Bug 1173878 (CVE-2020-14396)

Summary:	VUL-0: CVE-2020-14396: LibVNCServer: NULL pointer dereference in tls_openssl.c
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Alexandros Toptsoglou <atoptsoglou>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	smash_bz
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/261721/
Whiteboard:	CVSSv3.1:SUSE:CVE-2020-14396:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Alexandros Toptsoglou 2020-07-08 08:08:49 UTC

CVE-2020-14396

An issue was discovered in LibVNCServer before 0.9.13.
libvncclient/tls_openssl.c has a NULL pointer dereference.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14396
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14396.html
https://github.com/LibVNC/libvncserver/commit/33441d90a506d5f3ae9388f2752901227e430553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14396
https://github.com/LibVNC/libvncserver/compare/LibVNCServer-0.9.12...LibVNCServer-0.9.13

Comment 1 Petr Gajdos 2020-07-09 09:05:34 UTC

In 11,12,15/LibVNCServer, code not found, considering not affected. TW already fixed by version update.

Comment 2 Petr Gajdos 2020-07-09 13:32:16 UTC

Submitted for 15,12/LibVNCServer.

I believe all fixed.

Comment 4 Alexandros Toptsoglou 2020-08-27 13:55:01 UTC

Done