Bug 35311 - tigervnc new security issue CVE-2026-34352
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-04-02 10:05 CEST by Nicolas Salguero
Modified: 2026-04-07 23:50 CEST

See Also:
Source RPM: tigervnc-1.13.1-2.9.mga9.src.rpm
CVE: CVE-2026-34352
Status comment:
mageia: test_passed_mga9_64+


Description Nicolas Salguero 2026-04-02 10:05:22 CEST
Reference: https://www.openwall.com/lists/oss-security/2026/03/26/7

Nicolas Salguero 2026-04-02 10:06:53 CEST

Flags: (none) => affects_mga9+
Status comment: (none) => Patch available from upstream
Source RPM: (none) => tigervnc-1.15.0-4.mga10.src.rpm, tigervnc-1.13.1-2.9.mga9.src.rpm
CVE: (none) => CVE-2026-34352
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2026-04-02 10:15:29 CEST
For Cauldron, tigervnc-1.15.0-5.mga10 fixes the issue.


Suggested advisory:
========================

The updated packages fix a security vulnerability:

In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions. (CVE-2026-34352)

References:
https://www.openwall.com/lists/oss-security/2026/03/26/7
========================

Updated packages in core/updates_testing:
========================
tigervnc-1.13.1-2.10.mga9
tigervnc-java-1.13.1-2.10.mga9
tigervnc-server-1.13.1-2.10.mga9
tigervnc-server-module-1.13.1-2.10.mga9

from SRPM:
tigervnc-1.13.1-2.10.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Flags: affects_mga9+ => (none)
Status comment: Patch available from upstream => (none)
Source RPM: tigervnc-1.15.0-4.mga10.src.rpm, tigervnc-1.13.1-2.9.mga9.src.rpm => tigervnc-1.13.1-2.9.mga9.src.rpm
Version: Cauldron => 9

katnatek 2026-04-03 03:34:57 CEST

Keywords: (none) => advisory

Comment 2 Frédéric "LpSolit" Buclin 2026-04-03 14:17:07 CEST
(In reply to Nicolas Salguero from comment #1)
> For Cauldron, tigervnc-1.15.0-5.mga10 fixes the issue.

I don't get it. Why not push version 1.16.2 on Cauldron? Mageia 10 is not yet released, and we are already behind with TigerVNC.

Comment 3 Nicolas Salguero 2026-04-03 14:30:43 CEST
(In reply to Frédéric "LpSolit" Buclin from comment #2)
> I don't get it. Why not push version 1.16.2 on Cauldron? Mageia 10 is not
> yet released, and we are already behind with TigerVNC.

Version 1.16.x adds Wayland support (cf. bug 35071) and needs a complete rework of the packaging. It will take me a lot of time and possibly be broken because I am not a tigervnc expert and our SPEC file is rather different from Fedora's.

Comment 4 Herman Viaene 2026-04-03 15:28:34 CEST
I will keep my hands off, since in the past I never got it configured properly.

CC: (none) => herman.viaene

Comment 5 PC LX 2026-04-03 19:41:18 CEST
Installed and tested without issues.

Tested:
- server and client;
- through a ssh tunnel;
- vncserver started using systemd service, which is started using a systemd socket.
- clients: vncclient, VncViewer.jar, and KRDC;
- also tested connecting to a Windows 10 system.
All OK.


System server: Mageia 9, x86_64, Plasma DE, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.
System client: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



##### ON THE SERVER #####

$ uname -a
Linux marte 6.6.130-server-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu Mar 26 04:13:58 UTC 2026 x86_64 GNU/Linux
$ rpm -qa | grep tigervnc | sort -u
tigervnc-server-1.13.1-2.10.mga9
$ systemctl status vncserver@:1.service 
○ vncserver@:1.service - Remote desktop service (VNC)
     Loaded: loaded (/usr/lib/systemd/system/vncserver@.service; disabled; preset: disabled)
    Drop-In: /etc/systemd/system/vncserver@:1.service.d
             └─override.conf
     Active: inactive (dead)

abr 03 18:19:32 marte systemd[1]: Starting vncserver@:1.service...
abr 03 18:19:32 marte systemd[1]: Started vncserver@:1.service.
abr 03 18:28:58 marte systemd[1]: vncserver@:1.service: Deactivated successfully.
abr 03 18:28:58 marte sh[898866]: Running timer as unit: run-r7a51a766985d4af68314019bc6dfd0f1.timer
abr 03 18:28:58 marte sh[898866]: Will run service as unit: run-r7a51a766985d4af68314019bc6dfd0f1.service
$ cat /etc/systemd/system/vncserver@:1.service.d/override.conf
[Service]
ExecStopPost=+/usr/bin/bash -c '[[ "$SERVICE_RESULT" == "success" && "$EXIT_CODE" == "exited" ]] && /usr/bin/systemd-run --on-active=1s /usr/bin/systemctl start vncserver@1.socket'
$ cat /usr/local/lib/systemd/system/vncserver@.socket 
[Unit]
Description=VNC Server Socket
Conflicts=vncserver@:%i.service

[Socket]
ListenStream=127.0.0.1:590%i
Service=vncserver@:%i.service

[Install]
WantedBy=sockets.target 



##### ON THE CLIENT #####

$ uname -a
Linux jupiter 6.6.130-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu Mar 26 01:48:01 UTC 2026 x86_64 GNU/Linux
$ rpm -qa | grep tigervnc | sort
tigervnc-1.13.1-2.10.mga9
tigervnc-java-1.13.1-2.10.mga9
$ vncviewer -geometry 1920x1080 localhost:1

TigerVNC Viewer v1.13.1
Built on: 2026-04-02 08:07
Copyright (C) 1999-2022 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.

Fri Apr  3 18:36:18 2026
 DecodeManager: Detected 12 CPU core(s)
 DecodeManager: Creating 4 decoder thread(s)
 CConn:       Conectado ao host localhost porta 5901
 CConnection: Server supports RFB protocol version 3.8
 CConnection: Using RFB protocol version 3.8
 CConnection: Choosing security type VeNCrypt(19)
 CVeNCrypt:   Choosing security type TLSVnc (258)

Fri Apr  3 18:36:23 2026
 DesktopWindow: Ajustando tamanho de janela para evitar solicitação de tela
              cheia acidental
 CConn:       Usando formato de pixel depth 24 (32bpp) little-endian rgb888
 CConnection: Enabling continuous updates
$ java -jar /usr/share/java/VncViewer.jar

TigerVNC Java Viewer v1.13.1 (20260402)
Built on 2026-04-02 at 08:10:41
Copyright (C) 1999-2022 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.
DecodeManager: Detected 12 CPU core(s)
DecodeManager: Creating 4 decoder thread(s)
CConn: connected to host localhost port 5901
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
CConn: Using pixel format depth 24 (32bpp) little-endian rgb888
CConnection: Enabling continuous updates

CC: (none) => mageia

Comment 6 PC LX 2026-04-05 17:01:22 CEST
This update has been in use for 3 days without issues. Giving it the OK for x86_64.

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

Comment 7 Thomas Andrews 2026-04-07 21:04:02 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Mageia Robot 2026-04-07 23:50:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0088.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
