Bug 142557 - kde-base/krfb includes vulnerable libvncserver? (CVE-2006-2450)
Summary: kde-base/krfb includes vulnerable libvncserver? (CVE-2006-2450)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Reported: 2006-08-02 08:54 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-09-05 21:00 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-02 08:54:03 UTC
See bug #136916 for further details.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 07:58:21 UTC
KDE team, please advise/patch.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-05 06:25:11 UTC
KDE team, please advise/patch.
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-09-05 07:36:36 UTC
Is there a patch for this? Because I was waiting for that when the bug was open, and it seems nothing was posted while I was away ...
Comment 4 Wolf Giesen (RETIRED) gentoo-dev 2006-09-05 08:18:37 UTC
We haven't identified whether the bundled version is affected, I think. I'm not even sure upstream knows about the libvncserver problem (same for vino). Jaervosz, maybe we should pull in Tavis?

Diego, I take it you didn't hear anything about this upstream?
Comment 5 Ioannis Aslanidis (RETIRED) gentoo-dev 2006-09-05 08:20:30 UTC
At least, there are no open bugs about this upstream. Thus, no patches either.
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-09-05 08:27:12 UTC
Nothing on the sekrit mailing list (kde-packager) where I was expecting the security patch.
That's why I was waiting for someone to post the patch to libvncserver to see if it applied..
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-05 09:11:25 UTC
I'm not sure which version is bundled with KDE, but bug #136916 has a patch.
Comment 8 Ioannis Aslanidis (RETIRED) gentoo-dev 2006-09-05 09:20:02 UTC
(In reply to comment #7)
> I'm not sure which version is bundled with KDE, but bug #136916 has a patch.

Sorry, but I fail to see any patch there. In bug #136916#c22 the patch is requested, however no one replied. Please, could you point us to the exact location of the patch? Or is it under net-libs/libvncserver/files?
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-05 09:29:22 UTC
KDE security team contacted.

@comment #8: See URI for upstream libvncserver patch.
Comment 10 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-09-05 09:45:50 UTC
The patch does not apply, because auth.c is waaaay different. The libvncserver version used seems to be somewhere between 0.3 and 0.4
Comment 11 Wolf Giesen (RETIRED) gentoo-dev 2006-09-05 10:00:23 UTC
I dug around a bit in the sources, and my opinion is that krfb's bundled code is a _very_ old version, so old in fact that it probably isn't vulnerable. From what I see it only supports protocols up to 3.3, and there seems to be no handshake for various authentication types between server and client, which IIRC is the problem (authNONE is accepted even when it was not advertised) because that was introduced in later versions of the protocol (3.7 or such).

My personal conclusion is that this old version is not vulnerable to the specific bug we're dealing with here, but I'd rather have someone familiar with VNC or from the Auditing team confirm this (read as: "do not rely on what I say" .-)
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-05 21:00:58 UTC
Upstream confirms that the version is so old that it is not vulnerable.

Thx everyone.
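
Added example (not part of the bug thread, and not code from krfb or libvncserver): a small C model of the security-type selection that comment 11 describes, showing why a 3.3-only server has no client choice to validate and what a server that advertises a list has to check. The function names are hypothetical, the type numbers (0 Invalid, 1 None, 2 VNC Authentication) are those of the RFB protocol, and the offered list is constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFB security-type numbers. */
enum { SEC_INVALID = 0, SEC_NONE = 1, SEC_VNC_AUTH = 2 };

/* RFB 3.3: the server sends exactly one type and the client sends no
 * selection back, so the result is whatever the server's policy says. */
static uint8_t negotiate_v33(uint8_t server_policy)
{
    return server_policy;
}

/* RFB 3.7 and later: the server advertises a list and the client replies
 * with one byte. This variant uses the reply without comparing it to the
 * list, which is the behaviour comment 11 describes (authNONE accepted
 * even when it was not advertised). */
static uint8_t negotiate_v37_unchecked(const uint8_t *offered, size_t n,
                                       uint8_t client_reply)
{
    (void)offered;
    (void)n;
    return client_reply;
}

/* Same exchange with the missing check: the reply is honoured only if
 * the server actually advertised that type. */
static uint8_t negotiate_v37_checked(const uint8_t *offered, size_t n,
                                     uint8_t client_reply)
{
    for (size_t i = 0; i < n; i++)
        if (client_reply != SEC_INVALID && offered[i] == client_reply)
            return client_reply;
    return SEC_INVALID; /* caller fails the handshake and closes */
}

int main(void)
{
    /* Constructed sample: server configured to require a password. */
    const uint8_t offered[] = { SEC_VNC_AUTH };
    const uint8_t reply = SEC_NONE; /* reply that was never advertised */

    printf("3.3, server decides: %u\n", negotiate_v33(SEC_VNC_AUTH));
    printf("3.7 unchecked:       %u\n", negotiate_v37_unchecked(offered, 1, reply));
    printf("3.7 checked:         %u\n", negotiate_v37_checked(offered, 1, reply));
    return 0;
}
```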