
Re: various security issues in VNC related packages


I agree that the VNC situation in Debian is sub-optimal. Frankly speaking, not just in Debian. This popular software has diverged quite a lot, with a lot of packages sharing a similar code base.

I had a brief look at vnc4 as well. It does not seem to share the same code base as libvncserver so it should not be affected.

Best regards

// Ola

On Wed, 30 Oct 2019 at 16:10, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
Hi all,

today I looked into libvncserver/CVE-2019-15681. The VNC situation is 
non-optimal in Debian...

The gist (which also applies to Debian) can be found in [1]. Thanks to 
Pavel Cheremushkin from Kaspersky for publishing his findings.

I looked at all packages I could think of that are related to VNC and 
came up with this list:

   x11vnc -> uses system's libvncserver and system's libvncclient, but still
             bundles older versions of both in the orig tarball. (See [2]).
             NOT AFFECTED

   italc  -> bundles libvncserver (shame on myself+upstream) and uses it. It
             probably needs to be listed for all libvncserver CVEs we have seen
             in the past (luckily italc has been removed from unstable recently
             and replaced by veyon)

   krfb   -> ships rfbserver.c from libvncserver, but uses its own implementation
             of an rfbserver rewritten in C++/Qt
             NOT AFFECTED

   ssvnc  -> VNC client only; ships libvncclient code files, probably
             affected by all libvncclient CVEs

   veyon  -> uses system-wide libvncserver, but still bundles libvncclient
             (this will be resolved with veyon 4.3.0, I heard from upstream)

   vino   -> bundles libvncserver and uses it. It probably needs to
             be listed for all libvncserver CVEs we have seen in the past

   vncsnapshot -> contains a small subset of the libvncclient files

   tightvnc -> has copy+pasted code from libvncserver, e.g. rfbserver.(ch)
             and also from libvncclient

   tigervnc -> VNC code has been entirely rewritten in C++, not related
               to libvncserver / libvncclient (anymore?) as it seems

Please add more packages, if you see fit, that belong to the same 
category of packages. Please provide feedback if you think otherwise 
on statements I made above.


[1] https://www.openwall.com/lists/oss-security/2018/12/10/5
[2] https://bugs.debian.org/943833

c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
