Package: tigervnc-common
Version: 1.12.0+dfsg-8

First reported to Ubuntu (https://bugs.launchpad.net/bugs/2088433), kicking it "upstream" as suggested. Repeating the main points here, see the Ubuntu bug for more details.

On startup, tigervncserver (via Wrapper.pm, which is Debian-specific) copies ~/.vnc/passwd (and other credential files) into a /tmp/tigervnc.XXXXXX directory and tells Xtigervnc to use those instead. There are at least two problems with this:

1. If the /tmp/tigervnc.XXXXXX directory is removed for some reason (e.g. via age-based /tmp cleaning, which is enabled by default on Ubuntu, though not in Debian; the default setting may affect/determine the severity of this bug), an unprivileged local attacker can recreate it with their own passwd file and gain access to the VNC server. Even if there is no attacker, the VNC server becomes inaccessible to its owner (unless they know how to recreate the directory and file(s) themself).

2. If the credential files (e.g. password) in ~/.vnc/ are changed, the running VNC server will not pick this up and will continue to use the old cached credential files.

I think there should at least be a mechanism to enable/disable this caching behavior via a configuration file (and/or a command line argument). Also, if such caching is done, I think the proper location would be under $XDG_RUNTIME_DIR instead of /tmp.

-- System Information:
Debian Release: 12.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-25-amd64 (SMP w/6 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tigervnc-common depends on:
ii  libc6       2.36-9+deb12u9
ii  libgcc-s1   12.2.0-14
ii  libstdc++6  12.2.0-14
ii  libx11-6    2:1.8.4-2+deb12u2

tigervnc-common recommends no packages.

tigervnc-common suggests no packages.
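An added defender-side check (example code, not part of the report or of the tigervnc package) for the two problems described above: it verifies that a tigervnc.XXXXXX cache directory still exists, is a real directory owned by the user and not group/world accessible, and detects when the cached passwd no longer matches ~/.vnc/passwd. It also shows the $XDG_RUNTIME_DIR-over-/tmp preference the report suggests; the directory layout in demo() is constructed for illustration, and the function and file names are assumptions.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def check_cache_dir(cache_dir, expected_uid):
    """Problem 1: a missing or foreign cache dir means the server's trusted
    credential copy is gone (or could be replaced). Returns a list of findings."""
    p = Path(cache_dir)
    findings = []
    if not p.is_dir():
        return ["cache directory missing: server lost its credentials"]
    st = p.lstat()
    if stat.S_ISLNK(st.st_mode):
        findings.append("cache directory is a symlink")
    if st.st_uid != expected_uid:
        findings.append(f"cache directory owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("cache directory is group/world accessible")
    return findings


def stale_credentials(home_vnc_dir, cache_dir, names=("passwd",)):
    """Problem 2: cached credential files that differ from the ones in ~/.vnc/."""
    stale = []
    for name in names:
        src, cached = Path(home_vnc_dir) / name, Path(cache_dir) / name
        if src.is_file() and cached.is_file() and file_digest(src) != file_digest(cached):
            stale.append(name)
    return stale


def preferred_cache_parent():
    """Prefer the per-user $XDG_RUNTIME_DIR (not subject to /tmp cleaning) over /tmp."""
    runtime = os.environ.get("XDG_RUNTIME_DIR")
    return runtime if runtime and Path(runtime).is_dir() else "/tmp"


def demo():
    """Constructed layout: cache taken, then the user changes ~/.vnc/passwd."""
    root = Path(tempfile.mkdtemp())
    home_vnc = root / "home" / ".vnc"
    home_vnc.mkdir(parents=True)
    cache = Path(tempfile.mkdtemp(prefix="tigervnc.", dir=root))  # mode 0700
    (home_vnc / "passwd").write_bytes(b"constructed-old-passwd")
    (cache / "passwd").write_bytes(b"constructed-old-passwd")
    uid = home_vnc.stat().st_uid
    before = (check_cache_dir(cache, uid), stale_credentials(home_vnc, cache))
    (home_vnc / "passwd").write_bytes(b"constructed-new-passwd")  # vncpasswd was run
    missing = check_cache_dir(root / "tigervnc.gone", uid)  # dir removed by /tmp cleaning
    return {"before": before, "stale_after": stale_credentials(home_vnc, cache), "missing": missing}
```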