Bug 24177 - libvncserver, x11vnc new security issues fixed upstream in 0.9.12, 0.9.16
Summary: libvncserver, x11vnc new security issues fixed upstream in 0.9.12, 0.9.16
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-01-14 04:10 CET by David Walser
Modified: 2019-02-01 19:19 CET

See Also:
Source RPM: libvncserver-0.9.11-4.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2019-01-14 04:10:56 CET
LibVNCServer 0.9.12 was released on January 6:
https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.12

It says that it fixed multiple security issues in LibVNCClient.

Mageia 6 is also affected.
David Walser 2019-01-14 04:11:05 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David GEIGER 2019-01-14 08:01:46 CET
Fixed both mga6 and Cauldron!

CC: (none) => geiger.david68210

Comment 2 David Walser 2019-01-14 14:27:35 CET
Thanks!

Advisory:
========================

Updated libvncserver packages fix security vulnerabilities:

A heap use-after-free vulnerability in the server code of the file transfer
extension, which can result in remote code execution. This attack appears to
be exploitable via network connectivity (CVE-2018-6307).

A heap out-of-bound write vulnerability in the server code of the file
transfer extension, which can result in remote code execution. This attack
appears to be exploitable via network connectivity (CVE-2018-15127).

Multiple heap out-of-bound write vulnerabilities in VNC client code, which can
result in remote code execution (CVE-2018-20019).

Heap out-of-bound write vulnerability in a structure in VNC client code, which
can result in remote code execution (CVE-2018-20020).

Infinite Loop vulnerability in VNC client code. The vulnerability could allow
an attacker to consume an excessive amount of resources, such as CPU and RAM
(CVE-2018-20021).

Improper Initialization weaknesses in VNC client code, which could allow an
attacker to read stack memory and can be abused for information disclosure.
Combined with another vulnerability, it can be used to leak stack memory
layout and bypass ASLR (CVE-2018-20022).

Improper Initialization vulnerability in VNC Repeater client code, which could
allow an attacker to read stack memory and can be abused for information
disclosure. Combined with another vulnerability, it can be used to leak stack
memory layout and bypass ASLR (CVE-2018-20023).

A null pointer dereference in VNC client code, which can result in DoS
(CVE-2018-20024).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6307
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20020
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20024
https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.12
https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html
========================

Updated packages in core/updates_testing:
========================
libvncserver1-0.9.12-1.mga6
libvncserver-devel-0.9.12-1.mga6

from libvncserver-0.9.12-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 6

Comment 3 David Walser 2019-01-15 02:21:36 CET
Missed one CVE in the advisory.

Advisory:
========================

Updated libvncserver packages fix security vulnerabilities:

A heap use-after-free vulnerability in the server code of the file transfer
extension, which can result in remote code execution. This attack appears to
be exploitable via network connectivity (CVE-2018-6307).

A heap use-after-free vulnerability in the server code of the file transfer
extension, which can result in remote code execution. This attack appears to
be exploitable via network connectivity (CVE-2018-15126).

A heap out-of-bound write vulnerability in the server code of the file
transfer extension, which can result in remote code execution. This attack
appears to be exploitable via network connectivity (CVE-2018-15127).

Multiple heap out-of-bound write vulnerabilities in VNC client code, which can
result in remote code execution (CVE-2018-20019).

Heap out-of-bound write vulnerability in a structure in VNC client code, which
can result in remote code execution (CVE-2018-20020).

Infinite Loop vulnerability in VNC client code. The vulnerability could allow
an attacker to consume an excessive amount of resources, such as CPU and RAM
(CVE-2018-20021).

Improper Initialization weaknesses in VNC client code, which could allow an
attacker to read stack memory and can be abused for information disclosure.
Combined with another vulnerability, it can be used to leak stack memory
layout and bypass ASLR (CVE-2018-20022).

Improper Initialization vulnerability in VNC Repeater client code, which could
allow an attacker to read stack memory and can be abused for information
disclosure. Combined with another vulnerability, it can be used to leak stack
memory layout and bypass ASLR (CVE-2018-20023).

A null pointer dereference in VNC client code, which can result in DoS
(CVE-2018-20024).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6307
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20020
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20024
https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.12
https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html
https://lists.opensuse.org/opensuse-updates/2019-01/msg00027.html
========================

Comment 4 David Walser 2019-01-15 03:05:12 CET
x11vnc is also affected by these issues.

Advisory:
========================

Updated libvncserver and x11vnc packages fix security vulnerabilities:

A heap use-after-free vulnerability in the server code of the file transfer
extension, which can result in remote code execution. This attack appears to
be exploitable via network connectivity (CVE-2018-6307).

A heap use-after-free vulnerability in the server code of the file transfer
extension, which can result in remote code execution. This attack appears to
be exploitable via network connectivity (CVE-2018-15126).

A heap out-of-bound write vulnerability in the server code of the file
transfer extension, which can result in remote code execution. This attack
appears to be exploitable via network connectivity (CVE-2018-15127).

Multiple heap out-of-bound write vulnerabilities in VNC client code, which can
result in remote code execution (CVE-2018-20019).

Heap out-of-bound write vulnerability in a structure in VNC client code, which
can result in remote code execution (CVE-2018-20020).

Infinite Loop vulnerability in VNC client code. The vulnerability could allow
an attacker to consume an excessive amount of resources, such as CPU and RAM
(CVE-2018-20021).

Improper Initialization weaknesses in VNC client code, which could allow an
attacker to read stack memory and can be abused for information disclosure.
Combined with another vulnerability, it can be used to leak stack memory
layout and bypass ASLR (CVE-2018-20022).

Improper Initialization vulnerability in VNC Repeater client code, which could
allow an attacker to read stack memory and can be abused for information
disclosure. Combined with another vulnerability, it can be used to leak stack
memory layout and bypass ASLR (CVE-2018-20023).

A null pointer dereference in VNC client code, which can result in DoS
(CVE-2018-20024).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6307
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20020
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20024
https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.12
https://github.com/LibVNC/x11vnc/releases/tag/0.9.15
https://github.com/LibVNC/x11vnc/releases/tag/0.9.16
https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html
https://lists.opensuse.org/opensuse-updates/2019-01/msg00027.html
========================

Updated packages in core/updates_testing:
========================
libvncserver1-0.9.12-1.mga6
libvncserver-devel-0.9.12-1.mga6
x11vnc-0.9.16-1.mga6

from SRPMS:
libvncserver-0.9.12-1.mga6.src.rpm
x11vnc-0.9.16-1.mga6.src.rpm

Summary: libvncserver new security issues fixed upstream in 0.9.12 => libvncserver, x11vnc new security issues fixed upstream in 0.9.12, 0.9.16

David Walser 2019-01-15 14:00:38 CET

Severity: normal => critical

Comment 5 PC LX 2019-01-15 14:15:08 CET
Installed and tested without issues.

Tested using krdc and tigervnc clients.

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep -i 'vnc|krdc' | sort
krdc-17.12.2-1.mga6
krdc-handbook-17.12.2-1.mga6
lib64krdccore5-17.12.2-1.mga6
lib64vncserver1-0.9.12-1.mga6
tigervnc-1.8.0-1.mga6
x11vnc-0.9.16-1.mga6

Severity: critical => normal
Whiteboard: (none) => MGA6-64-OK
CC: (none) => mageia
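
Added example, not part of this bug report and not code from the libvncserver or x11vnc projects: a Python check that reads `rpm -qa` output in the name-version-release form shown in comment 5 and reports any package still below the fixed versions listed in comment 4. It compares version-release strings the way rpm's rpmvercmp does (numeric segments numerically, letters lexically, tilde sorting first), so 0.9.11-4.mga6 orders correctly below 0.9.12-1.mga6 and 0.9.9 below 0.9.10. The sample output, including the pre-update lib64vncserver1 line, is constructed; the script name check_vnc_update.py is hypothetical; it assumes no epoch (rpm -qa omits it by default) and no arch suffix on the lines.

```python
"""Report installed packages that are still below an advisory's fixed versions.

Reads `rpm -qa` output in name-version-release form (no epoch, no arch
suffix) and compares version-release strings the way rpm does: digit runs
compare numerically, letter runs lexically, a numeric segment beats an
alphabetic one, and a tilde sorts before everything else.
"""
import re
import sys

# Fixed version-release per package, taken from the advisory in comment 4.
FIXED = {
    "libvncserver1": "0.9.12-1.mga6",
    "lib64vncserver1": "0.9.12-1.mga6",
    "libvncserver-devel": "0.9.12-1.mga6",
    "lib64vncserver-devel": "0.9.12-1.mga6",
    "x11vnc": "0.9.16-1.mga6",
}

# Constructed `rpm -qa` sample (not real output): a host that updated x11vnc
# but still has the pre-advisory libvncserver from the Source RPM field.
SAMPLE_RPM_QA = """\
krdc-17.12.2-1.mga6
lib64vncserver1-0.9.11-4.mga6
tigervnc-1.8.0-1.mga6
x11vnc-0.9.16-1.mga6
"""

_SEGMENT = re.compile(r"~|\d+|[A-Za-z]+")   # rpm ignores every other separator


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a <, == or > b using rpm's segment rules."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":              # tilde is smaller than anything
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():        # number beats letters (1.1 > 1.a)
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    rest_a, rest_b = sa[len(sb):], sb[len(sa):]
    if rest_a and rest_a[0] == "~":           # 1.0~rc1 < 1.0
        return -1
    if rest_b and rest_b[0] == "~":
        return 1
    return (len(rest_a) > 0) - (len(rest_b) > 0)   # leftover segments win


def evr_cmp(a: str, b: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def split_nvr(line: str):
    """Split 'name-version-release' into (name, 'version-release'), or None."""
    parts = line.strip().rsplit("-", 2)
    if len(parts) != 3:
        return None
    return parts[0], f"{parts[1]}-{parts[2]}"


def find_vulnerable(rpm_qa_output: str, fixed: dict = FIXED) -> dict:
    """Return {name: installed_vr} for each tracked package older than its fix."""
    vulnerable = {}
    for line in rpm_qa_output.splitlines():
        nvr = split_nvr(line)
        if nvr is None:
            continue
        name, vr = nvr
        if name in fixed and evr_cmp(vr, fixed[name]) < 0:
            vulnerable[name] = vr
    return vulnerable


if __name__ == "__main__":
    # Usage: rpm -qa | python3 check_vnc_update.py   (falls back to the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_QA
    missing = find_vulnerable(data)
    for name, vr in sorted(missing.items()):
        print(f"{name}-{vr} is below fixed {FIXED[name]}")
    sys.exit(1 if missing else 0)
```

A plain string comparison would get 0.9.9 versus 0.9.10 wrong and would mis-order pre-release tildes, which is why the segment comparison is worth carrying even for a one-off check; the exit status makes the script usable as a fleet-wide compliance probe.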

David Walser 2019-01-15 16:03:02 CET

Severity: normal => critical

Comment 6 Lewis Smith 2019-01-15 21:34:03 CET
(In reply to PC LX from comment #5)
> Installed and tested without issues.
Super work, and not easy.
Advisory done from comment 4; validating.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 7 Mageia Robot 2019-01-15 23:16:55 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0037.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 David Walser 2019-02-01 19:19:50 CET
Ubuntu has issued an advisory for this on January 31:
https://usn.ubuntu.com/3877-1/

This update also fixed CVE-2018-20748 and CVE-2018-20749.

We missed CVE-2018-20750, however.
