
Bug#905712: stretch-pu: package x11vnc/0.9.13-2



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

The stretch version of x11vnc has a couple of bugs that cause frequent
crashes, which renders the package hardly usable on some architectures
(especially arm*).

There are several bug reports in BTS related to this issue, including
#851496, #859213.

In sid this is fixed in version 0.9.13-6, by applying patches from
upstream.

In Ubuntu it is patched as well.

I'm getting requests from users to get it fixed in stretch.
Thus I'm asking to upload the below debdiff to stretch.

Note that although the bugs are formally buffer overflows, there is no known
way to exploit them, and the security team decided not to issue a DSA on this.


diff -Nru x11vnc-0.9.13/debian/changelog x11vnc-0.9.13/debian/changelog
- - --- x11vnc-0.9.13/debian/changelog      2016-12-21 17:59:50.000000000 +0300
+++ x11vnc-0.9.13/debian/changelog      2018-05-07 23:13:43.000000000 +0300
@@ -1,3 +1,9 @@
+x11vnc (0.9.13-2+deb9u1) stretch; urgency=medium
+
+  * Add two buffer overflow fixes from upstream. Closes: #851496, #859213.
+
+ -- Nikita Yushchenko <yoush@debian.org>  Mon, 07 May 2018 23:13:43 +0300
+
 x11vnc (0.9.13-2) unstable; urgency=medium
 
   * Add patches:
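
Review bot: the new changelog entry says only "two buffer overflow fixes from upstream". Naming the two patch files added under debian/patches (fix-buffer-overflow-in-record_CW.patch and fix-buffer-overflow-in-snapshot_stack_list.patch), or the upstream commits they were taken from, would let a reader map the entry to the change without opening the debdiff.
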
diff -Nru x11vnc-0.9.13/debian/patches/fix-buffer-overflow-in-record_CW.patch x11vnc-0.9.13/debian/patches/fix-buffer-overflow-in-record_CW.patch
- - --- x11vnc-0.9.13/debian/patches/fix-buffer-overflow-in-record_CW.patch 1970-01-01 03:00:00.000000000 +0300
+++ x11vnc-0.9.13/debian/patches/fix-buffer-overflow-in-record_CW.patch 2018-05-07 23:13:43.000000000 +0300
@@ -0,0 +1,11 @@
+--- a/x11vnc/xrecord.c
++++ b/x11vnc/xrecord.c
+@@ -964,7 +964,7 @@
+       data = (char *)req;
+       data += sz_xConfigureWindowReq;
+ 
+-      for (i=0; i<req->length; i++) {
++      for (i = 0; i < req->length - sz_xConfigureWindowReq / 4 && i < 4; i++) {
+               unsigned int v;
+               /*
+                * We use unsigned int for the values.  There were
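
Review bot: the new loop bound "i < req->length - sz_xConfigureWindowReq / 4" has no guard for a request whose length field is smaller than the fixed header size in words. Depending on the types of req->length and i, which this hunk does not show, the subtraction then yields either a negative value or a very large unsigned one, and in the second case only "i < 4" stops the loop. An explicit check that req->length is at least sz_xConfigureWindowReq / 4 before the loop would make the intent independent of integer conversion rules. The literal 4 would read better as the element count of whatever the loop fills, taken from its declaration or a named constant. The patch file also starts directly at "--- a/x11vnc/xrecord.c" with no description, origin or bug reference header, although the request says the fix comes from upstream.
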
diff -Nru x11vnc-0.9.13/debian/patches/fix-buffer-overflow-in-snapshot_stack_list.patch x11vnc-0.9.13/debian/patches/fix-buffer-overflow-in-snapshot_stack_list.patch
- - --- x11vnc-0.9.13/debian/patches/fix-buffer-overflow-in-snapshot_stack_list.patch       1970-01-01 03:00:00.000000000 +0300
+++ x11vnc-0.9.13/debian/patches/fix-buffer-overflow-in-snapshot_stack_list.patch       2018-05-07 23:13:43.000000000 +0300
@@ -0,0 +1,13 @@
+--- a/x11vnc/win_utils.c
++++ b/x11vnc/win_utils.c
+@@ -262,8 +262,8 @@
+       }
+ 
+       last_snap = now;
+-      if (num > stack_list_len + blackouts) {
+-              int n = 2*num;
++      if (num + stack_list_len > blackouts) {
++              int n = 2 * (num + blackouts);
+               free(stack_list);
+               stack_list = (winattr_t *) malloc(n*sizeof(winattr_t));
+               stack_list_len = n;
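
Review bot: the new condition "num + stack_list_len > blackouts" looks like it has stack_list_len and blackouts swapped. The new size is 2 * (num + blackouts), so the list evidently has to hold num + blackouts entries, and the test for "current list too small" would then be "num + blackouts > stack_list_len". As written, once stack_list_len has been set to n the condition is true on practically every later call, so the list is freed and reallocated each time, and in the one case where it is false (blackouts at least num + stack_list_len) the list is smaller than num + blackouts and is not grown. Please check this line against the upstream commit. Separately, stack_list_len is set to n right after malloc() in the visible lines with no check of the returned pointer.
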
diff -Nru x11vnc-0.9.13/debian/patches/series x11vnc-0.9.13/debian/patches/series
- - --- x11vnc-0.9.13/debian/patches/series 2016-12-21 17:59:50.000000000 +0300
+++ x11vnc-0.9.13/debian/patches/series 2018-05-07 23:13:43.000000000 +0300
@@ -3,3 +3,5 @@
 10_usepkgconfig.diff
 do-not-run-dbus-launch.patch
 enforce-bash.patch
+fix-buffer-overflow-in-snapshot_stack_list.patch
+fix-buffer-overflow-in-record_CW.patch


-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (650, 'stable-updates'), (650, 'stable'), (620, 'testing'), (600, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-7-amd64 (SMP w/8 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
