Your message dated Sat, 21 Mar 2020 11:49:51 +0000
with message-id <[email protected]>
and subject line Bug#945784: fixed in vino 3.22.0-6
has caused the Debian Bug report #945784,
regarding [vino] fix libvncserver bundle security issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
945784: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945784
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: vino
Version: 3.22.0-5
Tags: security upstream
Dear maintainers of vino,
last month, I started working on an audit regarding
libvncserver+libvncclient in Debian. Code portions from either of
those libraries have been bundled in the Debian src:pkg "vino":
CVE-2019-15681[0]:
| LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains
| a memory leak (CWE-655) in VNC server code, which allows an attacker to
| read stack memory and can be abused for information disclosure.
| Combined with another vulnerability, it can be used to leak stack
| memory and bypass ASLR. This attack appears to be exploitable via
| network connectivity. These vulnerabilities have been fixed in commit
| d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a.
CVE-2018-7225
| An issue was discovered in LibVNCServer through 0.9.11.
| rfbProcessClientNormalMessage() in rfbserver.c does not
| sanitize msg.cct.length, leading to access to uninitialized and
| potentially sensitive data or possibly unspecified other impact
| (e.g., an integer overflow) via specially crafted VNC packets.
CVE-2014-6053
| The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c
| in LibVNCServer 0.9.9 and earlier does not properly handle attempts to
| send a large amount of ClientCutText data, which allows remote attackers
| to cause a denial of service (memory consumption or daemon crash) via
| a crafted message that is processed by using a single unchecked malloc.
Find attached a .debdiff (targeting the vino version in
testing/unstable) that resolves the above libvncserver related issues
in vino.
With my LTS team member hat on, I will upload vino to jessie LTS
within the next hours.
Please let me know if you will also handle uploads to
stretch-security and buster-security. Thanks.
Please note that I have not runtime-tested the vino 3.22.0-5.1
version, the .debdiff is a simple forward port of what I have been
working on for Debian jessie LTS. Thanks.
Mike
--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: [email protected], http://das-netzwerkteam.de
diff -Nru vino-3.22.0/debian/changelog vino-3.22.0/debian/changelog
--- vino-3.22.0/debian/changelog 2018-12-28 00:58:27.000000000 +0100
+++ vino-3.22.0/debian/changelog 2019-11-28 16:37:03.000000000 +0100
@@ -1,3 +1,16 @@
+vino (3.22.0-5.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Porting of libvncserver security patches:
+ - CVE-2014-6053: Check malloc() return value on client->server
ClientCutText
+ message.
+ - CVE-2018-7225: Uninitialized and potentially sensitive data could be
+ accessed by remote attackers because the msg.cct.length in rfbserver.c
was
+ not sanitized.
+ - CVE-2019-15681: rfbserver: don't leak stack memory to the remote.
+
+ -- Mike Gabriel <[email protected]> Thu, 28 Nov 2019 16:37:03 +0100
+
vino (3.22.0-5) unstable; urgency=medium
* Build-Depend on debhelper-compat 12 and drop debian/compat
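Review bot: the new changelog entry carries no bug reference, so the upload would not close this report automatically; once the bug number is assigned, add "(Closes: #945784)" to the security bullet, as the maintainer's 3.22.0-6 entry further down does. Also, the bullet text as shown here is line-wrapped mid-sentence ("ClientCutText" and "was" sit on lines of their own), which looks like mail wrapping rather than the file's content; apply the attached .debdiff rather than copying the hunks out of the mail body.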
diff -Nru vino-3.22.0/debian/patches/libvncserver_CVE-2014-6053.patch
vino-3.22.0/debian/patches/libvncserver_CVE-2014-6053.patch
--- vino-3.22.0/debian/patches/libvncserver_CVE-2014-6053.patch 1970-01-01
01:00:00.000000000 +0100
+++ vino-3.22.0/debian/patches/libvncserver_CVE-2014-6053.patch 2019-11-28
15:57:25.000000000 +0100
@@ -0,0 +1,22 @@
+Description: Check malloc() return value (CVE-2014-6053)
+ Check malloc() return value on client->server ClientCutText
+ message. Client can send up to 2**32-1 bytes of text, and such a large
+ allocation is likely to fail in case of high memory pressure. This would in a
+ server crash (write at address 0).
+Origin:
https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/server/libvncserver/rfbserver.c
++++ b/server/libvncserver/rfbserver.c
+@@ -851,6 +851,11 @@
+ msg.cct.length = Swap32IfLE(msg.cct.length);
+
+ str = (char *)malloc(msg.cct.length);
++ if (str == NULL) {
++ rfbLogPerror("rfbProcessClientNormalMessage: not enough
memory");
++ rfbCloseClient(cl);
++ return;
++ }
+
+ if ((n = ReadExact(cl, str, msg.cct.length)) <= 0) {
+ if (n != 0)
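Review bot: the NULL check only turns the write through a NULL pointer into an rfbCloseClient(); malloc(msg.cct.length) above it is still called with the unchecked 32-bit length from the wire, so on its own this hunk leaves the memory-consumption half of the CVE text (allocations of up to 2**32-1 bytes per message) in place. The cap has to come either here or in a patch ordered after this one; as submitted, the series relies on libvncserver_CVE-2018-7225.patch to supply it, which is fine as long as that ordering is kept. Two smaller points in the same hunk: the DEP-3 Description reads "This would in a server crash", where "This would result in a server crash" is meant; and the rfbLogPerror() line is shown wrapped after "not enough", so the hunk as displayed will not apply verbatim.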
diff -Nru vino-3.22.0/debian/patches/libvncserver_CVE-2018-7225.patch
vino-3.22.0/debian/patches/libvncserver_CVE-2018-7225.patch
--- vino-3.22.0/debian/patches/libvncserver_CVE-2018-7225.patch 1970-01-01
01:00:00.000000000 +0100
+++ vino-3.22.0/debian/patches/libvncserver_CVE-2018-7225.patch 2019-11-28
16:11:44.000000000 +0100
@@ -0,0 +1,46 @@
+From: Markus Koschany <[email protected]>
+Date: Tue, 5 Jun 2018 14:04:07 +0200
+Subject: CVE-2018-7225
+
+Bug-Debian: https://bugs.debian.org/894045
+Origin:
https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee
+---
+ libvncserver/rfbserver.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/server/libvncserver/rfbserver.c
++++ b/server/libvncserver/rfbserver.c
+@@ -58,6 +58,8 @@
+ #else
+ #define DEBUGPROTO(x)
+ #endif
++/* PRIu32 */
++#include <inttypes.h>
+
+ rfbClientPtr pointerClient = NULL; /* Mutex for pointer events */
+
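Review bot: the new `#include <inttypes.h>` lands after the DEBUGPROTO `#endif`, in the middle of the file's preamble, rather than with the other system headers at the top; it compiles, but moving it up with the existing includes is the tidier forward-port. The diffstat in the patch header (`libvncserver/rfbserver.c | 20 +++++++++++++++++++-`) is copied from the upstream commit and names the upstream path, while the hunk itself applies to `server/libvncserver/rfbserver.c`; refresh or drop the stat so the header describes this patch.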
+@@ -850,7 +852,23 @@
+
+ msg.cct.length = Swap32IfLE(msg.cct.length);
+
+- str = (char *)malloc(msg.cct.length);
++ /* uint32_t input is passed to malloc()'s size_t argument,
++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s
int
++ * argument. Here we impose a limit of 1 MB so that the value fits
++ * into all of the types to prevent from misinterpretation and thus
++ * from accessing uninitialized memory (CVE-2018-7225) and also to
++ * prevent from a denial-of-service by allocating to much memory in
++ * the server. */
++ if (msg.cct.length > 1<<20) {
++ rfbLog("rfbClientCutText: too big cut text length requested: %"
PRIu32 "\n",
++ msg.cct.length);
++ rfbCloseClient(cl);
++ return;
++ }
++
++ /* Allow zero-length client cut text. */
++ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+ if (str == NULL) {
+ rfbLogPerror("rfbProcessClientNormalMessage: not enough
memory");
+ rfbCloseClient(cl);
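Review bot: the comment justifying the 1 MB cap names rfbReadExact() and rfbStatRecordMessageRcvd(), which are the upstream LibVNCServer helpers; the bundled copy in vino calls ReadExact() (see the context of the CVE-2014-6053 hunk), and the stat helper may not exist in this tree at all, so reword the comment to the functions that actually receive msg.cct.length here. Two things to confirm before upload: this hunk's context includes the `if (str == NULL)` block introduced by libvncserver_CVE-2014-6053.patch, so that patch must stay ordered first in debian/patches/series; and with zero-length cut text now allowed and calloc'd as a single byte, check that the bundled ReadExact(cl, str, 0) returns 1 rather than 0, since the following `if ((n = ReadExact(cl, str, msg.cct.length)) <= 0)` would otherwise treat an empty paste as a read error and close the client.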
diff -Nru vino-3.22.0/debian/patches/libvncserver_CVE-2019-15681.patch
vino-3.22.0/debian/patches/libvncserver_CVE-2019-15681.patch
--- vino-3.22.0/debian/patches/libvncserver_CVE-2019-15681.patch
1970-01-01 01:00:00.000000000 +0100
+++ vino-3.22.0/debian/patches/libvncserver_CVE-2019-15681.patch
2019-11-28 16:15:57.000000000 +0100
@@ -0,0 +1,21 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier <[email protected]>
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+---
+ libvncserver/rfbserver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/server/libvncserver/rfbserver.c
++++ b/server/libvncserver/rfbserver.c
+@@ -1557,6 +1557,8 @@
+ rfbServerCutTextMsg sct;
+ rfbClientIteratorPtr iterator;
+
++ memset((char *)&sct, 0, sizeof(sct));
++
+ iterator = rfbGetClientIterator(rfbScreen);
+ while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
+ /* Client is not authenticated, ignore. See GNOME bug 678434. */
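Review bot: the memset sits before the client loop, which is the right place since the one `sct` is reused for every client; the `(char *)` cast on `&sct` is unnecessary because memset() takes a `void *`, so `memset(&sct, 0, sizeof(sct));` or simply `rfbServerCutTextMsg sct = {0};` at the declaration would do. The diffstat line `libvncserver/rfbserver.c | 2 ++` again carries the upstream path rather than `server/libvncserver/rfbserver.c`; refresh it when forward-porting. As far as the visible context shows, vino skips unauthenticated clients in this loop (the GNOME bug 678434 comment), so the padding bytes only ever reach authenticated clients in this tree; that is worth stating in the DEP-3 header when judging severity for the stretch and buster updates.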
diff -Nru vino-3.22.0/debian/patches/series vino-3.22.0/debian/patches/series
--- vino-3.22.0/debian/patches/series 2018-12-28 00:58:27.000000000 +0100
+++ vino-3.22.0/debian/patches/series 2019-11-28 16:37:03.000000000 +0100
@@ -9,3 +9,6 @@
0008-Properly-remove-watches-when-changing-server-props.patch
0009-Return-empty-string-instead-of-NULL-to-prevent-criti.patch
0010-Fix-various-defects-reported-by-covscan.patch
+libvncserver_CVE-2014-6053.patch
+libvncserver_CVE-2018-7225.patch
+libvncserver_CVE-2019-15681.patch
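Review bot: the order here is load-bearing: the second hunk of libvncserver_CVE-2018-7225.patch has the `if (str == NULL)` block from libvncserver_CVE-2014-6053.patch as context, so 2014-6053 must remain listed first, as it is. The three new entries also break the `00NN-Description.patch` naming the rest of the series uses; either continue the numbering (`0011-libvncserver-CVE-2014-6053.patch` and so on) or keep the CVE-id names deliberately, since they are the more useful handle when tracking the fix across suites.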
pgpIaGfeo4ugj.pgp
Description: Digital PGP signature
--- End Message ---
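As an added illustration of what the three patches above change, and not code from vino, LibVNCServer or the reporter, the following C program models the two RFB cut-text paths on in-memory buffers instead of a socket: the client-to-server ClientCutText handler with the length bound, NULL check and zero-length handling of the CVE-2014-6053 and CVE-2018-7225 patches, and the server-to-client ServerCutText header with the memset of CVE-2019-15681. `stream_t`, `read_exact()`, the `CUT_*` statuses, `run_sample()`, `server_header_byte()` and the sample messages are invented here; the 1 MiB cap is the value from the CVE-2018-7225 patch, and the struct layout follows the RFB wire format (type, pad1, pad2, length).

```c
/* Added example, not code from vino or LibVNCServer: models the RFB cut-text handling the
 * three patches above touch, on in-memory buffers instead of a socket. stream_t, read_exact(),
 * the CUT_* statuses, run_sample() and the sample messages are invented here. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define RFB_CLIENT_CUT_TEXT 6
#define RFB_SERVER_CUT_TEXT 3
#define RFB_CUT_TEXT_MAX (1u << 20)   /* 1 MiB, the cap used in the CVE-2018-7225 patch */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } stream_t;  /* stand-in for a socket */

/* Same contract the patches rely on from ReadExact(): 1 = got all n bytes,
 * 0 = clean EOF before any byte, -1 = stream ended mid-message; n == 0 succeeds. */
static int read_exact(stream_t *s, void *dst, size_t n)
{
    size_t avail = s->len - s->pos;
    if (n == 0) return 1;
    if (avail == 0) return 0;
    if (avail < n) { s->pos = s->len; return -1; }
    memcpy(dst, s->buf + s->pos, n);
    s->pos += n;
    return 1;
}

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

enum { CUT_OK = 0, CUT_TOO_BIG, CUT_NOMEM, CUT_SHORT, CUT_BAD_TYPE };

/* ClientCutText: type(1) pad(3) length(4, big-endian) text(length). Handler in the shape of
 * the patched rfbProcessClientNormalMessage(); on CUT_OK, *out is a NUL-terminated heap copy. */
int handle_client_cut_text(stream_t *s, char **out, uint32_t *out_len)
{
    uint8_t hdr[8]; uint32_t length; char *str;
    *out = NULL; *out_len = 0;
    if (read_exact(s, hdr, sizeof hdr) <= 0) return CUT_SHORT;
    if (hdr[0] != RFB_CLIENT_CUT_TEXT) return CUT_BAD_TYPE;
    length = load_be32(hdr + 4);
    /* Unpatched code did malloc(length) with length straight off the wire (up to 2**32-1):
     * a NULL return was written through (CVE-2014-6053) and a value above INT_MAX went
     * negative in the int-typed read path (CVE-2018-7225). The bound closes both. */
    if (length > RFB_CUT_TEXT_MAX) return CUT_TOO_BIG;
    str = calloc((size_t)length + 1, 1);   /* +1 keeps zero length a real allocation */
    if (str == NULL) return CUT_NOMEM;     /* still needed for ordinary allocation failure */
    if (read_exact(s, str, length) <= 0) { free(str); return CUT_SHORT; }
    *out = str; *out_len = length;
    return CUT_OK;
}

/* ServerCutText header as on the wire: type(1) pad1(1) pad2(2) length(4). The server sends
 * the struct verbatim; CVE-2019-15681 was pad1/pad2 never being assigned, so the bytes sent
 * were whatever the stack held. The memset is the fix from the patch. */
typedef struct { uint8_t type; uint8_t pad1; uint16_t pad2; uint32_t length; } server_cut_text_msg;

size_t build_server_cut_text(uint8_t *out, size_t cap, uint32_t text_len)
{
    server_cut_text_msg sct;
    uint8_t be[4] = { (uint8_t)(text_len >> 24), (uint8_t)(text_len >> 16),
                      (uint8_t)(text_len >> 8), (uint8_t)text_len };
    if (cap < sizeof sct) return 0;
    memset(&sct, 0, sizeof sct);          /* every byte, pad fields included, is now zero */
    sct.type = RFB_SERVER_CUT_TEXT;
    memcpy(&sct.length, be, sizeof be);   /* big-endian on the wire */
    memcpy(out, &sct, sizeof sct);
    return sizeof sct;
}

/* Byte idx of the serialized header for text_len, or -1: lets a check look at the pad bytes. */
int server_header_byte(uint32_t text_len, int idx)
{
    uint8_t hdr[8];
    if (idx < 0 || idx > 7 || build_server_cut_text(hdr, sizeof hdr, text_len) != sizeof hdr) return -1;
    return hdr[idx];
}

/* Constructed sample messages, not captured traffic. */
static const uint8_t MSG_HELLO[] = { 6, 0, 0, 0, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t MSG_HUGE[]  = { 6, 0, 0, 0, 0xff, 0xff, 0xff, 0xff };  /* claims 4 GiB of text */
static const uint8_t MSG_TRUNC[] = { 6, 0, 0, 0, 0, 0, 0, 5, 'h', 'i' };    /* claims 5, sends 2 */
static const uint8_t MSG_EMPTY[] = { 6, 0, 0, 0, 0, 0, 0, 0 };

/* Feeds one sample through the handler. Returns the status; when expected is non-NULL,
 * a CUT_OK result whose text differs from it is reported as -1 instead. */
int run_sample(const uint8_t *msg, size_t msg_len, const char *expected)
{
    stream_t s = { msg, msg_len, 0 };
    char *out; uint32_t n;
    int rc = handle_client_cut_text(&s, &out, &n);
    if (rc == CUT_OK) {
        if (expected && (strlen(expected) != n || memcmp(out, expected, n) != 0)) rc = -1;
        free(out);
    }
    return rc;
}
```

The 4 GiB sample is rejected before any allocation is attempted, the truncated one fails on the read rather than on a partially filled buffer, and the empty paste is accepted, which is the combined behaviour the two client-side patches aim for once applied in series order. The header builder shows why the memset matters: the two pad fields are never assigned by the protocol code, so without zeroing the struct first they carry whatever the stack held.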
--- Begin Message ---
Source: vino
Source-Version: 3.22.0-6
Done: Laurent Bigonville <[email protected]>
We believe that the bug you reported is fixed in the latest version of
vino, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laurent Bigonville <[email protected]> (supplier of updated vino package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 21 Mar 2020 12:31:55 +0100
Source: vino
Architecture: source
Version: 3.22.0-6
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers
<[email protected]>
Changed-By: Laurent Bigonville <[email protected]>
Closes: 945784
Changes:
vino (3.22.0-6) unstable; urgency=medium
.
* debian/control.in: Bump Standards-Version to 4.5.0 (no further changes)
* debian/rules: Move the vino-server executable to /usr/libexec
* Fix several security issues: CVE-2014-6053, CVE-2018-7225, CVE-2019-15681.
Thanks to Mike Gabriel <[email protected]> (Closes: #945784)
Checksums-Sha1:
53189809fbc1bd178d7cddd20cea74725fadc4d7 2034 vino_3.22.0-6.dsc
c7deba63247ff737105dd1da027e21204206d475 19268 vino_3.22.0-6.debian.tar.xz
a4bca5860595709c69d2481e92d4a5cd847f1c02 14083 vino_3.22.0-6_source.buildinfo
Checksums-Sha256:
8b7be5f0e2ba8016995ff23796c0949c6b45a1c7a8dd3c0287613db9f964409e 2034
vino_3.22.0-6.dsc
cee9961f115eb1a7cf9f0950287080751545b322e66983f53085c4ed75c09d49 19268
vino_3.22.0-6.debian.tar.xz
c02ceee1fc62b16862711b6994cd58282dbafb49c916765ba4ffa9e4ec064d29 14083
vino_3.22.0-6_source.buildinfo
Files:
f1e3a3bffac066240a999377fc43b673 2034 gnome optional vino_3.22.0-6.dsc
c9e2d1001e89e1bc53f09529e885bd87 19268 gnome optional
vino_3.22.0-6.debian.tar.xz
aaea188cda6674636ae440f5f14032ee 14083 gnome optional
vino_3.22.0-6_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFFBAEBCAAvFiEEmRrdqQAhuF2x31DwH8WJHrqwQ9UFAl51/B8RHGJpZ29uQGRl
Ymlhbi5vcmcACgkQH8WJHrqwQ9VDVQgAgi8gJO4w2j4C9N+d7LFEKcqbq9nZN4b5
aU07kuYodpkliq5QQBhVayc7V8qIi5f722IofR3aihUz3ZZmJT5hyCvWHJzoi6WY
j7z5ve4tth1CXb2AyGNQrTxsW5tUfhgoTpm4QfMK8K1/dF7+U2kI96GYm6igB7YX
zpxztZnGefxiiTy00GzZQIrD9ZZExGgE4205r5c/NzjshAtvXyp5ysMqH3rvp9xD
9G8h2Feg32aUvB0Pi3vwwTdRHQfvKChuQ8x38CI5t3d6XZnMUUw87990M3dQtfTE
a3qpAlTgG4GMHub0JRJ6tabzOpDXfzJwL7FxIzwllzQt9opyxH/U4Q==
=91wQ
-----END PGP SIGNATURE-----
--- End Message ---