Your message dated Mon, 16 Dec 2019 19:05:30 +0000
with message-id <e1igvgq-0000gr...@fasolo.debian.org>
and subject line Bug#945827: fixed in ssvnc 1.0.29-5
has caused the Debian Bug report #945827,
regarding ssvnc: fix libvncclient bundle security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
945827: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945827
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ssvnc
Severity: grave
X-Debbugs-CC: t...@security.debian.org
Version: 1.0.29-4
Tags: security patch

The following vulnerabilities have recently been discovered in ssvnc's bundled (and rather old) version of libvncclient code:

CVE-2018-20020[0]:
| LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains
| a heap out-of-bound write vulnerability inside a structure in VNC client
| code that can result in remote code execution

CVE-2018-20021[1]:
| LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains
| a CWE-835: Infinite loop vulnerability in VNC client code. The
| vulnerability allows an attacker to consume an excessive amount of
| resources like CPU and RAM

CVE-2018-20022[2]:
| LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains
| multiple weaknesses CWE-665: Improper Initialization vulnerability in
| VNC client code that allows an attacker to read stack memory and can be
| abused for information disclosure. Combined with another vulnerability,
| it can be used to leak the stack memory layout and to bypass ASLR

CVE-2018-20024[3]:
| LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains
| a null pointer dereference in VNC client code that can result in DoS.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

As I have worked on a fix for these issues for ssvnc in Debian jessie LTS (with my LTS team member hat on, that is), I have attached the proposed .debdiff (which applies against ssvnc 1.0.29-2) to this mail. It should be easy to forward-port the security fixes to ssvnc in stretch, buster and testing/unstable.

Regarding the upload to jessie LTS, please let me know if I can proceed with the upload ASAP or if you want to take a closer look at the proposed changeset. Thanks.

Regards,

Mike

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20020
[1] https://security-tracker.debian.org/tracker/CVE-2018-20021
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20021
[2] https://security-tracker.debian.org/tracker/CVE-2018-20022
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20022
[3] https://security-tracker.debian.org/tracker/CVE-2018-20024
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20024


--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

diff -Nru ssvnc-1.0.29/debian/changelog ssvnc-1.0.29/debian/changelog
--- ssvnc-1.0.29/debian/changelog       2011-11-11 08:11:09.000000000 +0100
+++ ssvnc-1.0.29/debian/changelog       2019-11-29 12:15:33.000000000 +0100
@@ -1,3 +1,15 @@
+ssvnc (1.0.29-2+deb8u1) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the LTS team.
+  * Porting of libvncclient security patches:
+    - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+      in VNC client code.
+    - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+    - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+    - CVE-2018-20024: null pointer dereference that can result DoS.
+
+ -- Mike Gabriel <sunwea...@debian.org>  Fri, 29 Nov 2019 12:15:33 +0100
+
 ssvnc (1.0.29-2) unstable; urgency=low
 
   * Also get CPPFLAGS from dpkg-buildflags. Pass it as EXTRA_DEFINES to
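Review bot: the changelog entry for CVE-2018-20024 does not record that, in ssvnc, the fix lands in zlib.c and zrle.c because the ultra.c site the CVE was reported against is not shipped, which the patch header further down explains; a short parenthetical such as `(applied to zlib.c and zrle.c; ultra.c is not present in ssvnc)` would spare the next porter from re-deriving that. Also "that can result DoS" reads better as "that can result in DoS".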
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch       
1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch       
2019-11-29 12:15:33.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20020
+ heap out-of-bound write vulnerability inside structure in VNC client code that
+ can result remote code execution
+---
+
+Author: Abhijith PA <abhij...@debian.org>
+Origin: 
https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/corre.c
++++ b/vnc_unixsrc/vncviewer/corre.c
+@@ -76,7 +76,7 @@
+     FillRectangle(rx, ry, rw, rh, gcv.foreground);
+ #endif
+ 
+-    if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++    if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || 
!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+       return False;
+ 
+     ptr = (CARD8 *)buffer;
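Review bot: the bare `---` line placed directly after the Description field marks the end of a DEP-3 header, so the `Author:`, `Origin:`, `Bug:` and `Bug-Debian:` fields that follow it sit outside the header and may be ignored by DEP-3-aware tooling; move the `---` to just above `--- a/vnc_unixsrc/vncviewer/corre.c` (the same applies to the other three patch files). On the code change, the guard `hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8))` is only sufficient if `buffer` is exactly BUFFER_SIZE bytes in this vintage of vncviewer; the hunk does not show the declaration, so a line in the porting notes confirming that would help reviewers of the stretch/buster forward-port.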
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch       
1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch       
2019-11-29 11:44:25.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20021
+ CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows
+ attacker to consume excessive amount of resources like CPU and RAM
+---
+
+Author: Abhijith PA <abhij...@debian.org>
+Origin: 
https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
+Bug: https://github.com/LibVNC/libvncserver/issues/251
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/rfbproto.c
++++ b/vnc_unixsrc/vncviewer/rfbproto.c
+@@ -3156,7 +3156,7 @@
+                       if (db) fprintf(stderr, "Raw:     %dx%d+%d+%d\n", 
rect.r.w, rect.r.h, rect.r.x, rect.r.y);
+                       area_raw += rect.r.w * rect.r.h;
+ 
+-                      while (rect.r.h > 0) {
++                      while (linesToRead && rect.r.h > 0) {
+                               if (linesToRead > rect.r.h) {
+                                       linesToRead = rect.r.h;
+                               }
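Review bot: `while (linesToRead && rect.r.h > 0)` stops the spin when `linesToRead` is 0, but as far as this hunk shows nothing reports that condition: a zero line budget means the rectangle width does not fit the read buffer, so the rectangle's raw pixel data is left unread and the remaining bytes will be parsed as the next server message. Treating `linesToRead == 0` as a protocol error and returning False before the loop would be clearer than silently skipping the rectangle, and matches how the other read failures in this function are handled (`return False`).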
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch       
1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch       
2019-11-29 11:45:49.000000000 +0100
@@ -0,0 +1,31 @@
+Description: CVE-2018-20022
+ multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC
+ client code that allows attacker to read stack memory and can be abuse for
+ information disclosure. Combined with another vulnerability, it can be used
+ to leak stack memory layout and in bypassing ASLR
+---
+
+Author: Abhijith PA <abhij...@debian.org>
+Origin: 
https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
+Bug: https://github.com/LibVNC/libvncserver/issues/252
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/rfbproto.c
++++ b/vnc_unixsrc/vncviewer/rfbproto.c
+@@ -2447,6 +2447,7 @@
+               }
+       }
+ 
++      memset(&ke, 0, sizeof(ke));
+       ke.type = rfbKeyEvent;
+       ke.down = down ? 1 : 0;
+       ke.key = Swap32IfLE(key);
+@@ -2480,6 +2481,7 @@
+               return True;
+       }
+ 
++      memset(&cct, 0, sizeof(cct));
+       cct.type = rfbClientCutText;
+       cct.length = Swap32IfLE((unsigned int) len);
+       currentMsg = rfbClientCutText;
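Review bot: the two `memset` calls zero `ke` and `cct` before their fields are filled, which is what closes the padding-byte leak, but the Description speaks of multiple weaknesses while this port touches only the key-event and cut-text builders; please confirm against upstream 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 that no other client-to-server message struct assembled on the stack in this rfbproto.c needs the same treatment, and say so in the patch header so the stretch/buster porters do not have to redo the comparison.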
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch       
1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch       
2019-11-29 11:57:19.000000000 +0100
@@ -0,0 +1,43 @@
+Description: CVE-2018-20024
+ null pointer dereference in VNC client code that can result DoS.
+---
+
+Author: Abhijith PA <abhij...@debian.org>
+Origin: 
https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7
+Bug: https://github.com/LibVNC/libvncserver/issues/254
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+[sunweaver] Investigate CVE-2018-20024 in ssvnc and find similar issues in 
zrle.c and zlib.c.
+            The ultra.c code that this has originally been reported against is 
not present in
+            ssvnc.
+
+--- a/vnc_unixsrc/vncviewer/zlib.c
++++ b/vnc_unixsrc/vncviewer/zlib.c
+@@ -55,6 +55,11 @@
+     raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+     raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++    if (raw_buffer == NULL) {
++
++      return False;
++
++    }
+   }
+ 
+   if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
+--- a/vnc_unixsrc/vncviewer/zrle.c
++++ b/vnc_unixsrc/vncviewer/zrle.c
+@@ -132,6 +132,12 @@
+               raw_buffer_size = min_buffer_size;
+               raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++              if ( raw_buffer == NULL ) {
++
++                      return False;
++
++              }
++
+       }
+ 
+       if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader))
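Review bot: in both the zlib.c and zrle.c hunks `raw_buffer_size` is assigned before the `malloc`, so on allocation failure the function returns False with `raw_buffer == NULL` while `raw_buffer_size` already holds the new size; since this is a grow-on-demand buffer (the allocation only happens inside an `if` sized against `raw_buffer_size`), any later call that reaches this code will see a size that appears sufficient, skip the allocation and dereference NULL, reintroducing the crash the patch is meant to remove. Reset `raw_buffer_size = 0` in the failure branch, or assign it only after a successful `malloc`. Two smaller points: the blank lines inside the new `if` blocks (`+    if (raw_buffer == NULL) {` followed by an empty `+` line) are noise against the surrounding style, and the size expression `(( rw * rh ) * ( BPP / 8 ))` visible in context is computed in plain integer arithmetic, so a NULL check on the result does not by itself make the allocation size trustworthy.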
diff -Nru ssvnc-1.0.29/debian/patches/series ssvnc-1.0.29/debian/patches/series
--- ssvnc-1.0.29/debian/patches/series  2011-11-11 08:11:09.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/series  2019-11-29 12:15:33.000000000 +0100
@@ -3,3 +3,7 @@
 buildflags.patch
 nostrip.patch
 format-security.patch
+libvncclient_CVE-2018-20020.patch
+libvncclient_CVE-2018-20021.patch
+libvncclient_CVE-2018-20022.patch
+libvncclient_CVE-2018-20024.patch



--- End Message ---
--- Begin Message ---
Source: ssvnc
Source-Version: 1.0.29-5

We believe that the bug you reported is fixed in the latest version of
ssvnc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 945...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Magnus Holmgren <holmg...@debian.org> (supplier of updated ssvnc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 16 Dec 2019 19:46:31 +0100
Source: ssvnc
Architecture: source
Version: 1.0.29-5
Distribution: unstable
Urgency: high
Maintainer: Magnus Holmgren <holmg...@debian.org>
Changed-By: Magnus Holmgren <holmg...@debian.org>
Closes: 945827
Changes:
 ssvnc (1.0.29-5) unstable; urgency=high
 .
   * Porting of libvncclient security patches by the jessie LTS team
     (Closes: #945827):
     - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
       in VNC client code.
     - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
     - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
     - CVE-2018-20024: null pointer dereference that can result DoS.
   * Bump Standards-Version to 4.4.1.


--- End Message ---
