LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains a CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources like CPU and RAM
Weakness
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libvncserver | Libvnc_project | * | 0.9.12 (excluding) |
| Italc | Ubuntu | bionic | * |
| Italc | Ubuntu | esm-apps/bionic | * |
| Italc | Ubuntu | esm-apps/xenial | * |
| Italc | Ubuntu | trusty | * |
| Italc | Ubuntu | upstream | * |
| Italc | Ubuntu | xenial | * |
| Libvncserver | Ubuntu | bionic | * |
| Libvncserver | Ubuntu | cosmic | * |
| Libvncserver | Ubuntu | esm-infra/bionic | * |
| Libvncserver | Ubuntu | esm-infra/xenial | * |
| Libvncserver | Ubuntu | trusty | * |
| Libvncserver | Ubuntu | upstream | * |
| Libvncserver | Ubuntu | xenial | * |
| Ssvnc | Ubuntu | bionic | * |
| Ssvnc | Ubuntu | esm-apps/bionic | * |
| Ssvnc | Ubuntu | esm-apps/xenial | * |
| Ssvnc | Ubuntu | trusty | * |
| Ssvnc | Ubuntu | upstream | * |
| Ssvnc | Ubuntu | xenial | * |
| Tightvnc | Ubuntu | bionic | * |
| Tightvnc | Ubuntu | esm-infra-legacy/trusty | * |
| Tightvnc | Ubuntu | focal | * |
| Tightvnc | Ubuntu | groovy | * |
| Tightvnc | Ubuntu | hirsute | * |
| Tightvnc | Ubuntu | impish | * |
| Tightvnc | Ubuntu | kinetic | * |
| Tightvnc | Ubuntu | lunar | * |
| Tightvnc | Ubuntu | mantic | * |
| Tightvnc | Ubuntu | oracular | * |
| Tightvnc | Ubuntu | plucky | * |
| Tightvnc | Ubuntu | trusty | * |
| Tightvnc | Ubuntu | trusty/esm | * |
| Tightvnc | Ubuntu | upstream | * |
| Tightvnc | Ubuntu | xenial | * |
| X11vnc | Ubuntu | cosmic | * |
| X11vnc | Ubuntu | trusty | * |
References
- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-031-libvnc-infinite-loop/
- https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html
- https://lists.debian.org/debian-lts-announce/2019/11/msg00033.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html
- https://security.gentoo.org/glsa/201908-05
- https://security.gentoo.org/glsa/202006-06
- https://usn.ubuntu.com/3877-1/
- https://usn.ubuntu.com/4547-1/
- https://usn.ubuntu.com/4547-2/
- https://usn.ubuntu.com/4587-1/
- https://www.debian.org/security/2019/dsa-4383
- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-031-libvnc-infinite-loop/
- https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html
- https://lists.debian.org/debian-lts-announce/2019/11/msg00033.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html
- https://security.gentoo.org/glsa/201908-05
- https://security.gentoo.org/glsa/202006-06
- https://usn.ubuntu.com/3877-1/
- https://usn.ubuntu.com/4547-1/
- https://usn.ubuntu.com/4547-2/
- https://usn.ubuntu.com/4587-1/
- https://www.debian.org/security/2019/dsa-4383