
Bug#1007239: marked as done (tightvnc: CVE-2022-23967 - overflow in vncviewer, possible duplicate report of CVE-2019-15679)



Your message dated Fri, 18 Mar 2022 18:33:39 +0100
with message-id <38b8161cf8772f875e4a1384bb5e536e77446fe3.camel@g-e-u-e-r.de>
and subject line Re: Bug#1007239: tightvnc: CVE-2022-23967 - overflow in vncviewer, possible duplicate report of CVE-2019-15679
has caused the Debian Bug report #1007239,
regarding tightvnc: CVE-2022-23967 - overflow in vncviewer, possible duplicate report of CVE-2019-15679
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1007239: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007239
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: tightvnc
Version: 1:1.3.10-5
Severity: important
Tags: security
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for tightvnc.

CVE-2022-23967[0]:
| In TightVNC 1.3.10, there is an integer signedness error and resultant
| heap-based buffer overflow in InitialiseRFBConnection in rfbproto.c
| (for the vncviewer component). There is no check on the size given to
| malloc, e.g., -1 is accepted. This allocates a chunk of size zero,
| which will give a heap pointer. However, one can send 0xffffffff bytes
| of data, which can have a DoS impact or lead to remote code execution.

Note: It seems plausible that the Debian patch for CVE-2019-15679
would also fix this new CVE as that patch does not appear in the
current upstream code referenced in the new CVE.

I have tried to reproduce the PoC for the new CVE in unstable but I
have been unable to get the PoC to work as described in the new CVE.
(The PoC requires some unpackaged Python modules, so a virtualenv
of some kind (or a test VM) would be needed.) In my test VM with
local changes for the PoC, the PoC script failed at line 24.

https://github.com/MaherAzzouzi/CVE-2022-23967/blob/main/poc.py

Please could you check if the patch for CVE-2019-15679 does indeed
fix the newly reported CVE?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-23967
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23967

Please adjust the affected versions in the BTS as needed.




-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-4-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Control: forcemerge -1 947133
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

The patch for CVE-2019-15679 already fixes CVE-2022-23967.

In Debian all versions starting from 1:1.3.9-9.1 including 
1:1.3.9-9+deb9u1 and 1:1.3.9-9+deb10u1 are not vulnerable 
to CVE-2022-23967, i.e., all releases from stretch onward 
are not vulnerable.

I close this ticket therefore.

Please see below for details.

Sven

On Mon, 2022-03-14 at 21:46 +0100, Sven Geuer wrote:
> Hello Neil,
> 
> On Mon, 2022-03-14 at 12:02 +0000, Neil Williams wrote:
> > Source: tightvnc
> > Version: 1:1.3.10-5
> > Severity: important
> > Tags: security
> > X-Debbugs-Cc: codehelp@debian.org, Debian Security Team
> > <team@security.debian.org>
> > 
> > Hi,
> > 
> > The following vulnerability was published for tightvnc.
> > 
> > CVE-2022-23967[0]:
> > > In TightVNC 1.3.10, there is an integer signedness error and resultant
> > > heap-based buffer overflow in InitialiseRFBConnection in rfbproto.c
> > > (for the vncviewer component). There is no check on the size given to
> > > malloc, e.g., -1 is accepted. This allocates a chunk of size zero,
> > > which will give a heap pointer. However, one can send 0xffffffff bytes
> > > of data, which can have a DoS impact or lead to remote code execution.
> > 
> > Note: It seems plausible that the Debian patch for CVE-2019-15679
> > would also fix this new CVE as that patch does not appear in the
> > current upstream code referenced in the new CVE.
> > 
> > I have tried to reproduce the PoC for the new CVE in unstable but I
> > have been unable to get the PoC to work as described in the new
> > CVE.
> > (The PoC requires some unpackaged Python modules, so a virtualenv
> > of some kind (or a test VM) would be needed.) In my test VM with
> > local changes for the PoC, the PoC script failed at line 24.
> > 
> > https://github.com/MaherAzzouzi/CVE-2022-23967/blob/main/poc.py
> > 
> > Please could you check if the patch for CVE-2019-15679 does indeed
> > fix the newly reported CVE?
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog
> > entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2022-23967
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23967
> > 
> > Please adjust the affected versions in the BTS as needed.
> > 
> 
> I did set up the PoC in a VM as follows:
> 
> - Installed and started a minimal Debian unstable VM based
> on https://people.debian.org/~gio/dqib/ , Images for amd64-pc.
> - In the VM
>   - Installed git, python3 and python3-pip using apt.
>   - Installed pwn using pip by 'pip install pwn'.
>   - Installed the PoC by 'git clone
> https://github.com/MaherAzzouzi/CVE-2022-23967'.
>   - Ran the PoC by 'python3 poc.py'.
> 
> I ran xtightvncviewer 1.3.10-5 against the PoC which resulted in 
> 
>  $ xtightvncviewer -via debian@amd64 127.0.0.1::5671
>  debian@amd64's password: 
>  Connected to RFB server, using protocol version 3.3
>  No authentication needed
>  Too big desktop name length sent by server: 4294967295 B > 1 MB
> 
> I re-built xtightvncviewer 1.3.10-5 locally with the CVE-2019-15679
> patch removed.
> 
> I re-started the PoC and ran the modified xtightvncviewer against it
> which resulted in
> 
>  $ xtightvncviewer -via debian@amd64 127.0.0.1::6658
>  debian@amd64's password: 
>  Connected to RFB server, using protocol version 3.3
>  No authentication needed
>  xtightvncviewer: read: Bad address
>  Segmentation fault
> 
> Conclusion: The patch for CVE-2019-15679 already fixes CVE-2022-23967.
> In Debian all versions starting from 1:1.3.9-9.1 including 1:1.3.9-9+deb9u1
> and 1:1.3.9-9+deb10u1 are not vulnerable to CVE-2022-23967.
> 
> I believe this bug can therefore be closed without further action.
> Let me know if more is needed from my side.
> 
> 
> 

-- 
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585



--- End Message ---
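The following C program is an added example; it is not part of this bug report and not TightVNC's own code. It models the ServerInit parsing step that the CVE text in Neil's report describes and that Sven's two test runs exercise: the RFB 3.3 ServerInit message carries a 32-bit big-endian desktop-name length after 2 bytes of width, 2 of height and 16 of pixel format. With the length field set to 0xffffffff, the unsigned `name_len + 1` wraps to 0, `malloc(0)` returns a usable pointer, and the read of `name_len` bytes that follows overruns the heap; the unpatched path below stops at exactly that point and reports it rather than performing the overrun. The patched path rejects the name before allocating. The 1 MB cap is an assumption taken from the "> 1 MB" rejection line in Sven's output, not the literal Debian patch; the names `parse_server_init`, `build_server_init` and `struct stream`, and the zeroed pixel-format bytes, are this example's own.

```c
/* Added example, not TightVNC's code: RFB 3.3 ServerInit parsing in the shape
 * the CVE text describes, next to a capped version modelled on the Debian
 * CVE-2019-15679 patch whose "> 1 MB" rejection appears in Sven's test output. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap: the page's log line says the patched viewer rejects names over 1 MB. */
#define MAX_DESKTOP_NAME (1024u * 1024u)
/* ServerInit header: width(2) height(2) pixel-format(16) name-length(4), big-endian. */
#define SERVERINIT_HDR 24

enum parse_result { PARSE_OK, PARSE_SHORT_READ, PARSE_OOM, PARSE_NAME_TOO_BIG, PARSE_WOULD_OVERFLOW };

struct server_init {
    uint16_t width, height;
    uint32_t name_len;   /* name-length field as sent by the server */
    size_t   alloc_len;  /* size the viewer asks malloc() for */
    char    *name;       /* NUL-terminated copy on PARSE_OK, otherwise NULL; caller frees */
};

/* Stand-in for the TCP socket: a byte string already in memory. */
struct stream { const uint8_t *buf; size_t len, pos; };

static int read_exact(struct stream *s, void *dst, size_t n) {
    if (n > s->len - s->pos) return 0;
    memcpy(dst, s->buf + s->pos, n);
    s->pos += n;
    return 1;
}

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* harden == 0 follows the CVE description: the 32-bit length is unsigned, so
 * 0xffffffff + 1 wraps to 0, malloc(0) hands back a usable chunk, and the read
 * of name_len bytes that follows would write past it. This example stops at
 * that point and returns PARSE_WOULD_OVERFLOW instead of corrupting the heap.
 * harden == 1 rejects oversized lengths before touching the allocator. */
enum parse_result parse_server_init(struct stream *s, int harden, struct server_init *out) {
    uint8_t hdr[SERVERINIT_HDR];
    memset(out, 0, sizeof *out);
    if (!read_exact(s, hdr, sizeof hdr)) return PARSE_SHORT_READ;
    out->width    = (uint16_t)(hdr[0] << 8 | hdr[1]);
    out->height   = (uint16_t)(hdr[2] << 8 | hdr[3]);
    out->name_len = be32(hdr + 20);

    if (harden) {
        if (out->name_len > MAX_DESKTOP_NAME) return PARSE_NAME_TOO_BIG;
        out->alloc_len = (size_t)out->name_len + 1;   /* widened before the +1: cannot wrap */
    } else {
        uint32_t alloc = out->name_len + 1;            /* 32-bit arithmetic: 0xffffffff -> 0 */
        out->alloc_len = alloc;
        if (alloc <= out->name_len) return PARSE_WOULD_OVERFLOW;
    }
    out->name = malloc(out->alloc_len);
    if (!out->name) return PARSE_OOM;
    if (!read_exact(s, out->name, out->name_len)) {
        free(out->name);
        out->name = NULL;
        return PARSE_SHORT_READ;
    }
    out->name[out->name_len] = '\0';
    return PARSE_OK;
}

/* Server side, as the PoC does it: a ServerInit whose name-length field is
 * chosen independently of the bytes that actually follow. Pixel format is
 * left zeroed; it plays no role here. Returns bytes written, 0 if cap is too small. */
size_t build_server_init(uint8_t *out, size_t cap, uint16_t w, uint16_t h,
                         uint32_t claimed_len, const char *name, size_t name_bytes) {
    if (cap < SERVERINIT_HDR + name_bytes) return 0;
    memset(out, 0, SERVERINIT_HDR);
    out[0] = (uint8_t)(w >> 8); out[1] = (uint8_t)w;
    out[2] = (uint8_t)(h >> 8); out[3] = (uint8_t)h;
    out[20] = (uint8_t)(claimed_len >> 24); out[21] = (uint8_t)(claimed_len >> 16);
    out[22] = (uint8_t)(claimed_len >> 8);  out[23] = (uint8_t)claimed_len;
    memcpy(out + SERVERINIT_HDR, name, name_bytes);
    return SERVERINIT_HDR + name_bytes;
}

int main(void) {
    uint8_t buf[64];
    struct server_init si;
    /* Constructed malicious ServerInit: name-length 0xffffffff with no name bytes behind it. */
    size_t n = build_server_init(buf, sizeof buf, 1024, 768, 0xffffffffu, "", 0);
    struct stream s = { buf, n, 0 };
    enum parse_result r = parse_server_init(&s, 0, &si);
    printf("unpatched: result %d, name_len %u, malloc size %zu\n", r, si.name_len, si.alloc_len);
    s.pos = 0;
    r = parse_server_init(&s, 1, &si);
    printf("patched:   result %d (name rejected before allocation)\n", r);
    return 0;
}
```

The two outcomes correspond to Sven's runs: the capped parser refuses the message at the header, which is why the patched viewer printed the "Too big desktop name length" line and exited cleanly, while the uncapped parser reaches a zero-byte allocation and a pending read of 4294967295 bytes, which is where the rebuilt viewer without the patch segfaulted. Checking the length against a fixed cap before the allocation, and doing the +1 in a wider type, is the whole of the fix; a real viewer would also want a timeout on that read so a server cannot stall it by promising a name it never sends.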
