Date: Sun, 18 Feb 2018 22:44:31 +0100
From: Solar Designer <>
Subject: Re: LibVNCServer rfbserver.c: rfbProcessClientNormalMessage() case rfbClientCutText doesn't sanitize msg.cct.length

On Sun, Feb 18, 2018 at 07:09:45PM +0100, Solar Designer wrote:
> vcSetXCutTextProc() came from LibVNCServer-0.9.9/vncterm/VNConsole.c, so its
> shortcomings also need to be reported to LibVNCServer upstream.

> vncterm exists as a separate repo,
> so I might report its issues in there:

Reported vncterm: VNConsole.c: vcSetXCutTextProc() integer overflow and
unchecked malloc():

vncterm's implementation of the callback is:

void vcSetXCutTextProc(char* str,int len, struct _rfbClientRec* cl)
{
  vncConsolePtr c=(vncConsolePtr)cl->screen->screenData;
  if(c->selection) free(c->selection);
  c->selection=(char*)malloc(len+1); /* rest of body as described below; len+1 may wrap to 0 */
  memcpy(c->selection,str,len);      /* malloc() result unchecked; len may be negative */
  c->selection[len]=0;
}

Besides the conversion to signed int during the call (a LibVNCServer API
issue), there's also len+1 in the implementation, which may cause an
integer overflow resulting in e.g. malloc(0) (which succeeds) followed
by memcpy(..., ..., -1) (which writes beyond the allocated memory).  And
there's no check for malloc() possibly returning NULL.
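A hardened version of the callback's allocation logic, added here as an example for this archive page; it is not vncterm's or LibVNCServer's code, and the struct, function names and the wire-length helper are assumptions. It rejects a negative or wrapping length, checks malloc(), and keeps the old selection intact when the copy fails instead of leaving a freed pointer behind.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for vncterm's console state: only the selection matters here. */
struct console {
    char *selection;        /* NUL-terminated copy of the client's last cut text */
    size_t selection_len;
};

/* Map the uint32 length of an rfbClientCutText message to the int the callback
   takes.  Anything that would turn negative (or leave no room for the NUL) is
   refused here instead of being handed to the callback as a bogus int. */
int cut_text_len_from_wire(uint32_t wire_len)
{
    if (wire_len >= (uint32_t)INT_MAX)
        return -1;
    return (int)wire_len;
}

/* Replace c->selection with a NUL-terminated copy of str[0..len).
   Returns 0 on success, -1 if len is unusable or malloc() fails; on failure the
   previous selection stays valid (the original frees it before allocating). */
int set_cut_text(struct console *c, const char *str, int len)
{
    if (len < 0)                          /* sign-converted huge length */
        return -1;

    char *copy = malloc((size_t)len + 1); /* size_t arithmetic: no int wrap */
    if (copy == NULL)                     /* the check the original lacks */
        return -1;

    memcpy(copy, str, (size_t)len);
    copy[len] = '\0';

    free(c->selection);                   /* free(NULL) is well defined */
    c->selection = copy;
    c->selection_len = (size_t)len;
    return 0;
}
```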

I did not request CVE ID(s) for this, and I don't intend to do so.  If
you need to, please feel free to track the vncterm vcSetXCutTextProc()
issues above as OVE-20180218-0002.
