[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#961937: marked as done (stretch-pu: package ssvnc/1.0.29-3+deb9u1)

Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id <b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.camel@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #961937,
regarding stretch-pu: package ssvnc/1.0.29-3+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
961937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961937
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I just uploaded this ssvnc update to Debian stretch:

+  * Non-maintainer upload by the LTS team.

@Magnus: Thanks for fixing ssnvc in testing/unstable regarding below CVE
issues. I saw that those issues haven't been covered for in stretch+buster,
so I was so brisk and dput fixes straight away.

+  * Porting of libvncclient security patches (Closes: #945827):
+    - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+      in VNC client code.
+    - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+    - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+    - CVE-2018-20024: null pointer dereference that can result DoS.

@release team: The upload fixes the not-so-critical CVEs given above.

Thanks+Greets,
Mike

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru ssvnc-1.0.29/debian/changelog ssvnc-1.0.29/debian/changelog
--- ssvnc-1.0.29/debian/changelog	2016-07-30 23:10:11.000000000 +0200
+++ ssvnc-1.0.29/debian/changelog	2020-05-31 20:59:43.000000000 +0200
@@ -1,3 +1,15 @@
+ssvnc (1.0.29-3+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload by the LTS team.
+  * Porting of libvncclient security patches (Closes: #945827):
+    - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+      in VNC client code.
+    - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+    - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+    - CVE-2018-20024: null pointer dereference that can result DoS.
+
+ -- Mike Gabriel <sunweaver@debian.org>  Sun, 31 May 2020 20:59:43 +0200
+
 ssvnc (1.0.29-3) unstable; urgency=low
 
   * debian/rules: Add call to dh_strip_nondeterminism.
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch	1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch	2019-12-16 19:37:52.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20020
+ heap out-of-bound write vulnerability inside structure in VNC client code that
+ can result remote code execution
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/corre.c
++++ b/vnc_unixsrc/vncviewer/corre.c
+@@ -76,7 +76,7 @@
+     FillRectangle(rx, ry, rw, rh, gcv.foreground);
+ #endif
+ 
+-    if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++    if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ 	return False;
+ 
+     ptr = (CARD8 *)buffer;
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch	1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch	2019-12-16 19:37:52.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20021
+ CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows
+ attacker to consume excessive amount of resources like CPU and RAM
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
+Bug: https://github.com/LibVNC/libvncserver/issues/251
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/rfbproto.c
++++ b/vnc_unixsrc/vncviewer/rfbproto.c
+@@ -3156,7 +3156,7 @@
+ 			if (db) fprintf(stderr, "Raw:     %dx%d+%d+%d\n", rect.r.w, rect.r.h, rect.r.x, rect.r.y);
+ 			area_raw += rect.r.w * rect.r.h;
+ 
+-			while (rect.r.h > 0) {
++			while (linesToRead && rect.r.h > 0) {
+ 				if (linesToRead > rect.r.h) {
+ 					linesToRead = rect.r.h;
+ 				}
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch	1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch	2019-12-16 19:37:52.000000000 +0100
@@ -0,0 +1,31 @@
+Description: CVE-2018-20022
+ multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC
+ client code that allows attacker to read stack memory and can be abuse for
+ information disclosure. Combined with another vulnerability, it can be used
+ to leak stack memory layout and in bypassing ASLR
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
+Bug: https://github.com/LibVNC/libvncserver/issues/252
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/rfbproto.c
++++ b/vnc_unixsrc/vncviewer/rfbproto.c
+@@ -2447,6 +2447,7 @@
+ 		}
+ 	}
+ 
++	memset(&ke, 0, sizeof(ke));
+ 	ke.type = rfbKeyEvent;
+ 	ke.down = down ? 1 : 0;
+ 	ke.key = Swap32IfLE(key);
+@@ -2480,6 +2481,7 @@
+ 		return True;
+ 	}
+ 
++	memset(&cct, 0, sizeof(cct));
+ 	cct.type = rfbClientCutText;
+ 	cct.length = Swap32IfLE((unsigned int) len);
+ 	currentMsg = rfbClientCutText;
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch	1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch	2019-12-16 19:37:52.000000000 +0100
@@ -0,0 +1,43 @@
+Description: CVE-2018-20024
+ null pointer dereference in VNC client code that can result DoS.
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7
+Bug: https://github.com/LibVNC/libvncserver/issues/254
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+[sunweaver] Investigate CVE-2018-20024 in ssvnc and find similar issues in zrle.c and zlib.c.
+            The ultra.c code that this has originally been reported against is not present in
+            ssvnc.
+
+--- a/vnc_unixsrc/vncviewer/zlib.c
++++ b/vnc_unixsrc/vncviewer/zlib.c
+@@ -55,6 +55,11 @@
+     raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+     raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++    if (raw_buffer == NULL) {
++
++	return False;
++
++    }
+   }
+ 
+   if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
+--- a/vnc_unixsrc/vncviewer/zrle.c
++++ b/vnc_unixsrc/vncviewer/zrle.c
+@@ -132,6 +132,12 @@
+ 		raw_buffer_size = min_buffer_size;
+ 		raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++		if ( raw_buffer == NULL ) {
++
++			return False;
++
++		}
++
+ 	}
+ 
+ 	if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader))
diff -Nru ssvnc-1.0.29/debian/patches/series ssvnc-1.0.29/debian/patches/series
--- ssvnc-1.0.29/debian/patches/series	2016-07-30 23:09:13.000000000 +0200
+++ ssvnc-1.0.29/debian/patches/series	2020-05-31 20:59:43.000000000 +0200
@@ -6,3 +6,7 @@
 openssl1.1.patch
 auto-scale.patch
 samemachine_ip6_overflow.patch
+libvncclient_CVE-2018-20020.patch
+libvncclient_CVE-2018-20021.patch
+libvncclient_CVE-2018-20022.patch
+libvncclient_CVE-2018-20024.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---
Reply to: