Bug#947255: stretch-pu: package tightvnc/1.3.9-9+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Release Team,
I have just uploaded a range of low and not so low security fixes for
tightvnc to stretch-pu:
+ * Security upload. (Closes: #945364).
+ * CVE-2014-6053: Check malloc() return value on client->server ClientCutText
+ message.
+ * CVE-2019-8287 (aka CVE-2018-20020): Fix heap out-of-bound write
+ vulnerability inside structure in VNC client code.
+ * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+ * CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+ * CVE-2018-7225: Uninitialized and potentially sensitive data could be
+ accessed by remote attackers because the msg.cct.length in rfbserver.c was
+ not sanitized.
+ * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB.
+ * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore
+ server-sent reason strings longer than 1MB (see CVE-2018-20748/
+ libvncserver).
+ * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name
+ length received before allocating memory for it and limit it to 1MB.
+ * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c.
+ * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.
None of them is so urgent that a DSA is justified, IMHO.
light+love,
Mike
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru tightvnc-1.3.9/debian/changelog tightvnc-1.3.9/debian/changelog
--- tightvnc-1.3.9/debian/changelog 2017-01-27 22:08:21.000000000 +0100
+++ tightvnc-1.3.9/debian/changelog 2019-12-21 10:35:50.000000000 +0100
@@ -1,3 +1,26 @@
+tightvnc (1:1.3.9-9+deb9u1) stretch; urgency=medium
+
+ * Security upload. (Closes: #945364).
+ * CVE-2014-6053: Check malloc() return value on client->server ClientCutText
+ message.
+ * CVE-2019-8287 (aka CVE-2018-20020): Fix heap out-of-bound write
+ vulnerability inside structure in VNC client code.
+ * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+ * CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+ * CVE-2018-7225: Uninitialized and potentially sensitive data could be
+ accessed by remote attackers because the msg.cct.length in rfbserver.c was
+ not sanitized.
+ * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB.
+ * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore
+ server-sent reason strings longer than 1MB (see CVE-2018-20748/
+ libvncserver).
+ * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name
+ length received before allocating memory for it and limit it to 1MB.
+ * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c.
+ * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.
+
+ -- Mike Gabriel <sunweaver@debian.org> Sat, 21 Dec 2019 10:35:50 +0100
+
tightvnc (1:1.3.9-9) unstable; urgency=high
* Reverted the transition. Tigervnc is not ready for being a full
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch
--- tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch 1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch 2019-12-19 21:39:14.000000000 +0100
@@ -0,0 +1,29 @@
+From 6037a9074d52b1963c97cb28ea1096c7c14cbf28 Mon Sep 17 00:00:00 2001
+From: Nicolas Ruff <nruff@google.com>
+Date: Mon, 18 Aug 2014 15:16:16 +0200
+Subject: [PATCH] Check malloc() return value on client->server ClientCutText
+ message. Client can send up to 2**32-1 bytes of text, and such a large
+ allocation is likely to fail in case of high memory pressure. This would in a
+ server crash (write at address 0).
+
+[sunweaver] port libvncserver patch over to tightvnc's vnc server code
+
+---
+ libvncserver/rfbserver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
+@@ -891,6 +891,12 @@
+
+ str = (char *)xalloc(msg.cct.length);
+
++ if (str == NULL) {
++ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
++ rfbCloseSock(cl->sock);
++ return;
++ }
++
+ if ((n = ReadExact(cl->sock, str, msg.cct.length)) <= 0) {
+ if (n != 0)
+ rfbLogPerror("rfbProcessClientNormalMessage: read");
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch
--- tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch 1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch 2019-12-19 21:38:55.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20021
+ CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows
+ attacker to consume excessive amount of resources like CPU and RAM
+---
+
+Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
+Bug: https://github.com/LibVNC/libvncserver/issues/251
+Bug-Debian: https://bugs.debian.org/916941
+
+[sunweaver] port libvncclient patch over to tightvnc's vncviewer code
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1021,7 +1021,7 @@
+ bytesPerLine = rect.r.w * myFormat.bitsPerPixel / 8;
+ linesToRead = BUFFER_SIZE / bytesPerLine;
+
+- while (rect.r.h > 0) {
++ while (linesToRead && rect.r.h > 0) {
+ if (linesToRead > rect.r.h)
+ linesToRead = rect.r.h;
+
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch
--- tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch 1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch 2019-12-19 21:47:41.000000000 +0100
@@ -0,0 +1,31 @@
+Description: CVE-2018-20022
+ multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC
+ client code that allows attacker to read stack memory and can be abused for
+ information disclosure. Combined with another vulnerability, it can be used
+ to leak stack memory layout and in bypassing ASLR
+---
+
+Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
+Bug: https://github.com/LibVNC/libvncserver/issues/252
+Bug-Debian: https://bugs.debian.org/916941
+
+[sunweaver] ported from libvncclient to tightvnc's vncviewer code
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -886,6 +886,7 @@
+ {
+ rfbKeyEventMsg ke;
+
++ memset(&ke, 0, sizeof(ke));
+ ke.type = rfbKeyEvent;
+ ke.down = down ? 1 : 0;
+ ke.key = Swap32IfLE(key);
+@@ -906,6 +907,7 @@
+ free(serverCutText);
+ serverCutText = NULL;
+
++ memset(&cct, 0, sizeof(cct));
+ cct.type = rfbClientCutText;
+ cct.length = Swap32IfLE(len);
+ return (WriteExact(rfbsock, (char *)&cct, sz_rfbClientCutTextMsg) &&
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch
--- tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch 1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch 2019-12-19 21:39:37.000000000 +0100
@@ -0,0 +1,51 @@
+From: Mike Gabriel <sunweaver@debian.org>
+Date: Tue, 5 Jun 2018 14:04:07 +0200
+Subject: CVE-2018-7225
+
+Bug-Debian: https://bugs.debian.org/894045
+Origin: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee
+
+[sunweaver] port libvncserver patch over to tightvnc's VNC server code
+
+---
+ libvncserver/rfbserver.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+
+--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
+@@ -43,6 +43,9 @@
+ #include <vncserverctrl.h>
+ #endif
+
++/* PRIu32 */
++#include <inttypes.h>
++
+ char updateBuf[UPDATE_BUF_SIZE];
+ int ublen;
+
+@@ -889,7 +892,23 @@
+
+ msg.cct.length = Swap32IfLE(msg.cct.length);
+
+- str = (char *)xalloc(msg.cct.length);
++ /* uint32_t input is passed to malloc()'s size_t argument,
++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
++ * argument. Here we impose a limit of 1 MB so that the value fits
++ * into all of the types to prevent from misinterpretation and thus
++ * from accessing uninitialized memory (CVE-2018-7225) and also to
++ * prevent from a denial-of-service by allocating to much memory in
++ * the server. */
++ if (msg.cct.length > 1<<20) {
++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
++ msg.cct.length);
++ rfbCloseSock(cl->sock);
++ return;
++ }
++
++ /* Allow zero-length client cut text. */
++ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+
+ if (str == NULL) {
+ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch 1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch 2019-12-20 22:32:50.000000000 +0100
@@ -0,0 +1,28 @@
+From e34bcbb759ca5bef85809967a268fdf214c1ad2c Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sat, 29 Dec 2018 14:40:53 +0100
+Subject: [PATCH] LibVNCClient: ignore server-sent reason strings longer than
+ 1MB
+
+Fixes #273
+
+[sunweaver] Extract these few lines from the above referenced patch and port to tightvnc.
+ This patch was part of the fix series for CVE-2018-20748/libvncserver
+
+---
+ libvncclient/rfbproto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1293,6 +1293,10 @@
+
+ if (ReadFromRFBServer((char *)&reasonLen, sizeof(reasonLen))) {
+ reasonLen = Swap32IfLE(reasonLen);
++ if(reasonLen > 1<<20) {
++ fprintf(stderr, "VNC connection failed, but sent reason length of %u exceeds limit of 1MB",(unsigned int)reasonLen);
++ return;
++ }
+ if ((reason = malloc(reasonLen)) != NULL &&
+ ReadFromRFBServer(reason, reasonLen)) {
+ fprintf(stderr,"%.*s\n", (int)reasonLen, reason);
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch 1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch 2019-12-20 22:32:35.000000000 +0100
@@ -0,0 +1,28 @@
+From c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sat, 29 Dec 2018 14:16:58 +0100
+Subject: [PATCH] LibVNCClient: ignore server-sent cut text longer than 1MB
+
+This is in line with how LibVNCServer does it
+(28afb6c537dc82ba04d5f245b15ca7205c6dbb9c) and fixes part of #273.
+
+[sunweaver] Port to tightvnc.
+
+---
+ libvncclient/rfbproto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1214,6 +1214,11 @@
+
+ msg.sct.length = Swap32IfLE(msg.sct.length);
+
++ if (msg.sct.length > 1<<20) {
++ fprintf(stderr, "Ignoring too big cut text length sent by server: %u B > 1 MB\n", (unsigned int)msg.sct.length);
++ return False;
++ }
++
+ if (serverCutText)
+ free(serverCutText);
+
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch 1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch 2019-12-20 22:32:08.000000000 +0100
@@ -0,0 +1,33 @@
+From c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sun, 6 Jan 2019 14:20:37 +0100
+Subject: [PATCH] LibVNCClient: fail on server-sent desktop name lengths longer
+ than 1MB
+
+re #273
+---
+ libvncclient/rfbproto.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+[sunweaver] Ported over to tightvnc.
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -303,13 +303,11 @@
+ si.format.blueMax = Swap16IfLE(si.format.blueMax);
+ si.nameLength = Swap32IfLE(si.nameLength);
+
+- /* FIXME: Check arguments to malloc() calls. */
+- desktopName = malloc(si.nameLength + 1);
+- if (!desktopName) {
+- fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",
+- (unsigned long)si.nameLength);
+- return False;
++ if (si.nameLength > 1<<20) {
++ fprintf(stderr, "Too big desktop name length sent by server: %u B > 1 MB\n", (unsigned int)si.nameLength);
++ return FALSE;
+ }
++ desktopName = malloc(si.nameLength + 1);
+
+ if (!ReadFromRFBServer(desktopName, si.nameLength)) return False;
+
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch 1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch 2019-12-20 16:07:49.000000000 +0100
@@ -0,0 +1,16 @@
+Origin: https://github.com/LibVNC/libvncserver/pull/360/commits/85d00057b5daf71675462c9b175d8cb2d47cd0e1
+
+--- a/vncviewer/zlib.c
++++ b/vncviewer/zlib.c
+@@ -55,6 +55,11 @@
+ raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+ raw_buffer = (char*) malloc( raw_buffer_size );
+
++ if (raw_buffer == NULL) {
++
++ return False;
++
++ }
+ }
+
+ if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch 1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch 2019-12-19 21:39:44.000000000 +0100
@@ -0,0 +1,20 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+
+[sunweaver] Ported to rfbserver.c in tightvnc
+
+--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
+@@ -1481,6 +1481,8 @@
+ rfbClientPtr cl, nextCl;
+ rfbServerCutTextMsg sct;
+
++ memset((char *)&sct, 0, sizeof(sct));
++
+ if (rfbViewOnly)
+ return;
+
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch 1970-01-01 01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch 2019-12-20 21:43:49.000000000 +0100
@@ -0,0 +1,23 @@
+Description: CVE-2019-8287
+ (same as CVE-2018-20020/libvncserver)
+ heap out-of-bound write vulnerability inside structure in VNC client code that
+ can result remote code execution
+---
+
+Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+Bug-Debian: https://bugs.debian.org/916941
+
+[sunweaver] port libvncclient patch over to tightvnc's vncviewer code
+
+--- a/vncviewer/corre.c
++++ b/vncviewer/corre.c
+@@ -56,7 +56,7 @@
+ XChangeGC(dpy, gc, GCForeground, &gcv);
+ XFillRectangle(dpy, desktopWin, gc, rx, ry, rw, rh);
+
+- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ return False;
+
+ ptr = (CARD8 *)buffer;
diff -Nru tightvnc-1.3.9/debian/patches/series tightvnc-1.3.9/debian/patches/series
--- tightvnc-1.3.9/debian/patches/series 2016-06-19 13:22:20.000000000 +0200
+++ tightvnc-1.3.9/debian/patches/series 2019-12-21 10:35:39.000000000 +0100
@@ -6,3 +6,13 @@
ppc64el.patch
782620-crashfix.patch
more-arm64-fixes.patch
+CVE-2019-15680.patch
+CVE-2019-15681.patch
+CVE-2014-6053.patch
+CVE-2018-7225.patch
+CVE-2018-20021.patch
+CVE-2019-8287.patch
+CVE-2018-20022.patch
+CVE-2019-15679.patch
+CVE-2019-15678.patch
+CVE-2019-15678-addon.patch
Reply to: