| Summary: | novnc new security issue CVE-2017-18635 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | herman.viaene, mageia, nicolas.salguero, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | novnc-0.5.1-2.mga7.src.rpm | CVE: | CVE-2017-18635 |
| Status comment: | |||
Description
David Walser
2020-09-22 20:31:59 CEST
David Walser
2020-09-22 20:32:07 CEST
Whiteboard: (none) => MGA7TOO

Assigning this globally in the absence of an evident maintainer.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated package fixes a security vulnerability:

An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name. (CVE-2017-18635)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18635
https://ubuntu.com/security/notices/USN-4522-1
========================

Updated package in core/updates_testing:
========================
novnc-0.5.1-2.1.mga7

from SRPM:
novnc-0.5.1-2.1.mga7.src.rpm

Source RPM: novnc-0.5.1-3.mga8.src.rpm => novnc-0.5.1-2.mga7.src.rpm

Installed and tested without issues.
Tested with vncserver and krfb servers and Firefox, Chrome, Chromium and Konqueror browsers on GNU/Linux and WebOS browser running on a TV.
Also looked at Firefox on Android but it was unusable so didn't bother testing.
$ uname -a
Linux marte 5.7.19-desktop-1.mga7 #1 SMP Thu Aug 27 20:27:55 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q novnc
novnc-0.5.1-2.1.mga7
$ vncserver :1
New 'marte:1 (pclx)' desktop is marte:1
Starting applications specified in /home/pclx/.vnc/xstartup
Log file is /home/pclx/.vnc/marte:1.log
$ novnc_server --vnc marte:5901
Warning: could not find self.pem
Starting webserver and WebSockets proxy on port 6080
WebSocket server settings:
- Listen on :6080
- Flash security policy server
- Web server. Web root: /usr/share/novnc
- No SSL/TLS support (no cert file)
- proxying from :6080 to marte:5901
Navigate to this URL:
http://marte:6080/vnc.html?host=marte&port=6080
Press Ctrl-C to exit
marte.local - - [25/Sep/2020 21:04:38] code 404, message File not found
marte.local - - [25/Sep/2020 21:04:45] 192.168.1.64: Plain non-SSL (ws://) WebSocket connection
marte.local - - [25/Sep/2020 21:04:45] 192.168.1.64: Version hybi-13, base64: 'False'
marte.local - - [25/Sep/2020 21:04:45] 192.168.1.64: Path: '/websockify'
marte.local - - [25/Sep/2020 21:04:45] connecting to: marte:5901
^C
Terminating WebSockets proxy (21554)

CC: (none) => mageia

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 15481 for testing.
$ krfb &
[1] 444
[tester7@mach5 ~]$ found plugin at "/usr/lib64/qt5/plugins/krfb/krfb_framebuffer_xcb.so"
Loaded plugin with name "xcb"
found plugin at "/usr/lib64/qt5/plugins/krfb/krfb_framebuffer_qt.so"
Loaded plugin with name "qt"
Using FrameBuffer: "xcb"
xcb framebuffer: Primary screen: "eDP1" , geometry: QRect(0,0 1920x1080) , depth: 24
Starting server. Listen port: 5900 Listen Address: "0.0.0.0" Password enabled: true
Could not open KWallet, Falling back to config file
In this window define password for unattended access, then further
$ cd /usr/share/novnc
$ novnc_server --cert /etc/pki/tls/certs/httpd.pem
Starting webserver and WebSockets proxy on port 6080
Navigate to this URL:
http://mach5.hviaene.thuis:6080/vnc.html?host=mach5.hviaene.thuis&port=6080
Press Ctrl-C to exit
WebSocket server settings:
- Listen on :6080
- Flash security policy server
- Web server. Web root: /usr/share/novnc
- SSL/TLS support
and some warnings,
Then pointed browser to URL above (thus to itself), brings "novnc" page with dialogue to connect to the laptop, entering password defined above, results in the page showing itself, showing itself etc .....
But seems to work OK.

Whiteboard: (none) => MGA7-64-OK
Aurelien Oudelet
2020-09-27 19:46:22 CEST
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0374.html

Resolution: (none) => FIXED
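
The suggested advisory above describes a server-supplied string, such as the VNC server name, reaching the status field as HTML. As an added example (not noVNC's code and not part of this bug report), the sketch below parses the desktop name from an RFB ServerInit message and contrasts concatenating it into status markup with escaping it first; the function names and the status markup are hypothetical, and the sample message is constructed.

```javascript
// Added example; all sample data here is constructed, not captured traffic.
// RFB ServerInit (RFC 6143, 7.3.2): u16 width, u16 height,
// 16-byte pixel format, u32 name length, then the desktop name bytes.
function parseServerInit(bytes) {
  if (bytes.byteLength < 24) throw new Error("ServerInit too short");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const nameLength = view.getUint32(20); // network byte order
  if (24 + nameLength > bytes.byteLength) throw new Error("name length exceeds message");
  const name = new TextDecoder("utf-8").decode(bytes.subarray(24, 24 + nameLength));
  return { width: view.getUint16(0), height: view.getUint16(2), name };
}

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: the server-controlled name is concatenated into markup,
// so any tags it contains become part of the page.
function statusMarkupUnsafe(name) {
  return '<div id="status">Connected to: ' + name + "</div>";
}

// Hardened pattern: the name is treated as text. In a browser, assigning to
// element.textContent instead of innerHTML has the same effect.
function statusMarkupSafe(name) {
  return '<div id="status">Connected to: ' + escapeHtml(name) + "</div>";
}

// Helper that builds a constructed ServerInit message (pixel format left zeroed).
function buildServerInit(width, height, name) {
  const nameBytes = new TextEncoder().encode(name);
  const msg = new Uint8Array(24 + nameBytes.length);
  const view = new DataView(msg.buffer);
  view.setUint16(0, width);
  view.setUint16(2, height);
  view.setUint32(20, nameBytes.length);
  msg.set(nameBytes, 24);
  return msg;
}

const sample = parseServerInit(buildServerInit(1920, 1080, 'marte:1 <b title="x">injected</b>'));
console.log(statusMarkupUnsafe(sample.name)); // tags from the server survive
console.log(statusMarkupSafe(sample.name));   // tags are rendered inert
```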