Bug 1144289 (CVE-2014-6053)

Summary: CVE-2014-6053 libvncserver: server NULL pointer dereference flaw in ClientCutText message handling
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alekcejk, chazlett, jgrulich, john.haxby, jreznik, jrusnack, kevin, ltinkl, negativo17, pahan, ppisar, rdieter, rnovacek, security-response-team, sisharma, smparrish, than, twaugh, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A NULL pointer dereference flaw was found in the way LibVNCServer handled certain ClientCutText messages. A remote attacker could use this flaw to crash the VNC server by sending a specially crafted ClientCutText message from a VNC client.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-11-11 22:33:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1145878, 1145879, 1145880, 1145883, 1157668, 1157669, 1157670, 1157671, 1157674, 1157675, 1157676, 1157677
Bug Blocks: 1144297

Description Murray McAllister 2014-09-19 07:37:28 UTC
A NULL pointer dereference flaw was reported in LibVNCServer's ClientCutText message handling. A VNC client could use this flaw to cause the VNC server to crash.

Upstream commit:

https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28

Comment 1 Murray McAllister 2014-09-24 04:19:51 UTC
Acknowledgements:

Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Nicolas RUFF as the original reporter.

Comment 2 Murray McAllister 2014-09-24 04:21:12 UTC
Public now:

http://seclists.org/oss-sec/2014/q3/639

Comment 3 Murray McAllister 2014-09-24 04:30:25 UTC
Created libvncserver tracking bugs for this issue:

Affects: fedora-all [bug 1145878]
Affects: epel-5 [bug 1145879]
Affects: epel-7 [bug 1145880]

Comment 4 Murray McAllister 2014-09-24 04:48:57 UTC
Created krfb tracking bugs for this issue:

Affects: fedora-all [bug 1145883]

Comment 5 Murray McAllister 2014-09-24 04:51:14 UTC
krfb advisory:

http://www.kde.org/info/security/advisory-20140923-1.txt

Comment 6 john.haxby@oracle.com 2014-09-24 09:02:49 UTC
Note that this also appears to affect RHEL5's vnc-server and has been assigned CVE-2010-5304.

Comment 7 Murray McAllister 2014-09-25 08:29:47 UTC
(In reply to john.haxby from comment #6)
> Note that this also appears to affect RHEL5's vnc-server and has been
> assigned CVE-2010-5304.

Thanks John. As I understood it, CVE-2014-6053 is for the flaw in libvncserver. The same flaw was previously reported for RealVNC, and that instance of the issue was CVE-2010-5304.

Do you want me to clarify with MITRE?

Comment 8 Murray McAllister 2014-09-25 08:30:35 UTC
(In reply to Murray McAllister from comment #7)
> (In reply to john.haxby from comment #6)
> > Note that this also appears to affect RHEL5's vnc-server and has been
> > assigned CVE-2010-5304.
> 
> Thanks John. As I understood it, CVE-2014-6053 is for the flaw in
> libvncserver. The same flaw was previously reported for RealVNC, and that
> instance of the issue was CVE-2010-5304.

Still not clear... CVE-2014-6053 is for the flaw in libvncserver. CVE-2010-5304 is for the flaw in RealVNC.

Comment 9 Murray McAllister 2014-09-25 08:45:59 UTC
(In reply to Murray McAllister from comment #8)
> (In reply to Murray McAllister from comment #7)
> > (In reply to john.haxby from comment #6)
> > > Note that this also appears to affect RHEL5's vnc-server and has been
> > > assigned CVE-2010-5304.
> > 
> > Thanks John. As I understood it, CVE-2014-6053 is for the flaw in
> > libvncserver. The same flaw was previously reported for RealVNC, and that
> > instance of the issue was CVE-2010-5304.
> 
> Still not clear... CVE-2014-6053 is for the flaw in libvncserver.
> CVE-2010-5304 is for the flaw in RealVNC.

Sorry for the spam. I see what you mean about the vnc-server package now. Thank you for pointing it out!

Comment 10 john.haxby@oracle.com 2014-09-25 09:30:51 UTC
Murray, I did a lazy check: I looked for the CVE-2010-5304 bugzilla alias, the security/cve link and in the RHEL5 vnc-server changelog. It didn't appear anywhere, which was a little surprising -- I'd usually expect to find something even if it's a "not applicable" notice. (Our own CVE database doesn't yet include historic, for us, CVEs so that's of no use :))

Comment 12 Murray McAllister 2014-09-26 04:02:38 UTC
As noted above, CVE-2010-5304 was assigned to this flaw in RealVNC.

The "vnc" and "vnc-server" packages in Red Hat Enterprise Linux 5 provide RealVNC.

Comment 13 Fedora Update System 2014-09-29 04:06:35 UTC
libvncserver-0.9.10-0.6.20140718git9453be42.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2014-10-01 04:23:31 UTC
libvncserver-0.9.10-0.6.20140718git9453be42.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-10-04 03:25:06 UTC
libvncserver-0.9.10-0.6.20140718git9453be42.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-10-08 19:11:28 UTC
krfb-4.11.5-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2014-10-13 21:38:36 UTC
libvncserver-0.9.10-0.6.20140718git9453be42.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Martin Prpič 2014-11-10 08:59:20 UTC
IssueDescription:

A NULL pointer dereference flaw was found in the way LibVNCServer handled certain ClientCutText messages. A remote attacker could use this flaw to crash the VNC server by sending a specially crafted ClientCutText message from a VNC client.

Comment 28 Siddharth Sharma 2014-11-11 07:23:21 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 29 errata-xmlrpc 2014-11-11 18:25:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1826 https://rhn.redhat.com/errata/RHSA-2014-1826.html

Comment 30 errata-xmlrpc 2014-11-11 21:17:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1827 https://rhn.redhat.com/errata/RHSA-2014-1827.html