Debian Bug report logs -
#920941
libvncserver: CVE-2018-20748 CVE-2018-20749 CVE-2018-20750
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 30 Jan 2019 18:21:01 UTC
Severity: grave
Tags: patch, security, upstream
Found in version libvncserver/0.9.11+dfsg-1.2
Fixed in version libvncserver/0.9.11+dfsg-1.3
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, jmm@debian.org, Peter Spiess-Knafl <dev@spiessknafl.at>:
Bug#920941; Package src:libvncserver.
(Wed, 30 Jan 2019 18:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, jmm@debian.org, Peter Spiess-Knafl <dev@spiessknafl.at>.
(Wed, 30 Jan 2019 18:21:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libvncserver
Version: 0.9.11+dfsg-1.2
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerabilities were published for libvncserver, stretch
is not affected by those CVEs as no inocomplete fix was ever applied
there yet in a released version. When issuing the DSA we should make
sure to include the complete fixes for CVE-2018-20019 and
CVE-2018-15127. Details in [3].
CVE-2018-20748[0]:
Incomplete fix for CVE-2018-20019
CVE-2018-20749[1]:
Incomplete fix for CVE-2018-15127
CVE-2018-20750[2]:
Incomplete fix for CVE-2018-15127
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-20748
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20748
[1] https://security-tracker.debian.org/tracker/CVE-2018-20749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20749
[2] https://security-tracker.debian.org/tracker/CVE-2018-20750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20750
[3] https://github.com/LibVNC/libvncserver/issues/273#issuecomment-459040241
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Peter Spiess-Knafl <dev@spiessknafl.at>:
Bug#920941; Package src:libvncserver.
(Wed, 30 Jan 2019 22:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Spiess-Knafl <dev@spiessknafl.at>.
(Wed, 30 Jan 2019 22:03:03 GMT) (full text, mbox, link).
Message #10 received at 920941@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 920941 + patch
Hi Peter,
I've prepared an NMU for libvncserver (versioned as 0.9.11+dfsg-1.3). The diff
is attached to this message. I did upload this time without delay
given the fixes were needed from the previous fixes (incomplete fixes
for CVEs).
I have pushed as well the changes to the packaging repository on
salsa.
it is a bit short on time, but it might maybe possible to still upload
new upstream version in time for buster?
Regards,
Salvatore
[libvncserver-0.9.11+dfsg-1.3-nmu.diff (text/x-diff, attachment)]
Added tag(s) patch.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 920941-submit@bugs.debian.org.
(Wed, 30 Jan 2019 22:03:03 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Wed, 30 Jan 2019 22:06:05 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 30 Jan 2019 22:06:05 GMT) (full text, mbox, link).
Message #17 received at 920941-close@bugs.debian.org (full text, mbox, reply):
Source: libvncserver
Source-Version: 0.9.11+dfsg-1.3
We believe that the bug you reported is fixed in the latest version of
libvncserver, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 920941@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libvncserver package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 30 Jan 2019 22:39:15 +0100
Source: libvncserver
Binary: libvncclient1 libvncclient1-dbg libvncserver-config libvncserver-dev libvncserver1 libvncserver1-dbg
Architecture: source
Version: 0.9.11+dfsg-1.3
Distribution: unstable
Urgency: medium
Maintainer: Peter Spiess-Knafl <dev@spiessknafl.at>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 920941
Description:
libvncclient1 - API to write one's own VNC server - client library
libvncclient1-dbg - debugging symbols for libvncclient
libvncserver-config - API to write one's own VNC server - library utility
libvncserver-dev - API to write one's own VNC server - development files
libvncserver1 - API to write one's own VNC server
libvncserver1-dbg - debugging symbols for libvncserver
Changes:
libvncserver (0.9.11+dfsg-1.3) unstable; urgency=medium
.
* Non-maintainer upload.
* LibVNCClient: ignore server-sent cut text longer than 1MB (CVE-2018-20748)
(Closes: #920941)
* LibVNCClient: ignore server-sent reason strings longer than 1MB
(CVE-2018-20748) (Closes: #920941)
* LibVNCClient: fail on server-sent desktop name lengths longer than 1MB
(CVE-2018-20748) (Closes: #920941)
* LibVNCClient: remove now-useless cast (CVE-2018-20748) (Closes: #920941)
* Error out in rfbProcessFileTransferReadBuffer if length can not be
allocated (CVE-2018-20749) (Closes: #920941)
* Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer()
(CVE-2018-20750) (Closes: #920941)
Checksums-Sha1:
1283eac81fef47ad3c3459d2ca21aa66eacbbe92 2561 libvncserver_0.9.11+dfsg-1.3.dsc
00a01dbd9737965ad9d3e045a241c5712ab15ece 21212 libvncserver_0.9.11+dfsg-1.3.debian.tar.xz
Checksums-Sha256:
f3f01f4d3e5dbc6eae9b067c5972de27b027f4457c5fb62b9bf9bd4c078479fb 2561 libvncserver_0.9.11+dfsg-1.3.dsc
fcbb00848a548f15e151b293639cd1576591d894b7101682c659f36cf78e8bf7 21212 libvncserver_0.9.11+dfsg-1.3.debian.tar.xz
Files:
8f6fae2c32e0b79d54fb4ccd40b7bea0 2561 libs optional libvncserver_0.9.11+dfsg-1.3.dsc
b6cc75c50051e2efd0d4620cd9f2d5a9 21212 libs optional libvncserver_0.9.11+dfsg-1.3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlxSG8FfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EJ1MP/2ztoxqoW9o20EylfmjiyCuzVwj3f32U
YY8RxDaipXvqXgGWB4O9LmJffFAE3ENYG1yVXUpGPvZ/UpUniAe9pE5HC0pBdD1q
JDZguJl4F/u+JMA8/kjzGmcnrldtVslpdYAu0zTcwJSjo3xzFeBDW1rF0Sq3ast7
v8XUWiiUiLnIB6Hy+6DqZWc7wfb+GF8F/OAhVYsgJhKRodTtrVBzsXRWbhnPs5lR
wjiM+mejmDDT9uczU0EWH+T0s2vsZO6Vhls8dHhhLnEp/tkNa4fINItzvICD44iY
k9cqWf9coREeT1z3VIEjmcCiFbWVc1RtTMmfsyjWkEluxY4+l25p4JVD9x1qgTCd
YcPpopBScAcm92B7KW4GvpnoAtxf1WLv1xqs7Hj9JsnMKhQe8sM95O8rfqwjbaAE
lEMmSPALJ5UVR74cdFOJjveSlylkePVKQUIJWLXesdbCBz8A+ItJzMckFBZ530OH
jWV2RCSjcDQAEIFVFfi43YYMB5Dt/kiY2728FQlSDGXQJtvg8+8xlrW5lNeJYhWe
NbxnqY514DzZNBVnfXDBNiMeANnbnrmBNr8kJEHWXjnz1oY1o60wDzvKjGZQSN5i
8XD2Sr1sujKsXtq8J0R0aAv2sB11FrxYUIupHKkJY/+BnBZR0fLzvLEitC84SfGF
eFd2Q7rS5DuV
=/V4/
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 04 Mar 2019 07:30:12 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:11:17 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon