Hi all,

today I looked into libvncserver/CVE-2019-15681. The VNC situation is non-optimal in Debian...
The gist (which also applies to Debian) can be found in [1]. Thanks to Pavel Cheremushkin from Kaspersky for publishing his findings.
I looked at all packages I could think of that are related to VNC and came up with this list:

x11vnc -> uses system's libvncserver and system's libvncclient, but still bundles older versions of both in the orig tarball. (See [2]).
    NOT AFFECTED

italc -> bundles libvncserver (shame on myself+upstream) and uses it. It probably needs to be listed for all libvncserver CVEs we have seen in the past (luckily italc has been removed from unstable recently and replaced by veyon)
    AFFECTED (LOVE NEEDED)

krfb -> ships rfbserver.c from libvncserver, but uses its own implementation of an rfbserver rewritten in C++/Qt
    NOT AFFECTED

ssvnc -> VNC client only; ships libvncclient code files, probably affected by all libvncclient CVEs
    NEEDS MORE TRIAGING

veyon -> uses system-wide libvncserver, but still bundles libvncclient (this will be resolved with veyon 4.3.0, I heard from upstream)
    NEEDS MORE TRIAGING

vino -> bundles libvncserver and uses it. It probably needs to be listed for all libvncserver CVEs we have seen in the past
    AFFECTED (LOVE NEEDED)

vncsnapshot -> contains a small subset of the libvncclient files
    NEEDS MORE TRIAGING

tightvnc -> has copy+pasted code from libvncserver, e.g. rfbserver.(ch) and also from libvncclient
    PARTIALLY AFFECTED (LOVE NEEDED)

tigervnc -> VNC code has been entirely rewritten in C++, not related to libvncserver / libvncclient (anymore?) as it seems

Please add more packages, if you see fit, that belong to the same category of packages. Please provide feedback if you think otherwise on statements I made above.

light+love
Mike

[1] https://www.openwall.com/lists/oss-security/2018/12/10/5
[2] https://bugs.debian.org/943833

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de