Hello Debian Security Team,

CVE-2022-23967 is still in status 'undetermined' although it has been worked on in Bug#1007239 with the result of tightvnc not being vulnerable. For details see [1] and [2] or the email forward below.

Please update the status of CVE-2022-23967 to reflect the result.

Let me know if more is needed on my part.

Best,
Sven

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007239#10
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007239#20

-------- Forwarded Message --------
From: Sven Geuer <debmaint@g-e-u-e-r.de>
To: 1007239-done@bugs.debian.org
Subject: Re: Bug#1007239: tightvnc: CVE-2022-23967 - overflow in vncviewer, possible duplicate report of CVE-2019-15679
Date: Fri, 18 Mar 2022 18:33:39 +0100

> Control: forcemerge -1 947133
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
>
> The patch for CVE-2019-15679 already fixes CVE-2022-23967.
>
> In Debian all versions starting from 1:1.3.9-9.1 including
> 1:1.3.9-9+deb9u1 and 1:1.3.9-9+deb10u1 are not vulnerable
> to CVE-2022-23967, i.e., all releases from stretch onward
> are not vulnerable.
>
> I close this ticket therefore.
>
> Please see below for details.
>
> Sven
>
> On Mon, 2022-03-14 at 21:46 +0100, Sven Geuer wrote:
> > Hello Neil,
> >
> > On Mon, 2022-03-14 at 12:02 +0000, Neil Williams wrote:
> > > Source: tightvnc
> > > Version: 1:1.3.10-5
> > > Severity: important
> > > Tags: security
> > > X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for tightvnc.
> > >
> > > CVE-2022-23967[0]:
> > > > In TightVNC 1.3.10, there is an integer signedness error and resultant
> > > > heap-based buffer overflow in InitialiseRFBConnection in rfbproto.c
> > > > (for the vncviewer component). There is no check on the size given to
> > > > malloc, e.g., -1 is accepted. This allocates a chunk of size zero,
> > > > which will give a heap pointer. However, one can send 0xffffffff bytes
> > > > of data, which can have a DoS impact or lead to remote code execution.
> > >
> > > Note: It seems plausible that the Debian patch for CVE-2019-15679
> > > would also fix this new CVE as that patch does not appear in the
> > > current upstream code referenced in the new CVE.
> > >
> > > I have tried to reproduce the PoC for the new CVE in unstable but I
> > > have been unable to get the PoC to work as described in the new CVE.
> > > (The PoC requires some unpackaged Python modules, so a virtualenv
> > > of some kind (or a test VM) would be needed.) In my test VM with
> > > local changes for the PoC, the PoC script failed at line 24.
> > >
> > > https://github.com/MaherAzzouzi/CVE-2022-23967/blob/main/poc.py
> > >
> > > Please could you check if the patch for CVE-2019-15679 does indeed
> > > fix the newly reported CVE?
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2022-23967
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23967
> > >
> > > Please adjust the affected versions in the BTS as needed.
> > >
> >
> > I did set up the PoC in a VM as follows:
> >
> > - Installed and started a minimal Debian unstable VM based on
> >   https://people.debian.org/~gio/dqib/ , Images for amd64-pc.
> > - In the VM
> >   - Installed git, python3 and python3-pip using apt.
> >   - Installed pwn using pip by 'pip install pwn'.
> >   - Installed the PoC by 'git clone https://github.com/MaherAzzouzi/CVE-2022-23967'.
> >   - Ran the PoC by 'python3 poc.py'.
> >
> > I ran xtightvncviewer 1.3.10-5 against the PoC which resulted in
> >
> > $ xtightvncviewer -via debian@amd64 127.0.0.1::5671
> > debian@amd64's password:
> > Connected to RFB server, using protocol version 3.3
> > No authentication needed
> > Too big desktop name length sent by server: 4294967295 B > 1 MB
> >
> > I re-built xtightvncviewer 1.3.10-5 locally with the CVE-2019-15679
> > patch removed.
> >
> > I re-started the PoC and ran the modified xtightvncviewer against it
> > which resulted in
> >
> > $ xtightvncviewer -via debian@amd64 127.0.0.1::6658
> > debian@amd64's password:
> > Connected to RFB server, using protocol version 3.3
> > No authentication needed
> > xtightvncviewer: read: Bad address
> > Segmentation fault
> >
> > Conclusion: The patch for CVE-2019-15679 already fixes CVE-2022-23967.
> > In Debian all versions starting from 1:1.3.9-9.1 including 1:1.3.9-9+deb9u1
> > and 1:1.3.9-9+deb10u1 are not vulnerable to CVE-2022-23967.
> >
> > I believe this bug can therefore be closed without further action. Let
> > me know if more is needed from my side.
> >
>
> --
> GPG Fingerprint
> 3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585

--
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
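As an added illustration (constructed here, not code from tightvnc, the Debian patch, or anyone in this thread), the following C snippet models the length-handling flaw the CVE text describes next to the kind of bound check whose message appears in the patched viewer's output above: the ServerInit name length is kept unsigned, capped, and compared against the bytes actually available before malloc. The message layout, the function names and the 1 MB cap are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the ServerInit tail (4-byte big-endian name length,
 * then the name bytes); not tightvnc's source. The 1 MB cap is an assumption
 * chosen to match the message printed by the patched viewer. */
#define MAX_DESKTOP_NAME 1048576u

/* RFB integers are big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern from the CVE description: the wire value is treated as a
 * signed int and never range-checked, so 0xffffffff becomes -1 and the
 * allocation size len + 1 wraps to 0 (a valid but zero-sized heap chunk),
 * while a later read of len bytes would still ask for ~4 GB. */
static size_t alloc_size_unchecked(const uint8_t *hdr) {
    int len = (int)be32(hdr);   /* signedness error */
    return (size_t)(len + 1);   /* -1 + 1 == 0 -> malloc(0) */
}

/* Hardened form: keep the value unsigned, cap it, and require that the
 * message actually carries that many bytes before allocating or copying. */
static int read_desktop_name(const uint8_t *msg, size_t msglen, char **out) {
    if (msglen < 4) return -1;
    uint32_t len = be32(msg);
    if (len > MAX_DESKTOP_NAME) {
        fprintf(stderr, "Too big desktop name length sent by server: %u B > 1 MB\n",
                (unsigned)len);
        return -1;
    }
    if ((size_t)len > msglen - 4) return -1;   /* truncated or short message */
    char *name = malloc((size_t)len + 1);
    if (!name) return -1;
    memcpy(name, msg + 4, len);
    name[len] = '\0';
    *out = name;
    return 0;
}

/* Constructed inputs: a benign 5-byte name and the CVE's 0xffffffff length. */
static const uint8_t GOOD_MSG[] = {0, 0, 0, 5, 'd', 'e', 's', 'k', '0'};
static const uint8_t BAD_MSG[]  = {0xff, 0xff, 0xff, 0xff};
```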