vino: CVE-2013-5745 denial of service via infinite loop

Related Vulnerabilities: CVE-2013-5745  

Debian Bug report logs - #724545

Reported by: Nico Golde <nion@debian.org>

Date: Tue, 24 Sep 2013 23:18:02 UTC

Severity: grave

Tags: security

Fixed in version 3.10.1-1

Done: Andreas Henriksson <andreas@fatal.se>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#724545; Package vino. (Tue, 24 Sep 2013 23:18:06 GMT).


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 24 Sep 2013 23:18:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: vino: CVE-2013-5745 denial of service via infinite loop
Date: Wed, 25 Sep 2013 01:14:24 +0200
Package: vino
Severity: grave
Tags: security

Hi,
the following vulnerability was published for vino.

CVE-2013-5745[0]:
| Persistent DoS Vulnerability in Vino VNC Server
| 
| This vulnerability is triggered when the user is required to enter a password.
| The server closes the client connection on receiving an unexpected input
| sequence from the client.
| 
| The unprocessed client data remains in the buffer; the server does not remove
| them from buffer since the client connection has been closed.
| The result is an infinite loop at the do-while (more_data_pending
| (rfb_client->sock)) in vino-server.c:415
| The gdm and vino-server processes together take up 100% CPU, causing denial of
| service (see screenshot).
| In our tests, the DOS is triggered when the same input sequence is replayed
| twice (see pcap).
| 
| vino-server.c:415 (vino 2.26.1):
| 407:vino_server_client_data_pending (GIOChannel   *source,
| 408:                             GIOCondition  condition,
| 409:                             rfbClientPtr  rfb_client)
| 410:{
| 411:  if (rfb_client->onHold)
| 412:    return TRUE;
| 414:  do {
| 415:    rfbProcessClientMessage (rfb_client);
| 416:  } while (more_data_pending (rfb_client->sock));
| 
| The original 2.26.1 binary, pcap and screenshot are attached with this email.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5745
    http://security-tracker.debian.org/tracker/CVE-2013-5745
    https://bugzilla.gnome.org/show_bug.cgi?id=641811

Please adjust the affected versions in the BTS as needed.

-- 
Nico Golde - XMPP: nion@jabber.ccc.de - GPG: 0xA0A0AAAA
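
The loop condition described in the report above, modelled as an added example; it is not part of the bug report, not vino's source and not the upstream fix. `struct client`, `process_message`, `run_loop`, the `guard` flag and the iteration cap are hypothetical names, and the input bytes are constructed.

```c
#include <stdio.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for rfbClientPtr: a socket plus a "closed" flag. */
struct client { int sock; int closed; };

/* Zero-timeout poll: is there unread data on the socket? */
static int more_data_pending(int sock) {
    fd_set fds; struct timeval tv = {0, 0};
    FD_ZERO(&fds); FD_SET(sock, &fds);
    return select(sock + 1, &fds, NULL, NULL, &tv) > 0;
}

/* Stand-in for rfbProcessClientMessage: once the client is marked closed,
 * nothing is read, so bytes already queued are never drained. */
static void process_message(struct client *c) {
    char byte;
    if (c->closed) return;
    if (read(c->sock, &byte, 1) != 1 || byte != 'A') /* 'A' = expected input */
        c->closed = 1;                                /* unexpected: drop client */
}

/* Runs the do-while and returns the iterations used. The cap stands in for
 * "forever" so the model terminates; guard=1 adds a closed-client check. */
static int run_loop(const char *input, size_t len, int guard, int cap) {
    int sv[2], n = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    struct client c = { sv[0], 0 };
    if (write(sv[1], input, len) == (ssize_t)len) {
        do {
            process_message(&c);
            n++;
            if (guard && c.closed) break;  /* hardened: stop on closed client */
        } while (n < cap && more_data_pending(c.sock));
    } else n = -1;
    close(sv[0]); close(sv[1]);
    return n;
}

int main(void) {
    const char replay[] = "A?A?";  /* constructed input: 2nd byte is unexpected */
    printf("unguarded: %d iterations (cap 1000)\n", run_loop(replay, 4, 0, 1000));
    printf("guarded:   %d iterations\n", run_loop(replay, 4, 1, 1000));
    return 0;
}
```

Without the guard the loop only ends at the cap, because the poll keeps reporting the bytes that were queued behind the rejected one; well-formed input drains normally in both variants.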

Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Thu, 17 Oct 2013 11:36:05 GMT).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Thu, 17 Oct 2013 11:36:05 GMT).


Message #10 received at 724545-done@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: Nico Golde <nion@debian.org>, 724545-done@bugs.debian.org
Subject: Re: Bug#724545: vino: CVE-2013-5745 denial of service via infinite loop
Date: Thu, 17 Oct 2013 13:33:42 +0200
Version: 3.10.1-1


Fixed in 3.10.1-1 which has been uploaded to unstable. Unfortunately not
mentioned in the changelog.

If this should be fixed for stable as well (via stable or
stable-security), please let us know.


Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


Reply sent to Andreas Henriksson <andreas@fatal.se>:
You have taken responsibility. (Thu, 17 Oct 2013 11:39:08 GMT).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Thu, 17 Oct 2013 11:39:08 GMT).


Message #15 received at 724545-done@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: 724545-done@bugs.debian.org
Subject: vino cve fixed
Date: Thu, 17 Oct 2013 13:30:44 +0200
Package: vino
Version: 3.10.1-1

The cve was fixed in the new upstream version I just uploaded.
I missed this bug report and thus forgot to add both Closes and CVE
to the changelog entry. This has been fixed in the packaging Subversion
repository and will be part of the next future upload.

-- 
Andreas Henriksson



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:39:49 GMT).

