Your message dated Sun, 29 Dec 2019 14:44:47 +0000
with message-id <[email protected]>
and subject line Bug#945364: fixed in tightvnc 1:1.3.9-9+deb9u1
has caused the Debian Bug report #945364,
regarding Patches available for CVE-2019-8287, CVE-2019-15678, CVE-2019-15679, 
CVE-2019-15680
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
945364: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945364
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tightvnc
Version: 1:1.3.9-9

Just letting you know I've ported fixes for the above CVEs from (the actively
maintained) libvnc for NixOS:
https://github.com/NixOS/nixpkgs/pull/73970/files


robert.

--- End Message ---
--- Begin Message ---
Source: tightvnc
Source-Version: 1:1.3.9-9+deb9u1

We believe that the bug you reported is fixed in the latest version of
tightvnc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <[email protected]> (supplier of updated tightvnc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 21 Dec 2019 10:35:50 +0100
Source: tightvnc
Architecture: source
Version: 1:1.3.9-9+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Ola Lundqvist <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Closes: 945364
Changes:
 tightvnc (1:1.3.9-9+deb9u1) stretch; urgency=medium
 .
   * Security upload. (Closes: #945364).
   * CVE-2014-6053: Check malloc() return value on client->server ClientCutText
     message.
   * CVE-2019-8287 (aka CVE-2018-20020): Fix heap out-of-bound write
     vulnerability inside structure in VNC client code.
   * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
   * CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
   * CVE-2018-7225: Uninitialized and potentially sensitive data could be
     accessed by remote attackers because the msg.cct.length in rfbserver.c was
     not sanitized.
   * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB.
   * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore
     server-sent reason strings longer than 1MB (see CVE-2018-20748/
     libvncserver).
   * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name
     length received before allocating memory for it and limit it to 1MB.
   * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c.
   * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
