
Bug#1024480: bullseye-pu: package libvncserver/0.9.13+dfsg-2+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Provide CVE fix contributed by the Debian LTS team; resolve annoying
screensize limit for people using large resolutions via VNC.

[ Impact ]
CVE issue stays unfixed; people with large screens cannot export
them via VNC.

[ Tests ]
Manual test (locally). CVE-2020-29260 has also been tested for LTS.

[ Risks ]
Code changes are rather trivial and non-invasive.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

+  [ Mike Gabriel ]
+  * debian/patches:
+    + Trivially rebase patches 0001 and 0002.

-> So that patches cleanly apply, cherry-picked from unstable.

+    + Add 0003-rfb-increase-update-buf-size.patch. Allow larger screen sizes.
+      (Closes: #1010449).

Allows for larger screensizes (1x 8k, 2x 4k, etc.).

+  [ Thorsten Alteholz ]
+    + CVE-2020-29260: Add CVE-2020-29260.patch. Resolve memory leak in function
+      rfbClientCleanup(). (Closes: #1019228).

-> CVE-2020-29260 (no-dsa)

[ Other info ]
None.
diff -Nru libvncserver-0.9.13+dfsg/debian/changelog libvncserver-0.9.13+dfsg/debian/changelog
--- libvncserver-0.9.13+dfsg/debian/changelog	2021-02-28 15:37:06.000000000 +0100
+++ libvncserver-0.9.13+dfsg/debian/changelog	2022-11-20 13:18:12.000000000 +0100
@@ -1,3 +1,17 @@
+libvncserver (0.9.13+dfsg-2+deb11u1) bullseye; urgency=medium
+
+  [ Mike Gabriel ]
+  * debian/patches:
+    + Trivially rebase patches 0001 and 0002.
+    + Add 0003-rfb-increase-update-buf-size.patch. Allow larger screen sizes.
+      (Closes: #1010449).
+
+  [ Thorsten Alteholz ]
+    + CVE-2020-29260: Add CVE-2020-29260.patch. Resolve memory leak in function
+      rfbClientCleanup(). (Closes: #1019228).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Sun, 20 Nov 2022 13:18:12 +0100
+
 libvncserver (0.9.13+dfsg-2) unstable; urgency=medium
 
   [ Marco Trevisan (Treviño) ]
diff -Nru libvncserver-0.9.13+dfsg/debian/patches/0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch libvncserver-0.9.13+dfsg/debian/patches/0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch
--- libvncserver-0.9.13+dfsg/debian/patches/0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch	2021-02-28 15:35:53.000000000 +0100
+++ libvncserver-0.9.13+dfsg/debian/patches/0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch	2022-11-20 13:17:58.000000000 +0100
@@ -15,11 +15,9 @@
  libvncserver/main.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
 
-diff --git a/libvncserver/main.c b/libvncserver/main.c
-index 6477ee8..06efe6e 100644
 --- a/libvncserver/main.c
 +++ b/libvncserver/main.c
-@@ -1021,7 +1021,8 @@ void rfbScreenCleanup(rfbScreenInfoPtr screen)
+@@ -1110,7 +1110,8 @@
    FREE_IF(underCursorBuffer);
    TINI_MUTEX(screen->cursorMutex);
  
@@ -29,6 +27,3 @@
  
  #ifdef LIBVNCSERVER_HAVE_LIBZ
    rfbZlibCleanup(screen);
--- 
-2.25.1
-
diff -Nru libvncserver-0.9.13+dfsg/debian/patches/0002-zlib-Clear-buffer-pointers-on-cleanup.patch libvncserver-0.9.13+dfsg/debian/patches/0002-zlib-Clear-buffer-pointers-on-cleanup.patch
--- libvncserver-0.9.13+dfsg/debian/patches/0002-zlib-Clear-buffer-pointers-on-cleanup.patch	2021-02-28 15:35:53.000000000 +0100
+++ libvncserver-0.9.13+dfsg/debian/patches/0002-zlib-Clear-buffer-pointers-on-cleanup.patch	2022-11-20 13:17:58.000000000 +0100
@@ -26,11 +26,9 @@
  libvncserver/zlib.c | 2 ++
  1 file changed, 2 insertions(+)
 
-diff --git a/libvncserver/zlib.c b/libvncserver/zlib.c
-index ac20c9c..6b7731e 100644
 --- a/libvncserver/zlib.c
 +++ b/libvncserver/zlib.c
-@@ -63,11 +63,13 @@ void rfbZlibCleanup(rfbScreenInfoPtr screen)
+@@ -64,11 +64,13 @@
  {
    if (zlibBeforeBufSize) {
      free(zlibBeforeBuf);
@@ -44,6 +42,3 @@
    }
  }
  
--- 
-2.25.1
-
diff -Nru libvncserver-0.9.13+dfsg/debian/patches/0003-rfb-increase-update-buf-size.patch libvncserver-0.9.13+dfsg/debian/patches/0003-rfb-increase-update-buf-size.patch
--- libvncserver-0.9.13+dfsg/debian/patches/0003-rfb-increase-update-buf-size.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.13+dfsg/debian/patches/0003-rfb-increase-update-buf-size.patch	2022-11-20 13:17:58.000000000 +0100
@@ -0,0 +1,28 @@
+From fdf67fb31ed583549ae2f8827593ec4eb3dfed5c Mon Sep 17 00:00:00 2001
+From: Christian Beier <info@christianbeier.net>
+Date: Mon, 9 May 2022 15:56:11 +0200
+Subject: [PATCH] rfb/rfb.h: increase UPDATE_BUF_SIZE by 2768 bytes
+
+Simply raise the default to 32768 which is not an awful lot of an
+increase and should not hurt the embedded guys.
+
+If someone needs more, we can still go down the malloc() route and
+make the buffer size configurable, but leave this to the users to
+request and KISS for now.
+
+Closes #521
+---
+ rfb/rfb.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/rfb/rfb.h
++++ b/rfb/rfb.h
+@@ -555,7 +555,7 @@
+      * means 8K minimum.
+      */
+ 
+-#define UPDATE_BUF_SIZE 30000
++#define UPDATE_BUF_SIZE 32768
+ 
+     char updateBuf[UPDATE_BUF_SIZE];
+     int ublen;
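Review bot: Raising `UPDATE_BUF_SIZE` grows `char updateBuf[UPDATE_BUF_SIZE];`, which, judging by the indentation and the `int ublen;` that follows, appears to be a member of a structure declared in the public header rfb/rfb.h, so every member after it would move by 2768 bytes. For a stable update that is an ABI concern: a program built against the old header that reads later members directly would use stale offsets and touch the wrong memory. The structure definition starts and ends outside the hunk, so this needs confirming against the full header. If it holds, the request should say whether reverse dependencies are rebuilt, and the define could carry a comment such as `/* part of a public struct layout: changing this value changes the ABI */`.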
diff -Nru libvncserver-0.9.13+dfsg/debian/patches/CVE-2020-29260.patch libvncserver-0.9.13+dfsg/debian/patches/CVE-2020-29260.patch
--- libvncserver-0.9.13+dfsg/debian/patches/CVE-2020-29260.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.13+dfsg/debian/patches/CVE-2020-29260.patch	2022-11-20 13:17:58.000000000 +0100
@@ -0,0 +1,22 @@
+commit bef41f6ec4097a8ee094f90a1b34a708fbd757ec
+Author: Christian Beier <info@christianbeier.net>
+Date:   Sat Nov 21 12:52:31 2020 +0100
+
+    libvncclient: free vncRec memory in rfbClientCleanup()
+   
+    Otherwise we leak memory. Spotted by Ramin Farajpour Cami
+    <ramin.blackhat@gmail.com>, thanks!
+
+diff --git a/libvncclient/vncviewer.c b/libvncclient/vncviewer.c
+index d6b91f02..0a1bdcf6 100644
+--- a/libvncclient/vncviewer.c
++++ b/libvncclient/vncviewer.c
+@@ -534,6 +534,8 @@ void rfbClientCleanup(rfbClient* client) {
+     client->clientData = next;
+   }
+
++  free(client->vncRec);
++
+   if (client->sock != RFB_INVALID_SOCKET)
+     rfbCloseSocket(client->sock);
+   if (client->listenSock != RFB_INVALID_SOCKET)
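Review bot: The added `free(client->vncRec);` leaves the pointer dangling for the remainder of rfbClientCleanup(), which continues past the end of this hunk. Following it with `client->vncRec = NULL;` would turn any later access into a clean NULL dereference rather than a use of freed memory, in case the client structure outlives this point. Whether vncRec itself owns resources that must be released before the free is not visible here and is worth checking against the code that allocates it.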
diff -Nru libvncserver-0.9.13+dfsg/debian/patches/series libvncserver-0.9.13+dfsg/debian/patches/series
--- libvncserver-0.9.13+dfsg/debian/patches/series	2021-02-28 15:36:01.000000000 +0100
+++ libvncserver-0.9.13+dfsg/debian/patches/series	2022-11-20 13:17:58.000000000 +0100
@@ -1,2 +1,5 @@
 0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch
 0002-zlib-Clear-buffer-pointers-on-cleanup.patch
+0003-rfb-increase-update-buf-size.patch
+
+CVE-2020-29260.patch
