Debian-LTS has issued an advisory on January 3: https://lwn.net/Alerts/710609/ Upstream commits to fix the issues are linked in the Debian bugs: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850007 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850008 Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
Patched package uploaded for Cauldron. Possible testing procedures: https://bugs.mageia.org/show_bug.cgi?id=13944#c2 https://bugs.mageia.org/show_bug.cgi?id=14155#c7 Patched package uploaded for Mageia 5. Advisory: ======================== Updated libvncserver package fixes security vulnerabilities: It was discovered that there were two vulnerabilities in libvncserver, a library to create/embed a VNC server: A heap-based buffer overflow that allows remote servers to cause a denial of service via a crafted FramebufferUpdate message containing a subrectangle outside of the drawing area (CVE-2016-9941). A heap-based buffer overflow that allow remote servers to cause a denial of service via a crafted FramebufferUpdate message with the "Ultra" type tile such that the LZO decompressed payload exceeds the size of the tile dimensions (CVE-2016-9942). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9941 https://security-tracker.debian.org/tracker/CVE-2016-9941 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9942 https://security-tracker.debian.org/tracker/CVE-2016-9942 ======================== Updated packages in core/updates_testing: ======================== lib64vncserver0-0.9.10-1.2.mga5 lib64vncserver-devel-0.9.10-1.2.mga5 libvncserver-debuginfo-0.9.10-1.2.mga5 from libvncserver-0.9.10-1.2.mga5.src.rpm
CC: (none) => mramboVersion: Cauldron => 5Assignee: pkg-bugs => qa-bugsWhiteboard: MGA5TOO => has_procedure
You can use the DSA URL in the reference rather than the trackers: https://www.debian.org/security/2017/dsa-3753
MGA5-32 on AcerD620 Xfce No installation issues Downloaded and run krfb at CLI strace -o libvnc.txt krfb and get call to libvncserver open("/lib/libvncserver.so.0", O_RDONLY|O_CLOEXEC) = 3
CC: (none) => herman.viaeneWhiteboard: has_procedure => has_procedure MGA5-32-OK
CC: (none) => lewyssmithWhiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
Testing M5_64 # urpmq --whatrequires lib64vncserver0 krdc [VNC client] krfb [VNC server] ...libs remmina-plugins-vnc remmina-plugins-vnc x11vnc Following Herman, I installed 'krdc' [unnecessarily at the feeble level of this test] & 'krfb'. I did not find previous bug references to 'remina' helpful. Unconvincing result was the same before (lib64vncserver0-0.9.10-1.1) and after (lib64vncserver0-0.9.10-1.2) the update. Both commands popped up the GUI. $ strace krfb 2>&1 | grep libvncserver open("/lib64/libvncserver.so.0", O_RDONLY|O_CLOEXEC) = 3 $ strace krdc 2>&1 | grep libvncserver $ which shows merely that krfb opens the library. krdc might if a connection is opened, which I could not try. Unless one can do this on a single machine? OKing anyway. And validating.
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA5-32-OK advisory => has_procedure MGA5-32-OK advisory MGA5-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0027.html
Status: NEW => RESOLVEDResolution: (none) => FIXED