VNC zlib Advisory draft 1

Dair Grant
Fri, 15 Mar 2002 11:55:13 +0000

Adrian Umpleby wrote:

>> The next version of VNCThing (2.3) will be linked with zlib 1.1.4: should be
>> available fairly soon.
> Thanks for the info!
> (Does that mean v2.2 is potentially vulnerable?)

I doubt it - the bug involves pretty specific circumstances (and depends on
the exact behaviour of the malloc/free you link to).

The Metrowerks malloc/free that VNCThing links to is a pool based system on
top of the Mac OS NewPtr/DisposePtr allocator (which map to BSD's
malloc/free on X, and are the lowest level on 9). Given the extra layer, the
behaviour is probably pretty different to the libc that was originally

Also remember that if you were trying to exploit this on a Mac, you'd need
to know PowerPC assembly - there's nothing in the VNC protocol to indicate
the client platform, so a rigged/compromised server would almost certainly
be trying to send x86 instructions.

No Mac clients currently support listen mode, so any attack could only be
made when a client connected to a compromised server (where the attacker
knew in advance that a Mac was going to be the client, and could prepare a
PowerPC buffer overflow).

Obviously just updating to zlib 1.1.4 doesn't guarantee that there aren't
any other potential problems - but it took less time than writing this
mail. :-)

> Just curious to know if you've also figured out the problem with dragging when
> connected to an Xvnc server? (That's the only thing that's keeping me using
> VNCDimension at the moment rather than VNCThing.)

The plan is to switch to carbon events for mouse input, which will map much
more cleanly onto the vnc mouse events: unfortunately I don't have access to
an X11 box to test on, but if you'd like to give it a quick test before
release let me know (off list).

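The practical advice in the mail above is "make sure the zlib you are actually linked against is 1.1.4 or later". The following is an added example by the editor, not code from the mail, from VNCThing or from the zlib project: it parses a zlib version string and compares it against the first release that carried the fix, and it reads both the version Python was compiled against and the version the shared library reports at run time (the same distinction as ZLIB_VERSION versus zlibVersion() in C), since a library swapped in after the build is the one that matters. The 1.1.4 threshold and the handling of vendor suffixes such as "1.2.11.zlib-ng" are assumptions made for the example.

```python
"""Check that the zlib a program is running against is at least the
release that carries a given fix (here: 1.1.4, the release that closed the
1.1.3 inflate double free discussed on the list).

Added example; not part of the original mail, VNCThing or zlib itself.
Uses only the Python standard library: zlib.ZLIB_VERSION is the header
version the interpreter was compiled against, zlib.ZLIB_RUNTIME_VERSION is
what the loaded shared library reports at run time.
"""
import re
import zlib

# Assumption for this example: first zlib release without the 1.1.3 bug.
FIXED_IN = (1, 1, 4)


def parse_zlib_version(version):
    """Turn a zlib version string such as '1.2.13', '1.1' or
    '1.2.11.zlib-ng' into a tuple of integers for comparison.
    Trailing non-numeric vendor suffixes are ignored; a missing patch
    level compares as 0 (so '1.1' becomes (1, 1, 0))."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised zlib version string: %r" % version)
    parts = [int(p) for p in m.groups() if p is not None]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def has_fix(version, fixed_in=FIXED_IN):
    """True if `version` is at or past the release carrying the fix."""
    return parse_zlib_version(version) >= tuple(fixed_in)


def check_linked_zlib():
    """Report on the zlib this interpreter is using.  Returns a dict so a
    build or deployment script can act on the result instead of reading
    printed output."""
    compiled = zlib.ZLIB_VERSION
    # ZLIB_RUNTIME_VERSION exists since Python 3.3; fall back to the
    # compile-time string on older interpreters.
    runtime = getattr(zlib, "ZLIB_RUNTIME_VERSION", compiled)
    return {
        "compiled_against": compiled,
        "runtime": runtime,
        # the library loaded on disk is what matters, not the headers
        "runtime_has_fix": has_fix(runtime),
        # a mismatch means the library was replaced after the build
        "header_runtime_mismatch": compiled != runtime,
    }


if __name__ == "__main__":
    for key, value in check_linked_zlib().items():
        print("%-24s %s" % (key, value))
```

Run it as a script to see the report for the local interpreter; in a build pipeline, fail the build when `runtime_has_fix` is false or `header_runtime_mismatch` is true and the mismatch is unexpected. The same pattern applies to any C program that links zlib: compare the string returned by `zlibVersion()` at start-up against the `ZLIB_VERSION` it was compiled with, which is exactly the check that distinguishes "we rebuilt against 1.1.4" from "the shipped binary actually loads 1.1.4".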