Bug#849479: tigervnc: CVE-2014-8240: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling
Hi,

Yes, you are right. I misread the code. Thank you very much for noticing.

// Ola

On 29 December 2016 at 06:07, Salvatore Bonaccorso wrote:
> Example, we have the following code in Image.cxx (all Debian patches
> applied):
>
>     void Image::Init(int width, int height)
>     {
>       Visual* vis = DefaultVisual(dpy, DefaultScreen(dpy));
>       trueColor = (vis->c_class == TrueColor);
>
>       xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
>                          ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
>
>       xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
>
> The referenced Red Hat patch will first validate xim->bytes_per_line
> et al.
>
> Regards,
> Salvatore

-- 
 --- Ola Lundqvist ---
/  o...@debian.org        Folkebogatan 26       \
|  o...@inguza.com        654 68 KARLSTAD       |
|  http://inguza.com/     +46 (0)70-332 1551    |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---
Bug#849479: tigervnc: CVE-2014-8240: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling
Example, we have the following code in Image.cxx (all Debian patches
applied):

    void Image::Init(int width, int height)
    {
      Visual* vis = DefaultVisual(dpy, DefaultScreen(dpy));
      trueColor = (vis->c_class == TrueColor);

      xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
                         ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);

      xim->data = (char *)malloc(xim->bytes_per_line * xim->height);

The referenced Red Hat patch will first validate xim->bytes_per_line
et al.

Regards,
Salvatore
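To make the failure in the quoted allocation concrete, here is an added example. It is not TigerVNC code and not the Red Hat patch: it shows the int product bytes_per_line * height as the quoted line computes it, with the 32-bit wraparound made explicit, beside a checked version that refuses to allocate when the product does not fit in an int. The functions take the two ints directly, on the assumption (true of Xlib's XImage) that both fields are int; the dimensions in main() are constructed for the demonstration, and the RFB rectangle header carries width and height as 16-bit values, so a server can legitimately send each of them up to 65535.

```c
/* Added example, not TigerVNC's or the Red Hat patch's code: the unchecked
 * size computation quoted from Image::Init beside a checked replacement.
 * Assumption: bytes_per_line and height are int, as in Xlib's XImage. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The quoted expression bytes_per_line * height, with the 32-bit wraparound
 * made explicit. In the original both operands are int, so overflow is
 * undefined behaviour; on common compilers it simply wraps, and the wrapped,
 * far-too-small value is what reaches malloc. */
static int wrapped_image_size(int bytes_per_line, int height)
{
    return (int)((uint32_t)bytes_per_line * (uint32_t)height);
}

/* Checked replacement: rejects non-positive dimensions and any product that
 * does not fit in an int. Returns the byte count, or -1 when the buffer must
 * not be allocated. The bound is INT_MAX rather than SIZE_MAX because XImage
 * stores both fields as int, so any larger buffer would still be indexed with
 * int arithmetic elsewhere. */
static long long checked_image_size(int bytes_per_line, int height)
{
    if (bytes_per_line <= 0 || height <= 0)
        return -1;
    long long size = (long long)bytes_per_line * (long long)height;
    if (size > INT_MAX)
        return -1;
    return size;
}

/* Allocate the pixel buffer only when the size passes the check; NULL
 * otherwise, so the caller fails the update instead of writing past a
 * too-small buffer. */
static char *alloc_image_data(int bytes_per_line, int height)
{
    long long size = checked_image_size(bytes_per_line, height);
    if (size < 0)
        return NULL;
    return malloc((size_t)size);
}

int main(void)
{
    /* Constructed dimensions: a 32768-pixel-wide line at 4 bytes per pixel
     * (131072 bytes) by 32769 rows. The true size is 4 GiB + 128 KiB; the
     * int product wraps to 131072, so the original malloc hands back a
     * 128 KiB buffer that is then filled as if it held the whole image. */
    int bpl = 131072, h = 32769;
    printf("wrapped int product : %d bytes\n", wrapped_image_size(bpl, h));
    printf("checked size        : %lld\n", checked_image_size(bpl, h));
    printf("sane 1024x768x4     : %lld\n", checked_image_size(4096, 768));
    char *data = alloc_image_data(bpl, h);
    printf("allocation          : %s\n", data ? "buffer" : "refused");
    free(data);
    return 0;
}
```

The check is deliberately stricter than "fits in size_t": on a 64-bit host the real product would fit in size_t, but the int fields and the int arithmetic around them would still be working with a truncated value, so the only safe answer is to refuse the size.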
Bug#849479: tigervnc: CVE-2014-8240: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling
Source: tigervnc
Version: 1.6.0+dfsg-4
Severity: grave
Tags: security patch upstream
Justification: user security hole

Hi,

the following vulnerability was published for tigervnc.

CVE-2014-8240[0]:
| Integer overflow in TigerVNC allows remote VNC servers to cause a
| denial of service (crash) and possibly execute arbitrary code via
| vectors related to screen size handling, which triggers a heap-based
| buffer overflow, a similar issue to CVE-2014-6051.

More details are in the Red Hat bug[1] which includes a patch[2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8240
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8240
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1151307
[2] https://bugzilla.redhat.com/attachment.cgi?id=947578

Regards,
Salvatore