Bug 31386

Summary: tigervnc needs to be rebuilt for recent x11-server security update
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: tigervnc-1.11.0-4.mga8.src.rpm CVE:
Status comment:
Bug Depends on: 31281    
Bug Blocks:    

Description David Walser 2023-01-10 14:16:35 CET 
The tigervnc package builds a local copy of x11-server source code.  Due to at least Bug 31281 (if not also Bug 31070 and Bug 30628), it needs to be rebuilt.

For Mageia 8 it will need to be rebuilt as well after Bug 31281 is addressed.

RedHat has issued an advisory for this on January 9:
https://access.redhat.com/errata/RHSA-2023:0045

No changes were made to the package other than rebuilding it.
David Walser 2023-01-10 14:17:04 CET

Status comment: (none) => Package needs to be rebuilt
Depends on: (none) => 31281
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Salguero 2023-01-10 15:59:18 CET 
Suggested advisory:
========================

The updated packages needed to be rebuilt for recent x11-server security update.

References:
https://bugs.mageia.org/show_bug.cgi?id=31070
https://bugs.mageia.org/show_bug.cgi?id=30628
https://bugs.mageia.org/show_bug.cgi?id=31281
https://access.redhat.com/errata/RHSA-2023:0045
========================

Updated packages in core/updates_testing:
========================
tigervnc-1.11.0-4.1.mga8
tigervnc-java-1.11.0-4.1.mga8
tigervnc-server-1.11.0-4.1.mga8
tigervnc-server-module-1.11.0-4.1.mga8

from SRPM:
tigervnc-1.11.0-4.1.mga8.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Package needs to be rebuilt => (none)
CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs

Nicolas Salguero 2023-01-10 16:07:01 CET

Source RPM: tigervnc-1.12.0-1.mga9.src.rpm => tigervnc-1.11.0-4.mga8.src.rpm

Comment 2 Herman Viaene 2023-01-16 16:36:17 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 27270 for testing
# systemctl start vncserver
# systemctl -l status vncserver
● vncserver.service - LSB: Start TigerVNC server at boot time
     Loaded: loaded (/etc/rc.d/init.d/vncserver; generated)
     Active: active (exited) since Mon 2023-01-16 16:08:14 CET; 3s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 25370 ExecStart=/etc/rc.d/init.d/vncserver start (code=exited, status=0/SUCCESS)
        CPU: 74ms

Jan 16 16:08:14 mach7.hviaene.thuis systemd[1]: Starting LSB: Start TigerVNC server at boot time...
Jan 16 16:08:14 mach7.hviaene.thuis vncserver[25370]: Starting vncserver: [  OK  ]
Jan 16 16:08:14 mach7.hviaene.thuis systemd[1]: Started LSB: Start TigerVNC server at boot time.
[root@mach7 ~]# vncpasswd
Password:
Verify:
Would you like to enter a view-only password (y/n)? n

Opening ports 5900:5902/tcp and 5800:5802/tcp in the firewall

But then, trying in vain - as in the past - to connect to it from my desktop PC using remmina: Connection refused

Ref bug 27270 Comment Comment 11:
vncserver -fg
vncserver has been replaced by a systemd unit.
Please read /usr/share/doc/tigervnc/HOWTO.md for more information.

$ vncviewer localhost:1

TigerVNC Viewer 64-bit v1.11.0
Built on: 2023-01-10 14:52
Copyright (C) 1999-2020 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.

Mon Jan 16 16:22:11 2023
 DecodeManager: Detected 2 CPU core(s)
 DecodeManager: Creating 2 decoder thread(s)
 CConn:       unable to connect to socket: Connection refused (111)

The message "Please read /usr/share/doc/tigervnc/HOWTO.md for more information." is wrong, the file is located in /usr/share/doc/tigervnc-server, but doesn't make me any wiser.
Over to someone who can handle this.

CC: (none) => herman.viaene

Comment 3 PC LX 2023-01-27 13:06:29 CET 
Installed and tested without issues.

The setup and configuration changed from the last time I used it. There are a bunch of steps that are needed. The instruction in the file "/usr/share/doc/tigervnc-server/HOWTO.md" need to be followed for it to work.

After that, running vncviewer or another vnc client will show a desktop.

Also tested the tigervnc java viewer. It works but right at the end, after ending the session, it throws an exception (see below). It does not cause any problem that I could see but if it can be fixed, all the better.

Marking this update as OK since it has been here for a while. Please, undo if appropriate.


# uname -a
Linux jupiter 6.1.6-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Jan 14 13:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
# rpm -qa | grep tigervnc | sort
tigervnc-1.11.0-4.mga8
tigervnc-java-1.11.0-4.mga8
tigervnc-server-1.11.0-4.mga8
# systemctl status vncserver@\:1.service 
● vncserver@:1.service - Remote desktop service (VNC)
     Loaded: loaded (/usr/lib/systemd/system/vncserver@.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2023-01-27 10:59:31 WET; 15min ago
    Process: 11914 ExecStart=/usr/libexec/vncsession-start :1 (code=exited, status=0/SUCCESS)
   Main PID: 11921 (vncsession)
      Tasks: 1 (limit: 37625)
     Memory: 452.0K
        CPU: 6ms
     CGroup: /system.slice/system-vncserver.slice/vncserver@:1.service
             ‣ 11921 /usr/sbin/vncsession pclx :1

jan 27 10:59:31 jupiter systemd[1]: Starting Remote desktop service (VNC)...
jan 27 10:59:31 jupiter systemd[1]: Started Remote desktop service (VNC).


$ vncviewer :1

Visualizador TigerVNC 64 bits v1.11.0
Compilado em: 2020-12-06 16:48
Copyright (C) 1999-2020 Equipe TigerVNC e muitos outros (veja README.rst)
Veja https://www.tigervnc.org para informação sobre o TigerVNC.

Fri Jan 27 11:03:28 2023
 DecodeManager: Detected 12 CPU core(s)
 DecodeManager: Creating 4 decoder thread(s)
 CConn:       Conectado ao host localhost porta 5901
 CConnection: Server supports RFB protocol version 3.8
 CConnection: Using RFB protocol version 3.8
 CConnection: Choosing security type VeNCrypt(19)
 CVeNCrypt:   Choosing security type VncAuth (2)

Fri Jan 27 11:03:32 2023
 CConn:       Usando formato de pixel depth 24 (32bpp) little-endian rgb888
 CConnection: Enabling continuous updates

$ java -jar /usr/share/java/VncViewer.jar

TigerVNC Java Viewer v1.11.0 (20201206)
Built on 2020-12-06 at 16:49:53
Copyright (C) 1999-2020 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.
DecodeManager: Detected 12 CPU core(s)
DecodeManager: Creating 4 decoder thread(s)
CConn: connected to host localhost port 5901
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
CConn: Using pixel format depth 24 (32bpp) little-endian rgb888
CConnection: Enabling continuous updates
com.tigervnc.rdr.SystemException: read:com.tigervnc.rdr.Exception: newPosition < 0: (-1 < 0)
        at com.tigervnc.rdr.FdInStream.readWithTimeoutOrCallback(FdInStream.java:196)
        at com.tigervnc.rdr.FdInStream.overrun(FdInStream.java:147)
        at com.tigervnc.rdr.InStream.check(InStream.java:41)
        at com.tigervnc.rdr.InStream.check(InStream.java:50)
        at com.tigervnc.rdr.InStream.check(InStream.java:51)
        at com.tigervnc.rdr.InStream.readS8(InStream.java:61)
        at com.tigervnc.rdr.InStream.readU8(InStream.java:70)
        at com.tigervnc.rfb.CMsgReader.readMsg(CMsgReader.java:62)
        at com.tigervnc.rfb.CConnection.processMsg(CConnection.java:149)
        at com.tigervnc.vncviewer.VncViewer.run(VncViewer.java:430)
        at java.base/java.lang.Thread.run(Thread.java:829)

Whiteboard: (none) => MGA8-64-OK
CC: (none) => mageia

Comment 4 Thomas Andrews 2023-01-29 15:36:26 CET 
Since the exception reported in Comment 3 was not observed to cause any problems, I'm going to send this on. If, at a later date, it IS seen to cause problems, a new bug report should be opened on that issue.

Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-06 22:04:58 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-02-07 01:08:28 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0028.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED