[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#961936: marked as done (buster-pu: package ssvnc/1.0.29-4+deb10u1)

Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #961936,
regarding buster-pu: package ssvnc/1.0.29-4+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
961936: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961936
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I just uploaded this ssvnc update to Debian buster:

+  * Non-maintainer upload by the LTS team.

@Magnus: Thanks for fixing ssnvc in testing/unstable regarding below CVE
issues. I saw that those issues haven't been convered in stretch+buster,
so I was so brisk and dput fixes straight away.

+  * Porting of libvncclient security patches (Closes: #945827):
+    - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+      in VNC client code.
+    - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+    - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+    - CVE-2018-20024: null pointer dereference that can result DoS.

@release team: The upload fixes the not-so-critical CVEs given above.

Thanks+Greets,
Mike


-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru ssvnc-1.0.29/debian/changelog ssvnc-1.0.29/debian/changelog
--- ssvnc-1.0.29/debian/changelog	2018-06-24 19:39:53.000000000 +0200
+++ ssvnc-1.0.29/debian/changelog	2020-05-31 20:58:21.000000000 +0200
@@ -1,3 +1,15 @@
+ssvnc (1.0.29-4+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload by the LTS team.
+  * Porting of libvncclient security patches (Closes: #945827):
+    - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+      in VNC client code.
+    - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+    - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+    - CVE-2018-20024: null pointer dereference that can result DoS.
+
+ -- Mike Gabriel <sunweaver@debian.org>  Sun, 31 May 2020 20:58:21 +0200
+
 ssvnc (1.0.29-4) unstable; urgency=low
 
   * default-jdk-headless is enough to build.
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch	1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch	2019-12-16 19:37:52.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20020
+ heap out-of-bound write vulnerability inside structure in VNC client code that
+ can result remote code execution
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/corre.c
++++ b/vnc_unixsrc/vncviewer/corre.c
+@@ -76,7 +76,7 @@
+     FillRectangle(rx, ry, rw, rh, gcv.foreground);
+ #endif
+ 
+-    if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++    if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ 	return False;
+ 
+     ptr = (CARD8 *)buffer;
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch	1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch	2019-12-16 19:37:52.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20021
+ CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows
+ attacker to consume excessive amount of resources like CPU and RAM
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
+Bug: https://github.com/LibVNC/libvncserver/issues/251
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/rfbproto.c
++++ b/vnc_unixsrc/vncviewer/rfbproto.c
+@@ -3156,7 +3156,7 @@
+ 			if (db) fprintf(stderr, "Raw:     %dx%d+%d+%d\n", rect.r.w, rect.r.h, rect.r.x, rect.r.y);
+ 			area_raw += rect.r.w * rect.r.h;
+ 
+-			while (rect.r.h > 0) {
++			while (linesToRead && rect.r.h > 0) {
+ 				if (linesToRead > rect.r.h) {
+ 					linesToRead = rect.r.h;
+ 				}
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch	1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch	2019-12-16 19:37:52.000000000 +0100
@@ -0,0 +1,31 @@
+Description: CVE-2018-20022
+ multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC
+ client code that allows attacker to read stack memory and can be abuse for
+ information disclosure. Combined with another vulnerability, it can be used
+ to leak stack memory layout and in bypassing ASLR
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
+Bug: https://github.com/LibVNC/libvncserver/issues/252
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/rfbproto.c
++++ b/vnc_unixsrc/vncviewer/rfbproto.c
+@@ -2447,6 +2447,7 @@
+ 		}
+ 	}
+ 
++	memset(&ke, 0, sizeof(ke));
+ 	ke.type = rfbKeyEvent;
+ 	ke.down = down ? 1 : 0;
+ 	ke.key = Swap32IfLE(key);
+@@ -2480,6 +2481,7 @@
+ 		return True;
+ 	}
+ 
++	memset(&cct, 0, sizeof(cct));
+ 	cct.type = rfbClientCutText;
+ 	cct.length = Swap32IfLE((unsigned int) len);
+ 	currentMsg = rfbClientCutText;
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch	1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch	2019-12-16 19:37:52.000000000 +0100
@@ -0,0 +1,43 @@
+Description: CVE-2018-20024
+ null pointer dereference in VNC client code that can result DoS.
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7
+Bug: https://github.com/LibVNC/libvncserver/issues/254
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+[sunweaver] Investigate CVE-2018-20024 in ssvnc and find similar issues in zrle.c and zlib.c.
+            The ultra.c code that this has originally been reported against is not present in
+            ssvnc.
+
+--- a/vnc_unixsrc/vncviewer/zlib.c
++++ b/vnc_unixsrc/vncviewer/zlib.c
+@@ -55,6 +55,11 @@
+     raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+     raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++    if (raw_buffer == NULL) {
++
++	return False;
++
++    }
+   }
+ 
+   if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
+--- a/vnc_unixsrc/vncviewer/zrle.c
++++ b/vnc_unixsrc/vncviewer/zrle.c
+@@ -132,6 +132,12 @@
+ 		raw_buffer_size = min_buffer_size;
+ 		raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++		if ( raw_buffer == NULL ) {
++
++			return False;
++
++		}
++
+ 	}
+ 
+ 	if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader))
diff -Nru ssvnc-1.0.29/debian/patches/series ssvnc-1.0.29/debian/patches/series
--- ssvnc-1.0.29/debian/patches/series	2016-07-30 23:09:13.000000000 +0200
+++ ssvnc-1.0.29/debian/patches/series	2020-05-31 20:57:56.000000000 +0200
@@ -6,3 +6,7 @@
 openssl1.1.patch
 auto-scale.patch
 samemachine_ip6_overflow.patch
+libvncclient_CVE-2018-20020.patch
+libvncclient_CVE-2018-20021.patch
+libvncclient_CVE-2018-20022.patch
+libvncclient_CVE-2018-20024.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
Reply to: