Your message dated Mon, 15 Jun 2020 19:02:26 +0000 with message-id <e1jkung-0006bi...@fasolo.debian.org> and subject line Bug#945827: fixed in ssvnc 1.0.29-3+deb9u1 has caused the Debian Bug report #945827, regarding ssvnc: fix libvncclient bundle security issues to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
945827: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945827
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ssvnc
Severity: grave
X-Debbugs-CC: t...@security.debian.org
Version: 1.0.29-4
Tags: security patch

The following vulnerabilities have recently been discovered in ssvnc's bundled (and rather old) version of libvncclient code:

CVE-2018-20020[0]:
| LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains
| heap out-of-bound write vulnerability inside structure in VNC client
| code that can result remote code execution

CVE-2018-20021[1]:
| LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains
| a CWE-835: Infinite loop vulnerability in VNC client code.
| Vulnerability allows attacker to consume excessive amount of resources
| like CPU and RAM

CVE-2018-20022[2]:
| LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains
| multiple weaknesses CWE-665: Improper Initialization vulnerability in
| VNC client code that allows attacker to read stack memory and can be
| abuse for information disclosure. Combined with another vulnerability,
| it can be used to leak stack memory layout and in bypassing ASLR

CVE-2018-20024[3]:
| LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains
| null pointer dereference in VNC client code that can result DoS.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

As I have worked on a fix for these issues for ssvnc in Debian jessie LTS (with my LTS team member hat on, that is), I have attached the proposed .debdiff (that applies against ssvnc 1.0.29-2) to this mail. It should be easy to forward-port the security fixes to ssvnc in stretch, buster and testing/unstable.

Regarding the upload to jessie LTS, please let me know if I can proceed with the upload asap or if you want to take a closer look at the proposed changeset.
Thanks.

Regards,
Mike

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-20020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20020
[1] https://security-tracker.debian.org/tracker/CVE-2018-20021
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20021
[2] https://security-tracker.debian.org/tracker/CVE-2018-20022
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20022
[3] https://security-tracker.debian.org/tracker/CVE-2018-20024
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20024

-- 
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

diff -Nru ssvnc-1.0.29/debian/changelog ssvnc-1.0.29/debian/changelog
--- ssvnc-1.0.29/debian/changelog 2011-11-11 08:11:09.000000000 +0100
+++ ssvnc-1.0.29/debian/changelog 2019-11-29 12:15:33.000000000 +0100
@@ -1,3 +1,15 @@ +ssvnc (1.0.29-2+deb8u1) jessie-security; urgency=medium + + * Non-maintainer upload by the LTS team. + * Porting of libvncclient security patches: + - CVE-2018-20020: heap out-of-bound write vulnerability inside structure + in VNC client code. + - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code. + - CVE-2018-20022: CWE-665: Improper Initialization vulnerability. + - CVE-2018-20024: null pointer dereference that can result DoS. + + -- Mike Gabriel <sunwea...@debian.org> Fri, 29 Nov 2019 12:15:33 +0100 + ssvnc (1.0.29-2) unstable; urgency=low * Also get CPPFLAGS from dpkg-buildflags. Pass it as EXTRA_DEFINES to diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch --- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch 1970-01-01 01:00:00.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch 2019-11-29 12:15:33.000000000 +0100 
@@ -0,0 +1,22 @@ +Description: CVE-2018-20020 + heap out-of-bound write vulnerability inside structure in VNC client code that + can result remote code execution +--- + +Author: Abhijith PA <abhij...@debian.org> +Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d +Bug: https://github.com/LibVNC/libvncserver/issues/250 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/vnc_unixsrc/vncviewer/corre.c ++++ b/vnc_unixsrc/vncviewer/corre.c +@@ -76,7 +76,7 @@ + FillRectangle(rx, ry, rw, rh, gcv.foreground); + #endif + +- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) ++ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) + return False; + + ptr = (CARD8 *)buffer; diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch --- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch 1970-01-01 01:00:00.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch 2019-11-29 11:44:25.000000000 +0100 
@@ -0,0 +1,22 @@ +Description: CVE-2018-20021 + CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows + attacker to consume excessive amount of resources like CPU and RAM +--- + +Author: Abhijith PA <abhij...@debian.org> +Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c +Bug: https://github.com/LibVNC/libvncserver/issues/251 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/vnc_unixsrc/vncviewer/rfbproto.c ++++ b/vnc_unixsrc/vncviewer/rfbproto.c +@@ -3156,7 +3156,7 @@ + if (db) fprintf(stderr, "Raw: %dx%d+%d+%d\n", rect.r.w, rect.r.h, rect.r.x, rect.r.y); + area_raw += rect.r.w * rect.r.h; + +- while (rect.r.h > 0) { ++ while (linesToRead && rect.r.h > 0) { + if (linesToRead > rect.r.h) { + linesToRead = rect.r.h; + } diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch --- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch 1970-01-01 01:00:00.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch 2019-11-29 11:45:49.000000000 +0100 
@@ -0,0 +1,31 @@ +Description: CVE-2018-20022 + multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC + client code that allows attacker to read stack memory and can be abuse for + information disclosure. Combined with another vulnerability, it can be used + to leak stack memory layout and in bypassing ASLR +--- + +Author: Abhijith PA <abhij...@debian.org> +Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 +Bug: https://github.com/LibVNC/libvncserver/issues/252 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/vnc_unixsrc/vncviewer/rfbproto.c ++++ b/vnc_unixsrc/vncviewer/rfbproto.c +@@ -2447,6 +2447,7 @@ + } + } + ++ memset(&ke, 0, sizeof(ke)); + ke.type = rfbKeyEvent; + ke.down = down ? 1 : 0; + ke.key = Swap32IfLE(key); +@@ -2480,6 +2481,7 @@ + return True; + } + ++ memset(&cct, 0, sizeof(cct)); + cct.type = rfbClientCutText; + cct.length = Swap32IfLE((unsigned int) len); + currentMsg = rfbClientCutText; diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch --- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch 1970-01-01 01:00:00.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch 2019-11-29 11:57:19.000000000 +0100 
@@ -0,0 +1,43 @@ +Description: CVE-2018-20024 + null pointer dereference in VNC client code that can result DoS. +--- + +Author: Abhijith PA <abhij...@debian.org> +Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 +Bug: https://github.com/LibVNC/libvncserver/issues/254 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +[sunweaver] Investigate CVE-2018-20024 in ssvnc and find similar issues in zrle.c and zlib.c. + The ultra.c code that this has originally been reported against is not present in + ssvnc. + +--- a/vnc_unixsrc/vncviewer/zlib.c ++++ b/vnc_unixsrc/vncviewer/zlib.c +@@ -55,6 +55,11 @@ + raw_buffer_size = (( rw * rh ) * ( BPP / 8 )); + raw_buffer = (char*) malloc( raw_buffer_size ); + ++ if (raw_buffer == NULL) { ++ ++ return False; ++ ++ } + } + + if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader)) +--- a/vnc_unixsrc/vncviewer/zrle.c ++++ b/vnc_unixsrc/vncviewer/zrle.c +@@ -132,6 +132,12 @@ + raw_buffer_size = min_buffer_size; + raw_buffer = (char*) malloc( raw_buffer_size ); + ++ if ( raw_buffer == NULL ) { ++ ++ return False; ++ ++ } ++ + } + + if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader)) diff -Nru ssvnc-1.0.29/debian/patches/series ssvnc-1.0.29/debian/patches/series --- ssvnc-1.0.29/debian/patches/series 2011-11-11 08:11:09.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/series 2019-11-29 12:15:33.000000000 +0100 @@ -3,3 +3,7 @@ buildflags.patch nostrip.patch format-security.patch +libvncclient_CVE-2018-20020.patch +libvncclient_CVE-2018-20021.patch +libvncclient_CVE-2018-20022.patch +libvncclient_CVE-2018-20024.patchpgpELJDLqUnSk.pgp
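Review bot: in the corre.c hunk (libvncclient_CVE-2018-20020.patch) the per-subrect size `(4 + (BPP / 8))` is spelled out twice, once in the new bound and once in the read length passed to ReadFromRFBServer; pull it into a local such as `const int subrectSize = 4 + (BPP / 8);` so the limit and the read cannot drift apart, and consider logging the rejected `hdr.nSubrects` before the `return False` so a server that sends an oversized count shows up in the viewer's output instead of failing silently.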
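Review bot: in the rfbproto.c hunk of libvncclient_CVE-2018-20021.patch, `while (linesToRead && rect.r.h > 0)` stops the endless loop, but when linesToRead is 0 the loop body is simply skipped and the code after it runs as though the raw rectangle had been consumed; nothing in the hunk returns False or logs. If the rectangle's pixel bytes are then still unread on the socket (which is what a zero linesToRead suggests), the next message will be parsed out of sync. An explicit `if (linesToRead == 0) return False;` ahead of the loop would make the viewer drop a server that sends a raw rectangle too wide for its buffer rather than continue on a desynchronised stream.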
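Review bot: the two memset() calls in libvncclient_CVE-2018-20022.patch zero `ke` and `cct` right before their fields are assigned, which closes the padding leak for those two messages, but the Description speaks of "multiple weaknesses" while only these two structs are touched. Please state in the patch header whether the other client messages assembled on the stack in rfbproto.c were checked the same way (and zeroed where needed), or which ones the upstream commit covers, so the next porter does not assume the file is done.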
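Review bot: in both the zlib.c and zrle.c hunks of libvncclient_CVE-2018-20024.patch, `raw_buffer_size` is updated before the malloc() and keeps that value when the allocation fails and the function returns False, so a later call on the same connection would see a size that claims a buffer exists while `raw_buffer` is NULL. Either reset `raw_buffer_size = 0;` in the failure branch or assign the size only after a successful malloc. Also drop the blank lines inside the new `if` blocks and pick one spacing style for the two files (`if (raw_buffer == NULL)` in zlib.c versus `if ( raw_buffer == NULL )` in zrle.c).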
--- End Message ---
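An added example (my own code, not ssvnc's or libvncclient's) showing the bug class behind CVE-2018-20020 and the shape of its fix: a CoRRE sub-rectangle count arrives from the server, and the read length derived from it has to be bounded against the fixed-size receive buffer before anything is read into it. BUFFER_SIZE (kept tiny here; the real viewer's buffer is far larger), the Subrect layout, little-endian pixel decoding and the SAMPLE_WIRE bytes are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed, not ssvnc's value: small on purpose so an oversized count is easy to see. */
#define BUFFER_SIZE 64

/* One decoded CoRRE sub-rectangle: pixel value, then x, y, w, h (one byte each on the wire). */
typedef struct {
    uint32_t pixel;
    uint8_t x, y, w, h;
} Subrect;

/* Wire size of one sub-rectangle for bpp bits per pixel: the pixel plus 4 coordinate bytes. */
size_t corre_subrect_wire_size(int bpp) {
    return (size_t)bpp / 8 + 4;
}

/* Read length the unguarded code would request for a server-supplied count.
 * Before the fix this product was handed to the read with no comparison to the buffer. */
size_t corre_read_len_unchecked(uint32_t nSubrects, int bpp) {
    return (size_t)nSubrects * corre_subrect_wire_size(bpp);
}

/* The guard the fix adds: accept the count only if every sub-rectangle fits in the buffer. */
int corre_count_is_safe(uint32_t nSubrects, int bpp) {
    return nSubrects <= BUFFER_SIZE / corre_subrect_wire_size(bpp);
}

/* Hardened decoder. Copies the payload into a fixed buffer (as the viewer does) only after the
 * count has been bounded, then parses it. Returns the number of sub-rectangles decoded, or -1
 * if the count is unsafe, the input is short, or 'out' is too small. bpp must be 8, 16 or 32;
 * pixel bytes are assembled little-endian (an assumption for the example). */
int corre_decode(const uint8_t *wire, size_t wire_len, uint32_t nSubrects, int bpp,
                 Subrect *out, size_t out_cap) {
    static uint8_t buffer[BUFFER_SIZE];
    if (bpp != 8 && bpp != 16 && bpp != 32) return -1;
    if (!corre_count_is_safe(nSubrects, bpp)) return -1;
    size_t per = corre_subrect_wire_size(bpp);
    size_t need = (size_t)nSubrects * per;          /* bounded by BUFFER_SIZE from here on */
    if (need > wire_len || nSubrects > out_cap) return -1;
    memcpy(buffer, wire, need);

    const uint8_t *p = buffer;
    for (uint32_t i = 0; i < nSubrects; i++) {
        uint32_t pixel = 0;
        for (size_t b = 0; b < per - 4; b++) pixel |= (uint32_t)p[b] << (8 * b);
        p += per - 4;
        out[i].pixel = pixel;
        out[i].x = p[0]; out[i].y = p[1]; out[i].w = p[2]; out[i].h = p[3];
        p += 4;
    }
    return (int)nSubrects;
}

/* Constructed CoRRE payload for two 32-bpp sub-rectangles (not captured traffic). */
static const uint8_t SAMPLE_WIRE[] = {
    0x11, 0x22, 0x33, 0x44,  1, 2, 3, 4,   /* pixel 0x44332211 at (1,2), size 3x4 */
    0xAA, 0xBB, 0xCC, 0xDD,  5, 6, 7, 8,   /* pixel 0xDDCCBBAA at (5,6), size 7x8 */
};

int main(void) {
    Subrect rects[16];
    int n = corre_decode(SAMPLE_WIRE, sizeof SAMPLE_WIRE, 2, 32, rects, 16);
    printf("decoded %d sub-rectangles, first pixel 0x%08x at (%u,%u)\n",
           n, rects[0].pixel, rects[0].x, rects[0].y);
    /* A count of 9 at 32 bpp needs 72 bytes, more than the 64-byte buffer: the unguarded
     * read would overflow it, the guarded decoder refuses the count. */
    printf("9 subrects need %zu bytes; safe=%d\n",
           corre_read_len_unchecked(9, 32), corre_count_is_safe(9, 32));
    return 0;
}
```

The division in corre_count_is_safe rounds down, so the check is conservative: a count is accepted only when the whole payload fits, which is the same inequality the corre.c hunk uses with `BUFFER_SIZE / (4 + (BPP / 8))`.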
--- Begin Message ---
Source: ssvnc
Source-Version: 1.0.29-3+deb9u1
Done: Mike Gabriel <sunwea...@debian.org>

We believe that the bug you reported is fixed in the latest version of ssvnc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 945...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated ssvnc package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 31 May 2020 20:59:43 +0200
Source: ssvnc
Architecture: source
Version: 1.0.29-3+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Magnus Holmgren <holmg...@debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 945827
Changes:
 ssvnc (1.0.29-3+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * Porting of libvncclient security patches (Closes: #945827):
     - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
       in VNC client code.
     - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
     - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
     - CVE-2018-20024: null pointer dereference that can result DoS.
Checksums-Sha1:
 55558f3f57693db3c45eacacf09cf1fc60d6ee4c 1946 ssvnc_1.0.29-3+deb9u1.dsc
 3236fab26e43561625c1d9fa81a212a1d9975d9c 13196 ssvnc_1.0.29-3+deb9u1.debian.tar.xz
 13a59471b473e70de2a01c67b4b5d69a7ddb017c 9993 ssvnc_1.0.29-3+deb9u1_source.buildinfo
Checksums-Sha256:
 98d7f88760053e50dc9fa338bfd6ddf8319a2c02b22f123dd0c5dcfec08a5e99 1946 ssvnc_1.0.29-3+deb9u1.dsc
 cd259bc9f99d3ee0747f9dd74a5176a1322083b8f724d08da54ce9724698fb14 13196 ssvnc_1.0.29-3+deb9u1.debian.tar.xz
 4c6e3e9a298d5712b17dc8a1f52848848344f86b4354cb16e3fdbe970ee350ce 9993 ssvnc_1.0.29-3+deb9u1_source.buildinfo
Files:
 c461cf0cec91ca18789002b0e919ddea 1946 net extra ssvnc_1.0.29-3+deb9u1.dsc
 3dd3bf4f063ede8127c660489b1e9c7b 13196 net extra ssvnc_1.0.29-3+deb9u1.debian.tar.xz
 859520c6bf556a00f5a9cef43c2b790e 9993 net extra ssvnc_1.0.29-3+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAl7T/40VHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxob8P+wR+vsCJoi1guKf1dR/x5ncjSuiQ
cIwtelOxPnFG8iuk8jas/IhD+IsNfRYFVPraZAkj00lmBLKbDWftsx+IXr5rqeWW
tIC3lFg5DOLfJ5xWjhY+Lt02OL+qRIk3cZprU0Fy526N2k6Z6qn6gay4mhzg85g5
do7CU0qu5Z98S6+iX67qGQ9SJKFQyzka4Tbj93YMRttSGGnM4mnZLjuPMBiQvSfN
we6QLB2rdmUa0KJVML8hAmmOfL3u/VVMYTbFIiHD33DpVc4Td83AdXR7aOG8BfI/
Fy0UxU1+z2LMiZdD+OwWcWVRvY82fYxDJIcejpLvG4xGheVopDv3xawuYNNKWhHp
DwWJXBvkIQVvPGBVW0W0gjz7FM+OcHiBGfpy2D6WxSc/IYxLShgsd1p8NkeAPYG2
W4IuLqtU4/Fbeu7ZJvgf9vZ26wjpoSUqvhCvehKgMcPMlHsEeIisGpEM2x5pynow
fqiNebrGl0DGUj/xA/yu+FNqApkiXQok2lAJ4JyLMEppGbAAzyuKqZMXg9F6E/iU
55A7CDYTv6/M8BfBbDOLp9pBTarLZwFhjbywxlW5PFouBkZxODFAkoyAbHLxtosi
OYGqpg/U9KxECtXvjg40DN53kwJtksz+OL92gM60LjyazrRtq6eYlVEGrzI10RzU
LsOXDgJIWdooP24Z
=pe98
-----END PGP SIGNATURE-----
--- End Message ---