| Message ID | 20240115095119.654271-1-berrange@redhat.com |
|---|---|
| State | New |
| Headers | show |
| Series | ui: reject extended clipboard message if not activated | expand |
On Mon, Jan 15, 2024 at 1:52 PM Daniel P. Berrangé <berrange@redhat.com> wrote: > > The extended clipboard message protocol requires that the client > activate the extension by requesting a psuedo encoding. If this > is not done, then any extended clipboard messages from the client > should be considered invalid and the client dropped. > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > --- > > The need for fix was identified as part of investigation for > CVE-2023-6683. This does NOT, however, fix that CVE as it only > addresses one of the problem codepaths that can trigger that > CVE. > > ui/vnc.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/ui/vnc.c b/ui/vnc.c > index 4f23a0fa79..3b2c71e653 100644 > --- a/ui/vnc.c > +++ b/ui/vnc.c > @@ -2445,6 +2445,11 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) > } > > if (read_s32(data, 4) < 0) { > + if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) { > + error_report("vnc: extended clipboard message while disabled"); > + vnc_client_error(vs); > + break; > + } > if (dlen < 4) { > error_report("vnc: malformed payload (header less than 4 bytes)" > " in extended clipboard pseudo-encoding."); > -- > 2.43.0 > >
15.01.2024 12:51, Daniel P. Berrangé wrote: > The extended clipboard message protocol requires that the client > activate the extension by requesting a psuedo encoding. If this > is not done, then any extended clipboard messages from the client > should be considered invalid and the client dropped. > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> > --- > > The need for fix was identified as part of investigation for > CVE-2023-6683. This does NOT, however, fix that CVE as it only > addresses one of the problem codepaths that can trigger that > CVE. This might be a good pick for -stable too, in addition to the actual CVE-2023-6683 fix (adding -stable). /mjt
On Wed, Jan 17, 2024 at 03:10:30PM +0300, Michael Tokarev wrote: > 15.01.2024 12:51, Daniel P. Berrangé wrote: > > The extended clipboard message protocol requires that the client > > activate the extension by requesting a psuedo encoding. If this > > is not done, then any extended clipboard messages from the client > > should be considered invalid and the client dropped. > > > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> > > --- > > > > The need for fix was identified as part of investigation for > > CVE-2023-6683. This does NOT, however, fix that CVE as it only > > addresses one of the problem codepaths that can trigger that > > CVE. > > This might be a good pick for -stable too, in addition to the actual > CVE-2023-6683 fix (adding -stable). Agreed, both would be a good idea for stable. With regards, Daniel
diff --git a/ui/vnc.c b/ui/vnc.c index 4f23a0fa79..3b2c71e653 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -2445,6 +2445,11 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) } if (read_s32(data, 4) < 0) { + if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) { + error_report("vnc: extended clipboard message while disabled"); + vnc_client_error(vs); + break; + } if (dlen < 4) { error_report("vnc: malformed payload (header less than 4 bytes)" " in extended clipboard pseudo-encoding.");
The extended clipboard message protocol requires that the client activate the extension by requesting a psuedo encoding. If this is not done, then any extended clipboard messages from the client should be considered invalid and the client dropped. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- The need for fix was identified as part of investigation for CVE-2023-6683. This does NOT, however, fix that CVE as it only addresses one of the problem codepaths that can trigger that CVE. ui/vnc.c | 5 +++++ 1 file changed, 5 insertions(+)