various security issues in VNC related packages

To: team@security.debian.org
Cc: debian-lts@lists.debian.org, debian-security@lists.debian.org
Subject: various security issues in VNC related packages
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Wed, 30 Oct 2019 15:09:56 +0000
Message-id: <[🔎] 20191030150956.Horde.kUTDPHsuqNNgfPJe0AhCMuS@mail.das-netzwerkteam.de>

Hi all,

today I looked into libvncserver/CVE-2019-15681. The VNC situation isnon-optimal in Debian...

The gist (which also applies to Debian) can be found in [1]. Thanks toPavel Cheremushkin from Kaspersky for publishing his findings.

I looked at all packages I could think of that are related to VNC andcame up with this list:


  x11vnc -> uses system's libvncserver and system's libvncclient, but still
            bundles older versions of both in the orig tarball. (See [2]).
            NOT AFFECTED

  italc  -> bundles libvncserver (shame on myself+upstream) and uses it. It
            probably needs to be listed for all libvncserver CVEs we have seen
            in the past (luckily italc has been removed from unstable recently
            and replaced by veyon)
            AFFECTED (LOVE NEEDED)

krfb -> ships rfbserver.c from libvncserver, but uses its ownimplementation

            of an rfbserver rewritten in C++/Qt
            NOT AFFECTED

ssvnc -> VNC client only; ships libvncclient code files, probablyaffected by

            all libvncclient CVEs
            NEEDS MORE TRIAGING

  veyon  -> uses system-wide libvncserver, but still bundles libvncclient
            (this will be resolved with veyon 4.3.0, I heard from upstream)
            NEEDS MORE TRIAGING

  vino   -> bundles libvncserver and uses it. It probably needs to
            be listed for all libvncserver CVEs we have seen in the past
            AFFECTED (LOVE NEEDED)

  vncsnapshot -> contains a small subset the libvncclient files
            NEEDS MORE TRIAGING

  tightvnc -> has copy+pasted code from libvncserver, e.g. rfbserver.(ch)
            and also from libvncclient
            PARTIALLY AFFECTED (LOVE NEEDED)

  tigervnc -> VNC code has been entirely rewritten in C++, not related
              to libvncserver / libvncclient (anymore?) as it seems

Please add more packages, if you see fit, that belong to the samecategory of packages. Please provide feedback if you think otherwiseon statements I made above.


light+love
Mike

[1] https://www.openwall.com/lists/oss-security/2018/12/10/5
[2] https://bugs.debian.org/943833
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgpg21tU73BjY.pgp
Description: Digitale PGP-Signatur

Reply to:

Follow-Ups:
- Re: various security issues in VNC related packages
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: cpio and CVE-2019-14866 for testing
Next by Date: Re: various security issues in VNC related packages
Previous by thread: cpio and CVE-2019-14866 for testing
Next by thread: Re: various security issues in VNC related packages
Index(es):
- Date
- Thread