Bug 1811948 (CVE-2019-15690) - CVE-2019-15690 libvncserver: HandleCursorShape() integer overflow resulting in heap-based buffer overflow
Summary: CVE-2019-15690 libvncserver: HandleCursorShape() integer overflow resulting i...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-15690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: CVE-2019-20788 (view as bug list)
Depends On: 1811950 1811951 1814339 1814340 1814341 1814342 1814343 1814745
Blocks: 1811953 1829873
TreeView+ depends on / blocked
 
Reported: 2020-03-10 09:53 UTC by Michael Kaplan
Modified: 2021-02-16 20:29 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libvncserver. An integer overflow within the HandleCursorShape() function can be exploited to cause a heap-based buffer overflow by tricking a user or application using libvncserver to connect to an unstrusted server and subsequently send cursor shapes with specially crafted dimensions. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-03-23 10:32:26 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0913 0 None None None 2020-03-23 08:43:05 UTC
Red Hat Product Errata RHSA-2020:0920 0 None None None 2020-03-23 08:47:00 UTC
Red Hat Product Errata RHSA-2020:0921 0 None None None 2020-03-23 08:32:25 UTC

Description Michael Kaplan 2020-03-10 09:53:47 UTC 
An integer overflow within the HandleCursorShape() function in libvncclient/cursor.c can be exploited to cause a heap-based buffer overflow by tricking a user or application using libvncserver to connect to an unstrusted server and subsequently sending cursor shapes with specially crafted dimensions.
Comment 1 Michael Kaplan 2020-03-10 09:54:33 UTC 
Created libvncserver tracking bugs for this issue:

Affects: epel-7 [bug 1811951]
Affects: fedora-all [bug 1811950]
Comment 2 Michael Kaplan 2020-03-10 09:55:51 UTC 
Researcher Reference:

https://www.openwall.com/lists/oss-security/2019/12/20/2
Comment 3 Stefan Cornelius 2020-03-17 16:51:48 UTC 
Patch:
https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed
Comment 12 errata-xmlrpc 2020-03-23 08:32:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0921 https://access.redhat.com/errata/RHSA-2020:0921
Comment 13 errata-xmlrpc 2020-03-23 08:43:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0913 https://access.redhat.com/errata/RHSA-2020:0913
Comment 14 errata-xmlrpc 2020-03-23 08:46:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0920 https://access.redhat.com/errata/RHSA-2020:0920
Comment 15 Product Security DevOps Team 2020-03-23 10:32:26 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15690
Comment 17 Stefan Cornelius 2020-05-12 13:49:41 UTC 
*** Bug 1829870 has been marked as a duplicate of this bug. ***
Comment 18 Eric Christensen 2020-07-08 18:20:45 UTC 
Mitigation:

Libvncserver should not be used to connect to untrusted server.
Note You need to log in before you can comment on or make changes to this bug.