Your message dated Sat, 13 Jun 2020 15:47:10 +0000
with message-id <e1jk8nc-000cdk...@fasolo.debian.org>
and subject line Bug#945827: fixed in ssvnc 1.0.29-4+deb10u1
has caused the Debian Bug report #945827,
regarding ssvnc: fix libvncclient bundle security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
945827: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945827
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ssvnc
Severity: grave
X-Debbugs-CC: t...@security.debian.org
Version: 1.0.29-4
Tags: security patch

The following vulnerabilities have recently been discovered in ssvnc's bundled (and rather old) version of libvncclient code:

CVE-2018-20020[0]:
| LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains
| heap out-of-bound write vulnerability inside structure in VNC client
| code that can result remote code execution

CVE-2018-20021[1]:
| LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains
| a CWE-835: Infinite loop vulnerability in VNC client code.
| Vulnerability allows attacker to consume excessive amount of resources
| like CPU and RAM

CVE-2018-20022[2]:
| LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains
| multiple weaknesses CWE-665: Improper Initialization vulnerability in
| VNC client code that allows attacker to read stack memory and can be
| abuse for information disclosure. Combined with another vulnerability,
| it can be used to leak stack memory layout and in bypassing ASLR

CVE-2018-20024[3]:
| LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains
| null pointer dereference in VNC client code that can result DoS.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

As I have worked on a fix for these issues for ssvnc in Debian jessie LTS (with my LTS team member hat on, that is), I have attached the proposed .debdiff (that applies against ssvnc 1.0.29-2) to this mail. It should be easy to forward-port the security fixes to ssvnc in stretch, buster and testing/unstable.

Regarding the upload to jessie LTS, please let me know if I can proceed with the upload ASAP or if you want to take a closer look at the proposed changeset. Thanks.

Regards,

Mike

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20020
[1] https://security-tracker.debian.org/tracker/CVE-2018-20021
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20021
[2] https://security-tracker.debian.org/tracker/CVE-2018-20022
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20022
[3] https://security-tracker.debian.org/tracker/CVE-2018-20024
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20024


--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

diff -Nru ssvnc-1.0.29/debian/changelog ssvnc-1.0.29/debian/changelog
--- ssvnc-1.0.29/debian/changelog       2011-11-11 08:11:09.000000000 +0100
+++ ssvnc-1.0.29/debian/changelog       2019-11-29 12:15:33.000000000 +0100
@@ -1,3 +1,15 @@
+ssvnc (1.0.29-2+deb8u1) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the LTS team.
+  * Porting of libvncclient security patches:
+    - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+      in VNC client code.
+    - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+    - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+    - CVE-2018-20024: null pointer dereference that can result DoS.
+
+ -- Mike Gabriel <sunwea...@debian.org>  Fri, 29 Nov 2019 12:15:33 +0100
+
 ssvnc (1.0.29-2) unstable; urgency=low
 
   * Also get CPPFLAGS from dpkg-buildflags. Pass it as EXTRA_DEFINES to
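Review bot: the new jessie changelog stanza does not reference the bug it fixes; the buster stanza further down carries "(Closes: #945827)" on the same "Porting of libvncclient security patches" bullet, and the jessie entry should do the same so the BTS ties the upload to the report. The CVE-2018-20024 bullet copies the CVE text verbatim ("can result DoS"); "can result in DoS" reads better.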
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch       
1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch       
2019-11-29 12:15:33.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20020
+ heap out-of-bound write vulnerability inside structure in VNC client code that
+ can result remote code execution
+---
+
+Author: Abhijith PA <abhij...@debian.org>
+Origin: 
https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/corre.c
++++ b/vnc_unixsrc/vncviewer/corre.c
+@@ -76,7 +76,7 @@
+     FillRectangle(rx, ry, rw, rh, gcv.foreground);
+ #endif
+ 
+-    if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++    if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || 
!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+       return False;
+ 
+     ptr = (CARD8 *)buffer;
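Review bot: the new guard `hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8))` is only sound if `buffer` really is BUFFER_SIZE bytes, and the hunk shows neither the declaration of `buffer` nor the definition of BUFFER_SIZE in this viewer; please confirm both in vnc_unixsrc/vncviewer before relying on the check. Dividing rather than multiplying is the right form, since `hdr.nSubrects * (4 + (BPP / 8))` can wrap for a server-chosen nSubrects. Note also that the mailer has folded the added condition (and the Origin: URL) across two lines, so the inline copy of this patch will not apply as pasted; the attached debdiff is the copy to review.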
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch       
1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch       
2019-11-29 11:44:25.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20021
+ CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows
+ attacker to consume excessive amount of resources like CPU and RAM
+---
+
+Author: Abhijith PA <abhij...@debian.org>
+Origin: 
https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
+Bug: https://github.com/LibVNC/libvncserver/issues/251
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/rfbproto.c
++++ b/vnc_unixsrc/vncviewer/rfbproto.c
+@@ -3156,7 +3156,7 @@
+                       if (db) fprintf(stderr, "Raw:     %dx%d+%d+%d\n", 
rect.r.w, rect.r.h, rect.r.x, rect.r.y);
+                       area_raw += rect.r.w * rect.r.h;
+ 
+-                      while (rect.r.h > 0) {
++                      while (linesToRead && rect.r.h > 0) {
+                               if (linesToRead > rect.r.h) {
+                                       linesToRead = rect.r.h;
+                               }
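Review bot: with `linesToRead` equal to zero the patched loop now exits immediately, but the surrounding code then carries on with the rectangle's payload still unread on the socket, leaving the protocol stream out of sync; consider treating that case as a protocol error and returning False explicitly, as the other patches in this series do on failure. The hunk does not show how linesToRead is derived, so please also check that a zero-width rectangle cannot produce a division by zero before this point.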
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch       
1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch       
2019-11-29 11:45:49.000000000 +0100
@@ -0,0 +1,31 @@
+Description: CVE-2018-20022
+ multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC
+ client code that allows attacker to read stack memory and can be abuse for
+ information disclosure. Combined with another vulnerability, it can be used
+ to leak stack memory layout and in bypassing ASLR
+---
+
+Author: Abhijith PA <abhij...@debian.org>
+Origin: 
https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
+Bug: https://github.com/LibVNC/libvncserver/issues/252
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/rfbproto.c
++++ b/vnc_unixsrc/vncviewer/rfbproto.c
+@@ -2447,6 +2447,7 @@
+               }
+       }
+ 
++      memset(&ke, 0, sizeof(ke));
+       ke.type = rfbKeyEvent;
+       ke.down = down ? 1 : 0;
+       ke.key = Swap32IfLE(key);
+@@ -2480,6 +2481,7 @@
+               return True;
+       }
+ 
++      memset(&cct, 0, sizeof(cct));
+       cct.type = rfbClientCutText;
+       cct.length = Swap32IfLE((unsigned int) len);
+       currentMsg = rfbClientCutText;
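Review bot: both memset calls sit before the first field assignment, which is the correct placement for zeroing structure padding so that no uninitialised stack bytes reach the wire in the rfbKeyEvent and rfbClientCutText messages. The hunk covers only those two message types; please confirm that the other client-to-server messages rfbproto.c builds on the stack either already zero their structs or get the same treatment in this port.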
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch       
1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch       
2019-11-29 11:57:19.000000000 +0100
@@ -0,0 +1,43 @@
+Description: CVE-2018-20024
+ null pointer dereference in VNC client code that can result DoS.
+---
+
+Author: Abhijith PA <abhij...@debian.org>
+Origin: 
https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7
+Bug: https://github.com/LibVNC/libvncserver/issues/254
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+[sunweaver] Investigate CVE-2018-20024 in ssvnc and find similar issues in 
zrle.c and zlib.c.
+            The ultra.c code that this has originally been reported against is 
not present in
+            ssvnc.
+
+--- a/vnc_unixsrc/vncviewer/zlib.c
++++ b/vnc_unixsrc/vncviewer/zlib.c
+@@ -55,6 +55,11 @@
+     raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+     raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++    if (raw_buffer == NULL) {
++
++      return False;
++
++    }
+   }
+ 
+   if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
+--- a/vnc_unixsrc/vncviewer/zrle.c
++++ b/vnc_unixsrc/vncviewer/zrle.c
+@@ -132,6 +132,12 @@
+               raw_buffer_size = min_buffer_size;
+               raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++              if ( raw_buffer == NULL ) {
++
++                      return False;
++
++              }
++
+       }
+ 
+       if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader))
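Review bot: in both hunks `raw_buffer_size` is updated before the malloc whose result is now checked, and the enclosing condition that decides whether to (re)allocate is not shown; if it is a size comparison against raw_buffer_size, a failed allocation leaves raw_buffer_size at the new value with raw_buffer NULL, and a later rectangle of the same size would skip the allocation and dereference NULL. Suggest resetting raw_buffer_size to 0 in the failure branch (or assigning it only after a successful malloc). The blank lines inside the added braces can also go.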
diff -Nru ssvnc-1.0.29/debian/patches/series ssvnc-1.0.29/debian/patches/series
--- ssvnc-1.0.29/debian/patches/series  2011-11-11 08:11:09.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/series  2019-11-29 12:15:33.000000000 +0100
@@ -3,3 +3,7 @@
 buildflags.patch
 nostrip.patch
 format-security.patch
+libvncclient_CVE-2018-20020.patch
+libvncclient_CVE-2018-20021.patch
+libvncclient_CVE-2018-20022.patch
+libvncclient_CVE-2018-20024.patch

Attachment: pgpsEpIJieUBs.pgp
Description: Digital PGP signature


--- End Message ---
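The two length checks that the CoRRE and Raw patches in the debdiff above introduce, as an added C example that is not ssvnc or libvncclient code: the buffer size is passed in as a parameter (the real viewer uses a fixed BUFFER_SIZE), and the w == 0 guard and the chunk counter are assumptions added so the loop behaviour can be observed on constructed header values.

```c
/* Added example, not code from ssvnc or libvncclient: the two length checks
 * behind CVE-2018-20020 (CoRRE subrectangle count) and CVE-2018-20021 (Raw
 * encoding line loop) as stand-alone functions.  The buffer size is a
 * parameter so the degenerate cases can be hit with constructed values. */
#include <stdbool.h>
#include <stdint.h>

/* CoRRE: each subrectangle is BPP/8 bytes of pixel plus 4 bytes of geometry,
 * the 4 + (BPP / 8) term in the patched corre.c. */
static uint32_t corre_subrect_bytes(uint32_t bpp) { return 4 + bpp / 8; }

/* Pre-fix: the length handed to ReadFromRFBServer, computed in 32 bits.
 * nSubrects comes from the server, so the product can wrap to a small value. */
uint32_t corre_unguarded_len(uint32_t nSubrects, uint32_t bpp)
{
    return nSubrects * corre_subrect_bytes(bpp);
}

/* Post-fix (CVE-2018-20020): compare nSubrects with buffer_size divided by the
 * per-subrectangle size, so no multiplication is done on untrusted input. */
bool corre_subrects_fit(uint32_t nSubrects, uint32_t bpp, uint32_t buffer_size)
{
    return nSubrects <= buffer_size / corre_subrect_bytes(bpp);
}

/* Raw encoding: how many lines of a w-pixel-wide rectangle fit in the buffer
 * per read.  Returns 0 when a single line is wider than the buffer.  The
 * w == 0 guard is an addition; the hunk does not show how linesToRead is set. */
uint32_t raw_lines_per_chunk(uint16_t w, uint32_t bpp, uint32_t buffer_size)
{
    uint32_t bytes_per_line = (uint32_t)w * (bpp / 8);
    return bytes_per_line ? buffer_size / bytes_per_line : 0;
}

/* Simulates the patched loop `while (linesToRead && rect.r.h > 0)` and returns
 * the number of reads it performs.  Without the linesToRead test, a zero
 * value never reduces h and the loop spins forever (CVE-2018-20021). */
uint32_t raw_chunks_read(uint16_t w, uint16_t h, uint32_t bpp, uint32_t buffer_size)
{
    uint32_t linesToRead = raw_lines_per_chunk(w, bpp, buffer_size);
    uint32_t chunks = 0;
    while (linesToRead && h > 0) {
        if (linesToRead > h)
            linesToRead = h;
        h -= linesToRead;          /* one ReadFromRFBServer of linesToRead lines */
        chunks++;
    }
    return chunks;
}
```

With a 640x480 buffer and 32 bpp, a CoRRE header claiming 0x40000001 subrectangles makes the unguarded length wrap to 8 bytes while the guarded check rejects it.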
--- Begin Message ---
Source: ssvnc
Source-Version: 1.0.29-4+deb10u1
Done: Mike Gabriel <sunwea...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ssvnc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 945...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated ssvnc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 31 May 2020 20:58:21 +0200
Source: ssvnc
Architecture: source
Version: 1.0.29-4+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Magnus Holmgren <holmg...@debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 945827
Changes:
 ssvnc (1.0.29-4+deb10u1) buster; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * Porting of libvncclient security patches (Closes: #945827):
     - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
       in VNC client code.
     - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
     - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
     - CVE-2018-20024: null pointer dereference that can result DoS.


--- End Message ---
