Package: ssvnc
Severity: grave
X-Debbugs-CC: t...@security.debian.org
Version: 1.0.29-4
Tags: security patch
The following vulnerabilities have recently been discovered in ssvnc's bundled (and rather old) version of the libvncclient code:
CVE-2018-20020[0]:
| LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains
| a heap out-of-bound write vulnerability inside a structure in VNC client
| code that can result in remote code execution.

CVE-2018-20021[1]:
| LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains
| a CWE-835: Infinite loop vulnerability in VNC client code. The
| vulnerability allows an attacker to consume excessive amounts of resources
| like CPU and RAM.

CVE-2018-20022[2]:
| LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains
| multiple weaknesses: a CWE-665: Improper Initialization vulnerability in
| VNC client code that allows an attacker to read stack memory and can be
| abused for information disclosure. Combined with another vulnerability,
| it can be used to leak the stack memory layout and to bypass ASLR.

CVE-2018-20024[3]:
| LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains
| a null pointer dereference in VNC client code that can result in DoS.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

As I have worked on a fix for these issues for ssvnc in Debian jessie LTS (with my LTS team member hat on, that is), I have attached the proposed .debdiff (which applies against ssvnc 1.0.29-2) to this mail. It should be easy to forward-port the security fixes to ssvnc in stretch, buster and testing/unstable.
Regarding the upload to jessie LTS, please let me know if I can proceed with the upload ASAP or if you want to take a closer look at the proposed changeset. Thanks.
Regards,
Mike

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20020
[1] https://security-tracker.debian.org/tracker/CVE-2018-20021
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20021
[2] https://security-tracker.debian.org/tracker/CVE-2018-20022
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20022
[3] https://security-tracker.debian.org/tracker/CVE-2018-20024
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20024

-- 
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
diff -Nru ssvnc-1.0.29/debian/changelog ssvnc-1.0.29/debian/changelog --- ssvnc-1.0.29/debian/changelog 2011-11-11 08:11:09.000000000 +0100 +++ ssvnc-1.0.29/debian/changelog 2019-11-29 12:15:33.000000000 +0100 @@ -1,3 +1,15 @@ +ssvnc (1.0.29-2+deb8u1) jessie-security; urgency=medium + + * Non-maintainer upload by the LTS team. + * Porting of libvncclient security patches: + - CVE-2018-20020: heap out-of-bound write vulnerability inside structure + in VNC client code. + - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code. + - CVE-2018-20022: CWE-665: Improper Initialization vulnerability. + - CVE-2018-20024: null pointer dereference that can result DoS. + + -- Mike Gabriel <sunwea...@debian.org> Fri, 29 Nov 2019 12:15:33 +0100 + ssvnc (1.0.29-2) unstable; urgency=low * Also get CPPFLAGS from dpkg-buildflags. Pass it as EXTRA_DEFINES to diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch --- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch 1970-01-01 01:00:00.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch 2019-11-29 12:15:33.000000000 +0100 
@@ -0,0 +1,22 @@ +Description: CVE-2018-20020 + heap out-of-bound write vulnerability inside structure in VNC client code that + can result remote code execution +--- + +Author: Abhijith PA <abhij...@debian.org> +Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d +Bug: https://github.com/LibVNC/libvncserver/issues/250 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/vnc_unixsrc/vncviewer/corre.c ++++ b/vnc_unixsrc/vncviewer/corre.c +@@ -76,7 +76,7 @@ + FillRectangle(rx, ry, rw, rh, gcv.foreground); + #endif + +- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) ++ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) + return False; + + ptr = (CARD8 *)buffer; diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch --- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch 1970-01-01 01:00:00.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch 2019-11-29 11:44:25.000000000 +0100 
@@ -0,0 +1,22 @@ +Description: CVE-2018-20021 + CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows + attacker to consume excessive amount of resources like CPU and RAM +--- + +Author: Abhijith PA <abhij...@debian.org> +Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c +Bug: https://github.com/LibVNC/libvncserver/issues/251 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/vnc_unixsrc/vncviewer/rfbproto.c ++++ b/vnc_unixsrc/vncviewer/rfbproto.c +@@ -3156,7 +3156,7 @@ + if (db) fprintf(stderr, "Raw: %dx%d+%d+%d\n", rect.r.w, rect.r.h, rect.r.x, rect.r.y); + area_raw += rect.r.w * rect.r.h; + +- while (rect.r.h > 0) { ++ while (linesToRead && rect.r.h > 0) { + if (linesToRead > rect.r.h) { + linesToRead = rect.r.h; + } diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch --- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch 1970-01-01 01:00:00.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch 2019-11-29 11:45:49.000000000 +0100 
@@ -0,0 +1,31 @@ +Description: CVE-2018-20022 + multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC + client code that allows attacker to read stack memory and can be abuse for + information disclosure. Combined with another vulnerability, it can be used + to leak stack memory layout and in bypassing ASLR +--- + +Author: Abhijith PA <abhij...@debian.org> +Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 +Bug: https://github.com/LibVNC/libvncserver/issues/252 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/vnc_unixsrc/vncviewer/rfbproto.c ++++ b/vnc_unixsrc/vncviewer/rfbproto.c +@@ -2447,6 +2447,7 @@ + } + } + ++ memset(&ke, 0, sizeof(ke)); + ke.type = rfbKeyEvent; + ke.down = down ? 1 : 0; + ke.key = Swap32IfLE(key); +@@ -2480,6 +2481,7 @@ + return True; + } + ++ memset(&cct, 0, sizeof(cct)); + cct.type = rfbClientCutText; + cct.length = Swap32IfLE((unsigned int) len); + currentMsg = rfbClientCutText; diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch --- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch 1970-01-01 01:00:00.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch 2019-11-29 11:57:19.000000000 +0100 
@@ -0,0 +1,43 @@ +Description: CVE-2018-20024 + null pointer dereference in VNC client code that can result DoS. +--- + +Author: Abhijith PA <abhij...@debian.org> +Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 +Bug: https://github.com/LibVNC/libvncserver/issues/254 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +[sunweaver] Investigate CVE-2018-20024 in ssvnc and find similar issues in zrle.c and zlib.c. + The ultra.c code that this has originally been reported against is not present in + ssvnc. + +--- a/vnc_unixsrc/vncviewer/zlib.c ++++ b/vnc_unixsrc/vncviewer/zlib.c +@@ -55,6 +55,11 @@ + raw_buffer_size = (( rw * rh ) * ( BPP / 8 )); + raw_buffer = (char*) malloc( raw_buffer_size ); + ++ if (raw_buffer == NULL) { ++ ++ return False; ++ ++ } + } + + if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader)) +--- a/vnc_unixsrc/vncviewer/zrle.c ++++ b/vnc_unixsrc/vncviewer/zrle.c +@@ -132,6 +132,12 @@ + raw_buffer_size = min_buffer_size; + raw_buffer = (char*) malloc( raw_buffer_size ); + ++ if ( raw_buffer == NULL ) { ++ ++ return False; ++ ++ } ++ + } + + if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader)) diff -Nru ssvnc-1.0.29/debian/patches/series ssvnc-1.0.29/debian/patches/series --- ssvnc-1.0.29/debian/patches/series 2011-11-11 08:11:09.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/series 2019-11-29 12:15:33.000000000 +0100 @@ -3,3 +3,7 @@ buildflags.patch nostrip.patch format-security.patch +libvncclient_CVE-2018-20020.patch +libvncclient_CVE-2018-20021.patch +libvncclient_CVE-2018-20022.patch +libvncclient_CVE-2018-20024.patch
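Review bot: (debian/changelog hunk) the entry files all four fixes under "Porting of libvncclient security patches", but the CVE-2018-20024 patch header states that the ultra.c code the CVE was reported against is not present in ssvnc and that the zlib.c/zrle.c NULL checks came from a separate investigation; say that in the changelog line for CVE-2018-20024 (for example "add missing malloc() NULL checks in zlib.c and zrle.c; the affected ultra.c code is not shipped in ssvnc") so the security tracker and whoever forward-ports this to stretch/buster can tell an adapted fix from a verbatim backport.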
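Review bot: (corre.c hunk, CVE-2018-20020) the guard "hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8))" has the right shape, since it divides the buffer size rather than multiplying the server-supplied count and so cannot be wrapped by a huge nSubrects, but the hunk does not show where "buffer" is declared: confirm it is the BUFFER_SIZE-byte global the bound assumes, and that BPP is the pixel size of the template instantiation the file is compiled as, otherwise the limit is wrong for one of the 8/16/32 bpp variants. Consider a diagnostic before "return False" so a user can distinguish a malicious server from a dropped connection; the silent return gives no clue.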
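Review bot: (rfbproto.c hunk, CVE-2018-20021) "while (linesToRead && rect.r.h > 0)" stops the spin when bytesPerLine exceeds BUFFER_SIZE (linesToRead == 0), but nothing shown after the loop treats that as an error: the rectangle's pixel bytes are then left unread, the client is desynchronised from the server stream and subsequent messages are parsed out of pixel data. Either return False when linesToRead is 0 before entering the loop, or reject the rectangle up front with a width check against the buffer size; merely exiting the loop turns a hang into undefined later behaviour on a server that is already known to be hostile.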
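Review bot: (first rfbproto.c hunk of CVE-2018-20022, "memset(&ke, 0, sizeof(ke))") this correctly zeroes the pad bytes of the stack-allocated key event before it goes to the server, but the same pattern applies to every other client-to-server message built on the stack in this file; the RFB SetPixelFormat and SetEncodings messages also carry pad bytes in their wire format, so check that wherever they are sent in this file the struct is zeroed too, or the fix is incomplete. A one-line comment naming the CVE next to the memset would stop a later cleanup from removing it as redundant.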
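Review bot: (second rfbproto.c hunk of CVE-2018-20022, "memset(&cct, 0, sizeof(cct))") zeroing the header is sufficient here since only the rfbClientCutTextMsg header lives on the stack and the text follows separately, but the adjacent line "cct.length = Swap32IfLE((unsigned int) len)" truncates len to 32 bits; the hunk does not show len's type, and if it is a signed int a negative value yields a header length that does not match the bytes actually sent, so reject len < 0 before building the message.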
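Review bot: (zlib.c hunk, CVE-2018-20024) the NULL check returns False but leaves raw_buffer_size set to the size that just failed to allocate (it is assigned on the line above the malloc) while raw_buffer is NULL; both are static across calls, so if the caller ever continues after a False return, a later smaller rectangle skips the reallocation branch and hands a NULL buffer to the inflate. Set raw_buffer_size = 0 before "return False". Separately, the size "( rw * rh ) * ( BPP / 8 )" is computed in int before being passed to malloc; with rw and rh taken from 16-bit rectangle headers the product can overflow a 32-bit int and yield a buffer that is too small rather than a NULL return, which this check does not catch, so bound rw * rh against the framebuffer dimensions before allocating. The blank lines inside the new braces also don't match the surrounding style.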
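Review bot: (zrle.c hunk, CVE-2018-20024) "raw_buffer_size = min_buffer_size;" is retained after the failed malloc, so on any later call "raw_buffer_size < min_buffer_size" is false and the NULL raw_buffer would be used; set raw_buffer_size = 0 before "return False;". The spacing "if ( raw_buffer == NULL )" differs from the "if (raw_buffer == NULL)" used in the zlib.c hunk of the same patch; pick one, and drop the blank lines inside the braces.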
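As an added example (not ssvnc or LibVNC code, and not part of this bug report or its debdiff), the following C program models the two server-controlled length fields that the CVE-2018-20020 and CVE-2018-20021 patches guard: the CoRRE subrectangle count checked by division rather than multiplication, and the raw-encoding chunk loop whose linesToRead can reach zero. BUFFER_SIZE of 4096, the in-memory stream standing in for ReadFromRFBServer(), and the zero-filled fake_server payload are assumptions chosen for the demo, not vncviewer's real values.

```c
/* Added example, not ssvnc/LibVNC code: models the CoRRE subrect-count check
 * (CVE-2018-20020) and the raw-encoding chunk loop (CVE-2018-20021) against a
 * fixed receive buffer. BUFFER_SIZE and the in-memory "server" are assumptions
 * chosen for the demo; the real vncviewer reads from a socket and uses a much
 * larger buffer. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 4096                 /* assumed demo size, not vncviewer's */

static char buffer[BUFFER_SIZE];         /* stands in for vncviewer's global buffer */

/* Constructed replacement for ReadFromRFBServer(): a byte stream in memory. */
struct stream { const unsigned char *data; size_t len; size_t pos; };

static bool read_from_server(struct stream *s, char *out, size_t n)
{
    if (s->len - s->pos < n)            /* short read: treat like a closed socket */
        return false;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return true;
}

/* --- CVE-2018-20020: CoRRE subrectangle count ----------------------------
 * Each CoRRE subrect on the wire is 4 bytes of x/y/w/h plus one pixel.
 * The patched check divides BUFFER_SIZE by that size instead of multiplying
 * the server-supplied count, so the comparison can never wrap. */
static bool corre_subrects_fit(uint32_t nSubrects, int bpp)
{
    uint32_t per_subrect = 4 + (uint32_t)bpp / 8;
    return nSubrects <= BUFFER_SIZE / per_subrect;
}

/* The tempting "compute the byte count, then compare" form wraps in 32-bit
 * arithmetic: returns true when it would wrongly accept nSubrects. */
static bool corre_naive_check_accepts(uint32_t nSubrects, int bpp)
{
    uint32_t bytes = nSubrects * (4 + (uint32_t)bpp / 8);  /* may wrap to a small value */
    return bytes <= BUFFER_SIZE;
}

/* Patched shape of the corre.c read: reject before reading into the buffer. */
static bool corre_read_subrects(struct stream *s, uint32_t nSubrects, int bpp)
{
    if (!corre_subrects_fit(nSubrects, bpp))
        return false;
    return read_from_server(s, buffer, (size_t)nSubrects * (4 + (size_t)bpp / 8));
}

/* --- CVE-2018-20021: raw encoding chunk loop ----------------------------
 * The raw decoder reads a rectangle in chunks of linesToRead = BUFFER_SIZE /
 * bytesPerLine lines. When one line is wider than the buffer, linesToRead is
 * 0 and the unpatched loop never shrinks h. This mirrors the patched loop
 * condition and reports the stalled case as a failure so the caller can drop
 * the connection instead of continuing with the stream out of sync.
 * Returns the number of chunks read, or -1 on failure. */
static int raw_read_rect(struct stream *s, uint16_t w, uint16_t h, int bpp)
{
    size_t bytesPerLine = (size_t)w * ((size_t)bpp / 8);
    size_t linesToRead;
    int chunks = 0;

    if (w == 0 || h == 0)               /* empty rectangle: nothing on the wire */
        return 0;
    linesToRead = BUFFER_SIZE / bytesPerLine;
    if (linesToRead == 0)               /* line wider than buffer: would spin forever */
        return -1;
    while (linesToRead && h > 0) {      /* the patched loop condition */
        if (linesToRead > h)
            linesToRead = h;
        if (!read_from_server(s, buffer, linesToRead * bytesPerLine))
            return -1;
        h -= (uint16_t)linesToRead;
        chunks++;
    }
    return chunks;
}

/* Constructed, zero-filled "server" payload used by the demo wrappers. */
static unsigned char fake_server[16384];

static bool demo_corre(uint32_t nSubrects, int bpp, size_t avail)
{
    if (avail > sizeof fake_server) avail = sizeof fake_server;
    struct stream s = { fake_server, avail, 0 };
    return corre_read_subrects(&s, nSubrects, bpp);
}

static int demo_raw(uint16_t w, uint16_t h, int bpp, size_t avail)
{
    if (avail > sizeof fake_server) avail = sizeof fake_server;
    struct stream s = { fake_server, avail, 0 };
    return raw_read_rect(&s, w, h, bpp);
}

int main(void)
{
    printf("512 subrects @32bpp fit: %d\n", corre_subrects_fit(512, 32));
    printf("513 subrects @32bpp fit: %d\n", corre_subrects_fit(513, 32));
    printf("naive check accepts 0x20000000: %d\n", corre_naive_check_accepts(0x20000000u, 32));
    printf("64x40 @32bpp chunks: %d\n", demo_raw(64, 40, 32, 10240));
    printf("2048x1 @32bpp chunks: %d\n", demo_raw(2048, 1, 32, 16384));
    return 0;
}
```

With the 4096-byte demo buffer, 512 subrects at 32 bpp fill it exactly and 513 are rejected, while the naive multiply-then-compare form accepts 0x20000000 subrects because the product wraps to 0; a 64x40 rectangle arrives in three chunks, and a 2048-pixel-wide line at 32 bpp (8192 bytes, wider than the buffer) is reported as a failure rather than looping.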