tigervnc: CVE-2014-8241: NULL pointer dereference flaw in XRegion

Related Vulnerabilities: CVE-2014-8241   CVE-2014-6052  

Debian Bug report logs - #849478
tigervnc: CVE-2014-8241: NULL pointer dereference flaw in XRegion

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 27 Dec 2016 16:09:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version tigervnc/1.6.0+dfsg-4

Fixed in version tigervnc/1.7.0-2

Done: Ola Lundqvist <opal@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, TigerVNC Packaging Team <pkg-tigervnc-devel@lists.alioth.debian.org>:
Bug#849478; Package src:tigervnc. (Tue, 27 Dec 2016 16:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, TigerVNC Packaging Team <pkg-tigervnc-devel@lists.alioth.debian.org>. (Tue, 27 Dec 2016 16:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tigervnc: CVE-2014-8241: NULL pointer dereference flaw in XRegion
Date: Tue, 27 Dec 2016 17:04:15 +0100
Source: tigervnc
Version: 1.6.0+dfsg-4
Severity: grave
Tags: security upstream patch
Justification: user security hole

Hi,

the following vulnerability was published for tigervnc.

CVE-2014-8241[0]:
| XRegion in TigerVNC allows remote VNC servers to cause a denial of
| service (NULL pointer dereference) by leveraging failure to check a
| malloc return value, a similar issue to CVE-2014-6052.

The Red Hat bug[1] contains details and a patch[2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8241
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8241
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1151312
[2] https://bugzilla.redhat.com/attachment.cgi?id=946490

Regards,
Salvatore



Reply sent to Ola Lundqvist <opal@debian.org>:
You have taken responsibility. (Thu, 29 Dec 2016 19:18:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 29 Dec 2016 19:18:11 GMT)


Message #10 received at 849478-done@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 849478-done@bugs.debian.org
Subject: Re: [Pkg-tigervnc-devel] Bug#849478: tigervnc: CVE-2014-8241: NULL pointer dereference flaw in XRegion
Date: Thu, 29 Dec 2016 20:15:14 +0100
Version: 1.6.0+dfsg-2

Hi Salvatore

I have looked into this bug however and this one is indeed solved.
Unless I'm looking with very grumble eyes (I probably do as I should
be in bed).

// Ola

On 27 December 2016 at 17:04, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Source: tigervnc
> Version: 1.6.0+dfsg-4
> Severity: grave
> Tags: security upstream patch
> Justification: user security hole
>
> Hi,
>
> the following vulnerability was published for tigervnc.
>
> CVE-2014-8241[0]:
> | XRegion in TigerVNC allows remote VNC servers to cause a denial of
> | service (NULL pointer dereference) by leveraging failure to check a
> | malloc return value, a similar issue to CVE-2014-6052.
>
> The Red Hat bug[1] contains details and a patch[2].
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2014-8241
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8241
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1151312
> [2] https://bugzilla.redhat.com/attachment.cgi?id=946490
>
> Regards,
> Salvatore
>
> _______________________________________________
> Pkg-tigervnc-devel mailing list
> Pkg-tigervnc-devel@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-tigervnc-devel



-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Folkebogatan 26          \
|  ola@inguza.com                      654 68 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------



Information forwarded to debian-bugs-dist@lists.debian.org, TigerVNC Packaging Team <pkg-tigervnc-devel@lists.alioth.debian.org>:
Bug#849478; Package src:tigervnc. (Thu, 29 Dec 2016 21:06:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to TigerVNC Packaging Team <pkg-tigervnc-devel@lists.alioth.debian.org>. (Thu, 29 Dec 2016 21:06:02 GMT)


Message #15 received at 849478@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Ola Lundqvist <opal@debian.org>
Cc: 849478@bugs.debian.org
Subject: Re: Bug#849478 closed by Ola Lundqvist <opal@debian.org> (Re: [Pkg-tigervnc-devel] Bug#849478: tigervnc: CVE-2014-8241: NULL pointer dereference flaw in XRegion)
Date: Thu, 29 Dec 2016 22:03:20 +0100
Control: reopen -1
Control: found -1 1.6.0+dfsg-4

On Thu, Dec 29, 2016 at 07:18:11PM +0000, Debian Bug Tracking System wrote:
> Hi Salvatore
> 
> I have looked into this bug however and this one is indeed solved.
> Unless I'm looking with very grumble eyes (I probably do as I should
> be in bed).

The problem should be in lines 1079-1090:

1077     else
1078     {
1079         /*
1080          * No point in doing the extra work involved in an Xrealloc if
1081          * the region is empty
1082          */
1083         newReg->size = 1;
1084         Xfree((char *) newReg->rects);
1085         newReg->rects = (BoxPtr) Xmalloc(sizeof(BoxRec));
1086     }
1087     }
1088     Xfree ((char *) oldRects);
1089     return;
1090 }

The patch from Red Hat does add a check for newReg->rects, which is missing in
the above (cf. lines after 1085).

Hope this helps.

Regards,
Salvatore
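
The missing check discussed in this message, as an added example (not TigerVNC's code and not the Red Hat patch): a simplified model of the quoted lines 1083-1085 beside a checked variant. The struct layout, the `test_malloc` failure hook and the choice to reset `size` to 0 on failure are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified stand-ins for the Xlib region types in the excerpt. */
typedef struct { short x1, x2, y1, y2; } BoxRec, *BoxPtr;
typedef struct { long size; long numRects; BoxPtr rects; } RegionRec;

/* Hypothetical test hook: when set, the next allocation fails once. */
static int fail_next_alloc;
static void *test_malloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* Pattern of lines 1083-1085: the allocation result is never checked. */
static void shrink_empty_unchecked(RegionRec *reg) {
    reg->size = 1;
    free(reg->rects);
    reg->rects = (BoxPtr) test_malloc(sizeof(BoxRec));
    /* On failure size == 1 but rects == NULL; a later store to rects[0] faults. */
}

/* Checked variant (assumed handling): keep size consistent, report failure. */
static int shrink_empty_checked(RegionRec *reg) {
    free(reg->rects);
    reg->rects = (BoxPtr) test_malloc(sizeof(BoxRec));
    reg->size = reg->rects ? 1 : 0;
    if (!reg->rects) reg->numRects = 0;
    return reg->rects != NULL;
}

/* Invariant: a region that claims capacity must have storage behind it. */
static int region_is_consistent(const RegionRec *reg) {
    return reg->size == 0 || reg->rects != NULL;
}

/* Shrink a region under a simulated allocation failure; return the invariant. */
static int demo(int use_checked) {
    RegionRec reg = { 4, 0, malloc(4 * sizeof(BoxRec)) };
    fail_next_alloc = 1;
    if (use_checked) (void) shrink_empty_checked(&reg); else shrink_empty_unchecked(&reg);
    int ok = region_is_consistent(&reg);
    free(reg.rects);
    return ok;
}

int main(void) {
    printf("unchecked: %d, checked: %d\n", demo(0), demo(1));
    return 0;
}
```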



Bug reopened Request was from Salvatore Bonaccorso <carnil@debian.org> to 849478-submit@bugs.debian.org. (Thu, 29 Dec 2016 21:06:02 GMT)


No longer marked as fixed in versions 1.6.0+dfsg-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to 849478-submit@bugs.debian.org. (Thu, 29 Dec 2016 21:06:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, TigerVNC Packaging Team <pkg-tigervnc-devel@lists.alioth.debian.org>:
Bug#849478; Package src:tigervnc. (Thu, 29 Dec 2016 21:33:03 GMT)


Acknowledgement sent to Ola Lundqvist <opal@debian.org>:
Extra info received and forwarded to list. Copy sent to TigerVNC Packaging Team <pkg-tigervnc-devel@lists.alioth.debian.org>. (Thu, 29 Dec 2016 21:33:03 GMT)


Message #24 received at 849478@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Ola Lundqvist <opal@debian.org>, 849478@bugs.debian.org
Subject: Re: Bug#849478 closed by Ola Lundqvist <opal@debian.org> (Re: [Pkg-tigervnc-devel] Bug#849478: tigervnc: CVE-2014-8241: NULL pointer dereference flaw in XRegion)
Date: Thu, 29 Dec 2016 22:28:34 +0100

Hi

Thank you. I'll check again. I probably failed to check this as most
were rejected and I checked almost all other lines.

// Ola

On 29 December 2016 at 22:03, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Control: reopen -1
> Control: found -1 1.6.0+dfsg-4
>
> On Thu, Dec 29, 2016 at 07:18:11PM +0000, Debian Bug Tracking System wrote:
>> Hi Salvatore
>>
>> I have looked into this bug however and this one is indeed solved.
>> Unless I'm looking with very grumble eyes (I probably do as I should
>> be in bed).
>
> The problem should be in lines 1079-1090:
>
> 1077     else
> 1078     {
> 1079         /*
> 1080          * No point in doing the extra work involved in an Xrealloc if
> 1081          * the region is empty
> 1082          */
> 1083         newReg->size = 1;
> 1084         Xfree((char *) newReg->rects);
> 1085         newReg->rects = (BoxPtr) Xmalloc(sizeof(BoxRec));
> 1086     }
> 1087     }
> 1088     Xfree ((char *) oldRects);
> 1089     return;
> 1090 }
>
> The patch from Red Hat, does add a check for newReg->rects, which in above is
> missing (cf. Lines after 1085).
>
> Hope this helps.
>
> Regards,
> Salvatore



-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Folkebogatan 26          \
|  ola@inguza.com                      654 68 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------



Reply sent to Ola Lundqvist <opal@debian.org>:
You have taken responsibility. (Thu, 29 Dec 2016 22:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 29 Dec 2016 22:51:03 GMT)


Message #29 received at 849478-close@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: 849478-close@bugs.debian.org
Subject: Bug#849478: fixed in tigervnc 1.7.0-2
Date: Thu, 29 Dec 2016 22:49:33 +0000
Source: tigervnc
Source-Version: 1.7.0-2

We believe that the bug you reported is fixed in the latest version of
tigervnc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849478@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ola Lundqvist <opal@debian.org> (supplier of updated tigervnc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 29 Dec 2016 22:04:35 +0000
Source: tigervnc
Binary: tigervnc-common tigervnc-scraping-server tigervnc-standalone-server tigervnc-xorg-extension tigervnc-viewer
Architecture: source amd64
Version: 1.7.0-2
Distribution: unstable
Urgency: high
Maintainer: TigerVNC Packaging Team <pkg-tigervnc-devel@lists.alioth.debian.org>
Changed-By: Ola Lundqvist <opal@debian.org>
Description:
 tigervnc-common - Virtual network computing; Common software needed by servers
 tigervnc-scraping-server - VNC server uses screen scraping of an already running X server
 tigervnc-standalone-server - Standalone VNC server
 tigervnc-viewer - Virtual network computing client software for X
 tigervnc-xorg-extension - X server vnc extension
Closes: 849478
Changes:
 tigervnc (1.7.0-2) unstable; urgency=high
 .
   * Most of CVE-2014-8241 was already corrected but this update corrects
     one missing part of that CVE. Closes: #849478.
   * Added a versioned dependency on xorg source.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 15 Mar 2017 07:34:54 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:49:58 2019; Machine Name: buxtehude
