Bug#849479: tigervnc: CVE-2014-8240: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling

2016-12-29 Thread Ola Lundqvist
Hi

Yes you are right. I misread the code. Thank you very much for noticing.

// Ola

On 29 December 2016 at 06:07, Salvatore Bonaccorso  wrote:
> Example, we have the following code in Image.cxx (all Debian patches
> applied):
>
>   void Image::Init(int width, int height)
>   {
>     Visual* vis = DefaultVisual(dpy, DefaultScreen(dpy));
>     trueColor = (vis->c_class == TrueColor);
>
>     xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
>                        ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
>
>     xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
>
> The referenced Red Hat patch will first validate xim->bytes_per_line
> et al.
>
> Regards,
> Salvatore



-- 
 - Ola Lundqvist ---
/  o...@debian.org Folkebogatan 26  \
|  o...@inguza.com  654 68 KARLSTAD  |
|  http://inguza.com/  +46 (0)70-332 1551   |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---



Bug#849479: tigervnc: CVE-2014-8240: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling

2016-12-28 Thread Salvatore Bonaccorso
Example, we have the following code in Image.cxx (all Debian patches
applied):

  void Image::Init(int width, int height)
  {
    Visual* vis = DefaultVisual(dpy, DefaultScreen(dpy));
    trueColor = (vis->c_class == TrueColor);

    xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
                       ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);

    xim->data = (char *)malloc(xim->bytes_per_line * xim->height);

The referenced Red Hat patch will first validate xim->bytes_per_line
et al.

Regards,
Salvatore
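As an added example (my own code, not from the bug report, TigerVNC or the Red Hat patch): the size computation behind the malloc() quoted above, with the overflow check a fixed Image::Init needs, next to a constructed pair of dimensions showing how the unchecked int product wraps to a buffer far smaller than the image. Function names are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical checked version of the size Image::Init passes to malloc():
 * bytes_per_line * height, but only if both are positive and the product
 * fits in an int (the unchecked code computes it as int). Returns 0 on
 * overflow or bad input; a valid image size is never 0. */
size_t image_data_size(int bytes_per_line, int height)
{
    if (bytes_per_line <= 0 || height <= 0)
        return 0;                         /* reject zero/negative dimensions */
    if (bytes_per_line > INT_MAX / height)
        return 0;                         /* product would overflow int: CVE-2014-8240 */
    return (size_t)bytes_per_line * (size_t)height;
}

/* What the unchecked expression wraps to on a 32-bit int, computed in
 * unsigned arithmetic so the illustration itself has no undefined behaviour. */
unsigned int wrapped_size(int bytes_per_line, int height)
{
    return (unsigned int)bytes_per_line * (unsigned int)height;
}

/* Allocation that refuses to hand back a short buffer: NULL instead. */
char *alloc_image_data(int bytes_per_line, int height)
{
    size_t n = image_data_size(bytes_per_line, height);
    return n ? malloc(n) : NULL;
}

int main(void)
{
    /* Constructed dimensions: bytes_per_line 262144 (a 65536-pixel row at
     * 32 bpp) and height 16385 give 2^32 + 262144, which wraps to 262144,
     * i.e. one row's worth of memory for a 16385-row image. */
    int bpl = 262144, h = 16385;
    printf("checked size : %zu (0 = rejected)\n", image_data_size(bpl, h));
    printf("wrapped size : %u bytes\n", wrapped_size(bpl, h));
    printf("sane 1024x768 at 1 byte/px: %zu\n", image_data_size(1024, 768));
    return 0;
}
```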



Bug#849479: tigervnc: CVE-2014-8240: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling

2016-12-27 Thread Salvatore Bonaccorso
Source: tigervnc
Version: 1.6.0+dfsg-4
Severity: grave
Tags: security patch upstream
Justification: user security hole

Hi,

the following vulnerability was published for tigervnc.

CVE-2014-8240[0]:
| Integer overflow in TigerVNC allows remote VNC servers to cause a
| denial of service (crash) and possibly execute arbitrary code via
| vectors related to screen size handling, which triggers a heap-based
| buffer overflow, a similar issue to CVE-2014-6051.

More details are in the Red Hat bug[1] which includes a patch[2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8240
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8240
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1151307
[2] https://bugzilla.redhat.com/attachment.cgi?id=947578

Regards,
Salvatore