Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/04/03/13

They are fixed in xorg-server 21.1.12 and xwayland 23.2.5 or with the commits provided in the link above.

As usual, tigervnc will need a rebuild to include the fixes from the package x11-server-source, once xorg-server is patched (for Mageia 9) or updated (for Cauldron).

CVE: (none) => CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083
Source RPM: (none) => x11-server, x11-server-xwayland, tigervnc
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in xorg-server 21.1.12 and xwayland 23.2.5 and patches available from upstream

x11-server version 21.1.12 is already in Cauldron, thanks to Nicolas.
Version 23.2.5 of x11-server-xwayland is likewise already there.
Nicolas has also already done the necessary tigervnc rebuild.
So Cauldron already sorted!

Assigning globally for the Mageia 9 updates.
Assignee: bugsquad => pkg-bugs
CVE-2024-31082 only affects the Xquartz server for MacOS systems.
Version: Cauldron => 9
CVE: CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083 => CVE-2024-31080, CVE-2024-31081, CVE-2024-31083
Status comment: Fixed upstream in xorg-server 21.1.12 and xwayland 23.2.5 and patches available from upstream => (none)
Summary: x11-server, x11-server-xwayland and tigervnc new security issues CVE-2024-3108[0-3] => x11-server, x11-server-xwayland and tigervnc new security issues CVE-2024-3108[013]
Whiteboard: MGA9TOO => (none)

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Heap buffer overread/data leakage in ProcXIGetSelectedEvents. (CVE-2024-31080)
Heap buffer overread/data leakage in ProcXIPassiveGrabDevice. (CVE-2024-31081)
Use-after-free in ProcRenderAddGlyphs. (CVE-2024-31083)

References:
https://www.openwall.com/lists/oss-security/2024/04/03/13
========================

Updated packages in core/updates_testing:
========================
x11-server-21.1.8-7.4.mga9
x11-server-common-21.1.8-7.4.mga9
x11-server-devel-21.1.8-7.4.mga9
x11-server-source-21.1.8-7.4.mga9
x11-server-xephyr-21.1.8-7.4.mga9
x11-server-xnest-21.1.8-7.4.mga9
x11-server-xorg-21.1.8-7.4.mga9
x11-server-xvfb-21.1.8-7.4.mga9
x11-server-xwayland-22.1.9-1.4.mga9
x11-server-xwayland-devel-22.1.9-1.4.mga9
tigervnc-1.13.1-2.4.mga9
tigervnc-java-1.13.1-2.4.mga9
tigervnc-server-1.13.1-2.4.mga9
tigervnc-server-module-1.13.1-2.4.mga9

from SRPMS:
x11-server-21.1.8-7.4.mga9.src.rpm
x11-server-xwayland-22.1.9-1.4.mga9.src.rpm
tigervnc-1.13.1-2.4.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
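A check for whether a Mageia 9 host still carries builds older than the ones listed in the suggested advisory above. This is an added example, not part of the original report; the function names and the sample input are assumptions, and `sort -V` is used as an approximation of rpm's own version ordering.

```shell
#!/bin/sh
# Fixed builds, copied from the "Updated packages" list in the advisory.
fixed_builds() {
    for p in x11-server x11-server-common x11-server-devel x11-server-source \
             x11-server-xephyr x11-server-xnest x11-server-xorg x11-server-xvfb; do
        echo "$p 21.1.8-7.4.mga9"
    done
    for p in x11-server-xwayland x11-server-xwayland-devel; do
        echo "$p 22.1.9-1.4.mga9"
    done
    for p in tigervnc tigervnc-java tigervnc-server tigervnc-server-module; do
        echo "$p 1.13.1-2.4.mga9"
    done
}

# Reads "name version-release" lines on stdin, prints one OUTDATED line per
# package older than its fixed build, and returns 1 if any were found.
check_installed() {
    bad=0
    while read -r name evr; do
        want=$(fixed_builds | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$want" ] || continue        # package not covered by this advisory
        [ "$evr" = "$want" ] && continue  # exactly the fixed build
        oldest=$(printf '%s\n%s\n' "$evr" "$want" | sort -V | head -n 1)
        if [ "$oldest" = "$evr" ]; then
            echo "OUTDATED $name $evr (fixed in $want)"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: the pre-update builds seen in the QA install logs of
# this report, plus one made-up package the advisory does not cover.
sample_before() {
    echo "x11-server-common 21.1.8-7.3.mga9"
    echo "x11-server-xorg 21.1.8-7.3.mga9"
    echo "x11-server-xwayland 22.1.9-1.3.mga9"
    echo "some-other-package 1.0-1.mga9"
}

sample_before | check_installed || echo "update required"
# On a real system, feed it the installed package list instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_installed
```
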
CC: (none) => mageia
Keywords: (none) => advisory
RH mageia 9 x86_64

These packages were updated without issues

    LC_ALL=C urpmi --auto --auto-update
    medium "QA Testing (32-bit)" is up-to-date
    medium "QA Testing (64-bit)" is up-to-date
    medium "Core Release (distrib1)" is up-to-date
    medium "Core Updates (distrib3)" is up-to-date
    medium "Nonfree Release (distrib11)" is up-to-date
    medium "Nonfree Updates (distrib13)" is up-to-date
    medium "Tainted Release (distrib21)" is up-to-date
    medium "Tainted Updates (distrib23)" is up-to-date
    medium "Core 32bit Release (distrib31)" is up-to-date
    medium "Core 32bit Updates (distrib32)" is up-to-date
    medium "Nonfree 32bit Release (distrib36)" is up-to-date
    medium "Tainted 32bit Release (distrib41)" is up-to-date
    medium "Tainted 32bit Updates (distrib42)" is up-to-date

    installing x11-server-xorg-21.1.8-7.4.mga9.x86_64.rpm x11-server-common-21.1.8-7.4.mga9.x86_64.rpm x11-server-xwayland-22.1.9-1.4.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
    Preparing... ######################################################################################
    1/3: x11-server-common ######################################################################################
    2/3: x11-server-xorg ######################################################################################
    3/3: x11-server-xwayland ######################################################################################
    1/3: removing x11-server-xwayland-22.1.9-1.3.mga9.x86_64 ######################################################################################
    2/3: removing x11-server-xorg-21.1.8-7.3.mga9.x86_64 ######################################################################################
    3/3: removing x11-server-common-21.1.8-7.3.mga9.x86_64 ######################################################################################

RH mageia 9 x86_64

After reboot, test Plasma X11

No issues detected

RH mageia 9 x86_64

Plasma Wayland session

No issues detected

RH mageia 9 i586

Packages updated without issues

    installing x11-server-common-21.1.8-7.4.mga9.i586.rpm x11-server-xorg-21.1.8-7.4.mga9.i586.rpm x11-server-xwayland-22.1.9-1.4.mga9.i586.rpm from //home/katnatek/qa-testing/i586
    Preparing... ################################################################
    1/3: x11-server-common ################################################################
    2/3: x11-server-xorg ################################################################
    3/3: x11-server-xwayland ################################################################
    1/3: removing x11-server-xwayland-22.1.9-1.3.mga9.i586 ################################################################
    2/3: removing x11-server-xorg-21.1.8-7.3.mga9.i586 ################################################################
    3/3: removing x11-server-common-21.1.8-7.3.mga9.i586 ################################################################

Reboot and start Plasma X11 session, no issues detected.

It would be good if someone tests the tigervnc packages

MGA9-64 Plasma Wayland on HP-Pavilion

No installation issues.
Rebooted after installation, logged in to Plasma Wayland, no ill effects on the laptop.

Now for the tiger stuff:

    # systemctl start vncserver
    # systemctl -l status vncserver
    ● vncserver.service - LSB: Start TigerVNC server at boot time
         Loaded: loaded (/etc/rc.d/init.d/vncserver; generated)
         Active: active (exited) since Wed 2024-04-10 15:15:36 CEST; 3s ago
           Docs: man:systemd-sysv-generator(8)
        Process: 21928 ExecStart=/etc/rc.d/init.d/vncserver start (code=exited, status=0/SUCCESS)
            CPU: 75ms

    Apr 10 15:15:36 mach4.hviaene.thuis systemd[1]: Starting vncserver.service...
    Apr 10 15:15:36 mach4.hviaene.thuis vncserver[21928]: Starting vncserver: [ OK ]
    Apr 10 15:15:36 mach4.hviaene.thuis systemd[1]: Started vncserver.service.

and opened up port 5900/tcp

Then as normal user:

    $ vncviewer

    TigerVNC Viewer v1.13.1
    Built on: 2024-04-05 06:22
    Copyright (C) 1999-2022 TigerVNC Team and many others (see README.rst)
    See https://www.tigervnc.org for information on TigerVNC.

    Wed Apr 10 15:20:49 2024
     DecodeManager: Detected 4 CPU core(s)
     DecodeManager: Creating 4 decoder thread(s)
     CConn: unable to connect to socket: Connection refused (111)
     DecodeManager: Total: 0 rects, 0 pixels
     DecodeManager: 0 B (1:-nan ratio)

The dialogue comes up, I enter my laptop name and get unable to connect, connection refused.
In all the years I run Mageia, I've never been able to get around this, so I won't spend any further time on it.
I will not object to the OK when someone else drops in.
CC: (none) => herman.viaene
MGA9-64, Xfce, Asus Laptop
AMD A6-9225 RADEON R4
RTL8723BE Bluetooth

The following 3 packages are going to be installed:

- x11-server-common-21.1.8-7.4.mga9.x86_64
- x11-server-xorg-21.1.8-7.4.mga9.x86_64
- x11-server-xwayland-22.1.9-1.4.mga9.x86_64

136B of additional disk space will be used.

--- rebooted

Living with this for several days, no issues.
CC: (none) => brtians1
MGA9-64 Plasma, i5-7500, Nvidia Quadro K620 (nvidia-current) graphics. Updated the same packages as comment 9, used it yesterday afternoon and today, no issues to report.
CC: (none) => andrewsfarm
TigerVNC testing

Server: Plasma desktop

The following 2 packages are going to be installed:

- tigervnc-server-1.13.1-2.4.mga9.x86_64
- tigervnc-server-module-1.13.1-2.4.mga9.x86_64

After install I run the utility to set up the access password for VNC

    $ vncpasswd
    --- follow the prompts

Make sure you open port 5900/tcp in your firewall if you are doing a true remote test.

Next run server from command line:

    $ x0vncserver -passwordfile ~/.vnc/passwd

    Wed Apr 10 16:04:06 2024
     Geometry: Desktop geometry is set to 1920x1080+0+0
     XDesktop: Using evdev codemap
     XDesktop:
     XDesktop: XTest extension present - version 2.2
     XDesktop: DAMAGE extension not present
     XDesktop: Will have to poll screen for changes
     Main: Listening for VNC connections on all interface(s), port 5900

FYI - get your server ip

---- now on client

Xfce installed updates. Then run TigerVnc Viewer - I picked it from the menu
Enter IP when prompted
Enter Password you set up in vnc above

It is working as expected for me. (typed from client connected to the server).

Have fun
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0121.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED