Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Dear Release Team,

I have just uploaded a range of low and not so low security fixes for
tightvnc to buster-pu:

+  * CVE-2014-6053: Check malloc() return value on client->server ClientCutText
+    message.
+  * CVE-2018-20020: Fix heap out-of-bound write vulnerability inside structure
+    in VNC client code.
+  * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+  * CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+  * CVE-2018-7225: Uninitialized and potentially sensitive data could be
+    accessed by remote attackers because the msg.cct.length in rfbserver.c was
+    not sanitized.
+  * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB.
+  * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore
+    server-sent reason strings longer than 1MB (see CVE-2018-20748/
+    libvncserver).
+  * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name
+    length received before allocating memory for it and limit it to 1MB.
+  * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c.
+  * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.

None of the above issue is so urgend that a DSA is justified, IMHO.

light+love
Mike

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru tightvnc-1.3.9/debian/changelog tightvnc-1.3.9/debian/changelog
--- tightvnc-1.3.9/debian/changelog     2017-01-27 22:08:21.000000000 +0100
+++ tightvnc-1.3.9/debian/changelog     2019-12-21 10:35:50.000000000 +0100
@@ -1,3 +1,26 @@
+tightvnc (1:1.3.9-9+deb10u1) buster; urgency=medium
+
+  * Security upload. (Closes: #945364).
+  * CVE-2014-6053: Check malloc() return value on client->server ClientCutText
+    message.
+  * CVE-2018-20020: Fix heap out-of-bound write vulnerability inside structure
+    in VNC client code.
+  * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+  * CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+  * CVE-2018-7225: Uninitialized and potentially sensitive data could be
+    accessed by remote attackers because the msg.cct.length in rfbserver.c was
+    not sanitized.
+  * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB.
+  * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore
+    server-sent reason strings longer than 1MB (see CVE-2018-20748/
+    libvncserver).
+  * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name
+    length received before allocating memory for it and limit it to 1MB.
+  * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c.
+  * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.
+
+ -- Mike Gabriel <sunwea...@debian.org>  Sat, 21 Dec 2019 10:35:50 +0100
+
 tightvnc (1:1.3.9-9) unstable; urgency=high
 
