Bug 30917 - libvncserver new security issue CVE-2020-29260
Summary: libvncserver new security issue CVE-2020-29260
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-30 20:38 CEST by David Walser
Modified: 2023-02-28 09:51 CET (History)
6 users (show)

See Also:
Source RPM: libvncserver-0.9.13-1.mga8.src.rpm, italc-3.0.3-6.mga8.src.rpm
CVE: CVE-2020-29260
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-09-30 20:38:01 CEST 
Debian-LTS has issued an advisory on September 29:
https://www.debian.org/lts/security/2022/dla-3125

The other CVE in that advisory was already fixed in Bug 26881.

Since this CVE is for libvncclient code, I'm guessing it's not part of the code that's bundled in italc, but we should verify that (and I still think that should be dropped in Cauldron).

Mageia 8 is also affected.
Comment 1 Lewis Smith 2022-10-01 20:36:43 CEST 
> libvncclient
> I still think that should be dropped in Cauldron
Is this noted in the umbrella bug for possible pkgs to drop?

Assigning globally since no one packager in view.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2022-10-01 20:38:25 CEST 
Quoting error by Lewis.  The package to drop is italc.  Libvncclient is part of the libvncserver package.
Comment 3 Nicolas Salguero 2022-10-03 11:13:25 CEST 
Hi,

Regarding italc, there are bad and good news: italc seems to be affected but it also seems to have been removed from Cauldron (I find it neither in the branch "packages/cauldron" nor in the branch "obsolete" in SVN).

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 4 Nicolas Salguero 2022-10-03 11:17:30 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup(). (CVE-2020-29260)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29260
https://www.debian.org/lts/security/2022/dla-3125
========================

Updated packages in core/updates_testing:
========================
italc-3.0.3-6.1.mga8
italc-client-3.0.3-6.1.mga8
italc-client-autostart-3.0.3-6.1.mga8
italc-master-3.0.3-6.1.mga8

lib(64)vncserver1-0.9.13-1.1.mga8
lib(64)vncserver-devel-0.9.13-1.1.mga8

from SRPMS:
italc-3.0.3-6.1.mga8.src.rpm
libvncserver-0.9.13-1.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-29260
Source RPM: libvncserver-0.9.13-3.mga9.src.rpm => libvncserver-0.9.13-1.mga8.src.rpm, italc-3.0.3-6.mga8.src.rpm
Version: Cauldron => 8

Comment 5 Herman Viaene 2022-10-05 16:50:26 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Got the same error on launching italc on the CLI as described in previous update bug 27404.
I will not pretend to be cleverer thanThomas or Dave, so as the update does not seem to harm anything else on my LAN, I give the OK on clean install.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2022-10-07 03:21:17 CEST 
It was good enough last time, so it's good enough this time.

Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-10-08 19:51:54 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-10-08 22:23:54 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0363.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 8 jonas wade 2023-02-28 09:51:57 CET Comment hidden (spam)

CC: (none) => arunn3620
Note You need to log in before you can comment on or make changes to this bug.