
value32 = Swap32IfLE(securityType);
if (rfbWriteExact(cl, (char *)&value32, 4) < 0) {
rfbLogPerror("rfbSendSecurityType: write");
rfbCloseClient(cl);
return;
}
/* Decide what to do next. */
switch (securityType) {
case rfbSecTypeNone:
/* Dispatch client input to rfbProcessClientInitMessage. */
cl->state = RFB_INITIALISATION;
break;
case rfbSecTypeVncAuth:
/* Begin the standard VNC authentication procedure. */
rfbVncAuthSendChallenge(cl);
break;
default:
/* Impossible case (hopefully). */
rfbLogPerror("rfbSendSecurityType: assertion failed");
rfbCloseClient(cl);
}
}
/*
* rfbAuthNewClient is called right after negotiating the protocol
* version. Depending on the protocol version, we send either a code
* for authentication scheme to be used (protocol 3.3), or a list of
* possible "security types" (protocol 3.7).
*/
void
rfbAuthNewClient(rfbClientPtr cl)
{
int32_t securityType = rfbSecTypeInvalid;
if (!cl->screen->authPasswdData || cl->reverseConnection) {
/* chk if this condition is valid or not. */
securityType = rfbSecTypeNone;
} else if (cl->screen->authPasswdData) {
securityType = rfbSecTypeVncAuth;
}
if (cl->protocolMajorVersion==3 && cl->protocolMinorVersion < 7)
{
/* Make sure we use only RFB 3.3 compatible security types. */
if (securityType == rfbSecTypeInvalid) {
rfbLog("VNC authentication disabled - RFB 3.3 client rejected\n");
rfbClientConnFailed(cl, "Your viewer cannot handle required "
"authentication methods");
return;
}
rfbSendSecurityType(cl, securityType);
} else {
/* Here it's ok when securityType is set to rfbSecTypeInvalid. */
rfbSendSecurityTypeList(cl, securityType);
}
}
/*
* Read the security type chosen by the client (protocol 3.7).
*/
void
rfbProcessClientSecurityType(rfbClientPtr cl)
{
int n;
uint8_t chosenType;
rfbSecurityHandler* handler;
/* Read the security type. */
n = rfbReadExact(cl, (char *)&chosenType, 1);
if (n <= 0) {
if (n == 0)
rfbLog("rfbProcessClientSecurityType: client gone\n");
else
rfbLogPerror("rfbProcessClientSecurityType: read");
rfbCloseClient(cl);
return;
}
/* Make sure it was present in the list sent by the server. */
for (handler = securityHandlers; handler; handler = handler->next) {
if (chosenType == handler->type) {
rfbLog("rfbProcessClientSecurityType: executing handler for type %d\n", chosenType);
handler->handler(cl);
return;
}
}
rfbLog("rfbProcessClientSecurityType: wrong security type (%d) requested\n", chosenType);
rfbCloseClient(cl);
}
/*
* rfbAuthProcessClientMessage is called when the client sends its
* authentication response.
*/
void
rfbAuthProcessClientMessage(rfbClientPtr cl)
{
int n;
uint8_t response[CHALLENGESIZE];
uint32_t authResult;
if ((n = rfbReadExact(cl, (char *)response, CHALLENGESIZE)) <= 0) {
if (n != 0)
rfbLogPerror("rfbAuthProcessClientMessage: read");
rfbCloseClient(cl);
return;
}
if(!cl->screen->passwordCheck(cl,(const char*)response,CHALLENGESIZE)) {
rfbErr("rfbAuthProcessClientMessage: password check failed\n");
authResult = Swap32IfLE(rfbVncAuthFailed);
if (rfbWriteExact(cl, (char *)&authResult, 4) < 0) {
rfbLogPerror("rfbAuthProcessClientMessage: write");
}
/* support RFB 3.8 clients, they expect a reason *why* it was disconnected */
if (cl->protocolMinorVersion > 7) {
rfbClientSendString(cl, "password check failed!");
}
else
rfbCloseClient(cl);
return;
}
authResult = Swap32IfLE(rfbVncAuthOK);
if (rfbWriteExact(cl, (char *)&authResult, 4) < 0) {
rfbLogPerror("rfbAuthProcessClientMessage: write");
rfbCloseClient(cl);
return;
}
cl->state = RFB_INITIALISATION;
}
/*
* This parses the command line arguments. It was seperated from main.c by
* Justin Dearing <jdeari01@longisland.poly.edu>.
*/
/*
* LibVNCServer (C) 2001 Johannes E. Schindelin <Johannes.Schindelin@gmx.de>
* Original OSXvnc (C) 2001 Dan McGuirk <mcguirk@incompleteness.net>.
* Original Xvnc (C) 1999 AT&T Laboratories Cambridge.
* All Rights Reserved.
*
* see GPL (latest version) for full details
*/
#include "rfb/rfb.h"
extern int rfbStringToAddr(char *str, in_addr_t *iface);
void
rfbUsage(void)
{
rfbProtocolExtension* extension;
fprintf(stderr, "-rfbport port TCP port for RFB protocol\n");
fprintf(stderr, "-rfbwait time max time in ms to wait for RFB client\n");
fprintf(stderr, "-rfbauth passwd-file use authentication on RFB protocol\n"