x11vnc terminated due to buffer overflow

Bug #1175098 reported by Ronald on 2013-05-01
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
x11vnc-xinetd
Fix Released
Unknown
x11vnc (Ubuntu)
Undecided
Unassigned

Bug Description

Ubuntu 13.04, up to date.

I copy the .Xauthority file to a seperate location and give it correct permissions. Then, using su with the user owning .Xauthority, I connect VNC. It is stable. Until I try to connect with remmina. I get an instant buffer overflow.

I also tried UltraVNC viewer (Windows), same result.

root@Delta:~# su -c "x11vnc -rfbport 57090 -display WAIT::0 -auth "$XAUTHORITY_VNC" -forever -shared -noremote" nobody
01/05/2013 11:20:43 x11vnc version: 0.9.13 lastmod: 2011-08-10 pid: 15126
01/05/2013 11:20:43
01/05/2013 11:20:43 wait_for_client: WAIT::0
01/05/2013 11:20:43
01/05/2013 11:20:43 initialize_screen: fb_depth/fb_bpp/fb_Bpl 24/32/2560
01/05/2013 11:20:43
01/05/2013 11:20:43 Listening for VNC connections on TCP port 57090
01/05/2013 11:20:43 rfbListenOnTCP6Port: error in bind IPv6 socket: Address family not supported by protocol
01/05/2013 11:20:43 listen6: socket: Address family not supported by protocol
01/05/2013 11:20:43 (Ignore the above error if this system is IPv4-only.)
01/05/2013 11:20:43 Not listening on IPv6 interface.
01/05/2013 11:20:43

