Univention Bugzilla – Bug 48591
libvncserver: Multiple issues (4.3)
Last modified: 2019-02-06 12:35:50 CET
New Debian libvncserver 0.9.11+dfsg-1.3~deb9u1 fixes:

This update addresses the following issues:
* Use-after-free in file transfer extension server code allows for potential code execution (CVE-2018-6307)
* Use-after-free in file transfer extension allows for potential code execution (CVE-2018-15126)
* Heap out-of-bounds write in rfbserver.c:rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127)
* Multiple heap out-of-bound writes in VNC client code (CVE-2018-20019)
* Heap out-of-bound write inside structure in VNC client code allows for potential code execution (CVE-2018-20020)
* Infinite loop in VNC client code allows for denial of service (CVE-2018-20021)
* Improper initialization in VNC client code allows for information disclosure (CVE-2018-20022)
* Improper initialization in VNC Repeater client code allows for information disclosure (CVE-2018-20023)
* NULL pointer dereference in VNC client code allows for denial of service (CVE-2018-20024)
--- mirror/ftp/4.3/unmaintained/4.3-2/source/libvncserver_0.9.11+dfsg-1+deb9u1.dsc +++ apt/ucs_4.3-0-errata4.3-3/source/libvncserver_0.9.11+dfsg-1.3~deb9u1.dsc 
@@ -1,4 +1,51 @@ -0.9.11+dfsg-1+deb9u1 [Tue, 05 Jun 2018 14:43:47 +0200] Markus Koschany <apo@debian.org>: +0.9.11+dfsg-1.3~deb9u1 [Sat, 02 Feb 2019 22:41:23 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * Rebuild for stretch-security. + +0.9.11+dfsg-1.3 [Wed, 30 Jan 2019 22:39:15 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload. + * LibVNCClient: ignore server-sent cut text longer than 1MB (CVE-2018-20748) + (Closes: #920941) + * LibVNCClient: ignore server-sent reason strings longer than 1MB + (CVE-2018-20748) (Closes: #920941) + * LibVNCClient: fail on server-sent desktop name lengths longer than 1MB + (CVE-2018-20748) (Closes: #920941) + * LibVNCClient: remove now-useless cast (CVE-2018-20748) (Closes: #920941) + * Error out in rfbProcessFileTransferReadBuffer if length can not be + allocated (CVE-2018-20749) (Closes: #920941) + * Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer() + (CVE-2018-20750) (Closes: #920941) + +0.9.11+dfsg-1.2 [Wed, 02 Jan 2019 16:26:53 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload. 
+ * Fix multiple security vulnerabilities (Closes: #916941) + - Use-after-free in file transfer extension allows for potential + code execution (CVE-2018-15126) + - Heap out-of-bounds write in + rfbserver.c:rfbProcessFileTransferReadBuffer() allows for + potential code execution (CVE-2018-15127) + - Multiple heap out-of-bound writes in VNC client code + (CVE-2018-20019) + - Heap out-of-bound write inside structure in VNC client code allows + for potential code execution (CVE-2018-20020) + - Infinite loop in VNC client code allows for denial of service + (CVE-2018-20021) + - Improper initialization in VNC client code allows for information + disclosure (CVE-2018-20022) + - Improper initialization in VNC Repeater client code allows for + information disclosure (CVE-2018-20023) + - NULL pointer dereference in VNC client code allows for denial of + service (CVE-2018-20024) + - Use-after-free in file transfer extension server code allows for + potential code execution (CVE-2018-6307) + * Update symbols file for libvncserver1. + The fix for CVE-2018-15126 removes CloseUndoneFileTransfer and + introduces new CloseUndoneFileDownload and CloseUndoneFileUpload. + +0.9.11+dfsg-1.1 [Tue, 05 Jun 2018 14:43:47 +0200] Markus Koschany <apo@debian.org>: * Non-maintainer upload. * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be <http://10.200.17.11/4.3-3/#413696957010537505>
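Review bot: the 0.9.11+dfsg-1.3 entry adds fixes for CVE-2018-20748, CVE-2018-20749 and CVE-2018-20750, but the issue list in this bug's description ends at CVE-2018-20024 and does not mention them; add the three ids to the errata text so the advisory matches what the package actually fixes. The 0.9.11+dfsg-1.2 entry also records a symbols change for libvncserver1 (CloseUndoneFileTransfer removed, CloseUndoneFileDownload and CloseUndoneFileUpload introduced), so any package linking against the removed symbol should be checked before release. Minor: "lenght" in the CVE-2018-20750 line is a typo carried over from the Debian changelog.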
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.3-3] 3e086c5f57 Bug #48591: libvncserver 0.9.11+dfsg-1.3~deb9u1
 doc/errata/staging/libvncserver.yaml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
<http://errata.software-univention.de/ucs/4.3/415.html>