--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package ssvnc/1.0.29-4+deb10u1
- From: Mike Gabriel <sunweaver@debian.org>
- Date: Sun, 31 May 2020 21:09:27 +0200
- Message-id: <159095216747.15835.17185565503921189971.reportbug@minobo.das-netzwerkteam.de>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
I just uploaded this ssvnc update to Debian buster:
+ * Non-maintainer upload by the LTS team.
@Magnus: Thanks for fixing ssvnc in testing/unstable regarding the below CVE
issues. I saw that those issues haven't been covered in stretch+buster,
so I was so brisk and dput the fixes straight away.
+ * Porting of libvncclient security patches (Closes: #945827):
+ - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+ in VNC client code.
+ - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+ - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+ - CVE-2018-20024: null pointer dereference that can result DoS.
@release team: The upload fixes the not-so-critical CVEs given above.
Thanks+Greets,
Mike
-- System Information:
Debian Release: 10.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru ssvnc-1.0.29/debian/changelog ssvnc-1.0.29/debian/changelog
--- ssvnc-1.0.29/debian/changelog 2018-06-24 19:39:53.000000000 +0200
+++ ssvnc-1.0.29/debian/changelog 2020-05-31 20:58:21.000000000 +0200
@@ -1,3 +1,15 @@
+ssvnc (1.0.29-4+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload by the LTS team.
+ * Porting of libvncclient security patches (Closes: #945827):
+ - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+ in VNC client code.
+ - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+ - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+ - CVE-2018-20024: null pointer dereference that can result DoS.
+
+ -- Mike Gabriel <sunweaver@debian.org> Sun, 31 May 2020 20:58:21 +0200
+
ssvnc (1.0.29-4) unstable; urgency=low
* default-jdk-headless is enough to build.
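Review bot: the CVE-2018-20024 bullet reads "that can result DoS"; it should read "that can result in a DoS" (the CVE-2018-20020 patch header has the same "can result remote code execution" wording). It would also help readers of the changelog to say that the CVE-2018-20024 fix in this package lands in zlib.c and zrle.c rather than in upstream's ultra.c, as the [sunweaver] note inside the patch explains, since the changelog is what the security tracker cross-references.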
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch 1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch 2019-12-16 19:37:52.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20020
+ heap out-of-bound write vulnerability inside structure in VNC client code that
+ can result remote code execution
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/corre.c
++++ b/vnc_unixsrc/vncviewer/corre.c
+@@ -76,7 +76,7 @@
+ FillRectangle(rx, ry, rw, rh, gcv.foreground);
+ #endif
+
+- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ return False;
+
+ ptr = (CARD8 *)buffer;
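Review bot: the new guard rejects the rectangle when hdr.nSubrects exceeds BUFFER_SIZE / (4 + (BPP / 8)), so it is only a complete bound if `buffer` in vnc_unixsrc/vncviewer/corre.c really is BUFFER_SIZE bytes long; please confirm that for the ssvnc copy of the viewer, because the check was ported from libvncserver and the buffer naming differs. Two DEP-3 points on the header: Author, Origin, Bug, Bug-Debian and Last-Update sit below the `---` separator, where DEP-3 parsers stop reading fields, so move them above it (the other three patch files have the same layout), and "can result remote code execution" should be "can result in remote code execution".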
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch 1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch 2019-12-16 19:37:52.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20021
+ CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows
+ attacker to consume excessive amount of resources like CPU and RAM
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
+Bug: https://github.com/LibVNC/libvncserver/issues/251
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/rfbproto.c
++++ b/vnc_unixsrc/vncviewer/rfbproto.c
+@@ -3156,7 +3156,7 @@
+ if (db) fprintf(stderr, "Raw: %dx%d+%d+%d\n", rect.r.w, rect.r.h, rect.r.x, rect.r.y);
+ area_raw += rect.r.w * rect.r.h;
+
+- while (rect.r.h > 0) {
++ while (linesToRead && rect.r.h > 0) {
+ if (linesToRead > rect.r.h) {
+ linesToRead = rect.r.h;
+ }
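Review bot: `while (linesToRead && rect.r.h > 0)` ends the loop when linesToRead is 0, but rect.r.h is then still greater than 0 and the function carries on as if the whole rectangle had been consumed, leaving the unread pixel data in the stream and desynchronising the protocol. Unless the code after the loop already treats the leftover height as an error, add a check such as `if (rect.r.h > 0) return False;` directly after the loop so a rectangle that cannot be read in buffer-sized chunks is rejected rather than silently skipped; a note in the patch description saying under what condition linesToRead becomes 0 would also make the fix easier to review.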
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch 1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch 2019-12-16 19:37:52.000000000 +0100
@@ -0,0 +1,31 @@
+Description: CVE-2018-20022
+ multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC
+ client code that allows attacker to read stack memory and can be abuse for
+ information disclosure. Combined with another vulnerability, it can be used
+ to leak stack memory layout and in bypassing ASLR
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
+Bug: https://github.com/LibVNC/libvncserver/issues/252
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/rfbproto.c
++++ b/vnc_unixsrc/vncviewer/rfbproto.c
+@@ -2447,6 +2447,7 @@
+ }
+ }
+
++ memset(&ke, 0, sizeof(ke));
+ ke.type = rfbKeyEvent;
+ ke.down = down ? 1 : 0;
+ ke.key = Swap32IfLE(key);
+@@ -2480,6 +2481,7 @@
+ return True;
+ }
+
++ memset(&cct, 0, sizeof(cct));
+ cct.type = rfbClientCutText;
+ cct.length = Swap32IfLE((unsigned int) len);
+ currentMsg = rfbClientCutText;
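Review bot: clearing `ke` and `cct` with memset before assigning their fields is the correct fix, because field-by-field initialisation leaves struct padding undefined and the full struct is what goes out to the server, so the padding leaks stack bytes. Only the key-event and cut-text paths are touched here; please check whether the other client-to-server messages that rfbproto.c builds on the stack and writes out whole (pointer events, update requests, the encodings list) need the same memset, and say in the patch description that the remaining cases were reviewed.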
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch 1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch 2019-12-16 19:37:52.000000000 +0100
@@ -0,0 +1,43 @@
+Description: CVE-2018-20024
+ null pointer dereference in VNC client code that can result DoS.
+---
+
+Author: Abhijith PA <abhijith@debian.org>
+Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7
+Bug: https://github.com/LibVNC/libvncserver/issues/254
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+[sunweaver] Investigate CVE-2018-20024 in ssvnc and find similar issues in zrle.c and zlib.c.
+ The ultra.c code that this has originally been reported against is not present in
+ ssvnc.
+
+--- a/vnc_unixsrc/vncviewer/zlib.c
++++ b/vnc_unixsrc/vncviewer/zlib.c
+@@ -55,6 +55,11 @@
+ raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+ raw_buffer = (char*) malloc( raw_buffer_size );
+
++ if (raw_buffer == NULL) {
++
++ return False;
++
++ }
+ }
+
+ if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
+--- a/vnc_unixsrc/vncviewer/zrle.c
++++ b/vnc_unixsrc/vncviewer/zrle.c
+@@ -132,6 +132,12 @@
+ raw_buffer_size = min_buffer_size;
+ raw_buffer = (char*) malloc( raw_buffer_size );
+
++ if ( raw_buffer == NULL ) {
++
++ return False;
++
++ }
++
+ }
+
+ if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader))
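Review bot: in both hunks the NULL check returns False but leaves raw_buffer_size holding the new size assigned on the line above; if the enclosing block (closed by the `}` context line) is entered only when raw_buffer_size is too small for the rectangle, the next rectangle of the same size skips the allocation and dereferences the NULL raw_buffer, which is the crash this patch is meant to remove. Set `raw_buffer_size = 0;` before `return False;` in both places. Style nit: drop the empty lines inside the two new if blocks so the indentation and spacing match the surrounding code.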
diff -Nru ssvnc-1.0.29/debian/patches/series ssvnc-1.0.29/debian/patches/series
--- ssvnc-1.0.29/debian/patches/series 2016-07-30 23:09:13.000000000 +0200
+++ ssvnc-1.0.29/debian/patches/series 2020-05-31 20:57:56.000000000 +0200
@@ -6,3 +6,7 @@
openssl1.1.patch
auto-scale.patch
samemachine_ip6_overflow.patch
+libvncclient_CVE-2018-20020.patch
+libvncclient_CVE-2018-20021.patch
+libvncclient_CVE-2018-20022.patch
+libvncclient_CVE-2018-20024.patch
--- End Message ---