Bug 25786 - vino new security issues CVE-2014-6053, CVE-2018-7225, CVE-2019-15681 due to bundled libvncserver
Summary: vino new security issues CVE-2014-6053, CVE-2018-7225, CVE-2019-15681 due to ...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://linuxsecurity.com/advisories/...
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-11-29 23:30 CET by Zombie Ryushu
Modified: 2020-06-10 23:40 CEST
7 users

See Also:
Source RPM: vino-3.22.0-3.mga7.src.rpm
CVE:
Status comment:


Comment 1 Lewis Smith 2019-11-30 11:04:14 CET
Thank you Zombie for the notice.
---
I have looked for duplicates, found none.
This package has no registered maintainer. Assigning to DavidG as you did something with it fairly recently.

Source RPM: vino => vino-3.22.0-3.mga7.src.rpm
Component: RPM Packages => Security
Assignee: bugsquad => geiger.david68210
QA Contact: (none) => security

Comment 2 David Walser 2019-11-30 15:53:50 CET
Actual link:
https://www.debian.org/lts/security/2019/dla-2014

These are libvncserver issues....

CVE-2014-6053: Bug 14155
CVE-2018-7225: Bug 22847
CVE-2019-15681: new

However, vino doesn't appear to be built against the system library, so that should be fixed if possible.

Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO
Summary: vino security update CVE-2014-6053 CVE-2018-7225 CVE-2019-15681 => vino new security issues CVE-2014-6053, CVE-2018-7225, CVE-2019-15681

Comment 3 David Walser 2019-11-30 15:57:27 CET
CVE-2019-15681 filed as Bug 25788.

Summary: vino new security issues CVE-2014-6053, CVE-2018-7225, CVE-2019-15681 => vino new security issues CVE-2014-6053, CVE-2018-7225, CVE-2019-15681 due to bundled libvncserver

Comment 4 David Walser 2019-12-20 22:04:00 CET
CVE-2019-15690 would also affect this (see Bug 25918).

Comment 5 David Walser 2020-04-09 22:15:57 CEST
SUSE has issued an advisory for CVE-2019-15681 in vino on April 8:
http://lists.suse.com/pipermail/sle-security-updates/2020-April/006688.html

CC: (none) => luigiwalser

Comment 6 David GEIGER 2020-04-11 11:31:48 CEST
Done for both Cauldron and mga7!

Comment 7 David Walser 2020-04-11 18:52:33 CEST
(In reply to David Walser from comment #4)
> CVE-2019-15690 would also affect this (see Bug 25918).

Actually that affected libvncclient code, but vino only bundles libvncserver, so vino is not affected by that one.

Comment 8 David Walser 2020-04-11 18:56:45 CEST
Advisory:
========================

Updated vino packages fix security vulnerabilities:

The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in
LibVNCServer did not properly handle attempts to send a large amount of
ClientCutText data, which allowed remote attackers to cause a denial of service
(memory consumption or daemon crash) via a crafted message that was processed
by using a single unchecked malloc (CVE-2014-6053).

An issue was discovered in LibVNCServer. rfbProcessClientNormalMessage() in
rfbserver.c did not sanitize msg.cct.length, leading to access to uninitialized
and potentially sensitive data or possibly unspecified other impact (e.g., an
integer overflow) via specially crafted VNC packets (CVE-2018-7225).

LibVNC contained a memory leak in VNC server code, which allowed an attacker to
read stack memory and could be abused for information disclosure. Combined with
another vulnerability, it could be used to leak stack memory and bypass ASLR.
This attack appeared to be exploitable via network connectivity
(CVE-2019-15681).

The bundled libvncserver code in vino has been patched to fix these issues.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6053
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15681
https://www.debian.org/lts/security/2019/dla-2014
========================

Updated packages in core/updates_testing:
========================
vino-3.22.0-3.1.mga7

from vino-3.22.0-3.1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
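The following is an added example, not code from vino, LibVNCServer or this bug report. It shows the two parsing patterns the advisory above describes for an RFB ClientCutText message (U8 type 6, three pad bytes, big-endian U32 length, then the text): the unchecked form, where the client-supplied length drives a single malloc and the copy, and a hardened form that caps the length before allocating and copies only bytes that actually arrived. The receive buffer is an in-memory array standing in for the socket; the 1 MiB cap, the error codes and the sample message with stale 'S' bytes are assumptions constructed for this example, not LibVNCServer's constants or a real capture.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFB 3.8 ClientCutText (sec. 6.4.6): U8 type=6, 3 pad bytes, U32 length (big-endian),
   then `length` bytes of text. */
#define RFB_CLIENT_CUT_TEXT 6
#define CUT_TEXT_HDR_LEN    8
/* Assumed upper bound for one clipboard message; an illustrative cap, not LibVNCServer's value. */
#define CUT_TEXT_MAX_LEN    (1u << 20)

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern (illustrative, not the actual libvncserver source): the client-supplied
   length is trusted. A huge length means one unchecked malloc (memory exhaustion, or a NULL
   dereference when it fails; 0xffffffff + 1 even wraps to 0 in uint32 arithmetic), and the copy
   pulls in whatever sits after the bytes the client really sent: stale receive-buffer contents. */
char *cut_text_unchecked(const uint8_t *buf, size_t *out_len) {
    if (buf[0] != RFB_CLIENT_CUT_TEXT) return NULL;
    uint32_t length = be32(buf + 4);
    char *text = malloc(length + 1);              /* no NULL check, no size check */
    memcpy(text, buf + CUT_TEXT_HDR_LEN, length); /* copies `length` bytes whatever arrived */
    text[length] = '\0';
    *out_len = length;
    return text;
}

/* Hardened form: cap the length before allocating, copy only bytes that actually arrived,
   and check the allocation. Returns 0 on success, a negative code (assumed values) on rejection. */
int cut_text_checked(const uint8_t *buf, size_t avail, char **out, size_t *out_len) {
    if (avail < CUT_TEXT_HDR_LEN || buf[0] != RFB_CLIENT_CUT_TEXT) return -1;
    uint32_t length = be32(buf + 4);
    if (length > CUT_TEXT_MAX_LEN) return -2;                  /* reject before any allocation */
    if ((size_t)length > avail - CUT_TEXT_HDR_LEN) return -3;  /* client did not send that much */
    char *text = malloc((size_t)length + 1);                   /* size_t arithmetic: no wrap */
    if (!text) return -4;
    memcpy(text, buf + CUT_TEXT_HDR_LEN, length);
    text[length] = '\0';
    *out = text;
    *out_len = length;
    return 0;
}

/* Constructed receive buffer (not a real capture): a ClientCutText whose header claims
   `claimed` bytes of text, but the client only sent "hello"; the rest of the buffer still holds
   stale 'S' bytes left by an earlier message. Returns how many bytes actually arrived. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t claimed) {
    const uint8_t hdr[CUT_TEXT_HDR_LEN] = {
        RFB_CLIENT_CUT_TEXT, 0, 0, 0,
        (uint8_t)(claimed >> 24), (uint8_t)(claimed >> 16), (uint8_t)(claimed >> 8), (uint8_t)claimed
    };
    memset(buf, 'S', cap);
    memcpy(buf, hdr, CUT_TEXT_HDR_LEN);
    memcpy(buf + CUT_TEXT_HDR_LEN, "hello", 5);
    return CUT_TEXT_HDR_LEN + 5;
}

/* Number of stale bytes the unchecked parser hands back for a message claiming 32 bytes. */
int stale_bytes_leaked(void) {
    uint8_t buf[64];
    build_sample(buf, sizeof buf, 32);
    size_t n = 0;
    char *t = cut_text_unchecked(buf, &n);
    int stale = 0;
    for (size_t i = 5; i < n; i++) if (t[i] == 'S') stale++;
    free(t);
    return stale;
}

/* Result code of the checked parser for the same buffer, given how much really arrived. */
int checked_result(uint32_t claimed, size_t *text_len) {
    uint8_t buf[64];
    size_t got = build_sample(buf, sizeof buf, claimed);
    char *t = NULL;
    int rc = cut_text_checked(buf, got, &t, text_len);
    free(t);
    return rc;
}

int main(void) {
    size_t n = 0;
    printf("unchecked parser leaked %d stale bytes\n", stale_bytes_leaked());
    printf("checked, claimed 32 but 5 sent: %d\n", checked_result(32, &n));
    int rc = checked_result(5, &n);
    printf("checked, claimed 5: %d (text length %zu)\n", rc, n);
    printf("checked, claimed 0xffffffff: %d\n", checked_result(0xffffffffu, &n));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c` and run it. The unchecked parser returns 27 bytes of stale data behind "hello", which is the information-disclosure shape of CVE-2018-7225 and CVE-2019-15681; the checked parser refuses the same message, and refuses the 0xffffffff length before malloc ever runs, which is the CVE-2014-6053 case.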

Comment 9 Herman Viaene 2020-04-13 15:27:28 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Found some info in bug 8782, but first hurdle: the command vino-preferences is not in our package.
Googled and found http://www.softpanorama.org/Xwindows/VNC/Vino/activating_vino_from_command_line.shtml
but this also refers to that command.
Further quoting from it: "Vino is the default VNC server in Gnome which provides the capability to view Gnome desktop via VNC client."
I have no Gnome on this or any other machine, and I won't touch it ever, not even with a pole (tried it once and no more).
It installed cleanly, that's all I can say on the update.

CC: (none) => herman.viaene

Comment 10 Len Lawrence 2020-04-13 18:38:12 CEST
According to https://askubuntu.com/questions/416353/where-is-vino-preferences-gone-in-xubuntu-13-10-sharing-desktop-in-xubuntu-1
vino-preferences has been placed in GNOME desktop settings.
Using the dconf editor in Mate the settings can be accessed in this path:
org / gnome / desktop / remote-access
That gives you:
org.gnome.Vino with various settings.

systemd does not seem to know vino-server but it can be launched like so:
$ sudo /usr/libexec/vino-server

Personally I do not feel comfortable with any of this so this is FYI only.

CC: (none) => tarazed25

Thomas Backlund 2020-04-15 11:34:48 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 11 Thomas Andrews 2020-05-06 14:06:15 CEST
Completely out of my element here, so I don't know anything about how to test this, or how to address the questions brought up in Comment 9 and Comment 10.

However, I just validated Bug 26587, concerning libvncserver1.

Does that affect this bug at all? The suggested advisory says that the bundled vncserver code has been patched. Do the changes in libvncserver1 from Bug 26587 need to be added here, too?

Keywords: (none) => feedback
CC: (none) => andrewsfarm

Comment 12 David Walser 2020-05-06 14:12:18 CEST
No, Comment 7 applies.

Keywords: feedback => (none)

Comment 13 Len Lawrence 2020-05-07 10:45:24 CEST
Agreeing with comment 11 here. Out of my depth.

All that can be said is that vino-preferences can be accessed via dconf-editor and that the vino-server can be launched and listens on port 5900 but how you tickle it is beyond my understanding.  Where and what is the vino client in all this?

Comment 14 Len Lawrence 2020-05-07 10:54:44 CEST
On the server side:
$ netstat -nl | grep 5900
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN     
tcp6       0      0 :::5900                 :::*                    LISTEN     

So that is fine.  vino is waiting for somebody to send it a message via :5900 and it then needs to find someone to give it to.  How is that defined?

Comment 15 Len Lawrence 2020-05-07 13:51:43 CEST
Verified that the remote port was accessible via telnet.  Also ran the vino server on the remote host and tried a VNC connection with remmina on the local machine and hit "connection refused".

Comment 16 Thomas Andrews 2020-05-31 00:35:22 CEST
So we have two clean installs, and one tester who was able to work with part of it. TMB uploaded the advisory, which says a lot about his confidence in it.

Since nothing has happened here in 24 days, I'm contemplating letting it go. Herman has washed his hands of it, so Len, what do you think?

Comment 17 Len Lawrence 2020-05-31 02:30:17 CEST
Yes, it does not look like QA is going to get anywhere with this one so we might as well let it go.
Thanks TJ.

Comment 18 Thomas Andrews 2020-05-31 04:53:52 CEST
Thanks, Len. OKing and Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Comment 19 Mageia Robot 2020-06-10 23:40:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0242.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
