Bug 17190

Summary: tigervnc new security issues CVE-2014-8240 and CVE-2014-8241
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: herman.viaene, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/665256/
Whiteboard: has_procedure advisory MGA5-32-OK
Source RPM: tigervnc-1.3.1-6.mga5.src.rpm

Description David Walser 2015-11-20 19:03:38 CET
RedHat has issued an advisory on November 19:
https://rhn.redhat.com/errata/RHSA-2015-2233.html

All the changes they made should be of interest:
https://git.centos.org/commit/rpms!tigervnc.git/refs!heads!c7

For Cauldron, we'll also need the xserver 1.18 patch from Fedora:
https://git.centos.org/commit/rpms!tigervnc.git/refs!heads!c7

Mageia 5 is also affected.

Comment 1 David Walser 2015-11-20 20:22:19 CET
(In reply to David Walser from comment #0)
> For Cauldron, we'll also need the xserver 1.18 patch from Fedora:
> https://git.centos.org/commit/rpms!tigervnc.git/refs!heads!c7

Should have been:
http://pkgs.fedoraproject.org/cgit/tigervnc.git/log/?h=f23

But that's already been done.
Comment 2 David Walser 2015-11-20 21:11:09 CET
Patched packages uploaded for Mageia 5 and Cauldron.

Looking at the patches, 8240 is about the server sending invalid screen sizes and 8241 is about the server doing something that would cause Xmalloc calls to fail (and the code was missing checks for Xmalloc failing) resulting in the NULL dereference.

Advisory:
========================

Updated tigervnc packages fix security vulnerabilities:

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way TigerVNC handled screen sizes. A malicious VNC server
could use this flaw to cause a client to crash or, potentially, execute
arbitrary code on the client (CVE-2014-8240).

A NULL pointer dereference flaw was found in TigerVNC's XRegion.
A malicious VNC server could use this flaw to cause a client to crash
(CVE-2014-8241).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8241
https://rhn.redhat.com/errata/RHSA-2015-2233.html
========================

Updated packages in core/updates_testing:
========================
tigervnc-1.3.1-6.1.mga5
tigervnc-server-1.3.1-6.1.mga5
tigervnc-server-module-1.3.1-6.1.mga5
tigervnc-java-1.3.1-6.1.mga5

from tigervnc-1.3.1-6.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
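
The two bug classes named in comment 2 and the advisory (a size computation that overflows on server-supplied screen dimensions, and an allocation whose failure is not checked), shown as an added C example. This is not TigerVNC's code or the actual patches; the function names, the MAX_DIM cap and the sample dimensions are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical upper bound on a sane screen dimension (assumption, not from TigerVNC). */
#define MAX_DIM 16384u

/* Unsafe pattern: the byte count is computed in 32 bits and silently wraps,
 * so a huge advertised screen can yield a small allocation size. */
uint32_t fb_size_unchecked(uint16_t w, uint16_t h, uint8_t bytes_pp)
{
    return (uint32_t)w * (uint32_t)h * (uint32_t)bytes_pp;
}

/* Hardened pattern: reject implausible dimensions, then check for overflow
 * before multiplying. Returns 0 and stores the size in *out, or -1 on rejection. */
int fb_size_checked(uint16_t w, uint16_t h, uint8_t bytes_pp, size_t *out)
{
    if (w == 0 || h == 0 || bytes_pp == 0)
        return -1;
    if (w > MAX_DIM || h > MAX_DIM)
        return -1;
    size_t pixels = (size_t)w * (size_t)h;   /* at most 2^28 after the cap */
    if (pixels > SIZE_MAX / bytes_pp)
        return -1;
    *out = pixels * bytes_pp;
    return 0;
}

/* Allocation with the missing check restored: returns NULL on a rejected
 * size or on allocation failure, so the caller never dereferences NULL. */
uint8_t *fb_alloc(uint16_t w, uint16_t h, uint8_t bytes_pp, size_t *size_out)
{
    size_t size;
    if (fb_size_checked(w, h, bytes_pp, &size) != 0)
        return NULL;
    uint8_t *buf = calloc(1, size);
    if (buf == NULL)
        return NULL;
    *size_out = size;
    return buf;
}
```

With the constructed dimensions 32769 x 32768 at 4 bytes per pixel, the unchecked product wraps to 131072 bytes while the real requirement is about 4 GiB; the checked path rejects the size before any buffer is allocated.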

Comment 3 Herman Viaene 2015-11-21 11:54:16 CET
MGA5-32 on Acer D620 Xfce
No installation issues.
Followed test instructions as per bug 13082 Comment 9
I could start vncserver and vncviewer on a separate workspace. IceWM runs and I could start Kpatience in it.

CC: (none) => herman.viaene
Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 4 claire robinson 2015-11-26 17:58:44 CET
Validating. Advisory uploaded.

Please push to 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-11-26 21:48:34 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0459.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED