Bug#1024480: bullseye-pu: package libvncserver/0.9.13+dfsg-2+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Provide CVE fix contributed by the Debian LTS team; resolve annoying
screensize limit for people using large resolutions via VNC.
[ Impact ]
CVE issue stays unfixed; people with large screens cannot export
them via VNC.
[ Tests ]
Manual test (locally). CVE-2020-29260 has also been tested for LTS.
[ Risks ]
Code changes are rather trivial and non-invasive.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
+ [ Mike Gabriel ]
+ * debian/patches:
+ + Trivially rebase patches 0001 and 0002.
-> So that the patches apply cleanly; cherry-picked from unstable.
+ + Add 0003-rfb-increase-update-buf-size.patch. Allow larger screen sizes.
+ (Closes: #1010449).
Allows for larger screensizes (1x 8k, 2x 4k, etc.).
+ [ Thorsten Alteholz ]
+ + CVE-2020-29260: Add CVE-2020-29260.patch. Resolve memory leak in function
+ rfbClientCleanup(). (Closes: #1019228).
-> CVE-2020-29260 (no-dsa)
[ Other info ]
None.
diff -Nru libvncserver-0.9.13+dfsg/debian/changelog libvncserver-0.9.13+dfsg/debian/changelog
--- libvncserver-0.9.13+dfsg/debian/changelog 2021-02-28 15:37:06.000000000 +0100
+++ libvncserver-0.9.13+dfsg/debian/changelog 2022-11-20 13:18:12.000000000 +0100
@@ -1,3 +1,17 @@
+libvncserver (0.9.13+dfsg-2+deb11u1) bullseye; urgency=medium
+
+ [ Mike Gabriel ]
+ * debian/patches:
+ + Trivially rebase patches 0001 and 0002.
+ + Add 0003-rfb-increase-update-buf-size.patch. Allow larger screen sizes.
+ (Closes: #1010449).
+
+ [ Thorsten Alteholz ]
+ + CVE-2020-29260: Add CVE-2020-29260.patch. Resolve memory leak in function
+ rfbClientCleanup(). (Closes: #1019228).
+
+ -- Mike Gabriel <sunweaver@debian.org> Sun, 20 Nov 2022 13:18:12 +0100
+
libvncserver (0.9.13+dfsg-2) unstable; urgency=medium
[ Marco Trevisan (Treviño) ]
diff -Nru libvncserver-0.9.13+dfsg/debian/patches/0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch libvncserver-0.9.13+dfsg/debian/patches/0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch
--- libvncserver-0.9.13+dfsg/debian/patches/0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch 2021-02-28 15:35:53.000000000 +0100
+++ libvncserver-0.9.13+dfsg/debian/patches/0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch 2022-11-20 13:17:58.000000000 +0100
@@ -15,11 +15,9 @@
libvncserver/main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/libvncserver/main.c b/libvncserver/main.c
-index 6477ee8..06efe6e 100644
--- a/libvncserver/main.c
+++ b/libvncserver/main.c
-@@ -1021,7 +1021,8 @@ void rfbScreenCleanup(rfbScreenInfoPtr screen)
+@@ -1110,7 +1110,8 @@
FREE_IF(underCursorBuffer);
TINI_MUTEX(screen->cursorMutex);
@@ -29,6 +27,3 @@
#ifdef LIBVNCSERVER_HAVE_LIBZ
rfbZlibCleanup(screen);
---
-2.25.1
-
diff -Nru libvncserver-0.9.13+dfsg/debian/patches/0002-zlib-Clear-buffer-pointers-on-cleanup.patch libvncserver-0.9.13+dfsg/debian/patches/0002-zlib-Clear-buffer-pointers-on-cleanup.patch
--- libvncserver-0.9.13+dfsg/debian/patches/0002-zlib-Clear-buffer-pointers-on-cleanup.patch 2021-02-28 15:35:53.000000000 +0100
+++ libvncserver-0.9.13+dfsg/debian/patches/0002-zlib-Clear-buffer-pointers-on-cleanup.patch 2022-11-20 13:17:58.000000000 +0100
@@ -26,11 +26,9 @@
libvncserver/zlib.c | 2 ++
1 file changed, 2 insertions(+)
-diff --git a/libvncserver/zlib.c b/libvncserver/zlib.c
-index ac20c9c..6b7731e 100644
--- a/libvncserver/zlib.c
+++ b/libvncserver/zlib.c
-@@ -63,11 +63,13 @@ void rfbZlibCleanup(rfbScreenInfoPtr screen)
+@@ -64,11 +64,13 @@
{
if (zlibBeforeBufSize) {
free(zlibBeforeBuf);
@@ -44,6 +42,3 @@
}
}
---
-2.25.1
-
diff -Nru libvncserver-0.9.13+dfsg/debian/patches/0003-rfb-increase-update-buf-size.patch libvncserver-0.9.13+dfsg/debian/patches/0003-rfb-increase-update-buf-size.patch
--- libvncserver-0.9.13+dfsg/debian/patches/0003-rfb-increase-update-buf-size.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.13+dfsg/debian/patches/0003-rfb-increase-update-buf-size.patch 2022-11-20 13:17:58.000000000 +0100
@@ -0,0 +1,28 @@
+From fdf67fb31ed583549ae2f8827593ec4eb3dfed5c Mon Sep 17 00:00:00 2001
+From: Christian Beier <info@christianbeier.net>
+Date: Mon, 9 May 2022 15:56:11 +0200
+Subject: [PATCH] rfb/rfb.h: increase UPDATE_BUF_SIZE by 2768 bytes
+
+Simply raise the default to 32768 which is not an awful lot of an
+increase and should not hurt the embedded guys.
+
+If someone needs more, we can still go down the malloc() route and
+make the buffer size configurable, but leave this to the users to
+request and KISS for now.
+
+Closes #521
+---
+ rfb/rfb.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/rfb/rfb.h
++++ b/rfb/rfb.h
+@@ -555,7 +555,7 @@
+ * means 8K minimum.
+ */
+
+-#define UPDATE_BUF_SIZE 30000
++#define UPDATE_BUF_SIZE 32768
+
+ char updateBuf[UPDATE_BUF_SIZE];
+ int ublen;
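Review bot: Raising `UPDATE_BUF_SIZE` also grows the `updateBuf` array declared two lines below it in the public header `rfb/rfb.h`, so every member after it (starting with `ublen`) moves to a new offset. The enclosing struct begins outside this hunk, but if it is the per-client record that applications dereference, binaries built against the 30000-byte header would read those later members at stale offsets once the library is swapped in a stable update. It is worth confirming that no reverse dependency touches members after `updateBuf`, or scheduling rebuilds, and recording the result in the patch header, e.g. `ABI note: grows updateBuf in rfb/rfb.h; members after it shift by 2768 bytes`.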
diff -Nru libvncserver-0.9.13+dfsg/debian/patches/CVE-2020-29260.patch libvncserver-0.9.13+dfsg/debian/patches/CVE-2020-29260.patch
--- libvncserver-0.9.13+dfsg/debian/patches/CVE-2020-29260.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.13+dfsg/debian/patches/CVE-2020-29260.patch 2022-11-20 13:17:58.000000000 +0100
@@ -0,0 +1,22 @@
+commit bef41f6ec4097a8ee094f90a1b34a708fbd757ec
+Author: Christian Beier <info@christianbeier.net>
+Date: Sat Nov 21 12:52:31 2020 +0100
+
+ libvncclient: free vncRec memory in rfbClientCleanup()
+
+ Otherwise we leak memory. Spotted by Ramin Farajpour Cami
+ <ramin.blackhat@gmail.com>, thanks!
+
+diff --git a/libvncclient/vncviewer.c b/libvncclient/vncviewer.c
+index d6b91f02..0a1bdcf6 100644
+--- a/libvncclient/vncviewer.c
++++ b/libvncclient/vncviewer.c
+@@ -534,6 +534,8 @@ void rfbClientCleanup(rfbClient* client) {
+ client->clientData = next;
+ }
+
++ free(client->vncRec);
++
+ if (client->sock != RFB_INVALID_SOCKET)
+ rfbCloseSocket(client->sock);
+ if (client->listenSock != RFB_INVALID_SOCKET)
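Review bot: After the added `free(client->vncRec);` the member still holds the freed address. The rest of rfbClientCleanup() lies outside the hunk, so it is not visible whether anything later in the function can still reach it. Clearing it immediately with `client->vncRec = NULL;` keeps any later access from becoming a use-after-free or double free, and matches what patch 0002 in this same upload ("Clear buffer pointers on cleanup") appears to do for the zlib buffers. The unguarded call itself is fine, since `free(NULL)` is a no-op.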
diff -Nru libvncserver-0.9.13+dfsg/debian/patches/series libvncserver-0.9.13+dfsg/debian/patches/series
--- libvncserver-0.9.13+dfsg/debian/patches/series 2021-02-28 15:36:01.000000000 +0100
+++ libvncserver-0.9.13+dfsg/debian/patches/series 2022-11-20 13:17:58.000000000 +0100
@@ -1,2 +1,5 @@
0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch
0002-zlib-Clear-buffer-pointers-on-cleanup.patch
+0003-rfb-increase-update-buf-size.patch
+
+CVE-2020-29260.patch