+++ This bug was initially created as a clone of Bug #14155 +++

Security issues in libvncserver were announced today (September 23):
http://openwall.com/lists/oss-security/2014/09/23/6

It sounds like fixes should be available soon.

Mageia 3 and Mageia 4 are also affected.
Source RPM: libvncserver-0.9.9-5.mga5.src.rpm => kdenetwork4-4.10.5-1.2.mga3, krfb-4.12.5-1.1.mga4
(David Walser comment #2 in bug #14155)
An advisory was released today (September 25) with links to upstream patches:
http://www.ocert.org/advisories/ocert-2014-007.html

(David Walser comment #3 in bug #14155)
Fedora has issued an advisory for this on September 26:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/139445.html

CC: geiger.david68210 => (none)
Whiteboard: (none) => MGA4TOO, MGA3TOO
Here's the upstream KDE advisory for this from September 23: https://www.kde.org/info/security/advisory-20140923-1.txt
(In reply to David Walser in bug #14155)
>
> To Luc Menut:
> Whichever Mageia versions don't have krfb built against the system
> libvncserver will either need to be made to do so, or it'll have to be
> patched for these issues as well.

Sadly, I had to reuse the bundled libvncserver even in Cauldron, because the patch to use the system libvncserver available upstream in krfb master is intended to be used with a recent git snapshot of libvncserver.

I used the 4 patches available in krfb 4.14 branch to patch krfb and kdenetwork4:
- krfb-4.14.1-1.mga5 in cauldron
- krfb-4.12.5-1.2.mga4 is available in 4/updates_testing and is included in mga4 updates to 4.12.5 - bug #13221
- kdenetwork4-4.10.5-1.3.mga3 is available in 3/updates_testing.
Depends on: 14155 => (none)
Advisory:
========================

Updated kdenetwork4 packages fix security vulnerabilities in krfb:

A malicious VNC client can trigger multiple DoS conditions on the VNC server by advertising a large screen size, ClientCutText message length and/or a zero scaling factor parameter (CVE-2014-6053, CVE-2014-6054).

A malicious VNC client can trigger multiple stack-based buffer overflows by passing long file and directory names and/or attributes (FileTime) when using the file transfer message feature (CVE-2014-6055).

The krfb package is built with a bundled copy of libvncserver.

References:
http://www.ocert.org/advisories/ocert-2014-007.html
https://www.kde.org/info/security/advisory-20140923-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6055
========================

src.rpm:
kdenetwork4-4.10.5-1.3.mga3.src.rpm

packages for i586:
kde4-filesharing-4.10.5-1.3.mga3.i586.rpm
kdenetwork4-4.10.5-1.3.mga3.i586.rpm
kdenetwork4-devel-4.10.5-1.3.mga3.i586.rpm
kdenetwork-strigi-analyzers-4.10.5-1.3.mga3.i586.rpm
kdnssd-4.10.5-1.3.mga3.i586.rpm
kget-4.10.5-1.3.mga3.i586.rpm
kget-handbook-4.10.5-1.3.mga3.noarch.rpm
kopete-4.10.5-1.3.mga3.i586.rpm
kopete-handbook-4.10.5-1.3.mga3.noarch.rpm
kopete-latex-4.10.5-1.3.mga3.i586.rpm
kppp-4.10.5-1.3.mga3.i586.rpm
kppp-handbook-4.10.5-1.3.mga3.noarch.rpm
kppp-provider-4.10.5-1.3.mga3.i586.rpm
krdc-4.10.5-1.3.mga3.i586.rpm
krdc-handbook-4.10.5-1.3.mga3.noarch.rpm
krfb-4.10.5-1.3.mga3.i586.rpm
krfb-handbook-4.10.5-1.3.mga3.noarch.rpm
libkgetcore4-4.10.5-1.3.mga3.i586.rpm
libkopete4-4.10.5-1.3.mga3.i586.rpm
libkopeteaddaccountwizard1-4.10.5-1.3.mga3.i586.rpm
libkopetechatwindow_shared1-4.10.5-1.3.mga3.i586.rpm
libkopetecontactlist1-4.10.5-1.3.mga3.i586.rpm
libkopeteidentity1-4.10.5-1.3.mga3.i586.rpm
libkopete_oscar4-4.10.5-1.3.mga3.i586.rpm
libkopeteprivacy1-4.10.5-1.3.mga3.i586.rpm
libkopetestatusmenu1-4.10.5-1.3.mga3.i586.rpm
libkopete_videodevice4-4.10.5-1.3.mga3.i586.rpm
libkrdccore4-4.10.5-1.3.mga3.i586.rpm
libkrfbprivate4-4.10.5-1.3.mga3.i586.rpm
libkyahoo1-4.10.5-1.3.mga3.i586.rpm
liboscar1-4.10.5-1.3.mga3.i586.rpm

packages for x86_64:
kde4-filesharing-4.10.5-1.3.mga3.x86_64.rpm
kdenetwork4-4.10.5-1.3.mga3.x86_64.rpm
kdenetwork4-devel-4.10.5-1.3.mga3.x86_64.rpm
kdenetwork-strigi-analyzers-4.10.5-1.3.mga3.x86_64.rpm
kdnssd-4.10.5-1.3.mga3.x86_64.rpm
kget-4.10.5-1.3.mga3.x86_64.rpm
kget-handbook-4.10.5-1.3.mga3.noarch.rpm
kopete-4.10.5-1.3.mga3.x86_64.rpm
kopete-handbook-4.10.5-1.3.mga3.noarch.rpm
kopete-latex-4.10.5-1.3.mga3.x86_64.rpm
kppp-4.10.5-1.3.mga3.x86_64.rpm
kppp-handbook-4.10.5-1.3.mga3.noarch.rpm
kppp-provider-4.10.5-1.3.mga3.x86_64.rpm
krdc-4.10.5-1.3.mga3.x86_64.rpm
krdc-handbook-4.10.5-1.3.mga3.noarch.rpm
krfb-4.10.5-1.3.mga3.x86_64.rpm
krfb-handbook-4.10.5-1.3.mga3.noarch.rpm
lib64kgetcore4-4.10.5-1.3.mga3.x86_64.rpm
lib64kopete4-4.10.5-1.3.mga3.x86_64.rpm
lib64kopeteaddaccountwizard1-4.10.5-1.3.mga3.x86_64.rpm
lib64kopetechatwindow_shared1-4.10.5-1.3.mga3.x86_64.rpm
lib64kopetecontactlist1-4.10.5-1.3.mga3.x86_64.rpm
lib64kopeteidentity1-4.10.5-1.3.mga3.x86_64.rpm
lib64kopete_oscar4-4.10.5-1.3.mga3.x86_64.rpm
lib64kopeteprivacy1-4.10.5-1.3.mga3.x86_64.rpm
lib64kopetestatusmenu1-4.10.5-1.3.mga3.x86_64.rpm
lib64kopete_videodevice4-4.10.5-1.3.mga3.x86_64.rpm
lib64krdccore4-4.10.5-1.3.mga3.x86_64.rpm
lib64krfbprivate4-4.10.5-1.3.mga3.x86_64.rpm
lib64kyahoo1-4.10.5-1.3.mga3.x86_64.rpm
lib64oscar1-4.10.5-1.3.mga3.x86_64.rpm
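The input classes named in the advisory above (an oversized ClientCutText length, a zero scaling factor, over-long file-transfer names) all come down to client-supplied sizes being used before they are checked. As an added example, not code from libvncserver, krfb or the upstream patches, the following C sketch shows the corresponding server-side checks. The function names, the `MAX_CUT_TEXT` cap and the return codes are assumptions made for illustration; the ClientCutText layout follows the RFB protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CUT_TEXT (1u << 20) /* assumed policy cap, not a libvncserver value */
enum rfb_check { RFB_OK, RFB_NEED_MORE, RFB_REJECT };

/* RFB sends multi-byte integers big-endian. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* ClientCutText: type(1)=6, padding(3), length(4), text(length).
 * The announced length is capped before any buffer is sized from it. */
enum rfb_check check_client_cut_text(const uint8_t *buf, size_t have,
                                     uint32_t *text_len)
{
    if (have < 8) return RFB_NEED_MORE;       /* header incomplete */
    if (buf[0] != 6) return RFB_REJECT;       /* not ClientCutText */
    uint32_t len = be32(buf + 4);
    if (len > MAX_CUT_TEXT) return RFB_REJECT; /* oversized claim */
    if (have - 8 < len) return RFB_NEED_MORE; /* body incomplete */
    *text_len = len;
    return RFB_OK;
}

/* Scaling request: a zero factor is refused before it is used as a divisor. */
enum rfb_check scaled_size(uint16_t w, uint16_t h, uint8_t scale,
                           uint16_t *out_w, uint16_t *out_h)
{
    if (scale == 0) return RFB_REJECT;
    *out_w = (uint16_t)((w + scale - 1) / scale);
    *out_h = (uint16_t)((h + scale - 1) / scale);
    return RFB_OK;
}

/* File-transfer name: copied into a fixed buffer only if it fits together
 * with the terminating NUL. The caller guarantees src holds `claimed` bytes. */
enum rfb_check copy_name(char *dst, size_t dst_size,
                         const uint8_t *src, size_t claimed)
{
    if (dst_size == 0 || claimed >= dst_size) return RFB_REJECT;
    memcpy(dst, src, claimed);
    dst[claimed] = '\0';
    return RFB_OK;
}
```
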
Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => (none)
Used krfb to share a connection (Mageia 3 i586) and then connected to it using TigerVNC from a Windows machine at work. It worked fine (other than switching my left and right mouse buttons).
Source RPM: kdenetwork4-4.10.5-1.2.mga3, krfb-4.12.5-1.1.mga4 => kdenetwork4-4.10.5-1.2.mga3
Whiteboard: (none) => MGA3-32-OK

Testing on Mageia3-64 virtualbox

Before
------
Installed normal krfb-4.10.5-1.2 plus all packages listed in version 4.10.5-1.2
Used remote desktop client (KRDC) from a mageia4-64 computer to connect to mageia3-64 through krfb.
Everything went well.

After :
------
Updated on mageia3-64 to krfb-4.10.5-1.3 plus all packages listed.
Retraced same procedure.

When connecting with krdc on mageia4-64

With vnc protocol, I don't get the chance to give the password, because immediately :
Pop-up window : "Le serveur VNC a fermé la connexion" (VNC server closed connection)
On mageia3-64 using krfb : "Connexion non invitée acceptée depuis <<192.168.0.11:41425>>" (Uninvited connection accepted from...) though it's invited and not accepted.

With rdp protocol, I can fill the password
Pop-up window : "Echec de tentative de connexion à l'hôte" (Connection to host unsuccessful).
On mageia3-64 using krfb, same as before : "Connection non invitée acceptée depuis ..."

With Gnome remote desktop,
No time to give the password, message : "Connexion fermée, la connexion à l'hôte 192.168.0.13 a été fermée" (Connection closed)
On mageia3-64 using krfb : "Connection non invitée..."

So that does not work for me.

Question : is it normal that lib64kdnssd4 2:4.10.5-1.2.mga3 is not updated in testing when kdnssd is to version 2:4.10.5-1.3.mga3 ?
CC: (none) => olchal
Olivier, every time you make a new connection you have to first go back to krfb and do a new invitation. I found this out while testing too. Secondly, for some reason libkdnssd4 comes from a different SRPM (kdelibs4) than kdnssd (kdenetwork4). I don't know why, but it's nothing to worry about :o)
That's what I did. To be sure, I deleted all invitations in krfb, shut down both computers (guest and host), proceeded with a new invitation from krfb, and still the same problem.
That's strange. I'm guessing you did, but just to be sure, did you update the libkrfbprivate4 package as well as krfb? Not that it's anything that should have changed between the initial install and updating it, but maybe double-check your firewall rules (I had to fix mine to allow the connection).
I checked all packages, all is updated in testing as it should. Firewall set as "accept all" on both sides to be sure, still not working. I'll retry the whole process as soon as I can.
On mageia3-64 virtual box I did it a third time, installing task-kde instead of task-kde-minimal which gave me nearly all the packages for non-updated non-testing version. It performed well. With updated-testing packages, it was impossible to connect to vnc server. Could someone else try on mageia3-64 ?
Making the initial connection is a bit of a convoluted procedure. On the machine you're running krfb on, you run krfb and make a new invitation. Also make sure your firewall settings allow connections to port 5900. Then you go to a remote machine and use a VNC client (tigervnc is a good one) and make a connection to the krfb machine. Nothing will happen there immediately, as you have to go back to the krfb machine and click something to allow the connection. Then you have to go back to the other machine and put in the password that krfb gave you when you created the invitation.

You can make it a bit simpler, by going (in Krfb's menu) to Settings > Configure Desktop Sharing > Security and uncheck "Ask before accepting connections" and check "Allow uninvited connections" and put in a password below that. Then, when you connect from a VNC client from a remote machine, all you have to do is put in the password and it works.
Whiteboard: MGA3-32-OK => has_procedure MGA3-32-OK
Thanks David, I could make it work with settings in 2nd paragraph from your comment 12. Could connect from krdc to host with uninvited connections allowed. That proved my firewall was correctly set. I was still unable to get a connection with invitation though following your procedure faithfully. With current packages (non-testing), even if it was confusing, I could manage it. Tigervnc was no better. I don't know what to make of that.
Yeah, who knows, it's a bit convoluted if you don't change the settings :o) The important thing is that you were able to get it to work. I'll go ahead and validate this now. Could someone please upload the advisory? Once the advisory is uploaded, sysadmins, please push this to core/updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-32-OK => has_procedure MGA3-32-OK MGA3-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remi
Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK => has_procedure MGA3-32-OK MGA3-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0466.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED