A CVE has been assigned for an issue fixed in noVNC: http://openwall.com/lists/oss-security/2015/03/12/13

The message above contains a link to an upstream patch to fix the issue. I've checked the patch into Mageia 4 and Cauldron SVN and requested a freeze push.
CC: (none) => mageia
Whiteboard: (none) => MGA5TOO, MGA4TOO
CC: (none) => mageia
Assignee: bugsquad => mageia
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated novnc package fixes security vulnerability:

noVNC before 0.5.1 allows an attacker to steal insecurely set session token cookies, hijacking active or inactive VNC sessions (CVE-2013-7436).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7436
https://bugzilla.redhat.com/show_bug.cgi?id=1193451
========================

Updated packages in core/updates_testing:
========================
novnc-0.4-9.1.mga4

from novnc-0.4-9.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
Thomas had to rebuild the update due to a missing signature.

Updated packages in core/updates_testing:
========================
novnc-0.4-9.2.mga4

from novnc-0.4-9.2.mga4.src.rpm

This is pretty neat.

First you have to use a VNC server to share your desktop via VNC, I used krfb.

Then you run novnc_server, which will allow you to connect from a remote machine to your desktop via HTTP, or if you give novnc_server an SSL certificate to use, via HTTPS. You can create a certificate with OpenSSL or just use the Apache one if you have that installed (with the option --cert /etc/pki/tls/certs/httpd.pem).

$ krfb &
$ cd /usr/share/novnc
$ novnc_server --cert /etc/pki/tls/certs/httpd.pem

then it gives you some output, including an HTTP URL you can use from a remote machine to connect to your desktop. Make sure you've enabled access to port 6080 on your desktop in your firewall settings if you use one (and maybe port 5900 also).

It worked fine for me. Testing complete Mageia 4 i586.
Whiteboard: (none) => has_procedure MGA4-32-OK
Hi David,

(In reply to David Walser from comment #3)
> This is pretty neat.
>
> First you have to use a VNC server to share your desktop via VNC, I used
> krfb.
>
> Then you run novnc_server, which will allow you to connect from a remote
> machine to your desktop via HTTP, or if you give novnc_server an SSL
> certificate to use, via HTTPS. You can create a certificate with OpenSSL or
> just use the Apache one if you have that installed (with the option --cert
> /etc/pki/tls/certs/httpd.pem).
>
> $ krfb &
> $ cd /usr/share/novnc
> $ novnc_server --cert /etc/pki/tls/certs/httpd.pem
>
> then it gives you some output, including an HTTP URL you can use from a
> remote machine to connect to your desktop. Make sure you've enabled access
> to port 6080 on your desktop in your firewall settings if you use one (and
> maybe port 5900 also).
>
> It worked fine for me. Testing complete Mageia 4 i586.

I got a localhost URL, and was not able to connect to the VM's IP. Otherwise, using a browser to connect to the VM's HTTP service on localhost:6080 from itself worked fine on MGA4-64. Is it good enough to be marked as OK?
CC: (none) => shlomif
Please fix the firewall settings as I mentioned before.
Thanks for the procedure. It's a useful application.

Testing complete mga4 64.

In krfb select "New personal invitation" and note the password so you can enter it in the novnc connection settings.

One thing worth noting: it appears to only enter text in CAPS from the remote machine, but it's not a regression.
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok
I'm also not able to connect over https; that is not a regression either. When attempted, using the apache cert, it shows several (9?) of:

handler exception: [SSL] PEM lib (_ssl.c:2525)
Advisory uploaded. I'll wait for your feedback before validating David.
Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-ok
Using the apache cert worked for me, but I suppose it could depend on when and exactly how the cert was generated and some properties of it. If you want to try regenerating your httpd.pem, it would be:

rm /etc/pki/tls/{certs,private}/httpd.pem
/usr/share/rpm-helper/create-ssl-certificate apache 1 httpd

Hopefully that works.
No, unfortunately. It works well without https though, even displaying a remote host with the local novnc.

Trying it on a relatively pristine i586 to see if it's a 64bit issue, it seems to be missing a require:

$ novnc_server --cert /etc/pki/tls/private/httpd.pem
Starting webserver and WebSockets proxy on port 6080
Traceback (most recent call last):
  File "/usr/bin/websockify", line 5, in <module>
    from pkg_resources import load_entry_point
ImportError: No module named pkg_resources
Failed to start WebSockets proxy

Possibly it should be creating its own cert (self.pem) too.

$ novnc_server
Warning: could not find self.pem
Starting webserver and WebSockets proxy on port 6080
Traceback (most recent call last):
  File "/usr/bin/websockify", line 5, in <module>
    from pkg_resources import load_entry_point
ImportError: No module named pkg_resources
Failed to start WebSockets proxy

So does https work if you install python-pkg-resources? It looks like we need a bug report that websockify should require python-pkg-resources. As for generating its own cert, that's really up to the user to do. The stuff in /usr/share/novnc is technically just an example; you're really supposed to copy it to your own directory somewhere and customize it (if you want) there.
It starts with the python package installed but https still shows the handler exception.
Strange, I just tried generating new certs with create-ssl-certificate, and it still works just fine. Do you only get the exception on x86_64?
No, it's both i586 and x86_64. Bug 15622 created for websockify.

So it's something particular on your system (maybe a missing requires, maybe who knows?), so I guess we can validate this (since I know it works) if we can't find some obvious reason for the problem. The only other thing I would be trying would be running it as

strace -f -o novnc.out novnc [..args..]

and checking the strace output to see if anything obvious stands out, like trying to open non-existent files or something.

I don't see anything obvious. It's not a regression anyway. Validating. Please push to 4 updates. Thanks.
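One offline check that fits the diagnostic discussion above, added here and not part of the thread or of the noVNC/websockify projects: a small Python script that lists the PEM blocks in a file handed to --cert and reports whether it can serve as a combined cert+key file. It assumes (not stated in the thread) that websockify reads the private key from the --cert file when no --key is given, so a cert-only httpd.pem would be one plausible way to hit a "[SSL] PEM lib" handler exception; the sample PEM bodies are constructed placeholders, not real keys.

```python
import base64
import binascii
import re

# One PEM block; the backreference insists the BEGIN and END labels agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, body_is_valid_base64) for each PEM block, in file order."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group(2).split())  # strip the 64-column line breaks
        try:
            base64.b64decode(body, validate=True)
            ok = True
        except (binascii.Error, ValueError):
            ok = False
        out.append((m.group(1), ok))
    return out


def diagnose(text, key_given=False):
    """Say whether `text` is usable as websockify's --cert argument.

    Assumption: with no --key option, websockify loads the private key from
    the same file, so that file needs both CERTIFICATE and PRIVATE KEY blocks.
    """
    blocks = pem_blocks(text)
    if not blocks:
        return "no PEM blocks found (wrong file, or DER-encoded?)"
    bad = [lbl for lbl, ok in blocks if not ok]
    if bad:
        return "corrupt base64 body in block(s): " + ", ".join(bad)
    labels = [lbl for lbl, _ in blocks]
    if "CERTIFICATE" not in labels:
        return "no CERTIFICATE block"
    if not key_given and not any(lbl.endswith("PRIVATE KEY") for lbl in labels):
        return "CERTIFICATE present but no PRIVATE KEY; pass --key or use a combined file"
    return "ok: " + ", ".join(labels)


# Constructed sample files: bodies are valid base64 of placeholder bytes, not keys.
_body = base64.b64encode(b"constructed placeholder bytes").decode()
CERT_ONLY = f"-----BEGIN CERTIFICATE-----\n{_body}\n-----END CERTIFICATE-----\n"
CERT_AND_KEY = CERT_ONLY + (
    f"-----BEGIN RSA PRIVATE KEY-----\n{_body}\n-----END RSA PRIVATE KEY-----\n")
TRUNCATED = CERT_ONLY.replace(_body, _body[:-3] + "!!")  # damaged body
```

Run it against a real file with `diagnose(open("/etc/pki/tls/certs/httpd.pem").read())`; a file that passes here but still fails in websockify points to a cause other than file layout, which is when the strace suggestion above applies.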
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0133.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/639239/