Bug 25918 - libvncserver new security issue CVE-2019-15690
Summary: libvncserver new security issue CVE-2019-15690
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-20 22:03 CET by David Walser
Modified: 2020-03-20 12:07 CET
2 users

See Also:
Source RPM: libvncserver-0.9.12-2.1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2019-12-20 22:03:07 CET
A security issue discovered in libvncserver has been mentioned here:
https://www.openwall.com/lists/oss-security/2019/12/20/2

There doesn't appear to be a fix available yet.

Mageia 7 is also affected.
David Walser 2019-12-20 22:03:15 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-21 20:40:55 CET
No registered maintainer, so assigning yet again to DavidG since you have been the actual committer of updates for this package.
Re-assign it to pkg-bugs if this is too much. Time to breathe at least:
> There doesn't appear to be a fix available yet

Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2020-03-18 13:43:02 CET
Debian-LTS has issued an advisory for this today (March 18):
https://www.debian.org/lts/security/2020/dla-2146

Status comment: (none) => Patches available from Debian and upstream

Comment 3 David GEIGER 2020-03-19 06:12:33 CET
Done for both Cauldron and mga7!
Comment 4 David Walser 2020-03-19 11:24:22 CET
Advisory:
========================

Updated libvncserver packages fix security vulnerability:

In libvncserver, through libvncclient/cursor.c, there is a possibility of a
heap overflow, as reported by Pavel Cheremushkin (CVE-2019-15690).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15690
https://www.debian.org/lts/security/2020/dla-2146
========================

Updated packages in core/updates_testing:
========================
libvncserver1-0.9.12-2.2.mga7
libvncserver-devel-0.9.12-2.2.mga7

from libvncserver-0.9.12-2.2.mga7.src.rpm

CC: (none) => geiger.david68210
Whiteboard: MGA7TOO => (none)
Assignee: geiger.david68210 => qa-bugs
Status comment: Patches available from Debian and upstream => (none)
Version: Cauldron => 7
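The advisory above names only the location of the flaw (a heap overflow in libvncclient/cursor.c) and not its root cause. The defensive pattern that applies to any buffer sized from remotely supplied cursor dimensions is to validate the size arithmetic before allocating. The following is an added illustration of that pattern and is not libvncserver's code: the function names, the caller-supplied size cap `max_bytes`, and the sample dimensions are all assumptions. The mask size formula `((width + 7) / 8) * height` follows the RFB cursor pseudo-encoding, which carries one mask bit per pixel with each row padded to a byte boundary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* The unchecked pattern, for contrast (generic illustration, not the
   libvncserver code): three 32-bit values multiplied in uint32_t
   arithmetic wrap silently, so an oversized cursor can yield a tiny
   allocation that later pixel writes overrun. */
size_t naive_cursor_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return (size_t)(width * height * bpp);   /* wraps modulo 2^32 */
}

/* Overflow-checked sizing for a remotely supplied cursor shape.
   pixel_bytes = width * height * bpp
   mask_bytes  = ceil(width / 8) * height   (RFB cursor mask layout)
   max_bytes is a caller-chosen policy cap (an assumption of this example).
   Returns false on zero dimensions, unsupported bpp, arithmetic overflow,
   or a result above max_bytes; outputs are written only on success. */
bool cursor_buffer_size(uint32_t width, uint32_t height, uint32_t bpp,
                        size_t max_bytes, size_t *pixel_bytes, size_t *mask_bytes)
{
    if (width == 0 || height == 0)
        return false;
    if (bpp != 1 && bpp != 2 && bpp != 4)
        return false;

    size_t w = width, h = height, b = bpp;

    /* w * h must fit in size_t (true on 32-bit and 64-bit targets) */
    if (w > SIZE_MAX / h)
        return false;
    size_t pixels = w * h;

    /* pixels * b must fit in size_t */
    if (pixels > SIZE_MAX / b)
        return false;
    size_t px = pixels * b;

    /* rows = ceil(w / 8), computed without the w + 7 that could wrap
       on a 32-bit size_t; rows * h <= pixels, which already fits. */
    size_t rows = w / 8 + (w % 8 != 0);
    size_t mask = rows * h;

    if (px > max_bytes || mask > max_bytes)
        return false;

    *pixel_bytes = px;
    *mask_bytes = mask;
    return true;
}

/* Convenience wrappers: the validated byte count, or 0 when rejected. */
size_t checked_cursor_pixel_bytes(uint32_t w, uint32_t h, uint32_t bpp, size_t cap)
{
    size_t px, mk;
    return cursor_buffer_size(w, h, bpp, cap, &px, &mk) ? px : 0;
}

size_t checked_cursor_mask_bytes(uint32_t w, uint32_t h, uint32_t bpp, size_t cap)
{
    size_t px, mk;
    return cursor_buffer_size(w, h, bpp, cap, &px, &mk) ? mk : 0;
}

/* Allocate both buffers only after validation; false (and NULLs) on rejection. */
bool alloc_cursor_buffers(uint32_t w, uint32_t h, uint32_t bpp, size_t cap,
                          unsigned char **pixels, unsigned char **mask)
{
    size_t px, mk;
    *pixels = *mask = NULL;
    if (!cursor_buffer_size(w, h, bpp, cap, &px, &mk))
        return false;
    *pixels = calloc(px, 1);
    *mask = calloc(mk, 1);
    if (!*pixels || !*mask) {
        free(*pixels);
        free(*mask);
        *pixels = *mask = NULL;
        return false;
    }
    return true;
}

int main(void)
{
    /* constructed sample dimensions; 1 MiB cap is an arbitrary policy value */
    size_t cap = (size_t)1 << 20;
    printf("naive   65536x65536x1 -> %zu bytes (wrapped)\n",
           naive_cursor_bytes(65536u, 65536u, 1u));
    printf("checked 16x16x4       -> %zu pixel bytes, %zu mask bytes\n",
           checked_cursor_pixel_bytes(16, 16, 4, cap),
           checked_cursor_mask_bytes(16, 16, 4, cap));
    printf("checked 65536x65536x1 -> %s\n",
           checked_cursor_pixel_bytes(65536u, 65536u, 1u, cap) ? "accepted" : "rejected");
    return 0;
}
```

The checks are ordered so that every multiplication is proven to fit before it is performed, and the policy cap rejects shapes that are arithmetically valid but unreasonable for a cursor, which is the kind of input a malicious server could send to a client.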

Comment 5 Herman Viaene 2020-03-20 12:07:33 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Installed x11vnc, ran this on the laptop, defining a password.
Tried to connect from the desktop using the vncviewer as in bug 25788. I get a response from the laptop in the way that the prompt comes to input the password. Then I get the dreaded box: "Invalid display size".
That has prevented me in the past from ever using tigervncserver successfully, but x11vnc never presented this problem up to now. Running out of options.

CC: (none) => herman.viaene

