Bug 1144289 (CVE-2014-6053) - CVE-2014-6053 libvncserver: server NULL pointer dereference flaw in ClientCutText message handling
Summary: CVE-2014-6053 libvncserver: server NULL pointer dereference flaw in ClientCut...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-6053
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1145878 1145879 1145880 1145883 1157668 1157669 1157670 1157671 1157674 1157675 1157676 1157677
Blocks: 1144297
TreeView+ depends on / blocked
 
Reported: 2014-09-19 07:37 UTC by Murray McAllister
Modified: 2019-09-29 13:22 UTC (History)
19 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A NULL pointer dereference flaw was found in the way LibVNCServer handled certain ClientCutText message. A remote attacker could use this flaw to crash the VNC server by sending a specially crafted ClientCutText message from a VNC client.
Clone Of:
Environment:
Last Closed: 2014-11-11 22:33:57 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1826 normal SHIPPED_LIVE Moderate: libvncserver security update 2014-11-11 23:25:37 UTC
Red Hat Product Errata RHSA-2014:1827 normal SHIPPED_LIVE Moderate: kdenetwork security update 2014-11-12 02:16:52 UTC

Description Murray McAllister 2014-09-19 07:37:28 UTC
A NULL pointer dereference flaw was reported in LibVNCServer's ClientCutText message handling. A VNC client could use this flaw to cause the VNC server to crash.

Upstream commit:

https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28

Comment 1 Murray McAllister 2014-09-24 04:19:51 UTC
Acknowledgements:

Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Nicolas RUFF as the original reporter.

Comment 2 Murray McAllister 2014-09-24 04:21:12 UTC
Public now:

http://seclists.org/oss-sec/2014/q3/639

Comment 3 Murray McAllister 2014-09-24 04:30:25 UTC
Created libvncserver tracking bugs for this issue:

Affects: fedora-all [bug 1145878]
Affects: epel-5 [bug 1145879]
Affects: epel-7 [bug 1145880]

Comment 4 Murray McAllister 2014-09-24 04:48:57 UTC
Created krfb tracking bugs for this issue:

Affects: fedora-all [bug 1145883]

Comment 5 Murray McAllister 2014-09-24 04:51:14 UTC
krfb advisory:

http://www.kde.org/info/security/advisory-20140923-1.txt

Comment 6 john.haxby@oracle.com 2014-09-24 09:02:49 UTC
Note that this also appears to affect RHEL5's vnc-server and has been assigned CVE-2010-5304.

Comment 7 Murray McAllister 2014-09-25 08:29:47 UTC
(In reply to john.haxby@oracle.com from comment #6)
> Note that this also appears to affect RHEL5's vnc-server and has been
> assigned CVE-2010-5304.

Thanks John. As I understood it, CVE-2014-6053 is for the flaw in libvncserver. The same flaw was previously reported for RealVNC, and that instance of the issue was CVE-2010-5304.

Do you want me to clarify with MITRE?

Comment 8 Murray McAllister 2014-09-25 08:30:35 UTC
(In reply to Murray McAllister from comment #7)
> (In reply to john.haxby@oracle.com from comment #6)
> > Note that this also appears to affect RHEL5's vnc-server and has been
> > assigned CVE-2010-5304.
> 
> Thanks John. As I understood it, CVE-2014-6053 is for the flaw in
> libvncserver. The same flaw was previously reported for RealVNC, and that
> instance of the issue was CVE-2010-5304.

Still not clear... CVE-2014-6053 is for the flaw in libvncserver. CVE-2010-5304 is for the flaw in RealVNC.

Comment 9 Murray McAllister 2014-09-25 08:45:59 UTC
(In reply to Murray McAllister from comment #8)
> (In reply to Murray McAllister from comment #7)
> > (In reply to john.haxby@oracle.com from comment #6)
> > > Note that this also appears to affect RHEL5's vnc-server and has been
> > > assigned CVE-2010-5304.
> > 
> > Thanks John. As I understood it, CVE-2014-6053 is for the flaw in
> > libvncserver. The same flaw was previously reported for RealVNC, and that
> > instance of the issue was CVE-2010-5304.
> 
> Still not clear... CVE-2014-6053 is for the flaw in libvncserver.
> CVE-2010-5304 is for the flaw in RealVNC.

Sorry for the spam. I see what you mean about the vnc-server package now. Thank you for pointing it out!

Comment 10 john.haxby@oracle.com 2014-09-25 09:30:51 UTC
Murray, I did a lazy check: I looked for the CVE-2010-5304 bugzilla alias, the security/cve link and in the HREL5 vnc-server changelog.   It didn't appear anywhere, which was a little surprising -- I'd usually expect to find something even if it's a "not applicable" notice.  (Our own CVE database doesn't yet include historic, for us, CVEs so that's of no use :))

Comment 12 Murray McAllister 2014-09-26 04:02:38 UTC
As noted above, CVE-2010-5304 was assigned to this flaw in RealVNC.

The "vnc" and "vnc-server" packages in Red Hat Enterprise Linux 5 provide RealVNC.

Comment 13 Fedora Update System 2014-09-29 04:06:35 UTC
libvncserver-0.9.10-0.6.20140718git9453be42.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2014-10-01 04:23:31 UTC
libvncserver-0.9.10-0.6.20140718git9453be42.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-10-04 03:25:06 UTC
libvncserver-0.9.10-0.6.20140718git9453be42.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-10-08 19:11:28 UTC
krfb-4.11.5-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2014-10-13 21:38:36 UTC
libvncserver-0.9.10-0.6.20140718git9453be42.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Martin Prpič 2014-11-10 08:59:20 UTC
IssueDescription:

A NULL pointer dereference flaw was found in the way LibVNCServer handled certain ClientCutText message. A remote attacker could use this flaw to crash the VNC server by sending a specially crafted ClientCutText message from a VNC client.

Comment 28 Siddharth Sharma 2014-11-11 07:23:21 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 29 errata-xmlrpc 2014-11-11 18:25:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1826 https://rhn.redhat.com/errata/RHSA-2014-1826.html

Comment 30 errata-xmlrpc 2014-11-11 21:17:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1827 https://rhn.redhat.com/errata/RHSA-2014-1827.html


Note You need to log in before you can comment on or make changes to this bug.