
Re: CVE-2019-15690/libvncserver: reference embedded copies in italc/ssvnc/tightvnc/veyon/vncsnapshot ?



Hi all,

On 18/03/2020 19:27, Moritz Muehlenhoff wrote:
> On Wed, Mar 18, 2020 at 06:14:36PM +0100, Sylvain Beucler wrote:
>> I excluded 3 out of 8 packages. I only added packages that actually
>> contain the impacted code (VNC client connection, using original RealVNC
>> codebase).
> 
> "Contains the impacted code" is not the relevant criterion here, it's
> "contains the impacted code and the respective library function can be
> triggered in a security-relevant scenario/trust boundaries are crossed".

For the record, I believe this fits the criterion.

Usually we need to prove that a program is /not/ vulnerable before we
stop working on it. Here it sounds like we need to prove that a program is
vulnerable to merely start tracking it.

Conversely it is likely that similar, past issues affecting this code
were not flagged in packages that embed it (I complemented
embedded-code-copies only last week).

I'm surprised that other members of Debian Security or Debian LTS hadn't
anything to add.

Cheers!
Sylvain