   * Reverted the transition. Tigervnc is not ready for being a full
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch 
tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch
--- tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch   1970-01-01 
01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2014-6053.patch   2019-12-19 
21:39:14.000000000 +0100
@@ -0,0 +1,29 @@
+From 6037a9074d52b1963c97cb28ea1096c7c14cbf28 Mon Sep 17 00:00:00 2001
+From: Nicolas Ruff <nr...@google.com>
+Date: Mon, 18 Aug 2014 15:16:16 +0200
+Subject: [PATCH] Check malloc() return value on client->server ClientCutText
+ message. Client can send up to 2**32-1 bytes of text, and such a large
+ allocation is likely to fail in case of high memory pressure. This would in a
+ server crash (write at address 0).
+
+[sunweaver] port libvncserver patch over to tightvnc's vnc server code
+
+---
+ libvncserver/rfbserver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
+@@ -891,6 +891,12 @@
+ 
+       str = (char *)xalloc(msg.cct.length);
+ 
++      if (str == NULL) {
++              rfbLogPerror("rfbProcessClientNormalMessage: not enough 
memory");
++              rfbCloseSock(cl->sock);
++              return;
++      }
++
+       if ((n = ReadExact(cl->sock, str, msg.cct.length)) <= 0) {
+           if (n != 0)
+               rfbLogPerror("rfbProcessClientNormalMessage: read");
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch 
tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch
--- tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch  1970-01-01 
01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2018-20021.patch  2019-12-19 
21:38:55.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20021
+ CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows
+ attacker to consume excessive amount of resources like CPU and RAM
+---
+
+Origin: 
https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
+Bug: https://github.com/LibVNC/libvncserver/issues/251
+Bug-Debian: https://bugs.debian.org/916941
+
+[sunweaver] port libvncclient patch over to tightvnc's vncviewer code
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1021,7 +1021,7 @@
+       bytesPerLine = rect.r.w * myFormat.bitsPerPixel / 8;
+       linesToRead = BUFFER_SIZE / bytesPerLine;
+ 
+-      while (rect.r.h > 0) {
++      while (linesToRead && rect.r.h > 0) {
+         if (linesToRead > rect.r.h)
+           linesToRead = rect.r.h;
+ 
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch 
tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch
--- tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch  1970-01-01 
01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2018-20022.patch  2019-12-19 
21:47:41.000000000 +0100
@@ -0,0 +1,31 @@
+Description: CVE-2018-20022
+ multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC
+ client code that allows attacker to read stack memory and can be abused for
+ information disclosure. Combined with another vulnerability, it can be used
+ to leak stack memory layout and in bypassing ASLR
+---
+
+Origin: 
https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
+Bug: https://github.com/LibVNC/libvncserver/issues/252
+Bug-Debian: https://bugs.debian.org/916941
+
+[sunweaver] ported from libvncclient to tightvnc's vncviewer code
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -886,6 +886,7 @@
+ {
+   rfbKeyEventMsg ke;
+ 
++  memset(&ke, 0, sizeof(ke));
+   ke.type = rfbKeyEvent;
+   ke.down = down ? 1 : 0;
+   ke.key = Swap32IfLE(key);
+@@ -906,6 +907,7 @@
+     free(serverCutText);
+   serverCutText = NULL;
+ 
++  memset(&cct, 0, sizeof(cct));
+   cct.type = rfbClientCutText;
+   cct.length = Swap32IfLE(len);
+   return  (WriteExact(rfbsock, (char *)&cct, sz_rfbClientCutTextMsg) &&
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch 
tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch
--- tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch   1970-01-01 
01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2018-7225.patch   2019-12-19 
21:39:37.000000000 +0100
@@ -0,0 +1,51 @@
+From: Mike Gabriel <sunwea...@debian.org>
+Date: Tue, 5 Jun 2018 14:04:07 +0200
+Subject: CVE-2018-7225
+
+Bug-Debian: https://bugs.debian.org/894045
+Origin: 
https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee
+
+[sunweaver] port libvncserver patch over to tightvnc's VNC server code
+
+---
+ libvncserver/rfbserver.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+
+--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
+@@ -43,6 +43,9 @@
+ #include <vncserverctrl.h>
+ #endif
+ 
++/* PRIu32 */
++#include <inttypes.h>
++
+ char updateBuf[UPDATE_BUF_SIZE];
+ int ublen;
+ 
+@@ -889,7 +892,23 @@
+ 
+       msg.cct.length = Swap32IfLE(msg.cct.length);
+ 
+-      str = (char *)xalloc(msg.cct.length);
++      /* uint32_t input is passed to malloc()'s size_t argument,
++       * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
++       * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s 
int
++       * argument. Here we impose a limit of 1 MB so that the value fits
++       * into all of the types to prevent from misinterpretation and thus
++       * from accessing uninitialized memory (CVE-2018-7225) and also to
++       * prevent from a denial-of-service by allocating to much memory in
++       * the server. */
++      if (msg.cct.length > 1<<20) {
++          rfbLog("rfbClientCutText: too big cut text length requested: %" 
PRIu32 "\n",
++                  msg.cct.length);
++          rfbCloseSock(cl->sock);
++          return;
++      }
++
++      /* Allow zero-length client cut text. */
++      str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+ 
+       if (str == NULL) {
+               rfbLogPerror("rfbProcessClientNormalMessage: not enough 
memory");
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch 
tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch    1970-01-01 
01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15678-addon.patch    2019-12-20 
22:32:50.000000000 +0100
@@ -0,0 +1,28 @@
+From e34bcbb759ca5bef85809967a268fdf214c1ad2c Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sat, 29 Dec 2018 14:40:53 +0100
