Bug 25788 - libvncserver new security issue CVE-2019-15681
Summary: libvncserver new security issue CVE-2019-15681
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2019-11-30 15:56 CET by David Walser
Modified: 2019-12-06 15:17 CET (History)
5 users (show)

See Also:
Source RPM: libvncserver-0.9.12-2.mga7.src.rpm
Status comment:


Description David Walser 2019-11-30 15:56:42 CET
Debian-LTS has issued an advisory on November 29:

The upstream commit that fixed the issue is linked from here:

Mageia 7 is also affected.
David Walser 2019-11-30 15:56:49 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2019-11-30 18:04:17 CET
Patched packages uploaded for Mageia 7 and Cauldron by David.


Updated libvncserver packages fix security vulnerability:

LibVNC contained a memory leak in VNC server code, which allowed an attacker to
read stack memory and could be abused for information disclosure. Combined with
another vulnerability, it could be used to leak stack memory and bypass ASLR.
This attack appeared to be exploitable via network connectivity


Updated packages in core/updates_testing:

from libvncserver-0.9.12-2.1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: bugsquad => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 2 Herman Viaene 2019-12-05 11:57:35 CET
QA-repo answers: "libvncserver1-0.9.12-2.1.mga7 not found in the remote repository"
Usually the Belgian mirror is one day behind, but not more, and tnef I just tested, loaded on the same day.

CC: (none) => herman.viaene

Comment 3 Thomas Backlund 2019-12-05 11:59:57 CET
If you test 64bit, that would be:


CC: (none) => tmb

Comment 4 Herman Viaene 2019-12-05 12:03:59 CET
Grrrrrr, headbanging.
Comment 5 Herman Viaene 2019-12-05 15:31:56 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Installed x11vnc to test and connected from my desktop PC, works OK.

Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2019-12-05 22:29:14 CET
(In reply to Herman Viaene from comment #4)
> Grrrrrr, headbanging.

I've been there. QARepo is a really great tool for QA, but it was designed to use copy-and-paste to get the rpm list. When the rpms are listed so that won't work, it's a pain in the neck. 

Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-12-06 13:39:49 CET

Keywords: (none) => advisory

Comment 7 Mageia Robot 2019-12-06 15:17:35 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.