| Summary: | libvncserver, remmina, x11vnc new security issue CVE-2014-4607 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, mageia, sysadmin-bugs, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/604237/ | ||
| Whiteboard: | MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory | ||
| Source RPM: | libvncserver-0.9.9-3.mga4.src.rpm, remmina-1.0.0-4.2.mga4.src.rpm, x11vnc-0.9.13-4.mga4 | CVE: | |
| Status comment: | |||
| Bug Depends on: | 14001 | ||
| Bug Blocks: | 13943 | ||
Description
David Walser
2014-08-19 19:39:29 CEST
Comment 1
David Walser
2014-08-19 19:40:00 CEST

Blocks: (none) => 13943

x11vnc also bundles libvncserver. It has been rebuilt (thanks to configure options found in Fedora) against the system libvncserver.

Advisory:
========================

Updated libvncserver, remmina, and x11vnc packages fix security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to cause a denial of service or possibly code execution in applications performing LZO decompression on a compressed payload from the attacker (CVE-2014-4607).

The libvncserver library is built with a bundled copy of minilzo, which is a part of liblzo containing the vulnerable code. The remmina package is built with a bundled copy of libvncserver, which has been patched to fix this issue. The x11vnc package had been built with a bundled copy of libvncserver, but it has been rebuilt against the system libvncserver library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
========================

Updated packages in core/updates_testing:
========================
libvncserver0-0.9.9-2.1.mga3
libvncserver-devel-0.9.9-2.1.mga3
linuxvnc-0.9.9-2.1.mga3
remmina-1.0.0-3.1.mga3
remmina-devel-1.0.0-3.1.mga3
remmina-plugins-common-1.0.0-3.1.mga3
remmina-plugins-gnome-1.0.0-3.1.mga3
remmina-plugins-nx-1.0.0-3.1.mga3
remmina-plugins-rdp-1.0.0-3.1.mga3
remmina-plugins-telepathy-1.0.0-3.1.mga3
remmina-plugins-vnc-1.0.0-3.1.mga3
remmina-plugins-xdmcp-1.0.0-3.1.mga3
x11vnc-0.9.13-3.1.mga3
libvncserver0-0.9.9-3.1.mga4
libvncserver-devel-0.9.9-3.1.mga4
linuxvnc-0.9.9-3.1.mga4
remmina-1.0.0-4.3.mga4
remmina-devel-1.0.0-4.3.mga4
remmina-plugins-common-1.0.0-4.3.mga4
remmina-plugins-gnome-1.0.0-4.3.mga4
remmina-plugins-nx-1.0.0-4.3.mga4
remmina-plugins-rdp-1.0.0-4.3.mga4
remmina-plugins-telepathy-1.0.0-4.3.mga4
remmina-plugins-vnc-1.0.0-4.3.mga4
remmina-plugins-xdmcp-1.0.0-4.3.mga4
x11vnc-0.9.13-4.1.mga4

from SRPMS:
libvncserver-0.9.9-2.1.mga3.src.rpm
remmina-1.0.0-3.1.mga3.src.rpm
x11vnc-0.9.13-3.1.mga3.src.rpm
libvncserver-0.9.9-3.1.mga4.src.rpm
remmina-1.0.0-4.3.mga4.src.rpm
x11vnc-0.9.13-4.1.mga4.src.rpm

Summary: libvncserver and remmina new security issue CVE-2014-4607 => libvncserver, remmina, x11vnc new security issue CVE-2014-4607

Comment 2

In VirtualBox, M3, KDE, 32-bit

Package(s) under test: libvncserver0 remmina x11vnc

default install of libvncserver0 remmina x11vnc

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-3.mga3.i586 is already installed

All packages installed correctly and without error messages.

install libvncserver0 remmina x11vnc from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-3.1.mga3.i586 is already installed

All packages update correctly and without error messages.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 3

In VirtualBox, M3, KDE, 64-bit

Package(s) under test: libvncserver0 remmina x11vnc

default install of libvncserver0 remmina x11vnc

There does not appear to be a libvncserver0 x86_64 package in the repo

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-3.mga3.x86_64 is already installed

All packages installed correctly and without error messages.

install libvncserver0 remmina x11vnc from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-3.1.mga3.x86_64 is already installed

All packages update correctly and without error messages.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 4

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: libvncserver0 remmina x11vnc

default install of libvncserver0 remmina x11vnc

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-4.mga4.i586 is already installed

All packages installed correctly and without error messages.

install libvncserver0 remmina x11vnc from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-4.1.mga4.i586 is already installed

All packages update correctly and without error messages.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 5

In VirtualBox, M4, KDE, 64-bit

Package(s) under test: libvncserver0 remmina x11vnc

default install of libvncserver0 remmina x11vnc

There does not appear to be a libvncserver0 x86_64 package in the repo

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-4.mga4.x86_64 is already installed

All packages installed correctly and without error messages.

install libvncserver0 remmina x11vnc from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-4.1.mga4.x86_64 is already installed

All packages update correctly and without error messages.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 6

For me this update works fine.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update.
Could someone from the sysadmin team push this to updates? Thanks.

Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 7

FYI, on x86_64, the library package names always start with lib64 instead of just lib. This is always the case for any package.

Comment 8

Also, it would be nice to get a test of x11vnc functionality, since it was changed to use the system libvncserver, rather than just being patched like the others.

Comment 9

(In reply to David Walser from comment #8)
> Also, it would be nice to get a test of x11vnc functionality, since it was
> changed to use the system libvncserver, rather than just being patched like
> the others

Gimme a simple test. I've still got the Vbox clients stored.

Comment 10

Figure out what you can do with it :o). I'm guessing it's a VNC client. So you could share a desktop with a VNC server (I think krfb might be one) and then connect to it with x11vnc.

Comment 11

(In reply to David Walser from comment #7)
> FYI, on x86_64, the library package names always start with lib64 instead of
> just lib. This is always the case for any package.

[root@localhost wilcal]# urpmi lib64vncserver0
Package lib64vncserver0-0.9.9-2.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vncserver0
Package lib64vncserver0-0.9.9-3.1.mga4.x86_64 is already installed

Both went in just fine.

Comment 12

(In reply to David Walser from comment #10)
> Figure out what you can do with it :o). I'm guessing it's a VNC client. So
> you could share a desktop with a VNC server (I think krfb might be one) and
> then connect to it with x11vnc

I'll tinker with it.

Comment 13

Advisory 13944.adv added to svn.

CC: (none) => davidwhodgins

Comment 14

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0356.html

Status: NEW => RESOLVED

Comment 15

It looks like an outdated advisory got uploaded for this one, and x11vnc didn't get included or pushed. Please see Comment 1.

Status: RESOLVED => REOPENED

Comment 16

I think we'll need to issue a new advisory to sort this out - so a new bug. I'll do that now.

CC: (none) => mageia

Comment 17

I opened bug #14001 to handle this oversight.

Resolution: (none) => FIXED
David Walser
2014-08-28 15:51:36 CEST

Depends on: (none) => 14001
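The advisory quoted in Comment 1 describes CVE-2014-4607 only as "an integer overflow in liblzo before 2.07" reached through LZO decompression of attacker-supplied data, which is why a bundled minilzo inside libvncserver (and inside remmina's and x11vnc's bundled libvncserver copies) had to be patched or replaced. The example below is an added illustration of that bug class and is not code from liblzo, libvncserver, Mageia or anyone on this bug; all function names and constants are illustrative. It models how a long LZO1X literal-run length is encoded (a run of 0x00 bytes worth 255 each, then one final byte) and decodes it with a 32-bit length type, as a 32-bit build would: first the unbounded accumulation, then the room check that a wrapped length defeats, then the zero-run bound that the fixed decoders add before multiplying. The attacker input it builds is constructed in the code, not captured from a real stream. With a 64-bit length type the same wrap would need on the order of 2^64/255 input bytes, so a 32-bit build is the practical target.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not liblzo or Mageia code. It models the length-decoding
 * step of an LZO1X literal run with a 32-bit length type (what lzo_uint is
 * on a 32-bit build): first the unbounded form fixed in liblzo 2.07
 * (CVE-2014-4607), then the bounded form. Names are illustrative. */

#define LITERAL_BASE 15u                          /* constant added to long literal lengths */
#define MAX_255_COUNT ((UINT32_MAX / 255u) - 2u)  /* 16843007: zero bytes that still fit */

/* Before the fix: each 0x00 byte adds 255 with no check on the total.
 * Returns 0 and sets *len/*consumed on success, 1 on input overrun. */
int decode_run_vulnerable(const uint8_t *ip, size_t in_len,
                          uint32_t *len, size_t *consumed)
{
    const uint8_t *start = ip, *end = ip + in_len;
    uint32_t t = 0;

    while (ip < end && *ip == 0) {
        t += 255u;                 /* wraps silently after 16843009 zeros */
        ip++;
    }
    if (ip >= end)
        return 1;
    t += LITERAL_BASE + *ip++;     /* may wrap too */
    *len = t;
    *consumed = (size_t)(ip - start);
    return 0;
}

/* After the fix: count the zero bytes, refuse runs the multiplication
 * cannot represent, and only then scale. Returns 2 on a rejected run. */
int decode_run_checked(const uint8_t *ip, size_t in_len,
                       uint32_t *len, size_t *consumed)
{
    const uint8_t *start = ip, *end = ip + in_len;
    size_t zeros;

    while (ip < end && *ip == 0)
        ip++;
    if (ip >= end)
        return 1;
    zeros = (size_t)(ip - start);
    if (zeros > MAX_255_COUNT)
        return 2;                  /* would overflow the 32-bit length */
    *len = (uint32_t)zeros * 255u + LITERAL_BASE + *ip++;
    *consumed = (size_t)(ip - start);
    return 0;
}

/* The decoder's room check before copying len + 3 literal bytes, done in the
 * same 32-bit width as the length. A wrapped len + 3 defeats it. */
int literal_copy_fits(uint32_t len, uint32_t out_avail)
{
    uint32_t need = len + 3u;      /* (UINT32_MAX - 2) + 3 == 0 */
    return need <= out_avail;
}

/* Constructed attacker input: 16843008 zero bytes then 0xEE, which decodes
 * to 255*16843008 + 15 + 238 == UINT32_MAX - 2. Caller frees the buffer. */
uint8_t *make_crafted_run(size_t *out_len)
{
    size_t zeros = 16843008u;
    uint8_t *buf = calloc(zeros + 1, 1);
    if (!buf)
        return NULL;
    buf[zeros] = 0xEE;
    *out_len = zeros + 1;
    return buf;
}

/* Runs both decoders on the crafted run. Returns 1 when the vulnerable path
 * accepts it and its room check passes with only 64 bytes of output space
 * while the checked path rejects it; 0 otherwise or on allocation failure. */
int crafted_run_bypasses_check(void)
{
    size_t in_len, used;
    uint32_t len;
    uint8_t *in = make_crafted_run(&in_len);
    int result = 0;

    if (!in)
        return 0;
    if (decode_run_vulnerable(in, in_len, &len, &used) == 0 &&
        len == UINT32_MAX - 2u &&
        literal_copy_fits(len, 64) &&
        decode_run_checked(in, in_len, &len, &used) == 2)
        result = 1;
    free(in);
    return result;
}

/* Decodes a constructed benign run {0x00, 0x00, 0x05} (two zeros, then 5)
 * with both decoders; returns the length (530) when they agree, 0 otherwise. */
uint32_t decode_benign_run(void)
{
    const uint8_t benign[] = { 0x00, 0x00, 0x05 };
    uint32_t a, b;
    size_t ua, ub;

    if (decode_run_vulnerable(benign, sizeof benign, &a, &ua) != 0 ||
        decode_run_checked(benign, sizeof benign, &b, &ub) != 0)
        return 0;
    return (a == b && ua == ub && ua == sizeof benign) ? a : 0;
}

int main(void)
{
    printf("benign run decodes to length %u\n", decode_benign_run());
    printf("crafted run passes the vulnerable room check but is rejected by the fix: %s\n",
           crafted_run_bypasses_check() ? "yes" : "no");
    return 0;
}
```

The fixed decoder never forms the product until it knows the zero count is below MAX_255_COUNT, so the length it hands to the room check is always the real one. For the packaging side of this bug, the check that matters is that the rebuilt x11vnc no longer carries its own minilzo at all: `ldd` on the installed x11vnc binary should list the distribution's libvncserver.so rather than nothing, since a statically bundled copy would leave no such dependency to update.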