Bug 26881

Summary:	libvncserver new security issues CVE-2019-20839, CVE-2020-1439[79], CVE-2020-1440[0-5]
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	critical
Priority:	Normal	CC:	andrewsfarm, geiger.david68210, mageia, mageia, sysadmin-bugs
Version:	7	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA7-64-OK
Source RPM:	libvncserver-0.9.12-2.3.mga7.src.rpm	CVE:
Status comment:

Description David Walser 2020-07-01 21:06:46 CEST

Debian-LTS has issued an advisory on June 30:
https://www.debian.org/lts/security/2020/dla-2264

The issues are fixed upstream in 0.9.13.

Comment 1 Lewis Smith 2020-07-01 21:48:30 CEST

This has no registered maintainer, but DavidG has been doing it, so assigning to you.

Assignee: bugsquad => geiger.david68210

Comment 2 Lewis Smith 2020-07-01 21:57:05 CEST

See also bug_26882, vino: https://bugs.mageia.org/show_bug.cgi?id=26882#c0
Should this one block that one?

Comment 3 David Walser 2020-07-01 23:25:57 CEST

No, vino doesn't depend on this because it bundles it.  That's the problem.

Comment 4 David GEIGER 2020-07-02 08:12:14 CEST

Done for mga7!

Comment 5 David Walser 2020-07-02 15:22:05 CEST

Advisory:
========================

Updated libvncserver packages fix security vulnerabilities:

libvncclient/sockets.c in LibVNCServer had a buffer overflow via a long socket
filename (CVE-2019-20839).

libvncserver/rfbregion.c had a NULL pointer dereference (CVE-2020-14397).

Byte-aligned data was accessed through uint32_t pointers in
libvncclient/rfbproto.c (CVE-2020-14399).

Byte-aligned data was accessed through uint16_t pointers in
libvncserver/translate.c (CVE-2020-14400).

libvncserver/scale.c had a pixel_value integer overflow (CVE-2020-14401).

libvncserver/corre.c allowed out-of-bounds access via encodings
(CVE-2020-14402).

libvncserver/hextile.c allowed out-of-bounds access via encodings
(CVE-2020-14403).

libvncserver/rre.c allowed out-of-bounds access via encodings
(CVE-2020-14404).

libvncclient/rfbproto.c does not limit TextChat size (CVE-2020-14405).

The libvncserver package has been updated to version 0.9.13, fixing these
issues and several others.  See the release announcement for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14405
https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.13
https://www.debian.org/lts/security/2020/dla-2264
========================

Updated packages in core/updates_testing:
========================
libvncserver1-0.9.13-1.mga7
libvncserver-devel-0.9.13-1.mga7

from libvncserver-0.9.13-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 6 PC LX 2020-07-02 20:10:48 CEST

Installed and tested without issues.

Tested on server side: x11vnc, krfb and linuxvnc.
Tested on client side: vncviewer and krdc.
No issues noticed.


System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.


$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q lib64vncserver1
lib64vncserver1-0.9.13-1.mga7
$ urpmq --whatrequires lib64vncserver1 | sort -u
krdc
krfb
lib64vncserver1
lib64vncserver-devel
linuxvnc
remmina-plugins-vnc
x11vnc
$ rpm -q krdc krfb x11vnc linuxvnc tigervnc
krdc-19.04.0-1.mga7
krfb-19.04.0-1.mga7
x11vnc-0.9.16-1.mga7
linuxvnc-0.9.10-4.mga7
tigervnc-1.10.1-1.1.mga7

Whiteboard: (none) => MGA7-64-OK
CC: (none) => mageia

Comment 7 David Walser 2020-07-02 23:15:00 CEST

This update also fixes CVE-2019-15680, though upstream says it's a non-issue:
https://ubuntu.com/security/notices/USN-4407-1

Comment 8 Thomas Andrews 2020-07-02 23:39:13 CEST

Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-07-05 21:03:24 CEST

Keywords: (none) => advisory
CC: (none) => mageia

Comment 9 Mageia Robot 2020-07-05 21:49:34 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0280.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 10 David Walser 2020-07-17 00:08:19 CEST

Apparently the fix for CVE-2019-20839 also fixes CVE-2018-21247:
https://lists.suse.com/pipermail/sle-security-updates/2020-July/007136.html

And (see above), this update also fixed CVE-2019-20840 and CVE-2020-14398.

Comment 11 David Walser 2020-07-17 00:17:29 CEST

Another reference for CVE-2018-21247 and CVE-2019-20839:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NVP7TJVYJDXDFRHVQ3ENEN3H354QPXEZ/

Comment 12 David Walser 2020-07-17 00:24:05 CEST

Another reference for CVE-2019-20840:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4F6FUH4EFK4NAP6GT4TQRTBKWIRCZLIY/

Comment 13 David Walser 2020-07-29 23:03:37 CEST

This update also fixed CVE-2020-14396:
https://ubuntu.com/security/notices/USN-4434-1

Comment 14 David Walser 2020-11-19 14:53:21 CET

This update also fixed CVE-2020-25708:
https://ubuntu.com/security/notices/USN-4636-1