Your message dated Fri, 18 Mar 2022 18:33:39 +0100 with message-id <38b8161cf8772f875e4a1384bb5e536e77446fe3.camel@g-e-u-e-r.de> and subject line Re: Bug#1007239: tightvnc: CVE-2022-23967 - overflow in vncviewer, possible duplicate report of CVE-2019-15679 has caused the Debian Bug report #1007239, regarding tightvnc: CVE-2022-23967 - overflow in vncviewer, possible duplicate report of CVE-2019-15679 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1007239: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007239
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: tightvnc: CVE-2022-23967 - overflow in vncviewer, possible duplicate report of CVE-2019-15679
- From: Neil Williams <codehelp@debian.org>
- Date: Mon, 14 Mar 2022 12:02:34 +0000
- Message-id: <164725935458.7266.5766546605407831536.reportbug@debian-sid.codehelp>
Source: tightvnc
Version: 1:1.3.10-5
Severity: important
Tags: security
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for tightvnc.

CVE-2022-23967[0]:
| In TightVNC 1.3.10, there is an integer signedness error and resultant
| heap-based buffer overflow in InitialiseRFBConnection in rfbproto.c
| (for the vncviewer component). There is no check on the size given to
| malloc, e.g., -1 is accepted. This allocates a chunk of size zero,
| which will give a heap pointer. However, one can send 0xffffffff bytes
| of data, which can have a DoS impact or lead to remote code execution.

Note: It seems plausible that the Debian patch for CVE-2019-15679 would also fix this new CVE as that patch does not appear in the current upstream code referenced in the new CVE.

I have tried to reproduce the PoC for the new CVE in unstable but I have been unable to get the PoC to work as described in the new CVE. (The PoC requires some unpackaged Python modules, so a virtualenv of some kind (or a test VM) would be needed.) In my test VM with local changes for the PoC, the PoC script failed at line 24.

https://github.com/MaherAzzouzi/CVE-2022-23967/blob/main/poc.py

Please could you check if the patch for CVE-2019-15679 does indeed fix the newly reported CVE?

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-23967
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23967

Please adjust the affected versions in the BTS as needed.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-4-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
- To: 1007239-done@bugs.debian.org
- Subject: Re: Bug#1007239: tightvnc: CVE-2022-23967 - overflow in vncviewer, possible duplicate report of CVE-2019-15679
- From: Sven Geuer <debmaint@g-e-u-e-r.de>
- Date: Fri, 18 Mar 2022 18:33:39 +0100
- Message-id: <38b8161cf8772f875e4a1384bb5e536e77446fe3.camel@g-e-u-e-r.de>
- In-reply-to: <c1532e23a8c5b3abad9083b8341b7448f1761c1f.camel@g-e-u-e-r.de>
- References: <164725935458.7266.5766546605407831536.reportbug@debian-sid.codehelp> <164725935458.7266.5766546605407831536.reportbug@debian-sid.codehelp> <c1532e23a8c5b3abad9083b8341b7448f1761c1f.camel@g-e-u-e-r.de>
Control: forcemerge -1 947133
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

The patch for CVE-2019-15679 already fixes CVE-2022-23967. In Debian all versions starting from 1:1.3.9-9.1 including 1:1.3.9-9+deb9u1 and 1:1.3.9-9+deb10u1 are not vulnerable to CVE-2022-23967, i.e., all releases from stretch onward are not vulnerable. I close this ticket therefore. Please see below for details.

Sven

On Mon, 2022-03-14 at 21:46 +0100, Sven Geuer wrote:
> Hello Neil,
>
> On Mon, 2022-03-14 at 12:02 +0000, Neil Williams wrote:
> > Source: tightvnc
> > Version: 1:1.3.10-5
> > Severity: important
> > Tags: security
> > X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for tightvnc.
> >
> > CVE-2022-23967[0]:
> > | In TightVNC 1.3.10, there is an integer signedness error and resultant
> > | heap-based buffer overflow in InitialiseRFBConnection in rfbproto.c
> > | (for the vncviewer component). There is no check on the size given to
> > | malloc, e.g., -1 is accepted. This allocates a chunk of size zero,
> > | which will give a heap pointer. However, one can send 0xffffffff bytes
> > | of data, which can have a DoS impact or lead to remote code execution.
> >
> > Note: It seems plausible that the Debian patch for CVE-2019-15679 would also fix this new CVE as that patch does not appear in the current upstream code referenced in the new CVE.
> >
> > I have tried to reproduce the PoC for the new CVE in unstable but I have been unable to get the PoC to work as described in the new CVE. (The PoC requires some unpackaged Python modules, so a virtualenv of some kind (or a test VM) would be needed.) In my test VM with local changes for the PoC, the PoC script failed at line 24.
> >
> > https://github.com/MaherAzzouzi/CVE-2022-23967/blob/main/poc.py
> >
> > Please could you check if the patch for CVE-2019-15679 does indeed fix the newly reported CVE?
> >
> > If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2022-23967
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23967
> >
> > Please adjust the affected versions in the BTS as needed.
>
> I did set up the PoC in a VM as follows:
>
> - Installed and started a minimal Debian unstable VM based on https://people.debian.org/~gio/dqib/ , Images for amd64-pc.
> - In the VM
>   - Installed git, python3 and python3-pip using apt.
>   - Installed pwn using pip by 'pip install pwn'.
>   - Installed the PoC by 'git clone https://github.com/MaherAzzouzi/CVE-2022-23967'.
>   - Ran the PoC by 'python3 poc.py'.
>
> I ran xtightvncviewer 1.3.10-5 against the PoC which resulted in
>
> $ xtightvncviewer -via debian@amd64 127.0.0.1::5671
> debian@amd64's password:
> Connected to RFB server, using protocol version 3.3
> No authentication needed
> Too big desktop name length sent by server: 4294967295 B > 1 MB
>
> I re-built xtightvncviewer 1.3.10-5 locally with the CVE-2019-15679 patch removed.
>
> I re-started the PoC and ran the modified xtightvncviewer against it which resulted in
>
> $ xtightvncviewer -via debian@amd64 127.0.0.1::6658
> debian@amd64's password:
> Connected to RFB server, using protocol version 3.3
> No authentication needed
> xtightvncviewer: read: Bad address
> Segmentation fault
>
> Conclusion: The patch for CVE-2019-15679 already fixes CVE-2022-23967.
> In Debian all versions starting from 1:1.3.9-9.1 including 1:1.3.9-9+deb9u1 and 1:1.3.9-9+deb10u1 are not vulnerable to CVE-2022-23967.
>
> I believe this bug can therefore be closed without further action. Let me know if more is needed from my side.
>
>
> --
> GPG Fingerprint 3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
--- End Message ---
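As an added illustration (not code from TightVNC, the Debian patch, or either message above), the following parses the RFB 3.3 ServerInit name-length field the way the CVE text and the "Too big desktop name length" check in the reply describe, and feeds it a constructed message carrying the 0xffffffff length. The 1 MB cap, the function names and the sample messages are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFB 3.3 ServerInit: width(2) height(2) pixel-format(16)
 * name-length(4, big-endian) name-string(name-length bytes). */
#define SERVERINIT_FIXED_LEN 24
/* Assumed cap mirroring the "> 1 MB" limit in the viewer's message above. */
#define MAX_DESKTOP_NAME_LEN (1024u * 1024u)

static uint32_t read_u32_be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hardened parse: malloc'd NUL-terminated name, or NULL if the message is
 * short or the length field is rejected. Caller frees the result. */
char *parse_server_init_name(const uint8_t *msg, size_t msg_len) {
    if (msg_len < SERVERINIT_FIXED_LEN) return NULL;
    uint32_t name_len = read_u32_be(msg + 20);
    /* The unpatched viewer trusted name_len: with 0xffffffff the allocation
     * size wrapped to 0 and the following read overflowed the tiny chunk. */
    if (name_len > MAX_DESKTOP_NAME_LEN) {
        fprintf(stderr, "Too big desktop name length sent by server: %u B > 1 MB\n", name_len);
        return NULL;
    }
    if (msg_len - SERVERINIT_FIXED_LEN < name_len) return NULL; /* truncated */
    char *name = malloc((size_t)name_len + 1);
    if (name == NULL) return NULL;
    memcpy(name, msg + SERVERINIT_FIXED_LEN, name_len);
    name[name_len] = '\0';
    return name;
}

/* Constructed messages below are not captured from any real server. */
int benign_name_accepted(void) {            /* 1 when "hello" is returned */
    uint8_t msg[SERVERINIT_FIXED_LEN + 5] = {0};
    msg[23] = 5; memcpy(msg + 24, "hello", 5);
    char *name = parse_server_init_name(msg, sizeof msg);
    int ok = name != NULL && strcmp(name, "hello") == 0;
    free(name);
    return ok;
}
int hostile_length_rejected(void) {         /* 1 when 0xffffffff is refused */
    uint8_t msg[SERVERINIT_FIXED_LEN] = {0};
    memset(msg + 20, 0xff, 4);              /* name-length = 0xffffffff */
    return parse_server_init_name(msg, sizeof msg) == NULL;
}
```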