Fedora has issued an advisory on March 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130495.html

The issue is fixed upstream in 1.3.1, and the upstream commits are linked:
https://bugzilla.redhat.com/show_bug.cgi?id=1050928
Whiteboard: (none) => MGA4TOO, MGA3TOO
Hi, I submitted the patch to mga4. Juancho, could you push the package please? I'll send the other patch ASAP. Regards
CC: (none) => juan.baptiste
Pushed to core/updates_testing.
(In reply to Juan Luis Baptiste from comment #2)
> Pushed to core/updates_testing.

Thanks. The update is also needed for Mageia 3. Please don't forget to push the changes to Cauldron as well.

Packages in updates_testing:
tigervnc-1.3.0-2.1.mga4
tigervnc-server-1.3.0-2.1.mga4
tigervnc-server-module-1.3.0-2.1.mga4
tigervnc-java-1.3.0-2.1.mga4

from tigervnc-1.3.0-2.1.mga4.src.rpm
Hi all,

I have uploaded a patched package for Mageia 4. I think that the mga3 package isn't affected, like the old RHEL 6 version [1] [2].

I'm working on tigervnc in cauldron; I hope to solve some problem with the compilation soon.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1050928#c14
[2] Feel free to correct me :-)

I'm sorry I can't help with QA for this issue. How can I test this solution?

Suggested advisory:
========================
This update fixes CVE-2014-0011, a ZRLE decoding heap-based buffer overflow in vncviewer

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1050928
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0011
https://bugs.mageia.org/show_bug.cgi?id=13082
========================
Updated packages in updates_testing:
========================
tigervnc-1.3.0-2.mga4
tigervnc-server-1.3.0-2
tigervnc-server-module-1.3.0-2.mga4
tigervnc-java-1.3.0-2.mga4
tigervnc-1.3.0-2.1.mga4.x86_64
tigervnc-server-1.3.0-2.1.mga4.x86_64
tigervnc-server-module-1.3.0-2.1.mga4
tigervnc-java-1.3.0-2.1.mga4
tigervnc-debuginfo-1.3.0-2.1

Source RPMs:
tigervnc-1.3.0-2.1.mga4.src.rpm
Hi Alfonso, Once Cauldron is patched I'll push this to QA. As for Mageia 3, looking at the code, I believe it is vulnerable.
@Alfonso, did you try the patches from cauldron on the mga 3 version?
tigervnc-1.3.1-1.mga5 built for Cauldron. Now we just need the Mageia 3 update.
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
I had to re-diff the common/CMakeLists.txt part of the patch for 1.1.0 on Mageia 3, so hopefully what the patch adds still works and has the same effect and effectively closes the security issue.

Advisory:
========================
Updated tigervnc packages fix security vulnerability:

A heap-based buffer overflow was found in the way vncviewer rendered certain screen images from a vnc server. If a user could be tricked into connecting to a malicious vnc server, it may cause the vncviewer to crash, or could possibly execute arbitrary code with the permissions of the user running it. This issue was due to an issue in the ZRLE_DECODE() function which performs RLE decoding (CVE-2014-0011).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0011
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130495.html
========================
Updated packages in core/updates_testing:
========================
tigervnc-1.1.0-3.2.mga3
tigervnc-server-1.1.0-3.2.mga3
tigervnc-server-module-1.1.0-3.2.mga3
tigervnc-java-1.1.0-3.2.mga3
tigervnc-1.3.0-2.1.mga4
tigervnc-server-1.3.0-2.1.mga4
tigervnc-server-module-1.3.0-2.1.mga4
tigervnc-java-1.3.0-2.1.mga4

from SRPMS:
tigervnc-1.1.0-3.2.mga3.src.rpm
tigervnc-1.3.0-2.1.mga4.src.rpm
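The overflow class named in the advisory above, as an added C example that is not TigerVNC's code or part of this bug report: a plain-RLE tile decoder that validates each server-supplied run length against the space left in the tile before writing. It assumes 8-bit pixels and a 16-pixel tile; the run-length encoding (1 plus the sum of the length bytes, 255 meaning another byte follows) follows RFC 6143, and the function name and sample streams are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TILE_PIXELS 16
static uint8_t tile[TILE_PIXELS + 1];   /* last byte is a guard, stays 0 */

/* Constructed sample streams: (pixel, length bytes...) pairs. */
static const uint8_t GOOD[]      = { 0x11, 9, 0x22, 5 };       /* 10 + 6 pixels */
static const uint8_t LONG_RUN[]  = { 0x11, 9, 0x22, 255, 40 }; /* 10 + 296 pixels */
static const uint8_t TRUNCATED[] = { 0x11, 9, 0x22 };          /* length byte missing */

/* Decode one plain-RLE tile of 8-bit pixels (simplified; hypothetical name).
 * Returns 0 on success, -1 on a malformed stream; never writes past
 * out[npixels - 1]. */
int rle_decode_tile(const uint8_t *in, size_t in_len, uint8_t *out, size_t npixels)
{
    size_t ip = 0, op = 0;
    while (op < npixels) {
        if (ip >= in_len)
            return -1;                      /* truncated: no pixel value */
        uint8_t pix = in[ip++];
        size_t run = 1;                     /* run = 1 + sum of length bytes */
        uint8_t b;
        do {
            if (ip >= in_len)
                return -1;                  /* truncated: no length byte */
            b = in[ip++];
            run += b;
        } while (b == 255);                 /* 255 means another byte follows */

        /* The run length comes from the server: reject it unless it fits
         * in what is left of the tile, before any pixel is written. */
        if (run > npixels - op)
            return -1;

        for (size_t i = 0; i < run; i++)
            out[op++] = pix;
    }
    return 0;
}

int main(void)
{
    printf("good=%d\n", rle_decode_tile(GOOD, sizeof GOOD, tile, TILE_PIXELS));
    printf("long_run=%d\n", rle_decode_tile(LONG_RUN, sizeof LONG_RUN, tile, TILE_PIXELS));
    printf("truncated=%d\n", rle_decode_tile(TRUNCATED, sizeof TRUNCATED, tile, TILE_PIXELS));
    return 0;
}
```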
CC: (none) => bersuit.vera
Assignee: bersuit.vera => qa-bugs
Severity: normal => major
Tested on a Mageia 4 x86-64 VM by using a procedure similar to http://forums.fedoraforum.org/showthread.php?t=229781 .

What I did was:

#. Run vncpasswd and set up a password.
#. Create a .vnc/xstartup script with

       #!/bin/bash
       starticewm

#. Make it executable.
#. Run vncserver :1
#. Run vncviewer :1 in a different virtual workspace. Verify that IceWM is running.

Then you can disconnect and kill everything.
CC: (none) => shlomif
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
This is fine on Mageia 4 i586/32-bit too.
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK
Regarding Mageia 3 - I don't see the 3.2.mga4 packages anywhere on updates_testing (also not in the mirror.kernel.org mirror).
(In reply to Shlomi Fish from comment #11)
> Regarding Mageia 3 - I don't see the 3.2.mga4 packages anywhere on
> updates_testing (also not in the mirror.kernel.org mirror).

You mean 3.2.mga3, but yes, they won't appear there until 20 after the hour, so give it about 8 minutes.
(In reply to David Walser from comment #12)
> (In reply to Shlomi Fish from comment #11)
> > Regarding Mageia 3 - I don't see the 3.2.mga4 packages anywhere on
> > updates_testing (also not in the mirror.kernel.org mirror).
>
> You mean 3.2.mga3, but yes, they won't appear there until 20 after the hour,
> so give it about 8 minutes.

Thanks. I checked it on MGA3-32 and it's fine there as well.

Regards,

-- Shlomi Fish
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK
vncserver / vncviewer work fine on MGA3-64 (Mageia 3 x86-64) too.

Regards,

-- Shlomi Fish
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK
Thanks Shlomi.

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0173.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED