TigerVNC 1.10.0
"This is a security release to fix a number of issues that were found by Kaspersky Lab. These issues affect both the client and server and could theoretically allow an malicious peer to take control over the software on the other side. No working exploit is known at this time, and the issues require the peer to first be authenticated. We still urge users to upgrade when possible."
(In reply to Jeroen Roovers from comment #1)
> "This is a security release to fix a number of issues that were found by
> Kaspersky Lab. These issues affect both the client and server and could
> theoretically allow an malicious peer to take control over the software on
> the other side.
>
> No working exploit is known at this time, and the issues require the peer to
> first be authenticated. We still urge users to upgrade when possible."
* CVE-2019-15691:
  Description: "TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If decoding routine would throw an exception, ZRLEDecoder may try to access stack variable, which has been already freed during the process of stack unwinding. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity."
  Patch: https://github.com/CendioOssman/tigervnc/commit/d61a767d6842b530ffb532ddd5a3d233119aad40
* CVE-2019-15692:
  Description: "TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow. Vulnerability could be triggered from CopyRectDecoder due to incorrect value checks. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity."
  Patch: https://github.com/CendioOssman/tigervnc/commit/996356b6c65ca165ee1ea46a571c32a1dc3c3821
Maintainers, please create an appropriate ebuild, and let us know when to call for stabilization when ready.
@maintainer(s): ping
(In reply to Sam James (sec padawan) from comment #4)
> @maintainer(s): ping
Any news?
CVE-2019-15693: TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow, which occurs in TightDecoder::FilterGradient. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.
CVE-2019-15694: TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow, which could be triggered from DecodeManager::decodeRect. Vulnerability occurs due to the signedness error in processing MemOutStream. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.
CVE-2019-15695: TigerVNC version prior to 1.10.1 is vulnerable to stack buffer overflow, which could be triggered from CMsgReader::readSetCursor. This vulnerability occurs due to insufficient sanitization of PixelFormat. Since remote attacker can choose offset from start of the buffer to start writing his values, exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.
ping
CVE-2020-26117: In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception.
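As an added illustration of the flaw class described in the CVE-2020-26117 text above (not TigerVNC's code and not part of the original comment), this simplified C++ model contrasts storing a user's certificate exception as an authority with pinning it to one host and one fingerprint. The struct names, host names and fingerprints are constructed, and signature checking is reduced to an issuer-name lookup.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Simplified model (assumption): "signed by" is reduced to an issuer-name
// lookup; no real X.509 parsing or signature verification is done.
struct Cert {
    std::string subject;      // host the certificate names
    std::string issuer;       // signer; equals subject when self-signed
    std::string fingerprint;  // constructed stand-in for a digest
};

// Flawed pattern: an accepted exception becomes a trusted authority.
struct AuthorityStoreViewer {
    std::set<std::string> authorities;  // trusted to sign for ANY host
    void addException(const Cert& c) { authorities.insert(c.subject); }
    bool accepts(const std::string& host, const Cert& c) const {
        return c.subject == host && authorities.count(c.issuer) > 0;
    }
};

// Scoped pattern: the exception is pinned to one host and one certificate.
struct PinnedViewer {
    std::set<std::string> authorities;        // real CAs only
    std::map<std::string, std::string> pins;  // host -> fingerprint
    void addException(const std::string& host, const Cert& c) { pins[host] = c.fingerprint; }
    bool accepts(const std::string& host, const Cert& c) const {
        auto it = pins.find(host);
        if (it != pins.end() && it->second == c.fingerprint) return true;
        return c.subject == host && authorities.count(c.issuer) > 0;
    }
};

// Constructed sample data: self-signed lab server; other-host cert from the same key.
const Cert kLab{"lab.example", "lab.example", "fp-lab"};
const Cert kOther{"files.example", "lab.example", "fp-other"};

bool flawedAccepts(const std::string& host, const Cert& c) {
    AuthorityStoreViewer v; v.addException(kLab); return v.accepts(host, c);
}
bool pinnedAccepts(const std::string& host, const Cert& c) {
    PinnedViewer v; v.addException("lab.example", kLab); return v.accepts(host, c);
}

int main() {
    std::cout << flawedAccepts("files.example", kOther)       // exception reused for another host
              << pinnedAccepts("files.example", kOther)       // exception stays with its host
              << pinnedAccepts("lab.example", kLab) << "\n";  // original exception honoured
}
```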
Working on a 1.11.0 ebuild.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00ed40dff1941e226cd8bdac67fb96ba19e447a5
commit 00ed40dff1941e226cd8bdac67fb96ba19e447a5
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-10-01 11:46:34 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-10-01 11:55:13 +0000
    net-misc/tigervnc: Version 1.11.0
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/700464
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>
 net-misc/tigervnc/Manifest               |   1 +
 net-misc/tigervnc/tigervnc-1.11.0.ebuild | 178 +++++++++++++++++++++++++++++++
 2 files changed, 179 insertions(+)
Looks like 1.11.0 installs the vncserver Perl script to /usr/libexec when USE=server. For some reason.
Yes, right there:
unix/vncserver/CMakeLists.txt:
    install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncserver DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
(In reply to Sam James from comment #4)
> @maintainer(s): ping
Did you see the referenced pull request added by the maintainer?
Also, $HOME/.vnc/xstartup appears to be ignored now. Apparently it needs to be one of
    foreach $cmd ("/etc/X11/xinit/Xsession", "/etc/X11/Xsession") {
I guess that is what files/tigervnc-1.9.0-055_xstartup.patch does.
You may want to add
https://github.com/TigerVNC/tigervnc/commit/331a27addf46d39635fb4d195ae2f94058689832
Prevents a clipboard related server crash
(In reply to Joakim Tjernlund from comment #16)
> You may want to add
> https://github.com/TigerVNC/tigervnc/commit/331a27addf46d39635fb4d195ae2f94058689832
>
> Prevents a clipboard related server crash
We'll be here until Christmas I guess. Bring a sleeping bag? :-)
(In reply to Jeroen Roovers from comment #13)
> (In reply to Sam James from comment #4)
> > @maintainer(s): ping
>
> Did you see the referenced pull request added by the maintainer?
The stalled pull request pending feedback for several months and needing changes?
CVE-2019-15694: TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow, which could be triggered from DecodeManager::decodeRect. Vulnerability occurs due to the signedness error in processing MemOutStream. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.
CVE-2019-15695: TigerVNC version prior to 1.10.1 is vulnerable to stack buffer overflow, which could be triggered from CMsgReader::readSetCursor. This vulnerability occurs due to insufficient sanitization of PixelFormat. Since remote attacker can choose offset from start of the buffer to start writing his values, exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.
Now unmasked, thanks to both ceamac and Anarchy.
\o/
Bug 835730 -> net-misc/tigervnc-1.12.0-r2: /etc/conf.d/tigervnc: setting $VNC_OPTS causes service to fail
I'd appreciate if v1.12 got stabilized soon since only tigervnc[server] blocks xorg-server from being updated in my system.
(In reply to Jan Sever from comment #23)
> I'd appreciate if v1.12 got stabilized soon since only tigervnc[server]
> blocks xorg-server from being updated in my system.
Yes, it will be in due course, but it was also unmasked a few days ago after a long time of needing a fix. Just add to package.accept_keywords for now?
Please do not start stabilization yet - I'm still trying to clean up the dependencies and I've also found a bug regarding xdg. If all goes well I'll make a new PR tomorrow.
(In reply to Viorel from comment #25)
> Please do not start stabilization yet - I'm still trying to clean up the
> dependencies and I've also found a bug regarding xdg. If all goes well I'll
> make a new PR tomorrow.
Thanks for bringing that up!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aabb6b116e78b4e93773e599018811120e5c4ca5
commit aabb6b116e78b4e93773e599018811120e5c4ca5
Author:     Viorel Munteanu <ceamac.paragon@gmail.com>
AuthorDate: 2022-05-09 16:10:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-13 20:03:45 +0000
    net-misc/tigervnc: drop 1.9.0-r2
    Bug: https://bugs.gentoo.org/700464
    Signed-off-by: Viorel Munteanu <ceamac.paragon@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/25403
    Signed-off-by: Sam James <sam@gentoo.org>
 net-misc/tigervnc/Manifest                         |   2 -
 .../files/tigervnc-1.9.0-030_manpages.patch        |  55 ------
 .../files/tigervnc-1.9.0-055_xstartup.patch        |  33 ----
 net-misc/tigervnc/files/tigervnc.confd             |   9 -
 net-misc/tigervnc/files/tigervnc.initd             |  72 --------
 .../files/xserver120-drmfourcc-header.patch        |  36 ----
 net-misc/tigervnc/files/xserver120.patch           |  91 ----------
 net-misc/tigervnc/tigervnc-1.9.0-r2.ebuild         | 185 ---------------------
 8 files changed, 483 deletions(-)
Think tree is clean?
Yesterday I added 1.13.0 and there are no versions older than 1.12.0-r7. I think this bug can be closed. Thank you!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=e75e0cf896e1c89e3272ed5fc6f40c3101cf79be
commit e75e0cf896e1c89e3272ed5fc6f40c3101cf79be
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-05 08:04:14 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-05 08:04:55 +0000
    [ GLSA 202407-14 ] TigerVNC: Multiple Vulnerabilities
    Bug: https://bugs.gentoo.org/700464
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>
 glsa-202407-14.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)