Bug 25917 - tigervnc new security issues CVE-2019-1569[1-5]
Summary: tigervnc new security issues CVE-2019-1569[1-5]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-20 22:01 CET by David Walser
Modified: 2020-01-23 23:30 CET (History)
6 users (show)

See Also:
Source RPM: tigervnc-1.9.0-4.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-12-20 22:01:20 CET
TigerVNC 1.10.1 has been released today (December 20), fixing security issues:
https://github.com/TigerVNC/tigervnc/releases/tag/v1.10.1

More details are here:
https://www.openwall.com/lists/oss-security/2019/12/20/2

It sounds like there will be more CVEs forthcoming.

Mageia 7 is also affected.
David Walser 2019-12-20 22:03:11 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-21 20:33:29 CET
No registered maintainer.
Assigning to Stig as just having upated this; DavidG for a couple of recent commits. Hope this is OK.

CC: (none) => geiger.david68210
Assignee: bugsquad => smelror

Comment 2 David GEIGER 2019-12-22 08:55:06 CET
Done for mga7 updating to latest 1.10.1 release!
Comment 3 David Walser 2019-12-22 14:18:30 CET
Advisory:
========================

Updated tigervnc packages fix security vulnerabilities:

The tigervnc package has been updated to version 1.10.1 to fix multiple
unspecified security issues. These issues affect both the client and server and
could theoretically allow an malicious peer to take control over the software
on the other side. No working exploit is known at this time, and the issues
require the peer to first be authenticated (CVE-2019-15691, CVE-2019-15692,
CVE-2019-15693, CVE-2019-15694, CVE-2019-15695).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15692
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15694
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15695
https://github.com/TigerVNC/tigervnc/releases/tag/v1.10.1
https://www.openwall.com/lists/oss-security/2019/12/20/2
========================

Updated packages in core/updates_testing:
========================
tigervnc-1.10.1-1.mga7
tigervnc-server-1.10.1-1.mga7
tigervnc-server-module-1.10.1-1.mga7
tigervnc-java-1.10.1-1.mga7

from tigervnc-1.10.1-1.mga7.src.rpm

Version: Cauldron => 7
Assignee: smelror => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 4 Herman Viaene 2020-01-04 15:23:52 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
# systemctl -l status vncserver
● vncserver.service - LSB: Start TigerVNC server at boot time
   Loaded: loaded (/etc/rc.d/init.d/vncserver; generated)
   Active: inactive (dead)
     Docs: man:systemd-sysv-generator(8)

# systemctl -l start vncserver
# systemctl -l status vncserver
● vncserver.service - LSB: Start TigerVNC server at boot time
   Loaded: loaded (/etc/rc.d/init.d/vncserver; generated)
   Active: active (exited) since Sat 2020-01-04 15:09:42 CET; 7s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 27164 ExecStart=/etc/rc.d/init.d/vncserver start (code=exited, status=0/SUCCESS)

jan 04 15:09:42 mach5.hviaene.thuis systemd[1]: Starting LSB: Start TigerVNC server at boot time...
jan 04 15:09:42 mach5.hviaene.thuis vncserver[27164]: Starting vncserver: [  OK  ]
jan 04 15:09:42 mach5.hviaene.thuis systemd[1]: Started LSB: Start TigerVNC server at boot time.
[root@mach5 ~]# vncpasswd 
Password:
Verify:
Would you like to enter a view-only password (y/n)? n

Opened up firewall, and then tried vncviewer from deesktop PC, but I keep running into "unable connect to socket: connection refused".
I've never been able to get a connection to tigervnc. Over to someone more knowledgeable.

CC: (none) => herman.viaene

Comment 5 David Walser 2020-01-05 19:43:24 CET
Do you see tigervnc listening when you check with the following?:

netstat -ntlp
Comment 6 PC LX 2020-01-06 12:04:48 CET
Installed without issues but can't get it to work.

Both the x0vncserver and vncserver seem to start correctly but I always get a "Invalid display size" error message from the vncviewer client, whatever I try. I'm probably doing something wrong but I just can't solve it.