The VNC desktop is: Delta:51190
01/05/2013 11:20:43 possible aliases: Delta:57090, Delta::57090
PORT=57090
*** buffer overflow detected ***: x11vnc terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x63)[0xb72b7bc3]
/lib/i386-linux-gnu/libc.so.6(+0x10593a)[0xb72b693a]
/lib/i386-linux-gnu/libc.so.6(+0x106aaa)[0xb72b7aaa]
/usr/lib/i386-linux-gnu/libvncserver.so.0(rfbProcessNewConnection+0x123)[0xb77700d3]
/usr/lib/i386-linux-gnu/libvncserver.so.0(rfbCheckFds+0x390)[0xb77705e0]
/usr/lib/i386-linux-gnu/libvncserver.so.0(rfbProcessEvents+0x2e)[0xb7766d6e]
x11vnc[0x80f2a39]
x11vnc[0x80d67f1]
x11vnc[0x8056db1]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0xb71ca935]
x11vnc[0x80632f5]
======= Memory map: ========
08048000-08194000 r-xp 00000000 08:02 32610 /usr/bin/x11vnc
08194000-08195000 r--p 0014b000 08:02 32610 /usr/bin/x11vnc
08195000-081da000 rw-p 0014c000 08:02 32610 /usr/bin/x11vnc
081da000-083b5000 rw-p 00000000 00:00 0
0a302000-0a323000 rw-p 00000000 00:00 0 [heap]
b6dc3000-b6dde000 r-xp 00000000 08:02 168 /lib/i386-linux-gnu/libgcc_s.so.1
b6dde000-b6ddf000 r--p 0001a000 08:02 168 /lib/i386-linux-gnu/libgcc_s.so.1
b6ddf000-b6de0000 rw-p 0001b000 08:02 168 /lib/i386-linux-gnu/libgcc_s.so.1
b6df3000-b6f24000 rw-p 00000000 00:00 0
b6f24000-b6f2b000 r-xp 00000000 08:02 237 /lib/i386-linux-gnu/librt-2.17.so
b6f2b000-b6f2c000 r--p 00006000 08:02 237 /lib/i386-linux-gnu/librt-2.17.so
b6f2c000-b6f2d000 rw-p 00007000 08:02 237 /lib/i386-linux-gnu/librt-2.17.so
b6f2d000-b6f2e000 rw-p 00000000 00:00 0
b6f2e000-b6f33000 r-xp 00000000 08:02 22616 /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
b6f33000-b6f34000 r--p 00004000 08:02 22616 /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
b6f34000-b6f35000 rw-p 00005000 08:02 22616 /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
b6f35000-b6f37000 r-xp 00000000 08:02 22614 /usr/lib/i386-linux-gnu/libXau.so.6.0.0
b6f37000-b6f38000 r--p 00001000 08:02 22614 /usr/lib/i386-linux-gnu/libXau.so.6.0.0
b6f38000-b6f39000 rw-p 00002000 08:02 22614 /usr/lib/i386-linux-gnu/libXau.so.6.0.0
b6f39000-b6f4b000 r-xp 00000000 08:02 22515 /usr/lib/i386-linux-gnu/libp11-kit.so.0.0.0
b6f4b000-b6f4c000 r--p 00011000 08:02 22515 /usr/lib/i386-linux-gnu/libp11-kit.so.0.0.0
b6f4c000-b6f4d000 rw-p 00012000 08:02 22515 /usr/lib/i386-linux-gnu/libp11-kit.so.0.0.0
b6f4d000-b6f5d000 r-xp 00000000 08:02 22517 /usr/lib/i386-linux-gnu/libtasn1.so.3.2.0
b6f5d000-b6f5e000 r--p 0000f000 08:02 22517 /usr/lib/i386-linux-gnu/libtasn1.so.3.2.0
b6f5e000-b6f5f000 rw-p 00010000 08:02 22517 /usr/lib/i386-linux-gnu/libtasn1.so.3.2.0
b6f5f000-b6f62000 r-xp 00000000 08:02 22511 /lib/i386-linux-gnu/libgpg-error.so.0.8.0
b6f62000-b6f63000 r--p 00002000 08:02 22511 /lib/i386-linux-gnu/libgpg-error.so.0.8.0
b6f63000-b6f64000 rw-p 00003000 08:02 22511 /lib/i386-linux-gnu/libgpg-error.so.0.8.0
b6f64000-b6f65000 rw-p 00000000 00:00 0
b6f65000-b6fad000 r-xp 00000000 08:02 158 /lib/i386-linux-gnu/libdbus-1.so.3.7.2
b6fad000-b6fae000 r--p 00047000 08:02 158 /lib/i386-linux-gnu/libdbus-1.so.3.7.2
b6fae000-b6faf000 rw-p 00048000 08:02 158 /lib/i386-linux-gnu/libdbus-1.so.3.7.2
b6faf000-b6fcf000 r-xp 00000000 08:02 22618 /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
b6fcf000-b6fd0000 r--p 0001f000 08:02 22618 /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
b6fd0000-b6fd1000 rw-p 00020000 08:02 22618 /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
b6fd1000-b6fd9000 r-xp 00000000 08:02 25560 /usr/lib/i386-linux-gnu/libXrender.so.1.3.0
b6fd9000-b6fda000 r--p 00007000 08:02 25560 /usr/lib/i386-linux-gnu/libXrender.so.1.3.0
b6fda000-b6fdb000 rw-p 00008000 08:02 25560 /usr/lib/i386-linux-gnu/libXrender.so.1.3.0
b6fdb000-b6fde000 r-xp 00000000 08:02 160 /lib/i386-linux-gnu/libdl-2.17.so
b6fde000-b6fdf000 r--p 00002000 08:02 160 /lib/i386-linux-gnu/libdl-2.17.so
b6fdf000-b6fe0000 rw-p 00003000 08:02 160 /lib/i386-linux-gnu/libdl-2.17.so
b6fe0000-b70a0000 r-xp 00000000 08:02 22520 /usr/lib/i386-linux-gnu/libgnutls.so.26.22.6
b70a0000-b70a4000 r--p 000bf000 08:02 22520 /usr/lib/i386-linux-gnu/libgnutls.so.26.22.6
b70a4000-b70a5000 rw-p 000c3000 08:02 22520 /usr/lib/i386-linux-gnu/libgnutls.so.26.22.6
b70a5000-b70a6000 rw-p 00000000 00:00 0
b70a6000-b7127000 r-xp 00000000 08:02 22513 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
b7127000-b7128000 r--p 00080000 08:02 22513 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
b7128000-b712a000 rw-p 00081000 08:02 22513 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
b712a000-b713d000 r-xp 00000000 08:02 235 /lib/i386-linux-gnu/libresolv-2.17.so
b713d000-b713e000 r--p 00013000 08:02 235 /lib/i386-linux-gnu/libresolv-2.17.so
b713e000-b713f000 rw-p 00014000 08:02 235 /lib/i386-linux-gnu/libresolv-2.17.so
b713f000-b7141000 rw-p 00000000 00:00 0
b7141000-b7186000 r-xp 00000000 08:02 25584 /usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
b7186000-b7187000 r--p 00044000 08:02 25584 /usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
b7187000-b7188000 rw-p 00045000 08:02 25584 /usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
b7188000-b7198000 rw-p 00000000 00:00 0
b7198000-b71af000 r-xp 00000000 08:02 259 /lib/i386-linux-gnu/libz.so.1.2.7
b71af000-b71b0000 r--p 00016000 08:02 259 /lib/i386-linux-gnu/libz.so.1.2.7
b71b0000-b71b1000 rw-p 00017000 08:02 259 /lib/i386-linux-gnu/libz.so.1.2.7
b71b1000-b735e000 r-xp 00000000 08:02 146 /lib/i386-linux-gnu/libc-2.17.so
b735e000-b7360000 r--p 001ad000 08:02 146 /lib/i386-linux-gnu/libc-2.17.so
b7360000-b7361000 rw-p 001af000 08:02 146 /lib/i386-linux-gnu/libc-2.17.so
b7361000-b7365000 rw-p 00000000 00:00 0
b7365000-b7375000 r-xp 00000000 08:02 25528 /usr/lib/i386-linux-gnu/libavahi-client.so.3.2.9
b7375000-b7376000 r--p 0000f000 08:02 25528 /usr/lib/i386-linux-gnu/libavahi-client.so.3.2.9
b7376000-b7377000 rw-p 00010000 08:02 25528 /usr/lib/i386-linux-gnu/libavahi-client.so.3.2.9
b7377000-b7383000 r-xp 00000000 08:02 25521 /usr/lib/i386-linux-gnu/libavahi-common.so.3.5.3
b7383000-b7384000 r--p 0000b000 08:02 25521 /usr/lib/i386-linux-gnu/libavahi-common.so.3.5.3
b7384000-b7385000 rw-p 0000c000 08:02 25521 /usr/lib/i386-linux-gnu/libavahi-common.so.3.5.3
b7385000-b74b7000 r-xp 00000000 08:02 22868 /usr/lib/i386-linux-gnu/libX11.so.6.3.0
b74b7000-b74b8000 r--p 00132000 08:02 22868 /usr/lib/i386-linux-gnu/libX11.so.6.3.0
b74b8000-b74bb000 rw-p 00133000 08:02 22868 /usr/lib/i386-linux-gnu/libX11.so.6.3.0
b74bb000-b74bd000 r-xp 00000000 08:02 25775 /usr/lib/i386-linux-gnu/libXdamage.so.1.1.0
b74bd000-b74be000 r--p 00001000 08:02 25775 /usr/lib/i386-linux-gnu/libXdamage.so.1.1.0
b74be000-b74bf000 rw-p 00002000 08:02 25775 /usr/lib/i386-linux-gnu/libXdamage.so.1.1.0
b74bf000-b74c4000 r-xp 00000000 08:02 25765 /usr/lib/i386-linux-gnu/libXfixes.so.3.1.0
b74c4000-b74c5000 r--p 00004000 08:02 25765 /usr/lib/i386-linux-gnu/libXfixes.so.3.1.0
b74c5000-b74c6000 rw-p 00005000 08:02 25765 /usr/lib/i386-linux-gnu/libXfixes.so.3.1.0
b74c6000-b74c7000 rw-p 00000000 00:00 0
b74c7000-b74d0000 r-xp 00000000 08:02 25787 /usr/lib/i386-linux-gnu/libXrandr.so.2.2.0
b74d0000-b74d1000 r--p 00008000 08:02 25787 /usr/lib/i386-linux-gnu/libXrandr.so.2.2.0
b74d1000-b74d2000 rw-p 00009000 08:02 25787 /usr/lib/i386-linux-gnu/libXrandr.so.2.2.0
b74d2000-b74d4000 r-xp 00000000 08:02 25785 /usr/lib/i386-linux-gnu/libXinerama.so.1.0.0
b74d4000-b74d5000 r--p 00001000 08:02 25785 /usr/lib/i386-linux-gnu/libXinerama.so.1.0.0
b74d5000-b74d6000 rw-p 00002000 08:02 25785 /usr/lib/i386-linux-gnu/libXinerama.so.1.0.0
b74d6000-b74e6000 r-xp 00000000 08:02 22870 /usr/lib/i386-linux-gnu/libXext.so.6.4.0
b74e6000-b74e7000 r--p 0000f000 08:02 22870 /usr/lib/i386-linux-gnu/libXext.so.6.4.0
b74e7000-b74e8000 rw-p 00010000 08:02 22870 /usr/lib/i386-linux-gnu/libXext.so.6.4.0
b74e8000-b74ed000 r-xp 00000000 08:02 28097 /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
b74ed000-b74ee000 r--p 00004000 08:02 28097 /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
b74ee000-b74ef000 rw-p 00005000 08:02 28097 /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
b74ef000-b74f8000 r-xp 00000000 08:02 154 /lib/i386-linux-gnu/libcrypt-2.17.so
b74f8000-b74f9000 r--p 00008000 08:02 154 /lib/i386-linux-gnu/libcrypt-2.17.so
b74f9000-b74fa000 rw-p 00009000 08:02 154 /lib/i386-linux-gnu/libcrypt-2.17.so
b74fa000-b7522000 rw-p 00000000 00:00 0
b7522000-b76b4000 r-xp 00000000 08:02 156 /lib/i386-linux-gnu/libcrypto.so.1.0.0
b76b4000-b76c3000 r--p 00192000 08:02 156 /lib/i386-linux-gnu/libcrypto.so.1.0.0
b76c3000-b76ca000 rw-p 001a1000 08:02 156 /lib/i386-linux-gnu/libcrypto.so.1.0.0
b76ca000-b76cd000 rw-p 00000000 00:00 0
b76cd000-b771e000 r-xp 00000000 08:02 245 /lib/i386-linux-gnu/libssl.so.1.0.0
b771e000-b7720000 r--p 00050000 08:02 245 /lib/i386-linux-gnu/libssl.so.1.0.0
b7720000-b7724000 rw-p 00052000 08:02 245 /lib/i386-linux-gnu/libssl.so.1.0.0
b7724000-b773b000 r-xp 00000000 08:02 231 /lib/i386-linux-gnu/libpthread-2.17.so
b773b000-b773c000 r--p 00016000 08:02 231 /lib/i386-linux-gnu/libpthread-2.17.so
b773c000-b773d000 rw-p 00017000 08:02 231 /lib/i386-linux-gnu/libpthread-2.17.so
b773d000-b773f000 rw-p 00000000 00:00 0
b773f000-b775c000 r-xp 00000000 08:02 29590 /usr/lib/i386-linux-gnu/libvncclient.so.0.0.0
b775c000-b775d000 r--p 0001d000 08:02 29590 /usr/lib/i386-linux-gnu/libvncclient.so.0.0.0
b775d000-b775e000 rw-p 0001e000 08:02 29590 /usr/lib/i386-linux-gnu/libvncclient.so.0.0.0
b775e000-b77a6000 r-xp 00000000 08:02 29589 /usr/lib/i386-linux-gnu/libvncserver.so.0.0.0
b77a6000-b77a7000 r--p 00048000 08:02 29589 /usr/lib/i386-linux-gnu/libvncserver.so.0.0.0
b77a7000-b77a8000 rw-p 00049000 08:02 29589 /usr/lib/i386-linux-gnu/libvncserver.so.0.0.0
b77a8000-b77be000 rw-p 00000000 00:00 0
b77cf000-b77d2000 rw-p 00000000 00:00 0
b77d2000-b77d3000 r-xp 00000000 00:00 0 [vdso]
b77d3000-b77f3000 r-xp 00000000 08:02 126 /lib/i386-linux-gnu/ld-2.17.so
b77f3000-b77f4000 r--p 0001f000 08:02 126 /lib/i386-linux-gnu/ld-2.17.so
b77f4000-b77f5000 rw-p 00020000 08:02 126 /lib/i386-linux-gnu/ld-2.17.so
bffdd000-bfffe000 rw-p 00000000 00:00 0 [stack]
caught signal: 6

