Bugzilla – Bug 843174
VUL-0: CVE-2013-5745: vino: denial of service flaw
Last modified: 2018-10-19 18:22:35 UTC
Public via gnome.org: https://bugzilla.gnome.org/show_bug.cgi?id=641811

Bug 641811 - vino-server Denial of Service bug

Summary
=======
Program: vino-server (vino 2.32.1 and 2.26.1)
Type: Denial of Service
Impact: Low

Authors
=======
The Bitblaze group at UC Berkeley.
http://bitblaze.cs.berkeley.edu/

Description
===========
The vino_server_client_data_pending function in vino-server.c in vino-server of Vino 2.26.1 and 2.32.1 (the latest release) allows remote attackers to trigger a Denial of Service through an infinite loop.

Platforms affected
==================
The bug has been tested on an Ubuntu 9.04 platform using both Vino 2.26.1 and Vino 2.32.1, the latter being the latest version of the program. Other versions between these two releases could similarly be affected.

Vulnerable function
===================
In process: vino-server
Function backtrace stack (in vino 2.26.1):

Impact
======
Impact: Low

Reproducible
============
Yes, the bug is reproducible. The pcap file is attached.

Vulnerability description
=========================
This vulnerability is triggered when the user is required to enter a password. The server closes the client connection on receiving an unexpected input sequence from the client. The unprocessed client data remains in the buffer; the server does not remove it from the buffer since the client connection has been closed. The result is an infinite loop at the do-while (more_data_pending (rfb_client->sock)) in vino-server.c:415. The gdm and vino-server processes together take up 100% CPU, causing denial of service (see screenshot). In our tests, the DOS is triggered when the same input sequence is replayed twice (see pcap).
vino-server.c:415 (vino 2.26.1):

407: vino_server_client_data_pending (GIOChannel *source,
408:                                  GIOCondition condition,
409:                                  rfbClientPtr rfb_client)
410: {
411:   if (rfb_client->onHold)
412:     return TRUE;
413:
414:   do {
415:     rfbProcessClientMessage (rfb_client);
416:   } while (more_data_pending (rfb_client->sock));

The original 2.26.1 binary, pcap and screenshot are attached with this email.

------------------------
References:
rhn#910082 - (CVE-2013-5745) CVE-2013-5745 vino: denial of service flaw
-> bgo#693608 - Logging DOS fills ~/.cache/gdm/session.log
-> bgo#641811 - vino-server Denial of Service bug
-> rhn#1008661 - CVE-2013-5745 vino: denial of service flaw [fedora-all]
------------------------

This issue was already fixed in openSUSE 12.2 and 12.3.
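An added example, not vino's own code and not the upstream fix for bgo#641811: a small C model of the loop shape the report describes. A mock client whose connection is closed on unexpected input without draining its buffer, the vulnerable do-while that keeps spinning because more_data_pending() never becomes false once the connection is dead, and a hardened variant (an assumed fix, for illustration only) that discards the stale input and stops, which is what returning FALSE from the GIOChannel watch amounts to. MockClient, process_client_message, load_sample, LOOP_CAP and the sample bytes are all constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for rfbClientPtr: a socket descriptor plus the
 * bytes received from the client that have not been consumed yet. */
typedef struct {
    int sock;               /* -1 once the server has closed the connection */
    bool onHold;
    unsigned char buf[64];  /* received, not yet processed bytes */
    size_t pending;         /* how many of buf[] are still unprocessed */
} MockClient;

#define LOOP_CAP 1000       /* bound so the vulnerable demo terminates */

/* Mirrors more_data_pending(sock): true while unconsumed input remains.
 * It knows nothing about whether the connection is still open. */
static bool more_data_pending(const MockClient *c)
{
    return c->pending > 0;
}

/* Stand-in for rfbProcessClientMessage during the password prompt.
 * 0x01 is treated as the expected message type and consumed; any other
 * byte is the "unexpected input sequence": the server closes the
 * connection but leaves the unprocessed bytes in the buffer. */
static void process_client_message(MockClient *c)
{
    if (c->sock < 0 || c->pending == 0)
        return;                     /* closed or empty: nothing to consume */
    if (c->buf[0] == 0x01) {
        c->pending--;
        memmove(c->buf, c->buf + 1, c->pending);
    } else {
        c->sock = -1;               /* close, without draining the buffer */
    }
}

/* Vulnerable shape of vino_server_client_data_pending(): after the close
 * nothing is consumed, so more_data_pending() stays true forever.
 * Returns the number of iterations (reaches LOOP_CAP on the bad input). */
int data_pending_vulnerable(MockClient *c)
{
    int iters = 0;
    if (c->onHold)
        return 0;
    do {
        process_client_message(c);
        iters++;
    } while (more_data_pending(c) && iters < LOOP_CAP);
    return iters;
}

/* Hardened variant (assumed fix, for illustration): once the connection
 * has been closed, discard the stale input and stop, which corresponds to
 * returning FALSE from the GIOChannel watch so it is removed. */
int data_pending_hardened(MockClient *c)
{
    int iters = 0;
    if (c->onHold)
        return 0;
    do {
        process_client_message(c);
        iters++;
        if (c->sock < 0) {
            c->pending = 0;         /* drop data belonging to a dead client */
            break;
        }
    } while (more_data_pending(c));
    return iters;
}

/* Constructed sample: one valid byte, then an unexpected byte and padding. */
void load_sample(MockClient *c)
{
    static const unsigned char sample[] = { 0x01, 0xFF, 0x00, 0x00, 0x00 };
    memset(c, 0, sizeof *c);
    c->sock = 5;
    memcpy(c->buf, sample, sizeof sample);
    c->pending = sizeof sample;
}

int main(void)
{
    MockClient c;
    load_sample(&c);
    printf("vulnerable loop iterations: %d (capped)\n", data_pending_vulnerable(&c));
    load_sample(&c);
    printf("hardened loop iterations:   %d, pending left: %zu\n",
           data_pending_hardened(&c), c.pending);
    return 0;
}
```

The vulnerable function hits the iteration cap on the sample input while the hardened one returns after two passes with nothing left pending; without the cap the first loop never returns, which is the 100% CPU the report observes. The defensive point is that a "more data?" predicate on a buffer is not a liveness check: any loop driven by it needs an independent exit once the peer has been closed.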
bugbot adjusting priority
HPJ - can you look into this for SLE
reassign to security-team instead
The SWAMPID for this issue is 54749. This issue was rated as important. Please submit fixed packages until 2013-10-24. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Created attachment 563843 [details] test.eps reproduce EPS from freedesktop.org bug
Update released for: vino, vino-debuginfo, vino-debugsource, vino-lang Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: vino, vino-debuginfo, vino-debugsource, vino-lang Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: vino, vino-debuginfo Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: vino, vino-debuginfo, vino-debugsource, vino-lang Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
all released