Bug#945784: [vino] fix libvncserver bundle security issues

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Thu Nov 28 15:49:22 GMT 2019

Package: vino
Version: 3.22.0-5
Tags: security upstream

Dear maintainers of vino,

last month, I started working on an audit regarding
libvncserver+libvncclient in Debian. Code portions from either of
those libraries have been bundled in the Debian src:pkg "vino":

| LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains
| a memory leak (CWE-655) in VNC server code, which allows an attacker to
| read stack memory and can be abused for information disclosure.
| Combined with another vulnerability, it can be used to leak stack
| memory and bypass ASLR. This attack appears to be exploitable via
| network connectivity. These vulnerabilities have been fixed in commit
| d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a.

| An issue was discovered in LibVNCServer through 0.9.11.
| rfbProcessClientNormalMessage() in rfbserver.c does not
| sanitize msg.cct.length, leading to access to uninitialized and
| potentially sensitive data or possibly unspecified other impact
| (e.g., an integer overflow) via specially crafted VNC packets.

| The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c
| in LibVNCServer 0.9.9 and earlier does not properly handle attempts to
| send a large amount of ClientCutText data, which allows remote attackers
| to cause a denial of service (memory consumption or daemon crash) via
| a crafted message that is processed by using a single unchecked malloc.

Find attached a .debdiff (targeting the vino version in
testing/unstable) that resolves the above libvncserver-related issues
in vino.

With my LTS team member hat on, I will upload vino to jessie LTS
within the next hours.

Please let me know if you will also handle uploads to
stretch-security and buster-security. Thanks.

Please note that I have not runtime-tested the vino 3.22.0-5.1
version; the .debdiff is a simple forward port of what I have been
working on for Debian jessie LTS. Thanks.


c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: vino_3.22.0-5_3.22.0-5.1.debdiff
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20191128/bd2ec0ab/attachment-0001.ksh>
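As an added illustration of the ClientCutText handling the quoted advisories describe (example code, not taken from the attached .debdiff or from libvncserver itself): a minimal handler that bounds the client-supplied length before allocating, refuses to trust it beyond the bytes that actually arrived, and zero-fills the buffer. The wire layout, the 1 MiB cap and all names below are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified ClientCutText wire layout (constructed for this example, not
   libvncserver's real structs): 1 byte message type, 3 bytes padding,
   4-byte big-endian length, then `length` bytes of text. */
#define RFB_CLIENT_CUT_TEXT 6
#define CUT_TEXT_MAX (1u << 20)   /* assumed sane upper bound: 1 MiB */

enum { CUT_OK = 0, CUT_BAD_MSG, CUT_TOO_LARGE, CUT_TRUNCATED, CUT_OOM };

/* Hardened handler: validate the length before it reaches the allocator,
   check it against the data actually received, and zero-fill so no
   uninitialized heap bytes can end up in the clipboard text. */
int parse_cut_text(const uint8_t *buf, size_t buflen, char **out, size_t *outlen)
{
    *out = NULL; *outlen = 0;
    if (buflen < 8 || buf[0] != RFB_CLIENT_CUT_TEXT) return CUT_BAD_MSG;
    uint32_t len = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                   ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    /* A plain malloc(len) with no cap is the single unchecked allocation
       the advisory describes: one message can exhaust memory. */
    if (len > CUT_TEXT_MAX) return CUT_TOO_LARGE;
    /* Copying `len` bytes without checking how many arrived reads past the
       received data, i.e. uninitialized or stale memory. */
    if (buflen - 8 < len) return CUT_TRUNCATED;
    char *text = calloc((size_t)len + 1, 1);   /* zeroed, NUL-terminated */
    if (!text) return CUT_OOM;
    memcpy(text, buf + 8, len);
    *out = text; *outlen = len;
    return CUT_OK;
}

/* Convenience wrapper: parse, release the buffer, and report only the status. */
int cut_text_status(const uint8_t *buf, size_t buflen)
{
    char *text; size_t n;
    int rc = parse_cut_text(buf, buflen, &text, &n);
    free(text);   /* free(NULL) is a no-op on the rejection paths */
    return rc;
}
```

Call `cut_text_status()` on a raw message buffer; any status other than `CUT_OK` means the message was rejected before any allocation sized by the client could take place.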