Your message dated Mon, 15 Jun 2020 19:02:26 +0000
with message-id <e1jkung-0006bi...@fasolo.debian.org>
and subject line Bug#945827: fixed in ssvnc 1.0.29-3+deb9u1
has caused the Debian Bug report #945827,
regarding ssvnc: fix libvncclient bundle security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
945827: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945827
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ssvnc
Severity: grave
X-Debbugs-CC: t...@security.debian.org
Version: 1.0.29-4
Tags: security patch

The following vulnerabilities have recently been discovered in ssvnc's bundled (and rather old) version of libvncclient code:

CVE-2018-20020[0]:
| LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains
| a heap out-of-bound write vulnerability inside a structure in VNC client
| code that can result in remote code execution

CVE-2018-20021[1]:
| LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains
| a CWE-835: Infinite loop vulnerability in VNC client code. The
| vulnerability allows an attacker to consume excessive amounts of resources
| like CPU and RAM

CVE-2018-20022[2]:
| LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains
| multiple weaknesses: a CWE-665: Improper Initialization vulnerability in
| VNC client code that allows an attacker to read stack memory and can be
| abused for information disclosure. Combined with another vulnerability,
| it can be used to leak the stack memory layout and to bypass ASLR

CVE-2018-20024[3]:
| LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains
| a null pointer dereference in VNC client code that can result in DoS.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

As I have worked on a fix for these issues for ssvnc in Debian jessie LTS (with my LTS team member hat on, that is), I have attached the proposed .debdiff (that applies against ssvnc 1.0.29-2) to this mail. It should be easy to forward-port the security fixes to ssvnc in stretch, buster and testing/unstable.

Regarding the upload to jessie LTS, please let me know if I can proceed with the upload ASAP or if you want to take a closer look at the proposed changeset. Thanks.

Regards,

Mike

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20020
[1] https://security-tracker.debian.org/tracker/CVE-2018-20021
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20021
[2] https://security-tracker.debian.org/tracker/CVE-2018-20022
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20022
[3] https://security-tracker.debian.org/tracker/CVE-2018-20024
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20024


--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

diff -Nru ssvnc-1.0.29/debian/changelog ssvnc-1.0.29/debian/changelog
--- ssvnc-1.0.29/debian/changelog       2011-11-11 08:11:09.000000000 +0100
+++ ssvnc-1.0.29/debian/changelog       2019-11-29 12:15:33.000000000 +0100
@@ -1,3 +1,15 @@
+ssvnc (1.0.29-2+deb8u1) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the LTS team.
+  * Porting of libvncclient security patches:
+    - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+      in VNC client code.
+    - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+    - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+    - CVE-2018-20024: null pointer dereference that can result DoS.
+
+ -- Mike Gabriel <sunwea...@debian.org>  Fri, 29 Nov 2019 12:15:33 +0100
+
 ssvnc (1.0.29-2) unstable; urgency=low
 
   * Also get CPPFLAGS from dpkg-buildflags. Pass it as EXTRA_DEFINES to
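Review bot: the new 1.0.29-2+deb8u1 changelog entry does not close a bug report, unlike the stretch upload later in this thread ("Porting of libvncclient security patches (Closes: #945827):"); since this debdiff is attached to #945827, add "(Closes: #945827)" to the "Porting of libvncclient security patches:" line before uploading so the BTS records the jessie fix as well. The bullet texts are copied from the CVE descriptions, so the grammar slips come along ("can result DoS"); "can result in DoS" reads better in a changelog.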
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch       
1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch       
2019-11-29 12:15:33.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20020
+ heap out-of-bound write vulnerability inside structure in VNC client code that
+ can result remote code execution
+---
+
+Author: Abhijith PA <abhij...@debian.org>
+Origin: 
https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/corre.c
++++ b/vnc_unixsrc/vncviewer/corre.c
+@@ -76,7 +76,7 @@
+     FillRectangle(rx, ry, rw, rh, gcv.foreground);
+ #endif
+ 
+-    if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++    if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || 
!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+       return False;
+ 
+     ptr = (CARD8 *)buffer;
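Review bot: the `hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8))` guard is evaluated before the bulk ReadFromRFBServer into `buffer`, which is the right order, but the added line appears wrapped after `||` in this mail; make sure the file under debian/patches carries it as a single line, otherwise quilt will reject the hunk. The bound is only as good as the constant it uses, so confirm that BUFFER_SIZE is the actual allocated size of `buffer` in ssvnc's vncviewer tree rather than a different limit inherited from the upstream layout.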
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch       
1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch       
2019-11-29 11:44:25.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20021
+ CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows
+ attacker to consume excessive amount of resources like CPU and RAM
+---
+
+Author: Abhijith PA <abhij...@debian.org>
+Origin: 
https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
+Bug: https://github.com/LibVNC/libvncserver/issues/251
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/rfbproto.c
++++ b/vnc_unixsrc/vncviewer/rfbproto.c
+@@ -3156,7 +3156,7 @@
+                       if (db) fprintf(stderr, "Raw:     %dx%d+%d+%d\n", 
rect.r.w, rect.r.h, rect.r.x, rect.r.y);
+                       area_raw += rect.r.w * rect.r.h;
+ 
+-                      while (rect.r.h > 0) {
++                      while (linesToRead && rect.r.h > 0) {
+                               if (linesToRead > rect.r.h) {
+                                       linesToRead = rect.r.h;
+                               }
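Review bot: the added `linesToRead &&` condition stops the loop in the case where no progress can be made per iteration, but the hunk does not show where linesToRead is computed; confirm it is derived from the buffer size divided by the rectangle width (so it is zero for a zero-width or oversized rectangle, the situation in which rect.r.h previously never decreased) and that the loop body really subtracts linesToRead from rect.r.h. Consider returning False instead of merely leaving the loop, so the caller drops the malformed update rather than continuing with a partially read framebuffer.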
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch       
1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch       
2019-11-29 11:45:49.000000000 +0100
@@ -0,0 +1,31 @@
+Description: CVE-2018-20022
+ multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC
+ client code that allows attacker to read stack memory and can be abuse for
+ information disclosure. Combined with another vulnerability, it can be used
+ to leak stack memory layout and in bypassing ASLR
+---
+
+Author: Abhijith PA <abhij...@debian.org>
+Origin: 
https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
+Bug: https://github.com/LibVNC/libvncserver/issues/252
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/rfbproto.c
++++ b/vnc_unixsrc/vncviewer/rfbproto.c
+@@ -2447,6 +2447,7 @@
+               }
+       }
+ 
++      memset(&ke, 0, sizeof(ke));
+       ke.type = rfbKeyEvent;
+       ke.down = down ? 1 : 0;
+       ke.key = Swap32IfLE(key);
+@@ -2480,6 +2481,7 @@
+               return True;
+       }
+ 
++      memset(&cct, 0, sizeof(cct));
+       cct.type = rfbClientCutText;
+       cct.length = Swap32IfLE((unsigned int) len);
+       currentMsg = rfbClientCutText;
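Review bot: zeroing `ke` and `cct` with memset before filling them is the right fix, since both structs are written to the socket whole and compiler padding would otherwise carry stack bytes to the server; placing the memset after the early `return True` keeps the error paths untouched. The same pattern applies to any other rfb*Msg struct in rfbproto.c that is declared on the stack and sent in full, so check the remaining Send* functions for the same treatment before treating the CVE as closed in this tree.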
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch       
1970-01-01 01:00:00.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch       
2019-11-29 11:57:19.000000000 +0100
@@ -0,0 +1,43 @@
+Description: CVE-2018-20024
+ null pointer dereference in VNC client code that can result DoS.
+---
+
+Author: Abhijith PA <abhij...@debian.org>
+Origin: 
https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7
+Bug: https://github.com/LibVNC/libvncserver/issues/254
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+[sunweaver] Investigate CVE-2018-20024 in ssvnc and find similar issues in 
zrle.c and zlib.c.
+            The ultra.c code that this has originally been reported against is 
not present in
+            ssvnc.
+
+--- a/vnc_unixsrc/vncviewer/zlib.c
++++ b/vnc_unixsrc/vncviewer/zlib.c
+@@ -55,6 +55,11 @@
+     raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+     raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++    if (raw_buffer == NULL) {
++
++      return False;
++
++    }
+   }
+ 
+   if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
+--- a/vnc_unixsrc/vncviewer/zrle.c
++++ b/vnc_unixsrc/vncviewer/zrle.c
+@@ -132,6 +132,12 @@
+               raw_buffer_size = min_buffer_size;
+               raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++              if ( raw_buffer == NULL ) {
++
++                      return False;
++
++              }
++
+       }
+ 
+       if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader))
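Review bot: returning False on malloc failure leaves raw_buffer_size already set to the new size (the `raw_buffer_size = ...` assignment precedes the malloc in both zlib.c and zrle.c) while raw_buffer is NULL; if the enclosing condition only reallocates when the requested size exceeds raw_buffer_size, the next rectangle of the same size skips allocation and dereferences the NULL buffer. Reset raw_buffer_size to 0 before returning, or assign it only after a successful malloc. The blank lines inside the new `if` blocks are a style nit; drop them to match the surrounding code.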
diff -Nru ssvnc-1.0.29/debian/patches/series ssvnc-1.0.29/debian/patches/series
--- ssvnc-1.0.29/debian/patches/series  2011-11-11 08:11:09.000000000 +0100
+++ ssvnc-1.0.29/debian/patches/series  2019-11-29 12:15:33.000000000 +0100
@@ -3,3 +3,7 @@
 buildflags.patch
 nostrip.patch
 format-security.patch
+libvncclient_CVE-2018-20020.patch
+libvncclient_CVE-2018-20021.patch
+libvncclient_CVE-2018-20022.patch
+libvncclient_CVE-2018-20024.patch

Attachment: pgpELJDLqUnSk.pgp
Description: Digital PGP signature


--- End Message ---
--- Begin Message ---
Source: ssvnc
Source-Version: 1.0.29-3+deb9u1
Done: Mike Gabriel <sunwea...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ssvnc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 945...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated ssvnc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 31 May 2020 20:59:43 +0200
Source: ssvnc
Architecture: source
Version: 1.0.29-3+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Magnus Holmgren <holmg...@debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 945827
Changes:
 ssvnc (1.0.29-3+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * Porting of libvncclient security patches (Closes: #945827):
     - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
       in VNC client code.
     - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
     - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
     - CVE-2018-20024: null pointer dereference that can result DoS.
Checksums-Sha1:
 55558f3f57693db3c45eacacf09cf1fc60d6ee4c 1946 ssvnc_1.0.29-3+deb9u1.dsc
 3236fab26e43561625c1d9fa81a212a1d9975d9c 13196 ssvnc_1.0.29-3+deb9u1.debian.tar.xz
 13a59471b473e70de2a01c67b4b5d69a7ddb017c 9993 ssvnc_1.0.29-3+deb9u1_source.buildinfo
Checksums-Sha256:
 98d7f88760053e50dc9fa338bfd6ddf8319a2c02b22f123dd0c5dcfec08a5e99 1946 ssvnc_1.0.29-3+deb9u1.dsc
 cd259bc9f99d3ee0747f9dd74a5176a1322083b8f724d08da54ce9724698fb14 13196 ssvnc_1.0.29-3+deb9u1.debian.tar.xz
 4c6e3e9a298d5712b17dc8a1f52848848344f86b4354cb16e3fdbe970ee350ce 9993 ssvnc_1.0.29-3+deb9u1_source.buildinfo
Files:
 c461cf0cec91ca18789002b0e919ddea 1946 net extra ssvnc_1.0.29-3+deb9u1.dsc
 3dd3bf4f063ede8127c660489b1e9c7b 13196 net extra ssvnc_1.0.29-3+deb9u1.debian.tar.xz
 859520c6bf556a00f5a9cef43c2b790e 9993 net extra ssvnc_1.0.29-3+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
