CVE-2023-1393 and TigerVNC

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

The fix for this bug in Debian is already present in Noble, so marking it as "Fix Released" so that the SRUs for older releases can proceed as intended.

Debdiff for Mantic.

Debdiff for Lunar.

Debdiff for Jammy.

Debdiff for Focal. (This took a while longer to prep than the others because I ended up having to spin up a whole new build environment thanks to the fact that the Focal package still uses CDBS.)

ACK on the debdiffs. At first I thought the version used for xorg-server in lunar and mantic looked odd, but that's because the package was last rebuilt before lunar's release, so it makes sense.

I have changed the pocket to -security, and have uploaded them to the following PPA for testing:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Once you have tested them, please comment in this bug and I will release them as security updates.

Thanks!

TigerVNC on Mantic functions as expected. Took me a while to figure out how to set it up, but once I got it sorted it works nicely.

TigerVNC on Lunar functions as expected.

TigerVNC on Jammy functions as expected.

TigerVNC on Focal works as expected (I wasn't able to figure out how to get a true Lubuntu session up and running in it, but an LXQt session is close enough (themed funky but whatever), and I'm pretty sure I just don't know what config option to change to get a true Lubuntu session going with this old of a version of TigerVNC).

This bug was fixed in the package tigervnc - 1.12.0+dfsg-8ubuntu0.23.04.1

---------------
tigervnc (1.12.0+dfsg-8ubuntu0.23.04.1) lunar-security; urgency=medium

  * SECURITY UPDATE: Enforce building of TigerVNC against a version of
    xorg-server-source that is not vulnerable to CVE-2023-1393.
    (LP: #2048442)

 -- Aaron Rainbolt <email address hidden> Tue, 23 Jan 2024 17:21:24 +0000

This bug was fixed in the package tigervnc - 1.12.0+dfsg-4ubuntu0.22.04.1

---------------
tigervnc (1.12.0+dfsg-4ubuntu0.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Enforce building of TigerVNC against a version of
    xorg-server-source that is not vulnerable to CVE-2023-1393.
    (LP: #2048442)

 -- Aaron Rainbolt <email address hidden> Tue, 23 Jan 2024 19:20:24 +0000

This bug was fixed in the package tigervnc - 1.12.0+dfsg-8ubuntu0.23.10.1

---------------
tigervnc (1.12.0+dfsg-8ubuntu0.23.10.1) mantic-security; urgency=medium

  * SECURITY UPDATE: Enforce building of TigerVNC against a version of
    xorg-server-source that is not vulnerable to CVE-2023-1393.
    (LP: #2048442)

 -- Aaron Rainbolt <email address hidden> Tue, 23 Jan 2024 17:21:24 +0000

This bug was fixed in the package tigervnc - 1.10.1+dfsg-3ubuntu0.20.04.1

---------------
tigervnc (1.10.1+dfsg-3ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: Enforce building of TigerVNC against a version of
    xorg-server-source that is not vulnerable to CVE-2023-1393.
    (LP: #2048442)

 -- Aaron Rainbolt <email address hidden> Tue, 23 Jan 2024 14:31:07 -0600