tigervnc: CVE-2014-8240: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling

Debian Bug report logs - #849479
tigervnc: CVE-2014-8240: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: tigervnc: CVE-2014-8240: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling

Date: Tue, 27 Dec 2016 17:20:18 +0100

Source: tigervnc
Version: 1.6.0+dfsg-4
Severity: grave
Tags: security patch upstream
Justification: user security hole

Hi,

the following vulnerability was published for tigervnc.

CVE-2014-8240[0]:
| Integer overflow in TigerVNC allows remote VNC servers to cause a
| denial of service (crash) and possibly execute arbitrary code via
| vectors related to screen size handling, which triggers a heap-based
| buffer overflow, a similar issue to CVE-2014-6051.

More details are in the Red Hat bug[1] which includes a patch[2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8240
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8240
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1151307
[2] https://bugzilla.redhat.com/attachment.cgi?id=947578

Regards,
Salvatore

Message #10 received at 849479-done@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>

To: 849479-done@bugs.debian.org

Subject: Was corrected in first version uploaded

Date: Wed, 28 Dec 2016 23:05:35 +0100

Version: 1.6.0+dfsg-2

Hi

This problem was corrected already in the version that was first
uploaded to sid.

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Message #15 received at 849479@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 849479@bugs.debian.org, Ola Lundqvist <ola@inguza.com>

Subject: Red Hat patch not applied to 1.6.0+dfsg-4?

Date: Thu, 29 Dec 2016 06:02:53 +0100

Hi Ola,

On Wed, Dec 28, 2016 at 10:09:03PM +0000, Debian Bug Tracking System wrote:
> This problem was corrected already in the version that was first
> uploaded to sid.

Sure about that? I downloaded the tigervnc source package before
reporting the bug, and the patch
https://bugzilla.redhat.com/attachment.cgi?id=947578 is not applied in
Debian.

How where these interger overflow fixed in the 1.6.0 version?

Regards,
Salvatore

p.s.: reopening the bug as safety-measure, as soon above clarified
might be reclosed.

Message #20 received at 849479@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 849479@bugs.debian.org

Cc: opal@debian.org

Subject: Re: Bug#849479: tigervnc: CVE-2014-8240: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling

Date: Thu, 29 Dec 2016 06:07:54 +0100

Example, we have the following code in Image.cxx (all Debian patches
applied):

 75 void Image::Init(int width, int height)                                                       
 76 {
 77   Visual* vis = DefaultVisual(dpy, DefaultScreen(dpy));
 78   trueColor = (vis->c_class == TrueColor);
 79 
 80   xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
 81                      ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
 82 
 83   xim->data = (char *)malloc(xim->bytes_per_line * xim->height);

The referenced Red Hat patch will first validate xim->byptes_per_line
et al.

Regards,
Salvatore

Message #25 received at 849479@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 849479@bugs.debian.org

Subject: Re: Red Hat patch not applied to 1.6.0+dfsg-4?

Date: Thu, 29 Dec 2016 08:42:28 +0100

[Message part 1 (text/plain, inline)]

I will double check again. When I checked the source it looked like the
code was there.

Sent from a phone

Den 29 dec 2016 06:03 skrev "Salvatore Bonaccorso" <carnil@debian.org>:

> Hi Ola,
>
> On Wed, Dec 28, 2016 at 10:09:03PM +0000, Debian Bug Tracking System wrote:
> > This problem was corrected already in the version that was first
> > uploaded to sid.
>
> Sure about that? I downloaded the tigervnc source package before
> reporting the bug, and the patch
> https://bugzilla.redhat.com/attachment.cgi?id=947578 is not applied in
> Debian.
>
> How where these interger overflow fixed in the 1.6.0 version?
>
> Regards,
> Salvatore
>
> p.s.: reopening the bug as safety-measure, as soon above clarified
> might be reclosed.
>

[Message part 2 (text/html, inline)]

Message #34 received at 849479@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Ola Lundqvist <ola@inguza.com>

Cc: 849479@bugs.debian.org

Subject: Re: Red Hat patch not applied to 1.6.0+dfsg-4?

Date: Thu, 29 Dec 2016 11:42:04 +0100

Hi Ola,

On Thu, Dec 29, 2016 at 08:42:28AM +0100, Ola Lundqvist wrote:
> I will double check again. When I checked the source it looked like the
> code was there.

Alright, thanks. I did as well, and posted as well a followup to this
bug. 

Regards,
Salvatore

Message #39 received at 849479@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 849479@bugs.debian.org

Subject: Re: Red Hat patch not applied to 1.6.0+dfsg-4?

Date: Thu, 29 Dec 2016 13:34:52 +0100

[Message part 1 (text/plain, inline)]

Thank you

Sent from a phone

Den 29 dec 2016 11:42 skrev "Salvatore Bonaccorso" <carnil@debian.org>:

> Hi Ola,
>
> On Thu, Dec 29, 2016 at 08:42:28AM +0100, Ola Lundqvist wrote:
> > I will double check again. When I checked the source it looked like the
> > code was there.
>
> Alright, thanks. I did as well, and posted as well a followup to this
> bug.
>
> Regards,
> Salvatore
>

[Message part 2 (text/html, inline)]

Message #44 received at 849479@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>

To: Salvatore Bonaccorso <carnil@debian.org>, 849479@bugs.debian.org

Cc: Ola Lundqvist <ola@inguza.com>

Subject: Re: [Pkg-tigervnc-devel] Bug#849479: Red Hat patch not applied to 1.6.0+dfsg-4?

Date: Thu, 29 Dec 2016 20:13:14 +0100

Hi Salvatore

It turned out that you were right and I was wrong. I'll include this
in the build I'm preparing now.

// Ola

On 29 December 2016 at 11:42, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi Ola,
>
> On Thu, Dec 29, 2016 at 08:42:28AM +0100, Ola Lundqvist wrote:
>> I will double check again. When I checked the source it looked like the
>> code was there.
>
> Alright, thanks. I did as well, and posted as well a followup to this
> bug.
>
> Regards,
> Salvatore
>
> _______________________________________________
> Pkg-tigervnc-devel mailing list
> Pkg-tigervnc-devel@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-tigervnc-devel



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Message #49 received at 849479@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <opal@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 849479@bugs.debian.org, Ola Lundqvist <opal@debian.org>

Subject: Re: Bug#849479: tigervnc: CVE-2014-8240: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling

Date: Thu, 29 Dec 2016 20:13:50 +0100

Hi

Yes you are right. I misread the code. Thank you very much for noticing.

// Ola

On 29 December 2016 at 06:07, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Example, we have the following code in Image.cxx (all Debian patches
> applied):
>
>  75 void Image::Init(int width, int height)
>  76 {
>  77   Visual* vis = DefaultVisual(dpy, DefaultScreen(dpy));
>  78   trueColor = (vis->c_class == TrueColor);
>  79
>  80   xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
>  81                      ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
>  82
>  83   xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
>
> The referenced Red Hat patch will first validate xim->byptes_per_line
> et al.
>
> Regards,
> Salvatore



-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Folkebogatan 26          \
|  ola@inguza.com                      654 68 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------

Message #54 received at 849479-close@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <opal@debian.org>

