Bug 26587

Summary: libvncserver new security issue CVE-2019-20788
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, mageia, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: libvncserver-0.9.12-2.2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-05-04 20:20:37 CEST 
SUSE has issued an advisory today (May 4):
http://lists.suse.com/pipermail/sle-security-updates/2020-May/006771.html

It's not clear if we fixed this in Bug 25918.  If not, Mageia 7 is also affected.
Comment 1 David GEIGER 2020-05-05 07:08:13 CEST 
Don't know why but security CVE-2019-20788 is same as CVE-2019-15690 already fixed:

libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690.
Comment 2 David Walser 2020-05-05 16:13:51 CEST 
Looking at the SUSE bug, we are missing this commit:
https://github.com/LibVNC/libvncserver/commit/8937203441ee241c4ace85da687b7d6633a12365
Comment 3 David GEIGER 2020-05-05 17:19:11 CEST 
Done for Cauldron and mga7!
Comment 4 David Walser 2020-05-05 19:03:20 CEST 
Advisory:
========================

Updated libvncserver packages fix security vulnerability:

libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape
integer overflow and heap-based buffer overflow via a large height or width
value (CVE-2019-20788).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20788
http://lists.suse.com/pipermail/sle-security-updates/2020-May/006771.html
========================

Updated packages in core/updates_testing:
========================
libvncserver1-0.9.12-2.3.mga7
libvncserver-devel-0.9.12-2.3.mga7

from libvncserver-0.9.12-2.3.mga7.src.rpm

Version: Cauldron => 7
Assignee: geiger.david68210 => qa-bugs
Source RPM: libvncserver-0.9.12-5.mga8.src.rpm => libvncserver-0.9.12-2.2.mga7.src.rpm
CC: (none) => geiger.david68210

Comment 5 PC LX 2020-05-06 12:49:41 CEST 
Installed and tested without issues.

Tested using x11vnc, krfb and linuxvnc along with krdc client. No issues noticed.


System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.


$ uname -a
Linux marte 5.6.8-desktop-1.mga7 #1 SMP Thu Apr 30 06:12:53 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q lib64vncserver1
lib64vncserver1-0.9.12-2.3.mga7
$ rpm -q krdc krfb x11vnc linuxvnc
krdc-19.04.0-1.mga7
krfb-19.04.0-1.mga7
x11vnc-0.9.16-1.mga7
linuxvnc-0.9.10-4.mga7
$ urpmq --whatrequires lib64vncserver1 | sort -u
krdc
krfb
lib64vncserver1
lib64vncserver-devel
linuxvnc
remmina-plugins-vnc
x11vnc

CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-05-06 13:55:46 CEST 
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-05-08 12:05:41 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-05-08 12:59:19 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0207.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED