Hi all,today I looked into libvncserver/CVE-2019-15681. The VNC situation is non-optimal in Debian...
The gist (which also applies to Debian) can be found in . Thanks to Pavel Cheremushkin from Kaspersky for publishing his findings.
I looked at all packages I could think of that are related to VNC and came up with this list:
x11vnc -> uses system's libvncserver and system's libvncclient, but still bundles older versions of both in the orig tarball. (See ). NOT AFFECTED italc -> bundles libvncserver (shame on myself+upstream) and uses it. It probably needs to be listed for all libvncserver CVEs we have seen in the past (luckily italc has been removed from unstable recently and replaced by veyon) AFFECTED (LOVE NEEDED)krfb -> ships rfbserver.c from libvncserver, but uses its own implementation
of an rfbserver rewritten in C++/Qt NOT AFFECTEDssvnc -> VNC client only; ships libvncclient code files, probably affected by
all libvncclient CVEs NEEDS MORE TRIAGING veyon -> uses system-wide libvncserver, but still bundles libvncclient (this will be resolved with veyon 4.3.0, I heard from upstream) NEEDS MORE TRIAGING vino -> bundles libvncserver and uses it. It probably needs to be listed for all libvncserver CVEs we have seen in the past AFFECTED (LOVE NEEDED) vncsnapshot -> contains a small subset the libvncclient files NEEDS MORE TRIAGING tightvnc -> has copy+pasted code from libvncserver, e.g. rfbserver.(ch) and also from libvncclient PARTIALLY AFFECTED (LOVE NEEDED) tigervnc -> VNC code has been entirely rewritten in C++, not related to libvncserver / libvncclient (anymore?) as it seemsPlease add more packages, if you see fit, that belong to the same category of packages. Please provide feedback if you think otherwise on statements I made above.
light+love Mike  https://www.openwall.com/lists/oss-security/2018/12/10/5  https://bugs.debian.org/943833 -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: email@example.com, http://das-netzwerkteam.de
Description: Digitale PGP-Signatur