Bug 13944 - libvncserver, remmina, x11vnc new security issue CVE-2014-4607
Summary: libvncserver, remmina, x11vnc new security issue CVE-2014-4607
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/604237/
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32...
Keywords: validated_update
Depends on: 14001
Blocks: 13943
  Show dependency treegraph
 
Reported: 2014-08-19 19:39 CEST by David Walser
Modified: 2014-08-28 15:51 CEST (History)
4 users (show)

See Also:
Source RPM: libvncserver-0.9.9-3.mga4.src.rpm, remmina-1.0.0-4.2.mga4.src.rpm, x11vnc-0.9.13-4.mga4
CVE:
Status comment:


Attachments

Description David Walser 2014-08-19 19:39:29 CEST
libvncserver bundles minilzo, which is affected by the CVE-2014-4607 issue from the LZO library.  Remmina bundles libvncserver.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated libvncserver and remmina packages fix security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to cause a denial
of service or possibly code execution in applications using performing LZO
decompression on a compressed payload from the attacker (CVE-2014-4607).

The libvncserver library is built with a bundled copy of minilzo, which is a
part of liblzo containing the vulnerable code.  The remmina package is built
with a bundled copy of libvncserver.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
========================

Updated packages in core/updates_testing:
========================
libvncserver0-0.9.9-2.1.mga3
libvncserver-devel-0.9.9-2.1.mga3
linuxvnc-0.9.9-2.1.mga3
remmina-1.0.0-3.1.mga3
remmina-devel-1.0.0-3.1.mga3
remmina-plugins-common-1.0.0-3.1.mga3
remmina-plugins-gnome-1.0.0-3.1.mga3
remmina-plugins-nx-1.0.0-3.1.mga3
remmina-plugins-rdp-1.0.0-3.1.mga3
remmina-plugins-telepathy-1.0.0-3.1.mga3
remmina-plugins-vnc-1.0.0-3.1.mga3
remmina-plugins-xdmcp-1.0.0-3.1.mga3
libvncserver0-0.9.9-3.1.mga4
libvncserver-devel-0.9.9-3.1.mga4
linuxvnc-0.9.9-3.1.mga4
remmina-1.0.0-4.3.mga4
remmina-devel-1.0.0-4.3.mga4
remmina-plugins-common-1.0.0-4.3.mga4
remmina-plugins-gnome-1.0.0-4.3.mga4
remmina-plugins-nx-1.0.0-4.3.mga4
remmina-plugins-rdp-1.0.0-4.3.mga4
remmina-plugins-telepathy-1.0.0-4.3.mga4
remmina-plugins-vnc-1.0.0-4.3.mga4
remmina-plugins-xdmcp-1.0.0-4.3.mga4

from SRPMS:
libvncserver-0.9.9-2.1.mga3.src.rpm
remmina-1.0.0-3.1.mga3.src.rpm
libvncserver-0.9.9-3.1.mga4.src.rpm
remmina-1.0.0-4.3.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-08-19 19:40:00 CEST

Blocks: (none) => 13943
Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-08-20 22:54:28 CEST
x11vnc also bundles libvncserver.  It has been rebuilt (thanks to configure options found in Fedora) against the system libvncserver.

Advisory:
========================

Updated libvncserver, remmina, and x11vnc packages fix security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to cause a denial
of service or possibly code execution in applications using performing LZO
decompression on a compressed payload from the attacker (CVE-2014-4607).

The libvncserver library is built with a bundled copy of minilzo, which is a
part of liblzo containing the vulnerable code.

The remmina package is built with a bundled copy of libvncserver, which has
been patched to fix this issue.

The x11vnc package had been built with a bundled copy of libvncserver, but it
has been rebuilt against the system libvncserver library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
========================

Updated packages in core/updates_testing:
========================
libvncserver0-0.9.9-2.1.mga3
libvncserver-devel-0.9.9-2.1.mga3
linuxvnc-0.9.9-2.1.mga3
remmina-1.0.0-3.1.mga3
remmina-devel-1.0.0-3.1.mga3
remmina-plugins-common-1.0.0-3.1.mga3
remmina-plugins-gnome-1.0.0-3.1.mga3
remmina-plugins-nx-1.0.0-3.1.mga3
remmina-plugins-rdp-1.0.0-3.1.mga3
remmina-plugins-telepathy-1.0.0-3.1.mga3
remmina-plugins-vnc-1.0.0-3.1.mga3
remmina-plugins-xdmcp-1.0.0-3.1.mga3
x11vnc-0.9.13-3.1.mga3
libvncserver0-0.9.9-3.1.mga4
libvncserver-devel-0.9.9-3.1.mga4
linuxvnc-0.9.9-3.1.mga4
remmina-1.0.0-4.3.mga4
remmina-devel-1.0.0-4.3.mga4
remmina-plugins-common-1.0.0-4.3.mga4
remmina-plugins-gnome-1.0.0-4.3.mga4
remmina-plugins-nx-1.0.0-4.3.mga4
remmina-plugins-rdp-1.0.0-4.3.mga4
remmina-plugins-telepathy-1.0.0-4.3.mga4
remmina-plugins-vnc-1.0.0-4.3.mga4
remmina-plugins-xdmcp-1.0.0-4.3.mga4
x11vnc-0.9.13-4.1.mga4

from SRPMS:
libvncserver-0.9.9-2.1.mga3.src.rpm
remmina-1.0.0-3.1.mga3.src.rpm
x11vnc-0.9.13-3.1.mga3.src.rpm
libvncserver-0.9.9-3.1.mga4.src.rpm
remmina-1.0.0-4.3.mga4.src.rpm
x11vnc-0.9.13-4.1.mga4.src.rpm

Summary: libvncserver and remmina new security issue CVE-2014-4607 => libvncserver, remmina, x11vnc new security issue CVE-2014-4607
Source RPM: libvncserver-0.9.9-3.mga4.src.rpm, remmina-1.0.0-4.2.mga4.src.rpm => libvncserver-0.9.9-3.mga4.src.rpm, remmina-1.0.0-4.2.mga4.src.rpm, x11vnc-0.9.13-4.mga4

Comment 2 William Kenney 2014-08-24 18:19:35 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
libvncserver0 remmina x11vnc

default install of libvncserver0 remmina x11vnc

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-3.mga3.i586 is already installed

All packages installed correctly and without error messages

install libvncserver0 remmina x11vnc from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-3.1.mga3.i586 is already installed

All packages update correctly and without error messages

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 3 William Kenney 2014-08-24 18:19:50 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
libvncserver0 remmina x11vnc

default install of libvncserver0 remmina x11vnc
There does not appear to be a libvncserver0 x86_64 package in the repo

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-3.mga3.x86_64 is already installed

All packages installed correctly and without error messages

install libvncserver0 remmina x11vnc from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-3.1.mga3.x86_64 is already installed

All packages update correctly and without error messages

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 4 William Kenney 2014-08-24 18:20:04 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
libvncserver0 remmina x11vnc

default install of libvncserver0 remmina x11vnc

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-4.mga4.i586 is already installed

All packages installed correctly and without error messages

install libvncserver0 remmina x11vnc from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-4.1.mga4.i586 is already installed

All packages update correctly and without error messages

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 5 William Kenney 2014-08-24 18:20:17 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
libvncserver0 remmina x11vnc

default install of libvncserver0 remmina x11vnc
There does not appear to be a libvncserver0 x86_64 package in the repo

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-4.mga4.x86_64 is already installed

All packages installed correctly and without error messages

install libvncserver0 remmina x11vnc from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-4.1.mga4.x86_64 is already installed

All packages update correctly and without error messages

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 6 William Kenney 2014-08-24 18:20:50 CEST
For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 David Walser 2014-08-24 18:28:38 CEST
FYI, on x86_64, the library package names always start with lib64 instead of just lib.  This is always the case for any package.
Comment 8 David Walser 2014-08-24 18:30:18 CEST
Also, it would be nice to get a test of x11vnc functionality, since it was changed to use the system libvncserver, rather than just being patched like the others
Comment 9 William Kenney 2014-08-24 19:23:08 CEST
(In reply to David Walser from comment #8)

> Also, it would be nice to get a test of x11vnc functionality, since it was
> changed to use the system libvncserver, rather than just being patched like
> the others

Gimme a simple test. I've still got the Vbox clients stored
Comment 10 David Walser 2014-08-24 19:27:08 CEST
Figure out what you can do with it :o).  I'm guessing it's a VNC client.  So you could share a desktop with a VNC server (I think krfb might be one) and then connect to it with x11vnc
Comment 11 William Kenney 2014-08-24 19:34:13 CEST
In reply to David Walser from comment #7)

> FYI, on x86_64, the library package names always start with lib64 instead of
> just lib.  This is always the case for any package.

[root@localhost wilcal]# urpmi lib64vncserver0
Package lib64vncserver0-0.9.9-2.1.mga3.x86_64 is already installed

[root@localhost wilcal]# urpmi lib64vncserver0
Package lib64vncserver0-0.9.9-3.1.mga4.x86_64 is already installed

Both went in just fine.
Comment 12 William Kenney 2014-08-24 19:34:41 CEST
(In reply to David Walser from comment #10)
> Figure out what you can do with it :o).  I'm guessing it's a VNC client.  So
> you could share a desktop with a VNC server (I think krfb might be one) and
> then connect to it with x11vnc

I'll tinker with it.
Comment 13 Dave Hodgins 2014-08-26 09:56:13 CEST
Advisory 13944.adv added to svn.

CC: (none) => davidwhodgins
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory

Comment 14 Mageia Robot 2014-08-27 01:05:39 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0356.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 15 David Walser 2014-08-27 19:33:54 CEST
It looks like an outdated advisory got uploaded for this one, and x11vnc didn't get included or pushed.  Please see Comment 1.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 16 Colin Guthrie 2014-08-28 15:39:47 CEST
I think we'll need to issue a new advisory to sort this out - so a new bug. I'll do that now.

CC: (none) => mageia

Comment 17 Colin Guthrie 2014-08-28 15:46:37 CEST
I opened bug #14001 to handle this oversight.

Resolution: (none) => FIXED
Status: REOPENED => RESOLVED

David Walser 2014-08-28 15:51:36 CEST

Depends on: (none) => 14001


Note You need to log in before you can comment on or make changes to this bug.