Your message dated Sun, 29 Dec 2019 11:47:19 +0000
with message-id <[email protected]>
and subject line Bug#945364: fixed in tightvnc 1:1.3.9-9+deb10u1
has caused the Debian Bug report #945364,
regarding Patches available for CVE-2019-8287, CVE-2019-15678, CVE-2019-15679,
CVE-2019-15680
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
945364: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945364
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tightvnc
Version: 1:1.3.9-9
Just letting you know I've ported fixes for the above CVEs from (the actively
maintained) libvnc for NixOS: https://github.com/NixOS/nixpkgs/pull/73970/files
robert.
--- End Message ---
--- Begin Message ---
Source: tightvnc
Source-Version: 1:1.3.9-9+deb10u1
We believe that the bug you reported is fixed in the latest version of
tightvnc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <[email protected]> (supplier of updated tightvnc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 21 Dec 2019 10:35:50 +0100
Source: tightvnc
Architecture: source
Version: 1:1.3.9-9+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Ola Lundqvist <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Closes: 945364
Changes:
 tightvnc (1:1.3.9-9+deb10u1) buster; urgency=medium
 .
   * Security upload. (Closes: #945364).
   * CVE-2014-6053: Check malloc() return value on client->server ClientCutText
     message.
   * CVE-2018-20020: Fix heap out-of-bound write vulnerability inside structure
     in VNC client code.
   * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
   * CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
   * CVE-2018-7225: Uninitialized and potentially sensitive data could be
     accessed by remote attackers because the msg.cct.length in rfbserver.c was
     not sanitized.
   * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB.
   * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore
     server-sent reason strings longer than 1MB (see CVE-2018-20748/
     libvncserver).
   * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name
     length received before allocating memory for it and limit it to 1MB.
   * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c.
   * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
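
The length handling that the changelog entries for CVE-2019-15678 and CVE-2014-6053 describe (cap server-sent cut text at 1MB, check the malloc() return value), shown as an added example; it is not the tightvnc or libvncserver patch. The function name, status codes and sample bytes are constructed here, and the layout assumed is the RFB ServerCutText message (type 3, three padding bytes, 32-bit big-endian length, text).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CUT_TEXT (1u << 20) /* 1MB cap named in the changelog entry */

/* Hypothetical status codes for this example. */
enum cut_status { CUT_OK, CUT_MALFORMED, CUT_TOO_LONG, CUT_TRUNCATED, CUT_NOMEM };

/* Parse one ServerCutText message held in buf[0..len).
 * On CUT_OK, *out is a NUL-terminated heap copy that the caller must free(). */
enum cut_status parse_server_cut_text(const uint8_t *buf, size_t len, char **out)
{
    *out = NULL;
    if (len < 8 || buf[0] != 3)          /* header incomplete or wrong type */
        return CUT_MALFORMED;

    /* The length field is attacker-controlled: decode it, then bound it. */
    uint32_t n = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                 ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];

    if (n > MAX_CUT_TEXT)                /* refuse before allocating anything */
        return CUT_TOO_LONG;
    if ((size_t)n > len - 8)             /* claimed length exceeds bytes received */
        return CUT_TRUNCATED;

    char *text = malloc((size_t)n + 1);  /* +1 cannot wrap: n <= 1MB */
    if (text == NULL)                    /* never write through a failed malloc */
        return CUT_NOMEM;

    memcpy(text, buf + 8, n);
    text[n] = '\0';                      /* no uninitialised tail bytes */
    *out = text;
    return CUT_OK;
}

int main(void)
{
    /* Constructed sample: a well-formed 5-byte cut text. */
    const uint8_t msg[] = {3, 0, 0, 0, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    char *text;
    enum cut_status st = parse_server_cut_text(msg, sizeof msg, &text);
    printf("status=%d text=%s\n", (int)st, text ? text : "(none)");
    free(text);
    return 0;
}
```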