$ x0vncserver -PasswordFile=.vnc/passwd -localhost -geometry 1920x1080

Mon Jan  6 10:50:19 2020
 Geometry:    Desktop geometry is set to 1920x1080+0+0
 XDesktop:    Using evdev codemap
 XDesktop:    
 XDesktop:    XTest extension present - version 2.2
 Main:        Listening on port 5900

Mon Jan  6 10:50:25 2020
 Connections: accepted: 127.0.0.1::46556
 SConnection: Client needs protocol version 3.8
 SConnection: Client requests security type VeNCrypt(19)
 SVeNCrypt:   Client requests security type TLSVnc (258)

Mon Jan  6 10:50:28 2020
 XDesktop:    Enabling 8 buttons of X pointer device
 XDesktop:    Allocated shared memory image
 VNCSConnST:  Server default pixel format depth 24 (32bpp) little-endian rgb888
 VNCSConnST:  closing 127.0.0.1::46556: Clean disconnection
 EncodeManager: Framebuffer updates: 0
 EncodeManager:   Total: 0 rects, 0 pixels
 EncodeManager:          0 B (1:-nan ratio)
 TLS:         TLS session wasn't terminated gracefully
 TcpSocket:   unable to get peer name for socket
 Connections: closed: ::0
 ComparingUpdateTracker: 0 pixels in / 0 pixels out
 ComparingUpdateTracker: (1:-nan ratio)
^C
Mon Jan  6 10:50:35 2020
 Main:        Terminated



$ vncviewer localhost:0

Visualizador TigerVNC 64 bits v1.10.1
Compilado em: 2019-12-22 07:52
Copyright (C) 1999-2019 Equipe TigerVNC e muitos outros (veja README.rst)
Veja https://www.tigervnc.org para informação sobre o TigerVNC.

Mon Jan  6 10:50:25 2020
 DecodeManager: Detected 4 CPU core(s)
 DecodeManager: Creating 4 decoder thread(s)
 CConn:       Conectado ao host localhost porta 5900
 CConnection: Server supports RFB protocol version 3.8
 CConnection: Using RFB protocol version 3.8
 CConnection: Choosing security type VeNCrypt(19)
 CVeNCrypt:   Choosing security type TLSVnc (258)

Mon Jan  6 10:50:28 2020
 CConn:       Invalid display size

CC: (none) => mageia

Comment 7 Herman Viaene 2020-01-06 13:50:14 CET
@ David
# systemctl -l start vncserver
# systemctl -l status vncserver
● vncserver.service - LSB: Start TigerVNC server at boot time
   Loaded: loaded (/etc/rc.d/init.d/vncserver; generated)
   Active: active (exited) since Mon 2020-01-06 13:47:10 CET; 7s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 12602 ExecStart=/etc/rc.d/init.d/vncserver start (code=exited, status=0/SUCCESS)

jan 06 13:47:10 mach5.hviaene.thuis systemd[1]: Starting LSB: Start TigerVNC server at boot time...
jan 06 13:47:10 mach5.hviaene.thuis vncserver[12602]: Starting vncserver: [  OK  ]
jan 06 13:47:10 mach5.hviaene.thuis systemd[1]: Started LSB: Start TigerVNC server at boot time.

# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1444/cupsd          
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3366/master         
tcp        0      0 127.0.0.1:10026         0.0.0.0:*               LISTEN      3366/master         
tcp6       0      0 :::631                  :::*                    LISTEN      1444/cupsd          
tcp6       0      0 ::1:25                  :::*                    LISTEN      3366/master
Comment 8 David Walser 2020-01-06 15:27:40 CET
Well that's not good.
Comment 9 Dave Hodgins 2020-01-16 22:20:41 CET
Used ssh to connect from source system running konsole under X to a dest system as the user running X on the dest system over, my local lan.

In the ssh session ran the following script ...
$ cat bin/myvnctiger 
#!/bin/bash
killall x0vncserver
x0vncserver display=:0 -SecurityTypes=None &
sleep 4
vncviewer -compresslevel 9 localhost:0
killall x0vncserver

Working fine here.

Did the same in the other direction as the one computer has the updates installed
while the other doesn't. Working ok in both directions, so that tests both the
server and guest functions.

CC: (none) => davidwhodgins
Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2020-01-19 10:41:32 CET

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 10 Mageia Robot 2020-01-19 11:12:12 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0042.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 11 Herman Viaene 2020-01-20 14:06:44 CET
@ Dave
The way you describe works. 
But if I understand and see this correctly, this uses the tigervncserver as the x11vncserver: i.e. connect to an existing session.
But I think the purpose of vnc is to connect remotely to a vnc server and run there a session which is different from the users/sessions running at that time. And that's what I've never been able to get going and your procedure does not demonstrate either.
Comment 12 David Walser 2020-01-20 15:33:41 CET
No, VNC is typically used to connect to an existing session.
Comment 13 David Walser 2020-01-23 23:30:38 CET
openSUSE has issued an advisory for this on January 21:
https://lists.opensuse.org/opensuse-updates/2020-01/msg00087.html

Note You need to log in before you can comment on or make changes to this bug.