CVE-2019-15680
Published: 29 October 2019
TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP function, which results Denial of System (DoS). This attack appear to be exploitable via network connectivity.
From the Ubuntu security team
Pavel Cheremushkin discovered that TightVNC has a null pointer dereference vulnerability. An attacker could use it to cause a Denial of Service or possible a remote code execution.
Priority
CVSS 3 base score: 7.5
Status
Package | Release | Status |
---|---|---|
libvncserver Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 20.10 (Groovy Gorilla) |
Not vulnerable
(0.9.13+dfsg-1)
|
|
Ubuntu 20.04 LTS (Focal Fossa) |
Released
(0.9.12+dfsg-9ubuntu0.1)
|
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(0.9.11+dfsg-1ubuntu1.2)
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Released
(0.9.10+dfsg-3ubuntu0.16.04.4)
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
Patches: Upstream: https://github.com/sunweaver/libvncserver/commit/85d00057b5daf71675462c9b175d8cb2d47cd0e1 |
||
ssvnc Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 20.10 (Groovy Gorilla) |
Needs triage
|
|
Ubuntu 20.04 LTS (Focal Fossa) |
Needs triage
|
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Needs triage
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Needs triage
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
tightvnc Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 20.10 (Groovy Gorilla) |
Needs triage
|
|
Ubuntu 20.04 LTS (Focal Fossa) |
Needs triage
|
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Needs triage
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Needs triage
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
veyon Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 20.10 (Groovy Gorilla) |
Needs triage
|
|
Ubuntu 20.04 LTS (Focal Fossa) |
Needs triage
|
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
vncsnapshot Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 20.10 (Groovy Gorilla) |
Needs triage
|
|
Ubuntu 20.04 LTS (Focal Fossa) |
Needs triage
|
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Needs triage
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Needs triage
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
x11vnc Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 20.10 (Groovy Gorilla) |
Needs triage
|
|
Ubuntu 20.04 LTS (Focal Fossa) |
Needs triage
|
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Needs triage
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Needs triage
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Needs triage
|
Notes
Author | Note |
---|---|
mdeslaur | per upstream, this is a non-issue in libvncserver as checks are already done in zlib, see: https://github.com/LibVNC/libvncserver/issues/359#issuecomment-599133529 for completeness, the fix was added to focal and earlier releases, but will not be added to groovy+ |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15680
- https://www.openwall.com/lists/oss-security/2018/12/10/5
- https://usn.ubuntu.com/usn/usn-4407-1
- NVD
- Launchpad
- Debian