Debian-LTS has issued an advisory on June 30:
https://www.debian.org/lts/security/2020/dla-2264
The issues are fixed upstream in 0.9.13.
This has no registered maintainer, but DavidG has been doing it, so assigning to you.
Assignee: bugsquad => geiger.david68210
See also bug_26882, vino:
https://bugs.mageia.org/show_bug.cgi?id=26882#c0
Should this one block that one?
No, vino doesn't depend on this because it bundles it. That's the problem.
Done for mga7!
Advisory:
========================

Updated libvncserver packages fix security vulnerabilities:

libvncclient/sockets.c in LibVNCServer had a buffer overflow via a long socket filename (CVE-2019-20839).

libvncserver/rfbregion.c had a NULL pointer dereference (CVE-2020-14397).

Byte-aligned data was accessed through uint32_t pointers in libvncclient/rfbproto.c (CVE-2020-14399).

Byte-aligned data was accessed through uint16_t pointers in libvncserver/translate.c (CVE-2020-14400).

libvncserver/scale.c had a pixel_value integer overflow (CVE-2020-14401).

libvncserver/corre.c allowed out-of-bounds access via encodings (CVE-2020-14402).

libvncserver/hextile.c allowed out-of-bounds access via encodings (CVE-2020-14403).

libvncserver/rre.c allowed out-of-bounds access via encodings (CVE-2020-14404).

libvncclient/rfbproto.c does not limit TextChat size (CVE-2020-14405).

The libvncserver package has been updated to version 0.9.13, fixing these issues and several others. See the release announcement for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14405
https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.13
https://www.debian.org/lts/security/2020/dla-2264
========================

Updated packages in core/updates_testing:
========================
libvncserver1-0.9.13-1.mga7
libvncserver-devel-0.9.13-1.mga7

from libvncserver-0.9.13-1.mga7.src.rpm
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Installed and tested without issues.
Tested on server side: x11vnc, krfb and linuxvnc.
Tested on client side: vncviewer and krdc.
No issues noticed.
System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.
$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q lib64vncserver1
lib64vncserver1-0.9.13-1.mga7
$ urpmq --whatrequires lib64vncserver1 | sort -u
krdc
krfb
lib64vncserver1
lib64vncserver-devel
linuxvnc
remmina-plugins-vnc
x11vnc
$ rpm -q krdc krfb x11vnc linuxvnc tigervnc
krdc-19.04.0-1.mga7
krfb-19.04.0-1.mga7
x11vnc-0.9.16-1.mga7
linuxvnc-0.9.10-4.mga7
tigervnc-1.10.1-1.1.mga7
Whiteboard: (none) => MGA7-64-OK
CC: (none) => mageia
This update also fixes CVE-2019-15680, though upstream says it's a non-issue: https://ubuntu.com/security/notices/USN-4407-1
Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0280.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Apparently the fix for CVE-2019-20839 also fixes CVE-2018-21247:
https://lists.suse.com/pipermail/sle-security-updates/2020-July/007136.html
And (see above), this update also fixed CVE-2019-20840 and CVE-2020-14398.
Another reference for CVE-2018-21247 and CVE-2019-20839: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NVP7TJVYJDXDFRHVQ3ENEN3H354QPXEZ/
Another reference for CVE-2019-20840: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4F6FUH4EFK4NAP6GT4TQRTBKWIRCZLIY/
This update also fixed CVE-2020-14396: https://ubuntu.com/security/notices/USN-4434-1
This update also fixed CVE-2020-25708: https://ubuntu.com/security/notices/USN-4636-1