LMS-2014-06-16-1: Oberhumer LZO (CVE-2014-4607) #9

Closed
Hello71 opened this issue Jun 27, 2014 · 2 comments

Hello71 commented Jun 27, 2014

By embedding libvncserver, I believe that this package is vulnerable to CVE-2014-4607, which may raise the possibility of remote code execution.

http://seclists.org/oss-sec/2014/q2/665

I am not sufficiently aware of C to be entirely certain whether this bug affects this project, but seeing as the relevant code snippets have been included without modifications, I believe it is reasonable to assume that this project is affected.

LZO 2.07 has been released upstream and can be downloaded here: http://www.oberhumer.com/opensource/lzo/

I have tested copying in the relevant files and have not seen any compile errors.

It would be appreciated if this would be resolved in an expeditious manner due to the number of packages which use this library.

dscho commented Jun 27, 2014

> I have tested copying in the relevant files and have not seen any compile errors.

Would you terribly mind opening a pull request?

Hello71 added a commit to Hello71/libvncserver that referenced this issue Jun 27, 2014
dscho added a commit that referenced this issue Jun 27, 2014
It was reported that LZO has security issues in LMS-2014-06-16-1:
Oberhumer LZO (CVE-2014-4607): http://seclists.org/oss-sec/2014/q2/665

This was also reported by Alex Xu as
#9.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
dscho commented Jun 27, 2014

Fixed in 3238443.

dscho closed this as completed Jun 27, 2014
jadahl added a commit to jadahl/libvncserver that referenced this issue Sep 16, 2020
The pointers to the buffers were freed, and the size fields were set to
0, but the buffer pointers themselves were not set to NULL, when shutting
down, meaning the next time used, NULL checks would not tell whether the
pointer is valid. This caused crashes ending with

  #0  0x00007ffff73729e5 in raise () from /lib64/libc.so.6
  #1  0x00007ffff735b895 in abort () from /lib64/libc.so.6
  #2  0x00007ffff73b6857 in __libc_message () from /lib64/libc.so.6
  #3  0x00007ffff73bdd7c in malloc_printerr () from /lib64/libc.so.6
  #4  0x00007ffff73c2f1a in realloc () from /lib64/libc.so.6
  #5  0x00007ffff78b558e in rfbSendOneRectEncodingZlib (cl=0x4a4b80, x=0, y=0, w=800, h=40) at /home/jonas/Dev/gnome/libvncserver/libvncserver/zlib.c:106
  #6  0x00007ffff78b5dec in rfbSendRectEncodingZlib (cl=0x4a4b80, x=0, y=0, w=800, h=600) at /home/jonas/Dev/gnome/libvncserver/libvncserver/zlib.c:308
  #7  0x00007ffff7899453 in rfbSendFramebufferUpdate (cl=0x4a4b80, givenUpdateRegion=0x49ef70) at /home/jonas/Dev/gnome/libvncserver/libvncserver/rfbserver.c:3264
  #8  0x00007ffff789079d in rfbUpdateClient (cl=0x4a4b80) at /home/jonas/Dev/gnome/libvncserver/libvncserver/main.c:1275
  #9  0x00007ffff78905f5 in rfbProcessEvents (screen=0x4d5790, usec=0) at /home/jonas/Dev/gnome/libvncserver/libvncserver/main.c:1251
bk138 pushed a commit that referenced this issue Sep 16, 2020