Bug#724545: vino: CVE-2013-5745 denial of service via infinite loop
Nico Golde
nion at debian.org
Tue Sep 24 23:14:24 UTC 2013
Package: vino
Severity: grave
Tags: security
Hi,
the following vulnerability was published for vino.
CVE-2013-5745[0]:
| Persistent DoS Vulnerability in Vino VNC Server
|
| This vulnerability is triggered when the user is required to enter a password.
| The server closes the client connection on receiving an unexpected input
| sequence from the client.
|
| The unprocessed client data remains in the buffer; the server does not remove
| them from buffer since the client connection has been closed.
| The result is an infinite loop at the do-while (more_data_pending
| (rfb_client->sock)) in vino-server.c:415
| The gdm and vino-server processes together take up 100% CPU, causing denial of
| service (see screenshot).
| In our tests, the DOS is triggered when the same input sequence is replayed
| twice (see pcap).
|
| vino-server.c:415 (vino 2.26.1):
| 407:vino_server_client_data_pending (GIOChannel *source,
| 408: GIOCondition condition,
| 409: rfbClientPtr rfb_client)
| 410:{
| 411: if (rfb_client->onHold)
| 412: return TRUE;
| 414: do {
| 415: rfbProcessClientMessage (rfb_client);
| 416: } while (more_data_pending (rfb_client->sock));
|
| The original 2.26.1 binary, pcap and screenshot are attached with this email.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5745
http://security-tracker.debian.org/tracker/CVE-2013-5745
https://bugzilla.gnome.org/show_bug.cgi?id=641811
Please adjust the affected versions in the BTS as needed.
--
Nico Golde - XMPP: nion at jabber.ccc.de - GPG: 0xA0A0AAAA
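
Added illustration (not part of the original report and not vino's code or its upstream fix): a minimal C model of the loop shape quoted above, showing why an exit condition based only on pending data never ends once the connection is closed with bytes still unread, beside a variant that also stops on a closed connection. The names struct client, process_message, drain_unguarded, drain_guarded and SPIN_LIMIT are hypothetical, and the client state is constructed sample data.

```c
#include <stdbool.h>
#include <stdio.h>

#define SPIN_LIMIT 1000 /* stand-in for "forever" so the demo terminates */

/* Constructed stand-in for an RFB client: unread bytes plus a closed flag. */
struct client { size_t unread; bool closed; };

/* Models the handler: an unexpected message closes the connection and
 * returns early, so the remaining bytes are never consumed. */
static void process_message(struct client *c, bool unexpected)
{
    if (c->closed)
        return;
    if (unexpected) {
        c->closed = true;
        return;
    }
    if (c->unread > 0)
        c->unread--;
}

static bool more_data_pending(const struct client *c) { return c->unread > 0; }

/* Loop shape from the report: the exit test looks only at pending data. */
static int drain_unguarded(struct client *c, bool unexpected)
{
    int iterations = 0;
    do {
        process_message(c, unexpected);
        iterations++;
    } while (more_data_pending(c) && iterations < SPIN_LIMIT);
    return iterations;
}

/* Guarded variant: a closed connection also ends the loop. */
static int drain_guarded(struct client *c, bool unexpected)
{
    int iterations = 0;
    do {
        process_message(c, unexpected);
        iterations++;
    } while (!c->closed && more_data_pending(c));
    return iterations;
}

int main(void)
{
    struct client a = { 8, false }, b = { 8, false };
    printf("unguarded: %d iterations\n", drain_unguarded(&a, true));
    printf("guarded:   %d iterations\n", drain_guarded(&b, true));
    return 0;
}
```

Without the SPIN_LIMIT cap the unguarded loop would not return, which corresponds to the 100% CPU symptom described in the report.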