
Bug#1007239: tightvnc: CVE-2022-23967 - overflow in vncviewer, possible duplicate report of CVE-2019-15679



Source: tightvnc
Version: 1:1.3.10-5
Severity: important
Tags: security
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for tightvnc.

CVE-2022-23967[0]:
| In TightVNC 1.3.10, there is an integer signedness error and resultant
| heap-based buffer overflow in InitialiseRFBConnection in rfbproto.c
| (for the vncviewer component). There is no check on the size given to
| malloc, e.g., -1 is accepted. This allocates a chunk of size zero,
| which will give a heap pointer. However, one can send 0xffffffff bytes
| of data, which can have a DoS impact or lead to remote code execution.

Note: It seems plausible that the Debian patch for CVE-2019-15679
would also fix this new CVE as that patch does not appear in the
current upstream code referenced in the new CVE.

I have tried to reproduce the PoC for the new CVE in unstable but I
have been unable to get the PoC to work as described in the new CVE.
(The PoC requires some unpackaged Python modules, so a virtualenv
of some kind (or a test VM) would be needed.) In my test VM with
local changes for the PoC, the PoC script failed at line 24.

https://github.com/MaherAzzouzi/CVE-2022-23967/blob/main/poc.py

Please could you check if the patch for CVE-2019-15679 does indeed
fix the newly reported CVE?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-23967
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23967

Please adjust the affected versions in the BTS as needed.




-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-4-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
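As an added illustration (not from this bug report, and not tightvnc's source): a bounds-checked reader for a length-prefixed RFB reason string, next to the 32-bit arithmetic by which a length of -1 can end up as a zero-size allocation. The message layout (4-byte big-endian length, then the text), MAX_REASON_LEN and the function names are assumptions made for this example.

```c
/* Constructed example: a bounds-checked reader for an RFB "connection
 * failed" reason string (4-byte big-endian length followed by the text).
 * Not tightvnc's code; it shows the length check the CVE text says is
 * missing before the value reaches malloc. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on a plausible reason string; an assumption, not from the page. */
#define MAX_REASON_LEN 4096u

/* Decode a big-endian 32-bit length. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* What an unchecked "len + 1" computed in 32-bit arithmetic yields:
 * for 0xffffffff (-1 read as a signed int) it wraps to 0, so malloc
 * would return a valid but zero-size chunk. Assumed arithmetic, shown
 * only to make the wrap visible. */
uint32_t unchecked_alloc_size(uint32_t len) {
    return len + 1u;
}

/* Hardened reader: returns 0 on success and -1 if the length is not
 * acceptable. *out receives a NUL-terminated copy the caller frees. */
int read_reason(const uint8_t *msg, size_t msglen, char **out) {
    *out = NULL;
    if (msglen < 4)
        return -1;
    uint32_t len = be32(msg);
    /* Reject 0xffffffff, anything above the sane limit, and anything
     * longer than the bytes actually present, before allocating. */
    if (len > MAX_REASON_LEN || len > msglen - 4)
        return -1;
    char *buf = malloc((size_t)len + 1);   /* size_t arithmetic: no 32-bit wrap */
    if (buf == NULL)
        return -1;
    memcpy(buf, msg + 4, len);
    buf[len] = '\0';
    *out = buf;
    return 0;
}
```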

