Two stack-based buffer overflow flaws were reported in LibVNCServer's file transfer handling. A VNC client could use these flaws to cause the VNC server to crash or, potentially, execute arbitrary code. Upstream commits: https://github.com/newsoft/libvncserver/commit/06ccdf016154fde8eccb5355613ba04c59127b2e https://github.com/newsoft/libvncserver/commit/f528072216dec01cee7ca35d94e171a3b909e677
(In reply to Murray McAllister from comment #0) > Upstream commits: > > https://github.com/newsoft/libvncserver/commit/ > 06ccdf016154fde8eccb5355613ba04c59127b2e > The change contains: -rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, char *path, char *unixPath) +rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, /* in */ char *path, /* out */ char *unixPath, size_t unixPathMaxLen ) I.e. it adds a new argument. The rfbFilenameTranslate2UNIX() function is not declared in header files, but it's still exported by the libraries: $ nm -D /usr/lib64/libvnc{client,server}.so | grep rfbFilenameTranslate2UNIX 000000000000d4a0 T rfbFilenameTranslate2UNIX So it breaks ABI.
Acknowledgements: Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Nicolas RUFF as the original reporter.
Public now: http://seclists.org/oss-sec/2014/q3/639
Created libvncserver tracking bugs for this issue: Affects: fedora-all [bug 1145878] Affects: epel-5 [bug 1145879] Affects: epel-7 [bug 1145880]
Created krfb tracking bugs for this issue: Affects: fedora-all [bug 1145883]
krfb advisory: http://www.kde.org/info/security/advisory-20140923-1.txt
it's only effected in f19 because it uses the embeded libvncserver. i have built new krfb with "the unbundle libvncserver fix" which now uses the system libvncserver in f19. http://koji.fedoraproject.org/koji/buildinfo?buildID=580492
libvncserver-0.9.10-0.6.20140718git9453be42.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
libvncserver-0.9.10-0.6.20140718git9453be42.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
libvncserver-0.9.10-0.6.20140718git9453be42.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
krfb-4.11.5-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
krfb upstream fix ----------------- http://quickgit.kde.org/?p=krfb.git&a=commitdiff&h=2e211579455fd832fb21322482c005b6a85aa1bf&hp=857c2b411ed806ef806116407612a2d2a40fab9c
libvncserver-0.9.10-0.6.20140718git9453be42.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
IssueDescription: Two stack-based buffer overflow flaws were found in the way LibVNCServer handled file transfers. A remote attacker could use this flaw to crash the VNC server using a malicious VNC client.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2014:1826 https://rhn.redhat.com/errata/RHSA-2014-1826.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2014:1827 https://rhn.redhat.com/errata/RHSA-2014-1827.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only Via RHSA-2015:0113 https://rhn.redhat.com/errata/RHSA-2015-0113.html