History: Jul 02, 2021 - 5:22 p.m.

Advisory ROSA-SA-2021-1900

2021-07-02 17:22:34
ROSA LAB
abf.rosalinux.ru

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.3 High
Confidence: High

CVSS2: 7.8 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.854 High
Percentile: 98.5%

Software: libvncserver 0.9.9
OS: Cobalt 7.9

CVE-ID: CVE-2016-9941
CVE-Crit: CRITICAL
CVE-DESC: Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before version 0.9.11 allows remote servers to cause a denial of service (application failure) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a sub-rectangle outside the client drawing area.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-15126
CVE-Crit: CRITICAL
CVE-DESC: LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains a heap use-after-free vulnerability in the server-side file transfer extension code that could lead to remote code execution.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-21247
CVE-Crit: HIGH
CVE-DESC: An issue was discovered in LibVNCServer before version 0.9.13. There is an information leak (of uninitialized memory contents) in the libvncclient/rfbproto.c ConnectToRFBRepeater function.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-20019
CVE-Crit: CRITICAL
CVE-DESC: LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains several heap out-of-bounds write vulnerabilities in VNC client code that could lead to remote code execution.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-20020
CVE-Crit: CRITICAL
CVE-DESC: LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains a heap out-of-bounds write vulnerability inside a structure in VNC client code that could lead to remote code execution.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-20021
CVE-Crit: HIGH
CVE-DESC: LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains a CWE-835 (infinite loop) vulnerability in VNC client code. The vulnerability allows an attacker to consume an excessive amount of resources such as CPU and RAM.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-20022
CVE-Crit: HIGH
CVE-DESC: LibVNC before commit 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains several weaknesses of type CWE-665 (improper initialization) in VNC client code that allow an attacker to read stack memory and can be used for information disclosure. Combined with another vulnerability, they can be exploited to leak the stack memory layout and bypass ASLR.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-20023
CVE-Crit: HIGH
CVE-DESC: LibVNC before commit 8b06f835e259652b0ff026898014fc7297ade858 contains a CWE-665 (improper initialization) vulnerability in VNC Repeater client code that allows an attacker to read stack memory and can be used for information disclosure. Combined with another vulnerability, it can be exploited to leak the stack memory layout and bypass ASLR.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-20024
CVE-Crit: HIGH
CVE-DESC: LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains a NULL pointer dereference in VNC client code, which can lead to DoS.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-20748
CVE-Crit: CRITICAL
CVE-DESC: LibVNC before 0.9.12 contains several heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-20749
CVE-Crit: CRITICAL
CVE-DESC: LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-20750
CVE-Crit: CRITICAL
CVE-DESC: LibVNC before version 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-6307
CVE-Crit: HIGH
CVE-DESC: LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains a heap use-after-free vulnerability in the server-side file transfer extension code that could lead to remote code execution.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-20839
CVE-Crit: HIGH
CVE-DESC: libvncclient/sockets.c in LibVNCServer before version 0.9.13 has a buffer overflow due to a long socket filename.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-20788
CVE-Crit: CRITICAL
CVE-DESC: libvncclient/cursor.c in LibVNCServer before version 0.9.12 has a HandleCursorShape integer overflow and a heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-14396
CVE-Crit: HIGH
CVE-DESC: An issue was discovered in LibVNCServer before version 0.9.13. libvncclient/tls_openssl.c has a NULL pointer dereference.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-14398
CVE-Crit: HIGH
CVE-DESC: An issue was discovered in LibVNCServer before version 0.9.13. An improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-14401
CVE-Crit: MEDIUM
CVE-DESC: An issue was discovered in LibVNCServer before version 0.9.13. libvncserver/scale.c has a pixel_value integer overflow.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-14405
CVE-Crit: MEDIUM
CVE-DESC: An issue was discovered in LibVNCServer before version 0.9.13. libvncclient/rfbproto.c does not limit the size of TextChat.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-14397
CVE-Crit: HIGH
CVE-DESC: An issue was discovered in LibVNCServer before version 0.9.13. libvncserver/rfbregion.c has a NULL pointer dereference.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-14402
CVE-Crit: MEDIUM
CVE-DESC: An issue was discovered in LibVNCServer before version 0.9.13. libvncserver/corre.c allows out-of-bounds access via encodings.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-14403
CVE-Crit: MEDIUM
CVE-DESC: An issue was discovered in LibVNCServer before version 0.9.13. libvncserver/hextile.c allows out-of-bounds access via encodings.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-14404
CVE-Crit: MEDIUM
CVE-DESC: An issue was discovered in LibVNCServer before version 0.9.13. libvncserver/rre.c allows out-of-bounds access via encodings.
CVE-STATUS: default
CVE-REV: default

OS      Version  Architecture  Package       Version  Filename
Cobalt  any      noarch        libvncserver  < 0.9.9  UNKNOWN
