Operating System:

[Debian]

Published:

31 October 2019

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4032
                           italc security update
                              31 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           italc
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-15681 CVE-2018-20750 CVE-2018-20749
                   CVE-2018-20748 CVE-2018-20024 CVE-2018-20023
                   CVE-2018-20022 CVE-2018-20021 CVE-2018-20020
                   CVE-2018-20019 CVE-2018-15127 CVE-2018-15126
                   CVE-2018-7225 CVE-2018-6307 CVE-2016-9942
                   CVE-2016-9941 CVE-2014-6055 CVE-2014-6054
                   CVE-2014-6053 CVE-2014-6052 CVE-2014-6051

Reference:         ESB-2019.0460
                   ESB-2019.0307
                   ESB-2019.0298
                   ESB-2019.0295
                   ESB-2019.0134
                   ESB-2019.0123
                   ESB-2019.0400.2

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1979-1

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : italc
Version        : 1:2.0.2+dfsg1-2+deb8u1
CVE ID         : CVE-2014-6051 CVE-2014-6052 CVE-2014-6053 CVE-2014-6054
                 CVE-2014-6055 CVE-2016-9941 CVE-2016-9942 CVE-2018-6307
                 CVE-2018-7225 CVE-2018-15126 CVE-2018-15127 CVE-2018-20019
                 CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023
                 CVE-2018-20024 CVE-2018-20748 CVE-2018-20749 CVE-2018-20750
                 CVE-2019-15681


Several vulnerabilities have been identified in the VNC code of iTALC, a
classroom management software. All vulnerabilities referenced below are
issues that have originally been reported against Debian source package
libvncserver. The italc source package in Debian ships a custom-patched
version of libvncserver, thus libvncserver's security fixes required
porting over.

CVE-2014-6051

    Integer overflow in the MallocFrameBuffer function in vncviewer.c in
    LibVNCServer allowed remote VNC servers to cause a denial of service
    (crash) and possibly executed arbitrary code via an advertisement for
    a large screen size, which triggered a heap-based buffer overflow.

CVE-2014-6052

    The HandleRFBServerMessage function in libvncclient/rfbproto.c in
    LibVNCServer did not check certain malloc return values, which
    allowed remote VNC servers to cause a denial of service (application
    crash) or possibly execute arbitrary code by specifying a large
    screen size in a (1) FramebufferUpdate, (2) ResizeFrameBuffer, or (3)
    PalmVNCReSizeFrameBuffer message.

CVE-2014-6053

    The rfbProcessClientNormalMessage function in
    libvncserver/rfbserver.c in LibVNCServer did not properly handle
    attempts to send a large amount of ClientCutText data, which allowed
    remote attackers to cause a denial of service (memory consumption or
    daemon crash) via a crafted message that was processed by using a
    single unchecked malloc.

CVE-2014-6054

    The rfbProcessClientNormalMessage function in
    libvncserver/rfbserver.c in LibVNCServer allowed remote attackers to
    cause a denial of service (divide-by-zero error and server crash) via
    a zero value in the scaling factor in a (1) PalmVNCSetScaleFactor or
    (2) SetScale message.

CVE-2014-6055

    Multiple stack-based buffer overflows in the File Transfer feature in
    rfbserver.c in LibVNCServer allowed remote authenticated users to
    cause a denial of service (crash) and possibly execute arbitrary code
    via a (1) long file or (2) directory name or the (3) FileTime
    attribute in a rfbFileTransferOffer message.

CVE-2016-9941

    Heap-based buffer overflow in rfbproto.c in LibVNCClient in
    LibVNCServer allowed remote servers to cause a denial of service
    (application crash) or possibly execute arbitrary code via a crafted
    FramebufferUpdate message containing a subrectangle outside of the
    client drawing area.

CVE-2016-9942

    Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer
    allowed remote servers to cause a denial of service (application
    crash) or possibly execute arbitrary code via a crafted
    FramebufferUpdate message with the Ultra type tile, such that the LZO
    payload decompressed length exceeded what is specified by the tile
    dimensions.

CVE-2018-6307

    LibVNC contained heap use-after-free vulnerability in server code of
    file transfer extension that can result remote code execution.

CVE-2018-7225

    An issue was discovered in LibVNCServer.
    rfbProcessClientNormalMessage() in rfbserver.c did not sanitize
    msg.cct.length, leading to access to uninitialized and potentially
    sensitive data or possibly unspecified other impact (e.g., an integer
    overflow) via specially crafted VNC packets.

CVE-2018-15126

    LibVNC contained heap use-after-free vulnerability in server code of
    file transfer extension that can result remote code execution.

CVE-2018-15127

    LibVNC contained heap out-of-bound write vulnerability in server code
    of file transfer extension that can result remote code execution

CVE-2018-20749

    LibVNC contained a heap out-of-bounds write vulnerability in
    libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

CVE-2018-20750

    LibVNC contained a heap out-of-bounds write vulnerability in
    libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

CVE-2018-20019

    LibVNC contained multiple heap out-of-bound write vulnerabilities in
    VNC client code that can result remote code execution

CVE-2018-20748

    LibVNC contained multiple heap out-of-bounds write vulnerabilities in
    libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.

CVE-2018-20020

    LibVNC contained heap out-of-bound write vulnerability inside
    structure in VNC client code that can result remote code execution

CVE-2018-20021

    LibVNC contained a CWE-835: Infinite loop vulnerability in VNC client
    code. Vulnerability allows attacker to consume excessive amount of
    resources like CPU and RAM

CVE-2018-20022

    LibVNC contained multiple weaknesses CWE-665: Improper Initialization
    vulnerability in VNC client code that allowed attackers to read stack
    memory and could be abused for information disclosure. Combined with
    another vulnerability, it could be used to leak stack memory layout
    and in bypassing ASLR.

CVE-2018-20023

    LibVNC contained CWE-665: Improper Initialization vulnerability in
    VNC Repeater client code that allowed attacker to read stack memory
    and could be abused for information disclosure. Combined with another
    vulnerability, it could be used to leak stack memory layout and in
    bypassing ASLR.

CVE-2018-20024

    LibVNC contained null pointer dereference in VNC client code that
    could result DoS.

CVE-2019-15681

    LibVNC contained a memory leak (CWE-655) in VNC server code, which
    allowed an attacker to read stack memory and could be abused for
    information disclosure. Combined with another vulnerability, it could
    be used to leak stack memory and bypass ASLR. This attack appeared to
    be exploitable via network connectivity.

For Debian 8 "Jessie", these problems have been fixed in version
1:2.0.2+dfsg1-2+deb8u1.

We recommend that you upgrade your italc packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXbpZdGaOgq3Tt24GAQhw6xAA0L4L9ZWstn//KkGiu3qbH4ILF44W0gV9
H1tx5TahwkISHipQLmRa8Dth6+JhmGq9vf2GM94wxcscFtJlsGI88goCh80eQ1Ns
NTC1gxMQ7vcyRtPKdDr0gGXQpbkF8erIVjQXizH2M3Yqa6jt6B2zE/tAOJQsANqz
o52utrRNGhDuUwX7JCogK4ZuVNgUxL5o0oo1WqPulKNY9FrRjSB/CISBuulAZQ1M
iEeBSm4g/LHGtPJLih03mkyukaeamTvE0eecHKNMM6xzyc4+KOiFlcOMMlGcswmY
/Li/xYdzUFZJwkBjWduYcaa1cRE0a0WxeZe65Sfol0LBRfJ80qW7M+dyG3W4jpwj
rXADNyF7w1LRTez35gMKkzubNrGxokMv3+bsbAC8O6FAXV7yON7CHKioCOr35OD1
KylFnQQYPHgTxoXgMJjbNs3xqWxuPgxzHH/FqBqOTMNLYBoFeUa/IZk8lzf+tR9Q
3zxzTVQjrWqF953GTxT5Z8LS+zaXnby3WlNir5+ydbVpnvkpJzW60qnRxuRPZ3eX
3OJZiWSinh6RX/jkEWG+Jnu4fCiz0TAxXKS99gj5fDZ4B0NJfX0YE8yUW45wp2h4
SR3cAdI9L9A2RiYnF4948+0fmw0kqjlXY8pcxQPp/7V4mEq2JTgdnPQy7jJpafKR
7PA4dtV/O3A=
=2Ax8
-----END PGP SIGNATURE-----