| Summary: | vino new security issues CVE-2020-14397 and CVE-2020-1440[0234] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, nicolas.salguero, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | vino-3.22.0-3.1.mga7.src.rpm | CVE: | CVE-2020-14397, CVE-2020-14400, CVE-2020-14402, CVE-2020-14403, CVE-2020-14404 |
| Status comment: | | | |

Description
David Walser
2020-07-01 21:09:00 CEST
David Walser
2020-07-01 21:09:06 CEST
Whiteboard:
(none) =>
MGA7TOO

Another bug for a parentless SRPM, so assigning it globally.

> vino is affected due to bundled libvncserver code

See also bug 26881, libvncserver. Should this one depend on that?

Assignee:
bugsquad =>
pkg-bugs

Bundled, so no.

There is no "scale.c" in the embedded libvncserver so CVE-2020-14401 does not seem to affect vino.

CC:
(none) =>
nicolas.salguero

Suggested advisory:
========================

The updated package fixes security vulnerabilities:

An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rfbregion.c has a NULL pointer dereference. (CVE-2020-14397)

An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c. (CVE-2020-14400)

An issue was discovered in LibVNCServer before 0.9.13. libvncserver/corre.c allows out-of-bounds access via encodings. (CVE-2020-14402)

An issue was discovered in LibVNCServer before 0.9.13. libvncserver/hextile.c allows out-of-bounds access via encodings. (CVE-2020-14403)

An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rre.c allows out-of-bounds access via encodings. (CVE-2020-14404)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14397
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14400
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14402
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14403
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14404
https://www.debian.org/lts/security/2020/dla-2264
========================

Updated package in core/updates_testing:
========================
vino-3.22.0-3.2.mga7

from SRPM:
vino-3.22.0-3.2.mga7.src.rpm

CVE:
(none) =>
CVE-2020-14397, CVE-2020-14400, CVE-2020-14402, CVE-2020-14403, CVE-2020-14404

MGA7-64 Plasma on Lenovo B50

No installation issues

Ref bug 25786 for info. As this laptop has also MATE installed, used dconf to set a password for vnc (same as my user's password). Then launched vino by

```
# /usr/libexec/vino-server
```

and used vinagre to connect vnc protocol to localhost. This brings in a black screen (there is no gnome desktop on this laptop), but the disconnect button and menu are enabled, thus presuming something happened.

In the CLI of the server I see:

```
07/07/2020 15:51:33 Autoprobing TCP port in (all) network interface
07/07/2020 15:51:33 Listening IPv6://[::]:5900
07/07/2020 15:51:33 Listening IPv4://0.0.0.0:5900
07/07/2020 15:51:33 Autoprobing selected port 5900
07/07/2020 15:51:33 Advertising security type: 'TLS' (18)
07/07/2020 15:51:33 Re-binding socket to listen for VNC connections on TCP port 5900 in (all) interface
07/07/2020 15:51:33 Listening IPv6://[::]:5900
07/07/2020 15:51:33 Listening IPv4://0.0.0.0:5900
07/07/2020 15:51:33 Clearing securityTypes
07/07/2020 15:51:33 Advertising security type: 'TLS' (18)
07/07/2020 15:51:33 Clearing securityTypes
07/07/2020 15:51:33 Advertising security type: 'TLS' (18)
07/07/2020 15:51:33 Advertising authentication type: 'No Authentication' (1)
07/07/2020 15:51:33 Re-binding socket to listen for VNC connections on TCP port 5900 in (all) interface
07/07/2020 15:51:33 Listening IPv6://[::]:5900
07/07/2020 15:51:33 Listening IPv4://0.0.0.0:5900
07/07/2020 15:54:58 [IPv6] Got connection from client localhost
07/07/2020 15:54:58 other clients:
07/07/2020 15:54:58 Client Protocol Version 3.7
07/07/2020 15:54:58 Advertising security type 18
07/07/2020 15:54:58 Client returned security type 18
07/07/2020 15:54:58 Advertising authentication type 1
07/07/2020 15:54:58 Client returned authentication type 1
```

So, the server seems to be happy, and so am I.

And also:

```
$ netstat -nl | grep 5900
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN
tcp6 0 0 :::5900 :::* LISTEN
```

So I'll OK it, unless someone else has a better idea.

CC:
(none) =>
herman.viaene
Herman Viaene
2020-07-07 16:15:18 CEST
Whiteboard:
(none) =>
MGA7-64-OK

I'm happy if you're happy, Herman. Validating. Advisory in Comment 4.

CC:
(none) =>
andrewsfarm, sysadmin-bugs
Nicolas Lécureuil
2020-07-09 17:40:59 CEST
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0288.html

Status:
ASSIGNED =>
RESOLVED