CVE-2023-1393 and TigerVNC
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tigervnc (Debian) | Fix Released | Unknown | |
tigervnc (Ubuntu) | Fix Released | Medium | Aaron Rainbolt |
Focal | Fix Released | Medium | Aaron Rainbolt |
Jammy | Fix Released | Medium | Aaron Rainbolt |
Lunar | Fix Released | Medium | Aaron Rainbolt |
Mantic | Fix Released | Medium | Aaron Rainbolt |
Noble | Fix Released | Medium | Aaron Rainbolt |
Bug Description
[ Impact ]
In the TigerVNC package published for Mantic and earlier releases, it is possible for TigerVNC to be built against a version of xorg-server-source containing a known security vulnerability (CVE-2023-1393). This leaves TigerVNC open to potential attacks as a result.
This SRU is essentially a no-change rebuild so that the latest xorg-server-source is picked up, but it also includes a version requirement that ensures that any version of xorg-server-source with the aforementioned CVE will *not* be used during the build.
[ Test Plan ]
1: Install TigerVNC server on one machine or VM on the local network.
2: Install TigerVNC client on another machine or VM on the local network.
3: Attempt to remote into the server machine from the client and ensure that basic VNC functionality works.
[ Where problems could occur ]
A typo or accident made during the packaging procedure could result in an FTBFS condition or cause TigerVNC to not function correctly any longer. The newer versions of software TigerVNC is going to be built against could cause similar issues. The test plan and careful review of the debdiffs should avoid this. As this is virtually identical to a no-change rebuild, I do not expect this to have a high likelihood of going wrong.
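The version requirement described under [ Impact ] takes the form of a versioned Build-Depends on xorg-server-source, and whether a given build chroot satisfies it comes down to Debian's version-ordering rules (epoch, upstream version, Debian revision, with "~" sorting before the empty string). The script below is an added example, not code from the tigervnc package or from this SRU: it implements that ordering and checks a constructed Build-Depends line against two constructed build environments, one still carrying a pre-fix xorg-server-source and one carrying a fixed version. The threshold version, the chroot package versions and the other dependencies listed are assumptions for illustration, not the values used in the real upload.

```python
"""Added example (not part of tigervnc or this SRU): check that the
xorg-server-source in a build environment satisfies a versioned
Build-Depends constraint, using the Debian version-ordering rules of
Debian Policy section 5.6.12. All version numbers below are constructed."""
import re
from itertools import zip_longest


def _char_order(c):
    # dpkg ordering for non-digit characters: '~' sorts before everything,
    # even the end of the string; letters sort before other characters.
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two fragments (upstream or revision) the way dpkg does:
    alternate non-digit runs (character-wise) and digit runs (numerically)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            oa, ob = _char_order(ca), _char_order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is <, = or > version b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


_RELATIONS = {
    "<<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
    ">=": lambda c: c >= 0, ">>": lambda c: c > 0,
}
_DEP_RE = re.compile(
    r"\s*([a-z0-9][a-z0-9+.-]*)\s*(?:\(\s*(<<|<=|=|>=|>>)\s*([^)\s]+)\s*\))?")


def parse_build_depends(field):
    """Parse a Build-Depends field into (package, relation, version) tuples.
    Alternatives ('a | b') and arch/profile qualifiers are not handled."""
    deps = []
    for item in field.split(","):
        m = _DEP_RE.match(item)
        if not m:
            raise ValueError(f"cannot parse dependency: {item!r}")
        deps.append((m.group(1), m.group(2), m.group(3)))
    return deps


def satisfies(relation, required, candidate):
    return _RELATIONS[relation](compare_versions(candidate, required))


def check_build_env(build_depends, available):
    """Report, per build-dependency, whether the version available in the
    build environment (dict package -> version) satisfies the constraint."""
    report = {}
    for pkg, rel, ver in parse_build_depends(build_depends):
        have = available.get(pkg)
        if have is None:
            report[pkg] = (False, "not available in build environment")
        elif rel is None:
            report[pkg] = (True, f"{have} (unversioned dependency)")
        else:
            ok = satisfies(rel, ver, have)
            report[pkg] = (ok, f"{have} {'satisfies' if ok else 'violates'} {rel} {ver}")
    return report


# Constructed Build-Depends line with a hypothetical "first fixed" threshold.
# The trailing '~' lets later security/backport suffixes (e.g. ~22.04.1) match too.
BUILD_DEPENDS = ("debhelper-compat (= 13), "
                 "xorg-server-source (>= 2:21.1.7-3ubuntu2.7~), libjpeg-dev")

# Constructed build environments: a pre-fix chroot and a fixed one.
VULNERABLE_ENV = {"debhelper-compat": "13",
                  "xorg-server-source": "2:21.1.7-3ubuntu2.6",
                  "libjpeg-dev": "8c-2ubuntu11"}
FIXED_ENV = {**VULNERABLE_ENV, "xorg-server-source": "2:21.1.7-3ubuntu2.7~22.04.1"}

if __name__ == "__main__":
    for name, env in (("pre-fix chroot", VULNERABLE_ENV), ("fixed chroot", FIXED_ENV)):
        for pkg, (ok, why) in check_build_env(BUILD_DEPENDS, env).items():
            print(f"{name}: {pkg}: {'OK  ' if ok else 'FAIL'} {why}")
```

The one detail worth checking in a real debdiff of this kind is the trailing "~" on the threshold: without it, a security or backport build of xorg-server-source whose version carries a suffix such as "~22.04.1" would sort below the bare threshold and the build would fail to resolve its dependencies, even though that build contains the fix.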
-----
Old bug report:
Debian have released a fix to tigervnc for CVE-2023-1393 - see
https:/
It would be good if this security fix was available in Ubuntu too.
ProblemType: Bug
DistroRelease: Ubuntu 23.10
Package: tigervnc-
ProcVersionSign
Uname: Linux 6.5.0-14-generic x86_64
ApportVersion: 2.27.0-0ubuntu5
Architecture: amd64
CasperMD5CheckR
Date: Sat Jan 6 21:41:15 2024
InstallationDate: Installed on 2018-12-01 (1862 days ago)
InstallationMedia: Lubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
SourcePackage: tigervnc
UpgradeStatus: Upgraded to mantic on 2020-11-06 (1156 days ago)
CVE References: CVE-2023-1393
Changed in tigervnc (Debian):
  status: Unknown → Fix Released
Changed in tigervnc (Ubuntu):
  assignee: nobody → Aaron Rainbolt (arraybolt3)
  importance: Undecided → Medium
Changed in tigervnc (Ubuntu Mantic):
  assignee: nobody → Aaron Rainbolt (arraybolt3)
Changed in tigervnc (Ubuntu Lunar):
  assignee: nobody → Aaron Rainbolt (arraybolt3)
Changed in tigervnc (Ubuntu Jammy):
  assignee: nobody → Aaron Rainbolt (arraybolt3)
Changed in tigervnc (Ubuntu Focal):
  assignee: nobody → Aaron Rainbolt (arraybolt3)
Changed in tigervnc (Ubuntu Mantic):
  importance: Undecided → Medium
Changed in tigervnc (Ubuntu Lunar):
  importance: Undecided → Medium
Changed in tigervnc (Ubuntu Jammy):
  importance: Undecided → Medium
Changed in tigervnc (Ubuntu Focal):
  importance: Undecided → Medium
Changed in tigervnc (Ubuntu Noble):
  status: New → Fix Released
  status: Fix Released → New
  description: updated
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures