Your message dated Thu, 29 Apr 2021 19:33:51 +0100
with message-id <[email protected]>
and subject line Re: Bug#987564: NMU: CVE-2020-25708 - Fix possible
divide-by-zero.
has caused the Debian Bug report #987564,
regarding NMU: CVE-2020-25708 - Fix possible divide-by-zero.
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
987564: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987564
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Hi,
Sorry, no bug associated here, was confused how to subject the mail. Guidance
for the future would be appreciated.
I would like to do an NMU for CVE-2020-25708[1].
This seems to have been waiting a while and is fixed already in bullseye/sid
and stretch. Because of this I feel it can just go into the next point release
if approved.
This update has been done during and part of this weekend's
bsp-2021-04-at-salzburg.
Note: I am not a DM or DD and this will require a sponsor to upload if approved.
[1] https://security-tracker.debian.org/tracker/CVE-2020-25708
Regards
Phil
--
*** Playing the game for the games own sake. ***
WWW: https://kathenas.org
Twitter: @kathenasorg
Instagram: @kathenasorg
IRC: kathenas
GPG: 724AA9B52F024C8B
diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog 2020-08-28 22:40:37.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/changelog 2021-04-25 17:01:53.000000000 +0100
@@ -1,3 +1,10 @@
+libvncserver (0.9.11+dfsg-1.3+deb10u5) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2020-25708: libvncserver: fix possible divide-by-zero.
+
+ -- Phil Wyett <[email protected]> Sun, 25 Apr 2021 17:01:53 +0100
+
libvncserver (0.9.11+dfsg-1.3+deb10u4) buster; urgency=medium
* CVE-2019-20839: libvncclient: bail out if unix socket name would overflow.
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2020-25708.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2020-25708.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2020-25708.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2020-25708.patch 2021-04-25 17:01:53.000000000 +0100
@@ -0,0 +1,14 @@
+Index: libvncserver-0.9.11+dfsg/libvncserver/rfbserver.c
+===================================================================
+--- libvncserver-0.9.11+dfsg.orig/libvncserver/rfbserver.c
++++ libvncserver-0.9.11+dfsg/libvncserver/rfbserver.c
+@@ -3294,6 +3294,9 @@ rfbSendRectEncodingRaw(rfbClientPtr cl,
+ char *fbptr = (cl->scaledScreen->frameBuffer + (cl->scaledScreen->paddedWidthInBytes * y)
+ + (x * (cl->scaledScreen->bitsPerPixel / 8)));
+
++ if(!h || !w)
++ return TRUE; /* nothing to send */
++
+ /* Flush the buffer to guarantee correct alignment for translateFn(). */
+ if (cl->ublen > 0) {
+ if (!rfbSendUpdateBuf(cl))
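Review bot: The new debian/patches/CVE-2020-25708.patch starts directly at its "Index:" line with no patch header, so nothing in the file records where the fix comes from. Add DEP-3 fields (Description, Origin or Author, Last-Update) above the diff, pointing at the upstream change this was taken from. On the guard itself, "if(!h || !w)" rejects only zero and sits after fbptr has already been computed; the division it protects is not in the context shown, so a short comment naming the divisor would let the next reviewer confirm that zero is the only value that needs rejecting.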
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series 2020-08-28 22:40:19.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/series 2021-04-25 17:01:53.000000000 +0100
@@ -37,3 +37,4 @@
CVE-2020-14401.patch
CVE-2020-14402+14403+14404.patch
CVE-2020-14405.patch
+CVE-2020-25708.patch
signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
> Control: tags -1 - moreinfo
On Sun, 2021-04-25 at 19:32 +0100, Philip Wyett wrote:
> Control: tags -1 + moreinfo
>
> On Sun, 2021-04-25 at 18:34 +0100, Philip Wyett wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: [email protected]
> > Usertags: pu
> >
> > Hi,
> >
> > Sorry, no bug associated here, was confused how to subject the mail.
> > Guidance for the future would be appreciated.
> >
> > I would like to do an NMU for CVE-2020-25708[1].
> >
> > This seems to have been waiting a while and is fixed already in
> > bullseye/sid and stretch. Because of this I feel it can just go into the
> > next point release if approved.
> >
> > This update has been done during and part of this weekend's
> > bsp-2021-04-at-salzburg.
> >
> > Note: I am not a DM or DD and this will require a sponsor to upload if
> > approved.
> >
> > [1] https://security-tracker.debian.org/tracker/CVE-2020-25708
> >
> > Regards
> >
> > Phil
> >
>
> Hi,
>
> I have been asked to contact maintainer regarding this and a number of other
> bugs. Marking 'moreinfo' until I have spoken with the maintainer.
>
> Regards
>
> Phil
>
Hi,
Package maintainer has submitted/uploaded this fix, so closing this bug.
Regards
Phil
--
*** Playing the game for the games own sake. ***
WWW: https://kathenas.org
Twitter: @kathenasorg
Instagram: @kathenasorg
IRC: kathenas
GPG: 724AA9B52F024C8B
--- End Message ---