+Subject: [PATCH] LibVNCClient: ignore server-sent reason strings longer than
+ 1MB
+
+Fixes #273
+
+[sunweaver] Extract these few lines from the above referenced patch and port 
to tightvnc.
+            This patch was part of the fix series for 
CVE-2018-20748/libvncserver
+
+---
+ libvncclient/rfbproto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1293,6 +1293,10 @@
+ 
+   if (ReadFromRFBServer((char *)&reasonLen, sizeof(reasonLen))) {
+     reasonLen = Swap32IfLE(reasonLen);
++    if(reasonLen > 1<<20) {
++      fprintf(stderr, "VNC connection failed, but sent reason length of %u 
exceeds limit of 1MB",(unsigned int)reasonLen);
++      return;
++    }
+     if ((reason = malloc(reasonLen)) != NULL &&
+         ReadFromRFBServer(reason, reasonLen)) {
+       fprintf(stderr,"%.*s\n", (int)reasonLen, reason);
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch 
tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch  1970-01-01 
01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15678.patch  2019-12-20 
22:32:35.000000000 +0100
@@ -0,0 +1,28 @@
+From c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sat, 29 Dec 2018 14:16:58 +0100
+Subject: [PATCH] LibVNCClient: ignore server-sent cut text longer than 1MB
+
+This is in line with how LibVNCServer does it
+(28afb6c537dc82ba04d5f245b15ca7205c6dbb9c) and fixes part of #273.
+
+[sunweaver] Port to tightvnc.
+
+---
+ libvncclient/rfbproto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -1214,6 +1214,11 @@
+ 
+     msg.sct.length = Swap32IfLE(msg.sct.length);
+ 
++    if (msg.sct.length > 1<<20) {
++          fprintf(stderr, "Ignoring too big cut text length sent by server: 
%u B > 1 MB\n", (unsigned int)msg.sct.length);
++          return False;
++    }
++
+     if (serverCutText)
+       free(serverCutText);
+ 
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch 
tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch  1970-01-01 
01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15679.patch  2019-12-20 
22:32:08.000000000 +0100
@@ -0,0 +1,33 @@
+From c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontm...@freeshell.org>
+Date: Sun, 6 Jan 2019 14:20:37 +0100
+Subject: [PATCH] LibVNCClient: fail on server-sent desktop name lengths longer
+ than 1MB
+
+re #273
+---
+ libvncclient/rfbproto.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+[sunweaver] Ported over to tightvnc.
+
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -303,13 +303,11 @@
+   si.format.blueMax = Swap16IfLE(si.format.blueMax);
+   si.nameLength = Swap32IfLE(si.nameLength);
+ 
+-  /* FIXME: Check arguments to malloc() calls. */
+-  desktopName = malloc(si.nameLength + 1);
+-  if (!desktopName) {
+-    fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",
+-            (unsigned long)si.nameLength);
+-    return False;
++  if (si.nameLength > 1<<20) {
++      fprintf(stderr, "Too big desktop name length sent by server: %u B > 1 
MB\n", (unsigned int)si.nameLength);
++      return FALSE;
+   }
++  desktopName = malloc(si.nameLength + 1);
+ 
+   if (!ReadFromRFBServer(desktopName, si.nameLength)) return False;
+ 
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch 
tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch  1970-01-01 
01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15680.patch  2019-12-20 
16:07:49.000000000 +0100
@@ -0,0 +1,16 @@
+Origin: 
https://github.com/LibVNC/libvncserver/pull/360/commits/85d00057b5daf71675462c9b175d8cb2d47cd0e1
+
+--- a/vncviewer/zlib.c
++++ b/vncviewer/zlib.c
+@@ -55,6 +55,11 @@
+     raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
+     raw_buffer = (char*) malloc( raw_buffer_size );
+ 
++    if (raw_buffer == NULL) {
++
++       return False;
++
++    }
+   }
+ 
+   if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch 
tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch  1970-01-01 
01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-15681.patch  2019-12-19 
21:39:44.000000000 +0100
@@ -0,0 +1,20 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontm...@freeshell.org>
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+
+[sunweaver] Ported to rfbserver.c in tightvnc
+
+--- a/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
++++ b/Xvnc/programs/Xserver/hw/vnc/rfbserver.c
+@@ -1481,6 +1481,8 @@
+     rfbClientPtr cl, nextCl;
+     rfbServerCutTextMsg sct;
+ 
++    memset((char *)&sct, 0, sizeof(sct));
++
+     if (rfbViewOnly)
+       return;
+ 
diff -Nru tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch 
tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch
--- tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch   1970-01-01 
01:00:00.000000000 +0100
+++ tightvnc-1.3.9/debian/patches/CVE-2019-8287.patch   2019-12-20 
21:43:49.000000000 +0100
@@ -0,0 +1,23 @@
+Description: CVE-2019-8287
+ (same as CVE-2018-20020/libvncserver)
+ heap out-of-bound write vulnerability inside structure in VNC client code that
+ can result remote code execution
+---
+
+Origin: 
https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+Bug-Debian: https://bugs.debian.org/916941
+
+[sunweaver] port libvncclient patch over to tightvnc's vncviewer code
+
+--- a/vncviewer/corre.c
++++ b/vncviewer/corre.c
+@@ -56,7 +56,7 @@
+     XChangeGC(dpy, gc, GCForeground, &gcv);
+     XFillRectangle(dpy, desktopWin, gc, rx, ry, rw, rh);
+ 
+-    if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
++    if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || 
!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
+       return False;
+ 
+     ptr = (CARD8 *)buffer;
diff -Nru tightvnc-1.3.9/debian/patches/series 
tightvnc-1.3.9/debian/patches/series
--- tightvnc-1.3.9/debian/patches/series        2016-06-19 13:22:20.000000000 
+0200
+++ tightvnc-1.3.9/debian/patches/series        2019-12-21 10:35:39.000000000 
+0100
@@ -6,3 +6,13 @@
 ppc64el.patch
 782620-crashfix.patch
 more-arm64-fixes.patch
+CVE-2019-15680.patch
+CVE-2019-15681.patch
+CVE-2014-6053.patch
+CVE-2018-7225.patch
+CVE-2018-20021.patch
+CVE-2019-8287.patch
+CVE-2018-20022.patch
+CVE-2019-15679.patch
+CVE-2019-15678.patch
+CVE-2019-15678-addon.patch

Reply via email to