Security update for LibVNCServer SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1025-1 Final 1 1 2020-07-21T08:27:26Z current 2020-07-21T08:27:26Z 2020-07-21T08:27:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for LibVNCServer This update for LibVNCServer fixes the following issues: - security update - added patches fix CVE-2018-21247 [bsc#1173874], uninitialized memory contents are vulnerable to Information leak + LibVNCServer-CVE-2018-21247.patch fix CVE-2019-20839 [bsc#1173875], buffer overflow in ConnectClientToUnixSock() + LibVNCServer-CVE-2019-20839.patch fix CVE-2019-20840 [bsc#1173876], unaligned accesses in hybiReadAndDecode can lead to denial of service + LibVNCServer-CVE-2019-20840.patch fix CVE-2020-14398 [bsc#1173880], improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c + LibVNCServer-CVE-2020-14398.patch fix CVE-2020-14397 [bsc#1173700], NULL pointer dereference in libvncserver/rfbregion.c + LibVNCServer-CVE-2020-14397.patch fix CVE-2020-14399 [bsc#1173743], Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c. + LibVNCServer-CVE-2020-14399.patch fix CVE-2020-14400 [bsc#1173691], Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c. + LibVNCServer-CVE-2020-14400.patch fix CVE-2020-14401 [bsc#1173694], potential integer overflows in libvncserver/scale.c + LibVNCServer-CVE-2020-14401.patch fix CVE-2020-14402 [bsc#1173701], out-of-bounds access via encodings. + LibVNCServer-CVE-2020-14402,14403,14404.patch fix CVE-2017-18922 [bsc#1173477], preauth buffer overwrite This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1025 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MRXTN4MBX2MAHYVC2KCQATTKYECU2TZT/ E-Mail link for openSUSE-SU-2020:1025-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173691 SUSE Bug 1173691 https://bugzilla.suse.com/1173694 SUSE Bug 1173694 https://bugzilla.suse.com/1173700 SUSE Bug 1173700 https://bugzilla.suse.com/1173701 SUSE Bug 1173701 https://bugzilla.suse.com/1173743 SUSE Bug 1173743 https://bugzilla.suse.com/1173874 SUSE Bug 1173874 https://bugzilla.suse.com/1173875 SUSE Bug 1173875 https://bugzilla.suse.com/1173876 SUSE Bug 1173876 https://bugzilla.suse.com/1173880 SUSE Bug 1173880 https://www.suse.com/security/cve/CVE-2017-18922/ SUSE CVE CVE-2017-18922 page https://www.suse.com/security/cve/CVE-2018-21247/ SUSE CVE CVE-2018-21247 page https://www.suse.com/security/cve/CVE-2019-20839/ SUSE CVE CVE-2019-20839 page https://www.suse.com/security/cve/CVE-2019-20840/ SUSE CVE CVE-2019-20840 page https://www.suse.com/security/cve/CVE-2020-14397/ SUSE CVE CVE-2020-14397 page https://www.suse.com/security/cve/CVE-2020-14398/ SUSE CVE CVE-2020-14398 page https://www.suse.com/security/cve/CVE-2020-14399/ SUSE CVE CVE-2020-14399 page https://www.suse.com/security/cve/CVE-2020-14400/ SUSE CVE CVE-2020-14400 page https://www.suse.com/security/cve/CVE-2020-14401/ SUSE CVE CVE-2020-14401 page https://www.suse.com/security/cve/CVE-2020-14402/ SUSE CVE CVE-2020-14402 page openSUSE Leap 15.2 LibVNCServer-devel-0.9.10-lp152.9.8.1 libvncclient0-0.9.10-lp152.9.8.1 libvncserver0-0.9.10-lp152.9.8.1 LibVNCServer-devel-0.9.10-lp152.9.8.1 as a component of openSUSE Leap 15.2 libvncclient0-0.9.10-lp152.9.8.1 as a component of openSUSE Leap 15.2 libvncserver0-0.9.10-lp152.9.8.1 as a component of openSUSE Leap 15.2 It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploit this by sending specially crafted WebSocket frames to a server, causing a heap-based buffer overflow. CVE-2017-18922 openSUSE Leap 15.2:LibVNCServer-devel-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncclient0-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncserver0-0.9.10-lp152.9.8.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MRXTN4MBX2MAHYVC2KCQATTKYECU2TZT/ https://www.suse.com/security/cve/CVE-2017-18922.html CVE-2017-18922 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 An issue was discovered in LibVNCServer before 0.9.13. There is an information leak (of uninitialized memory contents) in the libvncclient/rfbproto.c ConnectToRFBRepeater function. CVE-2018-21247 openSUSE Leap 15.2:LibVNCServer-devel-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncclient0-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncserver0-0.9.10-lp152.9.8.1 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MRXTN4MBX2MAHYVC2KCQATTKYECU2TZT/ https://www.suse.com/security/cve/CVE-2018-21247.html CVE-2018-21247 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173874 SUSE Bug 1173874 libvncclient/sockets.c in LibVNCServer before 0.9.13 has a buffer overflow via a long socket filename. CVE-2019-20839 openSUSE Leap 15.2:LibVNCServer-devel-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncclient0-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncserver0-0.9.10-lp152.9.8.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MRXTN4MBX2MAHYVC2KCQATTKYECU2TZT/ https://www.suse.com/security/cve/CVE-2019-20839.html CVE-2019-20839 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173875 SUSE Bug 1173875 An issue was discovered in LibVNCServer before 0.9.13. libvncserver/ws_decode.c can lead to a crash because of unaligned accesses in hybiReadAndDecode. CVE-2019-20840 openSUSE Leap 15.2:LibVNCServer-devel-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncclient0-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncserver0-0.9.10-lp152.9.8.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MRXTN4MBX2MAHYVC2KCQATTKYECU2TZT/ https://www.suse.com/security/cve/CVE-2019-20840.html CVE-2019-20840 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173876 SUSE Bug 1173876 An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rfbregion.c has a NULL pointer dereference. CVE-2020-14397 openSUSE Leap 15.2:LibVNCServer-devel-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncclient0-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncserver0-0.9.10-lp152.9.8.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MRXTN4MBX2MAHYVC2KCQATTKYECU2TZT/ https://www.suse.com/security/cve/CVE-2020-14397.html CVE-2020-14397 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173700 SUSE Bug 1173700 An issue was discovered in LibVNCServer before 0.9.13. An improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c. CVE-2020-14398 openSUSE Leap 15.2:LibVNCServer-devel-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncclient0-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncserver0-0.9.10-lp152.9.8.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MRXTN4MBX2MAHYVC2KCQATTKYECU2TZT/ https://www.suse.com/security/cve/CVE-2020-14398.html CVE-2020-14398 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173880 SUSE Bug 1173880 ** DISPUTED ** An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c. NOTE: there is reportedly "no trust boundary crossed." CVE-2020-14399 openSUSE Leap 15.2:LibVNCServer-devel-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncclient0-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncserver0-0.9.10-lp152.9.8.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MRXTN4MBX2MAHYVC2KCQATTKYECU2TZT/ https://www.suse.com/security/cve/CVE-2020-14399.html CVE-2020-14399 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173743 SUSE Bug 1173743 ** DISPUTED ** An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c. NOTE: Third parties do not consider this to be a vulnerability as there is no known path of exploitation or cross of a trust boundary. CVE-2020-14400 openSUSE Leap 15.2:LibVNCServer-devel-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncclient0-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncserver0-0.9.10-lp152.9.8.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MRXTN4MBX2MAHYVC2KCQATTKYECU2TZT/ https://www.suse.com/security/cve/CVE-2020-14400.html CVE-2020-14400 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173691 SUSE Bug 1173691 An issue was discovered in LibVNCServer before 0.9.13. libvncserver/scale.c has a pixel_value integer overflow. CVE-2020-14401 openSUSE Leap 15.2:LibVNCServer-devel-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncclient0-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncserver0-0.9.10-lp152.9.8.1 moderate 6.4 AV:N/AC:L/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MRXTN4MBX2MAHYVC2KCQATTKYECU2TZT/ https://www.suse.com/security/cve/CVE-2020-14401.html CVE-2020-14401 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173694 SUSE Bug 1173694 An issue was discovered in LibVNCServer before 0.9.13. libvncserver/corre.c allows out-of-bounds access via encodings. CVE-2020-14402 openSUSE Leap 15.2:LibVNCServer-devel-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncclient0-0.9.10-lp152.9.8.1 openSUSE Leap 15.2:libvncserver0-0.9.10-lp152.9.8.1 moderate 5.5 AV:N/AC:L/Au:S/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MRXTN4MBX2MAHYVC2KCQATTKYECU2TZT/ https://www.suse.com/security/cve/CVE-2020-14402.html CVE-2020-14402 https://bugzilla.suse.com/1173477 SUSE Bug 1173477 https://bugzilla.suse.com/1173701 SUSE Bug 1173701