Vulnerable to CVE-2019-15680? #349

Closed
risicle opened this issue Nov 23, 2019 · 4 comments

Comments

@risicle

risicle commented Nov 23, 2019

https://nvd.nist.gov/vuln/detail/CVE-2019-15680 is an issue against tightvnc, but as detailed in https://www.openwall.com/lists/oss-security/2018/12/10/5 (it's the last listed issue) it's related to your common ancestor. The other issues listed there you seem to have fixed, but has this one slipped under the radar?

Your version of zlib.c doesn't appear to perform any checking on the malloc result at

client->raw_buffer = (char*) malloc( client->raw_buffer_size );

Are there checks elsewhere before raw_buffer or decompStream.next_out is dereferenced that assert the allocation didn't fail?

@risicle risicle added the bug label Nov 23, 2019
@bk138
Member

bk138 commented Nov 25, 2019

If I'm not mistaken, if client->decompStream.next_out is NULL,

inflateResult = inflate( &client->decompStream, Z_SYNC_FLUSH );

will fail with Z_STREAM_ERROR, so there is no dereference there.

@bk138
Member

bk138 commented Nov 25, 2019

If client->raw_buffer gets assigned NULL, a viewer fails with

client_examples/SDLvncviewer -encodings zlib localhost:3 
25/11/2019 15:31:03 VNC server supports protocol version 3.8 (viewer 3.8)
25/11/2019 15:31:03 We have 1 security types to read
25/11/2019 15:31:03 0) Received security type 1
25/11/2019 15:31:03 Selecting security type 1 (0/1 in the list)
25/11/2019 15:31:03 Selected Security Scheme 1
25/11/2019 15:31:03 No authentication needed
25/11/2019 15:31:03 VNC authentication succeeded
25/11/2019 15:31:03 Desktop name "denkpad:0"
25/11/2019 15:31:03 Connected to VNC server, using protocol version 3.8
25/11/2019 15:31:03 VNC server default format:
25/11/2019 15:31:03   32 bits per pixel.
25/11/2019 15:31:03   Least significant byte first in each pixel.
25/11/2019 15:31:03   TRUE colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
25/11/2019 15:31:03 sending clipboard text 'cmake -DCMAKE_BUILD_TYPE=Debug'
25/11/2019 15:31:03 client2server supported messages (bit flags)
25/11/2019 15:31:03 00: 00ff 0081 0000 0000 - 0000 0000 0000 0000
25/11/2019 15:31:03 08: 0000 0000 0000 0000 - 0000 0000 0000 0000
25/11/2019 15:31:03 10: 0000 0000 0000 0000 - 0000 0000 0000 0000
25/11/2019 15:31:03 18: 0000 0000 0000 0000 - 0000 0000 0000 0000
25/11/2019 15:31:03 server2client supported messages (bit flags)
25/11/2019 15:31:03 00: 001f 0080 0000 0000 - 0000 0000 0000 0000
25/11/2019 15:31:03 08: 0000 0000 0000 0000 - 0000 0000 0000 0000
25/11/2019 15:31:03 10: 0000 0000 0000 0000 - 0000 0000 0000 0000
25/11/2019 15:31:03 18: 0000 0000 0000 0000 - 0000 0000 0000 0000
25/11/2019 15:31:03 Connected to Server "unknown (LibVNCServer 0.9.11)"
25/11/2019 15:31:03 zlib inflate returned error: -2, msg: (null)

OK to close or am I missing something @risicle ?
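
The viewer log above ends with inflate() returning -2, which is zlib's Z_STREAM_ERROR: inflate() rejects a NULL next_out before writing through it, so the frame is dropped rather than the client crashing. The C program below is an added example, not LibVNCServer's code. It models the raw_buffer growth with hypothetical names (vnc_client_t, demo_malloc, grow_raw_buffer_unchecked, grow_raw_buffer_checked, store_raw_pixels) and an injectable allocation failure, and contrasts the unchecked pattern the issue quotes with a variant that checks the allocation and fails closed. The ordering in the unchecked model (size field updated before malloc) is an assumption about the surrounding code, which the issue does not show; the 16-byte pixel payload is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two client fields the zlib decoder uses.
 * Constructed for this example; not LibVNCServer's rfbClient struct. */
typedef struct {
    char  *raw_buffer;
    size_t raw_buffer_size;
} vnc_client_t;

/* Allocation hook so the demo can simulate malloc() returning NULL
 * without actually exhausting memory. */
static int fail_next_alloc = 0;

static void *demo_malloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

/* Unchecked growth, modelled on the pattern the issue quotes: the size is
 * updated and the new pointer stored whether or not malloc() succeeded.
 * (Size-before-malloc ordering is an assumption, see the lead-in.) */
static char *grow_raw_buffer_unchecked(vnc_client_t *c, size_t needed)
{
    if (c->raw_buffer_size < needed) {
        free(c->raw_buffer);
        c->raw_buffer_size = needed;
        c->raw_buffer = (char *)demo_malloc(c->raw_buffer_size);
    }
    return c->raw_buffer;
}

/* Hardened growth: allocate first, commit pointer and size only on success,
 * and report failure so the caller rejects the frame instead of relying on a
 * later callee (such as inflate()) to notice a NULL pointer. */
static int grow_raw_buffer_checked(vnc_client_t *c, size_t needed)
{
    if (c->raw_buffer_size < needed) {
        char *p = (char *)demo_malloc(needed);
        if (p == NULL) {
            fprintf(stderr, "raw_buffer allocation of %zu bytes failed\n", needed);
            return 0;                 /* old buffer and size stay consistent */
        }
        free(c->raw_buffer);
        c->raw_buffer = p;
        c->raw_buffer_size = needed;
    }
    return 1;
}

/* Decode step that writes into raw_buffer (memcpy stands in for inflate()
 * filling next_out). Returns 1 on success, 0 if the buffer could not be grown. */
static int store_raw_pixels(vnc_client_t *c, const unsigned char *src, size_t len)
{
    if (!grow_raw_buffer_checked(c, len))
        return 0;
    memcpy(c->raw_buffer, src, len);
    return 1;
}

/* Scenario 1: unchecked growth under allocation failure.
 * Returns 1 if the client is left with a NULL buffer and a non-zero size. */
int unchecked_leaves_null_with_stale_size(void)
{
    vnc_client_t c = { NULL, 0 };
    fail_next_alloc = 1;
    char *p = grow_raw_buffer_unchecked(&c, 64);
    int bad = (p == NULL && c.raw_buffer_size == 64);
    free(c.raw_buffer);
    return bad;
}

/* Scenario 2: checked growth under the same failure.
 * Returns 1 if the call failed cleanly and left the size at 0. */
int checked_fails_closed(void)
{
    vnc_client_t c = { NULL, 0 };
    fail_next_alloc = 1;
    int ok = grow_raw_buffer_checked(&c, 64);
    int clean = (ok == 0 && c.raw_buffer == NULL && c.raw_buffer_size == 0);
    free(c.raw_buffer);
    return clean;
}

/* Scenario 3: checked growth with a working allocator, then a write through it.
 * Returns the number of bytes stored, 0 on failure or mismatch. */
size_t checked_stores_pixels(void)
{
    static const unsigned char px[16] = {   /* constructed sample payload */
        0x00,0x11,0x22,0x33, 0x44,0x55,0x66,0x77,
        0x88,0x99,0xaa,0xbb, 0xcc,0xdd,0xee,0xff };
    vnc_client_t c = { NULL, 0 };
    size_t n = store_raw_pixels(&c, px, sizeof px) ? c.raw_buffer_size : 0;
    if (n && memcmp(c.raw_buffer, px, sizeof px) != 0)
        n = 0;
    free(c.raw_buffer);
    return n;
}

int main(void)
{
    printf("unchecked: NULL buffer with stale size? %d\n", unchecked_leaves_null_with_stale_size());
    printf("checked: fails closed? %d\n", checked_fails_closed());
    printf("checked: bytes stored = %zu\n", checked_stores_pixels());
    return 0;
}
```

Even where a downstream call such as inflate() validates its own arguments, the explicit check keeps the error local to the allocation and prevents a non-zero raw_buffer_size from describing a buffer that was never allocated, which is the state any later code that trusts the size field would otherwise inherit.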

@risicle
Author

risicle commented Nov 25, 2019

Nope looks like you've got it about right ✔️

@bk138
Member

bk138 commented Nov 25, 2019

OK, closing then :-)

@bk138 bk138 closed this as completed Nov 25, 2019