tigervnc-viewer: CVE-2020-26117: VNC viewer certificate exceptions are mistakenly handled as certificate authorities

Related Vulnerabilities: CVE-2020-26117  

Debian Bug report logs - #971272


Reported by: Joachim Falk <joachim.falk@gmx.de>

Date: Mon, 28 Sep 2020 16:27:02 UTC

Severity: normal

Tags: security, upstream

Found in version tigervnc/1.7.0+dfsg-1

Fixed in version tigervnc/1.10.1+dfsg-9

Done: Joachim Falk <joachim.falk@gmx.de>



Report forwarded to debian-bugs-dist@lists.debian.org, TigerVNC Packaging Team <pkg-tigervnc-devel@lists.alioth.debian.org>:
Bug#971272; Package tigervnc-viewer. (Mon, 28 Sep 2020 16:27:04 GMT)


Acknowledgement sent to Joachim Falk <joachim.falk@gmx.de>:
New Bug report received and forwarded. Copy sent to TigerVNC Packaging Team <pkg-tigervnc-devel@lists.alioth.debian.org>. (Mon, 28 Sep 2020 16:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Joachim Falk <joachim.falk@gmx.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tigervnc-viewer: VNC viewer certificate exceptions are mistakenly handled as certificate authorities
Date: Mon, 28 Sep 2020 18:22:50 +0200
Package: tigervnc-viewer
Version: 1.7.0+dfsg-1
Severity: normal
Tags: upstream

 The VNC viewer mistakenly handles certificate exceptions as
 certificate authorities. Thus, the owner of a certificate, for
 which an exception was added, can impersonate any VNC server.

 This is issue CVE-2020-26117.

-- System Information:
Debian Release: 10.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tigervnc-viewer depends on:
ii  libc6              2.28-10
ii  libfltk-images1.3  1.3.4-9
ii  libfltk1.3         1.3.4-9
ii  libgcc1            1:8.3.0-6
ii  libgnutls30        3.6.7-4+deb10u5
ii  libjpeg62-turbo    1:1.5.2-2+b1
ii  libstdc++6         8.3.0-6
ii  libx11-6           2:1.6.7-1+deb10u1
ii  libxext6           2:1.3.3-1+b2
ii  libxrender1        1:0.9.10-1
ii  zlib1g             1:1.2.11.dfsg-1

tigervnc-viewer recommends no packages.

Versions of packages tigervnc-viewer suggests:
ii  tigervnc-common  1.10.1+dfsg-8~bpo10+1

-- no debconf information



Message sent on to Joachim Falk <joachim.falk@gmx.de>:
Bug#971272. (Mon, 28 Sep 2020 20:57:06 GMT)


Message #8 received at 971272-submitter@bugs.debian.org:

From: Joachim Falk <noreply@salsa.debian.org>
To: 971272-submitter@bugs.debian.org
Subject: Bug#971272 marked as pending in tigervnc
Date: Mon, 28 Sep 2020 20:52:44 +0000
Control: tag -1 pending

Hello,

Bug #971272 in tigervnc reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian-remote-team/tigervnc/-/commit/7e3a7ef045d7e03373f2397238c32a93ee9ad459

------------------------------------------------------------------------
Properly store certificate exceptions in native and java VNC viewer (Closes: #971272)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/971272



Added tag(s) pending. Request was from Joachim Falk <noreply@salsa.debian.org> to 971272-submitter@bugs.debian.org. (Mon, 28 Sep 2020 20:57:06 GMT)


Message sent on to Joachim Falk <joachim.falk@gmx.de>:
Bug#971272. (Mon, 28 Sep 2020 21:27:04 GMT)


Message #13 received at 971272-submitter@bugs.debian.org:

From: Joachim Falk <noreply@salsa.debian.org>
To: 971272-submitter@bugs.debian.org
Subject: Bug#971272 marked as pending in tigervnc
Date: Mon, 28 Sep 2020 21:23:53 +0000
Control: tag -1 pending

Hello,

Bug #971272 in tigervnc reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian-remote-team/tigervnc/-/commit/7e3a7ef045d7e03373f2397238c32a93ee9ad459

------------------------------------------------------------------------
Properly store certificate exceptions in native and java VNC viewer (Closes: #971272)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/971272



Message sent on to Joachim Falk <joachim.falk@gmx.de>:
Bug#971272. (Mon, 28 Sep 2020 21:30:02 GMT)


Message #16 received at 971272-submitter@bugs.debian.org:

From: Joachim Falk <noreply@salsa.debian.org>
To: 971272-submitter@bugs.debian.org
Subject: Bug#971272 marked as pending in tigervnc
Date: Mon, 28 Sep 2020 21:26:06 +0000
Control: tag -1 pending

Hello,

Bug #971272 in tigervnc reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian-remote-team/tigervnc/-/commit/7e3a7ef045d7e03373f2397238c32a93ee9ad459

------------------------------------------------------------------------
Properly store certificate exceptions in native and java VNC viewer (Closes: #971272)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/971272



Reply sent to Joachim Falk <joachim.falk@gmx.de>:
You have taken responsibility. (Mon, 28 Sep 2020 22:39:02 GMT)


Notification sent to Joachim Falk <joachim.falk@gmx.de>:
Bug acknowledged by developer. (Mon, 28 Sep 2020 22:39:02 GMT)


Message #21 received at 971272-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 971272-close@bugs.debian.org
Subject: Bug#971272: fixed in tigervnc 1.10.1+dfsg-9
Date: Mon, 28 Sep 2020 22:35:25 +0000
Source: tigervnc
Source-Version: 1.10.1+dfsg-9
Done: Joachim Falk <joachim.falk@gmx.de>

We believe that the bug you reported is fixed in the latest version of
tigervnc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 971272@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joachim Falk <joachim.falk@gmx.de> (supplier of updated tigervnc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 28 Sep 2020 22:43:11 +0200
Source: tigervnc
Architecture: source
Version: 1.10.1+dfsg-9
Distribution: unstable
Urgency: medium
Maintainer: TigerVNC Packaging Team <pkg-tigervnc-devel@lists.alioth.debian.org>
Changed-By: Joachim Falk <joachim.falk@gmx.de>
Closes: 971272
Changes:
 tigervnc (1.10.1+dfsg-9) unstable; urgency=medium
 .
   [ Joachim Falk ]
   * Properly store certificate exceptions in native and java VNC viewer. The
     VNC viewers stored the certificate exceptions as authorities, meaning that
     the owner of a certificate could impersonate any server after a client had
     added an exception. This is issue CVE-2020-26117 (Closes: #971272).

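The trust-store confusion described in the bug report above and restated in the changelog of the closing upload, as an added model that is not TigerVNC's code: a self-signed server certificate accepted once is stored either as an authority (pre-fix) or as a host-bound exception (post-fix), and the same verifier then decides two connections. The Cert class, TrustStore, the constructed hostnames and keys, and binding the exception to a hostname are this example's assumptions; signature checking is assumed to happen elsewhere.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate (constructed: no DER, no real signature)."""
    subject: str     # hostname the certificate is issued for
    pub_key: bytes   # constructed public-key bytes
    issuer_fp: str   # fingerprint of the signing certificate (own fp when self-signed)

    @property
    def fp(self) -> str:
        return hashlib.sha256(self.subject.encode() + b"|" + self.pub_key).hexdigest()

def self_signed(subject: str, pub_key: bytes) -> Cert:
    own_fp = hashlib.sha256(subject.encode() + b"|" + pub_key).hexdigest()
    return Cert(subject, pub_key, own_fp)

class TrustStore:
    def __init__(self):
        self.authorities = set()   # fingerprints whose key may sign for ANY hostname
        self.exceptions = {}       # hostname -> the one fingerprint accepted for that host

    def add_exception_buggy(self, host: str, cert: Cert) -> None:
        # Pre-fix: the accepted cert lands in the CA store, so anything its key signs is trusted.
        self.authorities.add(cert.fp)

    def add_exception_fixed(self, host: str, cert: Cert) -> None:
        # Post-fix: pin the exact certificate to the host it was accepted for (host binding is assumed).
        self.exceptions[host] = cert.fp

    def verify(self, host: str, cert: Cert) -> bool:
        # Trust decision only; chain signatures are assumed to be checked elsewhere.
        if self.exceptions.get(host) == cert.fp:
            return True                       # pinned exception for this host
        return cert.subject == host and cert.issuer_fp in self.authorities

def demo() -> dict:
    server = self_signed("vnc-a.example", b"key-a")   # cert the user adds an exception for
    # Cert for another host issued under the accepted server cert: a client must not trust it.
    other = Cert("vnc-b.example", b"key-x", server.fp)
    buggy, fixed = TrustStore(), TrustStore()
    buggy.add_exception_buggy("vnc-a.example", server)
    fixed.add_exception_fixed("vnc-a.example", server)
    return {
        "buggy_accepts_server": buggy.verify("vnc-a.example", server),
        "buggy_accepts_other": buggy.verify("vnc-b.example", other),    # the CVE
        "fixed_accepts_server": fixed.verify("vnc-a.example", server),
        "fixed_accepts_other": fixed.verify("vnc-b.example", other),
    }
```

With the exception stored as an authority, the second certificate passes for a host the user never accepted; with the pinned exception, only the exact certificate for the exact host passes.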




Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Sep 2020 14:30:03 GMT)


Changed Bug title to 'tigervnc-viewer: CVE-2020-26117: VNC viewer certificate exceptions are mistakenly handled as certificate authorities' from 'tigervnc-viewer: VNC viewer certificate exceptions are mistakenly handled as certificate authorities'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Sep 2020 14:30:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Sep 30 10:25:07 2020; Machine Name: buxtehude
