Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4032 italc security update 31 October 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: italc Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-15681 CVE-2018-20750 CVE-2018-20749 CVE-2018-20748 CVE-2018-20024 CVE-2018-20023 CVE-2018-20022 CVE-2018-20021 CVE-2018-20020 CVE-2018-20019 CVE-2018-15127 CVE-2018-15126 CVE-2018-7225 CVE-2018-6307 CVE-2016-9942 CVE-2016-9941 CVE-2014-6055 CVE-2014-6054 CVE-2014-6053 CVE-2014-6052 CVE-2014-6051 Reference: ESB-2019.0460 ESB-2019.0307 ESB-2019.0298 ESB-2019.0295 ESB-2019.0134 ESB-2019.0123 ESB-2019.0400.2 Original Bulletin: https://security-tracker.debian.org/tracker/DLA-1979-1 - --------------------------BEGIN INCLUDED TEXT-------------------- Package : italc Version : 1:2.0.2+dfsg1-2+deb8u1 CVE ID : CVE-2014-6051 CVE-2014-6052 CVE-2014-6053 CVE-2014-6054 CVE-2014-6055 CVE-2016-9941 CVE-2016-9942 CVE-2018-6307 CVE-2018-7225 CVE-2018-15126 CVE-2018-15127 CVE-2018-20019 CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023 CVE-2018-20024 CVE-2018-20748 CVE-2018-20749 CVE-2018-20750 CVE-2019-15681 Several vulnerabilities have been identified in the VNC code of iTALC, a classroom management software. All vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver. The italc source package in Debian ships a custom-patched version of libvncserver, thus libvncserver's security fixes required porting over. CVE-2014-6051 Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer allowed remote VNC servers to cause a denial of service (crash) and possibly executed arbitrary code via an advertisement for a large screen size, which triggered a heap-based buffer overflow. CVE-2014-6052 The HandleRFBServerMessage function in libvncclient/rfbproto.c in LibVNCServer did not check certain malloc return values, which allowed remote VNC servers to cause a denial of service (application crash) or possibly execute arbitrary code by specifying a large screen size in a (1) FramebufferUpdate, (2) ResizeFrameBuffer, or (3) PalmVNCReSizeFrameBuffer message. CVE-2014-6053 The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer did not properly handle attempts to send a large amount of ClientCutText data, which allowed remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that was processed by using a single unchecked malloc. CVE-2014-6054 The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer allowed remote attackers to cause a denial of service (divide-by-zero error and server crash) via a zero value in the scaling factor in a (1) PalmVNCSetScaleFactor or (2) SetScale message. CVE-2014-6055 Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer allowed remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3) FileTime attribute in a rfbFileTransferOffer message. CVE-2016-9941 Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area. CVE-2016-9942 Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeded what is specified by the tile dimensions. CVE-2018-6307 LibVNC contained heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution. CVE-2018-7225 An issue was discovered in LibVNCServer. rfbProcessClientNormalMessage() in rfbserver.c did not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets. CVE-2018-15126 LibVNC contained heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution. CVE-2018-15127 LibVNC contained heap out-of-bound write vulnerability in server code of file transfer extension that can result remote code execution CVE-2018-20749 LibVNC contained a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete. CVE-2018-20750 LibVNC contained a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete. CVE-2018-20019 LibVNC contained multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution CVE-2018-20748 LibVNC contained multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete. CVE-2018-20020 LibVNC contained heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution CVE-2018-20021 LibVNC contained a CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources like CPU and RAM CVE-2018-20022 LibVNC contained multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allowed attackers to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory layout and in bypassing ASLR. CVE-2018-20023 LibVNC contained CWE-665: Improper Initialization vulnerability in VNC Repeater client code that allowed attacker to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory layout and in bypassing ASLR. CVE-2018-20024 LibVNC contained null pointer dereference in VNC client code that could result DoS. CVE-2019-15681 LibVNC contained a memory leak (CWE-655) in VNC server code, which allowed an attacker to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory and bypass ASLR. This attack appeared to be exploitable via network connectivity. For Debian 8 "Jessie", these problems have been fixed in version 1:2.0.2+dfsg1-2+deb8u1. We recommend that you upgrade your italc packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunweaver@debian.org, http://sunweavers.net - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXbpZdGaOgq3Tt24GAQhw6xAA0L4L9ZWstn//KkGiu3qbH4ILF44W0gV9 H1tx5TahwkISHipQLmRa8Dth6+JhmGq9vf2GM94wxcscFtJlsGI88goCh80eQ1Ns NTC1gxMQ7vcyRtPKdDr0gGXQpbkF8erIVjQXizH2M3Yqa6jt6B2zE/tAOJQsANqz o52utrRNGhDuUwX7JCogK4ZuVNgUxL5o0oo1WqPulKNY9FrRjSB/CISBuulAZQ1M iEeBSm4g/LHGtPJLih03mkyukaeamTvE0eecHKNMM6xzyc4+KOiFlcOMMlGcswmY /Li/xYdzUFZJwkBjWduYcaa1cRE0a0WxeZe65Sfol0LBRfJ80qW7M+dyG3W4jpwj rXADNyF7w1LRTez35gMKkzubNrGxokMv3+bsbAC8O6FAXV7yON7CHKioCOr35OD1 KylFnQQYPHgTxoXgMJjbNs3xqWxuPgxzHH/FqBqOTMNLYBoFeUa/IZk8lzf+tR9Q 3zxzTVQjrWqF953GTxT5Z8LS+zaXnby3WlNir5+ydbVpnvkpJzW60qnRxuRPZ3eX 3OJZiWSinh6RX/jkEWG+Jnu4fCiz0TAxXKS99gj5fDZ4B0NJfX0YE8yUW45wp2h4 SR3cAdI9L9A2RiYnF4948+0fmw0kqjlXY8pcxQPp/7V4mEq2JTgdnPQy7jJpafKR 7PA4dtV/O3A= =2Ax8 -----END PGP SIGNATURE-----