Message-Id: <200812240058.mBO0wNoN065898@marvin.timing.com>
Date: Tue, 23 Dec 2008 17:58:23 -0700 (MST)
From: "John E. Hein" <jhein@timing.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [patch][vulnerability fix] update vnc port

>Number:         129894
>Category:       ports
>Synopsis:       [patch] fix broken net/vnc port
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    wxs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 24 01:00:14 UTC 2008
>Closed-Date:    Sat Dec 27 03:09:38 UTC 2008
>Last-Modified:  Sat Dec 27 03:10:09 UTC 2008
>Originator:     John Hein
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
>Environment:


>Description:

realvnc.com released a new version (in Oct), but the fetch doesn't know
the difference and, despite the port unsuspectingly fetching the latest
4.1.3 version, forces the output filename to vnc-4_1_2-unixsrc.tar.gz
with -o...

/usr/bin/fetch -ApRr -o vnc-4_1_3-unixsrc.tar.gz 'http://www.realvnc.com/cgi-bin/download.cgi?product=free4/src/unix&acceptLicense=1&haveDetails=1&filetype=tar_gz'

Adding '&filever=4.1.2' to the cgi download url would work around this
since the 4.1.2 tarball is still available, but we should update
to 4.1.3.

Only one code change: a bounds check on a decoders array index before
dereferencing in vnc-4_1_3-unixsrc/common/rfb/CMsgReader.cxx ...

+    if (encoding > encodingMax)
+      throw Exception("Unknown rect encoding");
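Review bot: the comparison on the first added line is `>` rather than `>=`, which is only correct if the decoders array holds encodingMax + 1 entries, and with no lower-bound test it relies on `encoding` being an unsigned type. Both are worth confirming in CMsgReader.cxx before treating this single check as the complete fix; if `encoding` turns out to be signed, the condition also needs `encoding < 0 ||`.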

Other than that, there were some minor 'configure' changes
(for instance, to support Solaris better it seems) and
some changes to .vcproj (Visual Studio C IDE project files).

For us, the only change should be the one instance
of better bounds checking shown above.

There is a reported vulnerability for 4.1.2 fixed by the
change shown above - supposedly a remote code execution
vulnerability...

http://www.net-security.org/vuln.php?id=6135

>How-To-Repeat:

>Fix:

Update to the latest release 4.1.3 and add 'filever'
to fetch instruction so the inadvertent
broken checksum doesn't happen again.

Index: Makefile
===================================================================
RCS file: /base/FreeBSD-CVS/ports/net/vnc/Makefile,v
retrieving revision 1.61
diff -u -p -r1.61 Makefile
--- Makefile	16 Dec 2008 04:28:21 -0000	1.61
+++ Makefile	24 Dec 2008 00:41:49 -0000
@@ -6,11 +6,11 @@
 #
 
 PORTNAME=	vnc
-PORTVERSION=	4.1.2
-PORTREVISION=	5
+PORTVERSION=	4.1.3
+PORTREVISION=	0
 CATEGORIES=	net ipv6
 MASTER_SITES=	http://www.realvnc.com/:vnc
-DISTNAME=	vnc-4_1_2-unixsrc
+DISTNAME=	vnc-4_1_3-unixsrc
 DISTFILES=	${DISTNAME}${EXTRACT_SUFX}:vnc
 DIST_SUBDIR=	xc
 
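Review bot: `PORTREVISION=	0` on the second added line should be dropped rather than set. Ports convention is to remove the PORTREVISION line entirely when PORTVERSION is bumped, so delete the old `PORTREVISION=	5` line without adding a replacement.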
@@ -20,8 +20,6 @@ COMMENT=	Display X and Win32 desktops on
 RUN_DEPENDS=	xorg-fonts>=7.2:${PORTSDIR}/x11-fonts/xorg-fonts \
 		xauth:${PORTSDIR}/x11/xauth
 
-BROKEN=		checksum mismatch
-
 GNU_CONFIGURE=	yes
 # The vnc supplied zlib seg. faults if compiled with -O
 CONFIGURE_ARGS=	--with-installed-zlib
@@ -73,7 +71,7 @@ PLIST_SUB+=	SERVER="@comment "
 # No direct URL for VNC -- have to pseudo-submit their webform.
 pre-fetch:
 	@${MKDIR} ${DISTDIR}/${DIST_SUBDIR} && cd ${DISTDIR}/${DIST_SUBDIR} && \
-	${FETCH_CMD} -o ${DISTNAME}.tar.gz 'http://www.realvnc.com/cgi-bin/download.cgi?product=free4/src/unix&acceptLicense=1&haveDetails=1&filetype=tar_gz'
+	${FETCH_CMD} -o ${DISTNAME}.tar.gz 'http://www.realvnc.com/cgi-bin/download.cgi?product=free4/src/unix&acceptLicense=1&haveDetails=1&filetype=tar_gz&filever=4.1.3'
 
 post-extract:
 .if !defined(WITHOUT_SERVER)
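Review bot: `filever=4.1.3` in the added `${FETCH_CMD}` line hard-codes the version a second time, so a later PORTVERSION bump can fetch one release while DISTNAME names another, which is the mismatch this PR is fixing. Use `filever=${PORTVERSION}` so the URL follows the Makefile variable. The download also stays on plain http://, which leaves the distinfo SHA256 as the only integrity check on the tarball.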
Index: distinfo
===================================================================
RCS file: /base/FreeBSD-CVS/ports/net/vnc/distinfo,v
retrieving revision 1.19
diff -u -p -r1.19 distinfo
--- distinfo	18 May 2006 16:06:35 -0000	1.19
+++ distinfo	24 Dec 2008 00:20:15 -0000
@@ -1,6 +1,6 @@
-MD5 (xc/vnc-4_1_2-unixsrc.tar.gz) = cf9a6fe8f592286b5e0fdde686504ffb
-SHA256 (xc/vnc-4_1_2-unixsrc.tar.gz) = ed73cd1abf4c4044032929fa2dd023d851f5fe37f88009523d3b08b7d836d542
-SIZE (xc/vnc-4_1_2-unixsrc.tar.gz) = 537713
+MD5 (xc/vnc-4_1_3-unixsrc.tar.gz) = a119f3c75ad2767c0588260e2abe39be
+SHA256 (xc/vnc-4_1_3-unixsrc.tar.gz) = a5897cbeaef74e02f23d43b89905f5a218041292743ed469f45092073c2bc047
+SIZE (xc/vnc-4_1_3-unixsrc.tar.gz) = 550870
 MD5 (xc/X430src-1.tgz) = 4f241a4f867363f40efa2b00dca292af
 SHA256 (xc/X430src-1.tgz) = 5276b045e154948fce7abba7d686406c65862d90b43b50f2546b33e38378f0d7
 SIZE (xc/X430src-1.tgz) = 10993622
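
The bounds check quoted in the description of this PR (`if (encoding > encodingMax)` before indexing the decoders array), shown in a self-contained form as an added example; it is not code from the PR or from the RealVNC sources. The `Reader` class, `kEncodingMax = 255` and the helper functions are hypothetical names chosen for the illustration.

```cpp
// Added illustration. Decoder, Reader, kEncodingMax and the helper names are
// hypothetical; they are not taken from the RealVNC source tree.
#include <array>
#include <cstdint>
#include <cstdio>
#include <stdexcept>

struct Decoder { const char* name; };
constexpr std::uint32_t kEncodingMax = 255;  // assumed highest table slot

class Reader {
public:
  Reader() { decoders_.fill(nullptr); }
  void registerDecoder(std::uint32_t encoding, Decoder* d) {
    if (encoding > kEncodingMax)
      throw std::out_of_range("encoding outside decoder table");
    decoders_[encoding] = d;
  }
  // Without the first check, decoders_[encoding] would read past the array
  // for any peer-supplied value above kEncodingMax. The parameter is unsigned,
  // so a negative wire value arrives as a huge number and is rejected too.
  Decoder* lookupDecoder(std::uint32_t encoding) const {
    if (encoding > kEncodingMax)
      throw std::runtime_error("Unknown rect encoding");
    Decoder* d = decoders_[encoding];
    if (d == nullptr)  // in range, but nothing registered for this slot
      throw std::runtime_error("Unknown rect encoding");
    return d;
  }
private:
  std::array<Decoder*, kEncodingMax + 1> decoders_;  // slots 0..kEncodingMax
};

// Read the 32-bit big-endian encoding field of a rectangle header.
std::uint32_t readEncoding(const unsigned char* p) {
  return (std::uint32_t(p[0]) << 24) | (std::uint32_t(p[1]) << 16) |
         (std::uint32_t(p[2]) << 8) | std::uint32_t(p[3]);
}

// True when the wire bytes map to a registered decoder, false when rejected.
bool accepts(const Reader& r, const unsigned char* wire) {
  try { r.lookupDecoder(readEncoding(wire)); return true; }
  catch (const std::runtime_error&) { return false; }
}

int main() {
  Decoder raw{"raw"}; Reader r; r.registerDecoder(0, &raw);
  const unsigned char high[4] = {0, 0, 1, 0};  // constructed input: 256
  std::printf("encoding 256 accepted: %d\n", accepts(r, high));
}
```
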
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->wxs 
Responsible-Changed-By: wxs 
Responsible-Changed-When: Thu Dec 25 15:30:42 UTC 2008 
Responsible-Changed-Why:  
I'll take it as I'm hoping to handle all the net/vnc PRs in the upcoming 
weeks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129894 
State-Changed-From-To: open->closed 
State-Changed-By: wxs 
State-Changed-When: Sat Dec 27 03:09:37 UTC 2008 
State-Changed-Why:  
Updated to 4.1.3 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/129894: commit references a PR
Date: Sat, 27 Dec 2008 03:08:37 +0000 (UTC)

 wxs         2008-12-27 03:08:15 UTC
 
   FreeBSD ports repository
 
   Modified files:
     net/vnc              Makefile distinfo 
   Log:
   - Update to 4.1.3
   - This is still buggy on AMD64, I'm working on a fix.
   
   PR:             ports/128510, ports/128515, ports/129289, ports/129894
   Submitted by:   Lots of people
   
   Revision  Changes    Path
   1.62      +3 -6      ports/net/vnc/Makefile
   1.20      +3 -3      ports/net/vnc/distinfo
 
>Unformatted:
 fix broken vnc port
 From: John Hein <jhein>
 Reply-To: John Hein <jhein>
 Cc: ports@freebsd.org
 BCc: jhein
 X-send-pr-version: 3.113
 X-GNATS-Notify: 
 
 
