Your message dated Sat, 09 May 2020 11:53:52 +0100 with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk> and subject line Closing requests included in 10.4 point release has caused the Debian Bug report #955395, regarding buster-pu: package libvncserver/0.9.11+dfsg-1.3+deb10u3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 955395: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955395 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package libvncserver/0.9.11+dfsg-1.3+deb10u3
- From: Mike Gabriel <sunweaver@debian.org>
- Date: Tue, 31 Mar 2020 08:34:07 +0200
- Message-id: <158563644734.8539.6791795675384277520.reportbug@minobo.das-netzwerkteam.de>
Package: release.debian.org Severity: normal Tags: buster User: release.debian.org@packages.debian.org Usertags: pu Please accept the recent upload of libvncserver to buster containing the following low impact security fix: + [ Antoni Villalonga ] + * debian/patches: + + Add CVE-2019-15690 patch. libvncclient/cursor: limit + width/height input values. Avoids a possible heap overflow reported + by Pavel Cheremushkin. (Closes: #954163). Thanks, Mike -- System Information: Debian Release: 10.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enableddiff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog --- libvncserver-0.9.11+dfsg/debian/changelog 2020-01-08 08:22:51.000000000 +0100 +++ libvncserver-0.9.11+dfsg/debian/changelog 2020-03-31 07:05:57.000000000 +0200 @@ -1,3 +1,13 @@ +libvncserver (0.9.11+dfsg-1.3+deb10u3) buster; urgency=medium + + [ Antoni Villalonga ] + * debian/patches: + + Add CVE-2019-15690 patch. libvncclient/cursor: limit + width/height input values. Avoids a possible heap overflow reported + by Pavel Cheremushkin. (Closes: #954163). + + -- Mike Gabriel <sunweaver@debian.org> Tue, 31 Mar 2020 07:05:57 +0200 + libvncserver (0.9.11+dfsg-1.3+deb10u2) buster; urgency=medium * Regression update. diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch 2020-03-31 07:04:43.000000000 +0200 @@ -0,0 +1,34 @@ +Commit: 54220248886b5001fbbb9fa73c4e1a2cb9413fed +Author: Christian Beier <dontmind@freeshell.org> +Date: Sun Nov 17 17:18:35 2019 +0100 + + libvncclient/cursor: limit width/height input values + + Avoids a possible heap overflow reported by Pavel Cheremushkin + <Pavel.Cheremushkin@kaspersky.com>. + + re #275 + +diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c +index 67f4572..40ffb3b 100644 +--- a/libvncclient/cursor.c ++++ b/libvncclient/cursor.c +@@ -28,6 +28,8 @@ + #define OPER_SAVE 0 + #define OPER_RESTORE 1 + ++#define MAX_CURSOR_SIZE 1024 ++ + #define RGB24_TO_PIXEL(bpp,r,g,b) \ + ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \ + << client->format.redShift | \ +@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h + if (width * height == 0) + return TRUE; + ++ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) ++ return FALSE; ++ + /* Allocate memory for pixel data and temporary mask data. */ + if(client->rcSource) + free(client->rcSource); diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series --- libvncserver-0.9.11+dfsg/debian/patches/series 2020-01-08 08:22:34.000000000 +0100 +++ libvncserver-0.9.11+dfsg/debian/patches/series 2020-03-31 07:05:57.000000000 +0200 @@ -29,3 +29,4 @@ use-after-free/5.patch use-after-free/6.patch 0002-set-true-color-flag-to-1.patch +CVE-2019-15690/0001-heap-buffer-overflow.patch
--- End Message ---
--- Begin Message ---
- To: 932251-done@bugs.debian.org, 933839-done@bugs.debian.org, 939120-done@bugs.debian.org, 942520-done@bugs.debian.org, 943889-done@bugs.debian.org, 947102-done@bugs.debian.org, 947142-done@bugs.debian.org, 947172-done@bugs.debian.org, 947442-done@bugs.debian.org, 948333-done@bugs.debian.org, 948381-done@bugs.debian.org, 948786-done@bugs.debian.org, 948855-done@bugs.debian.org, 949113-done@bugs.debian.org, 949702-done@bugs.debian.org, 949890-done@bugs.debian.org, 949891-done@bugs.debian.org, 949897-done@bugs.debian.org, 949921-done@bugs.debian.org, 950104-done@bugs.debian.org, 950105-done@bugs.debian.org, 950478-done@bugs.debian.org, 950546-done@bugs.debian.org, 950547-done@bugs.debian.org, 950655-done@bugs.debian.org, 950765-done@bugs.debian.org, 950773-done@bugs.debian.org, 950795-done@bugs.debian.org, 950854-done@bugs.debian.org, 950918-done@bugs.debian.org, 951146-done@bugs.debian.org, 951399-done@bugs.debian.org, 951563-done@bugs.debian.org, 951761-done@bugs.debian.org, 951769-done@bugs.debian.org, 951871-done@bugs.debian.org, 952414-done@bugs.debian.org, 952441-done@bugs.debian.org, 952586-done@bugs.debian.org, 952785-done@bugs.debian.org, 953005-done@bugs.debian.org, 953124-done@bugs.debian.org, 953246-done@bugs.debian.org, 953647-done@bugs.debian.org, 953737-done@bugs.debian.org, 953797-done@bugs.debian.org, 954001-done@bugs.debian.org, 954073-done@bugs.debian.org, 954269-done@bugs.debian.org, 954398-done@bugs.debian.org, 954404-done@bugs.debian.org, 954714-done@bugs.debian.org, 954757-done@bugs.debian.org, 954835-done@bugs.debian.org, 954838-done@bugs.debian.org, 954862-done@bugs.debian.org, 954985-done@bugs.debian.org, 955395-done@bugs.debian.org, 955410-done@bugs.debian.org, 955508-done@bugs.debian.org, 955509-done@bugs.debian.org, 955510-done@bugs.debian.org, 955547-done@bugs.debian.org, 955860-done@bugs.debian.org, 956155-done@bugs.debian.org, 956216-done@bugs.debian.org, 956315-done@bugs.debian.org, 956533-done@bugs.debian.org, 956535-done@bugs.debian.org, 956536-done@bugs.debian.org, 956801-done@bugs.debian.org, 956861-done@bugs.debian.org, 956890-done@bugs.debian.org, 956913-done@bugs.debian.org, 956932-done@bugs.debian.org, 958053-done@bugs.debian.org, 958141-done@bugs.debian.org, 958173-done@bugs.debian.org, 958395-done@bugs.debian.org, 958399-done@bugs.debian.org, 958489-done@bugs.debian.org, 958490-done@bugs.debian.org, 958568-done@bugs.debian.org, 958714-done@bugs.debian.org, 958716-done@bugs.debian.org, 958814-done@bugs.debian.org, 958887-done@bugs.debian.org, 958916-done@bugs.debian.org, 958931-done@bugs.debian.org, 958969-done@bugs.debian.org, 958994-done@bugs.debian.org, 959081-done@bugs.debian.org, 959101-done@bugs.debian.org, 959224-done@bugs.debian.org, 959431-done@bugs.debian.org, 959489-done@bugs.debian.org, 948191-done@bugs.debian.org
- Subject: Closing requests included in 10.4 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 May 2020 11:53:52 +0100
- Message-id: <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
Package: release.debian.org Version: 10.4 Hi, Each of the uploads referred to by these bugs was included in today's stable point release. Regards, Adam
--- End Message ---