CVE-2018-7225

NameCVE-2018-7225
DescriptionAn issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1332-1, DLA-1979-1, DLA-2014-1, DLA-2045-1, DSA-4221-1
NVD severityhigh
Debian Bugs894045, 945784

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
italc (PTS)stretch1:3.0.3+dfsg1-1+deb9u1fixed
libvncserver (PTS)stretch0.9.11+dfsg-1.3~deb9u4fixed
stretch (security)0.9.11+dfsg-1.3~deb9u6fixed
buster0.9.11+dfsg-1.3+deb10u4fixed
bullseye, sid0.9.13+dfsg-1fixed
tightvnc (PTS)stretch1:1.3.9-9+deb9u1fixed
buster1:1.3.9-9+deb10u1fixed
bullseye, sid1:1.3.10-1fixed
vino (PTS)stretch3.22.0-1vulnerable
buster3.22.0-5vulnerable
bullseye, sid3.22.0-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
italcsourcejessie1:2.0.2+dfsg1-2+deb8u1DLA-1979-1
italcsourcestretch1:3.0.3+dfsg1-1+deb9u1
italcsource(unstable)(unfixed)
libvncserversourcewheezy0.9.9+dfsg-1+deb7u3DLA-1332-1
libvncserversourcejessie0.9.9+dfsg2-6.1+deb8u3DSA-4221-1
libvncserversourcestretch0.9.11+dfsg-1+deb9u1DSA-4221-1
libvncserversource(unstable)0.9.11+dfsg-1.1894045
tightvncsourcejessie1.3.9-6.5+deb8u1DLA-2045-1
tightvncsourcestretch1:1.3.9-9+deb9u1
tightvncsourcebuster1:1.3.9-9deb10u1
tightvncsource(unstable)1:1.3.9-9.1
vinosourcejessie3.14.0-2+deb8u1DLA-2014-1
vinosource(unstable)3.22.0-6945784

Notes

[buster] - vino <no-dsa> (Minor issue)
[stretch] - vino <no-dsa> (Minor issue)
https://github.com/LibVNC/libvncserver/issues/218
https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee

Search for package or bug name: Reporting problems