Bug 1790315 (CVE-2019-15694)

Summary: CVE-2019-15694 tigervnc: Heap buffer overflow in DecodeManager::decodeRect
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fedora, jgrulich, twaugh, vonsch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tigervnc 1.10.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1791767, 1791768, 1790316    
Bug Blocks: 1790319    

Description Pedro Sampaio 2020-01-13 06:13:58 UTC
TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow, which could be triggered from DecodeManager::decodeRect. Vulnerability occurs due to the signdness error in processing MemOutStream. Exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.

Upstream patch:

https://github.com/CendioOssman/tigervnc/commit/0943c006c7d900dfc0281639e992791d6c567438

References:

https://github.com/TigerVNC/tigervnc/releases/tag/v1.10.1
https://www.openwall.com/lists/oss-security/2019/12/20/2

Comment 1 Pedro Sampaio 2020-01-13 06:14:18 UTC
Created tigervnc tracking bugs for this issue:

Affects: fedora-all [bug 1790316]