[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#987564: marked as done (NMU: CVE-2020-25708 - Fix possible divide-by-zero.)

Your message dated Thu, 29 Apr 2021 19:33:51 +0100
with message-id <f0a5098112e6f543168cb12a22c88dc623cdf2c9.camel@kathenas.org>
and subject line Re: Bug#987564: NMU: CVE-2020-25708 - Fix possible divide-by-zero.
has caused the Debian Bug report #987564,
regarding NMU: CVE-2020-25708 - Fix possible divide-by-zero.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987564: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987564
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Sorry, no bug associated here, was confused how to subject the mail. Guidance for the future would
be appreciated.

I would like to do an NMU for CVE-2020-25708[1].

This seems to have been waiting a while and is fixed already in bullseye/sid and stretch. Because
of this I feel it can just go into the next point release if approved.

This update has been done during and part of this weekends bsp-2021-04-at-salzburg.

Note: I am not a DM or DD and this will require a sponsor to upload if approved.

[1] https://security-tracker.debian.org/tracker/CVE-2020-25708

Regards

Phil

-- 
*** Playing the game for the games own sake. ***

WWW: https://kathenas.org

Twitter: @kathenasorg

Instagram: @kathenasorg

IRC: kathenas

GPG: 724AA9B52F024C8B

diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog	2020-08-28 22:40:37.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/changelog	2021-04-25 17:01:53.000000000 +0100
@@ -1,3 +1,10 @@
+libvncserver (0.9.11+dfsg-1.3+deb10u5) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2020-25708: libvncserver: fix possible divide-by-zero.
+
+ -- Phil Wyett <philip.wyett@kathenas.org>  Sun, 25 Apr 2021 17:01:53 +0100
+
 libvncserver (0.9.11+dfsg-1.3+deb10u4) buster; urgency=medium
 
   * CVE-2019-20839: libvncclient: bail out if unix socket name would overflow.
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2020-25708.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2020-25708.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2020-25708.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2020-25708.patch	2021-04-25 17:01:53.000000000 +0100
@@ -0,0 +1,14 @@
+Index: libvncserver-0.9.11+dfsg/libvncserver/rfbserver.c
+===================================================================
+--- libvncserver-0.9.11+dfsg.orig/libvncserver/rfbserver.c
++++ libvncserver-0.9.11+dfsg/libvncserver/rfbserver.c
+@@ -3294,6 +3294,9 @@ rfbSendRectEncodingRaw(rfbClientPtr cl,
+     char *fbptr = (cl->scaledScreen->frameBuffer + (cl->scaledScreen->paddedWidthInBytes * y)
+                    + (x * (cl->scaledScreen->bitsPerPixel / 8)));
+
++    if(!h || !w)
++    	return TRUE; /* nothing to send */
++
+     /* Flush the buffer to guarantee correct alignment for translateFn(). */
+     if (cl->ublen > 0) {
+         if (!rfbSendUpdateBuf(cl))
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series	2020-08-28 22:40:19.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/series	2021-04-25 17:01:53.000000000 +0100
@@ -37,3 +37,4 @@
 CVE-2020-14401.patch
 CVE-2020-14402+14403+14404.patch
 CVE-2020-14405.patch
+CVE-2020-25708.patch

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
--- Begin Message --- 
> Control: tags -1 - moreinfo

On Sun, 2021-04-25 at 19:32 +0100, Philip Wyett wrote:
> Control: tags -1 + moreinfo
> 
> On Sun, 2021-04-25 at 18:34 +0100, Philip Wyett wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> > 
> > Hi,
> > 
> > Sorry, no bug associated here, was confused how to subject the mail. Guidance for the future
> > would
> > be appreciated.
> > 
> > I would like to do an NMU for CVE-2020-25708[1].
> > 
> > This seems to have been waiting a while and is fixed already in bullseye/sid and stretch.
> > Because
> > of this I feel it can just go into the next point release if approved.
> > 
> > This update has been done during and part of this weekends bsp-2021-04-at-salzburg.
> > 
> > Note: I am not a DM or DD and this will require a sponsor to upload if approved.
> > 
> > [1] https://security-tracker.debian.org/tracker/CVE-2020-25708
> > 
> > Regards
> > 
> > Phil
> > 
> 
> Hi,
> 
> I have been asked to contact maintainer regarding this and a number of other bugs. Marking
> 'moreinfo' until I have spoken with the maintainer.
> 
> Regards
> 
> Phil
> 

Hi,

Package maintainer has submitted/uploaded this fix, so closing this bug.

Regards

Phil

-- 
*** Playing the game for the games own sake. ***

WWW: https://kathenas.org

Twitter: @kathenasorg

Instagram: @kathenasorg

IRC: kathenas

GPG: 724AA9B52F024C8B

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
Reply to: