701818 – (CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-20024) [TRACKER] Multiple VNC vulnerabilities (CVE-2018-{20020,20021,20022,20024})

Bug 701818 (CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-20024) - [TRACKER] Multiple VNC vulnerabilities (CVE-2018-{20020,20021,20022,20024})

Summary: [TRACKER] Multiple VNC vulnerabilities (CVE-2018-{20020,20021,20022,20024})

Status:	RESOLVED FIXED

Alias:	CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-20024

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:	Tracker

Depends on:	CVE-2018-20019, CVE-2018-20023 701820
Blocks:
	Show dependency tree

Reported:	2019-12-02 22:32 UTC by Thomas Deutschmann (RETIRED)
Modified:	2020-06-20 01:10 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Deutschmann (RETIRED) gentoo-dev

2019-12-02 22:32:44 UTC

CVE-2018-20020

    LibVNC contained heap out-of-bound write vulnerability inside
    structure in VNC client code that can result remote code execution

CVE-2018-20021

    LibVNC contained a CWE-835: Infinite loop vulnerability in VNC client
    code. Vulnerability allows attacker to consume excessive amount of
    resources like CPU and RAM

CVE-2018-20022

    LibVNC contained multiple weaknesses CWE-665: Improper Initialization
    vulnerability in VNC client code that allowed attackers to read stack
    memory and could be abused for information disclosure. Combined with
    another vulnerability, it could be used to leak stack memory layout
    and in bypassing ASLR.

CVE-2018-20024

    LibVNC contained null pointer dereference in VNC client code that
    could result DoS.