Bug 25788 - libvncserver new security issue CVE-2019-15681
Summary: libvncserver new security issue CVE-2019-15681
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-11-30 15:56 CET by David Walser
Modified: 2019-12-06 15:17 CET
CC: 5 users

See Also:
Source RPM: libvncserver-0.9.12-2.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2019-11-30 15:56:42 CET
Debian-LTS has issued an advisory on November 29:
https://www.debian.org/lts/security/2019/dla-2014

The upstream commit that fixed the issue is linked from here:
https://security-tracker.debian.org/tracker/CVE-2019-15681

Mageia 7 is also affected.
David Walser 2019-11-30 15:56:49 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2019-11-30 18:04:17 CET
Patched packages uploaded for Mageia 7 and Cauldron by David.

Advisory:
========================

Updated libvncserver packages fix security vulnerability:

LibVNC contained a memory leak in VNC server code, which allowed an attacker to
read stack memory and could be abused for information disclosure. Combined with
another vulnerability, it could be used to leak stack memory and bypass ASLR.
This attack appeared to be exploitable via network connectivity
(CVE-2019-15681).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15681
https://www.debian.org/lts/security/2019/dla-2014
========================

Updated packages in core/updates_testing:
========================
libvncserver1-0.9.12-2.1.mga7
libvncserver-devel-0.9.12-2.1.mga7

from libvncserver-0.9.12-2.1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: bugsquad => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
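The advisory describes an uninitialised-memory leak in server-to-client messages. The following is an added C example, not code from this bug, the Mageia package or libvncserver itself: a message header whose explicit padding bytes are never written before the struct is copied out to the peer, beside the zero-before-fill pattern that closes the hole, plus a small check that counts non-zero padding bytes in the serialised header. The struct, constant and function names are assumptions modelled on the RFB ServerCutText header layout (1-byte type, 3 padding bytes, 4-byte length); the 0xAA fill stands in for stale stack contents so the result is deterministic.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical message header modelled on the RFB ServerCutText layout:
 * 1-byte type, 3 explicit padding bytes, 4-byte big-endian length.
 * Constructed for this example; not the libvncserver definition. */
typedef struct {
    uint8_t  type;
    uint8_t  pad1;
    uint16_t pad2;
    uint32_t length;
} cut_text_msg;
#define MSG_SERVER_CUT_TEXT 3
typedef size_t (*builder_fn)(uint8_t *out, uint32_t len);

/* Vulnerable pattern: only the meaningful fields are assigned, so pad1/pad2
 * keep whatever the stack held (0xAA here stands in for that stale content). */
static size_t build_msg_leaky(uint8_t *out, uint32_t len) {
    cut_text_msg m;
    memset(&m, 0xAA, sizeof m);        /* stand-in for stale stack bytes */
    m.type = MSG_SERVER_CUT_TEXT;
    m.length = htonl(len);
    memcpy(out, &m, sizeof m);         /* padding goes out with the rest */
    return sizeof m;
}
/* Hardened pattern: clear the whole struct before filling it, so the
 * padding the peer receives is always zero whatever the stack held. */
static size_t build_msg_fixed(uint8_t *out, uint32_t len) {
    cut_text_msg m;
    memset(&m, 0xAA, sizeof m);        /* same stale stand-in as above */
    memset(&m, 0, sizeof m);           /* the fix: zero padding too */
    m.type = MSG_SERVER_CUT_TEXT;
    m.length = htonl(len);
    memcpy(out, &m, sizeof m);
    return sizeof m;
}
/* Check on a serialised header: offsets 1..3 are padding and must be zero;
 * any other value there is memory the peer should never have seen. */
static int count_leaked_bytes(const uint8_t *msg, size_t n) {
    int leaked = 0;
    for (size_t i = 1; i < 4 && i < n; i++)
        if (msg[i] != 0) leaked++;
    return leaked;
}

/* Build one header with the given builder and count its leaked padding bytes. */
static int leaked_bytes_from(builder_fn build) {
    uint8_t buf[sizeof(cut_text_msg)];
    return count_leaked_bytes(buf, build(buf, 5));
}
```

The same check, run against captured traffic or a unit test of the real sender, is a cheap regression guard for this bug class: every padding byte that reaches the wire must be zero.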

Comment 2 Herman Viaene 2019-12-05 11:57:35 CET
QA-repo answers: "libvncserver1-0.9.12-2.1.mga7 not found in the remote repository"
Usually the Belgian mirror is one day behind, but not more, and tnef, which I just tested, loaded on the same day.

CC: (none) => herman.viaene

Comment 3 Thomas Backlund 2019-12-05 11:59:57 CET
If you test 64bit, that would be:

lib64vncserver1-0.9.12-2.1.mga7

CC: (none) => tmb

Comment 4 Herman Viaene 2019-12-05 12:03:59 CET
Grrrrrr, headbanging.
Comment 5 Herman Viaene 2019-12-05 15:31:56 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Installed x11vnc to test and connected from my desktop PC, works OK.

Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2019-12-05 22:29:14 CET
(In reply to Herman Viaene from comment #4)
> Grrrrrr, headbanging.

I've been there. QARepo is a really great tool for QA, but it was designed to use copy-and-paste to get the rpm list. When the rpms are listed so that won't work, it's a pain in the neck.

Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-12-06 13:39:49 CET

Keywords: (none) => advisory

Comment 7 Mageia Robot 2019-12-06 15:17:35 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0368.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

