Bug 31523 - x11-server, tigervnc new security issue CVE-2023-0494
Summary: x11-server, tigervnc new security issue CVE-2023-0494
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 31732
Reported: 2023-02-07 16:55 CET by David Walser
Modified: 2023-03-31 02:15 CEST

See Also:
Source RPM: tigervnc-1.11.0-4.1.mga8.src.rpm, x11-server-1.20.14-4.1.mga8.src.rpm
CVE: CVE-2023-0494
Status comment:


Description David Walser 2023-02-07 16:55:18 CET
RedHat has issued an advisory today (February 7):
https://access.redhat.com/errata/RHSA-2023:0622

Upstream advisory from today:
https://lists.x.org/archives/xorg-announce/2023-February/003320.html

The issue is fixed in x11-server 21.1.7:
https://lists.x.org/archives/xorg-announce/2023-February/003321.html

Tigervnc needs to be fixed again too (like in Bug 31386), but this time it wasn't just a simple rebuild, RedHat added a patch:
https://git.centos.org/rpms/tigervnc/c/ddb7d417b4c24c867eb924a5c113b1d9fd9685ef?branch=c9

Mageia 8 is also affected.
David Walser 2023-02-07 16:57:04 CET

Status comment: (none) => Fixed upstream in 21.1.7
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2023-02-07 16:58:23 CET
It looks like the xwayland 22.1.8 announcement is referencing the same bug:
https://lists.x.org/archives/xorg-announce/2023-February/003322.html
Comment 3 Marja Van Waes 2023-02-07 22:04:10 CET
Assigning to our x11-server maintainer.

Does creating a separate bug report for tiger-vnc need to wait till after fixed x11-server gets pushed?

CC: (none) => marja11
Assignee: bugsquad => thierry.vignaud

Comment 4 David Walser 2023-02-07 22:12:06 CET
Tigervnc just should be built after x11-server.  It doesn't need to be pushed.  It can be in this bug.
Comment 5 Nicolas Salguero 2023-02-09 16:06:31 CET
Hi,

For Cauldron, x11-server-21.1.7-1.mga9, x11-server-xwayland-22.1.8-1.mga9 and tigervnc-1.12.0-4.mga9 fixed the issue (for tigervnc, the patch given in comment 0 is, in fact, already applied).

Best regards,

CC: (none) => nicolas.salguero
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 6 David Walser 2023-02-09 17:06:44 CET
Yeah, they probably only needed to apply the patch because they hadn't updated x11-server yet.

RedHat advisory that includes both tigervnc and x11-server:
https://access.redhat.com/errata/RHSA-2023:0675
Comment 7 David Walser 2023-02-09 17:39:08 CET
Debian has issued an advisory for x11-server on February 7:
https://www.debian.org/security/2023/dsa-5342
Comment 8 David Walser 2023-02-09 17:43:49 CET
(In reply to David Walser from comment #7)
> Debian has issued an advisory for x11-server on February 7:
> https://www.debian.org/security/2023/dsa-5342

as has Ubuntu:
https://ubuntu.com/security/notices/USN-5846-1
Comment 10 Nicolas Salguero 2023-03-16 13:34:03 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

DeepCopyPointerClasses use-after-free leads to privilege elevation. (CVE-2023-0494)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0494
https://access.redhat.com/errata/RHSA-2023:0622
https://lists.x.org/archives/xorg-announce/2023-February/003320.html
https://lists.x.org/archives/xorg-announce/2023-February/003321.html
https://lists.x.org/archives/xorg-announce/2023-February/003322.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HSNILY742FXA5BCFCFYJFV25HDJSBYFG/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DILJFVN2VRCI733YOB627LK2NDU5FO4Q/
https://access.redhat.com/errata/RHSA-2023:0675
https://www.debian.org/security/2023/dsa-5342
https://ubuntu.com/security/notices/USN-5846-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EW32TRKDYCE243TZOU75JUXT4AHPPDVT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VXKWNOBBI2ZCTIV3D4TT7EVVWMLTF6P2/
========================

Updated packages in core/updates_testing:
========================
tigervnc-1.11.0-4.2.mga8
tigervnc-java-1.11.0-4.2.mga8
tigervnc-server-1.11.0-4.2.mga8
tigervnc-server-module-1.11.0-4.2.mga8

x11-server-1.20.14-4.2.mga8
x11-server-common-1.20.14-4.2.mga8
x11-server-devel-1.20.14-4.2.mga8
x11-server-xdmx-1.20.14-4.2.mga8
x11-server-xephyr-1.20.14-4.2.mga8
x11-server-xnest-1.20.14-4.2.mga8
x11-server-xorg-1.20.14-4.2.mga8
x11-server-xvfb-1.20.14-4.2.mga8
x11-server-xwayland-1.20.14-4.2.mga8

from SRPMS:
tigervnc-1.11.0-4.2.mga8.src.rpm
x11-server-1.20.14-4.2.mga8.src.rpm

Source RPM: x11-server-21.1.6-1.mga9.src.rpm => tigervnc-1.11.0-4.1.mga8.src.rpm, x11-server-1.20.14-4.1.mga8.src.rpm
Status: NEW => ASSIGNED
Assignee: thierry.vignaud => qa-bugs
CVE: (none) => CVE-2023-0494
Status comment: Fixed upstream in 21.1.7 => (none)

Comment 11 Morgan Leijström 2023-03-16 20:06:46 CET
mga8-64, only testing X11, Plasma, nvidia-current. OK for me

Updated installed packages to:
- x11-server-common-1.20.14-4.2.mga8.x86_64
- x11-server-xephyr-1.20.14-4.2.mga8.x86_64
- x11-server-xnest-1.20.14-4.2.mga8.x86_64
- x11-server-xorg-1.20.14-4.2.mga8.x86_64
- x11-server-xwayland-1.20.14-4.2.mga8.x86_64

Rebooted
Normal desktop activities; surf, video, libreoffice
VirtualBox clients mga8-32 and MSW7, with videos

CC: (none) => fri

Comment 12 PC LX 2023-03-17 01:14:11 CET
Testing tigervnc now and seeing one (minor) issue.

When running vncserver the message "Please read /usr/share/doc/tigervnc/HOWTO.md for more information." is shown but the actual file is at "/usr/share/doc/tigervnc-server/HOWTO.md".

$ vncserver
vncserver has been replaced by a systemd unit.
Please read /usr/share/doc/tigervnc/HOWTO.md for more information.
$ rpm -ql tigervnc-server | grep HOWTO.md
/usr/share/doc/tigervnc-server/HOWTO.md
$ rpm -q tigervnc-server 
tigervnc-server-1.11.0-4.2.mga8

CC: (none) => mageia

Comment 13 PC LX 2023-03-17 17:27:35 CET
Testing tigervnc-java and seeing one issue with TLS that was already present so it is not a regression.


Trying to use TLS aborts with the exception:
"com.tigervnc.rdr.SystemException: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"

$ rpm -q tigervnc-java
tigervnc-java-1.11.0-4.2.mga8
$ java -jar /usr/share/java/VncViewer.jar

TigerVNC Java Viewer v1.11.0 (20230316)
Built on 2023-03-16 at 12:27:01
Copyright (C) 1999-2020 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.
DecodeManager: Detected 12 CPU core(s)
DecodeManager: Creating 4 decoder thread(s)
CConn: connected to host jupiter-vm-mageia-8.lan port 5901
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
com.tigervnc.rdr.SystemException: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at com.tigervnc.rfb.CSecurityTLS.processMsg(CSecurityTLS.java:139)
        at com.tigervnc.rfb.CSecurityStack.processMsg(CSecurityStack.java:41)
        at com.tigervnc.rfb.CSecurityVeNCrypt.processMsg(CSecurityVeNCrypt.java:177)
        at com.tigervnc.rfb.CConnection.processSecurityMsg(CConnection.java:296)
        at com.tigervnc.rfb.CConnection.processMsg(CConnection.java:146)
        at com.tigervnc.vncviewer.VncViewer.run(VncViewer.java:430)
        at java.base/java.lang.Thread.run(Thread.java:829)




Previous tigervnc-java shows the same issue so it is not a regression.

$ rpm -q tigervnc-java
tigervnc-java-1.11.0-4.1.mga8
$ java -jar /usr/share/java/VncViewer.jar

TigerVNC Java Viewer v1.11.0 (20230110)
Built on 2023-01-10 at 14:54:17
Copyright (C) 1999-2020 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.
DecodeManager: Detected 12 CPU core(s)
DecodeManager: Creating 4 decoder thread(s)
CConn: connected to host jupiter-vm-mageia-8.lan port 5901
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
com.tigervnc.rdr.SystemException: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at com.tigervnc.rfb.CSecurityTLS.processMsg(CSecurityTLS.java:139)
        at com.tigervnc.rfb.CSecurityStack.processMsg(CSecurityStack.java:41)
        at com.tigervnc.rfb.CSecurityVeNCrypt.processMsg(CSecurityVeNCrypt.java:177)
        at com.tigervnc.rfb.CConnection.processSecurityMsg(CConnection.java:296)
        at com.tigervnc.rfb.CConnection.processMsg(CConnection.java:146)
        at com.tigervnc.vncviewer.VncViewer.run(VncViewer.java:430)
        at java.base/java.lang.Thread.run(Thread.java:829)




Without TLS works.

$ java -jar /usr/share/java/VncViewer.jar

TigerVNC Java Viewer v1.11.0 (20230316)
Built on 2023-03-16 at 12:27:01
Copyright (C) 1999-2020 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.
DecodeManager: Detected 12 CPU core(s)
DecodeManager: Creating 4 decoder thread(s)
CConn: connected to host jupiter-vm-mageia-8.lan port 5901
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
CConn: Using pixel format depth 24 (32bpp) little-endian rgb888
CConnection: Enabling continuous updates




SSH tunnel also works.

$ java -jar /usr/share/java/VncViewer.jar

TigerVNC Java Viewer v1.11.0 (20230316)
Built on 2023-03-16 at 12:27:01
Copyright (C) 1999-2020 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.
DecodeManager: Detected 12 CPU core(s)
DecodeManager: Creating 4 decoder thread(s)
Tunnel: SSH command line: /usr/bin/ssh -f -L 34987:localhost:5901 jupiter-vm-mageia-8.lan sleep 20
CConn: connected to localhost port 34987
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
CConn: Using pixel format depth 24 (32bpp) little-endian rgb888
CConnection: Enabling continuous updates
Comment 14 PC LX 2023-03-17 17:39:38 CET
Tested tigervnc packages. Both server and client worked. Two issues noticed (comment 12 and comment 13).
These two issues are NOT regressions so this update gets an OK from me.


Tested both client and server on host and QEMU/KVM VM.
Tested various clients: vncviewer, vncviewer-java, KRDC, MultiVNC Android app.


System Host: Mageia 8, x86_64, Plasma DE, AMD APU.
System Guest: Mageia 8, x86_64, LXQt DE, AMD GPU PCI pass through, virtio QXL.


$ uname -a
Linux jupiter-vm-mageia-8 6.1.18-desktop-2.mga8 #1 SMP PREEMPT_DYNAMIC Sun Mar 12 11:03:46 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep tigervnc
tigervnc-1.11.0-4.2.mga8
tigervnc-server-1.11.0-4.2.mga8
tigervnc-java-1.11.0-4.2.mga8
Comment 15 PC LX 2023-03-20 00:11:57 CET
Installed and tested without issue.

Tested for three days of workstation usage and in a QEMU/KVM VM using QXL or using AMD GPU PCI pass through.



System host   : Mageia 8, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.
System guest 1: Mageia 8, x86_64, LXQt DE  , AMD Ryzen 5 5600G with Radeon Graphics, QXL graphics using SPICE.
System guest 2: Mageia 8, x86_64, LXQt DE  , AMD Ryzen 5 5600G with Radeon Graphics, AMD Radeon RX 6500 XT PCI pass through using amdgpu driver.



$ # HOST
$ uname -a
Linux jupiter 6.1.15-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Mar  4 11:14:54 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ lspcidrake | grep VGA
Card:ATI Volcanic Islands and later (amdgpu): Advanced Micro Devices, Inc. [AMD/ATI]|Cezanne [DISPLAY_VGA] (rev: c9)
Card:AMD Southern Islands and later (amdgpu): Advanced Micro Devices, Inc. [AMD/ATI]|Navi 24 [Radeon RX 6400 / 6500 XT] [DISPLAY_VGA] (rev: c1)
$ rpm -qa | grep x11-server
x11-server-xwayland-1.20.14-4.2.mga8
x11-server-common-1.20.14-4.2.mga8
x11-server-xorg-1.20.14-4.2.mga8



$ # Guest 1
$ uname -a
Linux jupiter-vm-mageia-8 6.1.18-desktop-2.mga8 #1 SMP PREEMPT_DYNAMIC Sun Mar 12 11:03:46 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ lspcidrake | grep VGA
Card:Virtio virtual video card: Red Hat, Inc.|Virtio GPU [DISPLAY_VGA] (rev: 01)
$ rpm -qa | grep x11-server
x11-server-xorg-1.20.14-4.2.mga8
x11-server-common-1.20.14-4.2.mga8
x11-server-xwayland-1.20.14-4.2.mga8



$ # Guest 2
$ uname -a
Linux jupiter-vm-mageia-8 6.1.18-desktop-2.mga8 #1 SMP PREEMPT_DYNAMIC Sun Mar 12 11:03:46 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ lspcidrake | grep VGA
Card:AMD Southern Islands and later (amdgpu): Advanced Micro Devices, Inc. [AMD/ATI]|Navi 24 [Radeon RX 6400 / 6500 XT] [DISPLAY_VGA] (rev: c1)
$ rpm -qa | grep x11-server
x11-server-xorg-1.20.14-4.2.mga8
x11-server-common-1.20.14-4.2.mga8
x11-server-xwayland-1.20.14-4.2.mga8
Comment 16 PC LX 2023-03-25 13:42:56 CET
Working for over a week without issues so I'm going to give it the OK to push it forward. Please undo if appropriate.

Whiteboard: (none) => MGA8-64-OK

Comment 17 Thomas Andrews 2023-03-25 20:16:17 CET
Sounds good to me. Thanks.

Validating. Advisory in comment 10.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-03-29 15:13:28 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

David Walser 2023-03-30 20:06:37 CEST

Blocks: (none) => 31732

Comment 18 Mageia Robot 2023-03-31 02:15:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0118.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
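
Added example, not part of the original bug report or of Mageia's tooling: a check that flags x11-server and tigervnc packages older than the fixed builds listed in comment 10, using a simplified rpm-style version comparison. The function names, the architecture list and the sample input are assumptions made for illustration.

```python
import re

# Fixed builds, from the "Updated packages in core/updates_testing" list on this page.
FIXED = {"x11-server": "1.20.14-4.2.mga8", "tigervnc": "1.11.0-4.2.mga8"}
# Assumption: architecture suffixes that `rpm -qa` may append on Mageia.
ARCH = re.compile(r"\.(x86_64|i586|aarch64|armv7hl|noarch)$")

def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does
    (simplified: '~' and '^' are not handled). Returns -1, 0 or 1."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():      # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def evr_cmp(a, b):
    """Compare 'version-release' strings; an epoch is assumed to be absent."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def outdated(rpm_qa_lines):
    """Return the packages from `rpm -qa` output that predate the fix."""
    hits = []
    for line in rpm_qa_lines:
        nvr = ARCH.sub("", line.strip())
        if nvr.count("-") < 2:
            continue
        name, ver, rel = nvr.rsplit("-", 2)
        for family, fixed in FIXED.items():
            in_family = name == family or name.startswith(family + "-")
            if in_family and evr_cmp(f"{ver}-{rel}", fixed) < 0:
                hits.append(nvr)
    return hits

# Constructed sample input in the format printed by `rpm -qa`.
SAMPLE = [
    "tigervnc-java-1.11.0-4.1.mga8",
    "x11-server-xorg-1.20.14-4.2.mga8.x86_64",
    "tigervnc-server-1.11.0-4.2.mga8",
    "x11-server-common-1.20.14-4.1.mga8",
    "bash-5.1.4-1.mga8",
]

if __name__ == "__main__":
    for pkg in outdated(SAMPLE):
        print("needs update:", pkg)
```

On a real host, pass the lines of `rpm -qa` output to `outdated()` instead of `SAMPLE`.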

