Package: vino
Version: 3.22.0-5
Tags: security upstream
Dear maintainers of vino,

last month I started working on an audit regarding libvncserver+libvncclient in Debian. Code portions from either of those libraries have been bundled in the Debian src:pkg "vino":
CVE-2019-15681[0]:
| LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains
| a memory leak (CWE-655) in VNC server code, which allows an attacker to
| read stack memory and can be abused for information disclosure.
| Combined with another vulnerability, it can be used to leak stack
| memory and bypass ASLR. This attack appears to be exploitable via
| network connectivity. These vulnerabilities have been fixed in commit
| d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a.

CVE-2018-7225
| An issue was discovered in LibVNCServer through 0.9.11.
| rfbProcessClientNormalMessage() in rfbserver.c does not
| sanitize msg.cct.length, leading to access to uninitialized and
| potentially sensitive data or possibly unspecified other impact
| (e.g., an integer overflow) via specially crafted VNC packets.

CVE-2014-6053
| The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c
| in LibVNCServer 0.9.9 and earlier does not properly handle attempts to
| send a large amount of ClientCutText data, which allows remote attackers
| to cause a denial of service (memory consumption or daemon crash) via
| a crafted message that is processed by using a single unchecked malloc.

Find attached a .debdiff (targeting the vino version in testing/unstable) that resolves the above libvncserver related issues in vino.
With my LTS team member hat on, I will upload vino to jessie LTS within the next hours.
Please let me know if you will also handle uploads to stretch-security and buster-security. Thanks.
Please note that I have not runtime-tested the vino 3.22.0-5.1 version; the .debdiff is a simple forward port of what I have been working on for Debian jessie LTS. Thanks.
Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
diff -Nru vino-3.22.0/debian/changelog vino-3.22.0/debian/changelog --- vino-3.22.0/debian/changelog 2018-12-28 00:58:27.000000000 +0100 +++ vino-3.22.0/debian/changelog 2019-11-28 16:37:03.000000000 +0100 @@ -1,3 +1,16 @@ +vino (3.22.0-5.1) unstable; urgency=medium + + * Non-maintainer upload. + * Porting of libvncserver security patches: + - CVE-2014-6053: Check malloc() return value on client->server ClientCutText + message. + - CVE-2018-7225: Uninitialized and potentially sensitive data could be + accessed by remote attackers because the msg.cct.length in rfbserver.c was + not sanitized. + - CVE-2019-15681: rfbserver: don't leak stack memory to the remote. + + -- Mike Gabriel <sunwea...@debian.org> Thu, 28 Nov 2019 16:37:03 +0100 + vino (3.22.0-5) unstable; urgency=medium * Build-Depend on debhelper-compat 12 and drop debian/compat diff -Nru vino-3.22.0/debian/patches/libvncserver_CVE-2014-6053.patch vino-3.22.0/debian/patches/libvncserver_CVE-2014-6053.patch --- vino-3.22.0/debian/patches/libvncserver_CVE-2014-6053.patch 1970-01-01 01:00:00.000000000 +0100 +++ vino-3.22.0/debian/patches/libvncserver_CVE-2014-6053.patch 2019-11-28 15:57:25.000000000 +0100 
@@ -0,0 +1,22 @@ +Description: Check malloc() return value (CVE-2014-6053) + Check malloc() return value on client->server ClientCutText + message. Client can send up to 2**32-1 bytes of text, and such a large + allocation is likely to fail in case of high memory pressure. This would in a + server crash (write at address 0). +Origin: https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/server/libvncserver/rfbserver.c ++++ b/server/libvncserver/rfbserver.c +@@ -851,6 +851,11 @@ + msg.cct.length = Swap32IfLE(msg.cct.length); + + str = (char *)malloc(msg.cct.length); ++ if (str == NULL) { ++ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); ++ rfbCloseClient(cl); ++ return; ++ } + + if ((n = ReadExact(cl, str, msg.cct.length)) <= 0) { + if (n != 0) diff -Nru vino-3.22.0/debian/patches/libvncserver_CVE-2018-7225.patch vino-3.22.0/debian/patches/libvncserver_CVE-2018-7225.patch --- vino-3.22.0/debian/patches/libvncserver_CVE-2018-7225.patch 1970-01-01 01:00:00.000000000 +0100 +++ vino-3.22.0/debian/patches/libvncserver_CVE-2018-7225.patch 2019-11-28 16:11:44.000000000 +0100 
@@ -0,0 +1,46 @@ +From: Markus Koschany <a...@debian.org> +Date: Tue, 5 Jun 2018 14:04:07 +0200 +Subject: CVE-2018-7225 + +Bug-Debian: https://bugs.debian.org/894045 +Origin: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee +--- + libvncserver/rfbserver.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/server/libvncserver/rfbserver.c ++++ b/server/libvncserver/rfbserver.c +@@ -58,6 +58,8 @@ + #else + #define DEBUGPROTO(x) + #endif ++/* PRIu32 */ ++#include <inttypes.h> + + rfbClientPtr pointerClient = NULL; /* Mutex for pointer events */ + +@@ -850,7 +852,23 @@ + + msg.cct.length = Swap32IfLE(msg.cct.length); + +- str = (char *)malloc(msg.cct.length); ++ /* uint32_t input is passed to malloc()'s size_t argument, ++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int ++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int ++ * argument. Here we impose a limit of 1 MB so that the value fits ++ * into all of the types to prevent from misinterpretation and thus ++ * from accessing uninitialized memory (CVE-2018-7225) and also to ++ * prevent from a denial-of-service by allocating to much memory in ++ * the server. */ ++ if (msg.cct.length > 1<<20) { ++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", ++ msg.cct.length); ++ rfbCloseClient(cl); ++ return; ++ } ++ ++ /* Allow zero-length client cut text. */ ++ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1); + if (str == NULL) { + rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); + rfbCloseClient(cl); diff -Nru vino-3.22.0/debian/patches/libvncserver_CVE-2019-15681.patch vino-3.22.0/debian/patches/libvncserver_CVE-2019-15681.patch --- vino-3.22.0/debian/patches/libvncserver_CVE-2019-15681.patch 1970-01-01 01:00:00.000000000 +0100 +++ vino-3.22.0/debian/patches/libvncserver_CVE-2019-15681.patch 2019-11-28 16:15:57.000000000 +0100 
@@ -0,0 +1,21 @@ +From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001 +From: Christian Beier <dontm...@freeshell.org> +Date: Mon, 19 Aug 2019 22:32:25 +0200 +Subject: [PATCH] rfbserver: don't leak stack memory to the remote + +Thanks go to Pavel Cheremushkin of Kaspersky for reporting. +--- + libvncserver/rfbserver.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/server/libvncserver/rfbserver.c ++++ b/server/libvncserver/rfbserver.c +@@ -1557,6 +1557,8 @@ + rfbServerCutTextMsg sct; + rfbClientIteratorPtr iterator; + ++ memset((char *)&sct, 0, sizeof(sct)); ++ + iterator = rfbGetClientIterator(rfbScreen); + while ((cl = rfbClientIteratorNext(iterator)) != NULL) { + /* Client is not authenticated, ignore. See GNOME bug 678434. */ diff -Nru vino-3.22.0/debian/patches/series vino-3.22.0/debian/patches/series --- vino-3.22.0/debian/patches/series 2018-12-28 00:58:27.000000000 +0100 +++ vino-3.22.0/debian/patches/series 2019-11-28 16:37:03.000000000 +0100 @@ -9,3 +9,6 @@ 0008-Properly-remove-watches-when-changing-server-props.patch 0009-Return-empty-string-instead-of-NULL-to-prevent-criti.patch 0010-Fix-various-defects-reported-by-covscan.patch +libvncserver_CVE-2014-6053.patch +libvncserver_CVE-2018-7225.patch +libvncserver_CVE-2019-15681.patch
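Review bot: the CVE-2018-7225 entry in the debian/changelog hunk only mentions that msg.cct.length was not sanitized, but the corresponding patch also introduces a hard 1 MB cap (`if (msg.cct.length > 1<<20)`) after which the client is disconnected; that is a user-visible behaviour change for clients pasting large clipboard contents and should be named in the changelog so users of the stable/LTS updates can recognise it.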
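Review bot: the DEP-3 header of libvncserver_CVE-2014-6053.patch is missing a word ("This would in a server crash" should read "This would result in a server crash"); worth fixing since this text becomes the package's patch metadata. On the hunk itself, the added NULL check after `str = (char *)malloc(msg.cct.length);` is the right fix for the oversized-allocation case, but on its own it turns a zero-length ClientCutText into a disconnect on platforms where malloc(0) returns NULL; the following CVE-2018-7225 patch replaces the malloc() with `calloc(msg.cct.length ? msg.cct.length : 1, 1)`, which is why the two must stay in this order.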
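Review bot: the second hunk of libvncserver_CVE-2018-7225.patch uses `if (str == NULL) {` / `rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");` as context, lines that only exist once libvncserver_CVE-2014-6053.patch is applied, so this patch has a hard ordering dependency that debian/patches/series satisfies but the header does not state; a one-line note in the DEP-3 header would help the next person refreshing the patches. Two cosmetic points inherited from the upstream commit: the diffstat names `libvncserver/rfbserver.c` while the hunks target `server/libvncserver/rfbserver.c`, and the comment reads "allocating to much memory" (should be "too much"); neither affects the fix, and the 1 MB bound together with the zero-filling calloc() covers both the uninitialized-read and the oversized-allocation path described in the CVE text.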
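Review bot: in libvncserver_CVE-2019-15681.patch the added `memset((char *)&sct, 0, sizeof(sct));` zeroes the whole rfbServerCutTextMsg before it is populated, so the struct's padding bytes no longer carry stack contents onto the wire, matching upstream commit d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a named in the header. Please confirm that rfbserver.c already includes <string.h> (not visible in the hunk context) so memset() is not used via an implicit declaration, and consider adding a DEP-3 `Origin:` line with the upstream commit URL for consistency with the other two patches.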
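Review bot: the debian/patches/series hunk appends the three patches in the order CVE-2014-6053, CVE-2018-7225, CVE-2019-15681, which is required because the CVE-2018-7225 hunk expects the NULL check introduced by the CVE-2014-6053 patch as context; keep this order if the series is ever reshuffled.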