libvncserver has the same problem as realvnc (CVE-2006-2369) although it's completely different code. Upstream has silently fixed it in cvs* but is unsure when to do a new release. Vapier please advise.
well i can bump libvncserver in our cvs now or wait for whenever, doesnt matter to me
Mailed vendor-sec to see wether a release date is set, otherwise we should go ahead some time next week.
SUSE has released updates for this. mike please go ahead.
libvncserver-0.8.2 now in portage
Arches please test and mark stable.
ppc stable
1) emerges fine 2) passes collision test 3) SRC_URI http://libvncserver.sourceforge.net/LibVNCServer-${PV/_}.tar.gz is invalid, fall back on mirror://sf... succeeds 4) only did compile testing, because I have no possibility to test VNC Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.16-gentoo-r13 i686) ================================================================= System uname: 2.6.16-gentoo-r13 i686 AMD Athlon(tm) XP 2500+ Gentoo Base System version 1.6.15 app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-O2" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/" LANG="de_DE@euro" LC_ALL="de_DE@euro" LINGUAS="de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage" USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile avi bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evo exif expat fam fat fbcon fdftk ffmpeg firefox foomaticdb fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k ldap leim libg++ libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia ogg opengl pam pcre pdf pdflib perl plotutils pmu png ppds pppd preview-latex print python qt qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
emerges fine on x86 and amd64 tough: i needed to fetch the distfiles myself .. but that should be the fault of my GENTOO_MIRRORS (using belnet => belgium) greetings diox
x86 stable.
(In reply to comment #9) > x86 stable. It doesn't look like x86 actually marked this one stable. 23 Jul 2006; Joshua Jackson <tsunam@gentoo.org> ChangeLog: Stable x86; bug #136916 Keywords for net-libs/libvncserver: | a a a h i m m p p p s s s x x | l m r p a 6 i p p p 3 h p 8 8 | p d m p 6 8 p c c c 9 a 6 6 | h 6 a 4 k s 6 - 0 r - | a 4 4 m c f | a b | c s | o d | s ------+------------------------------ 0.7 | + + + + + 0.7.1 | ~ ~ ~ ~ ~ 0.8 | ~ ~ ~ ~ ~ 0.8.2 | ~ ~ + ~ ~
amd64 stable.
really stable for x86 now
Stable on SPARC
stable on hppa
Ready for GLSA vote -- I vote yes
yes
voting yes switching to [glsa] status
This is one more of those bugs not fitting the scheme; remote non-root access. Anyway, it'd be more of B1, since once I'm authed, it should be no problem to create (and execute) arbitrary code. Or am I missing something?
Frilled I you're right -> rerating.
Ugh ... we need to identify packages coming with a bundled version of libvncserver, I'm afraid. x11vnc definitely comes with one (not sure whether versions between those two packages match, though) -> should go into GLSA, too. If anybody knows of other bundled versions, please let us know ASAP, thanks!
I went through a lot of vnc packages and found some more: kde-base/krfb (bundled, under ./krfb/libvncserver) net-misc/vino (bundled, under ./server/libvncserver) Talk about annoyances :( CCing kde and gnome for advice.
Without going in a while library update (that isn't easy, I was trying to get krfb use the system copy of libvncserver some time ago, and failed miserably), do we have a patch to apply?
Using the system libvncserver would be the ultimate goal of course. Don't know about a patch, in fact, we'd probably need to find out whether the bundled versions are affected (as they might well have been modified :/) first. Maybe the auditing team can assist here?
Moved other packages to separate bugs: x11-misc/x11vnc bug #142559 net-misc/vino bug #142558 kde-base/krfb bug #142557
To comment on the system libvncserver issue: For x11vnc using the system libvncserver is a no go. x11vnc is the "driving project" of libvncserver and the included libvncserver is often more recent (snapshot) and includes more features that are needed by x11vnc.
GLSA 200608-05
Excuse me if this is a stupid question, but why not build the system libvncserver by extracting x11vnc sources, then?