libvncserver bundles minilzo, which is affected by the CVE-2014-4607 issue from the LZO library. Remmina bundles libvncserver.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated libvncserver and remmina packages fix security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to cause a denial of service or possibly code execution in applications performing LZO decompression on a compressed payload from the attacker (CVE-2014-4607).

The libvncserver library is built with a bundled copy of minilzo, which is a part of liblzo containing the vulnerable code. The remmina package is built with a bundled copy of libvncserver.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
========================

Updated packages in core/updates_testing:
========================
libvncserver0-0.9.9-2.1.mga3
libvncserver-devel-0.9.9-2.1.mga3
linuxvnc-0.9.9-2.1.mga3
remmina-1.0.0-3.1.mga3
remmina-devel-1.0.0-3.1.mga3
remmina-plugins-common-1.0.0-3.1.mga3
remmina-plugins-gnome-1.0.0-3.1.mga3
remmina-plugins-nx-1.0.0-3.1.mga3
remmina-plugins-rdp-1.0.0-3.1.mga3
remmina-plugins-telepathy-1.0.0-3.1.mga3
remmina-plugins-vnc-1.0.0-3.1.mga3
remmina-plugins-xdmcp-1.0.0-3.1.mga3

libvncserver0-0.9.9-3.1.mga4
libvncserver-devel-0.9.9-3.1.mga4
linuxvnc-0.9.9-3.1.mga4
remmina-1.0.0-4.3.mga4
remmina-devel-1.0.0-4.3.mga4
remmina-plugins-common-1.0.0-4.3.mga4
remmina-plugins-gnome-1.0.0-4.3.mga4
remmina-plugins-nx-1.0.0-4.3.mga4
remmina-plugins-rdp-1.0.0-4.3.mga4
remmina-plugins-telepathy-1.0.0-4.3.mga4
remmina-plugins-vnc-1.0.0-4.3.mga4
remmina-plugins-xdmcp-1.0.0-4.3.mga4

from SRPMS:
libvncserver-0.9.9-2.1.mga3.src.rpm
remmina-1.0.0-3.1.mga3.src.rpm
libvncserver-0.9.9-3.1.mga4.src.rpm
remmina-1.0.0-4.3.mga4.src.rpm
Blocks: (none) => 13943
Whiteboard: (none) => MGA3TOO
x11vnc also bundles libvncserver. It has been rebuilt (thanks to configure options found in Fedora) against the system libvncserver.

Advisory:
========================

Updated libvncserver, remmina, and x11vnc packages fix security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to cause a denial of service or possibly code execution in applications performing LZO decompression on a compressed payload from the attacker (CVE-2014-4607).

The libvncserver library is built with a bundled copy of minilzo, which is a part of liblzo containing the vulnerable code. The remmina package is built with a bundled copy of libvncserver, which has been patched to fix this issue. The x11vnc package had been built with a bundled copy of libvncserver, but it has been rebuilt against the system libvncserver library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
========================

Updated packages in core/updates_testing:
========================
libvncserver0-0.9.9-2.1.mga3
libvncserver-devel-0.9.9-2.1.mga3
linuxvnc-0.9.9-2.1.mga3
remmina-1.0.0-3.1.mga3
remmina-devel-1.0.0-3.1.mga3
remmina-plugins-common-1.0.0-3.1.mga3
remmina-plugins-gnome-1.0.0-3.1.mga3
remmina-plugins-nx-1.0.0-3.1.mga3
remmina-plugins-rdp-1.0.0-3.1.mga3
remmina-plugins-telepathy-1.0.0-3.1.mga3
remmina-plugins-vnc-1.0.0-3.1.mga3
remmina-plugins-xdmcp-1.0.0-3.1.mga3
x11vnc-0.9.13-3.1.mga3

libvncserver0-0.9.9-3.1.mga4
libvncserver-devel-0.9.9-3.1.mga4
linuxvnc-0.9.9-3.1.mga4
remmina-1.0.0-4.3.mga4
remmina-devel-1.0.0-4.3.mga4
remmina-plugins-common-1.0.0-4.3.mga4
remmina-plugins-gnome-1.0.0-4.3.mga4
remmina-plugins-nx-1.0.0-4.3.mga4
remmina-plugins-rdp-1.0.0-4.3.mga4
remmina-plugins-telepathy-1.0.0-4.3.mga4
remmina-plugins-vnc-1.0.0-4.3.mga4
remmina-plugins-xdmcp-1.0.0-4.3.mga4
x11vnc-0.9.13-4.1.mga4

from SRPMS:
libvncserver-0.9.9-2.1.mga3.src.rpm
remmina-1.0.0-3.1.mga3.src.rpm
x11vnc-0.9.13-3.1.mga3.src.rpm
libvncserver-0.9.9-3.1.mga4.src.rpm
remmina-1.0.0-4.3.mga4.src.rpm
x11vnc-0.9.13-4.1.mga4.src.rpm
Summary: libvncserver and remmina new security issue CVE-2014-4607 => libvncserver, remmina, x11vnc new security issue CVE-2014-4607
Source RPM: libvncserver-0.9.9-3.mga4.src.rpm, remmina-1.0.0-4.2.mga4.src.rpm => libvncserver-0.9.9-3.mga4.src.rpm, remmina-1.0.0-4.2.mga4.src.rpm, x11vnc-0.9.13-4.mga4
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: libvncserver0 remmina x11vnc

default install of libvncserver0 remmina x11vnc

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-3.mga3.i586 is already installed

All packages installed correctly and without error messages

install libvncserver0 remmina x11vnc from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-3.1.mga3.i586 is already installed

All packages update correctly and without error messages

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: libvncserver0 remmina x11vnc

default install of libvncserver0 remmina x11vnc

There does not appear to be a libvncserver0 x86_64 package in the repo

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-3.mga3.x86_64 is already installed

All packages installed correctly and without error messages

install libvncserver0 remmina x11vnc from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-3.1.mga3.x86_64 is already installed

All packages update correctly and without error messages

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: libvncserver0 remmina x11vnc

default install of libvncserver0 remmina x11vnc

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-4.mga4.i586 is already installed

All packages installed correctly and without error messages

install libvncserver0 remmina x11vnc from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-4.1.mga4.i586 is already installed

All packages update correctly and without error messages

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: libvncserver0 remmina x11vnc

default install of libvncserver0 remmina x11vnc

There does not appear to be a libvncserver0 x86_64 package in the repo

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-4.mga4.x86_64 is already installed

All packages installed correctly and without error messages

install libvncserver0 remmina x11vnc from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi x11vnc
Package x11vnc-0.9.13-4.1.mga4.x86_64 is already installed

All packages update correctly and without error messages

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
For me this update works fine.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push this to updates? Thanks
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
FYI, on x86_64, the library package names always start with lib64 instead of just lib. This is always the case for any package.
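The test comments above establish the fixed state by running urpmi and reading the "is already installed" version, and comment 7 points out that the x86_64 library package is lib64vncserver0 rather than libvncserver0. The following is an added example (not code from this bug report, Mageia or any of the packages) of a small audit script that does the same comparison mechanically: it takes `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output for the packages under test, normalizes the lib64 prefix, and compares version-release against the fixed versions listed in the advisory using a simplified rpm-style segment comparison. The rpm output lines embedded here are constructed from the versions quoted in the thread so the script runs offline; on a real Mageia 3 or 4 host you would feed it actual rpm output.

```python
import re

# Fixed version-release pairs from the advisory in comment 1,
# restricted to the three packages exercised by the QA tests.
FIXED = {
    "mga3": {
        "libvncserver0": ("0.9.9", "2.1.mga3"),
        "remmina": ("1.0.0", "3.1.mga3"),
        "x11vnc": ("0.9.13", "3.1.mga3"),
    },
    "mga4": {
        "libvncserver0": ("0.9.9", "3.1.mga4"),
        "remmina": ("1.0.0", "4.3.mga4"),
        "x11vnc": ("0.9.13", "4.1.mga4"),
    },
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified rpm version comparison: split both strings into numeric and
    alphabetic segments, compare numerics as integers and alphas lexically,
    rank a numeric segment above an alphabetic one, and let the string with
    more segments win when all shared segments are equal. This is the rule
    that makes 2.1.mga3 sort above 2.mga3. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(installed, fixed):
    """Compare (version, release) tuples: version first, then release."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def normalize_name(name):
    """Map the x86_64 lib64 prefix (lib64vncserver0) onto the lib prefix the
    advisory uses (libvncserver0), as comment 7 describes."""
    return "lib" + name[len("lib64"):] if name.startswith("lib64") else name


def check_installed(rpm_q_lines, release):
    """rpm_q_lines: lines of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\\n' ...`.
    Returns {package: 'fixed' | 'VULNERABLE' | 'not installed' | 'unknown'}."""
    fixed = FIXED[release]
    result = {}
    for line in rpm_q_lines:
        line = line.strip()
        # rpm reports missing packages as "package NAME is not installed"
        if line.startswith("package ") and line.endswith("is not installed"):
            result[line.split()[1]] = "not installed"
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore anything that is not NAME VERSION RELEASE
        name, ver, rel = parts
        key = normalize_name(name)
        if key not in fixed:
            result[name] = "unknown"
            continue
        result[name] = "fixed" if evr_cmp((ver, rel), fixed[key]) >= 0 else "VULNERABLE"
    return result


# Constructed rpm output, taken from the versions quoted in the QA comments.
SAMPLE_MGA3_BEFORE_UPDATE = [
    "libvncserver0 0.9.9 2.mga3",
    "remmina 1.0.0 3.mga3",
    "x11vnc 0.9.13 3.mga3",
]
SAMPLE_MGA4_X86_64_AFTER_UPDATE = [
    "lib64vncserver0 0.9.9 3.1.mga4",
    "remmina 1.0.0 4.3.mga4",
    "package x11vnc is not installed",
]

if __name__ == "__main__":
    for label, lines, rel in (("mga3 before", SAMPLE_MGA3_BEFORE_UPDATE, "mga3"),
                              ("mga4 x86_64 after", SAMPLE_MGA4_X86_64_AFTER_UPDATE, "mga4")):
        print(label, check_installed(lines, rel))
```

The comparison deliberately reports "VULNERABLE" rather than "older" so that a packager reading a long audit log sees the packages that still carry the bundled minilzo. A package that is absent is reported separately, since the advisory only matters for hosts that actually have the library, remmina or x11vnc installed.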
Also, it would be nice to get a test of x11vnc functionality, since it was changed to use the system libvncserver, rather than just being patched like the others.
(In reply to David Walser from comment #8)
> Also, it would be nice to get a test of x11vnc functionality, since it was
> changed to use the system libvncserver, rather than just being patched like
> the others

Gimme a simple test. I've still got the Vbox clients stored
Figure out what you can do with it :o). I'm guessing it's a VNC client. So you could share a desktop with a VNC server (I think krfb might be one) and then connect to it with x11vnc
(In reply to David Walser from comment #7)
> FYI, on x86_64, the library package names always start with lib64 instead of
> just lib. This is always the case for any package.

[root@localhost wilcal]# urpmi lib64vncserver0
Package lib64vncserver0-0.9.9-2.1.mga3.x86_64 is already installed

[root@localhost wilcal]# urpmi lib64vncserver0
Package lib64vncserver0-0.9.9-3.1.mga4.x86_64 is already installed

Both went in just fine.
(In reply to David Walser from comment #10)
> Figure out what you can do with it :o). I'm guessing it's a VNC client. So
> you could share a desktop with a VNC server (I think krfb might be one) and
> then connect to it with x11vnc

I'll tinker with it.
Advisory 13944.adv added to svn.
CC: (none) => davidwhodgins
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0356.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
It looks like an outdated advisory got uploaded for this one, and x11vnc didn't get included or pushed. Please see Comment 1.
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
I think we'll need to issue a new advisory to sort this out - so a new bug. I'll do that now.
CC: (none) => mageia
I opened bug #14001 to handle this oversight.
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED
Depends on: (none) => 14001