Bug 26419

Summary: tigervnc: Invalid Display Size
Product: Mageia Reporter: Mike Rambo <mhrambo3501>
Component: RPM PackagesAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED DUPLICATE QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, geiger.david68210, herman.viaene, luigiwalser, mageia, mhrambo3501, spam, tim
Version: 7   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: tigervnc-1.10.1-1.mga7.src.rpm CVE:
Status comment:
Bug Depends on: 25917    
Bug Blocks:    

Description Mike Rambo 2020-04-02 03:43:08 CEST 
+++ This bug was initially created as a clone of Bug #25917 +++

TigerVNC 1.10.1 has been released today (December 20), fixing security issues:
https://github.com/TigerVNC/tigervnc/releases/tag/v1.10.1

More details are here:
https://www.openwall.com/lists/oss-security/2019/12/20/2

It sounds like there will be more CVEs forthcoming.

Mageia 7 is also affected.
David Walser 2020-04-02 03:48:20 CEST

Summary: tigervnc new security issues CVE-2019-1569[1-5] => tigervnc: Invalid Display Size
Keywords: advisory, validated_update => (none)
Source RPM: tigervnc-1.9.0-4.mga8.src.rpm => tigervnc-1.10.1-1.mga7.src.rpm

Comment 1 Mike Rambo 2020-04-02 03:55:20 CEST 
I'm trying to connect to my work computer (Mageia 7 to Mageia 7) which is running (and logged in) with screen locked X session. I have tried two methods of connecting to the existing X session on that machine via ssh and our vpn.

x0vncserver -display=:0 -PasswordFile=$HOME/.vnc/passwd

and I also tried x11vnc -usepw

In both cases with the 1.10 update it asks for the connection password and then crashes with "Invalid screen size". Downgrading to 1.9.0 fixes the problem as described by a couple of other people in the 25917 bug. I know Dave Hodgins didn't have a problem with his method but PC LX ran into the same crash I and the other two commenters saw. I am connecting over vpn.
Comment 2 David Walser 2020-04-02 03:57:45 CEST 
The "Invalid display size" error appears in SOURCES/tigervnc-1.8.0-CVE-2014-8240.patch, which we took from Debian, who also still has it in 1.10.1.  Google doesn't show any references to this error besides us.
David Walser 2020-04-02 03:58:52 CEST

CC: qa-bugs, security, sysadmin-bugs, tmb => (none)

Comment 3 Mike Rambo 2020-04-02 04:24:28 CEST 
Another note, my work machine has tigervnc-1.10.1-1.mga7 and
tigervnc-server-1.10.1-1.mga7 and works ok so long as my client machine has tigervnc-1.9.0-3.mga7. So it would appear the viewer/client piece has the problem. I checked upstream bug tracking and didn't see anything related to this there either.
Comment 4 Dave Hodgins 2020-04-02 04:36:53 CEST 
From https://bugs.mageia.org/show_bug.cgi?id=26118#c6 ...

While the existing mageia verison works ok for connecting to an existing
X display, it cannot create a new one as is needed for xen.

replacing /usr/bin/vncviewer with the version downloaded from
https://bintray.com/tigervnc/stable/download_file?file_path=tigervnc-1.10.1.x86_64.tar.gz fixes the problem.
Comment 5 Dave Hodgins 2020-04-02 04:38:48 CEST 
Closing as a duplicate

*** This bug has been marked as a duplicate of bug 26118 ***

Resolution: (none) => DUPLICATE
Status: NEW => RESOLVED