Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 136916
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 136916 depends on: Show dependency tree
Bug 136916 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2006-06-15 10:58 0000 
libvncserver has the same problem as realvnc (CVE-2006-2369)
although it's completely different code. Upstream has silently fixed
it in cvs* but is unsure when to do a new release.

Vapier please advise.

------- Comment #1 From SpanKY 2006-06-15 20:11:19 0000 ------- 
well i can bump libvncserver in our cvs now or wait for whenever, doesnt matter
to me

------- Comment #2 From Sune Kloppenborg Jeppesen 2006-06-30 09:18:17 0000 ------- 
Mailed vendor-sec to see wether a release date is set, otherwise we should go
ahead some time next week.

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-06-30 09:27:07 0000 ------- 
SUSE has released updates for this.

mike please go ahead.

------- Comment #4 From SpanKY 2006-07-14 18:40:07 0000 ------- 
libvncserver-0.8.2 now in portage

------- Comment #5 From Sune Kloppenborg Jeppesen 2006-07-22 23:55:14 0000 ------- 
Arches please test and mark stable.

------- Comment #6 From Tobias Scherbaum 2006-07-23 00:41:18 0000 ------- 
ppc stable

------- Comment #7 From Christian Faulhammer 2006-07-23 00:59:13 0000 ------- 
1) emerges fine
2) passes collision test
3) SRC_URI http://libvncserver.sourceforge.net/LibVNCServer-${PV/_}.tar.gz is
invalid, fall back on mirror://sf... succeeds
4) only did compile testing, because I have no possibility to test VNC


Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4,
2.6.16-gentoo-r13 i686)
=================================================================
System uname: 2.6.16-gentoo-r13 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.6.15
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash
/etc/terminfo"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer
parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile avi
bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo
cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus
dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss
encode esd evo exif expat fam fat fbcon fdftk ffmpeg firefox foomaticdb fortran
ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn
imagemagick imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k ldap leim
libg++ libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng
mono motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl
nptlonly nsplugin nvidia ogg opengl pam pcre pdf pdflib perl plotutils pmu png
ppds pppd preview-latex print python qt qt3 qt4 quicktime readline reflection
reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd
theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos
vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc
input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU
video_cards_radeon video_cards_vesa video_cards_fbdev"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #8 From Dimitry Bradt (RETIRED) 2006-07-23 07:13:03 0000 ------- 
emerges fine on x86 and amd64
tough: i needed to fetch the distfiles myself .. 
but that should be the fault of my GENTOO_MIRRORS
(using belnet => belgium)

greetings
diox

------- Comment #9 From Joshua Jackson 2006-07-23 15:22:54 0000 ------- 
x86 stable.

------- Comment #10 From Thomas Cort (RETIRED) 2006-07-27 10:36:00 0000 ------- 
(In reply to comment #9)
> x86 stable.

It doesn't look like x86 actually marked this one stable.

  23 Jul 2006; Joshua Jackson <tsunam@gentoo.org> ChangeLog:
  Stable x86; bug #136916

Keywords for net-libs/libvncserver:

      | a a a h i m m p p p s s s x x
      | l m r p a 6 i p p p 3 h p 8 8
      | p d m p 6 8 p c c c 9   a 6 6
      | h 6   a 4 k s   6 - 0   r   -
      | a 4             4 m     c   f
      |                   a         b
      |                   c         s
      |                   o         d
      |                   s
------+------------------------------
0.7   |   +   +       +         + +
0.7.1 |   ~   ~       ~         ~ ~
0.8   |   ~   ~       ~         ~ ~
0.8.2 |   ~   ~       +         ~ ~

------- Comment #11 From Thomas Cort (RETIRED) 2006-07-27 10:36:18 0000 ------- 
amd64 stable.

------- Comment #12 From Alastair Tse (RETIRED) 2006-07-27 11:08:45 0000 ------- 
really stable for x86 now

------- Comment #13 From Jason Wever (RETIRED) 2006-07-28 15:52:35 0000 ------- 
Stable on SPARC

------- Comment #14 From René Nussbaumer 2006-07-29 02:00:40 0000 ------- 
stable on hppa

------- Comment #15 From Thierry Carrez (RETIRED) 2006-07-29 05:18:28 0000 ------- 
Ready for GLSA vote -- I vote yes

------- Comment #16 From Wolf Giesen (RETIRED) 2006-07-29 05:51:50 0000 ------- 
yes

------- Comment #17 From Matthias Geerdsen 2006-07-29 09:46:41 0000 ------- 
voting yes

switching to [glsa] status

------- Comment #18 From Wolf Giesen (RETIRED) 2006-07-30 22:31:35 0000 ------- 
This is one more of those bugs not fitting the scheme; remote non-root access.
Anyway, it'd be more of B1, since once I'm authed, it should be no problem to
create (and execute) arbitrary code. Or am I missing something?

------- Comment #19 From Sune Kloppenborg Jeppesen 2006-07-31 00:46:25 0000 ------- 
Frilled I you're right -> rerating.

------- Comment #20 From Wolf Giesen (RETIRED) 2006-08-01 23:09:14 0000 ------- 
Ugh ... we need to identify packages coming with a bundled version of
libvncserver, I'm afraid. x11vnc definitely comes with one (not sure whether
versions between those two packages match, though) -> should go into GLSA, too.

If anybody knows of other bundled versions, please let us know ASAP, thanks!

------- Comment #21 From Wolf Giesen (RETIRED) 2006-08-01 23:39:55 0000 ------- 
I went through a lot of vnc packages and found some more:

kde-base/krfb (bundled, under ./krfb/libvncserver)
net-misc/vino (bundled, under ./server/libvncserver)

Talk about annoyances :(

CCing kde and gnome for advice.

------- Comment #22 From Diego E. 'Flameeyes' Pettenò 2006-08-02 00:41:41 0000 ------- 
Without going in a while library update (that isn't easy, I was trying to get
krfb use the system copy of libvncserver some time ago, and failed miserably),
do we have a patch to apply?

------- Comment #23 From Wolf Giesen (RETIRED) 2006-08-02 00:45:32 0000 ------- 
Using the system libvncserver would be the ultimate goal of course. Don't know
about a patch, in fact, we'd probably need to find out whether the bundled
versions are affected (as they might well have been modified :/) first. Maybe
the auditing team can assist here?

------- Comment #24 From Sune Kloppenborg Jeppesen 2006-08-02 08:54:54 0000 ------- 
Moved other packages to separate bugs:

x11-misc/x11vnc bug #142559
net-misc/vino bug #142558
kde-base/krfb bug #142557

------- Comment #25 From Sven Wegener 2006-08-02 10:41:40 0000 ------- 
To comment on the system libvncserver issue: For x11vnc using the system
libvncserver is a no go. x11vnc is the "driving project" of libvncserver and
the included libvncserver is often more recent (snapshot) and includes more
features that are needed by x11vnc.

------- Comment #26 From Sune Kloppenborg Jeppesen 2006-08-03 21:59:05 0000 ------- 
GLSA 200608-05

------- Comment #27 From Wolf Giesen (RETIRED) 2006-08-04 00:18:20 0000 ------- 
Excuse me if this is a stupid question, but why not build the system
libvncserver by extracting x11vnc sources, then?
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug