Bug 136916 - net-libs/libvncserver Authentication bypass (CVE-2006-2450)
Summary: net-libs/libvncserver Authentication bypass (CVE-2006-2450)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://libvncserver.cvs.sourceforge.n...
Whiteboard: B1 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-06-15 10:58 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-08-04 00:18 UTC (History)
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-15 10:58:25 UTC
libvncserver has the same problem as realvnc (CVE-2006-2369)
although it's completely different code. Upstream has silently fixed
it in cvs* but is unsure when to do a new release.

Vapier please advise.
Comment 1 SpanKY gentoo-dev 2006-06-15 20:11:19 UTC
Well, I can bump libvncserver in our cvs now or wait for whenever, doesn't matter to me
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-30 09:18:17 UTC
Mailed vendor-sec to see whether a release date is set, otherwise we should go ahead some time next week.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-30 09:27:07 UTC
SUSE has released updates for this.

Mike please go ahead.
Comment 4 SpanKY gentoo-dev 2006-07-14 18:40:07 UTC
libvncserver-0.8.2 now in portage
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-22 23:55:14 UTC
Arches please test and mark stable.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-07-23 00:41:18 UTC
ppc stable
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2006-07-23 00:59:13 UTC
1) emerges fine
2) passes collision test
3) SRC_URI http://libvncserver.sourceforge.net/LibVNCServer-${PV/_}.tar.gz is invalid, fall back on mirror://sf... succeeds
4) only did compile testing, because I have no possibility to test VNC


Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.16-gentoo-r13 i686)
=================================================================
System uname: 2.6.16-gentoo-r13 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.6.15
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile avi bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evo exif expat fam fat fbcon fdftk ffmpeg firefox foomaticdb fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k ldap leim libg++ libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia ogg opengl pam pcre pdf pdflib perl plotutils pmu png ppds pppd preview-latex print python qt qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 8 Dimitry Bradt (RETIRED) gentoo-dev 2006-07-23 07:13:03 UTC
emerges fine on x86 and amd64
though: I needed to fetch the distfiles myself ..
but that should be the fault of my GENTOO_MIRRORS
(using belnet => Belgium)

greetings
diox
Comment 9 Joshua Jackson (RETIRED) gentoo-dev 2006-07-23 15:22:54 UTC
x86 stable.
Comment 10 Thomas Cort (RETIRED) gentoo-dev 2006-07-27 10:36:00 UTC
(In reply to comment #9)
> x86 stable.

It doesn't look like x86 actually marked this one stable.

  23 Jul 2006; Joshua Jackson <tsunam@gentoo.org> ChangeLog:
  Stable x86; bug #136916

Keywords for net-libs/libvncserver:

      | a a a h i m m p p p s s s x x
      | l m r p a 6 i p p p 3 h p 8 8
      | p d m p 6 8 p c c c 9   a 6 6
      | h 6   a 4 k s   6 - 0   r   -
      | a 4             4 m     c   f
      |                   a         b
      |                   c         s
      |                   o         d
      |                   s
------+------------------------------
0.7   |   +   +       +         + +
0.7.1 |   ~   ~       ~         ~ ~
0.8   |   ~   ~       ~         ~ ~
0.8.2 |   ~   ~       +         ~ ~
Comment 11 Thomas Cort (RETIRED) gentoo-dev 2006-07-27 10:36:18 UTC
amd64 stable.
Comment 12 Alastair Tse (RETIRED) gentoo-dev 2006-07-27 11:08:45 UTC
really stable for x86 now
Comment 13 Jason Wever (RETIRED) gentoo-dev 2006-07-28 15:52:35 UTC
Stable on SPARC
Comment 14 René Nussbaumer (RETIRED) gentoo-dev 2006-07-29 02:00:40 UTC
stable on hppa
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2006-07-29 05:18:28 UTC
Ready for GLSA vote -- I vote yes
Comment 16 Wolf Giesen (RETIRED) gentoo-dev 2006-07-29 05:51:50 UTC
yes
Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev 2006-07-29 09:46:41 UTC
voting yes

switching to [glsa] status
Comment 18 Wolf Giesen (RETIRED) gentoo-dev 2006-07-30 22:31:35 UTC
This is one more of those bugs not fitting the scheme; remote non-root access. Anyway, it'd be more of B1, since once I'm authed, it should be no problem to create (and execute) arbitrary code. Or am I missing something?
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-31 00:46:25 UTC
Frilled I you're right -> rerating.
Comment 20 Wolf Giesen (RETIRED) gentoo-dev 2006-08-01 23:09:14 UTC
Ugh ... we need to identify packages coming with a bundled version of libvncserver, I'm afraid. x11vnc definitely comes with one (not sure whether versions between those two packages match, though) -> should go into GLSA, too.

If anybody knows of other bundled versions, please let us know ASAP, thanks!
Comment 21 Wolf Giesen (RETIRED) gentoo-dev 2006-08-01 23:39:55 UTC
I went through a lot of vnc packages and found some more:

kde-base/krfb (bundled, under ./krfb/libvncserver)
net-misc/vino (bundled, under ./server/libvncserver)

Talk about annoyances :(

CCing kde and gnome for advice.
Comment 22 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-08-02 00:41:41 UTC
Without going in a whole library update (that isn't easy, I was trying to get krfb use the system copy of libvncserver some time ago, and failed miserably), do we have a patch to apply?
Comment 23 Wolf Giesen (RETIRED) gentoo-dev 2006-08-02 00:45:32 UTC
Using the system libvncserver would be the ultimate goal of course. Don't know about a patch, in fact, we'd probably need to find out whether the bundled versions are affected (as they might well have been modified :/) first. Maybe the auditing team can assist here?
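The check that comments 20 to 23 call for, as an added sketch that is not part of this bug thread or of any Gentoo tooling: locate directories named libvncserver inside unpacked source trees, then see which of their files differ from a reference copy. The sample tree, its file names and contents are constructed, and the `.c`/`.h` filter is an assumption; a matching hash only says a file equals the reference, a differing one only marks it for manual audit.

```python
import hashlib
import os
import tempfile
from pathlib import Path

BUNDLE_DIR = "libvncserver"  # directory name reported in comment 21
SUFFIXES = {".c", ".h"}      # assumption: only C sources and headers are compared

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def sources(tree):
    return sorted(p for p in Path(tree).rglob("*")
                  if p.is_file() and p.suffix in SUFFIXES)

def find_bundled_copies(root):
    """Paths, relative to root, of every directory named libvncserver."""
    root, hits = Path(root), []
    for dirpath, dirnames, _ in os.walk(root):
        hits += [(Path(dirpath) / d).relative_to(root).as_posix()
                 for d in dirnames if d.lower() == BUNDLE_DIR]
    return sorted(hits)

def compare_with_reference(bundled, reference):
    """Sort a bundled copy's files into identical / modified / local_only."""
    ref = {p.name: digest(p) for p in sources(reference)}  # keyed by basename
    out = {"identical": [], "modified": [], "local_only": []}
    for p in sources(bundled):
        kind = ("local_only" if p.name not in ref else
                "identical" if digest(p) == ref[p.name] else "modified")
        out[kind].append(p.name)
    return out

def demo():
    files = {  # constructed sample tree: every name and content is invented
        "reference/auth.c": "auth, fixed release\n",
        "trees/krfb/krfb/libvncserver/auth.c": "auth, fixed release\n",
        "trees/vino/server/libvncserver/auth.c": "auth, older snapshot\n",
        "trees/vino/server/libvncserver/vino-glue.c": "local glue\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in files.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(text)
        trees, ref = Path(tmp) / "trees", Path(tmp) / "reference"
        return {hit: compare_with_reference(trees / hit, ref)
                for hit in find_bundled_copies(trees)}

if __name__ == "__main__":
    print(demo())
```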
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-02 08:54:54 UTC
Moved other packages to separate bugs:

x11-misc/x11vnc bug #142559
net-misc/vino bug #142558
kde-base/krfb bug #142557
Comment 25 Sven Wegener gentoo-dev 2006-08-02 10:41:40 UTC
To comment on the system libvncserver issue: For x11vnc using the system libvncserver is a no go. x11vnc is the "driving project" of libvncserver and the included libvncserver is often more recent (snapshot) and includes more features that are needed by x11vnc.
Comment 26 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-03 21:59:05 UTC
GLSA 200608-05
Comment 27 Wolf Giesen (RETIRED) gentoo-dev 2006-08-04 00:18:20 UTC
Excuse me if this is a stupid question, but why not build the system libvncserver by extracting x11vnc sources, then?