To: 849479-close@bugs.debian.org

Subject: Bug#849479: fixed in tigervnc 1.7.0-1

Date: Thu, 29 Dec 2016 19:49:59 +0000

Source: tigervnc
Source-Version: 1.7.0-1

We believe that the bug you reported is fixed in the latest version of
tigervnc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849479@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ola Lundqvist <opal@debian.org> (supplier of updated tigervnc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 28 Nov 2016 23:20:20 +0100
Source: tigervnc
Binary: tigervnc-common tigervnc-scraping-server tigervnc-standalone-server tigervnc-xorg-extension tigervnc-viewer
Architecture: source amd64
Version: 1.7.0-1
Distribution: unstable
Urgency: high
Maintainer: TigerVNC Packaging Team <pkg-tigervnc-devel@lists.alioth.debian.org>
Changed-By: Ola Lundqvist <opal@debian.org>
Description:
 tigervnc-common - Virtual network computing; Common software needed by servers
 tigervnc-scraping-server - VNC server uses screen scraping of an already running X server
 tigervnc-standalone-server - Standalone VNC server
 tigervnc-viewer - Virtual network computing client software for X
 tigervnc-xorg-extension - X server vnc extension
Closes: 843543 849479
Changes:
 tigervnc (1.7.0-1) unstable; urgency=high
 .
   * Fresh upstream that help to solve #843543.
    - Modified a special patch for VeNCrypt support as it all parts that made
      sense is already in there.
    - Removed a few patches that are already applied upstream.
    - Did quilt refresh on a few more.
   * Correction to make it build against xorg source 1.19. Closes: #843543.
   * Security correction for CVE-2014-8240 that corrects an integer overflow
     flaw, leading to a heap-based buffer overflow in screen size handling.
     Closes: #849479.
Checksums-Sha1:
 f0e7557a5972e63d117797df058f7c7cf670ee8d 4407 tigervnc_1.7.0-1.dsc
 cd152c1b633fcb13e7e6479583195d57462ea227 1405952 tigervnc_1.7.0.orig.tar.gz
 a01b0b3fd900fe274f510cf256328449bdaeca91 41964 tigervnc_1.7.0-1.debian.tar.xz
 5d810e8cd5a514f760ebffece412244be0effc14 235770 tigervnc-common-dbgsym_1.7.0-1_amd64.deb
 1358b9490adf37c37cd05f2f807fc2e38da2a7c2 63916 tigervnc-common_1.7.0-1_amd64.deb
 3c795edf77c45f7758593c79bdf531021ccbcfac 1152348 tigervnc-scraping-server-dbgsym_1.7.0-1_amd64.deb
 11c37f6263432f1552ca1620e42d6020497cac6b 185632 tigervnc-scraping-server_1.7.0-1_amd64.deb
 99cf8a61d7c962ec4957e52632d34cc5d21fc475 5833060 tigervnc-standalone-server-dbgsym_1.7.0-1_amd64.deb
 06ed8cd6f6c87e0405d0ff632f8daaa343d03335 982710 tigervnc-standalone-server_1.7.0-1_amd64.deb
 04b8d6a015babb7f1b046f400715ff02660c755a 1008412 tigervnc-viewer-dbgsym_1.7.0-1_amd64.deb
 6180c8085a26b0c259505de5f20be332932c0de2 164914 tigervnc-viewer_1.7.0-1_amd64.deb
 e5d8b7c4ca9e8a54a58e6642fcdebf903e9e2bd5 1309332 tigervnc-xorg-extension-dbgsym_1.7.0-1_amd64.deb
 f8f704f80e619b662f1ca34b6a4e7757c9d90b2c 194322 tigervnc-xorg-extension_1.7.0-1_amd64.deb
 5dc0608c4ed832d8df91ee4da0c5d3be21d814d1 14017 tigervnc_1.7.0-1_amd64.buildinfo
Checksums-Sha256:
 178ff2fde0a5cb2858a7ce295eaeadd70b0a90dbff8871ca30d27e5b9a0dfdfa 4407 tigervnc_1.7.0-1.dsc
 4aa704747b4f8f1d59768b663c488fa937e6783db2a46ae407cd2a599cfbf8b1 1405952 tigervnc_1.7.0.orig.tar.gz
 a53f75dbe8bf0399d6fd29c12daa9468c67e4af84915be4f81626d4c365cc8c6 41964 tigervnc_1.7.0-1.debian.tar.xz
