2024-01-06 21:45:22 |
Andrew Aitchison |
bug |
|
|
added bug |
2024-01-06 21:46:39 |
Andrew Aitchison |
information type |
Private Security |
Public Security |
|
2024-01-07 10:18:29 |
Hans Joachim Desserud |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051921 |
|
2024-01-07 10:18:29 |
Hans Joachim Desserud |
bug task added |
|
tigervnc (Debian) |
|
2024-01-07 10:18:43 |
Hans Joachim Desserud |
cve linked |
|
2023-1393 |
|
2024-01-07 16:24:59 |
Bug Watch Updater |
tigervnc (Debian): status |
Unknown |
Fix Released |
|
2024-01-19 19:47:37 |
Marc Deslauriers |
tags |
amd64 apport-bug mantic |
amd64 apport-bug community-security mantic |
|
2024-01-21 18:39:11 |
Aaron Rainbolt |
tigervnc (Ubuntu): assignee |
|
Aaron Rainbolt (arraybolt3) |
|
2024-01-21 18:40:58 |
Aaron Rainbolt |
tigervnc (Ubuntu): importance |
Undecided |
Medium |
|
2024-01-23 16:59:39 |
Aaron Rainbolt |
nominated for series |
|
Ubuntu Focal |
|
2024-01-23 16:59:39 |
Aaron Rainbolt |
bug task added |
|
tigervnc (Ubuntu Focal) |
|
2024-01-23 16:59:39 |
Aaron Rainbolt |
nominated for series |
|
Ubuntu Noble |
|
2024-01-23 16:59:39 |
Aaron Rainbolt |
bug task added |
|
tigervnc (Ubuntu Noble) |
|
2024-01-23 16:59:39 |
Aaron Rainbolt |
nominated for series |
|
Ubuntu Mantic |
|
2024-01-23 16:59:39 |
Aaron Rainbolt |
bug task added |
|
tigervnc (Ubuntu Mantic) |
|
2024-01-23 16:59:39 |
Aaron Rainbolt |
nominated for series |
|
Ubuntu Jammy |
|
2024-01-23 16:59:39 |
Aaron Rainbolt |
bug task added |
|
tigervnc (Ubuntu Jammy) |
|
2024-01-23 16:59:39 |
Aaron Rainbolt |
nominated for series |
|
Ubuntu Lunar |
|
2024-01-23 16:59:39 |
Aaron Rainbolt |
bug task added |
|
tigervnc (Ubuntu Lunar) |
|
2024-01-23 16:59:50 |
Aaron Rainbolt |
tigervnc (Ubuntu Mantic): assignee |
|
Aaron Rainbolt (arraybolt3) |
|
2024-01-23 16:59:52 |
Aaron Rainbolt |
tigervnc (Ubuntu Lunar): assignee |
|
Aaron Rainbolt (arraybolt3) |
|
2024-01-23 16:59:53 |
Aaron Rainbolt |
tigervnc (Ubuntu Jammy): assignee |
|
Aaron Rainbolt (arraybolt3) |
|
2024-01-23 16:59:56 |
Aaron Rainbolt |
tigervnc (Ubuntu Focal): assignee |
|
Aaron Rainbolt (arraybolt3) |
|
2024-01-23 16:59:59 |
Aaron Rainbolt |
tigervnc (Ubuntu Mantic): importance |
Undecided |
Medium |
|
2024-01-23 17:00:01 |
Aaron Rainbolt |
tigervnc (Ubuntu Lunar): importance |
Undecided |
Medium |
|
2024-01-23 17:00:10 |
Aaron Rainbolt |
tigervnc (Ubuntu Jammy): importance |
Undecided |
Medium |
|
2024-01-23 17:00:12 |
Aaron Rainbolt |
tigervnc (Ubuntu Focal): importance |
Undecided |
Medium |
|
2024-01-23 17:00:21 |
Aaron Rainbolt |
tigervnc (Ubuntu Noble): status |
New |
Fix Released |
|
2024-01-23 17:02:14 |
Aaron Rainbolt |
tigervnc (Ubuntu Noble): status |
Fix Released |
New |
|
2024-01-23 17:06:34 |
Aaron Rainbolt |
tigervnc (Ubuntu Noble): status |
New |
Fix Released |
|
2024-01-23 17:18:01 |
Aaron Rainbolt |
description |
Debian have released a fix to tigervnc for CVE-2023-1393 - see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051921
It would be good if this security fix was available in Ubuntu too.
