x11vnc Ubuntu 12.10 - buffer overflow and not working

Bug #1070614 reported by Will
This bug affects 11 people
Affects            Status      Importance   Assigned to   Milestone
x11vnc (Fedora)    Won't Fix   Undecided
x11vnc (Ubuntu)    Confirmed   Undecided    Unassigned

Bug Description

Hi,

I just upgraded from Ubuntu 12.04 64bit to Ubuntu 12.10 64bit and now x11vnc is not working.

It keeps crashing with a buffer overflow as seen below.

It does NOT crash every time. Seems to be random.

When it does not crash x11vnc is NOT getting any connections now and it is NOT a firewall. I turned it off via ufw and still no connections are made it seems. Was fine before the upgrade to Ubuntu 12.10.

I'm starting x11vnc with the following upstart script:

# x11vnc
#
# This x11vnc server provides secure remote access (via SSH2) to the desktop.

description "x11vnc server"

start on runlevel 2

stop on runlevel [!2345]

respawn
respawn limit 10 5
umask 022

exec x11vnc -env FD_XDM=1 -auth guess -display :0 -rfbport 5901 -rfbauth /home/rob/.vnc/passwd -forever -localhost -solid black -ncache 10 -ncache_cr -ultrafilexfer -xkb -o /media/RAID/Will/x11vnc/x11vnc.log -shared -noxfixes -cursor arrow -arrow 3 -noxrecord

This has been working fine since at least Ubuntu 11.10. Again, was working fine no problem until I upgraded to Ubuntu 12.10 the other day.

rob@RobsUbuntuServer:~/Desktop$ lsb_release -rd
Description: Ubuntu 12.10
Release: 12.10

rob@RobsUbuntuServer:~/Desktop$ apt-cache policy x11vnc
x11vnc:
  Installed: 0.9.13-1ubuntu1
  Candidate: 0.9.13-1ubuntu1
  Version table:
 *** 0.9.13-1ubuntu1 0
        500 http://archive.linux.duke.edu/ubuntu/ quantal/universe amd64 Packages
        100 /var/lib/dpkg/status

I was expecting my upstart script to still work on the upgrade to Ubuntu 12.10, and I expect x11vnc to not crash on startup with a buffer overflow, and I'd expect it to continue to work and allow connections.

Please see the following log show the buffer overflow crash:

23/10/2012 19:07:00 passing arg to libvncserver: -rfbport
23/10/2012 19:07:00 passing arg to libvncserver: 5901
23/10/2012 19:07:00 passing arg to libvncserver: -rfbauth
23/10/2012 19:07:00 passing arg to libvncserver: /home/rob/.vnc/passwd
23/10/2012 19:07:00 passing arg to libvncserver: -rfbversion
23/10/2012 19:07:00 passing arg to libvncserver: 3.6
23/10/2012 19:07:00 passing arg to libvncserver: -permitfiletransfer
23/10/2012 19:07:00 x11vnc version: 0.9.13 lastmod: 2011-08-10 pid: 5658
23/10/2012 19:07:00 Using X display :0
23/10/2012 19:07:00 rootwin: 0x27d reswin: 0x3600001 dpy: 0x206b7b0
23/10/2012 19:07:00
23/10/2012 19:07:00 ------------------ USEFUL INFORMATION ------------------
23/10/2012 19:07:01 X DAMAGE available on display, using it for polling hints.
23/10/2012 19:07:01 To disable this behavior use: '-noxdamage'
23/10/2012 19:07:01
23/10/2012 19:07:01 Most compositing window managers like 'compiz' or 'beryl'
23/10/2012 19:07:01 cause X DAMAGE to fail, and so you may not see any screen
23/10/2012 19:07:01 updates via VNC. Either disable 'compiz' (recommended) or
23/10/2012 19:07:01 supply the x11vnc '-noxdamage' command line option.
23/10/2012 19:07:01
23/10/2012 19:07:01 Wireframing: -wireframe mode is in effect for window moves.
23/10/2012 19:07:01 If this yields undesired behavior (poor response, painting
23/10/2012 19:07:01 errors, etc) it may be disabled:
23/10/2012 19:07:01 - use '-nowf' to disable wireframing completely.
23/10/2012 19:07:01 - use '-nowcr' to disable the Copy Rectangle after the
23/10/2012 19:07:01 moved window is released in the new position.
23/10/2012 19:07:01 Also see the -help entry for tuning parameters.
23/10/2012 19:07:01 You can press 3 Alt_L's (Left "Alt" key) in a row to
23/10/2012 19:07:01 repaint the screen, also see the -fixscreen option for
23/10/2012 19:07:01 periodic repaints.
23/10/2012 19:07:01 GrabServer control via XTEST.
23/10/2012 19:07:01
23/10/2012 19:07:01 Scroll Detection: -scrollcopyrect mode is in effect to
23/10/2012 19:07:01 use RECORD extension to try to detect scrolling windows
23/10/2012 19:07:01 (induced by either user keystroke or mouse input).
23/10/2012 19:07:01 If this yields undesired behavior (poor response, painting
23/10/2012 19:07:01 errors, etc) it may be disabled via: '-noscr'
23/10/2012 19:07:01 Also see the -help entry for tuning parameters.
23/10/2012 19:07:01 You can press 3 Alt_L's (Left "Alt" key) in a row to
23/10/2012 19:07:01 repaint the screen, also see the -fixscreen option for
23/10/2012 19:07:01 periodic repaints.
23/10/2012 19:07:01
23/10/2012 19:07:01 Client Side Caching: -ncache mode is in effect to provide
23/10/2012 19:07:01 client-side pixel data caching. This speeds up
23/10/2012 19:07:01 iconifying/deiconifying windows, moving and raising
23/10/2012 19:07:01 windows, and reposting menus. In the simple CopyRect
23/10/2012 19:07:01 encoding scheme used (no compression) a huge amount
23/10/2012 19:07:01 of extra memory (20-100MB) is used on both the server and
23/10/2012 19:07:01 client sides. This mode works with any VNC viewer.
23/10/2012 19:07:01 However, in most you can actually see the cached pixel
23/10/2012 19:07:01 data by scrolling down, so you need to re-adjust its size.
23/10/2012 19:07:01 See http://www.karlrunge.com/x11vnc/faq.html#faq-client-caching.
23/10/2012 19:07:01 If this mode yields undesired behavior (poor response,
23/10/2012 19:07:01 painting errors, etc) it may be disabled via: '-ncache 0'
23/10/2012 19:07:01 You can press 3 Alt_L's (Left "Alt" key) in a row to
23/10/2012 19:07:01 repaint the screen, also see the -fixscreen option for
23/10/2012 19:07:01 periodic repaints.
23/10/2012 19:07:01 X FBPM extension not supported.
23/10/2012 19:07:01 X display is capable of DPMS.
23/10/2012 19:07:01 --------------------------------------------------------
23/10/2012 19:07:01
23/10/2012 19:07:01 Default visual ID: 0x21
23/10/2012 19:07:01 Read initial data from X display into framebuffer.
23/10/2012 19:07:01 initialize_screen: fb_depth/fb_bpp/fb_Bpl 24/32/5120
23/10/2012 19:07:01
23/10/2012 19:07:01 X display :0 is 32bpp depth=24 true color
23/10/2012 19:07:01
23/10/2012 19:07:01 Listening for VNC connections on TCP port 5901
23/10/2012 19:07:01 rfbListenOnTCP6Port: error in bind IPv6 socket: Address family not supported by protocol
23/10/2012 19:07:01 listen6: socket: Address family not supported by protocol
23/10/2012 19:07:01 (Ignore the above error if this system is IPv4-only.)
23/10/2012 19:07:01 Not listening on IPv6 interface.
23/10/2012 19:07:01
23/10/2012 19:07:01 Xinerama is present and active (e.g. multi-head).
23/10/2012 19:07:01 Xinerama: number of sub-screens: 1
23/10/2012 19:07:01 Xinerama: no blackouts needed (only one sub-screen)
23/10/2012 19:07:01
23/10/2012 19:07:01 fb read rate: 172 MB/sec
23/10/2012 19:07:01 fast read: reset -wait ms to: 10
23/10/2012 19:07:01 fast read: reset -defer ms to: 10
23/10/2012 19:07:01 The X server says there are 10 mouse buttons.
23/10/2012 19:07:01 screen setup finished.
23/10/2012 19:07:01

The VNC desktop is: localhost:1
*** buffer overflow detected ***: x11vnc terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f8132ffe82c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7f8132ffd700]
/lib/x86_64-linux-gnu/libc.so.6(+0x10a7be)[0x7f8132ffe7be]
/usr/lib/x86_64-linux-gnu/libvncserver.so.0(rfbProcessNewConnection+0x104)[0x7f81352e2694]
/usr/lib/x86_64-linux-gnu/libvncserver.so.0(rfbCheckFds+0x3e8)[0x7f81352e2ba8]
/usr/lib/x86_64-linux-gnu/libvncserver.so.0(rfbProcessEvents+0x1d)[0x7f81352d9fcd]
x11vnc[0x4a3081]
x11vnc[0x465102]
x11vnc[0x410be3]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f8132f1576d]
x11vnc[0x41b4d5]
======= Memory map: ========
00400000-00544000 r-xp 00000000 fc:00 132531 /usr/bin/x11vnc
00743000-00744000 r--p 00143000 fc:00 132531 /usr/bin/x11vnc
00744000-0078a000 rw-p 00144000 fc:00 132531 /usr/bin/x11vnc
0078a000-009cc000 rw-p 00000000 00:00 0
02065000-02150000 rw-p 00000000 00:00 0 [heap]
7f812c046000-7f812fc47000 rw-p 00000000 00:00 0
7f812fda9000-7f812fdbe000 r-xp 00000000 fc:00 919352 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f812fdbe000-7f812ffbd000 ---p 00015000 fc:00 919352 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f812ffbd000-7f812ffbe000 r--p 00014000 fc:00 919352 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f812ffbe000-7f812ffbf000 rw-p 00015000 fc:00 919352 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f812ffe4000-7f812ffe6000 rw-p 00000000 00:00 0
7f812ffe6000-7f813000e000 rw-s 00000000 00:04 1507374 /SYSV00000000 (deleted)
7f813000e000-7f8130035000 rw-s 00000000 00:04 1474605 /SYSV00000000 (deleted)
7f8130035000-7f813005b000 rw-s 00000000 00:04 1441836 /SYSV00000000 (deleted)
7f813005b000-7f8130080000 rw-s 00000000 00:04 1409067 /SYSV00000000 (deleted)
7f8130080000-7f81300a4000 rw-s 00000000 00:04 1376298 /SYSV00000000 (deleted)
7f81300a4000-7f81300c7000 rw-s 00000000 00:04 1343529 /SYSV00000000 (deleted)
7f81300c7000-7f81300e9000 rw-s 00000000 00:04 1310760 /SYSV00000000 (deleted)
7f81300e9000-7f813010a000 rw-s 00000000 00:04 1277991 /SYSV00000000 (deleted)
7f813010a000-7f813012a000 rw-s 00000000 00:04 1245222 /SYSV00000000 (deleted)
7f813012a000-7f8130149000 rw-s 00000000 00:04 1212453 /SYSV00000000 (deleted)
7f8130149000-7f8130649000 rw-s 00000000 00:04 196614 /SYSV00000000 (deleted)
7f8130649000-7f8130655000 r-xp 00000000 fc:00 918823 /lib/x86_64-linux-gnu/libnss_files-2.15.so
7f8130655000-7f8130854000 ---p 0000c000 fc:00 918823 /lib/x86_64-linux-gnu/libnss_files-2.15.so
7f8130854000-7f8130855000 r--p 0000b000 fc:00 918823 /lib/x86_64-linux-gnu/libnss_files-2.15.so
7f8130855000-7f8130856000 rw-p 0000c000 fc:00 918823 /lib/x86_64-linux-gnu/libnss_files-2.15.so
7f8130856000-7f8130860000 r-xp 00000000 fc:00 918628 /lib/x86_64-linux-gnu/libnss_nis-2.15.so
7f8130860000-7f8130a60000 ---p 0000a000 fc:00 918628 /lib/x86_64-linux-gnu/libnss_nis-2.15.so
7f8130a60000-7f8130a61000 r--p 0000a000 fc:00 918628 /lib/x86_64-linux-gnu/libnss_nis-2.15.so
7f8130a61000-7f8130a62000 rw-p 0000b000 fc:00 918628 /lib/x86_64-linux-gnu/libnss_nis-2.15.so
7f8130a62000-7f8130a79000 r-xp 00000000 fc:00 919655 /lib/x86_64-linux-gnu/libnsl-2.15.so
7f8130a79000-7f8130c78000 ---p 00017000 fc:00 919655 /lib/x86_64-linux-gnu/libnsl-2.15.so
7f8130c78000-7f8130c79000 r--p 00016000 fc:00 919655 /lib/x86_64-linux-gnu/libnsl-2.15.so
7f8130c79000-7f8130c7a000 rw-p 00017000 fc:00 919655 /lib/x86_64-linux-gnu/libnsl-2.15.so
7f8130c7a000-7f8130c7c000 rw-p 00000000 00:00 0
7f8130c7c000-7f8130c84000 r-xp 00000000 fc:00 918836 /lib/x86_64-linux-gnu/libnss_compat-2.15.so
7f8130c84000-7f8130e83000 ---p 00008000 fc:00 918836 /lib/x86_64-linux-gnu/libnss_compat-2.15.so
7f8130e83000-7f8130e84000 r--p 00007000 fc:00 918836 /lib/x86_64-linux-gnu/libnss_compat-2.15.so
7f8130e84000-7f8130e85000 rw-p 00008000 fc:00 918836 /lib/x86_64-linux-gnu/libnss_compat-2.15.so
7f8130e85000-7f8130e8b000 rw-p 00000000 00:00 0
7f8130e8b000-7f8130e92000 r-xp 00000000 fc:00 918526 /lib/x86_64-linux-gnu/librt-2.15.so
7f8130e92000-7f8131091000 ---p 00007000 fc:00 918526 /lib/x86_64-linux-gnu/librt-2.15.so
7f8131091000-7f8131092000 r--p 00006000 fc:00 918526 /lib/x86_64-linux-gnu/librt-2.15.so
7f8131092000-7f8131093000 rw-p 00007000 fc:00 918526 /lib/x86_64-linux-gnu/librt-2.15.so
7f8131093000-7f8131098000 r-xp 00000000 fc:00 132234 /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7f8131098000-7f8131297000 ---p 00005000 fc:00 132234 /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7f8131297000-7f8131298000 r--p 00004000 fc:00 132234 /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7f8131298000-7f8131299000 rw-p 00005000 fc:00 132234 /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7f8131299000-7f813129b000 r-xp 00000000 fc:00 132229 /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7f813129b000-7f813149b000 ---p 00002000 fc:00 132229 /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7f813149b000-7f813149c000 r--p 00002000 fc:00 132229 /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7f813149c000-7f813149d000 rw-p 00003000 fc:00 132229 /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7f813149d000-7f81314af000 r-xp 00000000 fc:00 135474 /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.0.0
7f81314af000-7f81316af000 ---p 00012000 fc:00 135474 /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.0.0
7f81316af000-7f81316b0000 r--p 00012000 fc:00 135474 /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.0.0
7f81316b0000-7f81316b1000 rw-p 00013000 fc:00 135474 /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.0.0
7f81316b1000-7f81316c0000 r-xp 00000000 fc:00 134614 /usr/lib/x86_64-linux-gnu/libtasn1.so.3.1.16
7f81316c0000-7f81318c0000 ---p 0000f000 fc:00 134614 /usr/lib/x86_64-linux-gnu/libtasn1.so.3.1.16
7f81318c0000-7f81318c1000 r--p 0000f000 fc:00 134614 /usr/lib/x86_64-linux-gnu/libtasn1.so.3.1.16
7f81318c1000-7f81318c2000 rw-p 00010000 fc:00 134614 /usr/lib/x86_64-linux-gnu/libtasn1.so.3.1.16
7f81318c2000-7f81318c5000 r-xp 00000000 fc:00 921464 /lib/x86_64-linux-gnu/libgpg-error.so.0.8.0
7f81318c5000-7f8131ac4000 ---p 00003000 fc:00 921464 /lib/x86_64-linux-gnu/libgpg-error.so.0.8.0
7f8131ac4000-7f8131ac5000 r--p 00002000 fc:00 921464 /lib/x86_64-linux-gnu/libgpg-error.so.0.8.0
7f8131ac5000-7f8131ac6000 rw-p 00003000 fc:00 921464 /lib/x86_64-linux-gnu/libgpg-error.so.0.8.0
7f8131ac6000-7f8131b09000 r-xp 00000000 fc:00 922375 /lib/x86_64-linux-gnu/libdbus-1.so.3.7.2
7f8131b09000-7f8131d08000 ---p 00043000 fc:00 922375 /lib/x86_64-linux-gnu/libdbus-1.so.3.7.2
7f8131d08000-7f8131d09000 r--p 00042000 fc:00 922375 /lib/x86_64-linux-gnu/libdbus-1.so.3.7.2
7f8131d09000-7f8131d0a000 rw-p 00043000 fc:00 922375 /lib/x86_64-linux-gnu/libdbus-1.so.3.7.2
7f8131d0a000-7f8131d27000 r-xp 00000000 fc:00 131842 /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7f8131d27000-7f8131f26000 ---p 0001d000 fc:00 131842 /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7f8131f26000-7f8131f27000 r--p 0001c000 fc:00 131842 /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7f8131f27000-7f8131f28000 rw-p 0001d000 fc:00 131842 /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7f8131f28000-7f8131f31000 r-xp 00000000 fc:00 131602 /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0
7f8131f31000-7f8132130000 ---p 00009000 fc:00 131602 /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0
7f8132130000-7f8132131000 r--p 00008000 fc:00 131602 /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0
7f8132131000-7f8132132000 rw-p 00009000 fc:00 131602 /usr/lib/x86_64-linux-gnu/libXrender.so.1.3.0
7f8132132000-7f8132134000 r-xp 00000000 fc:00 917981 /lib/x86_64-linux-gnu/libdl-2.15.so
7f8132134000-7f8132334000 ---p 00002000 fc:00 917981 /lib/x86_64-linux-gnu/libdl-2.15.so
7f8132334000-7f8132335000 r--p 00002000 fc:00 917981 /lib/x86_64-linux-gnu/libdl-2.15.so
7f8132335000-7f8132336000 rw-p 00003000 fc:00 917981 /lib/x86_64-linux-gnu/libdl-2.15.so
7f8132336000-7f81323ea000 r-xp 00000000 fc:00 132735 /usr/lib/x86_64-linux-gnu/libgnutls.so.26.21.8
7f81323ea000-7f81325ea000 ---p 000b4000 fc:00 132735 /usr/lib/x86_64-linux-gnu/libgnutls.so.26.21.8
7f81325ea000-7f81325f0000 r--p 000b4000 fc:00 132735 /usr/lib/x86_64-linux-gnu/libgnutls.so.26.21.8
7f81325f0000-7f81325f1000 rw-p 000ba000 fc:00 132735 /usr/lib/x86_64-linux-gnu/libgnutls.so.26.21.8
7f81325f1000-7f81325f2000 rw-p 00000000 00:00 0
7f81325f2000-7f813266c000 r-xp 00000000 fc:00 920791 /lib/x86_64-linux-gnu/libgcrypt.so.11.7.0
7f813266c000-7f813286c000 ---p 0007a000 fc:00 920791 /lib/x86_64-linux-gnu/libgcrypt.so.11.7.0
7f813286c000-7f813286d000 r--p 0007a000 fc:00 920791 /lib/x86_64-linux-gnu/libgcrypt.so.11.7.0
7f813286d000-7f8132870000 rw-p 0007b000 fc:00 920791 /lib/x86_64-linux-gnu/libgcrypt.so.11.7.0
7f8132870000-7f8132888000 r-xp 00000000 fc:00 918622 /lib/x86_64-linux-gnu/libresolv-2.15.so
7f8132888000-7f8132a88000 ---p 00018000 fc:00 918622 /lib/x86_64-linux-gnu/libresolv-2.15.so
7f8132a88000-7f8132a89000 r--p 00018000 fc:00 918622 /lib/x86_64-linux-gnu/libresolv-2.15.so
7f8132a89000-7f8132a8a000 rw-p 00019000 fc:00 918622 /lib/x86_64-linux-gnu/libresolv-2.15.so
7f8132a8a000-7f8132a8c000 rw-p 00000000 00:00 0
7f8132a8c000-7f8132acb000 r-xp 00000000 fc:00 132847 /usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
7f8132acb000-7f8132ccb000 ---p 0003f000 fc:00 132847 /usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
7f8132ccb000-7f8132ccc000 r--p 0003f000 fc:00 132847 /usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
7f8132ccc000-7f8132ccd000 rw-p 00040000 fc:00 132847 /usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
7f8132ccd000-7f8132cdd000 rw-p 00000000 00:00 0
7f8132cdd000-7f8132cf3000 r-xp 00000000 fc:00 939148 /lib/x86_64-linux-gnu/libz.so.1.2.7
7f8132cf3000-7f8132ef2000 ---p 00016000 fc:00 939148 /lib/x86_64-linux-gnu/libz.so.1.2.7
7f8132ef2000-7f8132ef3000 r--p 00015000 fc:00 939148 /lib/x86_64-linux-gnu/libz.so.1.2.7
7f8132ef3000-7f8132ef4000 rw-p 00016000 fc:00 939148 /lib/x86_64-linux-gnu/libz.so.1.2.7
7f8132ef4000-7f81330a9000 r-xp 00000000 fc:00 918008 /lib/x86_64-linux-gnu/libc-2.15.so
7f81330a9000-7f81332a8000 ---p 001b5000 fc:00 918008 /lib/x86_64-linux-gnu/libc-2.15.so
7f81332a8000-7f81332ac000 r--p 001b4000 fc:00 918008 /lib/x86_64-linux-gnu/libc-2.15.so
7f81332ac000-7f81332ae000 rw-p 001b8000 fc:00 918008 /lib/x86_64-linux-gnu/libc-2.15.so
7f81332ae000-7f81332b3000 rw-p 00000000 00:00 0
7f81332b3000-7f81332c2000 r-xp 00000000 fc:00 133394 /usr/lib/x86_64-linux-gnu/libavahi-client.so.3.2.9
7f81332c2000-7f81334c2000 ---p 0000f000 fc:00 133394 /usr/lib/x86_64-linux-gnu/libavahi-client.so.3.2.9
7f81334c2000-7f81334c3000 r--p 0000f000 fc:00 133394 /usr/lib/x86_64-linux-gnu/libavahi-client.so.3.2.9
7f81334c3000-7f81334c4000 rw-p 00010000 fc:00 133394 /usr/lib/x86_64-linux-gnu/libavahi-client.so.3.2.9
7f81334c4000-7f81334cf000 r-xp 00000000 fc:00 133395 /usr/lib/x86_64-linux-gnu/libavahi-common.so.3.5.3
7f81334cf000-7f81336ce000 ---p 0000b000 fc:00 133395 /usr/lib/x86_64-linux-gnu/libavahi-common.so.3.5.3
7f81336ce000-7f81336cf000 r--p 0000a000 fc:00 133395 /usr/lib/x86_64-linux-gnu/libavahi-common.so.3.5.3
7f81336cf000-7f81336d0000 rw-p 0000b000 fc:00 133395 /usr/lib/x86_64-linux-gnu/libavahi-common.so.3.5.3
7f81336d0000-7f8133804000 r-xp 00000000 fc:00 137798 /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7f8133804000-7f8133a04000 ---p 00134000 fc:00 137798 /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7f8133a04000-7f8133a05000 r--p 00134000 fc:00 137798 /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7f8133a05000-7f8133a0a000 rw-p 00135000 fc:00 137798 /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7f8133a0a000-7f8133a0c000 r-xp 00000000 fc:00 139746 /usr/lib/x86_64-linux-gnu/libXdamage.so.1.1.0
7f8133a0c000-7f8133c0b000 ---p 00002000 fc:00 139746 /usr/lib/x86_64-linux-gnu/libXdamage.so.1.1.0
7f8133c0b000-7f8133c0c000 r--p 00001000 fc:00 139746 /usr/lib/x86_64-linux-gnu/libXdamage.so.1.1.0
7f8133c0c000-7f8133c0d000 rw-p 00002000 fc:00 139746 /usr/lib/x86_64-linux-gnu/libXdamage.so.1.1.0
7f8133c0d000-7f8133c12000 r-xp 00000000 fc:00 134492 /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0
7f8133c12000-7f8133e11000 ---p 00005000 fc:00 134492 /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0
7f8133e11000-7f8133e12000 r--p 00004000 fc:00 134492 /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0
7f8133e12000-7f8133e13000 rw-p 00005000 fc:00 134492 /usr/lib/x86_64-linux-gnu/libXfixes.so.3.1.0
7f8133e13000-7f8133e1c000 r-xp 00000000 fc:00 141707 /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0
7f8133e1c000-7f813401b000 ---p 00009000 fc:00 141707 /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0
7f813401b000-7f813401c000 r--p 00008000 fc:00 141707 /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0
7f813401c000-7f813401d000 rw-p 00009000 fc:00 141707 /usr/lib/x86_64-linux-gnu/libXrandr.so.2.2.0
7f813401d000-7f813401f000 r-xp 00000000 fc:00 136834 /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7f813401f000-7f813421e000 ---p 00002000 fc:00 136834 /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7f813421e000-7f813421f000 r--p 00001000 fc:00 136834 /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7f813421f000-7f8134220000 rw-p 00002000 fc:00 136834 /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7f8134220000-7f8134230000 r-xp 00000000 fc:00 131237 /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7f8134230000-7f8134430000 ---p 00010000 fc:00 131237 /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7f8134430000-7f8134431000 r--p 00010000 fc:00 131237 /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7f8134431000-7f8134432000 rw-p 00011000 fc:00 131237 /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7f8134432000-7f8134437000 r-xp 00000000 fc:00 137148 /usr/lib/x86_64-linux-gnu/libXtst.so.6.1.0
7f8134437000-7f8134636000 ---p 00005000 fc:00 137148 /usr/lib/x86_64-linux-gnu/libXtst.so.6.1.0
7f8134636000-7f8134637000 r--p 00004000 fc:00 137148 /usr/lib/x86_64-linux-gnu/libXtst.so.6.1.0
7f8134637000-7f8134638000 rw-p 00005000 fc:00 137148 /usr/lib/x86_64-linux-gnu/libXtst.so.6.1.0
7f8134638000-7f8134641000 r-xp 00000000 fc:00 918676 /lib/x86_64-linux-gnu/libcrypt-2.15.so
7f8134641000-7f8134841000 ---p 00009000 fc:00 918676 /lib/x86_64-linux-gnu/libcrypt-2.15.so
7f8134841000-7f8134842000 r--p 00009000 fc:00 918676 /lib/x86_64-linux-gnu/libcrypt-2.15.so
7f8134842000-7f8134843000 rw-p 0000a000 fc:00 918676 /lib/x86_64-linux-gnu/libcrypt-2.15.so
7f8134843000-7f8134871000 rw-p 00000000 00:00 0
7f8134871000-7f8134a0f000 r-xp 00000000 fc:00 919830 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f8134a0f000-7f8134c0e000 ---p 0019e000 fc:00 919830 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f8134c0e000-7f8134c29000 r--p 0019d000 fc:00 919830 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f8134c29000-7f8134c34000 rw-p 001b8000 fc:00 919830 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f8134c34000-7f8134c38000 rw-p 00000000 00:00 0
7f8134c38000-7f8134c8a000 r-xp 00000000 fc:00 919819 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f8134c8a000-7f8134e8a000 ---p 00052000 fc:00 919819 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f8134e8a000-7f8134e8d000 r--p 00052000 fc:00 919819 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f8134e8d000-7f8134e93000 rw-p 00055000 fc:00 919819 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f8134e93000-7f8134e94000 rw-p 00000000 00:00 0
7f8134e94000-7f8134eac000 r-xp 00000000 fc:00 918314 /lib/x86_64-linux-gnu/libpthread-2.15.so
7f8134eac000-7f81350ab000 ---p 00018000 fc:00 918314 /lib/x86_64-linux-gnu/libpthread-2.15.so
7f81350ab000-7f81350ac000 r--p 00017000 fc:00 918314 /lib/x86_64-linux-gnu/libpthread-2.15.so
7f81350ac000-7f81350ad000 rw-p 00018000 fc:00 918314 /lib/x86_64-linux-gnu/libpthread-2.15.so
7f81350ad000-7f81350b1000 rw-p 00000000 00:00 0
7f81350b1000-7f81350ce000 r-xp 00000000 fc:00 141191 /usr/lib/x86_64-linux-gnu/libvncclient.so.0.0.0
7f81350ce000-7f81352cd000 ---p 0001d000 fc:00 141191 /usr/lib/x86_64-linux-gnu/libvncclient.so.0.0.0
7f81352cd000-7f81352ce000 r--p 0001c000 fc:00 141191 /usr/lib/x86_64-linux-gnu/libvncclient.so.0.0.0
7f81352ce000-7f81352cf000 rw-p 0001d000 fc:00 141191 /usr/lib/x86_64-linux-gnu/libvncclient.so.0.0.0
7f81352cf000-7f8135317000 r-xp 00000000 fc:00 137646 /usr/lib/x86_64-linux-gnu/libvncserver.so.0.0.0
7f8135317000-7f8135516000 ---p 00048000 fc:00 137646 /usr/lib/x86_64-linux-gnu/libvncserver.so.0.0.0
7f8135516000-7f8135517000 r--p 00047000 fc:00 137646 /usr/lib/x86_64-linux-gnu/libvncserver.so.0.0.0
7f8135517000-7f8135518000 rw-p 00048000 fc:00 137646 /usr/lib/x86_64-linux-gnu/libvncserver.so.0.0.0
7f8135518000-7f813552d000 rw-p 00000000 00:00 0
7f813552d000-7f813554f000 r-xp 00000000 fc:00 919135 /lib/x86_64-linux-gnu/ld-2.15.so
7f8135568000-7f8135586000 rw-s 00000000 00:04 1179684 /SYSV00000000 (deleted)
7f8135586000-7f81355a3000 rw-s 00000000 00:04 1146915 /SYSV00000000 (deleted)
7f81355a3000-7f81355bf000 rw-s 00000000 00:04 1114146 /SYSV00000000 (deleted)
7f81355bf000-7f81355da000 rw-s 00000000 00:04 1081377 /SYSV00000000 (deleted)
7f81355da000-7f81355f4000 rw-s 00000000 00:04 1048608 /SYSV00000000 (deleted)
7f81355f4000-7f813560d000 rw-s 00000000 00:04 1015839 /SYSV00000000 (deleted)
7f813560d000-7f8135625000 rw-s 00000000 00:04 983070 /SYSV00000000 (deleted)
7f8135625000-7f813563c000 rw-s 00000000 00:04 950301 /SYSV00000000 (deleted)
7f813563c000-7f8135652000 rw-s 00000000 00:04 917532 /SYSV00000000 (deleted)
7f8135652000-7f8135667000 rw-s 00000000 00:04 884763 /SYSV00000000 (deleted)
7f8135667000-7f813567b000 rw-s 00000000 00:04 851994 /SYSV00000000 (deleted)
7f813567b000-7f813568e000 rw-s 00000000 00:04 819225 /SYSV00000000 (deleted)
7f813568e000-7f81356a0000 rw-s 00000000 00:04 786456 /SYSV00000000 (deleted)
7f81356a0000-7f81356b1000 rw-s 00000000 00:04 753687 /SYSV00000000 (deleted)
7f81356b1000-7f81356c1000 rw-s 00000000 00:04 720918 /SYSV00000000 (deleted)
7f81356c1000-7f81356d0000 rw-s 00000000 00:04 688149 /SYSV00000000 (deleted)
7f81356d0000-7f81356de000 rw-s 00000000 00:04 655380 /SYSV00000000 (deleted)
7f81356de000-7f81356eb000 rw-s 00000000 00:04 622611 /SYSV00000000 (deleted)
7f81356eb000-7f81356f7000 rw-s 00000000 00:04 589842 /SYSV00000000 (deleted)
7f81356f7000-7f8135702000 rw-s 00000000 00:04 557073 /SYSV00000000 (deleted)
7f8135702000-7f813570c000 rw-s 00000000 00:04 524304 /SYSV00000000 (deleted)
7f813570c000-7f8135715000 rw-s 00000000 00:04 491535 /SYSV00000000 (deleted)
7f8135715000-7f813571d000 rw-s 00000000 00:04 458766 /SYSV00000000 (deleted)
7f813571d000-7f8135728000 rw-p 00000000 00:00 0
7f813572f000-7f8135736000 rw-s 00000000 00:04 425997 /SYSV00000000 (deleted)
7f8135736000-7f813573c000 rw-s 00000000 00:04 393228 /SYSV00000000 (deleted)
7f813573c000-7f8135741000 rw-s 00000000 00:04 360459 /SYSV00000000 (deleted)
7f8135741000-7f8135745000 rw-s 00000000 00:04 327690 /SYSV00000000 (deleted)
7f8135745000-7f8135748000 rw-s 00000000 00:04 294921 /SYSV00000000 (deleted)
7f8135748000-7f813574a000 rw-s 00000000 00:04 262152 /SYSV00000000 (deleted)
7f813574a000-7f813574b000 rw-s 00000000 00:04 229383 /SYSV00000000 (deleted)
7f813574b000-7f813574d000 rw-s 00000000 00:04 163845 /SYSV00000000 (deleted)
7f813574d000-7f813574f000 rw-p 00000000 00:00 0
7f813574f000-7f8135750000 r--p 00022000 fc:00 919135 /lib/x86_64-linux-gnu/ld-2.15.so
7f8135750000-7f8135752000 rw-p 00023000 fc:00 919135 /lib/x86_64-linux-gnu/ld-2.15.so
7fff84c6b000-7fff84c8c000 rw-p 00000000 00:00 0 [stack]
7fff84d49000-7fff84d4a000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
caught signal: 6
23/10/2012 19:40:30 deleted 40 tile_row polling images.

Also, here is my log file showing x11vnc when it does manage to start up correctly without crashing.

As you can see, all is as expected. And yet zero connections are being made. I attempt to connect to port 5901 and simply can't. Again, was fine before the upgrade to Ubuntu 12.10.

Here is the log of x11vnc when starting correctly:

23/10/2012 20:21:16 passing arg to libvncserver: -rfbport
23/10/2012 20:21:16 passing arg to libvncserver: 5901
23/10/2012 20:21:16 passing arg to libvncserver: -rfbauth
23/10/2012 20:21:16 passing arg to libvncserver: /home/rob/.vnc/passwd
23/10/2012 20:21:16 passing arg to libvncserver: -rfbversion
23/10/2012 20:21:16 passing arg to libvncserver: 3.6
23/10/2012 20:21:16 passing arg to libvncserver: -permitfiletransfer
23/10/2012 20:21:17 x11vnc version: 0.9.13 lastmod: 2011-08-10 pid: 23440
23/10/2012 20:21:17 -auth guess: using 'XAUTHORITY=/var/run/lightdm/root/:0' for disp=':0'
23/10/2012 20:21:17 Using X display :0
23/10/2012 20:21:17 rootwin: 0x27d reswin: 0x5400001 dpy: 0xcac7e0
23/10/2012 20:21:17
23/10/2012 20:21:17 ------------------ USEFUL INFORMATION ------------------
23/10/2012 20:21:17 X DAMAGE available on display, using it for polling hints.
23/10/2012 20:21:17 To disable this behavior use: '-noxdamage'
23/10/2012 20:21:17
23/10/2012 20:21:17 Most compositing window managers like 'compiz' or 'beryl'
23/10/2012 20:21:17 cause X DAMAGE to fail, and so you may not see any screen
23/10/2012 20:21:17 updates via VNC. Either disable 'compiz' (recommended) or
23/10/2012 20:21:17 supply the x11vnc '-noxdamage' command line option.
23/10/2012 20:21:17
23/10/2012 20:21:17 Wireframing: -wireframe mode is in effect for window moves.
23/10/2012 20:21:17 If this yields undesired behavior (poor response, painting
23/10/2012 20:21:17 errors, etc) it may be disabled:
23/10/2012 20:21:17 - use '-nowf' to disable wireframing completely.
23/10/2012 20:21:17 - use '-nowcr' to disable the Copy Rectangle after the
23/10/2012 20:21:17 moved window is released in the new position.
23/10/2012 20:21:17 Also see the -help entry for tuning parameters.
23/10/2012 20:21:17 You can press 3 Alt_L's (Left "Alt" key) in a row to
23/10/2012 20:21:17 repaint the screen, also see the -fixscreen option for
23/10/2012 20:21:17 periodic repaints.
23/10/2012 20:21:17 GrabServer control via XTEST.
23/10/2012 20:21:17
23/10/2012 20:21:17 Scroll Detection: -scrollcopyrect mode is in effect to
23/10/2012 20:21:17 use RECORD extension to try to detect scrolling windows
23/10/2012 20:21:17 (induced by either user keystroke or mouse input).
23/10/2012 20:21:17 If this yields undesired behavior (poor response, painting
23/10/2012 20:21:17 errors, etc) it may be disabled via: '-noscr'
23/10/2012 20:21:17 Also see the -help entry for tuning parameters.
23/10/2012 20:21:17 You can press 3 Alt_L's (Left "Alt" key) in a row to
23/10/2012 20:21:17 repaint the screen, also see the -fixscreen option for
23/10/2012 20:21:17 periodic repaints.
23/10/2012 20:21:17
23/10/2012 20:21:17 Client Side Caching: -ncache mode is in effect to provide
23/10/2012 20:21:17 client-side pixel data caching. This speeds up
23/10/2012 20:21:17 iconifying/deiconifying windows, moving and raising
23/10/2012 20:21:17 windows, and reposting menus. In the simple CopyRect
23/10/2012 20:21:17 encoding scheme used (no compression) a huge amount
23/10/2012 20:21:17 of extra memory (20-100MB) is used on both the server and
23/10/2012 20:21:17 client sides. This mode works with any VNC viewer.
23/10/2012 20:21:17 However, in most you can actually see the cached pixel
23/10/2012 20:21:17 data by scrolling down, so you need to re-adjust its size.
23/10/2012 20:21:17 See http://www.karlrunge.com/x11vnc/faq.html#faq-client-caching.
23/10/2012 20:21:17 If this mode yields undesired behavior (poor response,
23/10/2012 20:21:17 painting errors, etc) it may be disabled via: '-ncache 0'
23/10/2012 20:21:17 You can press 3 Alt_L's (Left "Alt" key) in a row to
23/10/2012 20:21:17 repaint the screen, also see the -fixscreen option for
23/10/2012 20:21:17 periodic repaints.
23/10/2012 20:21:17 X FBPM extension not supported.
23/10/2012 20:21:17 X display is capable of DPMS.
23/10/2012 20:21:17 --------------------------------------------------------
23/10/2012 20:21:17
23/10/2012 20:21:18 Default visual ID: 0x21
23/10/2012 20:21:18 Read initial data from X display into framebuffer.
23/10/2012 20:21:18 initialize_screen: fb_depth/fb_bpp/fb_Bpl 24/32/5120
23/10/2012 20:21:18
23/10/2012 20:21:18 X display :0 is 32bpp depth=24 true color
23/10/2012 20:21:18
23/10/2012 20:21:18 Listening for VNC connections on TCP port 5901
23/10/2012 20:21:18 rfbListenOnTCP6Port: error in bind IPv6 socket: Address family not supported by protocol
23/10/2012 20:21:18 listen6: socket: Address family not supported by protocol
23/10/2012 20:21:18 (Ignore the above error if this system is IPv4-only.)
23/10/2012 20:21:18 Not listening on IPv6 interface.
23/10/2012 20:21:18
23/10/2012 20:21:18 Xinerama is present and active (e.g. multi-head).
23/10/2012 20:21:18 Xinerama: number of sub-screens: 1
23/10/2012 20:21:18 Xinerama: no blackouts needed (only one sub-screen)
23/10/2012 20:21:18
23/10/2012 20:21:18 fb read rate: 164 MB/sec
23/10/2012 20:21:18 fast read: reset -wait ms to: 10
23/10/2012 20:21:18 fast read: reset -defer ms to: 10
23/10/2012 20:21:18 The X server says there are 10 mouse buttons.
23/10/2012 20:21:18 screen setup finished.
23/10/2012 20:21:18

The VNC desktop is: localhost:1

I went ahead and marked this bug as "This bug is a security vulnerability" since it involves a buffer overflow. Just in case.

Thanks for the help,

Will

Will (war59312)
tags: added: x11vnc
tags: added: buffer crash
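Added triage helper, not part of the report, of x11vnc or of libvncserver: the `__fortify_fail` frame at the top of the backtrace above is glibc's _FORTIFY_SOURCE check firing after a write past a buffer whose size the compiler knew, and glibc then aborts the process, which is the "caught signal: 6" (SIGABRT) at the end of the log. The frames under `__fortify_fail` are the checker itself, so the frame a maintainer wants is the first one outside libc. The script below parses that trace format (assumed from how it appears in this log), picks out that frame and reports the signal name; its sample input is copied from the crash log above.

```python
"""Summarize a glibc "*** buffer overflow detected ***" trace from a service log.

Added helper (not x11vnc or libvncserver code). The trace layout it parses is
assumed from the glibc FORTIFY abort output shown in the bug report above.
"""
import re
import signal
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the crash log in the report, trimmed.
SAMPLE_LOG = """\
The VNC desktop is: localhost:1
*** buffer overflow detected ***: x11vnc terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f8132ffe82c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7f8132ffd700]
/lib/x86_64-linux-gnu/libc.so.6(+0x10a7be)[0x7f8132ffe7be]
/usr/lib/x86_64-linux-gnu/libvncserver.so.0(rfbProcessNewConnection+0x104)[0x7f81352e2694]
/usr/lib/x86_64-linux-gnu/libvncserver.so.0(rfbCheckFds+0x3e8)[0x7f81352e2ba8]
/usr/lib/x86_64-linux-gnu/libvncserver.so.0(rfbProcessEvents+0x1d)[0x7f81352d9fcd]
x11vnc[0x4a3081]
x11vnc[0x465102]
x11vnc[0x410be3]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f8132f1576d]
x11vnc[0x41b4d5]
======= Memory map: ========
00400000-00544000 r-xp 00000000 fc:00 132531 /usr/bin/x11vnc
caught signal: 6
"""

ABORT_RE = re.compile(r"^\*\*\* (?P<kind>.+?) \*\*\*: (?P<prog>\S+) terminated$")
# object(symbol+0xoff)[0xaddr]; the (symbol+off) part is absent for stripped frames.
FRAME_RE = re.compile(
    r"^(?P<obj>\S+?)(?:\((?P<sym>[^+)]*)(?:\+0x(?P<off>[0-9a-f]+))?\))?\[0x(?P<addr>[0-9a-f]+)\]$"
)
SIGNAL_RE = re.compile(r"^caught signal: (?P<num>\d+)$")


@dataclass
class Frame:
    obj: str               # executable or shared object the frame lives in
    sym: Optional[str]     # exported symbol, if one could be resolved
    offset: Optional[int]  # byte offset from that symbol
    addr: int              # absolute return address


@dataclass
class FortifyTrace:
    kind: str              # e.g. "buffer overflow detected"
    program: str           # process name glibc printed
    frames: List[Frame]
    signum: Optional[int]  # signal the process then died with, if logged


def parse_fortify_trace(log_text: str) -> Optional[FortifyTrace]:
    """Return the first FORTIFY abort trace in log_text, or None if there is none."""
    lines = iter(log_text.splitlines())
    for line in lines:
        m = ABORT_RE.match(line.strip())
        if m:
            break
    else:
        return None
    trace = FortifyTrace(kind=m["kind"], program=m["prog"], frames=[], signum=None)
    in_backtrace = False
    for line in lines:  # continues after the abort line
        line = line.strip()
        if line.startswith("======= Backtrace:"):
            in_backtrace = True
            continue
        if line.startswith("======= Memory map:"):
            in_backtrace = False  # map lines are not frames; keep looking for the signal
            continue
        if in_backtrace:
            f = FRAME_RE.match(line)
            if f:
                trace.frames.append(Frame(obj=f["obj"], sym=f["sym"] or None,
                                          offset=int(f["off"], 16) if f["off"] else None,
                                          addr=int(f["addr"], 16)))
            continue
        s = SIGNAL_RE.match(line)
        if s:
            trace.signum = int(s["num"])
            break
    return trace


def blamed_frame(trace: FortifyTrace) -> Optional[Frame]:
    """First frame outside libc: __fortify_fail and its unnamed libc callers are
    the checker, so the code that tripped it is the first non-libc frame."""
    for frame in trace.frames:
        if not re.search(r"/libc[.-]", frame.obj):  # libc.so.6 / libc-2.15.so only
            return frame
    return None


def summarize(log_text: str) -> Optional[str]:
    """One-line triage summary, or None when the log holds no FORTIFY trace."""
    trace = parse_fortify_trace(log_text)
    if trace is None:
        return None
    culprit = blamed_frame(trace)
    where = "unknown frame"
    if culprit is not None:
        where = f"{culprit.sym or '<no symbol>'}+0x{culprit.offset or 0:x} in {culprit.obj.rsplit('/', 1)[-1]}"
    sig = signal.Signals(trace.signum).name if trace.signum is not None else "no signal logged"
    return f"{trace.kind} in {trace.program}: {where} ({sig})"


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against the first log in this report it reports the culprit as `rfbProcessNewConnection+0x104 in libvncserver.so.0` with SIGABRT, which is the frame worth quoting when the bug is forwarded to the libvncserver package rather than x11vnc itself. Note that a FORTIFY abort is a detected overflow, not proof of exploitability; what it does tell you is that the overflow was stopped before the write completed.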
Revision history for this message
Marc Deslauriers (mdeslaur) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Private Security → Public
Revision history for this message
dieth (gavin-r-barnard) wrote :

This setup previously worked for generating up to 5 separate X/x11vnc sessions on Ubuntu 12.04; I recently moved to 12.10.

Currently only the first connected-to instance can be maintained; I get the following buffer overflow as soon as I connect to the 2nd or later VNCs.

gavin@gavin-desktop:~/multiseat$ ./multiseat.php -s2
Launched X :2 -sharevts -nolisten tcp -br -audit 0 -config openseats/2.conf
Launched x11vnc -rfbport 5902 -forever -display :2
Launched xfce4-session
*** buffer overflow detected ***: x11vnc terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fd7859ff82c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fd7859fe700]
/lib/x86_64-linux-gnu/libc.so.6(+0x10a7be)[0x7fd7859ff7be]
/usr/lib/x86_64-linux-gnu/libvncserver.so.0(rfbProcessNewConnection+0x104)[0x7fd787ce3694]
/usr/lib/x86_64-linux-gnu/libvncserver.so.0(rfbCheckFds+0x3e8)[0x7fd787ce3ba8]
/usr/lib/x86_64-linux-gnu/libvncserver.so.0(rfbProcessEvents+0x1d)[0x7fd787cdafcd]
x11vnc[0x4a3081]
x11vnc[0x465102]
x11vnc[0x410be3]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fd78591676d]
x11vnc[0x41b4d5]
======= Memory map: ========

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libvncserver (Ubuntu):
status: New → Confirmed
Revision history for this message
W. S. Lob (wistlo) wrote :

I suffered a similar buffer overflow error on Ubuntu 12.10 with x11vnc 0.9.13 on an x86 32 bit installation upgraded from 12.04 to 12.10.

This error did *not* occur on an AMD 64 bit 12.10 upgrade (also from 12.04).

I get the error consistently on the x86 32 bit machine when trying to use the -reflect switch, i.e.

sudo x11vnc -forever -shared -noxdamage -reflect 192.168.30.115 -autoport 5915 -nopw
06/11/2012 17:19:31 x11vnc version: 0.9.13 lastmod: 2011-08-10 pid: 26765
06/11/2012 17:19:31 Not opening DISPLAY in -rawfb mode (force via -rawfb +str)
06/11/2012 17:19:31 Continuing without X display in -rawfb mode.
06/11/2012 17:19:31 rfbGetClient(bitsPerSample=8, samplesPerPixel=3, bytesPerPixel=4)
06/11/2012 17:19:31 rawfb: vnc:192.168.30.115
06/11/2012 17:19:31 VNC server supports protocol version 3.8 (viewer 3.8)
06/11/2012 17:19:31 We have 2 security types to read
06/11/2012 17:19:31 0) Received security type 2
06/11/2012 17:19:31 Selecting security type 2 (0/2 in the list)
06/11/2012 17:19:31 1) Received security type 16
06/11/2012 17:19:31 Selected Security Scheme 2
Password: 06/11/2012 17:19:36 VNC authentication succeeded
06/11/2012 17:19:37 Desktop name "d4z8jqg1"
06/11/2012 17:19:37 Connected to VNC server, using protocol version 3.8
06/11/2012 17:19:37 VNC server default format:
06/11/2012 17:19:37 16 bits per pixel.
06/11/2012 17:19:37 Least significant byte first in each pixel.
06/11/2012 17:19:37 TRUE colour: max red 31 green 63 blue 31, shift red 11 green 5 blue 0
06/11/2012 17:19:37 vnc_reflect_resize: 2960x1050x32 first=1
06/11/2012 17:19:37
06/11/2012 17:19:37 vnc_reflector set rawfb str to: map:/dev/null@2960x1050x32:0xff/0xff00/0xff0000
06/11/2012 17:19:37 raw fb is non-regular file: /dev/null
06/11/2012 17:19:37 rawfb: vnc fb: /dev/null
06/11/2012 17:19:37 w: 2960 h: 1050 b: 32 addr: 0xb61fc008 sz: 12432000
06/11/2012 17:19:37 initialize_screen: fb_depth/fb_bpp/fb_Bpl 24/32/11840
06/11/2012 17:19:37
06/11/2012 17:19:37 Raw fb at addr 0xb61fc008 is 32bpp depth=24 true color
06/11/2012 17:19:37
06/11/2012 17:19:37 Listening for VNC connections on TCP port 5915
06/11/2012 17:19:37 rfbListenOnTCP6Port: error in bind IPv6 socket: Address already in use
06/11/2012 17:19:37 Listening also on IPv6 port 5915 (socket 6)
06/11/2012 17:19:37 fb read rate: 222 MB/sec
06/11/2012 17:19:37 fast read: reset -wait ms to: 10
06/11/2012 17:19:37 fast read: reset -defer ms to: 10
06/11/2012 17:19:37 screen setup finished.
06/11/2012 17:19:37

The VNC desktop is: gateway:15
PORT=5915

[Connection from VNC client happens here, fails immediately]

*** buffer overflow detected ***: x11vnc terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x65)[0xb71c5065]
/lib/i386-linux-gnu/libc.so.6(+0x102e1a)[0xb71c3e1a]
/lib/i386-linux-gnu/libc.so.6(+0x103fda)[0xb71c4fda]
/usr/lib/i386-linux-gnu/libvncserver.so.0(rfbProcessNewConnection+0x123)[0xb76760d3]
/usr/lib/i386-linux-gnu/libvncserver.so.0(rfbCheckFds+0x390)[0xb76765e0]
/usr/lib/i386-linux-gnu/libvncserver.so.0(rfbProcessEvents+0x2e)[0xb766cd6e]
x11vnc[0x80f2a39]
x11vnc[0x80b1cef]
x11vnc[0x8056453]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+...

Revision history for this message
Andrey (waster2008) wrote :

Have the same bug for two X screens.

affects: libvncserver (Ubuntu) → x11vnc (Ubuntu)
Revision history for this message
Alex Plattfuss (loco88) wrote :

I get the same bug, cannot connect to any instances.

Revision history for this message
Will (war59312) wrote :

OK make sure you are NOT using:

ipv6.disable=1

If that is enabled via grub config then x11vnc will fail to connect.

I removed that, rebuilt grub, and rebooted and now x11vnc is still crashing sometimes but after restarting x11vnc, it now works again. :)

Also appears you need to be using a kernel >= 3.5.0-23 or else x11vnc crashes every single time still. Tested with 3.5.0-17 through 3.5.0-23.

I have only tested this on Ubuntu 12.10 Server x64 and only on 1 server.

Can anyone confirm?

Same behavior and workaround working?

Revision history for this message
Masiosare (luis-zaldivar) wrote :

Confirmed on:

$ uname -a
Linux localhost.localdomain 3.5.7 #1 PREEMPT Sun Nov 4 08:37:32 CST 2012 armv7l armv7l armv7l GNU/Linux

Package: x11vnc
Version: 0.9.13-1ubuntu1

Crash happens with -noipv6 or without it.

Revision history for this message
Ronald (ronald645) wrote :

I accidentally opened a duplicate bug report #1175098. I'm having the same issue too. My kernel does not contain ipv6 at all. Is this project dead? That would be really sad; it was a really nice piece of software.

Revision history for this message
Diego Carrera Gallego (diegocarrera2000) wrote :

I got the same bug on:

$ uname -a
Linux cubieboard 3.4.24-a10-aufs+ #33 PREEMPT Sun Feb 24 21:17:26 CET 2013 armv7l armv7l armv7l GNU/Linux

package: x11vnc
version: 0.9.13-1ubuntu1

Revision history for this message
In , Frantisek (frantisek-redhat-bugs) wrote :

Description of problem:
I start x11vnc by command
/usr/bin/x11vnc -ncache 10 -auth /var/run/lightdm/root/:0 -localhost -display :0
and it runs. But at the moment when a client (vncviewer from the tigervnc-1.2.80-0.10.20130314svn5065.fc18.i686 package) connects to it, x11vnc crashes with the message:
*** buffer overflow detected ***: /usr/bin/x11vnc terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x45)[0x4c02cca5]
/lib/libc.so.6[0x4c02ac7a]
/lib/libc.so.6[0x4c02cbaa]
/lib/libvncserver.so.0(rfbProcessNewConnection+0x125)[0x41012835]
/lib/libvncserver.so.0(rfbCheckFds+0x390)[0x41012d40]
/lib/libvncserver.so.0(rfbProcessEvents+0x2f)[0x4100927f]
/usr/bin/x11vnc[0x80f28c1]
/usr/bin/x11vnc[0x80b13af]
/usr/bin/x11vnc[0x8055b43]
/lib/libc.so.6(__libc_start_main+0xf5)[0x4bf38865]
/usr/bin/x11vnc[0x8062999]
======= Memory map: ========
....

Running under gdb (with debuginfo packages installed) gives this backtrace:
#0 0xb7fff424 in __kernel_vsyscall ()
#1 0x4bf4db7f in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:63
#2 0x4bf4f4d3 in __GI_abort () at abort.c:90
#3 0x4bf8d405 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x4c091c25 "*** %s ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:197
#4 0x4c02cca5 in __GI___fortify_fail (msg=msg@entry=0x4c091bcb "buffer overflow detected") at fortify_fail.c:31
#5 0x4c02ac7a in __GI___chk_fail () at chk_fail.c:28
#6 0x4c02cbaa in __fdelt_chk (d=-1) at fdelt_chk.c:25
#7 0x41012835 in rfbProcessNewConnection (rfbScreen=rfbScreen@entry=0x83f01d0) at sockets.c:407
#8 0x41012d40 in rfbCheckFds (rfbScreen=rfbScreen@entry=0x83f01d0, usec=0) at sockets.c:306
#9 0x4100927f in rfbProcessEvents (screen=0x83f01d0, usec=<optimized out>, usec@entry=0) at main.c:1101
#10 0x080f28c1 in rfbPE (usec=usec@entry=0) at util.c:581
#11 0x080b13af in watch_loop () at screen.c:4527
#12 0x08055b43 in main (argc=8, argv=0xbffff104) at x11vnc.c:5990

Version-Release number of selected component (if applicable):
x11vnc-0.9.13-8.fc18.i686
libvncserver-0.9.9-7.fc18.i686
glibc-2.16-31.fc18.i686

Revision history for this message
In , Frantisek (frantisek-redhat-bugs) wrote :

I now verified that the same bug is on Fedora 17 i686 (x11vnc-0.9.13-3.fc17.i686, libvncserver-0.9.9-7.fc17.i686), and this problem seems to be not an x11vnc bug but a libvncserver bug: when I replace libvncserver-0.9.9-7.fc17.i686 with the older libvncserver-0.9.8.2-4.fc17.i686, then all works fine and the client can connect to the remote X session.

Thus please change this to be against libvncserver (and extend it to F17 too).

Revision history for this message
In , Pavel (pavel-redhat-bugs) wrote :

Reassigning according to last comment.

Revision history for this message
In , Frantisek (frantisek-redhat-bugs) wrote :

Also, rebuilding libvncserver-0.9.8.2-4.fc17.src.rpm for F18 and replacing libvncserver-0.9.9-7.fc18.i686 with it solves the problem on F18.

Revision history for this message
Ronald (ronald645) wrote :

On my duplicate report, someone showed up with a patch (now building):

https://bugs.launchpad.net/ubuntu/+source/x11vnc/+bug/1175098/comments/1

Furthermore, post #7 on this bug recommended disabling IPV6. I found this comment on an x11vnc bug report at Debian:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672449#15

You need to use: -no6 -rfbportv6 -1

To disable IPV6 on x11vnc currently. I will see what is working and what is not. Thanks!

Revision history for this message
Ronald (ronald645) wrote :

Just tested it:

- Disabling IPV6 does not work.
- Patch works!

Revision history for this message
In , Frantisek (frantisek-redhat-bugs) wrote :

Just tested on FC19 x86_64: the current version 0.9.9-7.fc19 crashed; when I replace it with libvncserver-0.9.8.2-4.fc19.x86_64 (my build), x11vnc connections work fine. Thus raising the Fedora version to 19.

Revision history for this message
Chaoz (chaozx) wrote :

Just ran into this exact problem after upgrading from 12.04 to 12.10, kind of annoying as I use VNC everyday. But it turns out I didn't need to recompile x11vnc as the latest test version worked - from the man himself, of course! It can be found in http://www.karlrunge.com/x11vnc/bins/. The one I used was x11vnc-0.9.14_TEST_amd64-Linux for Ubuntu + Openbox.

Hope this helps someone in the same situation.

Revision history for this message
In , Frantisek (frantisek-redhat-bugs) wrote :

After nearly half a year since the initial report, this bug isn't solved.

Revision history for this message
In , Darryl (darryl-redhat-bugs) wrote :

Still broken in F20/i686
libvncserver-0.9.9-10.fc20.i686

Pretty useless really.

Revision history for this message
In , Rex (rex-redhat-bugs) wrote :

Pretty sure this is an x11vnc bug (not supporting the libvncserver API for ipv6 connections). Digging into the x11vnc source code for more details now.

Revision history for this message
In , Rex (rex-redhat-bugs) wrote :

Turns out I cannot reproduce the crash on host using:

$ rpm -q x11vnc libvncserver
x11vnc-0.9.13-11.fc19.x86_64
libvncserver-0.9.9-10.fc19.x86_64

and connecting to it from a fedora 20 client.

(I suppose there's a chance this is i686-specific somehow).

If anyone can still reproduce this, can you generate a fresh backtrace (or let abrt do it for you)?

Revision history for this message
In , Darryl (darryl-redhat-bugs) wrote :

[client@lts11-6 ~]$ x11vnc
###############################################################
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#
#@ @#
#@ ** WARNING ** WARNING ** WARNING ** WARNING ** @#
#@ @#
#@ YOU ARE RUNNING X11VNC WITHOUT A PASSWORD!! @#
#@ @#
#@ This means anyone with network access to this computer @#
#@ may be able to view and control your desktop. @#
#@ @#
#@ >>> If you did not mean to do this Press CTRL-C now!! <<< @#
#@ @#
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#
#@ @#
#@ You can create an x11vnc password file by running: @#
#@ @#
#@ x11vnc -storepasswd password /path/to/passfile @#
#@ or x11vnc -storepasswd /path/to/passfile @#
#@ or x11vnc -storepasswd @#
#@ @#
#@ (the last one will use ~/.vnc/passwd) @#
#@ @#
#@ and then starting x11vnc via: @#
#@ @#
#@ x11vnc -rfbauth /path/to/passfile @#
#@ @#
#@ an existing ~/.vnc/passwd file from another VNC @#
#@ application will work fine too. @#
#@ @#
#@ You can also use the -passwdfile or -passwd options. @#
#@ (note -passwd is unsafe if local users are not trusted) @#
#@ @#
#@ Make sure any -rfbauth and -passwdfile password files @#
#@ cannot be read by untrusted users. @#
#@ @#
#@ Use x11vnc -usepw to automatically use your @#
#@ ~/.vnc/passwd or ~/.vnc/passwdfile password files. @#
#@ (and prompt you to create ~/.vnc/passwd if neither @#
#@ file exists.) Under -usepw, x11vnc will exit if it @#
#@ cannot find a password to use. @#
#@ @#
#@ @#
#@ Even with a password, the subsequent VNC traffic is @#
#@ sent in the clear. Consider tunnelling via ssh(1): @#
#@ @#
#@ http://www.karlrunge.com/x11vnc/#tunnelling @#
#@ @#
#@ Or using the x11vnc SSL options: -ssl and -stunnel @#
#@ @#
#@ Please Read the documention for m...

Revision history for this message
In , Rex (rex-redhat-bugs) wrote :

OK, very likely it has something to do with all the warnings:

31/01/2014 07:14:20 rfbListenOnTCP6Port: error in bind IPv6 socket: Address
family not supported by protocol

(I don't see that on my box)

Can abrt catch this to generate a backtrace or can you run it under gdb?

Revision history for this message
In , Darryl (darryl-redhat-bugs) wrote :

libvncserver-0.9.9-10.fc20.i686
x11vnc-0.9.13-11.fc20.i686

Doesn't seem to take any notice of the ipv6 disable flags??
x11vnc -noipv6 -no6
...
31/01/2014 07:26:23 Autoprobing TCP port
31/01/2014 07:26:23 Autoprobing selected TCP port 5900
31/01/2014 07:26:23 Autoprobing TCP6 port
31/01/2014 07:26:23 rfbListenOnTCP6Port: error in bind IPv6 socket: Address family not supported by protocol
31/01/2014 07:26:23 rfbListenOnTCP6Port: error in bind IPv6 socket: Address family not supported by protocol
31/01/2014 07:26:23 rfbListenOnTCP6Port: error in bind IPv6 socket: Address family not supported by protocol
31/01/2014 07:26:23 rfbListenOnTCP6Port: error in bind IPv6 socket: Address family not supported by protocol
...

Revision history for this message
In , Darryl (darryl-redhat-bugs) wrote :

I do have ipv6 disabled on the x11vnc server

Revision history for this message
In , Darryl (darryl-redhat-bugs) wrote :

0xb7ffd424 in __kernel_vsyscall ()
(gdb) backtrace
#0 0xb7ffd424 in __kernel_vsyscall ()
#1 0xb792aba6 in raise () from /lib/libc.so.6
#2 0xb792c3e3 in abort () from /lib/libc.so.6
#3 0xb796a2e8 in __libc_message () from /lib/libc.so.6
#4 0xb7a05575 in __fortify_fail () from /lib/libc.so.6
#5 0xb7a0364a in __chk_fail () from /lib/libc.so.6
#6 0xb7a0548a in __fdelt_warn () from /lib/libc.so.6
#7 0xb7f85f41 in rfbProcessNewConnection () from /lib/libvncserver.so.0
#8 0xb7f86440 in rfbCheckFds () from /lib/libvncserver.so.0
#9 0xb7f7c54f in rfbProcessEvents () from /lib/libvncserver.so.0
#10 0x080f3489 in rfbPE ()
#11 0x080b2bcf in watch_loop ()
#12 0x080565eb in main ()

Revision history for this message
In , Frantisek (frantisek-redhat-bugs) wrote :

Created attachment 857669
x11vnc/gdb outputs when crash occurs

this is x11vnc crash on my f19-i386 PC, with backtrace (debuginfo pkgs installed); backtrace is at listing end.

Revision history for this message
In , Darryl (darryl-redhat-bugs) wrote :

Workaround for me is to remove the ipv6 disable from the kernel command line (ipv6.disable=1).
The ipv6 warnings are no longer displayed and x11vnc works as it should.

Revision history for this message
In , Frantisek (frantisek-redhat-bugs) wrote :

(In reply to Rex Dieter from comment #9)
> Turns out I cannot reproduce the crash on host using:
>
> $ rpm -q x11vnc libvncserver
> x11vnc-0.9.13-11.fc19.x86_64
> libvncserver-0.9.9-10.fc19.x86_64
>
> and connecting to it from a fedora 20 client.
>
> (I suppose there's a chance this is i686-specific somehow).
>
> If anyone can still reproduce this, can you generate a fresh backtrace (or
> let abrt do it for you)?

This crash occurs on my f19/x86_64 system too.

Revision history for this message
In , Frantisek (frantisek-redhat-bugs) wrote :

(In reply to Darryl Bond from comment #16)
> Workaround for me is to remove the ipv6 disable from the kernel command line
> (ipv6.disable=1).
> The ipv6 warnings are no longer displayed and x11vnc works as it should.

"disable ipv6.disable=1" options are (and I hope they will be) standard options on all my IPv4-only machines (which are all non-experimental ;).
And all network daemons/programs were working fine, including x11vnc, until 'libvncserver' was updated from '0.9.8' to '0.9.9'.

Revision history for this message
In , Rex (rex-redhat-bugs) wrote :

OK, thanks for the extra information. It's fairly clear now that the new ipv6 support that came in v0.9.9 wasn't robust against the case of having ipv6 disabled on the host.

I'll work to inform upstream and other distros, and see if we can collaborate our way to a workable solution.
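As an added illustration, not libvncserver's or x11vnc's code: why the `__fdelt_chk (d=-1)` frame in the gdb backtraces above ends in a fortify abort, and the guarded form of the same select loop. The helper names, the NO_SOCKET value, and the assumption that the library leaves its IPv6 listener at -1 when socket() fails are mine.

```c
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Value a failed listener setup leaves behind (assumed; mirrors the IPv6
 * socket() failing with "Address family not supported by protocol"). */
#define NO_SOCKET (-1)

/* Unguarded pattern (the bug): FD_ISSET(-1, set) indexes before the start
 * of the fd_set bit array. With _FORTIFY_SOURCE, glibc routes the index
 * through __fdelt_chk(-1), which calls __chk_fail() and aborts with
 * "*** buffer overflow detected ***", the frames seen in the backtraces.
 * Kept for comparison only; never call it with a closed listener. */
int listener_ready_unguarded(int fd, const fd_set *set)
{
    return FD_ISSET(fd, set) ? 1 : 0;
}

/* Hardened form: a listener that was never opened is simply not polled. */
int listener_ready(int fd, const fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    return FD_ISSET(fd, set) ? 1 : 0;
}

/* Register a listener in the set and grow nfds; returns 1 if added,
 * 0 if the fd is NO_SOCKET or outside the fd_set range. */
int add_listener(int fd, fd_set *set, int *nfds)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    FD_SET(fd, set);
    if (fd + 1 > *nfds)
        *nfds = fd + 1;
    return 1;
}

/* One pass of an rfbCheckFds-style loop over an IPv4 listener and an IPv6
 * listener that may not exist. Returns the number of readable listeners,
 * or -1 if select() fails. */
int poll_listeners(int listen4, int listen6, int timeout_ms)
{
    fd_set rfds;
    int nfds = 0, ready = 0;
    struct timeval tv;

    FD_ZERO(&rfds);
    add_listener(listen4, &rfds, &nfds);
    add_listener(listen6, &rfds, &nfds);      /* NO_SOCKET is skipped */
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    if (select(nfds, &rfds, NULL, NULL, &tv) < 0)
        return -1;
    ready += listener_ready(listen4, &rfds);
    ready += listener_ready(listen6, &rfds);  /* safe even when -1 */
    return ready;
}

int main(void)
{
    /* Constructed stand-in for a listening socket with a pending event:
     * a pipe whose read end already holds a byte. */
    int p[2];
    if (pipe(p) != 0 || write(p[1], "x", 1) != 1)
        return 1;
    printf("ready listeners (IPv4 ok, IPv6 missing): %d\n",
           poll_listeners(p[0], NO_SOCKET, 100));   /* prints 1 */
    close(p[0]);
    close(p[1]);
    return 0;
}
```

Building with `gcc -O2 -D_FORTIFY_SOURCE=2` and swapping `listener_ready` for `listener_ready_unguarded` reproduces the abort from the bug reports; the guarded version returns 1 without touching the set for the missing listener.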

Revision history for this message
Rex Dieter (rdieter) wrote :

FYI, I filed bug (ticket) upstream,
https://sourceforge.net/p/libvncserver/tickets/1/

Revision history for this message
In , Rex (rex-redhat-bugs) wrote :

Unfortunate initial feedback from upstream:

"the use case illustrated at least in the first downstream link is only supported by disabling IPv6 support at compile time for now"

Looks like libvncserver simply does not support ipv6 being disabled on the host (currently). :(

Revision history for this message
In , Rex (rex-redhat-bugs) wrote :

Found a couple of upstream commits that may help (some), anyone interested in testing can grab these builds:

f19: https://koji.fedoraproject.org/koji/buildinfo?buildID=508284
f20: https://koji.fedoraproject.org/koji/buildinfo?buildID=508285

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

This message is a notice that Fedora 19 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 19. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 19 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Changed in x11vnc (Fedora):
importance: Unknown → Undecided
status: Unknown → Won't Fix