Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

I just uploaded this ssvnc update to Debian buster:

+  * Non-maintainer upload by the LTS team.

@Magnus: Thanks for fixing ssvnc in testing/unstable regarding the below CVE issues. I saw that those issues haven't been covered in stretch+buster, so I was so brisk and dput fixes straight away.

+  * Porting of libvncclient security patches (Closes: #945827):
+    - CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+      in VNC client code.
+    - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+    - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+    - CVE-2018-20024: null pointer dereference that can result DoS.

@release team: The upload fixes the not-so-critical CVEs given above.

Thanks+Greets,
Mike

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru ssvnc-1.0.29/debian/changelog ssvnc-1.0.29/debian/changelog --- ssvnc-1.0.29/debian/changelog 2018-06-24 19:39:53.000000000 +0200 +++ ssvnc-1.0.29/debian/changelog 2020-05-31 20:58:21.000000000 +0200 @@ -1,3 +1,15 @@ +ssvnc (1.0.29-4+deb10u1) buster; urgency=medium + + * Non-maintainer upload by the LTS team. + * Porting of libvncclient security patches (Closes: #945827): + - CVE-2018-20020: heap out-of-bound write vulnerability inside structure + in VNC client code. + - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code. + - CVE-2018-20022: CWE-665: Improper Initialization vulnerability. + - CVE-2018-20024: null pointer dereference that can result DoS. + + -- Mike Gabriel <sunwea...@debian.org> Sun, 31 May 2020 20:58:21 +0200 + ssvnc (1.0.29-4) unstable; urgency=low * default-jdk-headless is enough to build. diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch --- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch 1970-01-01 01:00:00.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch 2019-12-16 19:37:52.000000000 +0100 
@@ -0,0 +1,22 @@ +Description: CVE-2018-20020 + heap out-of-bound write vulnerability inside structure in VNC client code that + can result remote code execution +--- + +Author: Abhijith PA <abhij...@debian.org> +Origin: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d +Bug: https://github.com/LibVNC/libvncserver/issues/250 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/vnc_unixsrc/vncviewer/corre.c ++++ b/vnc_unixsrc/vncviewer/corre.c +@@ -76,7 +76,7 @@ + FillRectangle(rx, ry, rw, rh, gcv.foreground); + #endif + +- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) ++ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8)))) + return False; + + ptr = (CARD8 *)buffer; diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch --- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch 1970-01-01 01:00:00.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch 2019-12-16 19:37:52.000000000 +0100 
@@ -0,0 +1,22 @@ +Description: CVE-2018-20021 + CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows + attacker to consume excessive amount of resources like CPU and RAM +--- + +Author: Abhijith PA <abhij...@debian.org> +Origin: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c +Bug: https://github.com/LibVNC/libvncserver/issues/251 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/vnc_unixsrc/vncviewer/rfbproto.c ++++ b/vnc_unixsrc/vncviewer/rfbproto.c +@@ -3156,7 +3156,7 @@ + if (db) fprintf(stderr, "Raw: %dx%d+%d+%d\n", rect.r.w, rect.r.h, rect.r.x, rect.r.y); + area_raw += rect.r.w * rect.r.h; + +- while (rect.r.h > 0) { ++ while (linesToRead && rect.r.h > 0) { + if (linesToRead > rect.r.h) { + linesToRead = rect.r.h; + } diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch --- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch 1970-01-01 01:00:00.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20022.patch 2019-12-16 19:37:52.000000000 +0100 
@@ -0,0 +1,31 @@ +Description: CVE-2018-20022 + multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC + client code that allows attacker to read stack memory and can be abuse for + information disclosure. Combined with another vulnerability, it can be used + to leak stack memory layout and in bypassing ASLR +--- + +Author: Abhijith PA <abhij...@debian.org> +Origin: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 +Bug: https://github.com/LibVNC/libvncserver/issues/252 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +--- a/vnc_unixsrc/vncviewer/rfbproto.c ++++ b/vnc_unixsrc/vncviewer/rfbproto.c +@@ -2447,6 +2447,7 @@ + } + } + ++ memset(&ke, 0, sizeof(ke)); + ke.type = rfbKeyEvent; + ke.down = down ? 1 : 0; + ke.key = Swap32IfLE(key); +@@ -2480,6 +2481,7 @@ + return True; + } + ++ memset(&cct, 0, sizeof(cct)); + cct.type = rfbClientCutText; + cct.length = Swap32IfLE((unsigned int) len); + currentMsg = rfbClientCutText; diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch --- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch 1970-01-01 01:00:00.000000000 +0100 +++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20024.patch 2019-12-16 19:37:52.000000000 +0100 
@@ -0,0 +1,43 @@ +Description: CVE-2018-20024 + null pointer dereference in VNC client code that can result DoS. +--- + +Author: Abhijith PA <abhij...@debian.org> +Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 +Bug: https://github.com/LibVNC/libvncserver/issues/254 +Bug-Debian: https://bugs.debian.org/916941 +Last-Update: 2018-12-23 + +[sunweaver] Investigate CVE-2018-20024 in ssvnc and find similar issues in zrle.c and zlib.c. + The ultra.c code that this has originally been reported against is not present in + ssvnc. + +--- a/vnc_unixsrc/vncviewer/zlib.c ++++ b/vnc_unixsrc/vncviewer/zlib.c +@@ -55,6 +55,11 @@ + raw_buffer_size = (( rw * rh ) * ( BPP / 8 )); + raw_buffer = (char*) malloc( raw_buffer_size ); + ++ if (raw_buffer == NULL) { ++ ++ return False; ++ ++ } + } + + if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader)) +--- a/vnc_unixsrc/vncviewer/zrle.c ++++ b/vnc_unixsrc/vncviewer/zrle.c +@@ -132,6 +132,12 @@ + raw_buffer_size = min_buffer_size; + raw_buffer = (char*) malloc( raw_buffer_size ); + ++ if ( raw_buffer == NULL ) { ++ ++ return False; ++ ++ } ++ + } + + if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader)) diff -Nru ssvnc-1.0.29/debian/patches/series ssvnc-1.0.29/debian/patches/series --- ssvnc-1.0.29/debian/patches/series 2016-07-30 23:09:13.000000000 +0200 +++ ssvnc-1.0.29/debian/patches/series 2020-05-31 20:57:56.000000000 +0200 @@ -6,3 +6,7 @@ openssl1.1.patch auto-scale.patch samemachine_ip6_overflow.patch +libvncclient_CVE-2018-20020.patch +libvncclient_CVE-2018-20021.patch +libvncclient_CVE-2018-20022.patch +libvncclient_CVE-2018-20024.patch
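Review bot: the debian/changelog hunk closes #945827, while the DEP-3 headers of all four new patches carry `Bug-Debian: https://bugs.debian.org/916941`; if 945827 is the buster-specific report and 916941 the original one, it would help tracking to reference both in one place (either both bugs in the changelog, or the buster bug added to the patch headers) so the two numbers are visibly connected. Minor wording in the same hunk: `null pointer dereference that can result DoS` should read `that can result in DoS`.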
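Review bot: in the corre.c hunk of libvncclient_CVE-2018-20020.patch, the new guard `hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8))` only protects the subsequent `ReadFromRFBServer(buffer, ...)` if `buffer` really is BUFFER_SIZE bytes, and that relationship is not visible in the hunk; a short comment stating it (or a `sizeof(buffer)`-based bound where `buffer` is an array) would keep the check from silently becoming wrong if the buffer definition changes. The integer division rounds down, so the bound is conservative, which is the right direction.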
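Review bot: in the rfbproto.c hunk of libvncclient_CVE-2018-20021.patch, `while (linesToRead && rect.r.h > 0)` stops the infinite loop when `linesToRead` is 0, but it does so by skipping the loop with `rect.r.h` rows still unread on the socket; unless the code after the loop (outside this hunk) fails the update in that case, the client carries on parsing the stream from the middle of a rectangle. Consider rejecting `linesToRead == 0` explicitly before the loop, along the lines of the existing diagnostics in that function (`fprintf(stderr, ...)` followed by `return False;`), so the connection is dropped instead of desynchronized.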
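Review bot: in the two rfbproto.c hunks of libvncclient_CVE-2018-20022.patch, the `memset(&ke, 0, sizeof(ke))` and `memset(&cct, 0, sizeof(cct))` calls zero the padding bytes of the two stack-allocated message structs before they are sent, which is exactly what the CVE needs. Since the Origin commit was written against libvncclient's source layout rather than ssvnc's vnc_unixsrc/vncviewer/rfbproto.c, it is worth a quick pass over the other client-to-server messages built on the stack in this file to confirm none of them needs the same treatment in the port.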
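Review bot: in the zlib.c hunk of libvncclient_CVE-2018-20024.patch, `return False` on a NULL `raw_buffer` happens after `raw_buffer_size` has already been set to `(( rw * rh ) * ( BPP / 8 ))`; if the enclosing block (its condition sits outside the hunk) only re-allocates when `raw_buffer_size` is too small, a later call with the same or a smaller rectangle will skip the malloc and dereference the NULL `raw_buffer`. Resetting `raw_buffer_size = 0;` before `return False;` keeps a failed allocation from being mistaken for a valid buffer. The two empty `+` lines inside the braces can also go.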
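Review bot: in the zrle.c hunk of libvncclient_CVE-2018-20024.patch, the failure path leaves `raw_buffer_size` at `min_buffer_size` with `raw_buffer == NULL`, so if the surrounding block only re-allocates when the buffer is too small (condition not in the hunk), a subsequent call may bypass the malloc and use the NULL pointer; reset `raw_buffer_size = 0;` before returning. Style-wise, the block has blank lines inside the braces plus an extra blank `+` line after the closing brace, and `if ( raw_buffer == NULL )` is spaced differently from the zlib.c check; a compact three-line `if (raw_buffer == NULL) { ... return False; }` in both files would read better.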