Bug 1811948 (CVE-2019-15690)

Summary: CVE-2019-15690 libvncserver: HandleCursorShape() integer overflow resulting in heap-based buffer overflow
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: gsuckevi, negativo17, ppisar, rdieter, scorneli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libvncserver. An integer overflow within the HandleCursorShape() function can be exploited to cause a heap-based buffer overflow by tricking a user or application using libvncserver to connect to an unstrusted server and subsequently send cursor shapes with specially crafted dimensions. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-23 10:32:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1811950, 1811951, 1814339, 1814340, 1814341, 1814342, 1814343, 1814745    
Bug Blocks: 1811953, 1829873    

Description Michael Kaplan 2020-03-10 09:53:47 UTC 
An integer overflow within the HandleCursorShape() function in libvncclient/cursor.c can be exploited to cause a heap-based buffer overflow by tricking a user or application using libvncserver to connect to an unstrusted server and subsequently sending cursor shapes with specially crafted dimensions.
Comment 1 Michael Kaplan 2020-03-10 09:54:33 UTC 
Created libvncserver tracking bugs for this issue:

Affects: epel-7 [bug 1811951]
Affects: fedora-all [bug 1811950]
Comment 2 Michael Kaplan 2020-03-10 09:55:51 UTC 
Researcher Reference:

https://www.openwall.com/lists/oss-security/2019/12/20/2
Comment 3 Stefan Cornelius 2020-03-17 16:51:48 UTC 
Patch:
https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed
Comment 12 errata-xmlrpc 2020-03-23 08:32:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0921 https://access.redhat.com/errata/RHSA-2020:0921
Comment 13 errata-xmlrpc 2020-03-23 08:43:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0913 https://access.redhat.com/errata/RHSA-2020:0913
Comment 14 errata-xmlrpc 2020-03-23 08:46:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0920 https://access.redhat.com/errata/RHSA-2020:0920
Comment 15 Product Security DevOps Team 2020-03-23 10:32:26 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15690
Comment 17 Stefan Cornelius 2020-05-12 13:49:41 UTC 
*** Bug 1829870 has been marked as a duplicate of this bug. ***
Comment 18 Eric Christensen 2020-07-08 18:20:45 UTC 
Mitigation:

Libvncserver should not be used to connect to untrusted server.