 d3f21ac74d2ed971be46e53974070671c045ce35eef3e81a2c3d9b927aa15cd3 235770 tigervnc-common-dbgsym_1.7.0-1_amd64.deb
 3f912170bb1330c3643626edaae3c631d95f7ba2a8d7ba360d01d0b19a0956e5 63916 tigervnc-common_1.7.0-1_amd64.deb
 3d62bb099dccaefce059982d89375f45c5695548a73bbc789e1a1f55a0f72635 1152348 tigervnc-scraping-server-dbgsym_1.7.0-1_amd64.deb
 08a98833513f5a00bd00b78e3df4fb05ec03bb0b96ae5bfee6f33b33072bc4e0 185632 tigervnc-scraping-server_1.7.0-1_amd64.deb
 927555c447b14f95cb698175cc4a8943c72d1c9844c5d07fe580e88ed4181f14 5833060 tigervnc-standalone-server-dbgsym_1.7.0-1_amd64.deb
 1ad4e2bdfa135f57302fe2c5df9f2759aafe99169648c73f4b2cc861d6cc1486 982710 tigervnc-standalone-server_1.7.0-1_amd64.deb
 f458af3d7a010db547314896cb55a13688f2859b668558b364146e019b0833bc 1008412 tigervnc-viewer-dbgsym_1.7.0-1_amd64.deb
 a8a4b056253e19d719520d9cb920b6017d4ac769397856a97fe449e5fbd8c9a6 164914 tigervnc-viewer_1.7.0-1_amd64.deb
 c0126967d97e21b8ef378769be12caec003aa2d56616d85ae4134339cddd6b4b 1309332 tigervnc-xorg-extension-dbgsym_1.7.0-1_amd64.deb
 611abeb979db2a203ffa551c8a3c05ee187b5f3ca3e5a855fb59c41017e35210 194322 tigervnc-xorg-extension_1.7.0-1_amd64.deb
 789acdb5aefca9ee4c2442765f08509889674dfebc69e80faa0a1a443dd18ec2 14017 tigervnc_1.7.0-1_amd64.buildinfo
Files:
 2ce396bba420ac1eaf4abfeb6f9194ce 4407 x11 optional tigervnc_1.7.0-1.dsc
 0930edf4f339283d856ce7027db40308 1405952 x11 optional tigervnc_1.7.0.orig.tar.gz
 bb2dd45700f41c48ed38ccfb13f0ded4 41964 x11 optional tigervnc_1.7.0-1.debian.tar.xz
 1ecccb39ee429584b4bc0e0d2d648b0f 235770 debug extra tigervnc-common-dbgsym_1.7.0-1_amd64.deb
 1d12343296156a29f1e19f0f61774333 63916 x11 optional tigervnc-common_1.7.0-1_amd64.deb
 ff181adc107c40c0852efa601e2abe18 1152348 debug extra tigervnc-scraping-server-dbgsym_1.7.0-1_amd64.deb
 2158ff3a7c1f7bb594123976231ea23a 185632 x11 optional tigervnc-scraping-server_1.7.0-1_amd64.deb
 a33d1f4ef059bc6ea63dcfed3fb26322 5833060 debug extra tigervnc-standalone-server-dbgsym_1.7.0-1_amd64.deb
 89e3f447293c05a36a1d2595336c24ff 982710 x11 optional tigervnc-standalone-server_1.7.0-1_amd64.deb
 6125b78fece2a7f558a245f3c32250af 1008412 debug extra tigervnc-viewer-dbgsym_1.7.0-1_amd64.deb
 4a59bffaa7a00be2da02f550bb6c83ec 164914 x11 optional tigervnc-viewer_1.7.0-1_amd64.deb
 c1174aa0b2ae724ef6b96b95ab2dd175 1309332 debug extra tigervnc-xorg-extension-dbgsym_1.7.0-1_amd64.deb
 d5aaae70a64fcd3f847f07410f58a1b0 194322 x11 optional tigervnc-xorg-extension_1.7.0-1_amd64.deb
 3be59e149eb3bb221928fb859d075c6b 14017 x11 optional tigervnc_1.7.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEIvIyxrHg9L8rJgpqXpDc+pQmh48FAlhlZgYACgkQXpDc+pQm
h4+8OQ//QO+T9LRFTbblPRfZC8dxc7dSi3FOYDzz6zskDrOIGcWPcUM32cXoL9Vb
K8WDq8ZrRQkBU3LkFrCVDM7+HrHagibrffCgWF4ekSM0l/MLuNVZVOnLkgILBUfp
KzMaFjj9YcTY4/k8SgIsOxOoALXwPV3wTf4VniJNTxr/olrtcd33auUz/olROoX9
rWsCgymYeqzOPcER0Je8wpd9uqBbI1SoHbYPFKsxvTmrYqOPn9+sd2ai5Q3DeWVb
eQnmaVivbS9rwoqbgkTxGSA70zhoyB1D8m4ZbYFa9TxvmdSNZU1eWkWKz8D9vX+/
Q6RqAVINruSw8pagFPmr6ljrNUl5jyW58Pf5OxLJRohoTnw7V6fr70QrQjhq3cxt
0VcnbVU1MeCeMnSKYqN3Gwro0G85OzPUCvnjn4oDJVnmOhOYM3qddbFVo0oalEDg
P9KL72zUwHXVrFn+6cb7omtdsxUc79m7D/z11a1X511Y87FglX5SDN02TSyT8TM8
0YlI3fyzJODhCHDG7Y6Nb17bZcSiizLODCOy7mV4dlhb5fXn4sh9F7JXoxUD5eBJ
y2LovI0RIN2HDkRoa/ut7SQyrANWEpEYaUHJ6dtmj9oaOQZYoVXNSKxHA/uzCoFF
UZJ2AWX1p5gjQ00X6k27VOj4VkPlXGw2R8ZArvAzSmvLUXbk/XY=
=pTeE
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.