| Summary: | tigervnc 1.11.0 fixes security issue with TLS connections (CVE-2020-26117) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, geiger.david68210, herman.viaene, mageia, mageia, nicolas.salguero, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | tigervnc-1.10.1-1.1.mga7.src.rpm | CVE: | CVE-2020-26117 |
| Status comment: | |||
| Bug Depends on: | 27289 | ||
| Bug Blocks: | |||
|
Description
David Walser
2020-09-11 04:56:32 CEST
tigervnc has neither a registered nor a consistent maintainer, so having to assign this globally.

Assignee: bugsquad => pkg-bugs

The build fails with an error I do not know how to solve:
"""
[100%] Generating VncViewer.jar
/usr/bin/jar cfm VncViewer.jar /home/iurt/rpmbuild/BUILD/tigervnc-1.11.0/java/com/tigervnc/vncviewer/MANIFEST.MF com/tigervnc/vncviewer/timestamp com/tigervnc/vncviewer/*.class com/tigervnc/rfb/*.class com/tigervnc/rdr/*.class com/tigervnc/network/*.class com/jcraft/jzlib/*.class com/jcraft/jsch/jcraft/*.class com/jcraft/jsch/jce/*.class com/jcraft/jsch/*.class com/tigervnc/vncviewer/*.png com/tigervnc/vncviewer/tigervnc.ico
/usr/bin/cmake -DJava_PATH=/usr/bin/ -DJAR_FILE=/home/iurt/rpmbuild/BUILD/tigervnc-1.11.0/java/build/VncViewer.jar -DJAVA_KEYSTORE=NOTFOUND -DJAVA_KEYSTORE_TYPE=jks -DJAVA_STOREPASS=NOTFOUND -DJAVA_KEYPASS=NOTFOUND -DJAVA_KEY_ALIAS=NOTFOUND -DJAVA_TSA_URL=NOTFOUND -P /home/iurt/rpmbuild/BUILD/tigervnc-1.11.0/java/cmake/SignJar.cmake
-- Generating self-signed certificate
-- Signing /home/iurt/rpmbuild/BUILD/tigervnc-1.11.0/java/build/VncViewer.jar
CMake Error at /home/iurt/rpmbuild/BUILD/tigervnc-1.11.0/java/cmake/SignJar.cmake:66 (message):
/usr/bin//jarsigner failed:
Exception in thread "main" java.lang.ExceptionInInitializerError
Caused by: java.lang.IllegalArgumentException: Error in security property. Constraint unknown: c2tnb191v1
at java.base/sun.security.util.DisabledAlgorithmConstraints$Constraints.<init>(DisabledAlgorithmConstraints.java:376)
at java.base/sun.security.util.DisabledAlgorithmConstraints.<init>(DisabledAlgorithmConstraints.java:125)
at java.base/sun.security.util.DisabledAlgorithmConstraints.<init>(DisabledAlgorithmConstraints.java:92)
at jdk.jartool/sun.security.tools.jarsigner.Main.<clinit>(Main.java:98)
gmake[2]: *** [CMakeFiles/java.dir/build.make:149: VncViewer.jar] Error 1
gmake[2]: *** Deleting file 'VncViewer.jar'
gmake[2]: Leaving directory '/home/iurt/rpmbuild/BUILD/tigervnc-1.11.0/java/build'
gmake[1]: *** [CMakeFiles/Makefile2:98: CMakeFiles/java.dir/all] Error 2
gmake[1]: Leaving directory '/home/iurt/rpmbuild/BUILD/tigervnc-1.11.0/java/build'
gmake: *** [Makefile:106: all] Error 2
error: Bad exit status from /home/iurt/rpmbuild/tmp/rpm-tmp.61FoV8 (%build)
"""

See for instance:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20200917141759.ns80.duvel.45080/log/tigervnc-1.11.0-1.mga8/build.0.20200917143932.log

CC:
(none) =>
nicolas.salguero
David Walser
2020-09-17 16:53:44 CEST
CC:
(none) =>
geiger.david68210, mageia

Don't know if this helps, but c2tnb191v1 is listed as a type of ECC Curve at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Config_Options

CC:
(none) =>
davidwhodgins

Hi,

Ok, I found the problem: in Java 11 security properties, a new property was added, named "jdk.disabled.namedCurves". The problem is: that property has some values in its list that contain a space in their name, and the first of those problematic values is "X9.62 c2tnb191v1". With this space, the value is viewed as disabled algorithm: X9.62 with a constraint named c2tnb191v1, whereas the value should be viewed as disabled algorithm: X9.62 c2tnb191v1.

Sadly, all I tried to escape the space did not work.

Best regards,

Nico.

Can the Java stuff in tigervnc be disabled?
Nicolas Salguero
2020-09-18 16:33:08 CEST
Depends on:
(none) =>
27289

Fedora has issued an advisory for this on September 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XJC7PGEFEUUZTWSX7CGQG5YLB3NCQ6BO/

Debian-LTS has issued an advisory for this on October 6:
https://www.debian.org/lts/security/2020/dla-2396

Severity:
normal =>
major

openSUSE has issued an advisory for this today (October 13):
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00025.html

Whiteboard:
(none) =>
MGA7TOO

Suggested advisory:
========================

The updated packages fix a security vulnerability:

In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception. (CVE-2020-26117)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26117
https://github.com/TigerVNC/tigervnc/releases/tag/v1.11.0
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XJC7PGEFEUUZTWSX7CGQG5YLB3NCQ6BO/
https://www.debian.org/lts/security/2020/dla-2396
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00025.html
========================

Updated packages in core/updates_testing:
========================
tigervnc-1.10.1-1.2.mga7
tigervnc-server-1.10.1-1.2.mga7
tigervnc-server-module-1.10.1-1.2.mga7
tigervnc-java-1.10.1-1.2.mga7

from SRPM:
tigervnc-1.10.1-1.2.mga7.src.rpm

Status:
NEW =>
ASSIGNED

MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 25917 for tests

# systemctl -l status vncserver
● vncserver.service - LSB: Start TigerVNC server at boot time
Loaded: loaded (/etc/rc.d/init.d/vncserver; generated)
Active: inactive (dead)
Docs: man:systemd-sysv-generator(8)

# systemctl start vncserver
# systemctl -l status vncserver
● vncserver.service - LSB: Start TigerVNC server at boot time
Loaded: loaded (/etc/rc.d/init.d/vncserver; generated)
Active: active (exited) since Fri 2020-10-16 16:29:57 CEST; 4s ago
Docs: man:systemd-sysv-generator(8)
Process: 15435 ExecStart=/etc/rc.d/init.d/vncserver start (code=exited, status=0/SUCCESS)

Oct 16 16:29:57 mach5.hviaene.thuis systemd[1]: Starting LSB: Start TigerVNC server at boot time...
Oct 16 16:29:57 mach5.hviaene.thuis vncserver[15435]: Starting vncserver: [ OK ]
Oct 16 16:29:57 mach5.hviaene.thuis systemd[1]: Started LSB: Start TigerVNC server at boot time.

# vncpasswd
Password:
Verify:
Would you like to enter a view-only password (y/n)? n

But then as usual, first open up port 5900:5902/tcp in firewall, but trying to connect, runs into
CConn: unable connect to socket: Connection refused (111)
I've never got this working.

CC:
(none) =>
herman.viaene

Installed and tested without issues.

Tested remote and local server to local client connections. No issues.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.

$ uname -a
Linux marte 5.7.19-desktop-1.mga7 #1 SMP Thu Aug 27 20:27:55 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep tigervnc | sort
tigervnc-1.10.1-1.2.mga7
tigervnc-server-1.10.1-1.2.mga7
tigervnc-server-module-1.10.1-1.2.mga7

###########################

$ vncserver -fg
New 'marte:1 (pclx)' desktop is marte:1
Starting applications specified in /home/pclx/.vnc/xstartup
Log file is /home/pclx/.vnc/marte:1.log
Killing Xvnc process ID 16621

###########################

$ vncviewer localhost:1
TigerVNC Viewer 64-bit v1.10.1
Built on: 2020-10-15 09:41
Copyright (C) 1999-2019 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.

Sun Oct 18 00:49:04 2020
DecodeManager: Detected 4 CPU core(s)
DecodeManager: Creating 4 decoder thread(s)
CConn: Connected to host localhost port 5901
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
CConnection: Choosing security type VeNCrypt(19)
CVeNCrypt: Choosing security type TLSVnc (258)

Sun Oct 18 00:49:10 2020
DesktopWindow: Adjusting window size to avoid accidental full screen request
CConn: Using pixel format depth 24 (32bpp) little-endian rgb888
CConnection: Enabling continuous updates

Sun Oct 18 00:50:17 2020
CConn: End of stream

CC:
(none) =>
mageia
David Walser
2020-10-18 02:05:45 CEST
Whiteboard:
(none) =>
MGA7-64-OK
Aurelien Oudelet
2020-10-18 14:04:17 CEST
CC:
(none) =>
sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0388.html

Resolution:
(none) =>
FIXED |
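
The flaw quoted in the suggested advisory above (certificate exceptions stored as authorities), shown as an added example that is not part of this bug report or of TigerVNC's code. It is a simplified model with no real cryptography: keys are plain strings, and the class names, host names and the pinned-exception variant are assumptions chosen for contrast.

```python
# Simplified model, no real cryptography: keys are plain strings (constructed data).
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str     # host name the certificate claims
    key: str         # the certificate's own key
    signed_by: str   # key that signed it (equal to `key` when self-signed)


class AuthorityStoreViewer:
    """Models the flaw in the advisory: an exception is saved as an authority."""
    def __init__(self):
        self.authorities = set()

    def add_exception(self, host, cert):
        self.authorities.add(cert.key)   # the host the user approved is forgotten

    def accepts(self, host, cert):
        return cert.subject == host and cert.signed_by in self.authorities


class PinnedExceptionViewer:
    """Hypothetical contrast: exception bound to one host and one certificate."""
    def __init__(self):
        self.pins = {}

    def add_exception(self, host, cert):
        self.pins[host] = cert

    def accepts(self, host, cert):
        return self.pins.get(host) == cert


def compare():
    lab = Cert("lab.example", key="K-lab", signed_by="K-lab")      # self-signed
    other = Cert("prod.example", key="K-x", signed_by="K-lab")     # issued by K-lab's owner
    rotated = Cert("lab.example", key="K-new", signed_by="K-new")  # unknown new cert
    results = {}
    for viewer in (AuthorityStoreViewer(), PinnedExceptionViewer()):
        viewer.add_exception("lab.example", lab)   # user accepts one exception
        results[type(viewer).__name__] = {
            "lab": viewer.accepts("lab.example", lab),
            "other_host": viewer.accepts("prod.example", other),
            "rotated": viewer.accepts("lab.example", rotated),
        }
    return results


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name, outcome)
```

Only the `other_host` result differs between the two viewers: the authority-style store validates a certificate for a host the user never approved, which is the impersonation the advisory describes.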