Bug 1017711 - (CVE-2016-9941) VUL-0: CVE-2016-9941: LibVNCServer,x11vnc: Heap-based buffer overflow via crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Cristian Rodríguez
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/178186/
CVSSv2:SUSE:CVE-2016-9941:6.8:(AV:N/A...
Reported: 2017-01-02 08:45 UTC by Andreas Stieger
Modified: 2019-11-02 17:43 UTC (History)

Found By: Security Response Team
Description Andreas Stieger 2017-01-02 08:45:22 UTC
Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before
0.9.11 allows remote servers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted FramebufferUpdate message
containing a subrectangle outside of the client drawing area.

Poc in: 
https://github.com/LibVNC/libvncserver/pull/137

Fix:
https://github.com/LibVNC/libvncserver/commit/5418e8007c248bf9668d22a8c1fa9528149b69f2

Also found in openSUSE: x11vnc

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9941
http://www.cvedetails.com/cve/CVE-2016-9941/
https://github.com/LibVNC/libvncserver/pull/137
https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.11
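The bug described above is a client that trusts the x/y/width/height of a FramebufferUpdate subrectangle and writes pixel data relative to a framebuffer sized for the drawing area negotiated at ServerInit. The program below is an added example, written for this page; it is not LibVNCClient's rfbproto.c and not the code from the fix commit linked above. It parses a FramebufferUpdate message carrying raw-encoded rectangles (other encodings, the 12-byte rectangle header layout, and the `rfb_*` names are the example's own assumptions), rejects any rectangle that does not lie entirely inside the drawing area before copying a byte, and also shows a pitfall the page does not mention: doing the bounds check in 16-bit arithmetic lets a large width wrap past the right edge. The three sample messages are constructed for the example, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not LibVNCClient's rfbproto.c: a minimal client-side handler
 * for an RFB FramebufferUpdate message (RFC 6143 section 7.6.1) carrying
 * raw-encoded rectangles. Each rectangle is validated against the client's
 * drawing area (the width/height from ServerInit) before any pixel byte is
 * copied, which is the kind of check a fix for this bug has to add. */

#define RFB_ENC_RAW 0

typedef struct {
    uint16_t x, y, w, h;   /* rectangle header, all big-endian U16 on the wire */
    int32_t  encoding;     /* big-endian S32 */
} rfb_rect_t;

typedef struct {
    uint16_t width, height; /* drawing area negotiated in ServerInit */
    uint8_t  bpp;           /* bytes per pixel */
    uint8_t *pixels;        /* width * height * bpp bytes */
} rfb_fb_t;

enum { RFB_ERR_SHORT = -1, RFB_ERR_BOUNDS = -2, RFB_ERR_ENC = -3 };

static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static int32_t  rd_s32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
                     (uint32_t)p[2] << 8  | (uint32_t)p[3]);
}

/* Weak check, kept only to show the pitfall: adding two U16 values and
 * truncating the sum back to 16 bits lets x=16, w=65520 "fit" a 4-pixel-wide
 * framebuffer because 16 + 65520 wraps to 0. */
bool rect_fits_naive(const rfb_rect_t *r, uint16_t fb_w, uint16_t fb_h) {
    uint16_t right  = (uint16_t)(r->x + r->w);
    uint16_t bottom = (uint16_t)(r->y + r->h);
    return right <= fb_w && bottom <= fb_h;
}

/* Correct check: widen to 32 bits before adding, so the sum cannot wrap and
 * a subrectangle must lie entirely inside the drawing area. */
bool rect_fits(const rfb_rect_t *r, uint16_t fb_w, uint16_t fb_h) {
    return (uint32_t)r->x + r->w <= fb_w && (uint32_t)r->y + r->h <= fb_h;
}

/* Message layout: U8 type (0), U8 padding, U16 number-of-rectangles, then per
 * rectangle a 12-byte header followed by w*h*bpp raw pixel bytes.
 * Returns the number of rectangles applied, or a negative RFB_ERR_* code. */
int rfb_handle_framebuffer_update(rfb_fb_t *fb, const uint8_t *msg, size_t len) {
    if (len < 4 || msg[0] != 0) return RFB_ERR_SHORT;
    uint16_t nrects = rd_u16(msg + 2);
    size_t off = 4;
    for (uint16_t i = 0; i < nrects; i++) {
        if (len - off < 12) return RFB_ERR_SHORT;
        rfb_rect_t r = { rd_u16(msg + off),     rd_u16(msg + off + 2),
                         rd_u16(msg + off + 4), rd_u16(msg + off + 6),
                         rd_s32(msg + off + 8) };
        off += 12;
        if (r.encoding != RFB_ENC_RAW) return RFB_ERR_ENC;
        /* The bounds check comes before the payload-length check and before
         * the copy: an out-of-area rectangle is rejected whatever follows it. */
        if (!rect_fits(&r, fb->width, fb->height)) return RFB_ERR_BOUNDS;
        size_t row_bytes = (size_t)r.w * fb->bpp;
        if (len - off < row_bytes * r.h) return RFB_ERR_SHORT;
        for (uint16_t row = 0; row < r.h; row++) {
            size_t dst = ((size_t)(r.y + row) * fb->width + r.x) * fb->bpp;
            memcpy(fb->pixels + dst, msg + off + (size_t)row * row_bytes, row_bytes);
        }
        off += row_bytes * r.h;
    }
    return (int)nrects;
}

/* Constructed sample messages (not captured traffic) for a 4x4 framebuffer
 * with one byte per pixel. */
static const uint8_t MSG_OK[] = {
    0, 0, 0, 1,                          /* FramebufferUpdate, 1 rectangle */
    0, 1, 0, 1, 0, 2, 0, 2, 0, 0, 0, 0,  /* x=1 y=1 w=2 h=2, raw encoding */
    0xAA, 0xBB, 0xCC, 0xDD };
static const uint8_t MSG_OUTSIDE[] = {
    0, 0, 0, 1,
    0, 3, 0, 0, 0, 2, 0, 1, 0, 0, 0, 0,  /* x=3 w=2: right edge 5 > width 4 */
    0x11, 0x22 };
static const uint8_t MSG_WRAP[] = {
    0, 0, 0, 1,
    0, 16, 0, 0, 0xFF, 0xF0, 0, 1, 0, 0, 0, 0,  /* x=16 w=65520: 16-bit sum wraps */
    0x11 };

int main(void) {
    uint8_t px[16] = {0};
    rfb_fb_t fb = { 4, 4, 1, px };
    printf("in-area rect:  %d\n", rfb_handle_framebuffer_update(&fb, MSG_OK, sizeof MSG_OK));
    printf("outside rect:  %d\n", rfb_handle_framebuffer_update(&fb, MSG_OUTSIDE, sizeof MSG_OUTSIDE));
    printf("wrapping rect: %d\n", rfb_handle_framebuffer_update(&fb, MSG_WRAP, sizeof MSG_WRAP));
    return 0;
}
```

`rect_fits_naive` is there to be compared against, not used: a client that computes `x + w` in 16 bits passes the wrapping rectangle and would then write w*bpp bytes per row starting at column 16 of a 4-pixel-wide framebuffer. Checking the rectangle against the drawing area before looking at the payload also means a truncated or oversized pixel stream never reaches the copy loop.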
Comment 1 Swamp Workflow Management 2017-01-02 23:00:27 UTC
bugbot adjusting priority
Comment 3 Petr Gajdos 2017-01-04 08:04:19 UTC
Reassigning to opensuse bugowner in order to do a version update to 0.9.11 in tumbleweed. I wanted to do it myself but it seems there is some work on patches, which we maintain (maybe needlessly?).

Please reassign to security-team@ afterwards.
Comment 4 Johannes Segitz 2017-01-09 10:04:36 UTC
https://build.suse.de/request/show/126105 seems incomplete. The linked POC still crashes the server. Please have a look
Comment 5 Petr Gajdos 2017-01-11 11:37:44 UTC
(In reply to Johannes Segitz from comment #4)
> https://build.suse.de/request/show/126105 seems incomplete. The linked POC
> still crashes the server. Please have a look

Hmm, the description of the bug does not talk about crashing the server. Could you please outline here how you test? Please provide the reference host, if you already have it.
Comment 6 Swamp Workflow Management 2017-01-11 13:08:41 UTC
SUSE-SU-2017:0104-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1017711,1017712
CVE References: CVE-2016-9941,CVE-2016-9942
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    LibVNCServer-0.9.1-159.1
SUSE Linux Enterprise Server 11-SP4 (src):    LibVNCServer-0.9.1-159.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    LibVNCServer-0.9.1-159.1
Comment 7 Johannes Segitz 2017-01-11 13:12:07 UTC
(In reply to Petr Gajdos from comment #5)
Sorry, meant the client, not the server. But in the meanwhile we figured out that we don't have any client that uses the vulnerable code. So feel free to reassign to us, this one should be done.
Comment 8 Petr Gajdos 2017-01-11 15:00:41 UTC
Interesting :). Now I do not fully understand how you became sure enough to write comment 4 even when I s/server/client/ there.

Reassigning to Christian to do update to 0.9.11 in tumbleweed.
Comment 9 Andreas Stieger 2017-01-13 08:42:04 UTC
*** Bug 1019274 has been marked as a duplicate of this bug. ***
Comment 11 Swamp Workflow Management 2018-03-27 19:07:53 UTC
SUSE-SU-2018:0830-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1017711,1017712,1081493
CVE References: CVE-2016-9941,CVE-2016-9942,CVE-2018-7225
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    LibVNCServer-0.9.9-17.5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    LibVNCServer-0.9.9-17.5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    LibVNCServer-0.9.9-17.5.1
SUSE Linux Enterprise Server 12-SP3 (src):    LibVNCServer-0.9.9-17.5.1
SUSE Linux Enterprise Server 12-SP2 (src):    LibVNCServer-0.9.9-17.5.1
Comment 12 Andreas Stieger 2018-03-29 16:35:05 UTC
Appears to still be missing in x11vnc in Leap 42.3.
The original bugowner is gone, can anyone of you submit this one?
Comment 13 Swamp Workflow Management 2018-03-29 22:07:23 UTC
openSUSE-SU-2018:0851-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1017711,1017712,1081493
CVE References: CVE-2016-9941,CVE-2016-9942,CVE-2018-7225
Sources used:
openSUSE Leap 42.3 (src):    LibVNCServer-0.9.9-16.3.1
Comment 15 Marcus Meissner 2019-11-02 17:43:04 UTC
released