Fix two heap buffer overflows #137
Conversation
Although rfbproto.c does check whether the overall FramebufferUpdate rectangle is too large, some of the individual encoding decoders do not, which allows a malicious server to overwrite parts of the heap.
The Ultra type tile decoder does not use the _safe variant of the LZO decompress function, which allows a malicious server to overwrite parts of the heap by sending a larger-than-specified LZO data stream.
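To make the two missing checks concrete, here is an added C example; it is not code from libvncclient or from this PR. It assumes a small framebuffer/rectangle model (the hypothetical framebuffer_t, rect_t, rect_in_bounds and decode_rect names are constructed for illustration) and stands in a toy run-length stream for the LZO tile data, so that an "unsafe" decoder with the same contract as lzo1x_decompress() (trusts the stream, no output bound) can be set beside a "safe" one with the contract of lzo1x_decompress_safe() (output length is a parameter and is enforced). The per-rectangle path then does what a per-encoding decoder must do in addition to the outer check: verify the rectangle fits the framebuffer with arithmetic that cannot wrap, bound the decompressor by w*h*bpp, and require the decompressed length to match before copying into the framebuffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Client-side framebuffer, sized from the width/height the server announced. */
typedef struct {
    uint16_t width, height;
    uint8_t bpp;       /* bytes per pixel */
    uint8_t *pixels;   /* width * height * bpp bytes */
} framebuffer_t;

/* One FramebufferUpdate rectangle header (x, y, w, h are 16-bit in RFB). */
typedef struct { uint16_t x, y, w, h; } rect_t;

/* The check every per-encoding decoder needs, not only the outer loop: the
   rectangle must lie inside the framebuffer. Operands are widened to 32 bits
   so x + w cannot wrap around. Returns 1 if valid, 0 otherwise. */
int rect_in_bounds(const framebuffer_t *fb, rect_t r)
{
    if (r.w == 0 || r.h == 0)
        return 0;
    return (uint32_t)r.x + r.w <= fb->width &&
           (uint32_t)r.y + r.h <= fb->height;
}

/* Toy run-length stream standing in for a compressed tile: (count, byte) pairs.
   Unsafe decoder, same contract as lzo1x_decompress(): it trusts the stream and
   writes as many bytes as the stream says, with no knowledge of the output size. */
size_t rle_decompress_unsafe(const uint8_t *in, size_t in_len, uint8_t *out)
{
    size_t o = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        memset(out + o, in[i + 1], in[i]);   /* no bound on out */
        o += in[i];
    }
    return o;
}

/* Safe decoder, same contract as lzo1x_decompress_safe(): the output size is a
   parameter and any run that would exceed it is rejected. Returns bytes written,
   or -1 if the stream tried to overrun the output buffer. */
long rle_decompress_safe(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_len)
{
    size_t o = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        if (in[i] > out_len - o)
            return -1;
        memset(out + o, in[i + 1], in[i]);
        o += in[i];
    }
    return (long)o;
}

/* Decode one rectangle: bounds-check it, decompress into a tile buffer bounded by
   w*h*bpp, require an exact length match, then copy row by row into the
   framebuffer. Returns 0 on success, -1 on any rejection. */
int decode_rect(framebuffer_t *fb, rect_t r, const uint8_t *data, size_t len)
{
    uint8_t tile[64 * 64 * 4];            /* largest tile this decoder accepts */
    size_t tile_len; long n;
    if (!rect_in_bounds(fb, r))
        return -1;
    tile_len = (size_t)r.w * r.h * fb->bpp;
    if (tile_len > sizeof tile)
        return -1;
    n = rle_decompress_safe(data, len, tile, tile_len);
    if (n < 0 || (size_t)n != tile_len)
        return -1;
    for (uint16_t row = 0; row < r.h; row++)
        memcpy(fb->pixels + ((size_t)(r.y + row) * fb->width + r.x) * fb->bpp,
               tile + (size_t)row * r.w * fb->bpp,
               (size_t)r.w * fb->bpp);
    return 0;
}

/* Self-check on constructed input (an 8x8, 1 bpp framebuffer). Returns 0 when
   every expectation holds, otherwise the number of the failed step. */
int demo(void)
{
    uint8_t px[8 * 8] = {0}, scratch[64];
    framebuffer_t fb = { 8, 8, 1, px };
    uint8_t ok_stream[]  = { 16, 0xAB };  /* exactly one 4x4 tile at 1 bpp */
    uint8_t big_stream[] = { 32, 0xAB };  /* claims 32 bytes for a 16-byte tile */
    rect_t inside  = { 2, 2, 4, 4 };
    rect_t outside = { 6, 2, 4, 4 };      /* x + w = 10 > width 8 */
    rect_t wrap    = { 65535, 0, 2, 2 };  /* x + w wraps to 1 in 16-bit math */
    if (!rect_in_bounds(&fb, inside)) return 1;
    if (rect_in_bounds(&fb, outside)) return 2;
    if (rect_in_bounds(&fb, wrap)) return 3;
    if (decode_rect(&fb, inside, ok_stream, sizeof ok_stream) != 0) return 4;
    if (px[2 * 8 + 2] != 0xAB || px[5 * 8 + 5] != 0xAB || px[1 * 8 + 1] != 0) return 5;
    if (decode_rect(&fb, inside, big_stream, sizeof big_stream) != -1) return 6;
    /* The unsafe variant reports 32 bytes written without complaint; only the
       oversized 64-byte scratch buffer here keeps that from being an overflow. */
    if (rle_decompress_unsafe(big_stream, sizeof big_stream, scratch) != 32) return 7;
    return 0;
}

int main(void) { return demo(); }
```

The point of the pair is the contract difference: the unsafe decoder has no parameter through which the caller could even express the output size, so the only defence is the caller having sized the buffer for the largest stream the server can send, which for attacker-controlled input is no defence at all. The safe variant turns an oversized stream into an error the decoder can reject, exactly the property the PR's switch to the _safe LZO function buys.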
I cannot get the PoC to run on Debian. Do you know which package to install to get lzo for python3? The other way around, it finds lzo with python2, but then asyncio is not available :-/

I installed the python3 version directly from pip (https://pypi.python.org/pypi/python-lzo/1.08) (as it is not available in Gentoo repositories either).

Tested && merged. Thanks a lot!

I have been told that it is a good practice to report things like this as CVEs. Do you plan to do that or should I? I see that there are already some libvncserver/libvncclient CVEs on the list.

If you could take care of that, I'd be very thankful indeed.

Do you plan on doing a release any time soon? It probably would be useful to have a new version the CVE can refer to as fixed.
On Tue, 13 Dec 2016 12:34:15 -0800, Josef Gajdusek <notifications@github.com> wrote:
> Do you plan on doing a release any time soon? It probably would be useful to
> have a new version the CVE can refer to as fixed.

Yes. 0.9.11 is due before x-mas.
This PR fixes two unrelated buffer overflows, which can be used by a malicious server to overwrite parts of the heap and crash the client (or possibly execute arbitrary code).
PoC (for ./client_examples/gtkvncviewer):