| Summary: | libvncserver new security issues CVE-2016-9941 and CVE-2016-9942 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, marja11, mhrambo3501, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/710627/ | ||
| Whiteboard: | has_procedure MGA5-32-OK advisory MGA5-64-OK | ||
| Source RPM: | libvncserver-0.9.10-5.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2017-01-05 01:45:03 CET
David Walser
2017-01-05 01:45:19 CET
Whiteboard:
(none) =>
MGA5TOO Assigning to all packagers collectively, since there is no registered maintainer for this package. CC:
(none) =>
marja11 Patched package uploaded for Cauldron. Possible testing procedures: https://bugs.mageia.org/show_bug.cgi?id=13944#c2 https://bugs.mageia.org/show_bug.cgi?id=14155#c7 Patched package uploaded for Mageia 5. Advisory: ======================== Updated libvncserver package fixes security vulnerabilities: It was discovered that there were two vulnerabilities in libvncserver, a library to create/embed a VNC server: A heap-based buffer overflow that allows remote servers to cause a denial of service via a crafted FramebufferUpdate message containing a subrectangle outside of the drawing area (CVE-2016-9941). A heap-based buffer overflow that allow remote servers to cause a denial of service via a crafted FramebufferUpdate message with the "Ultra" type tile such that the LZO decompressed payload exceeds the size of the tile dimensions (CVE-2016-9942). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9941 https://security-tracker.debian.org/tracker/CVE-2016-9941 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9942 https://security-tracker.debian.org/tracker/CVE-2016-9942 ======================== Updated packages in core/updates_testing: ======================== lib64vncserver0-0.9.10-1.2.mga5 lib64vncserver-devel-0.9.10-1.2.mga5 libvncserver-debuginfo-0.9.10-1.2.mga5 from libvncserver-0.9.10-1.2.mga5.src.rpm CC:
(none) =>
mrambo You can use the DSA URL in the reference rather than the trackers: https://www.debian.org/security/2017/dsa-3753 MGA5-32 on AcerD620 Xfce
No installation issues
Downloaded and run krfb at CLI
strace -o libvnc.txt krfb
and get call to libvncserver
open("/lib/libvncserver.so.0", O_RDONLY|O_CLOEXEC) = 3CC:
(none) =>
herman.viaene
Lewis Smith
2017-01-15 13:27:57 CET
CC:
(none) =>
lewyssmith Testing M5_64
# urpmq --whatrequires lib64vncserver0
krdc [VNC client]
krfb [VNC server]
...libs
remmina-plugins-vnc
remmina-plugins-vnc
x11vnc
Following Herman, I installed 'krdc' [unnecessarily at the feeble level of this test] & 'krfb'. I did not find previous bug references to 'remina' helpful.
Unconvincing result was the same before (lib64vncserver0-0.9.10-1.1) and after (lib64vncserver0-0.9.10-1.2) the update. Both commands popped up the GUI.
$ strace krfb 2>&1 | grep libvncserver
open("/lib64/libvncserver.so.0", O_RDONLY|O_CLOEXEC) = 3
$ strace krdc 2>&1 | grep libvncserver
$
which shows merely that krfb opens the library. krdc might if a connection is opened, which I could not try. Unless one can do this on a single machine?
OKing anyway. And validating.Keywords:
(none) =>
validated_update An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0027.html Status:
NEW =>
RESOLVED |