
Bug#975875: marked as done (x11vnc: CVE-2020-29074)



Your message dated Sat, 28 Nov 2020 19:32:07 +0000
with message-id <E1kj5x1-000DcV-Ul@fasolo.debian.org>
and subject line Bug#975875: fixed in x11vnc 0.9.13-6+deb10u1
has caused the Debian Bug report #975875,
regarding x11vnc: CVE-2020-29074
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
975875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975875
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: x11vnc
Version: 0.9.13-6
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 0.9.16-4

Hi,

The following vulnerability was published for x11vnc.

CVE-2020-29074[0]:
| scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which
| allows access by actors other than the current user.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-29074
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29074
[1] https://github.com/LibVNC/x11vnc/commit/69eeb9f7baa14ca03b16c9de821f9876def7a36a

Given the relatively minor change I have already picked up the commit
for a buster-security update as well.

Regards,
Salvatore

--- End Message ---
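
The permission problem described in the CVE text above, as an added example that is not part of the original messages and is not x11vnc's code: it creates a private System V segment with IPC_CREAT|0777, reads back the mode the kernel recorded, and shows the owner-only alternative both at creation and via IPC_SET. The helper names and the 0600 owner-only mode are assumptions of this example.

```c
#define _XOPEN_SOURCE 700 /* expose the SysV IPC API under strict -std modes */
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>

#define SHM_OWNER_ONLY 0600 /* assumed owner-only mode for this example */

/* Permission bits the kernel recorded for segment id, or -1 on error. */
int shm_mode(int id)
{
    struct shmid_ds ds;
    if (shmctl(id, IPC_STAT, &ds) != 0)
        return -1;
    return ds.shm_perm.mode & 0777; /* drop kernel status flag bits */
}

/* Nonzero when group or other users could attach with this mode. */
int shm_open_to_others(int mode) { return mode >= 0 && (mode & 0077) != 0; }

/* Tighten an existing segment to owner-only; returns the new mode or -1. */
int shm_restrict_to_owner(int id)
{
    struct shmid_ds ds;
    if (shmctl(id, IPC_STAT, &ds) != 0)
        return -1;
    ds.shm_perm.mode = (ds.shm_perm.mode & ~0777) | SHM_OWNER_ONLY;
    if (shmctl(id, IPC_SET, &ds) != 0)
        return -1;
    return shm_mode(id);
}

/* Create a constructed test segment, report its mode, then remove it. */
int demo_segment(int perms, int tighten)
{
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | perms);
    if (id < 0)
        return -1;
    int mode = tighten ? shm_restrict_to_owner(id) : shm_mode(id);
    shmctl(id, IPC_RMID, NULL); /* always clean up the segment */
    return mode;
}

int main(void)
{
    printf("0777 as created  : %04o\n", (unsigned)demo_segment(0777, 0));
    printf("0777 then IPC_SET: %04o\n", (unsigned)demo_segment(0777, 1));
    printf("0600 as created  : %04o\n", (unsigned)demo_segment(SHM_OWNER_ONLY, 0));
    return 0;
}
```

The process umask does not apply to shmget, so the mode passed in the flags is the mode the segment gets.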
--- Begin Message ---
Source: x11vnc
Source-Version: 0.9.13-6+deb10u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
x11vnc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 975875@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated x11vnc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 26 Nov 2020 06:09:34 +0100
Source: x11vnc
Architecture: source
Version: 0.9.13-6+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Nikita Yushchenko <yoush@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 975875
Changes:
 x11vnc (0.9.13-6+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * scan: limit access to shared memory segments to current user
     (CVE-2020-29074) (Closes: #975875)
Checksums-Sha1: 
 16d3c4dfa4aaf811bc7c885eee7a71a846d28533 2170 x11vnc_0.9.13-6+deb10u1.dsc
 f011d81488ac94dc8dce2d88739c23bd85a976fa 2853769 x11vnc_0.9.13.orig.tar.gz
 ce965df4ed9efa21d37c3e0e4967dfa0d18cec0a 13476 x11vnc_0.9.13-6+deb10u1.debian.tar.xz
Checksums-Sha256: 
 bff91ddc76f2ce22c8ca70c27ac2fd1906dc3c8acac7d8a4ead4f00d5cfa7ef8 2170 x11vnc_0.9.13-6+deb10u1.dsc
 f6829f2e629667a5284de62b080b13126a0736499fe47cdb447aedb07a59f13b 2853769 x11vnc_0.9.13.orig.tar.gz
 9e62ccbc50636a36f77bffbf108c3d3f75e2cc50a14d64fa7a2a6d4d2b90f8ee 13476 x11vnc_0.9.13-6+deb10u1.debian.tar.xz
Files: 
 49c1a0810287c83ba2bfe7d30e63da49 2170 x11 optional x11vnc_0.9.13-6+deb10u1.dsc
 a372ec4fe8211221547b1c108cf56e4c 2853769 x11 optional x11vnc_0.9.13.orig.tar.gz
 5985e1622df030255586b4f6e01dc6a0 13476 x11 optional x11vnc_0.9.13-6+deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
