Bug 843174 - (CVE-2013-5745) VUL-0: CVE-2013-5745: vino: denial of service flaw
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Hans Petter Jansson
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp1:54750 maint...
Depends on:
Blocks:
Reported: 2013-09-30 11:59 UTC by Alexander Bergmann
Modified: 2018-10-19 18:22 UTC (History)
CC List: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
test.eps (3.93 KB, text/plain), 2013-10-17 09:35 UTC, Marcus Meissner

Description Alexander Bergmann 2013-09-30 11:59:08 UTC
Public via gnome.org:

https://bugzilla.gnome.org/show_bug.cgi?id=641811

Bug 641811 - vino-server Denial of Service bug 

Summary
=======
Program: vino-server (vino 2.32.1 and 2.26.1)
Type: Denial of Service
Impact: Low

Authors
=======
The Bitblaze group at UC Berkeley.
http://bitblaze.cs.berkeley.edu/


Description
===========
The vino_server_client_data_pending function in vino-server.c in vino-server of
Vino 2.26.1 and 2.32.1 (the latest release) allows remote attackers to trigger a
Denial of Service through an infinite loop.


Platforms affected
==================
The bug has been tested on an Ubuntu 9.04 platform using both Vino 2.26.1 and
Vino 2.32.1; the latter is the latest version of the program. Other versions
between these two releases could similarly be affected.

Vulnerable function
===================
In process: vino-server
Function backtrace stack (in vino 2.26.1):

Impact
======
Impact: Low

Reproducible
============
Yes, the bug is reproducible, and the pcap file is attached.


Vulnerability description
=========================

This vulnerability is triggered when the user is required to enter a password.
The server closes the client connection on receiving an unexpected input
sequence from the client.

The unprocessed client data remains in the buffer; the server does not remove
it from the buffer since the client connection has been closed.
The result is an infinite loop at the do-while (more_data_pending
(rfb_client->sock)) in vino-server.c:415.
The gdm and vino-server processes together take up 100% CPU, causing denial of
service (see screenshot).
In our tests, the DOS is triggered when the same input sequence is replayed
twice (see pcap).

vino-server.c:415 (vino 2.26.1):
407:vino_server_client_data_pending (GIOChannel   *source,
408:                             GIOCondition  condition,
409:                             rfbClientPtr  rfb_client)
410:{
411:  if (rfb_client->onHold)
412:    return TRUE;
414:  do {
415:    rfbProcessClientMessage (rfb_client);
416:  } while (more_data_pending (rfb_client->sock));

The original 2.26.1 binary, pcap and screenshot are attached with this email.

------------------------

References:
rhn#910082 - (CVE-2013-5745) CVE-2013-5745 vino: denial of service flaw 
 -> bgo#693608 - Logging DOS fills ~/.cache/gdm/session.log 
 -> bgo#641811 - vino-server Denial of Service bug
 -> rhn#1008661 - CVE-2013-5745 vino: denial of service flaw [fedora-all]

------------------------

This issue was already fixed in openSUSE 12.2 and 12.3.
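The loop behaviour described in the report above, as an added C illustration that is not vino's code and not the upstream fix. A stand-in client record (assumed fields: a `sock` that becomes -1 when the server closes the connection, a count of unread bytes, and an `auth_required` flag) simulates what the report describes: the message handler closes the connection on an unexpected message during the password step but leaves the offending bytes unconsumed. The two loops then show why `do { ... } while (more_data_pending(...))` alone never terminates once that has happened, and how checking the closed state inside the loop ends it. All structure and function names, the `MSG_AUTH_REPLY` type byte and the sample byte sequences are assumptions constructed for this example, not taken from libvncserver, vino or the report's pcap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the parts of libvncserver's rfbClientRec that the
 * demonstration needs. Not vino's real structure. */
typedef struct {
    int sock;                 /* set to -1 once the server has closed the connection */
    const unsigned char *buf; /* client bytes still sitting unread in the socket buffer */
    size_t pending;           /* how many of those bytes remain unconsumed */
    bool auth_required;       /* true while the server is waiting for the password step */
} Client;

/* Assumed message type that is legal while authentication is pending. */
#define MSG_AUTH_REPLY 0x02

/* Stand-in for more_data_pending(): true while unread bytes remain. It looks
 * only at the buffer, not at whether the connection is still open. */
static bool more_data_pending(const Client *c)
{
    return c->pending > 0;
}

/* Stand-in for rfbProcessClientMessage(), mimicking the behaviour the report
 * describes: an unexpected message during the password step closes the
 * connection but leaves the offending bytes in the buffer. */
static void process_client_message(Client *c)
{
    if (c->sock == -1)
        return;                         /* already closed: read nothing, consume nothing */
    if (c->auth_required && c->buf[0] != MSG_AUTH_REPLY) {
        c->sock = -1;                   /* close the client, buffer untouched */
        return;
    }
    c->buf++;                           /* normal path: consume the message */
    c->pending--;
}

/* The pattern at vino-server.c:414-416. 'cap' stands in for "100% CPU forever":
 * the function returns how many iterations ran before the cap was hit. */
static int vulnerable_loop(Client *c, int cap)
{
    int iters = 0;
    do {
        process_client_message(c);
        if (++iters >= cap)
            break;
    } while (more_data_pending(c));
    return iters;
}

/* One generic hardening (not necessarily the upstream patch): leave the loop
 * as soon as the connection is closed, whatever is left in the buffer. */
static int hardened_loop(Client *c, int cap)
{
    int iters = 0;
    do {
        process_client_message(c);
        ++iters;
        if (c->sock == -1 || iters >= cap)
            break;
    } while (more_data_pending(c));
    return iters;
}

/* Constructed inputs (not from the report's pcap): two unexpected bytes, i.e.
 * the bad sequence replayed twice, and three well-formed auth replies. */
static const unsigned char kReplayedGarbage[] = { 0x00, 0x00 };
static const unsigned char kAuthReplies[]     = { MSG_AUTH_REPLY, MSG_AUTH_REPLY, MSG_AUTH_REPLY };

#define CAP 1000

static int run_vulnerable_garbage(void)
{
    Client c = { 0, kReplayedGarbage, sizeof kReplayedGarbage, true };
    return vulnerable_loop(&c, CAP);        /* returns CAP: would spin forever */
}

static int run_hardened_garbage(void)
{
    Client c = { 0, kReplayedGarbage, sizeof kReplayedGarbage, true };
    return hardened_loop(&c, CAP);          /* returns 1: closes and stops */
}

static int run_vulnerable_valid(void)
{
    Client c = { 0, kAuthReplies, sizeof kAuthReplies, true };
    return vulnerable_loop(&c, CAP);        /* returns 3: all messages consumed */
}

static int run_hardened_valid(void)
{
    Client c = { 0, kAuthReplies, sizeof kAuthReplies, true };
    return hardened_loop(&c, CAP);          /* returns 3: unchanged on good input */
}

int main(void)
{
    printf("garbage: vulnerable=%d hardened=%d\n", run_vulnerable_garbage(), run_hardened_garbage());
    printf("valid:   vulnerable=%d hardened=%d\n", run_vulnerable_valid(), run_hardened_valid());
    return 0;
}
```

The point the simulation makes is that the loop condition asks the wrong question: whether bytes are pending says nothing about whether the server will ever consume them. Once the handler has closed the client, every further call is a no-op, so any loop that keys only on pending data must also check the connection state, or drain/discard the buffer when it closes the client.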
Comment 1 Swamp Workflow Management 2013-09-30 22:00:18 UTC
bugbot adjusting priority
Comment 2 Scott Reeves 2013-10-15 21:52:14 UTC
HPJ - can you look into this for SLE
Comment 5 Marcus Meissner 2013-10-17 08:37:06 UTC
reassign to security-team instead
Comment 6 Swamp Workflow Management 2013-10-17 09:29:28 UTC
The SWAMPID for this issue is 54749.
This issue was rated as important.
Please submit fixed packages until 2013-10-24.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 7 Marcus Meissner 2013-10-17 09:35:12 UTC
Created attachment 563843 [details]
test.eps

reproduce EPS from freedesktop.org bug
Comment 11 Swamp Workflow Management 2013-11-06 10:04:20 UTC
Update released for: vino, vino-debuginfo, vino-debugsource, vino-lang
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 12 Swamp Workflow Management 2013-11-06 11:51:20 UTC
Update released for: vino, vino-debuginfo, vino-debugsource, vino-lang
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 13 Swamp Workflow Management 2013-11-06 12:04:19 UTC
Update released for: vino, vino-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 14 Swamp Workflow Management 2013-11-06 15:48:13 UTC
Update released for: vino, vino-debuginfo, vino-debugsource, vino-lang
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 15 Marcus Meissner 2013-11-07 10:02:20 UTC
all released