Hello Neil,

On Mon, 2022-03-14 at 12:02 +0000, Neil Williams wrote:
> Source: tightvnc
> Version: 1:1.3.10-5
> Severity: important
> Tags: security
> X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for tightvnc.
>
> CVE-2022-23967[0]:
> > In TightVNC 1.3.10, there is an integer signedness error and resultant
> > heap-based buffer overflow in InitialiseRFBConnection in rfbproto.c
> > (for the vncviewer component). There is no check on the size given to
> > malloc, e.g., -1 is accepted. This allocates a chunk of size zero,
> > which will give a heap pointer. However, one can send 0xffffffff bytes
> > of data, which can have a DoS impact or lead to remote code execution.
>
> Note: It seems plausible that the Debian patch for CVE-2019-15679
> would also fix this new CVE as that patch does not appear in the
> current upstream code referenced in the new CVE.
>
> I have tried to reproduce the PoC for the new CVE in unstable but I
> have been unable to get the PoC to work as described in the new CVE.
> (The PoC requires some unpackaged Python modules, so a virtualenv
> of some kind (or a test VM) would be needed.) In my test VM with
> local changes for the PoC, the PoC script failed at line 24.
>
> https://github.com/MaherAzzouzi/CVE-2022-23967/blob/main/poc.py
>
> Please could you check if the patch for CVE-2019-15679 does indeed
> fix the newly reported CVE?
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-23967
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23967
>
> Please adjust the affected versions in the BTS as needed.
I did set up the PoC in a VM as follows:

- Installed and started a minimal Debian unstable VM based on
  https://people.debian.org/~gio/dqib/ , Images for amd64-pc.
- In the VM
  - Installed git, python3 and python3-pip using apt.
  - Installed pwn using pip by 'pip install pwn'.
  - Installed the PoC by 'git clone https://github.com/MaherAzzouzi/CVE-2022-23967'.
  - Ran the PoC by 'python3 poc.py'.

I ran xtightvncviewer 1.3.10-5 against the PoC which resulted in

$ xtightvncviewer -via debian@amd64 127.0.0.1::5671
debian@amd64's password:
Connected to RFB server, using protocol version 3.3
No authentication needed
Too big desktop name length sent by server: 4294967295 B > 1 MB

I re-built xtightvncviewer 1.3.10-5 locally with the CVE-2019-15679 patch
removed. I re-started the PoC and ran the modified xtightvncviewer against
it which resulted in

$ xtightvncviewer -via debian@amd64 127.0.0.1::6658
debian@amd64's password:
Connected to RFB server, using protocol version 3.3
No authentication needed
xtightvncviewer: read: Bad address
Segmentation fault

Conclusion: The patch for CVE-2019-15679 already fixes CVE-2022-23967. In
Debian all versions starting from 1:1.3.9-9.1 including 1:1.3.9-9+deb9u1
and 1:1.3.9-9+deb10u1 are not vulnerable to CVE-2022-23967.

I believe this bug can therefore be closed without further action.

Let me know if more is needed from my side.

-- 
GPG Fingerprint 3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
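The length-handling pattern that the CVE text describes and that the patched viewer's "Too big desktop name length" message reflects, as an added example for readers of this thread (it is not tightvnc's rfbproto.c; the function names, the 1 MB limit and the sample wire bytes are assumptions):

```c
/* Added example, not tightvnc code: an unchecked ServerInit name-length
 * computation beside a bounded parser. Names and limits are assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit, mirroring the "> 1 MB" rejection the patched viewer prints. */
#define MAX_DESKTOP_NAME_LEN (1024u * 1024u)

/* Big-endian 32-bit read, as the RFB wire format uses. */
static uint32_t rd_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unchecked variant: the wire length lands in a signed int and is only
 * used as malloc(len + 1). A server-sent 0xffffffff becomes -1, so the
 * request wraps to a zero-byte allocation while a later read would still
 * try to consume 0xffffffff bytes into it. Returns the size that would be
 * handed to malloc; it allocates nothing. */
size_t unchecked_alloc_size(uint32_t wire_len) {
    int len = (int)wire_len;        /* signedness error: -1 for 0xffffffff */
    return (size_t)len + 1;         /* unsigned wraparound: 0 for len == -1 */
}

/* Bounded variant: parse the 4-byte length and the name that follows from
 * a received buffer. Rejects lengths above the limit and lengths longer
 * than the bytes actually received. Returns a NUL-terminated copy the
 * caller frees, or NULL on rejection. */
char *parse_desktop_name(const unsigned char *buf, size_t buf_len) {
    if (buf_len < 4)
        return NULL;
    uint32_t name_len = rd_u32(buf);             /* stays unsigned */
    if (name_len > MAX_DESKTOP_NAME_LEN)         /* "Too big desktop name length" */
        return NULL;
    if ((size_t)name_len > buf_len - 4)          /* truncated message */
        return NULL;
    char *name = malloc((size_t)name_len + 1);   /* cannot wrap: bounded above */
    if (name == NULL)
        return NULL;
    memcpy(name, buf + 4, name_len);
    name[name_len] = '\0';
    return name;
}
```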