+++ This bug was initially created as a clone of Bug #25917 +++ TigerVNC 1.10.1 has been released today (December 20), fixing security issues: https://github.com/TigerVNC/tigervnc/releases/tag/v1.10.1 More details are here: https://www.openwall.com/lists/oss-security/2019/12/20/2 It sounds like there will be more CVEs forthcoming. Mageia 7 is also affected.
Summary: tigervnc new security issues CVE-2019-1569[1-5] => tigervnc: Invalid Display SizeKeywords: advisory, validated_update => (none)Source RPM: tigervnc-1.9.0-4.mga8.src.rpm => tigervnc-1.10.1-1.mga7.src.rpm
I'm trying to connect to my work computer (Mageia 7 to Mageia 7) which is running (and logged in) with screen locked X session. I have tried two methods of connecting to the existing X session on that machine via ssh and our vpn. x0vncserver -display=:0 -PasswordFile=$HOME/.vnc/passwd and I also tried x11vnc -usepw In both cases with the 1.10 update it asks for the connection password and then crashes with "Invalid screen size". Downgrading to 1.9.0 fixes the problem as described by a couple of other people in the 25917 bug. I know Dave Hodgins didn't have a problem with his method but PC LX ran into the same crash I and the other two commenters saw. I am connecting over vpn.
The "Invalid display size" error appears in SOURCES/tigervnc-1.8.0-CVE-2014-8240.patch, which we took from Debian, who also still has it in 1.10.1. Google doesn't show any references to this error besides us.
CC: qa-bugs, security, sysadmin-bugs, tmb => (none)
Another note, my work machine has tigervnc-1.10.1-1.mga7 and tigervnc-server-1.10.1-1.mga7 and works ok so long as my client machine has tigervnc-1.9.0-3.mga7. So it would appear the viewer/client piece has the problem. I checked upstream bug tracking and didn't see anything related to this there either.
From https://bugs.mageia.org/show_bug.cgi?id=26118#c6 ... While the existing mageia verison works ok for connecting to an existing X display, it cannot create a new one as is needed for xen. replacing /usr/bin/vncviewer with the version downloaded from https://bintray.com/tigervnc/stable/download_file?file_path=tigervnc-1.10.1.x86_64.tar.gz fixes the problem.
Closing as a duplicate *** This bug has been marked as a duplicate of bug 26118 ***
Resolution: (none) => DUPLICATEStatus: NEW => RESOLVED