ProblemType: Bug
DistroRelease: Ubuntu 23.10
Package: tigervnc-standalone-server 1.12.0+dfsg-8
ProcVersionSignature: Ubuntu 6.5.0-14.14-generic 6.5.3
Uname: Linux 6.5.0-14-generic x86_64
ApportVersion: 2.27.0-0ubuntu5
Architecture: amd64
CasperMD5CheckResult: unknown
Date: Sat Jan 6 21:41:15 2024
InstallationDate: Installed on 2018-12-01 (1862 days ago)
InstallationMedia: Lubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
SourcePackage: tigervnc
UpgradeStatus: Upgraded to mantic on 2020-11-06 (1156 days ago) |
[ Impact ]
In the TigerVNC package published for Mantic and earlier releases, it is possible for TigerVNC to be built against a version of xorg-server-source containing a known security vulnerability (CVE-2023-1393). This leaves TigerVNC open to potential attacks as a result.
This SRU is essentially a no-change rebuild so that the latest xorg-server-source is picked up, but it also includes a version requirement that ensures that any version of xorg-server-source with the aforementioned CVE will *not* be used during the build.
[ Test Plan ]
1: Install TigerVNC server on one machine or VM on the local network.
2: Install TigerVNC client on another machine or VM on the local network.
3: Attempt to remote into the server machine from the client and ensure that basic VNC functionality works.
[ Where problems could occur ]
A typo or accident made during the packaging procedure could result in an FTBFS condition or cause TigerVNC to not function correctly any longer. The newer versions of software TigerVNC is going to be built against could cause similar issues. The test plan and careful review of the debdiffs should avoid this. As this is virtually identical to a no-change rebuild, I do not expect this to have a high likelihood of going wrong.
-----
Old bug report:
Debian have released a fix to tigervnc for CVE-2023-1393 - see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051921
It would be good if this security fix was available in Ubuntu too.
ProblemType: Bug
DistroRelease: Ubuntu 23.10
Package: tigervnc-standalone-server 1.12.0+dfsg-8
ProcVersionSignature: Ubuntu 6.5.0-14.14-generic 6.5.3
Uname: Linux 6.5.0-14-generic x86_64
ApportVersion: 2.27.0-0ubuntu5
Architecture: amd64
CasperMD5CheckResult: unknown
Date: Sat Jan 6 21:41:15 2024
InstallationDate: Installed on 2018-12-01 (1862 days ago)
InstallationMedia: Lubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
SourcePackage: tigervnc
UpgradeStatus: Upgraded to mantic on 2020-11-06 (1156 days ago) |
|
2024-01-23 18:36:05 |
Aaron Rainbolt |
attachment added |
|
mantic-fix.patch https://bugs.launchpad.net/ubuntu/+source/tigervnc/+bug/2048442/+attachment/5741734/+files/mantic-fix.patch |
|
2024-01-23 18:54:02 |
Aaron Rainbolt |
attachment added |
|
lunar-fix.patch https://bugs.launchpad.net/ubuntu/+source/tigervnc/+bug/2048442/+attachment/5741738/+files/lunar-fix.patch |
|
2024-01-23 19:21:40 |
Aaron Rainbolt |
attachment added |
|
jammy-fix.patch https://bugs.launchpad.net/ubuntu/+source/tigervnc/+bug/2048442/+attachment/5741739/+files/jammy-fix.patch |
|
2024-01-23 20:58:02 |
Aaron Rainbolt |
attachment added |
|
focal-fix.patch https://bugs.launchpad.net/ubuntu/+source/tigervnc/+bug/2048442/+attachment/5741757/+files/focal-fix.patch |
|
2024-01-25 12:34:21 |
Launchpad Janitor |
tigervnc (Ubuntu Lunar): status |
New |
Fix Released |
|
2024-01-25 12:34:22 |
Launchpad Janitor |
tigervnc (Ubuntu Jammy): status |
New |
Fix Released |
|
2024-01-25 12:39:17 |
Launchpad Janitor |
tigervnc (Ubuntu Mantic): status |
New |
Fix Released |
|
2024-01-25 12:39:19 |
Launchpad Janitor |
tigervnc (Ubuntu Focal): status |
New |
Fix Released |
|