Bug#948401: stretch-pu: package libvncserver/0.9.11+dfsg-1.3~+deb9u3
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
A regression in the recent libvncserver stretch-pu (~deb9u2) has been reported.
+ * Regression update.
+
+ * debian/patches: Add use-after-free/{4,5,6}.patch. All cherry-picked from
+ upstream. Resolves crashing of x11vnc when vncviewer connects. (Closes:
+ #905786).
The just uploaded libvncserver package version (~deb9u3) pulls in three
more patches from upstream that resolve this regression issue.
thanks+greets,
Mike
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog 2019-12-16 11:08:42.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/changelog 2020-01-08 08:22:51.000000000 +0100
@@ -1,3 +1,13 @@
+libvncserver (0.9.11+dfsg-1.3~deb9u3) stretch; urgency=medium
+
+ * Regression update.
+
+ * debian/patches: Add use-after-free/{4,5,6}.patch. All cherry-picked from
+ upstream. Resolves crashing of x11vnc when vncviewer connects. (Closes:
+ #905786).
+
+ -- Mike Gabriel <sunweaver@debian.org> Wed, 08 Jan 2020 08:22:51 +0100
+
libvncserver (0.9.11+dfsg-1.3~deb9u2) stretch; urgency=medium
* CVE-2019-15681:
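Review bot: the version in the new stanza is 0.9.11+dfsg-1.3~deb9u3, while the bug title reads 0.9.11+dfsg-1.3~+deb9u3; the extra `+` in the title looks like a typo, so please confirm that the changelog version is the one actually uploaded. The entry itself only says "Regression update" without naming what regressed: since the next stanza (the ~deb9u2 CVE-2019-15681 update, visible as context here) is the one being repaired, consider writing that out, e.g. "Fix regression introduced by the CVE-2019-15681 update in ~deb9u2 (x11vnc crashes when a vncviewer connects)", so a reader of the changelog can tie the two stanzas together without consulting #905786.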
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series 2019-12-16 11:08:18.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/series 2020-01-08 08:22:51.000000000 +0100
@@ -25,4 +25,7 @@
use-after-free/1.patch
use-after-free/2.patch
use-after-free/3.patch
+use-after-free/4.patch
+use-after-free/5.patch
+use-after-free/6.patch
0002-set-true-color-flag-to-1.patch
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch 2020-01-08 08:22:51.000000000 +0100
@@ -0,0 +1,24 @@
+From 7e63df224aa45a8b541cd63a870594454aba7526 Mon Sep 17 00:00:00 2001
+From: Andrzej Szombierski <qq@kuku.eu.org>
+Date: Tue, 28 May 2019 10:56:47 +0200
+Subject: [PATCH] rfbserver: don't close fd 0 accidentally
+
+pipe_notify_client_thread needs to be initialized to -1
+---
+ libvncserver/rfbserver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -462,6 +462,11 @@
+
+ cl->lastPtrX = -1;
+
++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++ cl->pipe_notify_client_thread[0] = -1;
++ cl->pipe_notify_client_thread[1] = -1;
++#endif
++
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ /*
+ * Wait a few ms for the client to send one of:
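Review bot: setting both ends of pipe_notify_client_thread to -1 when the client record is created is the right fix for the problem the subject names (an unset array in a zero-filled record reads as fd 0, so a later close() would close stdin), but the hunk does not show the matching close() site. Please confirm that the teardown path checks for -1 before calling close() on these descriptors (close(-1) merely fails with EBADF, but it is noise under strace and a sign the pipe was never created), and that this initializer sits on every path that allocates an rfbClientRec rather than only the one around rfbserver.c:462; the nested hunk header carries no function name, so the enclosing function is not visible here.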
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch 2020-01-08 08:22:51.000000000 +0100
@@ -0,0 +1,26 @@
+From d0a76539835d11c0f4723499f8be4bc9c7724eb9 Mon Sep 17 00:00:00 2001
+From: Rajesh Sahoo <rajesh.sahoo@lge.com>
+Date: Tue, 11 Jun 2019 15:13:04 +0530
+Subject: [PATCH] avoid pthread_join if backgroundLoop is FALSE
+
+client_thread is created depending upon backgroundLoop, but joining
+without checking for same condition. so we are trying to join a garbage
+thread_id.
+---
+ libvncserver/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/libvncserver/main.c
++++ b/libvncserver/main.c
+@@ -1095,9 +1095,11 @@
+ }
+
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++ if(currentCl->screen->backgroundLoop) {
+ // Notify the thread and join it
+ write(currentCl->pipe_notify_client_thread[1], "\x00", 1);
+ pthread_join(currentCl->client_thread, NULL);
++ }
+ #else
+ rfbClientConnectionGone(currentCl);
+ #endif
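Review bot: with the new `if(currentCl->screen->backgroundLoop)` guard, the LIBVNCSERVER_HAVE_LIBPTHREAD branch performs no cleanup at all when backgroundLoop is FALSE, whereas the `#else` branch still calls rfbClientConnectionGone(currentCl). Please confirm that in a pthread build with backgroundLoop FALSE the client record is finalised somewhere else; otherwise this exchanges a pthread_join on a garbage thread id for a client that is never torn down. Two minor points in the same hunk: the return value of write() on the notify pipe stays unchecked, and the inserted braces are not indented to the surrounding code.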
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch 2020-01-08 08:22:51.000000000 +0100
@@ -0,0 +1,30 @@
+From d3a4292aa9ade2a335e0915523506b73e94251d7 Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sun, 6 Jan 2019 19:34:04 +0100
+Subject: [PATCH] Move pipe_notify_client_thread to end of rfbClientRec
+
+in order to retain ABI compatibility.
+---
+ rfb/rfb.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/rfb/rfb.h
++++ b/rfb/rfb.h
+@@ -466,7 +466,6 @@
+ int protocolMinorVersion;
+
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
+- int pipe_notify_client_thread[2];
+ pthread_t client_thread;
+ #endif
+
+@@ -696,6 +695,9 @@
+ wsCtx *wsctx;
+ char *wspath; /* Requests path component */
+ #endif
++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++ int pipe_notify_client_thread[2];
++#endif
+ } rfbClientRec, *rfbClientPtr;
+
+ /**
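Review bot: moving pipe_notify_client_thread from between protocolMinorVersion and client_thread to the tail of rfbClientRec keeps the offsets of every earlier member unchanged for consumers built against a header that predates the field, which is what the commit subject's "retain ABI compatibility" means in practice. The new position follows an `#ifdef LIBVNCSERVER_WITH_WEBSOCKETS` block, so the member's own offset varies with that build option; that is harmless only because nothing comes after it, so any future member must go behind it, not before. Two things to confirm before accepting: that no stretch package was rebuilt against the ~deb9u2 header layout (such a package would need another rebuild after this change), and, if the layout change is what made x11vnc crash on connect, that the changelog says so, since the two pthread fixes in 4.patch and 5.patch do not explain an ABI-related crash on their own.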