Security issues in libvncserver were announced today (September 23):
http://openwall.com/lists/oss-security/2014/09/23/6

It sounds like fixes should be available soon.

Mageia 3 and Mageia 4 are also affected.

To David Geiger:
Could you backport the fixes to make remmina build against the system libvncserver from Cauldron into Mageia 3 and Mageia 4 SVN? We'll need to do that for this update.

To Luc Menut:
Whichever Mageia versions don't have krfb built against the system libvncserver will either need to be made to do so, or it'll have to be patched for these issues as well.

CC: (none) => geiger.david68210, lmenut
Whiteboard: (none) => MGA4TOO, MGA3TOO
An advisory was released today (September 25) with links to upstream patches: http://www.ocert.org/advisories/ocert-2014-007.html
Fedora has issued an advisory for this on September 26: https://lists.fedoraproject.org/pipermail/package-announce/2014-September/139445.html
URL: (none) => http://lwn.net/Vulnerabilities/614039/
Blocks: (none) => 14205
(In reply to David Walser from comment #1)
>
> To Luc Menut:
> Whichever Mageia versions don't have krfb built against the system
> libvncserver will either need to be made to do so, or it'll have to be
> patched for these issues as well.

CVE-2014-6051 and CVE-2014-6052 concern vulnerabilities in the libvncclient part of libvncserver, and so, they don't concern krfb that only includes the libvncserver part.

I just opened a separate bugreport for CVE-2014-605[3-5] vulnerabilities in krfb, bug #14205.

As Luc mentioned, krfb will be handled in other bug reports.

I've uploaded patched libvncserver packages for Mageia 3, Mageia 4, and Cauldron.

I'm still waiting for David to fix remmina, but when he does, this will be the advisory.

Advisory:
========================

Updated libvncserver and remmina packages fix security vulnerabilities:

A malicious VNC server can trigger incorrect memory management handling by advertising a large screen size parameter to the VNC client. This would result in multiple memory corruptions and could allow remote code execution on the VNC client (CVE-2014-6051, CVE-2014-6052).

A malicious VNC client can trigger multiple DoS conditions on the VNC server by advertising a large screen size, ClientCutText message length and/or a zero scaling factor parameter (CVE-2014-6053, CVE-2014-6054).

A malicious VNC client can trigger multiple stack-based buffer overflows by passing long file and directory names and/or attributes (FileTime) when using the file transfer message feature (CVE-2014-6055).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6055
http://www.ocert.org/advisories/ocert-2014-007.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/139445.html
========================

Updated packages in core/updates_testing:
========================
libvncserver0-0.9.9-2.2.mga3
libvncserver-devel-0.9.9-2.2.mga3
linuxvnc-0.9.9-2.2.mga3
remmina-1.0.0-3.2.mga3
remmina-devel-1.0.0-3.2.mga3
remmina-plugins-common-1.0.0-3.2.mga3
remmina-plugins-gnome-1.0.0-3.2.mga3
remmina-plugins-nx-1.0.0-3.2.mga3
remmina-plugins-rdp-1.0.0-3.2.mga3
remmina-plugins-telepathy-1.0.0-3.2.mga3
remmina-plugins-vnc-1.0.0-3.2.mga3
remmina-plugins-xdmcp-1.0.0-3.2.mga3
libvncserver0-0.9.9-3.2.mga4
libvncserver-devel-0.9.9-3.2.mga4
linuxvnc-0.9.9-3.2.mga4
remmina-1.0.0-4.4.mga4
remmina-devel-1.0.0-4.4.mga4
remmina-plugins-common-1.0.0-4.4.mga4
remmina-plugins-gnome-1.0.0-4.4.mga4
remmina-plugins-nx-1.0.0-4.4.mga4
remmina-plugins-rdp-1.0.0-4.4.mga4
remmina-plugins-telepathy-1.0.0-4.4.mga4
remmina-plugins-vnc-1.0.0-4.4.mga4
remmina-plugins-xdmcp-1.0.0-4.4.mga4

from SRPMS:
libvncserver-0.9.9-2.2.mga3.src.rpm
remmina-1.0.0-3.2.mga3.src.rpm
libvncserver-0.9.9-3.2.mga4.src.rpm
remmina-1.0.0-4.4.mga4.src.rpm

Severity: normal => critical
Version: Cauldron => 4
Source RPM: libvncserver-0.9.9-5.mga5.src.rpm => libvncserver-0.9.9-5.mga5.src.rpm, remmina-1.0.0-4.3.mga4.src.rpm
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Thanks to David, remmina is ready to go now too.

Advisory:
========================

Updated libvncserver and remmina packages fix security vulnerabilities:

A malicious VNC server can trigger incorrect memory management handling by advertising a large screen size parameter to the VNC client. This would result in multiple memory corruptions and could allow remote code execution on the VNC client (CVE-2014-6051, CVE-2014-6052).

A malicious VNC client can trigger multiple DoS conditions on the VNC server by advertising a large screen size, ClientCutText message length and/or a zero scaling factor parameter (CVE-2014-6053, CVE-2014-6054).

A malicious VNC client can trigger multiple stack-based buffer overflows by passing long file and directory names and/or attributes (FileTime) when using the file transfer message feature (CVE-2014-6055).

The remmina package had been built with a bundled copy of libvncserver. It has been rebuilt against the system libvncserver library to resolve these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6055
http://www.ocert.org/advisories/ocert-2014-007.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/139445.html
========================

Updated packages in core/updates_testing:
========================
libvncserver0-0.9.9-2.2.mga3
libvncserver-devel-0.9.9-2.2.mga3
linuxvnc-0.9.9-2.2.mga3
remmina-1.0.0-3.2.mga3
remmina-devel-1.0.0-3.2.mga3
remmina-plugins-common-1.0.0-3.2.mga3
remmina-plugins-gnome-1.0.0-3.2.mga3
remmina-plugins-nx-1.0.0-3.2.mga3
remmina-plugins-rdp-1.0.0-3.2.mga3
remmina-plugins-telepathy-1.0.0-3.2.mga3
remmina-plugins-vnc-1.0.0-3.2.mga3
remmina-plugins-xdmcp-1.0.0-3.2.mga3
libvncserver0-0.9.9-3.2.mga4
libvncserver-devel-0.9.9-3.2.mga4
linuxvnc-0.9.9-3.2.mga4
remmina-1.0.0-4.4.mga4
remmina-devel-1.0.0-4.4.mga4
remmina-plugins-common-1.0.0-4.4.mga4
remmina-plugins-gnome-1.0.0-4.4.mga4
remmina-plugins-nx-1.0.0-4.4.mga4
remmina-plugins-rdp-1.0.0-4.4.mga4
remmina-plugins-telepathy-1.0.0-4.4.mga4
remmina-plugins-vnc-1.0.0-4.4.mga4
remmina-plugins-xdmcp-1.0.0-4.4.mga4

from SRPMS:
libvncserver-0.9.9-2.2.mga3.src.rpm
remmina-1.0.0-3.2.mga3.src.rpm
libvncserver-0.9.9-3.2.mga4.src.rpm
remmina-1.0.0-4.4.mga4.src.rpm

Assignee: bugsquad => qa-bugs
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
libvncserver0 remmina

default install of libvncserver0 & remmina

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.1.mga3.i586 is already installed
Marking libvncserver0 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.1.mga3.i586 is already installed

remmina installs without errors

install libvncserver0 & remmina from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-2.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.2.mga3.i586 is already installed

libvncserver0 & remmina updates install with no reported errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
lib64vncserver0 remmina

default install of lib64vncserver0 & remmina

[root@localhost wilcal]# urpmi lib64vncserver0
Package lib64vncserver0-0.9.9-2.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.1.mga3.x86_64 is already installed

remmina installs without errors

install lib64vncserver0 & remmina from updates_testing

[root@localhost wilcal]# urpmi lib64vncserver0
Package lib64vncserver0-0.9.9-2.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-3.2.mga3.x86_64 is already installed

lib64vncserver0 & remmina updates install with no reported errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
libvncserver0 remmina

default install of libvncserver0 & remmina

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.3.mga4.i586 is already installed

remmina installs without errors

install libvncserver0 & remmina from updates_testing

[root@localhost wilcal]# urpmi libvncserver0
Package libvncserver0-0.9.9-3.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.4.mga4.i586 is already installed

libvncserver0 & remmina updates install with no reported errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
lib64vncserver0 remmina

default install of lib64vncserver0 & remmina

[root@localhost wilcal]# urpmi lib64vncserver0
Package lib64vncserver0-0.9.9-3.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.3.mga4.x86_64 is already installed

remmina installs without errors

install lib64vncserver0 & remmina from updates_testing

[root@localhost wilcal]# urpmi lib64vncserver0
Package lib64vncserver0-0.9.9-3.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi remmina
Package remmina-1.0.0-4.4.mga4.x86_64 is already installed

lib64vncserver0 & remmina updates install with no reported errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

For me this update works fine.
Testing is the same procedure as:
https://bugs.mageia.org/show_bug.cgi?id=13944

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Blocks: 14205 => (none)
Advisory from comment 6 uploaded.
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0397.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
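
The fixed package versions listed in the advisory in this thread can be checked against a host's installed packages. The following is an added example, not part of the bug report or of Mageia's tooling: the function names are hypothetical, the input is assumed to be in `rpm -qa` name-version-release.arch form, and the version comparison is a simplified stand-in for rpm's own (no epochs or tildes).

```python
import re

# Fixed version-release per (package, Mageia release), copied from the advisory's package list.
FIXED = {
    ("libvncserver0", "mga3"): "0.9.9-2.2",
    ("libvncserver0", "mga4"): "0.9.9-3.2",
    ("remmina", "mga3"): "1.0.0-3.2",
    ("remmina", "mga4"): "1.0.0-4.4",
    ("remmina-plugins-vnc", "mga3"): "1.0.0-3.2",
    ("remmina-plugins-vnc", "mga4"): "1.0.0-4.4",
}

NVRA = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<dist>mga\d+)\.(?P<arch>\w+)$")

def seg_key(text):
    """Simplified rpm-style ordering: numeric segments compare as integers and outrank alphabetic ones."""
    return [(1, int(s), "") if s.isdigit() else (0, 0, s) for s in re.findall(r"\d+|[A-Za-z]+", text)]

def audit(package_lines):
    """Map each tracked installed package line to 'fixed' or 'needs-update'."""
    status = {}
    for line in package_lines:
        m = NVRA.match(line.strip())
        if not m:
            continue  # not a name-version-release.arch line
        # 64-bit library packages carry a lib64 prefix (lib64vncserver0 in the QA reports).
        name = re.sub(r"^lib64", "lib", m["name"])
        fixed = FIXED.get((name, m["dist"]))
        if fixed is None:
            continue  # package or release not covered by this advisory
        fixed_ver, fixed_rel = fixed.split("-")
        installed = (seg_key(m["ver"]), seg_key(m["rel"]))
        ok = installed >= (seg_key(fixed_ver), seg_key(fixed_rel))
        status[line.strip()] = "fixed" if ok else "needs-update"
    return status

# Constructed sample: package names as they appear in the QA reports, plus one unrelated made-up line.
SAMPLE = [
    "libvncserver0-0.9.9-2.1.mga3.i586",
    "remmina-1.0.0-3.1.mga3.i586",
    "lib64vncserver0-0.9.9-3.2.mga4.x86_64",
    "remmina-1.0.0-4.4.mga4.x86_64",
    "examplepkg-1.0-1.mga4.x86_64",
]

if __name__ == "__main__":
    for pkg, state in audit(SAMPLE).items():
        print(f"{state:12} {pkg}")
```

On a real host the list would come from `rpm -qa` output rather than `SAMPLE`.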