Bug#894045: libvncserver: CVE-2018-7225
Hi Markus,

On Fri, Jun 08, 2018 at 10:46:19PM +0200, Markus Koschany wrote:
> Hi Salvatore,
>
> On 08.06.2018 at 22:38, Salvatore Bonaccorso wrote:
> > Hi Markus,
> >
> > On Tue, Jun 05, 2018 at 02:52:58PM +0200, Markus Koschany wrote:
> >> Control: tags -1 patch
> >>
> >> Dear maintainer,
> >>
> >> I've prepared a patch fixing CVE-2018-7225. I am also going to send the
> >> debdiffs for stretch and jessie to the security team.
> >>
> >> Please find attached the debdiff for sid.
> >
> > Are you planning to upload a fix proposing an NMU (in case the maintainer
> > has no time to work on it)? I did raise the severity to RC now, given
> > Moritz has released the DSA with your updates for jessie- and
> > stretch-security.
>
> Sure, I can do that. I just wanted to give the maintainer some time but
> I can upload the fix at the weekend.

Sure, there is no pressure.

Regards,
Salvatore
Bug#894045: libvncserver: CVE-2018-7225
Hi Salvatore,

On 08.06.2018 at 22:38, Salvatore Bonaccorso wrote:
> Hi Markus,
>
> On Tue, Jun 05, 2018 at 02:52:58PM +0200, Markus Koschany wrote:
>> Control: tags -1 patch
>>
>> Dear maintainer,
>>
>> I've prepared a patch fixing CVE-2018-7225. I am also going to send the
>> debdiffs for stretch and jessie to the security team.
>>
>> Please find attached the debdiff for sid.
>
> Are you planning to upload a fix proposing an NMU (in case the maintainer
> has no time to work on it)? I did raise the severity to RC now, given
> Moritz has released the DSA with your updates for jessie- and
> stretch-security.

Sure, I can do that. I just wanted to give the maintainer some time but
I can upload the fix at the weekend.

Cheers,
Markus
Bug#894045: libvncserver: CVE-2018-7225
Hi Markus,

On Tue, Jun 05, 2018 at 02:52:58PM +0200, Markus Koschany wrote:
> Control: tags -1 patch
>
> Dear maintainer,
>
> I've prepared a patch fixing CVE-2018-7225. I am also going to send the
> debdiffs for stretch and jessie to the security team.
>
> Please find attached the debdiff for sid.

Are you planning to upload a fix proposing an NMU (in case the maintainer
has no time to work on it)? I did raise the severity to RC now, given
Moritz has released the DSA with your updates for jessie- and
stretch-security.

Regards,
Salvatore
Bug#894045: libvncserver: CVE-2018-7225
Control: tags -1 patch

Dear maintainer,

I've prepared a patch fixing CVE-2018-7225. I am also going to send the
debdiffs for stretch and jessie to the security team.

Please find attached the debdiff for sid.

Regards,
Markus

diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog --- libvncserver-0.9.11+dfsg/debian/changelog 2017-01-03 11:50:27.0 +0100 +++ libvncserver-0.9.11+dfsg/debian/changelog 2018-06-05 14:43:47.0 +0200 @@ -1,3 +1,12 @@ +libvncserver (0.9.11+dfsg-1+deb9u1) stretch-security; urgency=high + + * Non-maintainer upload. + * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be +accessed by remote attackers because the msg.cct.length in rfbserver.c was +not sanitized. (Closes: #894045) + + -- Markus Koschany Tue, 05 Jun 2018 14:43:47 +0200 + libvncserver (0.9.11+dfsg-1) unstable; urgency=high * New upstream release, containing security fixes for diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-7225.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-7225.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-7225.patch 1970-01-01 01:00:00.0 +0100 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-7225.patch 2018-06-05 14:43:47.0 +0200
@@ -0,0 +1,48 @@ +From: Markus Koschany +Date: Tue, 5 Jun 2018 14:42:36 +0200 +Subject: CVE-2018-7225 + +Bug-Debian: https://bugs.debian.org/894045 +Origin: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee +--- + libvncserver/rfbserver.c | 20 +++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index bc9cc11..08563c7 100644 +--- a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +@@ -85,6 +85,8 @@ + #include + /* strftime() */ + #include ++/* PRIu32 */ ++#include + + #ifdef LIBVNCSERVER_WITH_WEBSOCKETS + #include "rfbssl.h" +@@ -2577,7 +2579,23 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) + + msg.cct.length = Swap32IfLE(msg.cct.length); + +- str = (char *)malloc(msg.cct.length); ++ /* uint32_t input is passed to malloc()'s size_t argument, ++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int ++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int ++ * argument. Here we impose a limit of 1 MB so that the value fits ++ * into all of the types to prevent from misinterpretation and thus ++ * from accessing uninitialized memory (CVE-2018-7225) and also to ++ * prevent from a denial-of-service by allocating to much memory in ++ * the server. */ ++ if (msg.cct.length > 1<<20) { ++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", ++ msg.cct.length); ++ rfbCloseClient(cl); ++ return; ++ } ++ ++ /* Allow zero-length client cut text. */ ++ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1); + if (str == NULL) { + rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); + rfbCloseClient(cl); diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series --- libvncserver-0.9.11+dfsg/debian/patches/series 2017-01-03 11:50:27.0 +0100 +++ libvncserver-0.9.11+dfsg/debian/patches/series 2018-06-05 14:43:47.0 +0200 
@@ -1,2 +1,3 @@ remove-libpng.patch 0001-ignore_webclients.patch +CVE-2018-7225.patch
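Review bot: the changelog hunk does not match the upload the mail describes: it is versioned 0.9.11+dfsg-1+deb9u1 and targets stretch-security, while the message says this is the debdiff for sid, where an NMU would carry an unstable entry and a version such as 0.9.11+dfsg-1.1. Either attach the sid debdiff or label this one as the stretch-security update; the entry itself is otherwise in order, naming the CVE and closing #894045 as the bug report asks.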
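Review bot: in the first rfbserver.c hunk the added line reads `++#include` with no header name, as do the two pre-existing include lines above it, so the names were evidently dropped by the archive rendering (angle brackets read as tags). PRIu32 is declared in <inttypes.h>; confirm that the patch file in the debdiff actually reads `#include <inttypes.h>` and that the rfbLog() format in the next hunk builds on both jessie and stretch rather than relying on a transitive include.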
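Review bot: the new check in the rfbClientCutText hunk uses the bare literal `1<<20`; a named constant would make the limit visible to the other consumers of the length that the comment lists (rfbReadExact, rfbStatRecordMessageRcvd, setXCutText). The comment also has a typo: "allocating to much memory" should read "too much". The logic is right: with the length capped at 1 MiB before any conversion it cannot turn negative in the int parameters or wrap in size_t, and calloc() means a zero-length or short-read buffer no longer carries stale heap contents to setXCutText; returning after rfbCloseClient() without draining the message on the oversize path is fine since the connection is dropped.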
Bug#894045: libvncserver: CVE-2018-7225
Source: libvncserver
Version: 0.9.11+dfsg-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/LibVNC/libvncserver/issues/218

Hi,

the following vulnerability was published for libvncserver.

CVE-2018-7225[0]:
| An issue was discovered in LibVNCServer through 0.9.11.
| rfbProcessClientNormalMessage() in rfbserver.c does not sanitize
| msg.cct.length, leading to access to uninitialized and potentially
| sensitive data or possibly unspecified other impact (e.g., an integer
| overflow) via specially crafted VNC packets.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7225
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7225
[1] https://github.com/LibVNC/libvncserver/issues/218

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
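The bug report above describes a length field that reaches malloc() and int-typed callees without ever being bounded. The following C program is an added example, not LibVNCServer's code: it models that path with an in-memory client, runs a crafted ClientCutText message whose declared length is 2^31 through an unchecked handler and a bounded one, and shows why the narrowing to int makes the unchecked read report success without touching the buffer. The names client_t, read_exact, parse_cut_text_header, handle_cut_text_vulnerable, handle_cut_text_fixed and make_client are hypothetical; the wire layout is assumed from the RFB ClientCutText message, and the 1 MiB cap mirrors the upstream fix.

```c
/* Added example, not LibVNCServer code: a minimal model of the ClientCutText
 * length handling behind CVE-2018-7225. The wire layout (type 6, three pad
 * bytes, big-endian u32 length, then the text) follows the RFB ClientCutText
 * message; every function and type name here is hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CUT_TEXT_LEN (1u << 20)   /* 1 MiB, the cap the upstream fix imposes */

/* In-memory stand-in for the client socket. */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;
} client_t;

/* Models an int-taking "read exactly n bytes" helper. A negative n means the
 * loop never runs, so the call reports success having read nothing. */
static int read_exact(client_t *cl, char *dst, int n) {
    while (n > 0) {
        size_t avail = cl->len - cl->pos;
        if (avail == 0) return 0;                       /* short read: peer gone */
        size_t want = (size_t)n < avail ? (size_t)n : avail;
        memcpy(dst, cl->buf + cl->pos, want);
        cl->pos += want;
        dst += want;
        n -= (int)want;
    }
    return 1;
}

enum { CUT_OK = 0, CUT_CLOSED = 1, CUT_UNINIT_DATA_USED = 2 };

/* Reads the 8-byte ClientCutText header and returns the declared length. */
static int parse_cut_text_header(client_t *cl, uint32_t *length) {
    uint8_t h[8];
    if (!read_exact(cl, (char *)h, sizeof h) || h[0] != 6) return 0;
    *length = ((uint32_t)h[4] << 24) | ((uint32_t)h[5] << 16) |
              ((uint32_t)h[6] << 8)  |  (uint32_t)h[7];
    return 1;
}

/* Vulnerable pattern: the u32 length flows into malloc() and into the int
 * parameter of read_exact() unchecked. For length >= 2^31 the int is negative,
 * read_exact() "succeeds" without reading, and the server would go on to use
 * a buffer still holding whatever malloc() handed back. */
static int handle_cut_text_vulnerable(client_t *cl) {
    uint32_t length;
    if (!parse_cut_text_header(cl, &length)) return CUT_CLOSED;
    char *str = (char *)malloc(length);
    if (str == NULL) return CUT_CLOSED;
    size_t before = cl->pos;
    int ok = read_exact(cl, str, (int)length);           /* narrowing happens here */
    int result = !ok ? CUT_CLOSED
               : (cl->pos - before != length) ? CUT_UNINIT_DATA_USED : CUT_OK;
    free(str);
    return result;
}

/* Hardened version: bound the length before it reaches any narrower type,
 * zero-fill the buffer, and allow an empty cut text. On success *out is a
 * malloc'd copy the caller frees and *out_len its length. */
static int handle_cut_text_fixed(client_t *cl, char **out, size_t *out_len) {
    uint32_t length;
    *out = NULL;
    *out_len = 0;
    if (!parse_cut_text_header(cl, &length)) return CUT_CLOSED;
    if (length > MAX_CUT_TEXT_LEN) return CUT_CLOSED;     /* upstream logs, then closes */
    char *str = (char *)calloc(length ? length : 1, 1);
    if (str == NULL) return CUT_CLOSED;
    if (!read_exact(cl, str, (int)length)) { free(str); return CUT_CLOSED; }
    *out = str;
    *out_len = length;
    return CUT_OK;
}

/* Builds a ClientCutText message into wire (text at most 56 bytes) and returns
 * a client positioned at its start. The declared length is written independently
 * of the text appended, so a crafted mismatch can be produced. */
static client_t make_client(uint8_t wire[64], uint32_t declared_len,
                            const char *text, size_t textlen) {
    wire[0] = 6; wire[1] = wire[2] = wire[3] = 0;
    wire[4] = (uint8_t)(declared_len >> 24); wire[5] = (uint8_t)(declared_len >> 16);
    wire[6] = (uint8_t)(declared_len >> 8);  wire[7] = (uint8_t)declared_len;
    if (textlen) memcpy(wire + 8, text, textlen);
    client_t cl = { wire, 8 + textlen, 0 };
    return cl;
}
```

The point to take from the two handlers is the order of operations: the fixed one compares the length while it is still a uint32_t and only then lets it reach calloc() and the int parameter, so no later conversion can change its sign or magnitude; the vulnerable one converts first and checks never. With a declared length of 2^31 the unchecked read loop exits immediately and reports success, which is exactly the condition under which stale heap contents would be passed on as cut text.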