A NULL pointer dereference flaw was reported in LibVNCServer's ClientCutText message handling. A VNC client could use this flaw to cause the VNC server to crash.
Upstream commit: https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28
Acknowledgements: Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Nicolas RUFF as the original reporter.
Public now: http://seclists.org/oss-sec/2014/q3/639
Created libvncserver tracking bugs for this issue:
Affects: fedora-all [bug 1145878]
Affects: epel-5 [bug 1145879]
Affects: epel-7 [bug 1145880]
Created krfb tracking bugs for this issue: Affects: fedora-all [bug 1145883]
krfb advisory: http://www.kde.org/info/security/advisory-20140923-1.txt
Note that this also appears to affect RHEL5's vnc-server and has been assigned CVE-2010-5304.
(In reply to john.haxby from comment #6)
> Note that this also appears to affect RHEL5's vnc-server and has been
> assigned CVE-2010-5304.
Thanks John. As I understood it, CVE-2014-6053 is for the flaw in libvncserver. The same flaw was previously reported for RealVNC, and that instance of the issue was CVE-2010-5304. Do you want me to clarify with MITRE?
(In reply to Murray McAllister from comment #7)
> (In reply to john.haxby from comment #6)
> > Note that this also appears to affect RHEL5's vnc-server and has been
> > assigned CVE-2010-5304.
>
> Thanks John. As I understood it, CVE-2014-6053 is for the flaw in
> libvncserver. The same flaw was previously reported for RealVNC, and that
> instance of the issue was CVE-2010-5304.
Still not clear... CVE-2014-6053 is for the flaw in libvncserver. CVE-2010-5304 is for the flaw in RealVNC.
(In reply to Murray McAllister from comment #8)
> (In reply to Murray McAllister from comment #7)
> > (In reply to john.haxby from comment #6)
> > > Note that this also appears to affect RHEL5's vnc-server and has been
> > > assigned CVE-2010-5304.
> >
> > Thanks John. As I understood it, CVE-2014-6053 is for the flaw in
> > libvncserver. The same flaw was previously reported for RealVNC, and that
> > instance of the issue was CVE-2010-5304.
>
> Still not clear... CVE-2014-6053 is for the flaw in libvncserver.
> CVE-2010-5304 is for the flaw in RealVNC.
Sorry for the spam. I see what you mean about the vnc-server package now. Thank you for pointing it out!
Murray, I did a lazy check: I looked for the CVE-2010-5304 bugzilla alias, the security/cve link and in the RHEL5 vnc-server changelog. It didn't appear anywhere, which was a little surprising -- I'd usually expect to find something even if it's a "not applicable" notice. (Our own CVE database doesn't yet include historic, for us, CVEs so that's of no use :))
As noted above, CVE-2010-5304 was assigned to this flaw in RealVNC. The "vnc" and "vnc-server" packages in Red Hat Enterprise Linux 5 provide RealVNC.
libvncserver-0.9.10-0.6.20140718git9453be42.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
libvncserver-0.9.10-0.6.20140718git9453be42.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
libvncserver-0.9.10-0.6.20140718git9453be42.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
krfb-4.11.5-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
krfb upstream fix
-----------------
http://quickgit.kde.org/?p=krfb.git&a=commitdiff&h=d931eafccf3140d740ac61e876dce72a23ade7f4&hp=126a746dd7bee35840083e9bec7a52935a010346
libvncserver-0.9.10-0.6.20140718git9453be42.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
IssueDescription: A NULL pointer dereference flaw was found in the way LibVNCServer handled certain ClientCutText messages. A remote attacker could use this flaw to crash the VNC server by sending a specially crafted ClientCutText message from a VNC client.
Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2014:1826 https://rhn.redhat.com/errata/RHSA-2014-1826.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2014:1827 https://rhn.redhat.com/errata/RHSA-2014-1827.html