Re: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)

[Michael Tokarev]

04.07.2023 12:39, Mauro Matteo Cascella wrote:
> On Tue, Jul 4, 2023 at 11:03 AM Marc-André Lureau
> <marcandre.lureau@gmail.com> wrote:
> > On Tue, Jul 4, 2023 at 10:42 AM Mauro Matteo Cascella <mcascell@redhat.com> 
> > wrote:
> > > A wrong exit condition may lead to an infinite loop when inflating a
> > > valid zlib buffer containing some extra bytes in the `inflate_buffer`
> > > function. The bug only occurs post-authentication. Return the buffer
> > > immediately if the end of the compressed data has been reached
> > > (Z_STREAM_END).
> > >
> > > Fixes: CVE-2023-3255
> > > Fixes: 0bf41cab ("ui/vnc: clipboard support")
> > > Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
> > > Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> >
> >
> > Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> > Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> >
> > Note: we may want to disconnect the client when there are extra bytes in the 
> > message, or print some warnings.
>
> Sure, I guess we can call vnc_disconnect_finish or vnc_client_error
> for disconnecting, not sure how to properly print warnings. Feel free
> to add that yourself when applying the patch. Or I can try to send v2
> if you prefer.

Ping, for 8.1 and -stable?

Thanks,

/mjt