[CVE-2014-6051 to CVE-2014-6055] Multiple issues in libVNCserver

Related Vulnerabilities: CVE-2014-6051   CVE-2014-6055   CVE-2014-6052   CVE-2014-6053   CVE-2014-6054   CVE-2015-6053  

Debian Bug report logs - #762745

Reported by: Luciano Bello <luciano@debian.org>

Date: Wed, 24 Sep 2014 21:24:02 UTC

Severity: grave

Tags: patch, security

Fixed in versions libvncserver/0.9.9+dfsg-6.1, libvncserver/0.9.9+dfsg-1+deb7u1

Done: Tobias Frost <tobi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Luca Falavigna <dktrkranz@debian.org>:
Bug#762745; Package libvncserver. (Wed, 24 Sep 2014 21:24:07 GMT)


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Luca Falavigna <dktrkranz@debian.org>. (Wed, 24 Sep 2014 21:24:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: [CVE-2014-6051 to CVE-2014-6055] Multiple issues in libVNCserver
Date: Wed, 24 Sep 2014 23:20:05 +0200
Package: libvncserver
Severity: important
Tags: security

Hi there,
    the following vulnerabilities were published for libVNCserver:

CVE-2014-6051 Integer overflow in MallocFrameBuffer() on client side.
CVE-2014-6052 Lack of malloc() return value checking on client side.
CVE-2014-6053 Server crash on a very large ClientCutText message.
CVE-2014-6054 Server crash when scaling factor is set to zero.
CVE-2014-6055 Multiple stack overflows in File Transfer feature.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

http://seclists.org/oss-sec/2014/q3/639

Please adjust the affected versions in the BTS as needed and clone this bug if 
you are not going to fix all these problems together.

Regards, luciano  



Information forwarded to debian-bugs-dist@lists.debian.org, Luca Falavigna <dktrkranz@debian.org>:
Bug#762745; Package libvncserver. (Wed, 22 Oct 2014 11:36:04 GMT)


Acknowledgement sent to Christian Beier <dontmind@freeshell.org>:
Extra info received and forwarded to list. Copy sent to Luca Falavigna <dktrkranz@debian.org>. (Wed, 22 Oct 2014 11:36:05 GMT)


Message #10 received at 762745@bugs.debian.org:

From: Christian Beier <dontmind@freeshell.org>
To: 762745@bugs.debian.org
Subject: [CVE-2014-6051 to CVE-2014-6055] Multiple issues in libVNCserver
Date: Wed, 22 Oct 2014 13:32:49 +0200
Hi,

I think all of those are fixed in the most recent upstream release:
https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.10

Cheers,
   Christian



Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Thu, 20 Nov 2014 22:03:21 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Luca Falavigna <dktrkranz@debian.org>:
Bug#762745; Package libvncserver. (Sun, 23 Nov 2014 15:39:08 GMT)


Acknowledgement sent to Tobias Frost <tobi@debian.org>:
Extra info received and forwarded to list. Copy sent to Luca Falavigna <dktrkranz@debian.org>. (Sun, 23 Nov 2014 15:39:08 GMT)


Message #17 received at 762745@bugs.debian.org:

From: Tobias Frost <tobi@debian.org>
To: 762745@bugs.debian.org
Subject: libvncserver: diff for NMU version 0.9.9+dfsg-6.1
Date: Sun, 23 Nov 2014 16:34:21 +0100
Control: tags 762745 + patch

Dear maintainer,

I prepared below patch by cherry-picking upstream patches.
I did NOT yet test the resulting package, but I will do ASAP.
Meanwhile feedback is appreciated.

(I will after testing probably do an NMU to DELAY/5, but I will announce that separately.)

--
tobi

Regards.
diff -Nru libvncserver-0.9.9+dfsg/debian/changelog libvncserver-0.9.9+dfsg/debian/changelog
--- libvncserver-0.9.9+dfsg/debian/changelog	2014-08-12 16:02:30.000000000 +0200
+++ libvncserver-0.9.9+dfsg/debian/changelog	2014-11-23 16:19:53.000000000 +0100
@@ -1,3 +1,12 @@
+libvncserver (0.9.9+dfsg-6.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055:
+    Multiple issues in libVNCserver -- cherry picking targeted fixed from
+    upstream (Closes: #762745)
+
+ -- Tobias Frost <tobi@debian.org>  Sun, 23 Nov 2014 16:19:53 +0100
+
 libvncserver (0.9.9+dfsg-6) unstable; urgency=medium
 
   [ Luca Falavigna ]
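
Review bot: urgency=medium on the new 0.9.9+dfsg-6.1 stanza looks low for an
upload whose only content is fixes for five CVEs; consider urgency=high. In
the same entry, "cherry picking targeted fixed from upstream" should read
"targeted fixes", and naming the individual patch files next to the CVE ids
would make the entry easier to audit.
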
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6051.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6051.patch
--- libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6051.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6051.patch	2014-11-23 15:29:25.000000000 +0100
@@ -0,0 +1,39 @@
+Description: Fix integer overflow in MallocFrameBuffer() (CVE-2014-6051)
+ Promote integers to uint64_t to avoid integer overflow issue during
+ frame buffer allocation for very large screen sizes
+Origin: https://github.com/newsoft/libvncserver/commit/045a044e8ae79db9244593fbce154cdf6e843273
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: libvncserver-0.9.9+dfsg/libvncclient/vncviewer.c
+===================================================================
+--- libvncserver-0.9.9+dfsg.orig/libvncclient/vncviewer.c
++++ libvncserver-0.9.9+dfsg/libvncclient/vncviewer.c
+@@ -82,9 +82,27 @@ static char* ReadPassword(rfbClient* cli
+ #endif
+ }
+ static rfbBool MallocFrameBuffer(rfbClient* client) {
++uint64_t allocSize;
++
+   if(client->frameBuffer)
+     free(client->frameBuffer);
+-  client->frameBuffer=malloc(client->width*client->height*client->format.bitsPerPixel/8);
++
++  /* SECURITY: promote 'width' into uint64_t so that the multiplication does not overflow
++     'width' and 'height' are 16-bit integers per RFB protocol design
++     SIZE_MAX is the maximum value that can fit into size_t
++  */
++  allocSize = (uint64_t)client->width * client->height * client->format.bitsPerPixel/8;
++
++  if (allocSize >= SIZE_MAX) {
++    rfbClientErr("CRITICAL: cannot allocate frameBuffer, requested size is too large\n");
++    return FALSE;
++  }
++
++  client->frameBuffer=malloc( (size_t)allocSize );
++
++  if (client->frameBuffer == NULL)
++    rfbClientErr("CRITICAL: frameBuffer allocation failed, requested size too large or not enough memory?\n");
++
+   return client->frameBuffer?TRUE:FALSE;
+ }
+ 
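
Review bot: in MallocFrameBuffer(), the new early "return FALSE" on the
allocSize check leaves client->frameBuffer pointing at the block that was
free()d a few lines above it. Set client->frameBuffer = NULL directly after
the free() so a rejected resize cannot leave a dangling pointer behind for a
later free() or write. Two smaller points: the hunk uses uint64_t and
SIZE_MAX without adding an include, so please confirm <stdint.h> is already
pulled in by vncviewer.c; and with the 16-bit width and height the comment
describes, "allocSize >= SIZE_MAX" can never be true where size_t is 64 bits
wide, so on those platforms the only remaining guard is malloc() failing.
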
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6052.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6052.patch
--- libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6052.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6052.patch	2014-11-23 15:39:16.000000000 +0100
@@ -0,0 +1,56 @@
+Description:  Check for MallocFrameBuffer() return value (CVE-2014-6052)
+ If MallocFrameBuffer() returns FALSE, frame buffer pointer is left to
+ NULL. Subsequent writes into that buffer could lead to memory
+ corruption, or even arbitrary code execution.
+Origin: https://github.com/newsoft/libvncserver/commit/85a778c0e45e87e35ee7199f1f25020648e8b812
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c
+===================================================================
+--- libvncserver-0.9.9+dfsg.orig/libvncclient/rfbproto.c
++++ libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c
+@@ -1807,7 +1807,8 @@ HandleRFBServerMessage(rfbClient* client
+ 	client->updateRect.x = client->updateRect.y = 0;
+ 	client->updateRect.w = client->width;
+ 	client->updateRect.h = client->height;
+-	client->MallocFrameBuffer(client);
++  if (!client->MallocFrameBuffer(client))
++    return FALSE;
+ 	SendFramebufferUpdateRequest(client, 0, 0, rect.r.w, rect.r.h, FALSE);
+ 	rfbClientLog("Got new framebuffer size: %dx%d\n", rect.r.w, rect.r.h);
+ 	continue;
+@@ -2260,7 +2261,8 @@ HandleRFBServerMessage(rfbClient* client
+     client->updateRect.x = client->updateRect.y = 0;
+     client->updateRect.w = client->width;
+     client->updateRect.h = client->height;
+-    client->MallocFrameBuffer(client);
++    if (!client->MallocFrameBuffer(client))
++      return FALSE;
+     SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
+     rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
+     break;
+@@ -2276,7 +2278,9 @@ HandleRFBServerMessage(rfbClient* client
+     client->updateRect.x = client->updateRect.y = 0;
+     client->updateRect.w = client->width;
+     client->updateRect.h = client->height;
+-    client->MallocFrameBuffer(client);
++    if (!client->MallocFrameBuffer(client))
++      return FALSE;
++
+     SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
+     rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
+     break;
+Index: libvncserver-0.9.9+dfsg/libvncclient/vncviewer.c
+===================================================================
+--- libvncserver-0.9.9+dfsg.orig/libvncclient/vncviewer.c
++++ libvncserver-0.9.9+dfsg/libvncclient/vncviewer.c
+@@ -243,7 +243,8 @@ static rfbBool rfbInitConnection(rfbClie
+ 
+   client->width=client->si.framebufferWidth;
+   client->height=client->si.framebufferHeight;
+-  client->MallocFrameBuffer(client);
++  if (!client->MallocFrameBuffer(client))
++    return FALSE;
+ 
+   if (!SetFormatAndEncodings(client))
+     return FALSE;
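
Review bot: all four call sites go through the client->MallocFrameBuffer
function pointer, so a return value that used to be ignored now aborts the
connection. An application-supplied callback that does not return TRUE on
success would start failing after this change; that behaviour change
deserves a line in the patch description. In each site client->width,
client->height and updateRect are also updated before the allocation is
checked, so on failure the struct describes a size for which no buffer
exists, which is only safe if every caller treats FALSE as fatal. Style: the
added lines in the first rfbproto.c hunk (@@ -1807) are indented with spaces
inside a block whose neighbouring lines use tabs.
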
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6054.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6054.patch
--- libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6054.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6054.patch	2014-11-23 15:54:17.000000000 +0100
@@ -0,0 +1,39 @@
+Description: Do not accept a scaling factor of zero (CVE-2014-6054)
+ Do not accept a scaling factor of zero on
+ PalmVNCSetScaleFactor and SetScale client->server messages. This would cause
+ a division by zero and crash the server.
+Origin: https://github.com/newsoft/libvncserver/commit/05a9bd41a8ec0a9d580a8f420f41718bdd235446
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c
+===================================================================
+--- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c
++++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c
+@@ -2487,6 +2487,13 @@ rfbProcessClientNormalMessage(rfbClientP
+           rfbCloseClient(cl);
+           return;
+       }
++
++      if (msg.ssc.scale == 0) {
++          rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero");
++          rfbCloseClient(cl);
++          return;
++      }
++
+       rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg);
+       rfbLog("rfbSetScale(%d)\n", msg.ssc.scale);
+       rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale);
+@@ -2503,6 +2510,13 @@ rfbProcessClientNormalMessage(rfbClientP
+           rfbCloseClient(cl);
+           return;
+       }
++
++      if (msg.ssc.scale == 0) {
++          rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero");
++          rfbCloseClient(cl);
++          return;
++      }
++
+       rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg);
+       rfbLog("rfbSetScale(%d)\n", msg.ssc.scale);
+       rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale);
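
Review bot: both added checks reject only msg.ssc.scale == 0, but the
divisions that follow, cl->screen->width/msg.ssc.scale and
cl->screen->height/msg.ssc.scale, still produce 0 whenever the scale is
larger than the screen dimension. Please check whether rfbScalingSetup()
copes with a zero width or height, or reject those values here as well.
Also, a zero scale is a protocol validation failure rather than a failed
system call, so logging it through rfbLogPerror() is misleading; rfbLog(),
which the next lines already use, fits better.
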
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6055.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6055.patch
--- libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6055.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2014-6055.patch	2014-11-23 16:29:51.000000000 +0100
@@ -0,0 +1,152 @@
+Descript$ion: Fix multiple stack-based buffer overflows in file transfer feature
+ Note: The patch has been modified to be a targeting fix without the risk of breaking
+ABI -- https://bugzilla.redhat.com/show_bug.cgi?id=1144293#c2.
+However, as this function is not in header it is unlikely to be used outside of the lib.
+Origin: https://github.com/newsoft/libvncserver/commit/06ccdf016154fde8eccb5355613ba04c59127b2e
+Origin: https://github.com/newsoft/libvncserver/commit/f528072216dec01cee7ca35d94e171a3b909e677
+Origin: https://github.com/newsoft/libvncserver/commit/256964b884c980038cd8b2f0d180fbb295b1c748
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c
+===================================================================
+--- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c
++++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c
+@@ -1237,21 +1237,35 @@ typedef struct {
+ #define RFB_FILE_ATTRIBUTE_TEMPORARY  0x100
+ #define RFB_FILE_ATTRIBUTE_COMPRESSED 0x800
+ 
+-rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, char *path, char *unixPath)
++rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, /* in */ char *path, /* out */ char *unixPath )
+ {
+     int x;
+     char *home=NULL;
+-
++    size_t unixPathMaxLen = MAX_PATH;
+     FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, FALSE);
+ 
++    /*
++     * Do not use strncpy() - truncating the file name would probably have undesirable side effects
++     * Instead check if destination buffer is big enough
++     */
++
++    if (strlen(path) >= unixPathMaxLen)
++      return FALSE;
++
+     /* C: */
+     if (path[0]=='C' && path[1]==':')
++    {
+       strcpy(unixPath, &path[2]);
++    }
+     else
+     {
+       home = getenv("HOME");
+       if (home!=NULL)
+       {
++        /* Re-check buffer size */
++        if ((strlen(path) + strlen(home) + 1) >= unixPathMaxLen)
++          return FALSE;
++
+         strcpy(unixPath, home);
+         strcat(unixPath,"/");
+         strcat(unixPath, path);
+@@ -1289,7 +1303,8 @@ rfbBool rfbSendDirContent(rfbClientPtr c
+     FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, FALSE);
+ 
+     /* Client thinks we are Winblows */
+-    rfbFilenameTranslate2UNIX(cl, buffer, path);
++    if (!rfbFilenameTranslate2UNIX(cl, buffer, path))
++      return FALSE;
+ 
+     if (DB) rfbLog("rfbProcessFileTransfer() rfbDirContentRequest: rfbRDirContent: \"%s\"->\"%s\"\n",buffer, path);
+ 
+@@ -1566,7 +1581,9 @@ rfbBool rfbProcessFileTransfer(rfbClient
+         /* add some space to the end of the buffer as we will be adding a timespec to it */
+         if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE;
+         /* The client requests a File */
+-        rfbFilenameTranslate2UNIX(cl, buffer, filename1);
++        if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1))
++          goto fail;
++
+         cl->fileTransfer.fd=open(filename1, O_RDONLY, 0744);
+ 
+         /*
+@@ -1660,16 +1677,17 @@ rfbBool rfbProcessFileTransfer(rfbClient
+         */
+         if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE;
+ 
+-        /* Parse the FileTime */
++        /* Parse the FileTime
++         * TODO: FileTime is actually never used afterwards
++         */
+         p = strrchr(buffer, ',');
+         if (p!=NULL) {
+             *p = '\0';
+-            strcpy(szFileTime, p+1);
++            strncpy(szFileTime, p+1, sizeof(szFileTime));
++            szFileTime[sizeof(szFileTime)-1] = '\x00'; /* ensure NULL terminating byte is present, even if copy overflowed */
+         } else
+             szFileTime[0]=0;
+ 
+-
+-
+         /* Need to read in sizeHtmp */
+         if ((n = rfbReadExact(cl, (char *)&sizeHtmp, 4)) <= 0) {
+             if (n != 0)
+@@ -1681,7 +1699,8 @@ rfbBool rfbProcessFileTransfer(rfbClient
+         }
+         sizeHtmp = Swap32IfLE(sizeHtmp);
+         
+-        rfbFilenameTranslate2UNIX(cl, buffer, filename1);
++        if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1))
++          goto fail;
+ 
+         /* If the file exists... We can send a rfbFileChecksums back to the client before we send an rfbFileAcceptHeader */
+         /* TODO: Delta Transfer */
+@@ -1810,7 +1829,9 @@ rfbBool rfbProcessFileTransfer(rfbClient
+         if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE;
+         switch (contentParam) {
+         case rfbCDirCreate:  /* Client requests the creation of a directory */
+-            rfbFilenameTranslate2UNIX(cl, buffer, filename1);
++            if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1))
++              goto fail;
++
+             retval = mkdir(filename1, 0755);
+             if (DB) rfbLog("rfbProcessFileTransfer() rfbCommand: rfbCDirCreate(\"%s\"->\"%s\") %s\n", buffer, filename1, (retval==-1?"Failed":"Success"));
+             /*
+@@ -1819,7 +1840,9 @@ rfbBool rfbProcessFileTransfer(rfbClient
+             if (buffer!=NULL) free(buffer);
+             return retval;
+         case rfbCFileDelete: /* Client requests the deletion of a file */
+-            rfbFilenameTranslate2UNIX(cl, buffer, filename1);
++            if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1))
++              goto fail;
++
+             if (stat(filename1,&statbuf)==0)
+             {
+                 if (S_ISDIR(statbuf.st_mode))
+@@ -1837,8 +1860,12 @@ rfbBool rfbProcessFileTransfer(rfbClient
+             {
+                 /* Split into 2 filenames ('*' is a seperator) */
+                 *p = '\0';
+-                rfbFilenameTranslate2UNIX(cl, buffer, filename1);
+-                rfbFilenameTranslate2UNIX(cl, p+1,    filename2);
++                if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1))
++                  goto fail;
++
++                if (!rfbFilenameTranslate2UNIX(cl, p+1,    filename2))
++                  goto fail;
++
+                 retval = rename(filename1,filename2);
+                 if (DB) rfbLog("rfbProcessFileTransfer() rfbCommand: rfbCFileRename(\"%s\"->\"%s\" -->> \"%s\"->\"%s\") %s\n", buffer, filename1, p+1, filename2, (retval==-1?"Failed":"Success"));
+                 /*
+@@ -1858,6 +1885,10 @@ rfbBool rfbProcessFileTransfer(rfbClient
+     /* NOTE: don't forget to free(buffer) if you return early! */
+     if (buffer!=NULL) free(buffer);
+     return TRUE;
++
++fail:
++    if (buffer!=NULL) free(buffer);
++    return FALSE;
+ }
+ 
+ /*
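
Review bot: rfbFilenameTranslate2UNIX() now assumes that every destination
buffer holds at least MAX_PATH bytes (unixPathMaxLen = MAX_PATH), but the
declarations of path, filename1 and filename2 at the call sites are not part
of this patch. Please confirm each of them is sized MAX_PATH; otherwise the
new strlen() checks bound against the wrong size and the strcpy()/strcat()
calls can still overflow. The first header line reads "Descript$ion:", which
breaks the DEP-3 Description field. In the szFileTime change the comment
should say NUL rather than NULL for the terminating byte.
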
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-2015-6053.patch libvncserver-0.9.9+dfsg/debian/patches/CVE-2015-6053.patch
--- libvncserver-0.9.9+dfsg/debian/patches/CVE-2015-6053.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.9+dfsg/debian/patches/CVE-2015-6053.patch	2014-11-23 15:45:29.000000000 +0100
@@ -0,0 +1,24 @@
+Description: Check malloc() return value (CVE-2014-6053)
+ Check malloc() return value on client->server ClientCutText
+ message. Client can send up to 2**32-1 bytes of text, and such a large
+ allocation is likely to fail in case of high memory pressure. This would in a
+ server crash (write at address 0).
+Origin: https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c
+===================================================================
+--- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c
++++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c
+@@ -2457,6 +2457,11 @@ rfbProcessClientNormalMessage(rfbClientP
+ 	msg.cct.length = Swap32IfLE(msg.cct.length);
+ 
+ 	str = (char *)malloc(msg.cct.length);
++	if (str == NULL) {
++		rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
++		rfbCloseClient(cl);
++		return;
++	}
+ 
+ 	if ((n = rfbReadExact(cl, str, msg.cct.length)) <= 0) {
+ 	    if (n != 0)
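
Review bot: the NULL check added after malloc(msg.cct.length) stops the
write to address 0, but the length is still taken from the client without
any upper bound (the description itself says up to 2**32-1 bytes), so a
single ClientCutText message can still make the server attempt a
multi-gigabyte allocation. Consider rejecting lengths above a sane cap
before calling malloc(). The description sentence "This would in a server
crash" is missing the word "result".
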
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/series libvncserver-0.9.9+dfsg/debian/patches/series
--- libvncserver-0.9.9+dfsg/debian/patches/series	2014-08-11 00:21:58.000000000 +0200
+++ libvncserver-0.9.9+dfsg/debian/patches/series	2014-11-23 16:03:36.000000000 +0100
@@ -5,3 +5,8 @@
 listenSock.patch
 ppc64el.patch
 pkgconfig.patch
+CVE-2014-6051.patch
+CVE-2014-6052.patch
+CVE-2015-6053.patch
+CVE-2014-6054.patch
+CVE-2014-6055.patch
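
Review bot: the third added series entry, CVE-2015-6053.patch, carries the
wrong year. The patch's own Description and the changelog both name the
issue CVE-2014-6053, so rename the file to CVE-2014-6053.patch and update
this entry, so that the patch set can be matched to the CVE ids by name.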



Added tag(s) patch. Request was from Tobias Frost <tobi@debian.org> to 762745-submit@bugs.debian.org. (Sun, 23 Nov 2014 15:39:08 GMT)


Added tag(s) pending. Request was from Tobias Frost <tobi@debian.org> to control@bugs.debian.org. (Sun, 23 Nov 2014 15:57:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Luca Falavigna <dktrkranz@debian.org>:
Bug#762745; Package libvncserver. (Sun, 23 Nov 2014 16:00:08 GMT)


Acknowledgement sent to Tobias Frost <tobi@debian.org>:
Extra info received and forwarded to list. Copy sent to Luca Falavigna <dktrkranz@debian.org>. (Sun, 23 Nov 2014 16:00:08 GMT)


Message #26 received at 762745@bugs.debian.org:

From: Tobias Frost <tobi@debian.org>
To: 762745@bugs.debian.org
Subject: libvncserver -- will upload the NMU.
Date: Sun, 23 Nov 2014 16:57:28 +0100
After testing and looks that it is working, I will upload it to
DELAYED/5.
Please let me know if I should cancel it or delay it further.

Thanks!

-- 
tobi



Information forwarded to debian-bugs-dist@lists.debian.org, Luca Falavigna <dktrkranz@debian.org>:
Bug#762745; Package libvncserver. (Sun, 23 Nov 2014 20:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Luca Falavigna <dktrkranz@debian.org>. (Sun, 23 Nov 2014 20:45:04 GMT)


Message #31 received at 762745@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Tobias Frost <tobi@debian.org>, 762745@bugs.debian.org
Cc: Luca Falavigna <dktrkranz@debian.org>
Subject: Re: Bug#762745: libvncserver -- will upload the NMU.
Date: Sun, 23 Nov 2014 21:44:13 +0100
Hi Tobi,

On Sun, Nov 23, 2014 at 04:57:28PM +0100, Tobias Frost wrote:
> After testing and looks that it is working, I will upload it to
> DELAYED/5.
> Please let me know if I should cancel it or delay it further.

Please note that there is ongoing work by the maintainer asking for a
pre-approval on the release team, see #770501. There is a problem as it
seems there is an API/ABI break.

So please double check with Luca (cc'ed him).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Luca Falavigna <dktrkranz@debian.org>:
Bug#762745; Package libvncserver. (Mon, 24 Nov 2014 00:09:05 GMT)


Acknowledgement sent to Tobias Frost <tobi@debian.org>:
Extra info received and forwarded to list. Copy sent to Luca Falavigna <dktrkranz@debian.org>. (Mon, 24 Nov 2014 00:09:05 GMT)


Message #36 received at 762745@bugs.debian.org:

From: Tobias Frost <tobi@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 762745@bugs.debian.org, Luca Falavigna <dktrkranz@debian.org>
Subject: Re: Bug#762745: libvncserver -- will upload the NMU.
Date: Mon, 24 Nov 2014 01:04:48 +0100
Hi Salvatore,
On Sunday, 23.11.2014 at 21:44 +0100, Salvatore Bonaccorso wrote:
> Hi Tobi,
> 
> On Sun, Nov 23, 2014 at 04:57:28PM +0100, Tobias Frost wrote:
> > After testing and looks that it is working, I will upload it to
> > DELAYED/5.
> > Please let me know if I should cancel it or delay it further.
> 
> Please note that there is ongoing work by the maintainer asking for a
> pre-approval on the release team, see #770501. There is a problem as it
> seems there is an API/ABI break.
> 
> So please double check with Luca (cc'ed him).
> 
> Regards,
> Salvatore

thanks for the feedback. 
Regarding the ABI -- my patch considers that: The ABI is strictly the
same, even if no application should use that ABI (it's exported, but not
declared by the header): The patch does not add the additional
parameter, but enforces the limit PATH_MAX -- this is consistent with the
usage of this function from (within) the library.
IMHO applications using this function would be buggy as it uses a
non-properly-prototyped-exported function; also codesearch.d.n indicates
that there is no such call in the archives [1]

Regarding #770501, thanks for the hint (sigh, why do people not indicate
that in the bugs they want to fix? :-/ e.g. blocked-by or pending tags or
just submitting the patch to the BTS?)
(IMHO issue #766257, is not covered by the freeze policy)

-- 
tobi

[1] http://codesearch.debian.net/search?q=rfbFilenameTranslate2UNIX



Reply sent to Tobias Frost <tobi@debian.org>:
You have taken responsibility. (Fri, 28 Nov 2014 16:39:05 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Fri, 28 Nov 2014 16:39:05 GMT)


Message #41 received at 762745-close@bugs.debian.org:

From: Tobias Frost <tobi@debian.org>
To: 762745-close@bugs.debian.org
Subject: Bug#762745: fixed in libvncserver 0.9.9+dfsg-6.1
Date: Fri, 28 Nov 2014 16:34:50 +0000
Source: libvncserver
Source-Version: 0.9.9+dfsg-6.1

We believe that the bug you reported is fixed in the latest version of
libvncserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762745@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <tobi@debian.org> (supplier of updated libvncserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 23 Nov 2014 16:19:53 +0100
Source: libvncserver
Binary: libvncclient0 libvncserver0 libvncserver-dev libvncserver-config libvncclient0-dbg libvncserver0-dbg linuxvnc
Architecture: source amd64
Version: 0.9.9+dfsg-6.1
Distribution: unstable
Urgency: medium
Maintainer: Luca Falavigna <dktrkranz@debian.org>
Changed-By: Tobias Frost <tobi@debian.org>
Description:
 libvncclient0 - API to write one's own vnc server - client library
 libvncclient0-dbg - debugging symbols for libvncclient
 libvncserver-config - API to write one's own vnc server - library utility
 libvncserver-dev - API to write one's own vnc server - development files
 libvncserver0 - API to write one's own vnc server
 libvncserver0-dbg - debugging symbols for libvncserver
 linuxvnc   - VNC server to allow remote access to a tty
Closes: 762745
Changes:
 libvncserver (0.9.9+dfsg-6.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055:
     Multiple issues in libVNCserver -- cherry picking targeted fixed from
     upstream (Closes: #762745)




Reply sent to Tobias Frost <tobi@debian.org>:
You have taken responsibility. (Mon, 08 Dec 2014 15:33:05 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Mon, 08 Dec 2014 15:33:05 GMT)


Message #46 received at 762745-close@bugs.debian.org:

From: Tobias Frost <tobi@debian.org>
To: 762745-close@bugs.debian.org
Subject: Bug#762745: fixed in libvncserver 0.9.9+dfsg-1+deb7u1
Date: Mon, 08 Dec 2014 15:32:27 +0000
Source: libvncserver
Source-Version: 0.9.9+dfsg-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
libvncserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762745@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <tobi@debian.org> (supplier of updated libvncserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 28 Nov 2014 21:34:11 +0000
Source: libvncserver
Binary: libvncserver0 libvncserver-dev libvncserver-config libvncserver0-dbg linuxvnc
Architecture: source amd64
Version: 0.9.9+dfsg-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Luca Falavigna <dktrkranz@debian.org>
Changed-By: Tobias Frost <tobi@debian.org>
Description: 
 libvncserver-config - API to write one's own vnc server - library utility
 libvncserver-dev - API to write one's own vnc server - development files
 libvncserver0 - API to write one's own vnc server
 libvncserver0-dbg - debugging symbols for libvncserver
 linuxvnc   - VNC server to allow remote access to a tty
Closes: 762745
Changes: 
 libvncserver (0.9.9+dfsg-1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload for the Security Team.
   * CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055:
     Multiple issues in libVNCserver -- cherry picking targeted fixed from
     upstream. (Closes: #762745)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Jan 2015 07:29:43 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:55:36 2019; Machine Name: buxtehude
