Bug 20179 - tigervnc new security issues CVE-2017-5581, CVE-2017-739[2-6], and CVE-2016-10207
Summary: tigervnc new security issues CVE-2017-5581, CVE-2017-739[2-6], and CVE-2016-1...
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/712666/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-25 12:04 CET by David Walser
Modified: 2017-12-30 01:52 CET (History)
1 user (show)

See Also:
Source RPM: tigervnc-1.3.1-6.1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2017-01-25 12:04:33 CET 
A CVE has been assigned for a buffer overflow issue fixed in TigerVNC 1.7.1:
http://openwall.com/lists/oss-security/2017/01/25/6

The issue was fixed in this commit:
https://github.com/TigerVNC/tigervnc/commit/6c39c0cb0191e1ca4fe209450bbe6297f047ce87

Backporting it to 1.3.1 appears to be non-trivial.
Comment 1 Marja Van Waes 2017-01-26 23:45:58 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

David Walser 2017-01-27 00:20:49 CET

URL: (none) => https://lwn.net/Vulnerabilities/712666/

Comment 2 David Walser 2017-01-27 13:43:16 CET 
openSUSE has issued an advisory for this on January 26:
http://lists.opensuse.org/opensuse-updates/2017-01/msg00146.html

They ported the patch as far back as 1.5.0, which may or may not help.
Comment 3 David Walser 2017-02-05 15:37:08 CET 
CVE-2017-10207 assigned for another issues fixed upstream:
http://openwall.com/lists/oss-security/2017/02/05/2

This one has only been fixed upstream in master so far, not in 1.7-branch.

Summary: tigervnc new security issue CVE-2017-5581 => tigervnc new security issues CVE-2017-5581 and CVE-2017-10207

Comment 4 David Walser 2017-02-13 23:38:03 CET 
(In reply to David Walser from comment #3)
> CVE-2017-10207 assigned for another issues fixed upstream:
> http://openwall.com/lists/oss-security/2017/02/05/2
> 
> This one has only been fixed upstream in master so far, not in 1.7-branch.

openSUSE has issued an advisory for this on February 11:
http://lists.opensuse.org/opensuse-updates/2017-02/msg00053.html

LWN reference:
https://lwn.net/Vulnerabilities/714431/
Comment 5 David Walser 2017-03-23 15:10:27 CET 
RedHat has issued an advisory for this on March 21:
https://rhn.redhat.com/errata/RHSA-2017-0630.html
Comment 6 David Walser 2017-04-09 17:45:14 CEST 
Fedora has issued an advisory on April 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AWXMLXNVUGAYE5VUZEHB7MRIQJNP6VAI/

It fixes more new security issues.

Summary: tigervnc new security issues CVE-2017-5581 and CVE-2017-10207 => tigervnc new security issues CVE-2017-5581, CVE-2017-739[2-6], and CVE-2017-10207

Comment 7 David Walser 2017-08-04 22:02:05 CEST 
(In reply to David Walser from comment #3)
> CVE-2017-10207 assigned for another issues fixed upstream:
> http://openwall.com/lists/oss-security/2017/02/05/2
> 
> This one has only been fixed upstream in master so far, not in 1.7-branch.

Oops, CVE-2016-10207.

Summary: tigervnc new security issues CVE-2017-5581, CVE-2017-739[2-6], and CVE-2017-10207 => tigervnc new security issues CVE-2017-5581, CVE-2017-739[2-6], and CVE-2016-10207

Comment 8 David Walser 2017-12-30 01:52:00 CET 
Patching this appears to be impossible.  It looks like it actually *could* be upgraded to 1.8.0, but that would require upgrading fltk to 1.3.3 or 1.3.4, which would require rebuilding several packages.  So, that won't be happening.  Sorry.

Resolution: (none) => OLD
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.