Your message dated Sun, 22 Dec 2019 22:35:07 +0000
with message-id <[email protected]>
and subject line Bug#945364: fixed in tightvnc 1:1.3.9-9.1
has caused the Debian Bug report #945364,
regarding Patches available for CVE-2019-8287, CVE-2019-15678, CVE-2019-15679,
CVE-2019-15680
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
945364: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945364
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tightvnc
Version: 1:1.3.9-9
Just letting you know I've ported fixes for the above CVEs from (the actively
maintained) libvnc for NixOS: https://github.com/NixOS/nixpkgs/pull/73970/files
robert.
--- End Message ---
--- Begin Message ---
Source: tightvnc
Source-Version: 1:1.3.9-9.1
We believe that the bug you reported is fixed in the latest version of
tightvnc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <[email protected]> (supplier of updated tightvnc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 21 Dec 2019 10:35:50 +0100
Source: tightvnc
Architecture: source
Version: 1:1.3.9-9.1
Distribution: unstable
Urgency: medium
Maintainer: Ola Lundqvist <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Closes: 945364
Changes:
 tightvnc (1:1.3.9-9.1) unstable; urgency=medium
 .
   * Security upload. (Closes: #945364).
   * CVE-2014-6053: Check malloc() return value on client->server ClientCutText
     message.
   * CVE-2019-8287 (aka CVE-2018-20020): Fix heap out-of-bound write
     vulnerability inside structure in VNC client code.
   * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
   * CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
   * CVE-2018-7225: Uninitialized and potentially sensitive data could be
     accessed by remote attackers because the msg.cct.length in rfbserver.c was
     not sanitized.
   * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB.
   * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore
     server-sent reason strings longer than 1MB (see
     CVE-2018-20748/libvncserver).
   * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name
     length received before allocating memory for it and limit it to 1MB.
   * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c.
   * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---