
Bug#947255: marked as done (stretch-pu: package tightvnc/1.3.9-9+deb9u1)



Your message dated Sat, 08 Feb 2020 14:23:35 +0000
with message-id <a894a0233c2d264936953d7a69507573c4a5742a.camel@adam-barratt.org.uk>
and subject line Closing bugs included in 9.12
has caused the Debian Bug report #947255,
regarding stretch-pu: package tightvnc/1.3.9-9+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
947255: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947255
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu


Dear Release Team,

I have just uploaded a range of low and not so low security fixes for
tightvnc to stretch-pu:

+  * Security upload. (Closes: #945364).
+  * CVE-2014-6053: Check malloc() return value on client->server ClientCutText
+    message.
+  * CVE-2019-8287 (aka CVE-2018-20020): Fix heap out-of-bound write
+    vulnerability inside structure in VNC client code.
+  * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+  * CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+  * CVE-2018-7225: Uninitialized and potentially sensitive data could be
+    accessed by remote attackers because the msg.cct.length in rfbserver.c was
+    not sanitized.
+  * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB.
+  * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore
+    server-sent reason strings longer than 1MB (see CVE-2018-20748/
+    libvncserver).
+  * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name
+    length received before allocating memory for it and limit it to 1MB.
+  * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c.
+  * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.

None of them is so urgent that a DSA is justified, IMHO.

light+love,
Mike


-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru tightvnc-1.3.9/debian/changelog tightvnc-1.3.9/debian/changelog
--- tightvnc-1.3.9/debian/changelog	2017-01-27 22:08:21.000000000 +0100
+++ tightvnc-1.3.9/debian/changelog	2019-12-21 10:35:50.000000000 +0100
@@ -1,3 +1,26 @@
+tightvnc (1:1.3.9-9+deb9u1) stretch; urgency=medium
+
+  * Security upload. (Closes: #945364).
+  * CVE-2014-6053: Check malloc() return value on client->server ClientCutText
+    message.
+  * CVE-2019-8287 (aka CVE-2018-20020): Fix heap out-of-bound write
+    vulnerability inside structure in VNC client code.
+  * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+  * CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+  * CVE-2018-7225: Uninitialized and potentially sensitive data could be
+    accessed by remote attackers because the msg.cct.length in rfbserver.c was
+    not sanitized.
+  * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB.
+  * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore
+    server-sent reason strings longer than 1MB (see CVE-2018-20748/
+    libvncserver).
+  * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name
+    length received before allocating memory for it and limit it to 1MB.
+  * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c.
+  * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.
+
+ -- Mike Gabriel <sunweaver@debian.org>  Sat, 21 Dec 2019 10:35:50 +0100
+
 tightvnc (1:1.3.9-9) unstable; urgency=high
 
   * Reverted the transition. Tigervnc is not ready for being a full
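Review bot: the entries for CVE-2018-20021 and CVE-2018-20022 name only the weakness class (CWE-835, CWE-665) and not what was changed, while every other entry in this block points at a file or function; for consistency, say where each fix lands, e.g. "CVE-2018-20021: CWE-835: bound the raw-encoding read loop in vncviewer/rfbproto.c" and "CVE-2018-20022: CWE-665: zero client message structs before sending them (vncviewer/rfbproto.c)". Both file names are visible in the corresponding patches further down.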
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch
--- tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch	1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch	2019-12-19 21:39:14.000000000 +0100
@@ -0,0 +1,29 @@
+From 6037a9074d52b1963c97cb28ea1096c7c14cbf28 Mon Sep 17 00:00:00 2001
+From: Nicolas Ruff <nruff@google.com>
+Date: Mon, 18 Aug 2014 15:16:16 +0200
+Subject: [PATCH] Check malloc() return value on client->server ClientCutText
+ message. Client can send up to 2**32-1 bytes of text, and such a large
+ allocation is likely to fail in case of high memory pressure. This would in a
+ server crash (write at address 0).
+
+[sunweaver] port libvncserver patch over to tightvnc's vnc server code
+
+---
+ libvncserver/rfbserver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
+@@ -891,6 +891,12 @@
+ 
+ 	str = (char *)xalloc(msg.cct.length);
+ 
++	if (str == NULL) {
++		rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
++		rfbCloseSock(cl->sock);
++		return;
++	}
++
+ 	if ((n = ReadExact(cl->sock, str, msg.cct.length)) <= 0) {
+ 	    if (n != 0)
+ 		rfbLogPerror("rfbProcessClientNormalMessage: read");
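Review bot: the diffstat in the patch header (`libvncserver/rfbserver.c | 5 +++++`) is left over from the upstream commit and no longer matches the ported hunk, which touches `Xvnc/programs/Xserver/hw/vnc/rfbserver.c` and inserts six lines; drop the stale stat lines or regenerate them so the header describes this patch. Also note that the new check only covers an allocation that fails: a zero-length ClientCutText still reaches `xalloc(0)`, and depending on what this Xserver tree's xalloc() returns for a size of 0 the check would now disconnect a well-behaved client. The later CVE-2018-7225.patch replaces this xalloc() call and explicitly allows a zero-length cut text, so this is acceptable only as long as that patch stays applied after this one.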
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch
--- tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch	1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch	2019-12-19 21:38:55.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20021
+ CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows
+ attacker to consume excessive amount of resources like CPU and RAM
+---
+
+Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
+Bug: https://github.com/LibVNC/libvncserver/issues/251
+Bug-Debian: https://bugs.debian.org/916941
+
+[sunweaver] port libvncclient patch over to tightvnc's vncviewer code
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1021,7 +1021,7 @@
+ 	bytesPerLine = rect.r.w * myFormat.bitsPerPixel / 8;
+ 	linesToRead = BUFFER_SIZE / bytesPerLine;
+ 
+-	while (rect.r.h > 0) {
++	while (linesToRead && rect.r.h > 0) {
+ 	  if (linesToRead > rect.r.h)
+ 	    linesToRead = rect.r.h;
+ 
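Review bot: the new guard handles `linesToRead == 0` (bytesPerLine larger than BUFFER_SIZE), but `linesToRead = BUFFER_SIZE / bytesPerLine;` two lines above the loop still divides before any check, so a rectangle with `rect.r.w == 0` gives `bytesPerLine == 0` and faults before the guard is reached; reject `bytesPerLine == 0` (or a zero-width rectangle) before the division. Separately, silently skipping the loop leaves `rect.r.h` lines of pixel data unread on the socket, so the client is desynchronised from the stream; returning False from the handler when the rectangle cannot be processed makes the failure explicit instead of letting the next message be parsed from leftover pixel bytes.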
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch
--- tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch	1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch	2019-12-19 21:47:41.000000000 +0100
@@ -0,0 +1,31 @@
+Description: CVE-2018-20022
+ multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC
+ client code that allows attacker to read stack memory and can be abused for
+ information disclosure. Combined with another vulnerability, it can be used
+ to leak stack memory layout and in bypassing ASLR
+---
+
+Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
+Bug: https://github.com/LibVNC/libvncserver/issues/252
+Bug-Debian: https://bugs.debian.org/916941
+
+[sunweaver] ported from libvncclient to tightvnc's vncviewer code
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -886,6 +886,7 @@
+ {
+   rfbKeyEventMsg ke;
+ 
++  memset(&ke, 0, sizeof(ke));
+   ke.type = rfbKeyEvent;
+   ke.down = down ? 1 : 0;
+   ke.key = Swap32IfLE(key);
+@@ -906,6 +907,7 @@
+     free(serverCutText);
+   serverCutText = NULL;
+ 
++  memset(&cct, 0, sizeof(cct));
+   cct.type = rfbClientCutText;
+   cct.length = Swap32IfLE(len);
+   return  (WriteExact(rfbsock, (char *)&cct, sz_rfbClientCutTextMsg) &&
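Review bot: the two memset() calls cover `rfbKeyEventMsg` and `rfbClientCutTextMsg`, the structs whose padding bytes the description says leak stack contents; before merging, check whether the other message structs this file builds on the stack and hands to WriteExact() have the same padding and need the same treatment, since the port names only these two sites. The memset() is the right tool here rather than a `= {0}` initializer at the declaration: the C standard does not guarantee that an initializer clears padding bytes of an automatic object, and padding is exactly what goes out on the wire.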
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch
--- tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch	1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch	2019-12-19 21:39:37.000000000 +0100
@@ -0,0 +1,51 @@
+From: Mike Gabriel <sunweaver@debian.org>
+Date: Tue, 5 Jun 2018 14:04:07 +0200
+Subject: CVE-2018-7225
+
+Bug-Debian: https://bugs.debian.org/894045
+Origin: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee
+
+[sunweaver] port libvncserver patch over to tightvnc's VNC server code
+
+---
+ libvncserver/rfbserver.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+
+--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
+@@ -43,6 +43,9 @@
+ #include <vncserverctrl.h>
+ #endif
+ 
++/* PRIu32 */
++#include <inttypes.h>
++
+ char updateBuf[UPDATE_BUF_SIZE];
+ int ublen;
+ 
+@@ -889,7 +892,23 @@
+ 
+ 	msg.cct.length = Swap32IfLE(msg.cct.length);
+ 
+-	str = (char *)xalloc(msg.cct.length);
++	/* uint32_t input is passed to malloc()'s size_t argument,
++	 * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++	 * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
++	 * argument. Here we impose a limit of 1 MB so that the value fits
++	 * into all of the types to prevent from misinterpretation and thus
++	 * from accessing uninitialized memory (CVE-2018-7225) and also to
++	 * prevent from a denial-of-service by allocating to much memory in
++	 * the server. */
++	if (msg.cct.length > 1<<20) {
++	    rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
++	            msg.cct.length);
++	    rfbCloseSock(cl->sock);
++	    return;
++	}
++
++	/* Allow zero-length client cut text. */
++	str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+ 
+ 	if (str == NULL) {
+ 		rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
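Review bot: this hunk's trailing context (`if (str == NULL) {` followed by the "not enough memory" rfbLogPerror) is code added by CVE-2014-6053.patch, so the patch only applies after that one; the series file does keep that order, but it is worth recording the dependency in this patch header so the order is not reshuffled later. The diffstat lines (`libvncserver/rfbserver.c | 20 +++++++++++++++++++-`, `19 insertions(+), 1 deletion(-)`) are copied from the upstream commit and do not describe the ported hunks (the include block adds three lines, the cut-text block seventeen), so drop or regenerate them. Finally, the allocation changes from xalloc() to calloc() while the later release of `str` is outside the hunk; confirm that the matching free call in this tree pairs with calloc() (plain free(), or an xfree() that reduces to it), otherwise keep the Xserver allocator and zero the buffer explicitly.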
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch	1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch	2019-12-20 22:32:50.000000000 +0100
@@ -0,0 +1,28 @@
+From e34bcbb759ca5bef85809967a268fdf214c1ad2c Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sat, 29 Dec 2018 14:40:53 +0100
+Subject: [PATCH] LibVNCClient: ignore server-sent reason strings longer than
+ 1MB
+
+Fixes #273
+
+[sunweaver] Extract these few lines from the above referenced patch and port to tightvnc.
+            This patch was part of the fix series for CVE-2018-20748/libvncserver
+
+---
+ libvncclient/rfbproto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1293,6 +1293,10 @@
+ 
+   if (ReadFromRFBServer((char *)&reasonLen, sizeof(reasonLen))) {
+     reasonLen = Swap32IfLE(reasonLen);
++    if(reasonLen > 1<<20) {
++      fprintf(stderr, "VNC connection failed, but sent reason length of %u exceeds limit of 1MB",(unsigned int)reasonLen);
++      return;
++    }
+     if ((reason = malloc(reasonLen)) != NULL &&
+         ReadFromRFBServer(reason, reasonLen)) {
+       fprintf(stderr,"%.*s\n", (int)reasonLen, reason);
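Review bot: the fprintf() in the new branch (`... exceeds limit of 1MB",(unsigned int)reasonLen);`) has no trailing `\n`, unlike the existing message two lines below that prints the reason with `"%.*s\n"`, so the diagnostic runs into whatever is written to stderr next; add the newline. The diffstat in the header still names `libvncclient/rfbproto.c` although the ported hunk is against `vncviewer/rfbproto.c`; regenerate or drop it.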
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch	1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch	2019-12-20 22:32:35.000000000 +0100
@@ -0,0 +1,28 @@
+From c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sat, 29 Dec 2018 14:16:58 +0100
+Subject: [PATCH] LibVNCClient: ignore server-sent cut text longer than 1MB
+
+This is in line with how LibVNCServer does it
+(28afb6c537dc82ba04d5f245b15ca7205c6dbb9c) and fixes part of #273.
+
+[sunweaver] Port to tightvnc.
+
+---
+ libvncclient/rfbproto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1214,6 +1214,11 @@
+ 
+     msg.sct.length = Swap32IfLE(msg.sct.length);
+ 
++    if (msg.sct.length > 1<<20) {
++	    fprintf(stderr, "Ignoring too big cut text length sent by server: %u B > 1 MB\n", (unsigned int)msg.sct.length);
++	    return False;
++    }
++
+     if (serverCutText)
+       free(serverCutText);
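Review bot: the indentation inside the new block mixes a tab (`fprintf(stderr, ...)`, `return False;`) with the two-space style of the surrounding lines (`if (msg.sct.length > 1<<20) {`, `if (serverCutText)`); reindent to match. As with the addon patch, the header diffstat still says `libvncclient/rfbproto.c` while the hunk is against `vncviewer/rfbproto.c`. The check itself is consistent with the `1<<20` limit used by the other patches in this series, and returning False rather than trying to skip the announced bytes is the right choice once the length is considered hostile.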
+ 
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch	1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch	2019-12-20 22:32:08.000000000 +0100
@@ -0,0 +1,33 @@
+From c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sun, 6 Jan 2019 14:20:37 +0100
+Subject: [PATCH] LibVNCClient: fail on server-sent desktop name lengths longer
+ than 1MB
+
+re #273
+---
+ libvncclient/rfbproto.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+[sunweaver] Ported over to tightvnc.
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -303,13 +303,11 @@
+   si.format.blueMax = Swap16IfLE(si.format.blueMax);
+   si.nameLength = Swap32IfLE(si.nameLength);
+ 
+-  /* FIXME: Check arguments to malloc() calls. */
+-  desktopName = malloc(si.nameLength + 1);
+-  if (!desktopName) {
+-    fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",
+-            (unsigned long)si.nameLength);
+-    return False;
++  if (si.nameLength > 1<<20) {
++      fprintf(stderr, "Too big desktop name length sent by server: %u B > 1 MB\n", (unsigned int)si.nameLength);
++      return FALSE;
+   }
++  desktopName = malloc(si.nameLength + 1);
+ 
+   if (!ReadFromRFBServer(desktopName, si.nameLength)) return False;
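Review bot: the hunk drops the NULL check after `desktopName = malloc(si.nameLength + 1);` that the old code had (`if (!desktopName) { ... return False; }`), so an allocation failure now flows straight into `ReadFromRFBServer(desktopName, si.nameLength)` with a NULL buffer; keep the new length check but reinstate `if (!desktopName) return False;` (with its error message) after the malloc(). The new branch also returns `FALSE` while the rest of this function, including the removed lines and the context line below, uses `False`; unless `FALSE` is defined in this viewer's headers it will not compile, and either way it should be `False` for consistency. The diffstat (`8 ++++++--`, `6 insertions(+), 2 deletions(-)`) describes the upstream commit, not this hunk (`@@ -303,13 +303,11 @@` is four insertions and six deletions), and the `[sunweaver]` note sits between the stat lines and the diff; move it above the `---` separator as in the other patches.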
+ 
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch	1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch	2019-12-20 16:07:49.000000000 +0100
@@ -0,0 +1,16 @@
+Origin: https://github.com/LibVNC/libvncserver/pull/360/commits/85d00057b5daf71675462c9b175d8cb2d47cd0e1
+
+--- a/vncviewer/zlib.c
++++ b/vncviewer/zlib.c
+@@ -55,6 +55,11 @@
+     raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+     raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++    if (raw_buffer == NULL) {
++
++       return False;
++
++    }
+   }
+ 
+   if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
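Review bot: `raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));` has already been updated when the malloc() fails, so after this early return `raw_buffer` is NULL while `raw_buffer_size` advertises a buffer of the requested size; if the enclosing `if` (its condition is outside the hunk) decides on reallocation by comparing the needed size against `raw_buffer_size`, the next rectangle of the same size skips the malloc() and hands the NULL pointer to the decoder. Reset `raw_buffer_size = 0;` in the failure branch before returning. Style: the blank lines inside the braces around `return False;` add nothing; drop them.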
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch	1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch	2019-12-19 21:39:44.000000000 +0100
@@ -0,0 +1,20 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+
+[sunweaver] Ported to rfbserver.c in tightvnc
+
+--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
+@@ -1481,6 +1481,8 @@
+     rfbClientPtr cl, nextCl;
+     rfbServerCutTextMsg sct;
+ 
++    memset((char *)&sct, 0, sizeof(sct));
++
+     if (rfbViewOnly)
+ 	return;
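Review bot: the `(char *)` cast in `memset((char *)&sct, 0, sizeof(sct));` is unnecessary (memset takes a `void *`), and the client-side counterpart in CVE-2018-20022.patch writes the same fix as `memset(&cct, 0, sizeof(cct));`; use the same form here. Placing the memset before `if (rfbViewOnly) return;` is harmless, but after the early return would be the tighter placement since that path sends nothing. The fix itself is the right one for a struct that is written to the socket whole: assigning the fields of `rfbServerCutTextMsg` does not clear its padding bytes, and memset is what does.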
+ 
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch	1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch	2019-12-20 21:43:49.000000000 +0100
@@ -0,0 +1,23 @@
+Description: CVE-2019-8287
+ (same as CVE-2018-20020/libvncserver)
+ heap out-of-bound write vulnerability inside structure in VNC client code that
+ can result remote code execution
+---
+
+Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+Bug-Debian: https://bugs.debian.org/916941
+
+[sunweaver] port libvncclient patch over to tightvnc's vncviewer code
+
+--- a/vncviewer/corre.c
++++ b/vncviewer/corre.c
+@@ -56,7 +56,7 @@
+     XChangeGC(dpy, gc, GCForeground, &gcv);
+     XFillRectangle(dpy, desktopWin, gc, rx, ry, rw, rh);
+ 
+-    if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++    if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ 	return False;
+ 
+     ptr = (CARD8 *)buffer;
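Review bot: the bound `hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8))` is correct for the read that follows (integer division rounds down, so any accepted count fits in `buffer`), but the rejection is silent while the other client-side patches in this series print an `fprintf(stderr, ...)` line before returning False; log the offending `hdr.nSubrects` the same way so a disconnect caused by this check can be diagnosed. Style: the combined condition is a single very long line; split it into the bound check with its own `return False;` and the existing read, which also keeps the diff readable.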
diff -Nru tightvnc-1.3.9/debian/patches/series tightvnc-1.3.9/debian/patches/series
--- tightvnc-1.3.9/debian/patches/series	2016-06-19 13:22:20.000000000 +0200
+++ tightvnc-1.3.9/debian/patches/series	2019-12-21 10:35:39.000000000 +0100
@@ -6,3 +6,13 @@
 ppc64el.patch
 782620-crashfix.patch
 more-arm64-fixes.patch
+CVE-2019-15680.patch
+CVE-2019-15681.patch
+CVE-2014-6053.patch
+CVE-2018-7225.patch
+CVE-2018-20021.patch
+CVE-2019-8287.patch
+CVE-2018-20022.patch
+CVE-2019-15679.patch
+CVE-2019-15678.patch
+CVE-2019-15678-addon.patch
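Review bot: the added entries are not in a stable order (CVE-2019-15680 and -15681 first, the 2014 and 2018 fixes after them, CVE-2019-8287 between the two 2018 patches), which quilt does not mind but which hides the one real constraint: CVE-2018-7225.patch patches against the `if (str == NULL)` block that CVE-2014-6053.patch introduces, so those two must keep their relative order. Either sort the list by CVE id with that pair kept adjacent, or add a `#` comment line (quilt accepts them in series) above CVE-2018-7225.patch stating the dependency.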

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.12

Hi,

Each of the uploads referred to by these bugs was included in today's
oldstable point release.

Regards,

Adam

--- End Message ---
