Bug 1671405 (CVE-2018-20750)

Summary: CVE-2018-20750 libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution (Incomplete fix for CVE-2018-15127)
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: unspecified
CC: negativo17, ppisar, rdieter
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libvncserver. An incomplete fix for CVE-2018-15127 leaves open an out-of-bounds write vulnerability in code for the file transfer extension. This vulnerability can be remotely exploited. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Last Closed: 2019-06-10 10:47:10 UTC
Bug Depends On: 1661115, 1661116    
Bug Blocks: 1661105    

Description Andrej Nemec 2019-01-31 14:31:19 UTC
LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

Upstream patch:

https://github.com/LibVNC/libvncserver/commit/09e8fc02f59f16e2583b34fe1a270c238bd9ffec

Upstream issue:

https://github.com/LibVNC/libvncserver/issues/273

Comment 1 Andrej Nemec 2019-01-31 14:34:29 UTC
Created libvncserver tracking bugs for this issue:

Affects: epel-7 [bug 1661116]
Affects: fedora-all [bug 1661115]