[SECURITY] [DLA 1979-1] italc security update

Package : italc
Version : 1:2.0.2+dfsg1-2+deb8u1
CVE ID : CVE-2014-6051 CVE-2014-6052 CVE-2014-6053 CVE-2014-6054
CVE-2014-6055 CVE-2016-9941 CVE-2016-9942 CVE-2018-6307
CVE-2018-7225 CVE-2018-15126 CVE-2018-15127 CVE-2018-20019
CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023
CVE-2018-20024 CVE-2018-20748 CVE-2018-20749 CVE-2018-20750
CVE-2019-15681

Several vulnerabilities have been identified in the VNC code of iTALC, a
classroom management software. All vulnerabilities referenced below are
issues that have originally been reported against Debian source package
libvncserver. The italc source package in Debian ships a custom-patched
version of libvncserver, thus libvncserver's security fixes required
porting over.

CVE-2014-6051

Integer overflow in the MallocFrameBuffer function in vncviewer.c in
LibVNCServer allowed remote VNC servers to cause a denial of service
(crash) and possibly executed arbitrary code via an advertisement for
a large screen size, which triggered a heap-based buffer overflow.

CVE-2014-6052

The HandleRFBServerMessage function in libvncclient/rfbproto.c in
LibVNCServer did not check certain malloc return values, which
allowed remote VNC servers to cause a denial of service (application
crash) or possibly execute arbitrary code by specifying a large
screen size in a (1) FramebufferUpdate, (2) ResizeFrameBuffer, or (3)
PalmVNCReSizeFrameBuffer message.

CVE-2014-6053

The rfbProcessClientNormalMessage function in
libvncserver/rfbserver.c in LibVNCServer did not properly handle
attempts to send a large amount of ClientCutText data, which allowed
remote attackers to cause a denial of service (memory consumption or
daemon crash) via a crafted message that was processed by using a
single unchecked malloc.

CVE-2014-6054

The rfbProcessClientNormalMessage function in
libvncserver/rfbserver.c in LibVNCServer allowed remote attackers to
cause a denial of service (divide-by-zero error and server crash) via
a zero value in the scaling factor in a (1) PalmVNCSetScaleFactor or
(2) SetScale message.

CVE-2014-6055

Multiple stack-based buffer overflows in the File Transfer feature in
rfbserver.c in LibVNCServer allowed remote authenticated users to
cause a denial of service (crash) and possibly execute arbitrary code
via a (1) long file or (2) directory name or the (3) FileTime
attribute in a rfbFileTransferOffer message.

CVE-2016-9941

Heap-based buffer overflow in rfbproto.c in LibVNCClient in
LibVNCServer allowed remote servers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted
FramebufferUpdate message containing a subrectangle outside of the
client drawing area.

CVE-2016-9942

Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer
allowed remote servers to cause a denial of service (application
crash) or possibly execute arbitrary code via a crafted
FramebufferUpdate message with the Ultra type tile, such that the LZO
payload decompressed length exceeded what is specified by the tile
dimensions.

CVE-2018-6307

LibVNC contained heap use-after-free vulnerability in server code of
file transfer extension that can result remote code execution.

CVE-2018-7225

An issue was discovered in LibVNCServer.
rfbProcessClientNormalMessage() in rfbserver.c did not sanitize
msg.cct.length, leading to access to uninitialized and potentially
sensitive data or possibly unspecified other impact (e.g., an integer
overflow) via specially crafted VNC packets.

CVE-2018-15126

LibVNC contained heap use-after-free vulnerability in server code of
file transfer extension that can result remote code execution.

CVE-2018-15127

LibVNC contained heap out-of-bound write vulnerability in server code
of file transfer extension that can result remote code execution

CVE-2018-20749

LibVNC contained a heap out-of-bounds write vulnerability in
libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

CVE-2018-20750

LibVNC contained a heap out-of-bounds write vulnerability in
libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

CVE-2018-20019

LibVNC contained multiple heap out-of-bound write vulnerabilities in
VNC client code that can result remote code execution

CVE-2018-20748

LibVNC contained multiple heap out-of-bounds write vulnerabilities in
libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.

CVE-2018-20020

LibVNC contained heap out-of-bound write vulnerability inside
structure in VNC client code that can result remote code execution

CVE-2018-20021

LibVNC contained a CWE-835: Infinite loop vulnerability in VNC client
code. Vulnerability allows attacker to consume excessive amount of
resources like CPU and RAM

CVE-2018-20022

LibVNC contained multiple weaknesses CWE-665: Improper Initialization
vulnerability in VNC client code that allowed attackers to read stack
memory and could be abused for information disclosure. Combined with
another vulnerability, it could be used to leak stack memory layout
and in bypassing ASLR.

CVE-2018-20023

LibVNC contained CWE-665: Improper Initialization vulnerability in
VNC Repeater client code that allowed attacker to read stack memory
and could be abused for information disclosure. Combined with another
vulnerability, it could be used to leak stack memory layout and in
bypassing ASLR.

CVE-2018-20024

LibVNC contained null pointer dereference in VNC client code that
could result DoS.

CVE-2019-15681

LibVNC contained a memory leak (CWE-655) in VNC server code, which
allowed an attacker to read stack memory and could be abused for
information disclosure. Combined with another vulnerability, it could
be used to leak stack memory and bypass ASLR. This attack appeared to
be exploitable via network connectivity.

For Debian 8 "Jessie", these problems have been fixed in version
1:2.0.2+dfsg1-2+deb8u1.

We recommend that you upgrade your italc packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

–

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: [email protected], http://sunweavers.net
Attachment:
signature.asc
Description: PGP signature