M. Vefa Bicakci (mvb) wrote :

I noticed that the problem only manifests itself if x11vnc is ./configure'd before compilation with the "--with-system-libvncserver" option. Unfortunately, only removing this ./configure option is not sufficient. One needs to make two other modifications to the debian/rules file.

Recompiling the x11vnc package after patching the debian/rules file with the attached patch produces a working x11vnc binary.

information type: Public → Public Security
information type: Public Security → Public

The attachment "Patch against debian/rules which fixes the issue." seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Ronald (ronald645) wrote :

Thank you mister Bicakci, I will test the patch ASAP.

Ronald (ronald645) wrote :

Just tested it, works like a charm! Thanks a ton!

Chaoz (chaozx) wrote :

Just ran into this exact problem after upgrading from 12.04 to 12.10, kind of annoying as I use VNC everyday. But it turns out I didn't need to recompile x11vnc as the latest test version worked - from the man himself, of course! It can be found in http://www.karlrunge.com/x11vnc/bins/. The one I used was x11vnc-0.9.14_TEST_amd64-Linux for Ubuntu + Openbox.

Hope this helps someone in the same situation.

Ronald (ronald645) wrote :

I have not looked at the binaries closely... But,

That is probably a static bin with old library's. You will eventually run into problems as well due to incompatibilities. Furthermore, those versions of x11vnc could have been compiled with known vulnerability's in it's statically linked library's.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in x11vnc (Ubuntu):
status: New → Confirmed
Florian Schlichting (fschlich) wrote :

actually a bug in libvncserver, fixed in version 0.9.9+dfsg-5 (see Debian bug and the bugs referenced there)

Changed in x11vnc (Ubuntu):
status: Confirmed → Fix Released
Changed in x11vnc-xinetd:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.