
Bug#975875: marked as done (x11vnc: CVE-2020-29074)



Your message dated Sat, 28 Nov 2020 21:21:35 +0000
with message-id <E1kj7ex-000AiU-Ic@fasolo.debian.org>
and subject line Bug#975875: fixed in x11vnc 0.9.16-5
has caused the Debian Bug report #975875,
regarding x11vnc: CVE-2020-29074
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
975875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975875
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: x11vnc
Version: 0.9.13-6
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 0.9.16-4

Hi,

The following vulnerability was published for x11vnc.

CVE-2020-29074[0]:
| scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which
| allows access by actors other than the current user.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-29074
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29074
[1] https://github.com/LibVNC/x11vnc/commit/69eeb9f7baa14ca03b16c9de821f9876def7a36a

Given the relatively minor change I have already picked up the commit
for a buster-security update as well.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: x11vnc
Source-Version: 0.9.16-5
Done: Antoni Villalonga <antoni@friki.cat>

We believe that the bug you reported is fixed in the latest version of
x11vnc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 975875@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoni Villalonga <antoni@friki.cat> (supplier of updated x11vnc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 28 Nov 2020 09:01:54 +0100
Source: x11vnc
Architecture: source
Version: 0.9.16-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Remote Maintainers <debian-remote@lists.debian.org>
Changed-By: Antoni Villalonga <antoni@friki.cat>
Closes: 975875
Changes:
 x11vnc (0.9.16-5) unstable; urgency=medium
 .
   [ Salvatore Bonaccorso ]
   * scan: limit access to shared memory segments to current user
     (CVE-2020-29074) (Closes: #975875)
 .
   [ Antoni Villalonga ]
   * Update to debhelper-compat 13
   * dPatches: Add Forwarder DEP-3 tag
   * dPatches: Add patch 0006-fix-manpage-acute-accents.patch
   * dControl: Bump Standards-Version to 4.5.1
Checksums-Sha1:
 8b6fc8fd785b856933eff97ca07a33530b4faf9c 2086 x11vnc_0.9.16-5.dsc
 fa01a0637962b770db91142c803e141a7f11dde2 22116 x11vnc_0.9.16-5.debian.tar.xz
 445311d7d5dc791e9d99981cddd9d3ea98df9631 8973 x11vnc_0.9.16-5_source.buildinfo
Checksums-Sha256:
 09f81b8398a4fa491474553b1de17c9cff05cb3f80e0e70989de07fb13141147 2086 x11vnc_0.9.16-5.dsc
 37f004689a088c89fb029be0d974457da720fa926eef354029ad00089a6c500a 22116 x11vnc_0.9.16-5.debian.tar.xz
 267193b02c64fec69926b59942519ec70d48f53cd5e331c146385fd746830a7e 8973 x11vnc_0.9.16-5_source.buildinfo
Files:
 34cd1ee106034f4b32a6ac009dcbc537 2086 x11 optional x11vnc_0.9.16-5.dsc
 c34f9a8fa7c7208ce38def26cf7e1d43 22116 x11 optional x11vnc_0.9.16-5.debian.tar.xz
 99714965be5a41c9f6b7cf84e5d95cef 8973 x11 optional x11vnc_0.9.16-5_source.buildinfo


--- End Message ---
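
The permission issue described in the CVE text above, and the effect of limiting the segment to the current user, shown as an added example (not code from x11vnc or from either message). The helper names and the owner-only mode 0600 are assumptions chosen for illustration; the program creates private System V segments, reads back the mode the kernel stored, and removes them again.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Nonzero when the permission bits grant anything to group or other. */
int shm_mode_exposes_others(int mode)
{
    return (mode & 077) != 0;
}

/* Permission bits the kernel recorded for segment id, or -1 on error. */
int shm_segment_mode(int id)
{
    struct shmid_ds ds;
    if (shmctl(id, IPC_STAT, &ds) == -1)
        return -1;
    return ds.shm_perm.mode & 0777;   /* drop status flags such as SHM_DEST */
}

/* Create a private segment with the given mode, report the mode the
 * kernel stored, and remove the segment again. Returns -1 on error. */
int shm_mode_after_create(size_t size, int mode)
{
    int id = shmget(IPC_PRIVATE, size, IPC_CREAT | mode);
    if (id == -1)
        return -1;
    int stored = shm_segment_mode(id);
    shmctl(id, IPC_RMID, NULL);
    return stored;
}

int main(void)
{
    /* 0777 is the mode named in the CVE text; 0600 is an assumed
     * owner-only replacement. The process umask does not apply here. */
    int modes[] = { 0777, 0600 };
    for (int i = 0; i < 2; i++) {
        int stored = shm_mode_after_create(4096, modes[i]);
        if (stored == -1) { perror("shmget/shmctl"); return 1; }
        printf("requested %04o -> stored %04o: %s\n",
               (unsigned)modes[i], (unsigned)stored,
               shm_mode_exposes_others(stored) ? "other users can attach"
                                               : "owner only");
    }
    return 0;
}
```

shm_segment_mode() can also be pointed at the ids listed by `ipcs -m` to check segments that already exist on a host.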
