Bug 700464 (CVE-2019-15691, CVE-2019-15692, CVE-2019-15694, CVE-2019-15695, CVE-2020-26117) - <net-misc/tigervnc-1.12.0-r2: Multiple vulnerabilities (CVE-2019-{15691, 15692, 15694, 15695}, CVE-2020-26117)
Status: IN_PROGRESS
Alias: CVE-2019-15691, CVE-2019-15692, CVE-2019-15694, CVE-2019-15695, CVE-2020-26117
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal (3 votes)
Assignee: Gentoo Security
Whiteboard: B2 [glsa? cve]
Keywords: PullRequest
Depends on: 745981 746227 842723 852014
Reported: 2019-11-18 09:17 UTC by Jeroen Roovers (RETIRED)
Modified: 2023-02-04 10:21 UTC (History)
Description Jeroen Roovers (RETIRED) gentoo-dev 2019-11-18 09:17:56 UTC
TigerVNC 1.10.0
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2019-12-20 18:03:20 UTC
"This is a security release to fix a number of issues that were found by Kaspersky Lab. These issues affect both the client and server and could theoretically allow a malicious peer to take control over the software on the other side.

No working exploit is known at this time, and the issues require the peer to first be authenticated. We still urge users to upgrade when possible."
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 04:07:25 UTC
(In reply to Jeroen Roovers from comment #1)
> "This is a security release to fix a number of issues that were found by
> Kaspersky Lab. These issues affect both the client and server and could
> theoretically allow a malicious peer to take control over the software on
> the other side.
> 
> No working exploit is known at this time, and the issues require the peer to
> first be authenticated. We still urge users to upgrade when possible."

* CVE-2019-15691:

Description:
"TigerVNC versions prior to 1.10.1 are vulnerable to stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If the decoding routine throws an exception, ZRLEDecoder may try to access a stack variable that has already been freed during stack unwinding. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity."

Patch: https://github.com/CendioOssman/tigervnc/commit/d61a767d6842b530ffb532ddd5a3d233119aad40

* CVE-2019-15692

Description:
"TigerVNC versions prior to 1.10.1 are vulnerable to heap buffer overflow. The vulnerability could be triggered from CopyRectDecoder due to incorrect value checks. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity."

Patch: https://github.com/CendioOssman/tigervnc/commit/996356b6c65ca165ee1ea46a571c32a1dc3c3821
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2020-03-18 06:43:41 UTC
Maintainers, please create an appropriate ebuild, and let us know when to call for stabilization when ready.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-05 22:43:50 UTC
@maintainer(s): ping
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-08 04:05:16 UTC
(In reply to Sam James (sec padawan) from comment #4)
> @maintainer(s): ping

Any news?
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-25 22:39:55 UTC
CVE-2019-15693:

TigerVNC versions prior to 1.10.1 are vulnerable to heap buffer overflow, which occurs in TightDecoder::FilterGradient. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.

CVE-2019-15694:

TigerVNC versions prior to 1.10.1 are vulnerable to heap buffer overflow, which could be triggered from DecodeManager::decodeRect. The vulnerability occurs due to a signedness error in processing MemOutStream. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.

CVE-2019-15695:

TigerVNC versions prior to 1.10.1 are vulnerable to stack buffer overflow, which could be triggered from CMsgReader::readSetCursor. This vulnerability occurs due to insufficient sanitization of PixelFormat. Since a remote attacker can choose the offset from the start of the buffer at which to start writing values, exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.
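The signedness error and the PixelFormat sanitization gap described in this comment for CVE-2019-15694 and CVE-2019-15695 are both instances of the same class: peer-supplied values entering size arithmetic before a copy into a fixed buffer. The program below is an added example and not TigerVNC code; its message layout, struct and function names (pixel_format, weak_length_check, strict_length_check, cursor_pixel_bytes, read_set_cursor) are hypothetical, and the messages it parses are constructed inline. It shows a signed length comparison that lets negative values through beside the corrected check, and a cursor reader that validates the pixel format and dimensions before any copy happens.

```c
/* Added example, not TigerVNC code: message layout and names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CURSOR_DIM   64
#define MAX_CURSOR_BYTES (MAX_CURSOR_DIM * MAX_CURSOR_DIM * 4)

/* Hypothetical peer-supplied pixel format; only the field that drives
 * the size arithmetic is modelled here. */
struct pixel_format {
    uint8_t bits_per_pixel;
};

/* Signedness mistake: a length read from the wire as a signed integer and
 * compared as signed.  Every negative value passes this check and then
 * becomes a huge size_t when handed to memcpy or an allocator. */
bool weak_length_check(int32_t len)
{
    return len <= MAX_CURSOR_BYTES;
}

/* Corrected: reject negative values first, then compare in the size_t domain. */
bool strict_length_check(int32_t len)
{
    return len >= 0 && (size_t)len <= MAX_CURSOR_BYTES;
}

/* Accept only the pixel formats the decoder actually supports; 0, 24, 255
 * and similar must never reach the size arithmetic. */
bool pixel_format_valid(const struct pixel_format *pf)
{
    return pf->bits_per_pixel == 8 || pf->bits_per_pixel == 16 ||
           pf->bits_per_pixel == 32;
}

/* Byte count of a w x h cursor in format pf.  Dimensions are range-checked
 * before multiplying, so the product cannot overflow or exceed the buffer. */
bool cursor_pixel_bytes(uint16_t w, uint16_t h, const struct pixel_format *pf,
                        size_t *out)
{
    if (!pixel_format_valid(pf))
        return false;
    if (w == 0 || h == 0 || w > MAX_CURSOR_DIM || h > MAX_CURSOR_DIM)
        return false;
    *out = (size_t)w * h * (pf->bits_per_pixel / 8);
    return true;
}

/* Parse a constructed message [w:2 BE][h:2 BE][pixels: w*h*bpp bytes] into a
 * caller-provided fixed buffer.  Returns the number of pixel bytes copied,
 * or 0 when the message is rejected; nothing is copied on rejection. */
size_t read_set_cursor(const uint8_t *msg, size_t msg_len,
                       const struct pixel_format *pf,
                       uint8_t out[MAX_CURSOR_BYTES])
{
    if (msg_len < 4)
        return 0;
    uint16_t w = (uint16_t)((msg[0] << 8) | msg[1]);
    uint16_t h = (uint16_t)((msg[2] << 8) | msg[3]);
    size_t need;
    if (!cursor_pixel_bytes(w, h, pf, &need))
        return 0;
    if (msg_len - 4 < need)      /* claimed size larger than what arrived */
        return 0;
    memcpy(out, msg + 4, need);
    return need;
}

/* Constructed 2x2 cursor at 32 bpp: 4-byte header plus 16 zero pixel bytes. */
size_t demo_valid_cursor(void)
{
    static const uint8_t msg[4 + 16] = { 0x00, 0x02, 0x00, 0x02 };
    struct pixel_format pf = { 32 };
    uint8_t buf[MAX_CURSOR_BYTES];
    return read_set_cursor(msg, sizeof msg, &pf, buf);
}

/* Constructed header claiming 65535x65535 pixels: rejected by the
 * dimension check before any arithmetic or copy. */
size_t demo_oversized_cursor(void)
{
    static const uint8_t msg[4] = { 0xff, 0xff, 0xff, 0xff };
    struct pixel_format pf = { 32 };
    uint8_t buf[MAX_CURSOR_BYTES];
    return read_set_cursor(msg, sizeof msg, &pf, buf);
}

/* Constructed 2x2 cursor with an unsupported 24 bpp format: rejected. */
size_t demo_bad_pixel_format(void)
{
    static const uint8_t msg[4 + 12] = { 0x00, 0x02, 0x00, 0x02 };
    struct pixel_format pf = { 24 };
    uint8_t buf[MAX_CURSOR_BYTES];
    return read_set_cursor(msg, sizeof msg, &pf, buf);
}

int main(void)
{
    printf("weak check accepts -1: %d, strict check accepts -1: %d\n",
           weak_length_check(-1), strict_length_check(-1));
    printf("valid cursor: %zu bytes copied\n", demo_valid_cursor());
    printf("oversized cursor: %zu bytes copied\n", demo_oversized_cursor());
    printf("24 bpp cursor: %zu bytes copied\n", demo_bad_pixel_format());
    return 0;
}
```

The point of the range check before the multiplication is that the product is bounded by construction; checking the product afterwards is too late if the multiplication itself can wrap, and checking a signed value against an unsigned capacity invites exactly the comparison mistake shown in weak_length_check.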
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 05:48:01 UTC
ping
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-28 18:28:30 UTC
CVE-2020-26117:

In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception.
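The flaw this comment describes is one of scope: a certificate the user excused once was remembered as an authority, so it then verified for any server name. The program below is an added example and not TigerVNC code; the store layouts, function names (authority_add, authority_accepts, exception_add, exception_accepts) and the host names and fingerprint are constructed, and no real TLS is involved. It contrasts the authority model with an exception bound to both the host name and the exact leaf certificate.

```c
/* Added example, not TigerVNC code: names, hosts and fingerprint are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8
#define FP_LEN      65   /* room for a hex SHA-256 fingerprint plus terminator */
#define HOST_LEN    64

/* Mistaken model: an excused certificate is kept as an authority and
 * therefore verifies for every host afterwards. */
struct authority_store {
    char fingerprints[MAX_ENTRIES][FP_LEN];
    int count;
};

/* Corrected model: the exception is bound to the host it was made for and
 * to the exact leaf certificate the user inspected. */
struct exception_store {
    char host[MAX_ENTRIES][HOST_LEN];
    char fingerprint[MAX_ENTRIES][FP_LEN];
    int count;
};

static void copy_str(char *dst, size_t cap, const char *src)
{
    snprintf(dst, cap, "%s", src);
}

void authority_add(struct authority_store *s, const char *fp)
{
    if (s->count < MAX_ENTRIES)
        copy_str(s->fingerprints[s->count++], FP_LEN, fp);
}

/* The host argument is ignored: that is precisely the flaw. */
bool authority_accepts(const struct authority_store *s, const char *host,
                       const char *fp)
{
    (void)host;
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->fingerprints[i], fp) == 0)
            return true;
    return false;
}

void exception_add(struct exception_store *s, const char *host, const char *fp)
{
    if (s->count < MAX_ENTRIES) {
        copy_str(s->host[s->count], HOST_LEN, host);
        copy_str(s->fingerprint[s->count], FP_LEN, fp);
        s->count++;
    }
}

/* Both the host name and the exact fingerprint must match. */
bool exception_accepts(const struct exception_store *s, const char *host,
                       const char *fp)
{
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->host[i], host) == 0 &&
            strcmp(s->fingerprint[i], fp) == 0)
            return true;
    return false;
}

/* Constructed scenario: the user accepted FP_A for vnc-a.example; the holder
 * of that certificate later presents it while claiming to be vnc-b.example. */
static const char FP_A[] = "sha256:CONSTRUCTED-FINGERPRINT-A";

bool authority_model_allows_impersonation(void)
{
    struct authority_store s = {0};
    authority_add(&s, FP_A);
    return authority_accepts(&s, "vnc-b.example", FP_A);
}

bool exception_model_allows_impersonation(void)
{
    struct exception_store s = {0};
    exception_add(&s, "vnc-a.example", FP_A);
    return exception_accepts(&s, "vnc-b.example", FP_A);
}

bool exception_model_accepts_original_host(void)
{
    struct exception_store s = {0};
    exception_add(&s, "vnc-a.example", FP_A);
    return exception_accepts(&s, "vnc-a.example", FP_A);
}

int main(void)
{
    printf("authority model lets vnc-b present vnc-a's cert: %d\n",
           authority_model_allows_impersonation());
    printf("exception model lets vnc-b present vnc-a's cert: %d\n",
           exception_model_allows_impersonation());
    printf("exception model still accepts vnc-a itself: %d\n",
           exception_model_accepts_original_host());
    return 0;
}
```

A per-host exception keyed on the exact leaf certificate also expires naturally when the server's certificate changes, which is the behaviour a user expects from "accept this certificate for this server".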
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2020-10-01 11:49:16 UTC
Working on a 1.11.0 ebuild.
Comment 10 Larry the Git Cow gentoo-dev 2020-10-01 11:55:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00ed40dff1941e226cd8bdac67fb96ba19e447a5

commit 00ed40dff1941e226cd8bdac67fb96ba19e447a5
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-10-01 11:46:34 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-10-01 11:55:13 +0000

    net-misc/tigervnc: Version 1.11.0
    
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/700464
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-misc/tigervnc/Manifest               |   1 +
 net-misc/tigervnc/tigervnc-1.11.0.ebuild | 178 +++++++++++++++++++++++++++++++
 2 files changed, 179 insertions(+)
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2020-10-01 12:18:55 UTC
Looks like 1.11.0 installs the vncserver Perl script to /usr/libexec when USE=server. For some reason.
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2020-10-01 12:27:43 UTC
Yes, right there:

unix/vncserver/CMakeLists.txt:

install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncserver DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2020-10-01 12:29:21 UTC
(In reply to Sam James from comment #4)
> @maintainer(s): ping

Did you see the referenced pull request added by the maintainer?
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2020-10-01 12:38:26 UTC
Also, $HOME/.vnc/xstartup appears to be ignored now.

Apparently it needs to be one of

    foreach $cmd ("/etc/X11/xinit/Xsession", "/etc/X11/Xsession") {
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2020-10-01 12:39:58 UTC
I guess that is what files/tigervnc-1.9.0-055_xstartup.patch does.
Comment 16 Joakim Tjernlund 2020-10-01 12:43:53 UTC
You may want to add
https://github.com/TigerVNC/tigervnc/commit/331a27addf46d39635fb4d195ae2f94058689832

Prevents a clipboard related server crash
Comment 17 Jeroen Roovers (RETIRED) gentoo-dev 2020-10-01 12:53:44 UTC
(In reply to Joakim Tjernlund from comment #16)
> You may want to add
> https://github.com/TigerVNC/tigervnc/commit/331a27addf46d39635fb4d195ae2f94058689832
> 
> Prevents a clipboard related server crash

We'll be here until Christmas I guess. Bring a sleeping bag? :-)
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-01 12:59:58 UTC
(In reply to Jeroen Roovers from comment #13)
> (In reply to Sam James from comment #4)
> > @maintainer(s): ping
> 
> Did you see the referenced pull request added by the maintainer?

The stalled pull request pending feedback for several months and needing changes?
Comment 19 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-17 04:55:27 UTC
CVE-2019-15694:

TigerVNC versions prior to 1.10.1 are vulnerable to heap buffer overflow, which could be triggered from DecodeManager::decodeRect. The vulnerability occurs due to a signedness error in processing MemOutStream. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.

CVE-2019-15695:

TigerVNC versions prior to 1.10.1 are vulnerable to stack buffer overflow, which could be triggered from CMsgReader::readSetCursor. This vulnerability occurs due to insufficient sanitization of PixelFormat. Since a remote attacker can choose the offset from the start of the buffer at which to start writing values, exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.
Comment 20 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-18 18:53:33 UTC
Now unmasked, thanks to both ceamac and Anarchy.
Comment 21 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-19 06:04:56 UTC
\o/
Comment 22 Till Schäfer 2022-03-21 10:50:00 UTC
Bug 835730 -> net-misc/tigervnc-1.12.0-r2: /etc/conf.d/tigervnc: setting $VNC_OPTS causes service to fail
Comment 23 Jan Sever 2022-03-23 20:18:55 UTC
I'd appreciate if v1.12 got stabilized soon since only tigervnc[server] blocks xorg-server from being updated in my system.
Comment 24 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-23 21:57:50 UTC
(In reply to Jan Sever from comment #23)
> I'd appreciate if v1.12 got stabilized soon since only tigervnc[server]
> blocks xorg-server from being updated in my system.

Yes, it will be in due course, but it was also unmasked a few days ago after a long time of needing a fix. Just add to package.accept_keywords for now?
Comment 25 Viorel Munteanu gentoo-dev 2022-03-24 09:29:04 UTC
Please do not start stabilization yet - I'm still trying to clean up the dependencies and I've also found a bug regarding xdg.  If all goes well I'll make a new PR tomorrow.
Comment 26 Joonas Niilola gentoo-dev 2022-03-24 12:26:36 UTC
(In reply to Viorel from comment #25)
> Please do not start stabilization yet - I'm still trying to clean up the
> dependencies and I've also found a bug regarding xdg.  If all goes well I'll
> make a new PR tomorrow.

Thanks for bringing that up!
Comment 27 Larry the Git Cow gentoo-dev 2022-05-13 20:04:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aabb6b116e78b4e93773e599018811120e5c4ca5

commit aabb6b116e78b4e93773e599018811120e5c4ca5
Author:     Viorel Munteanu <ceamac.paragon@gmail.com>
AuthorDate: 2022-05-09 16:10:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-13 20:03:45 +0000

    net-misc/tigervnc: drop 1.9.0-r2
    
    Bug: https://bugs.gentoo.org/700464
    Signed-off-by: Viorel Munteanu <ceamac.paragon@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/25403
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/tigervnc/Manifest                         |   2 -
 .../files/tigervnc-1.9.0-030_manpages.patch        |  55 ------
 .../files/tigervnc-1.9.0-055_xstartup.patch        |  33 ----
 net-misc/tigervnc/files/tigervnc.confd             |   9 -
 net-misc/tigervnc/files/tigervnc.initd             |  72 --------
 .../files/xserver120-drmfourcc-header.patch        |  36 ----
 net-misc/tigervnc/files/xserver120.patch           |  91 ----------
 net-misc/tigervnc/tigervnc-1.9.0-r2.ebuild         | 185 ---------------------
 8 files changed, 483 deletions(-)
Comment 28 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 08:17:56 UTC
Think tree is clean?
Comment 29 Viorel Munteanu gentoo-dev 2023-02-04 10:21:46 UTC
Yesterday I added 1.13.0 and there are no versions older than 1.12.0-r7.

I think this bug can be closed.

Thank you!