http://bugzilla.suse.com/show_bug.cgi?id=900896 Sebastian Krahmer changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium CC| |security-team@suse.de Assignee|security-team@suse.de |michalsrb@gmail.com Severity|Major |Normal -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=900896 --- Comment #1 from Michal Srb --- Unfortunately the Red Hat bug right now doesn't say anything apart from it being similar to CVE-2014-6051. "Integer overflaw leading to a heap-based buffer overflow was found in the way screen sizes were handled. A Malicious VNC server could use this flaw to cause a client to crash or, potentially, execute arbitrary code on the client." So we would have to rediscover where the problem is. I had quick look at the code and found one apparent problem: In non-SHM branch, it uses assert() to check the return values of malloc. However after bnc#869307 (CVE-2014-0011) it was clear that authors of tigervnc are using assert() in all wrong places, so we preventively patched tigervnc to use asserts even in release build. So we are safe from this particular problem. Or am I missing any place with additional information about the bug? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=900896 --- Comment #3 from Michal Srb --- (In reply to Sebastian Krahmer from comment #2)

"Integer overflow" sounds different though. Sounds like there is some computation inside e.g. malloc(a*b*c) itself, that cannot be checked after malloc returns - assert() or not.

Alright, I found one possible overflow, but it's not actually dangerous. The width and height in VNC protocol are transported as unsigned 16bit number. Tigervnc picks them up and stores them into ints. They are stored as ints without any calculations until they are fed into XCreateImage or XShmCreateImage. In case of XCreateImage one suspicious place follows: malloc(xim->bytes_per_line * xim->height); Where xim is structure filled by XCreateImage, xim->height is int equal to the height and xim->bytes_per_line is int equal to the width times 4 (at most, depends on screen depth). So at worst you can smuggle 0xffff as width and height and you get (int)0xffff * (int)0xffff * 4 = -524284 as parameter of malloc. You never overflow far enough to get back to positive numbers. Parameter of malloc is size_t, so on 64 bit system it turns into 18446744073709027332, on 32 bit into 4294443012. Both should fail and tigervnc quits. Even if it somehow got pass this point, tigervnc will most probably abort because of error message from X server who will protest against such big images. Relying on that is of course not good practice and I will make patch that will prevent the overflow explicitly. But my question remains - we don't know what the Red Hat bug is about. Whether they found this or something else...

I also see we have it on SLE12?

Yes, we have tigervnc in SLE12. And any fixes will go there as well. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=900896 Sebastian Krahmer changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(krahmer@suse.com) | --- Comment #5 from Sebastian Krahmer --- Indeed the RH bz about it is really sparse. According to it it boils down to something similar to this: https://github.com/newsoft/libvncserver/commit/045a044e8ae79db9244593fbce154... which matches comment#3. We could just ask them to open their bz so our patches are in sync. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=900896 Sebastian Krahmer changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(krahmer@suse.com) | -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=900896 Sebastian Krahmer changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(krahmer@suse.com) | -- You are receiving this mail because: You are on the CC list for the bug.