Debian Bug report logs - #724545
vino: CVE-2013-5745 denial of service via infinite loop
Reported by: Nico Golde <nion@debian.org>
Date: Tue, 24 Sep 2013 23:18:02 UTC
Severity: grave
Tags: security
Fixed in version 3.10.1-1
Done: Andreas Henriksson <andreas@fatal.se>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#724545; Package vino. (Tue, 24 Sep 2013 23:18:06 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 24 Sep 2013 23:18:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: vino
Severity: grave
Tags: security
Hi,
the following vulnerability was published for vino.
CVE-2013-5745[0]:
| Persistent DoS Vulnerability in Vino VNC Server
|
| This vulnerability is triggered when the user is required to enter a password.
| The server closes the client connection on receiving an unexpected input
| sequence from the client.
|
| The unprocessed client data remains in the buffer; the server does not remove
| them from buffer since the client connection has been closed.
| The result is an infinite loop at the do-while (more_data_pending
| (rfb_client->sock)) in vino-server.c:415
| The gdm and vino-server processes together take up 100% CPU, causing denial of
| service (see screenshot).
| In our tests, the DOS is triggered when the same input sequence is replayed
| twice (see pcap).
|
| vino-server.c:415 (vino 2.26.1):
| 407:vino_server_client_data_pending (GIOChannel *source,
| 408: GIOCondition condition,
| 409: rfbClientPtr rfb_client)
| 410:{
| 411: if (rfb_client->onHold)
| 412: return TRUE;
| 414: do {
| 415: rfbProcessClientMessage (rfb_client);
| 416: } while (more_data_pending (rfb_client->sock));
|
| The original 2.26.1 binary, pcap and screenshot are attached with this email.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5745
http://security-tracker.debian.org/tracker/CVE-2013-5745
https://bugzilla.gnome.org/show_bug.cgi?id=641811
Please adjust the affected versions in the BTS as needed.
--
Nico Golde - XMPP: nion@jabber.ccc.de - GPG: 0xA0A0AAAA
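The loop behaviour described in the report above, as a self-contained C model (an added example, not vino's code and not the upstream fix). `struct mock_client`, `process_client_message`, `drain_as_reported` and `drain_guarded` are hypothetical names, and the point at which the mock server closes the connection is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for rfbClientPtr: just enough state to model the loop. */
struct mock_client {
    bool   closed;   /* server has already closed the connection */
    size_t unread;   /* bytes still queued on the socket */
};

/* Models more_data_pending(): true while unread bytes sit in the buffer. */
static bool more_data_pending(const struct mock_client *c) { return c->unread > 0; }

/* Models rfbProcessClientMessage(): a closed client consumes nothing. */
static void process_client_message(struct mock_client *c) {
    if (c->closed) return;
    if (c->unread > 0) c->unread--;        /* consume one "message" */
    if (c->unread == 2) c->closed = true;  /* constructed: unexpected input, server closes */
}

/* Loop shape from the report; max_iter exists only so this demo terminates. */
static size_t drain_as_reported(struct mock_client *c, size_t max_iter) {
    size_t n = 0;
    do {
        process_client_message(c);
        n++;
    } while (more_data_pending(c) && n < max_iter);
    return n;
}

/* Guarded loop (assumed mitigation): stop once closed and discard leftovers. */
static size_t drain_guarded(struct mock_client *c) {
    size_t n = 0;
    do {
        process_client_message(c);
        n++;
        if (c->closed) { c->unread = 0; break; }
    } while (more_data_pending(c));
    return n;
}

int main(void) {
    struct mock_client a = { false, 5 }, b = { false, 5 };
    printf("reported loop: %zu iterations (capped)\n", drain_as_reported(&a, 100000));
    printf("guarded loop:  %zu iterations\n", drain_guarded(&b));
    return 0;
}
```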
Reply sent to Michael Biebl <biebl@debian.org>: You have taken responsibility. (Thu, 17 Oct 2013 11:36:05 GMT)
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer. (Thu, 17 Oct 2013 11:36:05 GMT)
Message #10 received at 724545-done@bugs.debian.org:
Version: 3.10.1-1
Fixed in 3.10.1-1 which has been uploaded to unstable. Unfortunately not
mentioned in the changelog.
If this should be fixed for stable as well (via stable or
stable-security), please let us know.
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Reply sent to Andreas Henriksson <andreas@fatal.se>: You have taken responsibility. (Thu, 17 Oct 2013 11:39:08 GMT)
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer. (Thu, 17 Oct 2013 11:39:08 GMT)
Message #15 received at 724545-done@bugs.debian.org:
Package: vino
Version: 3.10.1-1
The cve was fixed in the new upstream version I just uploaded.
I missed this bug report and thus forgot to add both Closes and CVE
to the changelog entry. This has been fixed in the packaging Subversion
repository and will be part of the next future upload.
--
Andreas Henriksson
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:39:49 GMT)
Last modified: Wed Jun 19 17:19:29 2019