tigervnc-1.13.1-8.el9.3

Errata ID: AXSA:2024-8106:09

Release date: Monday, June 3, 2024 - 18:05
Subject: tigervnc-1.13.1-8.el9.3
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description:

Virtual Network Computing (VNC) is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients.

Security Fix(es):

* xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents (CVE-2024-31080)
* xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice (CVE-2024-31081)
* xorg-x11-server: Use-after-free in ProcRenderAddGlyphs (CVE-2024-31083)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-31080
A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Although the attacker cannot control which memory is copied into the replies, even the small length values normally held in the 32-bit length field become very large once byte-swapped, producing substantial attempted out-of-bounds reads.
CVE-2024-31081
A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Although the attacker cannot control which memory is copied into the replies, even the small length values normally held in the 32-bit length field become very large once byte-swapped, producing substantial attempted out-of-bounds reads.
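The ordering error behind CVE-2024-31080 and CVE-2024-31081 (swap the reply header for a client of different endianness, then use the already-swapped length to size the copy) can be shown in miniature. The C program below is an added example, not code from X.org, TigerVNC or this errata: the reply layout, the function names and the 8-byte payload are constructed for the illustration. Its `length` field counts trailing data in 4-byte units, as X protocol replies do. The flawed variant and the corrected variant differ only in whether the byte count is derived before or after the swap; where the real code would have read past the buffer, the example returns -1 instead of over-reading, which is the condition a fix or a regression test should catch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed reply header for this example (not the real X.org structs):
 * `length` counts the trailing data in 4-byte units. */
struct reply_hdr {
    uint8_t  type;
    uint8_t  pad;
    uint16_t sequence;
    uint32_t length;
};

static uint16_t bswap16(uint16_t v) {
    return (uint16_t)((v << 8) | (v >> 8));
}

static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/* Vulnerable ordering: the header is byte-swapped for a client whose byte
 * order differs, and the swapped `length` is then used to size the copy.
 * Returns bytes written, or -1 where the real code would have read past
 * `data` (the example stops instead of over-reading). */
long build_reply_buggy(uint8_t *out, size_t out_len,
                       const uint8_t *data, uint32_t data_units,
                       int client_swapped) {
    struct reply_hdr hdr = { .type = 1, .pad = 0, .sequence = 7,
                             .length = data_units };
    if (client_swapped) {
        hdr.sequence = bswap16(hdr.sequence);
        hdr.length   = bswap32(hdr.length);
    }
    size_t nbytes = (size_t)hdr.length * 4;   /* BUG: swapped value used */
    if (out_len < sizeof hdr || nbytes > (size_t)data_units * 4 ||
        nbytes > out_len - sizeof hdr)
        return -1;
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, data, nbytes);
    return (long)(sizeof hdr + nbytes);
}

/* Corrected ordering: derive the byte count from the host-order value
 * before any swapping touches the header. */
long build_reply_fixed(uint8_t *out, size_t out_len,
                       const uint8_t *data, uint32_t data_units,
                       int client_swapped) {
    struct reply_hdr hdr = { .type = 1, .pad = 0, .sequence = 7,
                             .length = data_units };
    size_t nbytes = (size_t)hdr.length * 4;   /* host order: correct */
    if (out_len < sizeof hdr || nbytes > (size_t)data_units * 4 ||
        nbytes > out_len - sizeof hdr)
        return -1;
    if (client_swapped) {
        hdr.sequence = bswap16(hdr.sequence);
        hdr.length   = bswap32(hdr.length);
    }
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, data, nbytes);
    return (long)(sizeof hdr + nbytes);
}

/* Runs one variant over a constructed 8-byte payload (2 units) so each
 * outcome can be checked with a single call. */
long reply_size_for(int use_fixed, int client_swapped) {
    static const uint8_t payload[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    uint8_t out[64];
    return use_fixed
        ? build_reply_fixed(out, sizeof out, payload, 2, client_swapped)
        : build_reply_buggy(out, sizeof out, payload, 2, client_swapped);
}

int main(void) {
    printf("buggy, same endianness: %ld\n", reply_size_for(0, 0));
    printf("buggy, swapped client:  %ld\n", reply_size_for(0, 1));
    printf("fixed, same endianness: %ld\n", reply_size_for(1, 0));
    printf("fixed, swapped client:  %ld\n", reply_size_for(1, 1));
    printf("length 2 after bswap32: %u units\n", bswap32(2u));
    return 0;
}
```

With a same-endian client both variants produce a 16-byte reply, so the defect never shows in ordinary testing. With a swapped client the flawed variant turns a length of 2 units into 0x02000000 (33,554,432 units) and would attempt to copy far beyond the 8 bytes that exist, which is the "small length values ... significant attempted out-of-bounds reads" the advisory text describes; the corrected variant still writes 16 bytes.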
CVE-2024-31083
A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.

Solution:

Update packages.

Additional Info:

N/A

Download:

SRPMS
  1. tigervnc-1.13.1-8.el9.3.src.rpm
    MD5: d2ef0240a3edb77e2340c9f1b781a038
    SHA-256: 0236d2642d8c8efe36c81b2fef994716f778adda703c147c1a16c86424d13eba
    Size: 1.94 MB

Asianux Server 9 for x86_64
  1. tigervnc-1.13.1-8.el9.3.x86_64.rpm
    MD5: f1a96cc999e3972a0f454c4f120e7806
    SHA-256: 61c051b030f4dd687a294d3a91fd511373407c433b35209cab1935ad1675ffa2
    Size: 301.04 kB
  2. tigervnc-icons-1.13.1-8.el9.3.noarch.rpm
    MD5: dc27580664a2cc30bfcefc9e2594bc6c
    SHA-256: 0c6193cb3a9b5e81aa2ce24c2c56fd238396f5e7c83e64c94af688c40bf78d2b
    Size: 36.62 kB
  3. tigervnc-license-1.13.1-8.el9.3.noarch.rpm
    MD5: a88b413f9e55ca6d06590c8f4d7aba32
    SHA-256: d04294421a06d348b01e157ba464d52f5834cb189afd5be0bcdc4fabd9e8094e
    Size: 16.54 kB
  4. tigervnc-selinux-1.13.1-8.el9.3.noarch.rpm
    MD5: 57a38f55ffd2a7e7f370fbab7babdfc2
    SHA-256: 9afbd688bf4b09d1b2d1b42033f35d06652db11eb05b5bf17b5634f50094acb0
    Size: 26.37 kB
  5. tigervnc-server-1.13.1-8.el9.3.x86_64.rpm
    MD5: 2f8e544826ccd9f049b131bc3a3a5efb
    SHA-256: 338c2a828a562e0ab667d778aa6a2a5ecebcf42c5422e2e39029af883ec3cb5e
    Size: 221.76 kB
  6. tigervnc-server-minimal-1.13.1-8.el9.3.x86_64.rpm
    MD5: a59fb70f2c4b3825e88ea0c1b611088e
    SHA-256: 24375819723b4b43f304b4ac9e13cf1cc86d90ee78e6dd15ed0bded19fe48839
    Size: 1.13 MB
  7. tigervnc-server-module-1.13.1-8.el9.3.x86_64.rpm
    MD5: 834932b20d2f7956700d6c1bfda00ff4
    SHA-256: fb79e66d6b596de08cd5999bdfa6e424c6228eba436ceea201e254a93934340d
    Size: 245.76 kB