Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Dear release team,

a regression in the recent libvncserver buster-pu (+deb10u1) has been reported.

  + * Regression update.
  +
  + * debian/patches: Add use-after-free/{4,5,6}.patch. All cherry-picked from
  +   upstream. Resolves crashing of x11vnc when vncviewer connects. (Closes:
  +   #905786).

The just uploaded libvncserver package version (+deb10u2) pulls in three more patches from upstream that resolve this regression issue.

thanks+greets,
Mike

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog --- libvncserver-0.9.11+dfsg/debian/changelog 2019-12-03 09:18:57.000000000 +0100 +++ libvncserver-0.9.11+dfsg/debian/changelog 2020-01-08 08:22:51.000000000 +0100 @@ -1,3 +1,13 @@ +libvncserver (0.9.11+dfsg-1.3+deb10u2) buster; urgency=medium + + * Regression update. + + * debian/patches: Add use-after-free/{4,5,6}.patch. All cherry-picked from + upstream. Resolves crashing of x11vnc when vncviewer connects. (Closes: + #905786). + + -- Mike Gabriel <sunwea...@debian.org> Wed, 08 Jan 2020 08:22:51 +0100 + libvncserver (0.9.11+dfsg-1.3+deb10u1) buster; urgency=medium * CVE-2019-15681: rfbserver: don't leak stack memory to the remote. (Closes: diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series --- libvncserver-0.9.11+dfsg/debian/patches/series 2019-12-03 09:18:57.000000000 +0100 +++ libvncserver-0.9.11+dfsg/debian/patches/series 2020-01-08 08:22:34.000000000 +0100 @@ -25,4 +25,7 @@ use-after-free/1.patch use-after-free/2.patch use-after-free/3.patch +use-after-free/4.patch +use-after-free/5.patch +use-after-free/6.patch 0002-set-true-color-flag-to-1.patch diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch --- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch 2020-01-08 08:22:51.000000000 +0100 
@@ -0,0 +1,24 @@ +From 7e63df224aa45a8b541cd63a870594454aba7526 Mon Sep 17 00:00:00 2001 +From: Andrzej Szombierski <q...@kuku.eu.org> +Date: Tue, 28 May 2019 10:56:47 +0200 +Subject: [PATCH] rfbserver: don't close fd 0 accidentally + +pipe_notify_client_thread needs to be initialized to -1 +--- + libvncserver/rfbserver.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -462,6 +462,11 @@ + + cl->lastPtrX = -1; + ++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD ++ cl->pipe_notify_client_thread[0] = -1; ++ cl->pipe_notify_client_thread[1] = -1; ++#endif ++ + #ifdef LIBVNCSERVER_WITH_WEBSOCKETS + /* + * Wait a few ms for the client to send one of: diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch --- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch 2020-01-08 08:22:51.000000000 +0100 
@@ -0,0 +1,26 @@ +From d0a76539835d11c0f4723499f8be4bc9c7724eb9 Mon Sep 17 00:00:00 2001 +From: Rajesh Sahoo <rajesh.sa...@lge.com> +Date: Tue, 11 Jun 2019 15:13:04 +0530 +Subject: [PATCH] avoid pthread_join if backgroundLoop is FALSE + +client_thread is created depending upon backgroundLoop, but joining +without checking for same condition. so we are trying to join a garbage +thread_id. +--- + libvncserver/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/libvncserver/main.c ++++ b/libvncserver/main.c +@@ -1095,9 +1095,11 @@ + } + + #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD ++ if(currentCl->screen->backgroundLoop) { + // Notify the thread and join it + write(currentCl->pipe_notify_client_thread[1], "\x00", 1); + pthread_join(currentCl->client_thread, NULL); ++ } + #else + rfbClientConnectionGone(currentCl); + #endif diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch --- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch 2020-01-08 08:22:51.000000000 +0100 @@ -0,0 +1,30 @@ +From d3a4292aa9ade2a335e0915523506b73e94251d7 Mon Sep 17 00:00:00 2001 +From: Christian Beier <dontm...@freeshell.org> +Date: Sun, 6 Jan 2019 19:34:04 +0100 +Subject: [PATCH] Move pipe_notify_client_thread to end of rfbClientRec + +in order to retain ABI compatibility. +--- + rfb/rfb.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/rfb/rfb.h ++++ b/rfb/rfb.h +@@ -466,7 +466,6 @@ + int protocolMinorVersion; + + #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD +- int pipe_notify_client_thread[2]; + pthread_t client_thread; + #endif + +@@ -696,6 +695,9 @@ + wsCtx *wsctx; + char *wspath; /* Requests path component */ + #endif ++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD ++ int pipe_notify_client_thread[2]; ++#endif + } rfbClientRec, *rfbClientPtr; + + /**
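Review bot: the debian/changelog hunk for +deb10u2 says only "Regression update" and does not name the regression; for a stable update the entry should state what broke, namely that the +deb10u1 use-after-free patches inserted pipe_notify_client_thread in the middle of rfbClientRec (6.patch moves it back to the end of the struct) so that binaries built against the pre-deb10u1 rfb.h, such as buster's x11vnc, read shifted struct members, and that 4.patch and 5.patch fix the descriptor initialisation and thread-join logic on the shutdown path. Something like "Add use-after-free/{4,5,6}.patch: restore rfbClientRec ABI layout and fix client-thread shutdown (regression from +deb10u1)" would let the release team judge the fix without opening the patches.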
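Review bot: in the debian/patches/series hunk, 6.patch is applied last although its header is dated 6 Jan 2019, before 4.patch (28 May 2019) and 5.patch (11 Jun 2019), and it is the struct-layout change that the other two operate on. The order applies cleanly because 4.patch and 5.patch only reference the member by name, but keeping the upstream commit order (ABI move first) would make the series easier to compare against upstream git on the next cherry-pick.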
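Review bot: in the rfbserver.c hunk of 4.patch, initialising both pipe_notify_client_thread entries to -1 is the right sentinel, but it only prevents closing fd 0 if the teardown code (not in this hunk) either checks for a non-negative descriptor before close() or deliberately relies on close(-1) failing with EBADF; please confirm in rfbClientConnectionGone that nothing else treats the descriptor as valid, since passing -1 to FD_SET() or select() is undefined behaviour rather than a harmless error. The unguarded `write(currentCl->pipe_notify_client_thread[1], "\x00", 1);` in main.c will now also run against -1 whenever no pipe was created and fail with EBADF; that is harmless but its return value is ignored, so a short comment at the initialisation site explaining that -1 is the "no pipe" marker would help the next reader.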
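Review bot: in the main.c hunk of 5.patch, guarding the notify/join with `if(currentCl->screen->backgroundLoop)` fixes the pthread_join on an uninitialised client_thread, but in the LIBVNCSERVER_HAVE_LIBPTHREAD build with backgroundLoop false the client is now neither joined nor handed to rfbClientConnectionGone(), whereas the #else branch does call it. Unless something else on this path frees currentCl, add an `else rfbClientConnectionGone(currentCl);` so the non-threaded mode tears the client down identically whether or not the library was built with pthreads; otherwise the client record and its socket leak at shutdown in exactly the configuration this patch is about.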
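Review bot: the rfb.h hunk of 6.patch restores the offsets of every rfbClientRec member that follows protocolMinorVersion, so binaries compiled against the pre-deb10u1 header (such as buster's x11vnc) see the layout they expect again; this is presumably the actual cause of the crash when vncviewer connects and the changelog should say so. Two caveats remain: sizeof(rfbClientRec) still grows, so any consumer that allocates the struct itself or embeds it in its own structures is still incompatible with a library built from this header, and because the member sits under #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD the tail of the struct now differs between pthread and non-pthread builds in addition to the existing client_thread difference, which matters if any reverse dependency in buster was built against a non-pthread configuration.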