Bug 26881 - libvncserver new security issues CVE-2019-20839, CVE-2020-1439[79], CVE-2020-1440[0-5]
Summary: libvncserver new security issues CVE-2019-20839, CVE-2020-1439[79], CVE-2020-...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-07-01 21:06 CEST by David Walser
Modified: 2020-11-19 14:53 CET (History)

See Also:
Source RPM: libvncserver-0.9.12-2.3.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-07-01 21:06:46 CEST
Debian-LTS has issued an advisory on June 30:
https://www.debian.org/lts/security/2020/dla-2264

The issues are fixed upstream in 0.9.13.
Comment 1 Lewis Smith 2020-07-01 21:48:30 CEST
This has no registered maintainer, but DavidG has been doing it, so assigning to you.

Assignee: bugsquad => geiger.david68210

Comment 2 Lewis Smith 2020-07-01 21:57:05 CEST
See also bug_26882, vino: https://bugs.mageia.org/show_bug.cgi?id=26882#c0
Should this one block that one?
Comment 3 David Walser 2020-07-01 23:25:57 CEST
No, vino doesn't depend on this because it bundles it.  That's the problem.
Comment 4 David GEIGER 2020-07-02 08:12:14 CEST
Done for mga7!
Comment 5 David Walser 2020-07-02 15:22:05 CEST
Advisory:
========================

Updated libvncserver packages fix security vulnerabilities:

libvncclient/sockets.c in LibVNCServer had a buffer overflow via a long socket
filename (CVE-2019-20839).

libvncserver/rfbregion.c had a NULL pointer dereference (CVE-2020-14397).

Byte-aligned data was accessed through uint32_t pointers in
libvncclient/rfbproto.c (CVE-2020-14399).

Byte-aligned data was accessed through uint16_t pointers in
libvncserver/translate.c (CVE-2020-14400).

libvncserver/scale.c had a pixel_value integer overflow (CVE-2020-14401).

libvncserver/corre.c allowed out-of-bounds access via encodings
(CVE-2020-14402).

libvncserver/hextile.c allowed out-of-bounds access via encodings
(CVE-2020-14403).

libvncserver/rre.c allowed out-of-bounds access via encodings
(CVE-2020-14404).

libvncclient/rfbproto.c does not limit TextChat size (CVE-2020-14405).

The libvncserver package has been updated to version 0.9.13, fixing these
issues and several others.  See the release announcement for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14405
https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.13
https://www.debian.org/lts/security/2020/dla-2264
========================

Updated packages in core/updates_testing:
========================
libvncserver1-0.9.13-1.mga7
libvncserver-devel-0.9.13-1.mga7

from libvncserver-0.9.13-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
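
Two of the bug classes the advisory in Comment 5 lists, multi-byte fields read through uint32_t/uint16_t pointers into byte-aligned data (CVE-2020-14399, CVE-2020-14400) and an unbounded TextChat length (CVE-2020-14405), are illustrated in the C example below. It is added here and is not LibVNCServer code; the header layout (1-byte type, 3 bytes padding, 4-byte big-endian length), the type value 11 and the 4096-byte cap are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed, illustrative layout of a TextChat-style message header (not the
 * exact LibVNCServer struct): byte 0 type, bytes 1-3 padding, bytes 4-7
 * big-endian length of the text that follows. */
#define HDR_LEN 8
#define MAX_TEXT_LEN 4096u  /* constructed policy cap on the text payload */

/* Read a big-endian uint32 byte by byte from any offset. Casting p to
 * uint32_t* would be the misaligned-access pattern behind CVE-2020-14399
 * and CVE-2020-14400 (undefined behaviour, a fault on strict-alignment CPUs). */
uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Validate a received message against the bytes actually received.
 * Returns the text length, or -1 if the message must be rejected: header
 * truncated, length above the cap (the limit CVE-2020-14405 describes as
 * missing), or length larger than the data following the header. */
long textchat_text_len(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < HDR_LEN)
        return -1;
    uint32_t len = read_be32(msg + 4);
    if (len > MAX_TEXT_LEN)
        return -1;
    if (len > msg_len - HDR_LEN)
        return -1;
    return (long)len;
}

/* Constructed samples: a well-formed 5-byte chat, a header claiming
 * 0xffffffff bytes, and a header claiming more bytes than were received. */
static const uint8_t sample_ok[]    = { 11, 0, 0, 0, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t sample_huge[]  = { 11, 0, 0, 0, 0xff, 0xff, 0xff, 0xff };
static const uint8_t sample_short[] = { 11, 0, 0, 0, 0, 0, 0, 10, 'h', 'i' };

long check_sample_ok(void)    { return textchat_text_len(sample_ok, sizeof sample_ok); }
long check_sample_huge(void)  { return textchat_text_len(sample_huge, sizeof sample_huge); }
long check_sample_short(void) { return textchat_text_len(sample_short, sizeof sample_short); }
```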

Comment 6 PC LX 2020-07-02 20:10:48 CEST
Installed and tested without issues.

Tested on server side: x11vnc, krfb and linuxvnc.
Tested on client side: vncviewer and krdc.
No issues noticed.


System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.


$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q lib64vncserver1
lib64vncserver1-0.9.13-1.mga7
$ urpmq --whatrequires lib64vncserver1 | sort -u
krdc
krfb
lib64vncserver1
lib64vncserver-devel
linuxvnc
remmina-plugins-vnc
x11vnc
$ rpm -q krdc krfb x11vnc linuxvnc tigervnc
krdc-19.04.0-1.mga7
krfb-19.04.0-1.mga7
x11vnc-0.9.16-1.mga7
linuxvnc-0.9.10-4.mga7
tigervnc-1.10.1-1.1.mga7

Whiteboard: (none) => MGA7-64-OK
CC: (none) => mageia

Comment 7 David Walser 2020-07-02 23:15:00 CEST
This update also fixes CVE-2019-15680, though upstream says it's a non-issue:
https://ubuntu.com/security/notices/USN-4407-1
Comment 8 Thomas Andrews 2020-07-02 23:39:13 CEST
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-07-05 21:03:24 CEST

Keywords: (none) => advisory
CC: (none) => mageia

Comment 9 Mageia Robot 2020-07-05 21:49:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0280.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 10 David Walser 2020-07-17 00:08:19 CEST
Apparently the fix for CVE-2019-20839 also fixes CVE-2018-21247:
https://lists.suse.com/pipermail/sle-security-updates/2020-July/007136.html

And (see above), this update also fixed CVE-2019-20840 and CVE-2020-14398.
Comment 11 David Walser 2020-07-17 00:17:29 CEST
Another reference for CVE-2018-21247 and CVE-2019-20839:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NVP7TJVYJDXDFRHVQ3ENEN3H354QPXEZ/
Comment 13 David Walser 2020-07-29 23:03:37 CEST
This update also fixed CVE-2020-14396:
https://ubuntu.com/security/notices/USN-4434-1
Comment 14 David Walser 2020-11-19 14:53:21 CET
This update also fixed CVE-2020-25708:
https://ubuntu.com/security/notices/USN-4636-1
