Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Dear Release Team,

I have just uploaded a range of low and not so low security fixes for tightvnc to buster-pu:

+  * CVE-2014-6053: Check malloc() return value on client->server ClientCutText
+    message.
+  * CVE-2018-20020: Fix heap out-of-bound write vulnerability inside structure
+    in VNC client code.
+  * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+  * CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+  * CVE-2018-7225: Uninitialized and potentially sensitive data could be
+    accessed by remote attackers because the msg.cct.length in rfbserver.c was
+    not sanitized.
+  * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB.
+  * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore
+    server-sent reason strings longer than 1MB (see CVE-2018-20748/
+    libvncserver).
+  * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name
+    length received before allocating memory for it and limit it to 1MB.
+  * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c.
+  * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.

None of the above issues is so urgent that a DSA is justified, IMHO.

light+love
Mike

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru tightvnc-1.3.9/debian/changelog tightvnc-1.3.9/debian/changelog --- tightvnc-1.3.9/debian/changelog 2017-01-27 22:08:21.000000000 +0100 +++ tightvnc-1.3.9/debian/changelog 2019-12-21 10:35:50.000000000 +0100 @@ -1,3 +1,26 @@ +tightvnc (1:1.3.9-9+deb10u1) buster; urgency=medium + + * Security upload. (Closes: #945364). + * CVE-2014-6053: Check malloc() return value on client->server ClientCutText + message. + * CVE-2018-20020: Fix heap out-of-bound write vulnerability inside structure + in VNC client code. + * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code. + * CVE-2018-20022: CWE-665: Improper Initialization vulnerability. + * CVE-2018-7225: Uninitialized and potentially sensitive data could be + accessed by remote attackers because the msg.cct.length in rfbserver.c was + not sanitized. + * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB. + * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore + server-sent reason strings longer than 1MB (see CVE-2018-20748/ + libvncserver). + * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name + length received before allocating memory for it and limit it to 1MB. + * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c. + * CVE-2019-15681: rfbserver: don't leak stack memory to the remote. + + -- Mike Gabriel <sunwea...@debian.org> Sat, 21 Dec 2019 10:35:50 +0100 + tightvnc (1:1.3.9-9) unstable; urgency=high * Reverted the transition. Tigervnc is not ready for being a full diff -Nru tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch --- tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch 1970-01-01 01:00:00.000000000 +0100 +++ tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch 2019-12-19 21:39:14.000000000 +0100 
@@ -0,0 +1,29 @@ +From 6037a9074d52b1963c97cb28ea1096c7c14cbf28 Mon Sep 17 00:00:00 2001 +From: Nicolas Ruff <nr...@google.com> +Date: Mon, 18 Aug 2014 15:16:16 +0200 +Subject: [PATCH] Check malloc() return value on client->server ClientCutText + message. Client can send up to 2**32-1 bytes of text, and such a large + allocation is likely to fail in case of high memory pressure. This would in a + server crash (write at address 0). + +[sunweaver] port libvncserver patch over to tightvnc's vnc server code + +--- + libvncserver/rfbserver.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c ++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c +@@ -891,6 +891,12 @@ + + str = (char *)xalloc(msg.cct.length); + ++ if (str == NULL) { ++ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); ++ rfbCloseSock(cl->sock); ++ return; ++ } ++ + if ((n = ReadExact(cl->sock, str, msg.cct.length)) <= 0) { + if (n != 0) + rfbLogPerror("rfbProcessClientNormalMessage: read"); diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch --- tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch 1970-01-01 01:00:00.000000000 +0100 +++ tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch 2019-12-19 21:38:55.000000000 +0100 
@@ -0,0 +1,22 @@ +Description: CVE-2018-20021 + CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows + attacker to consume excessive amount of resources like CPU and RAM +--- + +Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c +Bug: https://github.com/LibVNC/libvncserver/issues/251 +Bug-Debian: https://bugs.debian.org/916941 + +[sunweaver] port libvncclient patch over to tightvnc's vncviewer code + +--- a/vncviewer/rfbproto.c ++++ b/vncviewer/rfbproto.c +@@ -1021,7 +1021,7 @@ + bytesPerLine = rect.r.w * myFormat.bitsPerPixel / 8; + linesToRead = BUFFER_SIZE / bytesPerLine; + +- while (rect.r.h > 0) { ++ while (linesToRead && rect.r.h > 0) { + if (linesToRead > rect.r.h) + linesToRead = rect.r.h; + diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch --- tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch 1970-01-01 01:00:00.000000000 +0100 +++ tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch 2019-12-19 21:47:41.000000000 +0100 
@@ -0,0 +1,31 @@ +Description: CVE-2018-20022 + multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC + client code that allows attacker to read stack memory and can be abused for + information disclosure. Combined with another vulnerability, it can be used + to leak stack memory layout and in bypassing ASLR +--- + +Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 +Bug: https://github.com/LibVNC/libvncserver/issues/252 +Bug-Debian: https://bugs.debian.org/916941 + +[sunweaver] ported from libvncclient to tightvnc's vncviewer code + +--- a/vncviewer/rfbproto.c ++++ b/vncviewer/rfbproto.c +@@ -886,6 +886,7 @@ + { + rfbKeyEventMsg ke; + ++ memset(&ke, 0, sizeof(ke)); + ke.type = rfbKeyEvent; + ke.down = down ? 1 : 0; + ke.key = Swap32IfLE(key); +@@ -906,6 +907,7 @@ + free(serverCutText); + serverCutText = NULL; + ++ memset(&cct, 0, sizeof(cct)); + cct.type = rfbClientCutText; + cct.length = Swap32IfLE(len); + return (WriteExact(rfbsock, (char *)&cct, sz_rfbClientCutTextMsg) && diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch --- tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch 1970-01-01 01:00:00.000000000 +0100 +++ tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch 2019-12-19 21:39:37.000000000 +0100 
@@ -0,0 +1,51 @@ +From: Mike Gabriel <sunwea...@debian.org> +Date: Tue, 5 Jun 2018 14:04:07 +0200 +Subject: CVE-2018-7225 + +Bug-Debian: https://bugs.debian.org/894045 +Origin: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee + +[sunweaver] port libvncserver patch over to tightvnc's VNC server code + +--- + libvncserver/rfbserver.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + + +--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c ++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c +@@ -43,6 +43,9 @@ + #include <vncserverctrl.h> + #endif + ++/* PRIu32 */ ++#include <inttypes.h> ++ + char updateBuf[UPDATE_BUF_SIZE]; + int ublen; + +@@ -889,7 +892,23 @@ + + msg.cct.length = Swap32IfLE(msg.cct.length); + +- str = (char *)xalloc(msg.cct.length); ++ /* uint32_t input is passed to malloc()'s size_t argument, ++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int ++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int ++ * argument. Here we impose a limit of 1 MB so that the value fits ++ * into all of the types to prevent from misinterpretation and thus ++ * from accessing uninitialized memory (CVE-2018-7225) and also to ++ * prevent from a denial-of-service by allocating to much memory in ++ * the server. */ ++ if (msg.cct.length > 1<<20) { ++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", ++ msg.cct.length); ++ rfbCloseSock(cl->sock); ++ return; ++ } ++ ++ /* Allow zero-length client cut text. */ ++ str = (char *)calloc(msg.cct.length ? 
msg.cct.length : 1, 1); + + if (str == NULL) { + rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch --- tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch 1970-01-01 01:00:00.000000000 +0100 +++ tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch 2019-12-20 22:32:50.000000000 +0100 @@ -0,0 +1,28 @@ +From e34bcbb759ca5bef85809967a268fdf214c1ad2c Mon Sep 17 00:00:00 2001 +From: Christian Beier <dontm...@freeshell.org> +Date: Sat, 29 Dec 2018 14:40:53 +0100 +Subject: [PATCH] LibVNCClient: ignore server-sent reason strings longer than + 1MB + +Fixes #273 + +[sunweaver] Extract these few lines from the above referenced patch and port to tightvnc. + This patch was part of the fix series for CVE-2018-20748/libvncserver + +--- + libvncclient/rfbproto.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/vncviewer/rfbproto.c ++++ b/vncviewer/rfbproto.c +@@ -1293,6 +1293,10 @@ + + if (ReadFromRFBServer((char *)&reasonLen, sizeof(reasonLen))) { + reasonLen = Swap32IfLE(reasonLen); ++ if(reasonLen > 1<<20) { ++ fprintf(stderr, "VNC connection failed, but sent reason length of %u exceeds limit of 1MB",(unsigned int)reasonLen); ++ return; ++ } + if ((reason = malloc(reasonLen)) != NULL && + ReadFromRFBServer(reason, reasonLen)) { + fprintf(stderr,"%.*s\n", (int)reasonLen, reason); diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch --- tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch 1970-01-01 01:00:00.000000000 +0100 +++ tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch 2019-12-20 22:32:35.000000000 +0100 
@@ -0,0 +1,28 @@ +From c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a Mon Sep 17 00:00:00 2001 +From: Christian Beier <dontm...@freeshell.org> +Date: Sat, 29 Dec 2018 14:16:58 +0100 +Subject: [PATCH] LibVNCClient: ignore server-sent cut text longer than 1MB + +This is in line with how LibVNCServer does it +(28afb6c537dc82ba04d5f245b15ca7205c6dbb9c) and fixes part of #273. + +[sunweaver] Port to tightvnc. + +--- + libvncclient/rfbproto.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/vncviewer/rfbproto.c ++++ b/vncviewer/rfbproto.c +@@ -1214,6 +1214,11 @@ + + msg.sct.length = Swap32IfLE(msg.sct.length); + ++ if (msg.sct.length > 1<<20) { ++ fprintf(stderr, "Ignoring too big cut text length sent by server: %u B > 1 MB\n", (unsigned int)msg.sct.length); ++ return False; ++ } ++ + if (serverCutText) + free(serverCutText); + diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch --- tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch 1970-01-01 01:00:00.000000000 +0100 +++ tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch 2019-12-20 22:32:08.000000000 +0100 
@@ -0,0 +1,33 @@ +From c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 Mon Sep 17 00:00:00 2001 +From: Christian Beier <dontm...@freeshell.org> +Date: Sun, 6 Jan 2019 14:20:37 +0100 +Subject: [PATCH] LibVNCClient: fail on server-sent desktop name lengths longer + than 1MB + +re #273 +--- + libvncclient/rfbproto.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +[sunweaver] Ported over to tightvnc. + +--- a/vncviewer/rfbproto.c ++++ b/vncviewer/rfbproto.c +@@ -303,13 +303,11 @@ + si.format.blueMax = Swap16IfLE(si.format.blueMax); + si.nameLength = Swap32IfLE(si.nameLength); + +- /* FIXME: Check arguments to malloc() calls. */ +- desktopName = malloc(si.nameLength + 1); +- if (!desktopName) { +- fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n", +- (unsigned long)si.nameLength); +- return False; ++ if (si.nameLength > 1<<20) { ++ fprintf(stderr, "Too big desktop name length sent by server: %u B > 1 MB\n", (unsigned int)si.nameLength); ++ return FALSE; + } ++ desktopName = malloc(si.nameLength + 1); + + if (!ReadFromRFBServer(desktopName, si.nameLength)) return False; + diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch --- tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch 1970-01-01 01:00:00.000000000 +0100 +++ tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch 2019-12-20 16:07:49.000000000 +0100 
@@ -0,0 +1,16 @@ +Origin: https://github.com/LibVNC/libvncserver/pull/360/commits/85d00057b5daf71675462c9b175d8cb2d47cd0e1 + +--- a/vncviewer/zlib.c ++++ b/vncviewer/zlib.c +@@ -55,6 +55,11 @@ + raw_buffer_size = (( rw * rh ) * ( BPP / 8 )); + raw_buffer = (char*) malloc( raw_buffer_size ); + ++ if (raw_buffer == NULL) { ++ ++ return False; ++ ++ } + } + + if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader)) diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch --- tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch 1970-01-01 01:00:00.000000000 +0100 +++ tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch 2019-12-19 21:39:44.000000000 +0100 @@ -0,0 +1,20 @@ +From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001 +From: Christian Beier <dontm...@freeshell.org> +Date: Mon, 19 Aug 2019 22:32:25 +0200 +Subject: [PATCH] rfbserver: don't leak stack memory to the remote + +Thanks go to Pavel Cheremushkin of Kaspersky for reporting. + +[sunweaver] Ported to rfbserver.c in tightvnc + +--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c ++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c +@@ -1481,6 +1481,8 @@ + rfbClientPtr cl, nextCl; + rfbServerCutTextMsg sct; + ++ memset((char *)&sct, 0, sizeof(sct)); ++ + if (rfbViewOnly) + return; + diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch --- tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch 1970-01-01 01:00:00.000000000 +0100 +++ tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch 2019-12-20 21:43:49.000000000 +0100 
@@ -0,0 +1,23 @@ +Description: CVE-2019-8287 + (same as CVE-2018-20020/libvncserver) + heap out-of-bound write vulnerability inside structure in VNC client code that + can result remote code execution +--- + +Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d +Bug: https://github.com/LibVNC/libvncserver/issues/250 +Bug-Debian: https://bugs.debian.org/916941 + +[sunweaver] port libvncclient patch over to tightvnc's vncviewer code + +--- a/vncviewer/corre.c ++++ b/vncviewer/corre.c +@@ -56,7 +56,7 @@ + XChangeGC(dpy, gc, GCForeground, &gcv); + XFillRectangle(dpy, desktopWin, gc, rx, ry, rw, rh); + +- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) ++ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) + return False; + + ptr = (CARD8 *)buffer; diff -Nru tightvnc-1.3.9/debian/patches/series tightvnc-1.3.9/debian/patches/series --- tightvnc-1.3.9/debian/patches/series 2016-06-19 13:22:20.000000000 +0200 +++ tightvnc-1.3.9/debian/patches/series 2019-12-21 10:35:39.000000000 +0100 @@ -6,3 +6,13 @@ ppc64el.patch 782620-crashfix.patch more-arm64-fixes.patch +CVE-2019-15680.patch +CVE-2019-15681.patch +CVE-2014-6053.patch +CVE-2018-7225.patch +CVE-2018-20021.patch +CVE-2019-8287.patch +CVE-2018-20022.patch +CVE-2019-15679.patch +CVE-2019-15678.patch +CVE-2019-15678-addon.patch
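Review bot: in the debian/changelog hunk, the heap out-of-bound write in the VNC client is listed only as CVE-2018-20020, while the patch actually shipped for it is debian/patches/CVE-2019-8287.patch, whose Description says it is the same issue as CVE-2018-20020/libvncserver. Name both identifiers in that changelog line, e.g. `* CVE-2019-8287 (same as CVE-2018-20020/libvncserver): Fix heap out-of-bound write vulnerability inside structure in VNC client code.`, so the fixed version can be matched against the tightvnc-specific CVE as well as the libvncserver one.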
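Review bot: in the CVE-2014-6053.patch hunk, the diffstat kept in the header (`libvncserver/rfbserver.c | 5 +++++`) still describes the upstream libvncserver commit, while the hunk below it touches `Xvnc/programs/Xserver/hw/vnc/rfbserver.c`; either drop the stale diffstat or regenerate it for the ported file. The same stale `libvncserver/` or `libvncclient/` diffstats appear in the CVE-2018-7225, CVE-2019-15678, CVE-2019-15678-addon and CVE-2019-15679 patches. The NULL check itself (log, `rfbCloseSock(cl->sock)`, `return`) is the right shape for this code path.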
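Review bot: in the CVE-2018-20021.patch hunk, the new `while (linesToRead && rect.r.h > 0)` guard stops the loop silently when `bytesPerLine` exceeds BUFFER_SIZE, but the rectangle's pixel data is then never consumed from the socket, so parsing continues from the middle of an unread rectangle; consider logging the oversized width and returning False there, as the 1 MB checks in the other patches of this series do. The visible context also computes `linesToRead = BUFFER_SIZE / bytesPerLine` before the loop with no guard shown for `bytesPerLine == 0` (a zero-width rectangle); worth confirming that `rect.r.w` is validated earlier in this function.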
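Review bot: in the CVE-2018-7225.patch hunk, `xalloc()` (the X server allocator) is replaced by libc `calloc()`, but the matching release of `str` is outside the hunk; check that it is freed with `free()`, or that `xfree()` in this Xvnc tree is a plain wrapper around `free()`, so allocator and deallocator stay paired. The long comment above the new check was carried over from libvncserver verbatim and refers to `rfbReadExact()` and `rfbStatRecordMessageRcvd()`, which this code does not call (the CVE-2014-6053 hunk shows the reader here is `ReadExact()`); trim it to the types the value actually flows into in tightvnc. Keeping the `str == NULL` block from CVE-2014-6053.patch as context is correct, since `calloc()` can still fail.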
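Review bot: in the CVE-2019-15678-addon.patch hunk, the new message `"VNC connection failed, but sent reason length of %u exceeds limit of 1MB"` has no trailing newline, unlike the `"%.*s\n"` message immediately below it and the messages added by the CVE-2019-15678 and CVE-2019-15679 hunks; add `\n`. Minor: `if(reasonLen > 1<<20)` lacks the space after `if` used everywhere else in this file.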
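Review bot: in the CVE-2019-15678.patch hunk, the Subject (and the changelog entry) say the client will "ignore" oversized server cut text, but the code returns False to the caller, and since the `msg.sct.length` bytes are left unread on the socket, failing the connection is the only safe choice here; reword to "fail on", as the CVE-2019-15679 patch's Subject does, so the description matches the behaviour.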
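Review bot: in the CVE-2019-15679.patch hunk, the `if (!desktopName) { ... return False; }` block is deleted and `desktopName = malloc(si.nameLength + 1);` is re-added with no NULL check, so a failed allocation now reaches `ReadFromRFBServer(desktopName, si.nameLength)` with a NULL buffer; keep the allocation check after the new malloc, i.e. `desktopName = malloc(si.nameLength + 1); if (!desktopName) { fprintf(...); return False; }`. The new branch also returns `FALSE` where the removed line and the surrounding code use `False`; unless `FALSE` is defined in this translation unit that will not build, and it should be `False` for consistency anyway. The header's diffstat (`8 ++++++--`, 6 insertions, 2 deletions) no longer matches the ported hunk (4 insertions, 6 deletions).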
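Review bot: in the CVE-2019-15680.patch hunk, the added check has two empty lines inside the braces and an unindented body; collapse it to the `if (raw_buffer == NULL) { return False; }` form used by the other patches. On that failure path `raw_buffer_size` has already been set to the new size while `raw_buffer` is NULL, so if the caller carries on after `return False` the next rectangle would see a large enough `raw_buffer_size` and skip reallocation; resetting `raw_buffer_size = 0` before returning closes that. The patch also carries only an Origin header; add a Description line (the changelog's "Fix null-pointer-deref issue in vncviewer/zlib.c" would do) so debian/patches stays self-documenting.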
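Review bot: in the CVE-2019-8287.patch hunk, the new bound `hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8))` rejects the rectangle silently, whereas every other length check in this series logs what was refused; add an `fprintf(stderr, ...)` naming the oversized `nSubrects` so a broken or hostile server is visible in the viewer output. Documentation: the Description reads `can result remote code execution`; it should be `can result in remote code execution`.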
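Review bot: in the debian/patches/series hunk, the order of the new entries is load-bearing: the CVE-2018-7225 hunk relies on the `if (str == NULL)` block introduced by CVE-2014-6053.patch as its context, and CVE-2018-20021, CVE-2018-20022, CVE-2019-15679, CVE-2019-15678 and CVE-2019-15678-addon all modify `vncviewer/rfbproto.c`; a short note in the DEP-3 headers of the dependent patches (or a comment line in series) would make this explicit for whoever prepares the next stable update.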