Bug#894045: libvncserver: CVE-2018-7225

2018-06-08 Thread Salvatore Bonaccorso
Hi Markus,

On Fri, Jun 08, 2018 at 10:46:19PM +0200, Markus Koschany wrote:
> Hi Salvatore,
> 
> Am 08.06.2018 um 22:38 schrieb Salvatore Bonaccorso:
> > Hi Markus,
> > 
> > On Tue, Jun 05, 2018 at 02:52:58PM +0200, Markus Koschany wrote:
> >> Control: tags -1 patch
> >>
> >> Dear maintainer,
> >>
> >> I've prepared a patch fixing CVE-2018-7225. I am also going to send the
> >> debdiffs for stretch and jessie to the security team.
> >>
> >> Please find attached the debdiff for sid.
> > 
> > Are you planning to upload a fix proposing an NMU (in case the maintainer
> > has no time to work on it)? I did raise the severity to RC now, given
> > Moritz has released the DSA with your updates for jessie- and
> > stretch-security.
> 
> Sure, I can do that. I just wanted to give the maintainer some time but
> I can upload the fix at the weekend.

Sure, there is no pressure.

Regards,
Salvatore



Bug#894045: libvncserver: CVE-2018-7225

2018-06-08 Thread Markus Koschany
Hi Salvatore,

Am 08.06.2018 um 22:38 schrieb Salvatore Bonaccorso:
> Hi Markus,
> 
> On Tue, Jun 05, 2018 at 02:52:58PM +0200, Markus Koschany wrote:
>> Control: tags -1 patch
>>
>> Dear maintainer,
>>
>> I've prepared a patch fixing CVE-2018-7225. I am also going to send the
>> debdiffs for stretch and jessie to the security team.
>>
>> Please find attached the debdiff for sid.
> 
> Are you planning to upload a fix proposing an NMU (in case the maintainer
> has no time to work on it)? I did raise the severity to RC now, given
> Moritz has released the DSA with your updates for jessie- and
> stretch-security.

Sure, I can do that. I just wanted to give the maintainer some time but
I can upload the fix at the weekend.

Cheers,

Markus





Bug#894045: libvncserver: CVE-2018-7225

2018-06-08 Thread Salvatore Bonaccorso
Hi Markus,

On Tue, Jun 05, 2018 at 02:52:58PM +0200, Markus Koschany wrote:
> Control: tags -1 patch
> 
> Dear maintainer,
> 
> I've prepared a patch fixing CVE-2018-7225. I am also going to send the
> debdiffs for stretch and jessie to the security team.
> 
> Please find attached the debdiff for sid.

Are you planning to upload a fix proposing an NMU (in case the maintainer
has no time to work on it)? I did raise the severity to RC now, given
Moritz has released the DSA with your updates for jessie- and
stretch-security.

Regards,
Salvatore



Bug#894045: libvncserver: CVE-2018-7225

2018-06-05 Thread Markus Koschany
Control: tags -1 patch

Dear maintainer,

I've prepared a patch fixing CVE-2018-7225. I am also going to send the
debdiffs for stretch and jessie to the security team.

Please find attached the debdiff for sid.

Regards,

Markus
diff -Nru libvncserver-0.9.11+dfsg/debian/changelog 
libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog   2017-01-03 11:50:27.0 
+0100
+++ libvncserver-0.9.11+dfsg/debian/changelog   2018-06-05 14:43:47.0 
+0200
@@ -1,3 +1,12 @@
+libvncserver (0.9.11+dfsg-1+deb9u1) stretch-security; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be
+accessed by remote attackers because the msg.cct.length in rfbserver.c was
+not sanitized. (Closes: #894045)
+
+ -- Markus Koschany   Tue, 05 Jun 2018 14:43:47 +0200
+
 libvncserver (0.9.11+dfsg-1) unstable; urgency=high
 
   * New upstream release, containing security fixes for
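Review bot: the new changelog stanza targets stretch-security with version 0.9.11+dfsg-1+deb9u1, while the message body says this is the debdiff for sid; an NMU to unstable would instead carry a 0.9.11+dfsg-1.1 revision and the distribution unstable, so either attach the sid debdiff or adjust the stanza before the upload. Otherwise the entry has what is needed: the CVE id in the text, as the bug report asked for, and the `(Closes: #894045)` reference.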
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-7225.patch 
libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-7225.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-7225.patch 1970-01-01 
01:00:00.0 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-7225.patch 2018-06-05 
14:43:47.0 +0200
@@ -0,0 +1,48 @@
+From: Markus Koschany 
+Date: Tue, 5 Jun 2018 14:42:36 +0200
+Subject: CVE-2018-7225
+
+Bug-Debian: https://bugs.debian.org/894045
+Origin: 
https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee
+---
+ libvncserver/rfbserver.c | 20 +++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index bc9cc11..08563c7 100644
+--- a/libvncserver/rfbserver.c
 b/libvncserver/rfbserver.c
+@@ -85,6 +85,8 @@
+ #include 
+ /* strftime() */
+ #include 
++/* PRIu32 */
++#include 
+ 
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ #include "rfbssl.h"
+@@ -2577,7 +2579,23 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
+ 
+   msg.cct.length = Swap32IfLE(msg.cct.length);
+ 
+-  str = (char *)malloc(msg.cct.length);
++  /* uint32_t input is passed to malloc()'s size_t argument,
++   * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++   * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s 
int
++   * argument. Here we impose a limit of 1 MB so that the value fits
++   * into all of the types to prevent from misinterpretation and thus
++   * from accessing uninitialized memory (CVE-2018-7225) and also to
++   * prevent from a denial-of-service by allocating to much memory in
++   * the server. */
++  if (msg.cct.length > 1<<20) {
++  rfbLog("rfbClientCutText: too big cut text length requested: %" 
PRIu32 "\n",
++  msg.cct.length);
++  rfbCloseClient(cl);
++  return;
++  }
++
++  /* Allow zero-length client cut text. */
++  str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+   if (str == NULL) {
+   rfbLogPerror("rfbProcessClientNormalMessage: not enough 
memory");
+   rfbCloseClient(cl);
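Review bot: the new-file header inside the embedded patch shows ` b/libvncserver/rfbserver.c` without its `+++` prefix (the line right after `+--- a/libvncserver/rfbserver.c`); if that is how the file is on disk rather than an artifact of the mail, the patch will not apply, so please confirm that `debian/patches/CVE-2018-7225.patch` still applies cleanly with `quilt push -a` before uploading. The check itself is sound: it runs after `Swap32IfLE()`, so the host-order value is compared, and `1<<20` is far below `INT_MAX`, so the length handed on to the `int` parameters named in the comment can no longer go negative, while `calloc()` guarantees the buffer is zeroed even if a later read is short. Two wording nits in the comment, which is imported verbatim from the Origin commit: `increased of` should read `increased by` and `allocating to much memory` should read `too much`.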
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series 
libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series  2017-01-03 
11:50:27.0 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/series  2018-06-05 
14:43:47.0 +0200
@@ -1,2 +1,3 @@
 remove-libpng.patch
 0001-ignore_webclients.patch
+CVE-2018-7225.patch




Bug#894045: libvncserver: CVE-2018-7225

2018-03-25 Thread Salvatore Bonaccorso
Source: libvncserver
Version: 0.9.11+dfsg-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/LibVNC/libvncserver/issues/218

Hi,

the following vulnerability was published for libvncserver.

CVE-2018-7225[0]:
| An issue was discovered in LibVNCServer through 0.9.11.
| rfbProcessClientNormalMessage() in rfbserver.c does not sanitize
| msg.cct.length, leading to access to uninitialized and potentially
| sensitive data or possibly unspecified other impact (e.g., an integer
| overflow) via specially crafted VNC packets.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7225
[1] https://github.com/LibVNC/libvncserver/issues/218

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
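As an added illustration (not code from this thread or from libvncserver), the length check the patch above introduces, written stand-alone so it can be compiled and tested: `cut_text_length_ok` and the other names are hypothetical, the header layout follows the RFB ClientCutText message, and the 1 MiB cap is the one the patch uses.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Cap from the patch: 1 MiB of client cut text (1<<20). */
#define CUT_TEXT_MAX_LEN ((uint32_t)1 << 20)

/* RFB ClientCutText header: type (6), 3 bytes padding, length as a
 * big-endian U32; the server's Swap32IfLE() converts that field to host
 * order. The header is therefore 8 bytes long. */
enum { CUT_TEXT_TYPE = 6, CUT_TEXT_HEADER_LEN = 8 };

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* What an unchecked uint32_t length becomes once it reaches an int
 * parameter such as rfbReadExact()'s: on every mainstream ABI any value
 * of 2^31 or more turns negative, the misinterpretation the patch's
 * comment warns about. (Implementation-defined before C23.) */
int length_as_int(uint32_t len)
{
    return (int)len;
}

/* Hypothetical helper: validate a ClientCutText header the way the patch
 * validates msg.cct.length. Returns 1 and stores the length when the
 * message may be read; returns 0 when the server should close the client. */
int cut_text_length_ok(const unsigned char *hdr, size_t hdr_len,
                       uint32_t *out_len)
{
    if (hdr_len < CUT_TEXT_HEADER_LEN || hdr[0] != CUT_TEXT_TYPE)
        return 0;
    uint32_t len = read_be32(hdr + 4);
    if (len > CUT_TEXT_MAX_LEN)
        return 0;              /* patch: rfbLog() + rfbCloseClient() */
    *out_len = len;
    return 1;
}

/* Receive buffer as the patch allocates it: zero-filled, and at least one
 * byte so a zero-length cut text is still accepted. */
char *alloc_cut_text(uint32_t len)
{
    return (char *)calloc(len ? len : 1, 1);
}
```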