VNC zlib Advisory draft 1

Andrew van der Stock ajv "at"
Thu, 14 Mar 2002 02:14:08 +0000

Hi there,

We need to respond to the CERT multiple vendor zlib issue as a "vendor".
I've taken the liberty of preparing an advisory. It's probably better if
everyone who has a server or client and uses zlib uses the same
advisory. Trust me, as a security person I get about 40-80 of these a
day, and it's just easier if all the information is in the one place.

If you maintain a version of VNC that includes zlib in the viewer or
server, please get back to me if you are affected, and what plans you
have to go to zlib version 1.1.4 or the fixed version of zlib from


Ps. The circumstances where this bug can be exploited are fairly low
--------------------------BEGIN INCLUDED TEXT--------------------

             VNC Security Bulletin

             Zlib double free issue
                 15 March 2002

        Security Bulletin Summary

Topic:                  zlib double free may cause local exploit or

Vendor:                 Multiple vendors

Product:                TightVNC Xvnc, WinVNC
                        Tridia Xvnc, WinVNC
                        VNC Viewer for Java
                        VNC Viewer for Apple Newton

Operating System:       VNC is portable across multiple vendors
                        including Linux, NetBSD, FreeBSD,
                        MacOS and all Win32 platforms

Impact:                 Potential root / LOCALSYSTEM compromise
                        Execute arbitrary code/commands

Access Required:        Local, requires existing password

Version:                The following programs link with or are
                        linked with zlib and should be upgraded:

                        TightVNC 1.2.2 (both Xvnc and WinVNC)
                        TridiaVNC 1.5.4
                        ChromiVNC v3.4 alpha 5 for MacOS (68k and PPC platforms)
                        VNCThing for MacOS X (and MacOS platforms with Carbon)
                        VNC Viewer for Java
                        VNC Viewer and Server for Apple Newton
                        XXX: others?

Unknown at this time:   Unix:     IBM AIX 4.3.3 and 5L, "Toolbox for Linux
                                  applications" (based upon AT&T?)

                        XXX: others?

Not vulnerable:         Unix:     AT&T VNC 3.3.3r2 (current
                        Windows:  AT&T WinVNC 3.3.3r9 for x86 (current version)
                                  WinVNC 3.3.3r1 for Alpha
                                  AT&T WINVNC 3.3.3r2 beta
                        Geos (Nokia 9000)   VNCGEO10
                        OS/2:     VNC Viewer for OS/2 PM
                        PalmOS:   PalmVNC 1.40
                        RiscOS:   !VNC (any version)
                        VMS:      AT&T VNC VNC333R1VMS011

                        XXX:      Others?

Fixed in:
                        None yet shipped


There is a vulnerability in the decompression algorithm used by the
popular zlib compression library. If an attacker is able to pass a
specially-crafted block of invalid compressed data to a program that
includes zlib, the program's attempt to decompress the crafted data can
cause the zlib routines to corrupt the internal data structures
maintained by malloc.

Various VNC implementations use the affected versions of zlib. This
could lead to execution of arbitrary code under the privilege of the user
of the client program utilizing gzip, which is generally the local user
in Unix (which may include root), and the local user or Administrator in
WinNT/2000/XP, or complete control of platforms without a security
architecture (MacOS, Win95 - WinME, WinCE, Newton, etc).

Technical Details

CERT advisory:

Solutions and Workarounds

Typically, Unix versions of affected VNC viewers utilize the zlib shared
library. Upgrading zlib should remedy most users of Unix
platforms. However, the following versions have been statically linked
against zlib, and will require upgrading when new versions are

TightVNC 1.2.2

A future version will be available shortly to correct this problem.

TridiaVNC 1.4.0

A future version will be available shortly to correct this problem.  

Java viewers and servers rely on the Java Runtime Environment (JRE) and
the client browser being correct. To correct Java problems, please
review the appropriate advisories for Java or your browser for your

Thanks To

Sites with VNC affected clients and servers


Vendor responses

Revision History

	2002-03-15	Initial release

More Information

An up-to-date PGP signed copy of this release will be maintained at

XXX: To be advised.

Copyright 2002, Andrew van der Stock et al.  All Rights Reserved.
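
The message above separates viewers that use the zlib shared library from builds statically linked against zlib; the latter can be spotted from the binary itself, because zlib embeds version banners in any code that includes it. The following is an added example, not part of the original message or of any VNC project's code: the function names and sample byte strings are constructed for illustration, and 1.1.4 is the fixed version named in the message.

```python
import re

# zlib embeds banners such as " inflate 1.1.3 Copyright 1995-1998 Mark Adler "
# in every binary that contains its code, so a statically linked copy is visible.
BANNER = re.compile(rb"(inflate|deflate) (\d+(?:\.\d+){1,3})[^\s]* Copyright")
FIXED = (1, 1, 4)  # fixed zlib release named in the message


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def embedded_zlib_versions(data):
    """Return the sorted, de-duplicated zlib versions whose banners appear in data."""
    found = {m.group(2).decode("ascii") for m in BANNER.finditer(data)}
    return sorted(found, key=parse_version)


def audit(data):
    """Classify a binary image as 'vulnerable', 'fixed' or 'no-banner'."""
    versions = embedded_zlib_versions(data)
    if not versions:
        # Absence of a banner is not proof of safety: the binary may load the
        # shared library instead, or its strings may have been altered.
        return "no-banner", versions
    if any(parse_version(v) < FIXED for v in versions):
        return "vulnerable", versions
    return "fixed", versions


# Constructed sample images (not real VNC binaries).
OLD_IMAGE = (b"\x7fELF" + b"\x00" * 32
             + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00"
             + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00")
NEW_IMAGE = b"MZ" + b"\x00" * 16 + b" inflate 1.1.4 Copyright 1995-2002 Mark Adler \x00"
DYNAMIC_IMAGE = b"\x7fELF" + b"\x00" * 16 + b"libz.so.1\x00inflateInit_\x00"

if __name__ == "__main__":
    import sys
    # Usage: python zlib_audit.py /path/to/viewer /path/to/server ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            status, versions = audit(fh.read())
        print(f"{path}: {status} {', '.join(versions)}")
```

A "no-banner" result means the binary should be checked for a dynamic dependency on the system zlib, which is then upgraded separately.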