x11vnc Ubuntu 12.10 - buffer overflow and not working
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
x11vnc (Fedora) | Won't Fix | Undecided | | |
x11vnc (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Hi,
I just upgraded from Ubuntu 12.04 64bit to Ubuntu 12.10 64bit and now x11vnc is not working.
It keeps crashing with a buffer overflow as seen below.
It does NOT crash every time. Seems to be random.
When it does not crash x11vnc is NOT getting any connections now and it is NOT a firewall. I turned it off via ufw and still no connections are made it seems. Was fine before the upgrade to Ubuntu 12.10.
I'm starting x11vnc with the following upstart script:
# x11vnc
#
# This x11vnc server provides secure remote access (via SSH2) to the desktop.
description "x11vnc server"
start on runlevel 2
stop on runlevel [!2345]
respawn
respawn limit 10 5
umask 022
exec x11vnc -env FD_XDM=1 -auth guess -display :0 -rfbport 5901 -rfbauth /home/rob/
This has been working fine since at least Ubuntu 11.10. Again, was working fine no problem until I upgraded to Ubuntu 12.10 the other day.
rob@RobsUbuntuS
Description: Ubuntu 12.10
Release: 12.10
rob@RobsUbuntuS
x11vnc:
Installed: 0.9.13-1ubuntu1
Candidate: 0.9.13-1ubuntu1
Version table:
*** 0.9.13-1ubuntu1 0
500 http://
100 /var/lib/
I was expecting my upstart script to still work on the upgrade to Ubuntu 12.10 and I expect x11vnc to not crash on startup with a buffer overflow and I'd expect it to continue to work and allow connections.
Please see the following log showing the buffer overflow crash:
23/10/2012 19:07:00 passing arg to libvncserver: -rfbport
23/10/2012 19:07:00 passing arg to libvncserver: 5901
23/10/2012 19:07:00 passing arg to libvncserver: -rfbauth
23/10/2012 19:07:00 passing arg to libvncserver: /home/rob/
23/10/2012 19:07:00 passing arg to libvncserver: -rfbversion
23/10/2012 19:07:00 passing arg to libvncserver: 3.6
23/10/2012 19:07:00 passing arg to libvncserver: -permitfiletransfer
23/10/2012 19:07:00 x11vnc version: 0.9.13 lastmod: 2011-08-10 pid: 5658
23/10/2012 19:07:00 Using X display :0
23/10/2012 19:07:00 rootwin: 0x27d reswin: 0x3600001 dpy: 0x206b7b0
23/10/2012 19:07:00
23/10/2012 19:07:00 ------------------ USEFUL INFORMATION ------------------
23/10/2012 19:07:01 X DAMAGE available on display, using it for polling hints.
23/10/2012 19:07:01 To disable this behavior use: '-noxdamage'
23/10/2012 19:07:01
23/10/2012 19:07:01 Most compositing window managers like 'compiz' or 'beryl'
23/10/2012 19:07:01 cause X DAMAGE to fail, and so you may not see any screen
23/10/2012 19:07:01 updates via VNC. Either disable 'compiz' (recommended) or
23/10/2012 19:07:01 supply the x11vnc '-noxdamage' command line option.
23/10/2012 19:07:01
23/10/2012 19:07:01 Wireframing: -wireframe mode is in effect for window moves.
23/10/2012 19:07:01 If this yields undesired behavior (poor response, painting
23/10/2012 19:07:01 errors, etc) it may be disabled:
23/10/2012 19:07:01 - use '-nowf' to disable wireframing completely.
23/10/2012 19:07:01 - use '-nowcr' to disable the Copy Rectangle after the
23/10/2012 19:07:01 moved window is released in the new position.
23/10/2012 19:07:01 Also see the -help entry for tuning parameters.
23/10/2012 19:07:01 You can press 3 Alt_L's (Left "Alt" key) in a row to
23/10/2012 19:07:01 repaint the screen, also see the -fixscreen option for
23/10/2012 19:07:01 periodic repaints.
23/10/2012 19:07:01 GrabServer control via XTEST.
23/10/2012 19:07:01
23/10/2012 19:07:01 Scroll Detection: -scrollcopyrect mode is in effect to
23/10/2012 19:07:01 use RECORD extension to try to detect scrolling windows
23/10/2012 19:07:01 (induced by either user keystroke or mouse input).
23/10/2012 19:07:01 If this yields undesired behavior (poor response, painting
23/10/2012 19:07:01 errors, etc) it may be disabled via: '-noscr'
23/10/2012 19:07:01 Also see the -help entry for tuning parameters.
23/10/2012 19:07:01 You can press 3 Alt_L's (Left "Alt" key) in a row to
23/10/2012 19:07:01 repaint the screen, also see the -fixscreen option for
23/10/2012 19:07:01 periodic repaints.
23/10/2012 19:07:01
23/10/2012 19:07:01 Client Side Caching: -ncache mode is in effect to provide
23/10/2012 19:07:01 client-side pixel data caching. This speeds up
23/10/2012 19:07:01 iconifying/
23/10/2012 19:07:01 windows, and reposting menus. In the simple CopyRect
23/10/2012 19:07:01 encoding scheme used (no compression) a huge amount
23/10/2012 19:07:01 of extra memory (20-100MB) is used on both the server and
23/10/2012 19:07:01 client sides. This mode works with any VNC viewer.
23/10/2012 19:07:01 However, in most you can actually see the cached pixel
23/10/2012 19:07:01 data by scrolling down, so you need to re-adjust its size.
23/10/2012 19:07:01 See http://
23/10/2012 19:07:01 If this mode yields undesired behavior (poor response,
23/10/2012 19:07:01 painting errors, etc) it may be disabled via: '-ncache 0'
23/10/2012 19:07:01 You can press 3 Alt_L's (Left "Alt" key) in a row to
23/10/2012 19:07:01 repaint the screen, also see the -fixscreen option for
23/10/2012 19:07:01 periodic repaints.
23/10/2012 19:07:01 X FBPM extension not supported.
23/10/2012 19:07:01 X display is capable of DPMS.
23/10/2012 19:07:01 -------
23/10/2012 19:07:01
23/10/2012 19:07:01 Default visual ID: 0x21
23/10/2012 19:07:01 Read initial data from X display into framebuffer.
23/10/2012 19:07:01 initialize_screen: fb_depth/
23/10/2012 19:07:01
23/10/2012 19:07:01 X display :0 is 32bpp depth=24 true color
23/10/2012 19:07:01
23/10/2012 19:07:01 Listening for VNC connections on TCP port 5901
23/10/2012 19:07:01 rfbListenOnTCP6
23/10/2012 19:07:01 listen6: socket: Address family not supported by protocol
23/10/2012 19:07:01 (Ignore the above error if this system is IPv4-only.)
23/10/2012 19:07:01 Not listening on IPv6 interface.
23/10/2012 19:07:01
23/10/2012 19:07:01 Xinerama is present and active (e.g. multi-head).
23/10/2012 19:07:01 Xinerama: number of sub-screens: 1
23/10/2012 19:07:01 Xinerama: no blackouts needed (only one sub-screen)
23/10/2012 19:07:01
23/10/2012 19:07:01 fb read rate: 172 MB/sec
23/10/2012 19:07:01 fast read: reset -wait ms to: 10
23/10/2012 19:07:01 fast read: reset -defer ms to: 10
23/10/2012 19:07:01 The X server says there are 10 mouse buttons.
23/10/2012 19:07:01 screen setup finished.
23/10/2012 19:07:01
The VNC desktop is: localhost:1
*** buffer overflow detected ***: x11vnc terminated
======= Backtrace: =========
/lib/x86_
/lib/x86_
/lib/x86_
/usr/lib/
/usr/lib/
/usr/lib/
x11vnc[0x4a3081]
x11vnc[0x465102]
x11vnc[0x410be3]
/lib/x86_
x11vnc[0x41b4d5]
======= Memory map: ========
00400000-00544000 r-xp 00000000 fc:00 132531 /usr/bin/x11vnc
00743000-00744000 r--p 00143000 fc:00 132531 /usr/bin/x11vnc
00744000-0078a000 rw-p 00144000 fc:00 132531 /usr/bin/x11vnc
0078a000-009cc000 rw-p 00000000 00:00 0
02065000-02150000 rw-p 00000000 00:00 0 [heap]
caught signal: 6
23/10/2012 19:40:30 deleted 40 tile_row polling images.
Also, here is my log file showing x11vnc when it does manage to start up correctly without crashing.
As you can see all is as expected. And yet zero connections are being made. I attempt to connect to port 5901 and simply can't. Again was fine before the upgrade to Ubuntu 12.10.
Here is the log of x11vnc when starting correctly:
23/10/2012 20:21:16 passing arg to libvncserver: -rfbport
23/10/2012 20:21:16 passing arg to libvncserver: 5901
23/10/2012 20:21:16 passing arg to libvncserver: -rfbauth
23/10/2012 20:21:16 passing arg to libvncserver: /home/rob/
23/10/2012 20:21:16 passing arg to libvncserver: -rfbversion
23/10/2012 20:21:16 passing arg to libvncserver: 3.6
23/10/2012 20:21:16 passing arg to libvncserver: -permitfiletransfer
23/10/2012 20:21:17 x11vnc version: 0.9.13 lastmod: 2011-08-10 pid: 23440
23/10/2012 20:21:17 -auth guess: using 'XAUTHORITY=
23/10/2012 20:21:17 Using X display :0
23/10/2012 20:21:17 rootwin: 0x27d reswin: 0x5400001 dpy: 0xcac7e0
23/10/2012 20:21:17
23/10/2012 20:21:17 ------------------ USEFUL INFORMATION ------------------
23/10/2012 20:21:17 X DAMAGE available on display, using it for polling hints.
23/10/2012 20:21:17 To disable this behavior use: '-noxdamage'
23/10/2012 20:21:17
23/10/2012 20:21:17 Most compositing window managers like 'compiz' or 'beryl'
23/10/2012 20:21:17 cause X DAMAGE to fail, and so you may not see any screen
23/10/2012 20:21:17 updates via VNC. Either disable 'compiz' (recommended) or
23/10/2012 20:21:17 supply the x11vnc '-noxdamage' command line option.
23/10/2012 20:21:17
23/10/2012 20:21:17 Wireframing: -wireframe mode is in effect for window moves.
23/10/2012 20:21:17 If this yields undesired behavior (poor response, painting
23/10/2012 20:21:17 errors, etc) it may be disabled:
23/10/2012 20:21:17 - use '-nowf' to disable wireframing completely.
23/10/2012 20:21:17 - use '-nowcr' to disable the Copy Rectangle after the
23/10/2012 20:21:17 moved window is released in the new position.
23/10/2012 20:21:17 Also see the -help entry for tuning parameters.
23/10/2012 20:21:17 You can press 3 Alt_L's (Left "Alt" key) in a row to
23/10/2012 20:21:17 repaint the screen, also see the -fixscreen option for
23/10/2012 20:21:17 periodic repaints.
23/10/2012 20:21:17 GrabServer control via XTEST.
23/10/2012 20:21:17
23/10/2012 20:21:17 Scroll Detection: -scrollcopyrect mode is in effect to
23/10/2012 20:21:17 use RECORD extension to try to detect scrolling windows
23/10/2012 20:21:17 (induced by either user keystroke or mouse input).
23/10/2012 20:21:17 If this yields undesired behavior (poor response, painting
23/10/2012 20:21:17 errors, etc) it may be disabled via: '-noscr'
23/10/2012 20:21:17 Also see the -help entry for tuning parameters.
23/10/2012 20:21:17 You can press 3 Alt_L's (Left "Alt" key) in a row to
23/10/2012 20:21:17 repaint the screen, also see the -fixscreen option for
23/10/2012 20:21:17 periodic repaints.
23/10/2012 20:21:17
23/10/2012 20:21:17 Client Side Caching: -ncache mode is in effect to provide
23/10/2012 20:21:17 client-side pixel data caching. This speeds up
23/10/2012 20:21:17 iconifying/
23/10/2012 20:21:17 windows, and reposting menus. In the simple CopyRect
23/10/2012 20:21:17 encoding scheme used (no compression) a huge amount
23/10/2012 20:21:17 of extra memory (20-100MB) is used on both the server and
23/10/2012 20:21:17 client sides. This mode works with any VNC viewer.
23/10/2012 20:21:17 However, in most you can actually see the cached pixel
23/10/2012 20:21:17 data by scrolling down, so you need to re-adjust its size.
23/10/2012 20:21:17 See http://
23/10/2012 20:21:17 If this mode yields undesired behavior (poor response,
23/10/2012 20:21:17 painting errors, etc) it may be disabled via: '-ncache 0'
23/10/2012 20:21:17 You can press 3 Alt_L's (Left "Alt" key) in a row to
23/10/2012 20:21:17 repaint the screen, also see the -fixscreen option for
23/10/2012 20:21:17 periodic repaints.
23/10/2012 20:21:17 X FBPM extension not supported.
23/10/2012 20:21:17 X display is capable of DPMS.
23/10/2012 20:21:17 -------
23/10/2012 20:21:17
23/10/2012 20:21:18 Default visual ID: 0x21
23/10/2012 20:21:18 Read initial data from X display into framebuffer.
23/10/2012 20:21:18 initialize_screen: fb_depth/
23/10/2012 20:21:18
23/10/2012 20:21:18 X display :0 is 32bpp depth=24 true color
23/10/2012 20:21:18
23/10/2012 20:21:18 Listening for VNC connections on TCP port 5901
23/10/2012 20:21:18 rfbListenOnTCP6
23/10/2012 20:21:18 listen6: socket: Address family not supported by protocol
23/10/2012 20:21:18 (Ignore the above error if this system is IPv4-only.)
23/10/2012 20:21:18 Not listening on IPv6 interface.
23/10/2012 20:21:18
23/10/2012 20:21:18 Xinerama is present and active (e.g. multi-head).
23/10/2012 20:21:18 Xinerama: number of sub-screens: 1
23/10/2012 20:21:18 Xinerama: no blackouts needed (only one sub-screen)
23/10/2012 20:21:18
23/10/2012 20:21:18 fb read rate: 164 MB/sec
23/10/2012 20:21:18 fast read: reset -wait ms to: 10
23/10/2012 20:21:18 fast read: reset -defer ms to: 10
23/10/2012 20:21:18 The X server says there are 10 mouse buttons.
23/10/2012 20:21:18 screen setup finished.
23/10/2012 20:21:18
The VNC desktop is: localhost:1
I went ahead and marked this bug as "This bug is a security vulnerability" since it involves a buffer overflow. Just in case.
Thanks for the help,
Will
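A crash log like the one in the report above can be triaged mechanically: the glibc banner names the hardening check that fired, and the frames inside the x11vnc binary are the ones worth symbolizing. The following is an added example, not part of the bug report or of x11vnc; `triage`, `CHECKS` and `SAMPLE_LOG` are hypothetical names, and the sample is constructed from lines quoted in the report.

```python
import re

# Constructed sample: tail of the crash log quoted in the report, keeping the
# library frames truncated exactly as they appear on the page.
SAMPLE_LOG = """\
*** buffer overflow detected ***: x11vnc terminated
======= Backtrace: =========
/lib/x86_
x11vnc[0x4a3081]
x11vnc[0x465102]
x11vnc[0x410be3]
/lib/x86_
x11vnc[0x41b4d5]
======= Memory map: ========
00400000-00544000 r-xp 00000000 fc:00 132531 /usr/bin/x11vnc
caught signal: 6
"""

# glibc abort banners and the hardening feature that prints each one.
CHECKS = {"buffer overflow detected": "_FORTIFY_SOURCE",
          "stack smashing detected": "stack protector"}
BANNER = re.compile(r"^\*\*\* (.+?) \*\*\*: (\S+) terminated")
FRAME = re.compile(r"^(\S+?)(?:\([^)]*\))?\[0x([0-9a-f]+)\]$")
MAP = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) r-xp [0-9a-f]+ \S+ \d+\s+(\S+)$")

def triage(log):
    """Summarise the first glibc abort report in an x11vnc log, or return None."""
    out = None
    for line in log.splitlines():
        line = line.strip()
        if (m := BANNER.match(line)) and out is None:
            out = {"check": CHECKS.get(m[1], "unknown"), "frames": [], "text": None,
                   "program": m[2].rsplit("/", 1)[-1], "signal": None, "fixed_base": None}
        elif out is None:
            continue  # ordinary startup chatter before any abort banner
        elif (m := FRAME.match(line)) and m[1].rsplit("/", 1)[-1] == out["program"]:
            out["frames"].append(int(m[2], 16))
        elif (m := MAP.match(line)) and m[3].rsplit("/", 1)[-1] == out["program"]:
            out["text"] = (int(m[1], 16), int(m[2], 16))
        elif line.startswith("caught signal:"):
            out["signal"] = int(line.split(":")[1])
    if out and out["text"]:
        lo, hi = out["text"]
        # 0x400000 is the default x86-64 link address of a non-PIE executable,
        # so these frame addresses can be passed to addr2line unchanged.
        out["fixed_base"] = lo == 0x400000
        out["frames"] = [a for a in out["frames"] if lo <= a < hi]
    return out
```

With matching debug symbols installed, the returned frame addresses can be passed to `addr2line -f -e /usr/bin/x11vnc` to find the call that tripped the check.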
tags: | added: x11vnc |
tags: | added: buffer crash |
affects: | libvncserver (Ubuntu) → x11vnc (Ubuntu) |
Changed in x11vnc (Fedora): | |
importance: | Unknown → Undecided |
status: | Unknown → Won't Fix |
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.