1144289 – (CVE-2014-6053) CVE-2014-6053 libvncserver: server NULL pointer dereference flaw in ClientCutText message handling

Bug 1144289 (CVE-2014-6053) - CVE-2014-6053 libvncserver: server NULL pointer dereference flaw in ClientCutText message handling

Summary: CVE-2014-6053 libvncserver: server NULL pointer dereference flaw in ClientCut...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-6053
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1145878 1145879 1145880 1145883 1157668 1157669 1157670 1157671 1157674 1157675 1157676 1157677
Blocks:	1144297
TreeView+	depends on / blocked

Reported:	2014-09-19 07:37 UTC by Murray McAllister
Modified:	2023-05-12 13:41 UTC (History)
CC List:	19 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A NULL pointer dereference flaw was found in the way LibVNCServer handled certain ClientCutText message. A remote attacker could use this flaw to crash the VNC server by sending a specially crafted ClientCutText message from a VNC client.
Clone Of:
Environment:
Last Closed:	2014-11-11 22:33:57 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1826	0	normal	SHIPPED_LIVE	Moderate: libvncserver security update	2014-11-11 23:25:37 UTC
Red Hat Product Errata	RHSA-2014:1827	0	normal	SHIPPED_LIVE	Moderate: kdenetwork security update	2014-11-12 02:16:52 UTC

Description Murray McAllister 2014-09-19 07:37:28 UTC

A NULL pointer dereference flaw was reported in LibVNCServer's ClientCutText message handling. A VNC client could use this flaw to cause the VNC server to crash.

Upstream commit:

https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28

Comment 1 Murray McAllister 2014-09-24 04:19:51 UTC

Acknowledgements:

Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Nicolas RUFF as the original reporter.

Comment 2 Murray McAllister 2014-09-24 04:21:12 UTC

Public now:

http://seclists.org/oss-sec/2014/q3/639

Comment 3 Murray McAllister 2014-09-24 04:30:25 UTC

Created libvncserver tracking bugs for this issue:

Affects: fedora-all [bug 1145878]
Affects: epel-5 [bug 1145879]
Affects: epel-7 [bug 1145880]

Comment 4 Murray McAllister 2014-09-24 04:48:57 UTC

Created krfb tracking bugs for this issue:

Affects: fedora-all [bug 1145883]

Comment 5 Murray McAllister 2014-09-24 04:51:14 UTC

krfb advisory:

http://www.kde.org/info/security/advisory-20140923-1.txt

Comment 6 john.haxby@oracle.com 2014-09-24 09:02:49 UTC

Note that this also appears to affect RHEL5's vnc-server and has been assigned CVE-2010-5304.

Comment 7 Murray McAllister 2014-09-25 08:29:47 UTC

(In reply to john.haxby from comment #6)
> Note that this also appears to affect RHEL5's vnc-server and has been
> assigned CVE-2010-5304.

Thanks John. As I understood it, CVE-2014-6053 is for the flaw in libvncserver. The same flaw was previously reported for RealVNC, and that instance of the issue was CVE-2010-5304.

Do you want me to clarify with MITRE?

Comment 8 Murray McAllister 2014-09-25 08:30:35 UTC

(In reply to Murray McAllister from comment #7)
> (In reply to john.haxby from comment #6)
> > Note that this also appears to affect RHEL5's vnc-server and has been
> > assigned CVE-2010-5304.
> 
> Thanks John. As I understood it, CVE-2014-6053 is for the flaw in
> libvncserver. The same flaw was previously reported for RealVNC, and that
> instance of the issue was CVE-2010-5304.

Still not clear... CVE-2014-6053 is for the flaw in libvncserver. CVE-2010-5304 is for the flaw in RealVNC.

Comment 9 Murray McAllister 2014-09-25 08:45:59 UTC

(In reply to Murray McAllister from comment #8)
> (In reply to Murray McAllister from comment #7)
> > (In reply to john.haxby from comment #6)
> > > Note that this also appears to affect RHEL5's vnc-server and has been
> > > assigned CVE-2010-5304.
> > 
> > Thanks John. As I understood it, CVE-2014-6053 is for the flaw in
> > libvncserver. The same flaw was previously reported for RealVNC, and that
> > instance of the issue was CVE-2010-5304.
> 
> Still not clear... CVE-2014-6053 is for the flaw in libvncserver.
> CVE-2010-5304 is for the flaw in RealVNC.

Sorry for the spam. I see what you mean about the vnc-server package now. Thank you for pointing it out!

Comment 10 john.haxby@oracle.com 2014-09-25 09:30:51 UTC

Murray, I did a lazy check: I looked for the CVE-2010-5304 bugzilla alias, the security/cve link and in the HREL5 vnc-server changelog.   It didn't appear anywhere, which was a little surprising -- I'd usually expect to find something even if it's a "not applicable" notice.  (Our own CVE database doesn't yet include historic, for us, CVEs so that's of no use :))

Comment 12 Murray McAllister 2014-09-26 04:02:38 UTC

As noted above, CVE-2010-5304 was assigned to this flaw in RealVNC.

The "vnc" and "vnc-server" packages in Red Hat Enterprise Linux 5 provide RealVNC.

Comment 13 Fedora Update System 2014-09-29 04:06:35 UTC

libvncserver-0.9.10-0.6.20140718git9453be42.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2014-10-01 04:23:31 UTC

libvncserver-0.9.10-0.6.20140718git9453be42.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-10-04 03:25:06 UTC

libvncserver-0.9.10-0.6.20140718git9453be42.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-10-08 19:11:28 UTC

krfb-4.11.5-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Siddharth Sharma 2014-10-09 08:20:42 UTC

krfb upstream fix
-----------------

http://quickgit.kde.org/?p=krfb.git&a=commitdiff&h=d931eafccf3140d740ac61e876dce72a23ade7f4&hp=126a746dd7bee35840083e9bec7a52935a010346

Comment 18 Fedora Update System 2014-10-13 21:38:36 UTC

libvncserver-0.9.10-0.6.20140718git9453be42.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Martin Prpič 2014-11-10 08:59:20 UTC

IssueDescription:

A NULL pointer dereference flaw was found in the way LibVNCServer handled certain ClientCutText message. A remote attacker could use this flaw to crash the VNC server by sending a specially crafted ClientCutText message from a VNC client.

Comment 28 Siddharth Sharma 2014-11-11 07:23:21 UTC

Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 29 errata-xmlrpc 2014-11-11 18:25:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1826 https://rhn.redhat.com/errata/RHSA-2014-1826.html

Comment 30 errata-xmlrpc 2014-11-11 21:17:02 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1827 https://rhn.redhat.com/errata/RHSA-2014-1827.html

Note You need to log in before you can comment on or make changes to this bug.