Your message dated Sat, 7 Feb 2009 12:54:47 +0100
with message-id <20090207115447.ga10...@inguza.net>
and subject line Re: Bug#514360: tightvnc: Multiple vulnerabilites in TightVNC
has caused the Debian Bug report #514360,
regarding tightvnc: Multiple vulnerabilites in TightVNC
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
514360: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514360
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tightvnc
Version: 1.3.9-4
Severity: grave
Justification: user security hole
Tags: security
X-Debbugs-CC: t...@security.debian.org
Please see
http://www.heise-online.co.uk/news/Vulnerabilities-in-UltraVNC-and-TightVNC--/112562
for a description. 1.3.9 is affected, while 1.3.10 is fixed. I did not
verify the Debian version to be affected but believe so.

According to the linked advisories this is

Class: Integer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 33568
CVE Name: CVE-2009-0388

Since VNC connections might be used to shield an untrusted system from
a trusted one the remote exploitability is to be taken rather seriously.

I've no idea if UltraVNC is packaged in Debian as well; if so please
clone and reassign this bug to the appropriate package.

Please mention the CVE in your changelog when fixing this bug.
--
Dr. Helge Kreutzmann deb...@helgefjell.de
Dipl.-Phys. http://www.helgefjell.de/debian.php
64bit GNU powered gpg signed mail preferred
Help keep free software "libre": http://www.ffii.de/
--- End Message ---
--- Begin Message ---
Hi
It seems like there is a mistake. The code described is only for the Windows
version.
For the unix version there are even no such files and the functions described
do not exist either.
Therefore I'm closing this bug.
Thanks for the bug report though. It is good to have people watching for
security vulnerabilities.
Best regards,
// Ola
On Fri, Feb 06, 2009 at 10:36:12PM +0100, Nico Golde wrote:
> tags 514360 + patch
> thanks
>
> * Helge Kreutzmann <deb...@helgefjell.de> [2009-02-06 19:07]:
> > Please see
> > http://www.heise-online.co.uk/news/Vulnerabilities-in-UltraVNC-and-TightVNC--/112562
> > for a description. 1.3.9 is affected, while 1.3.10 is fixed. I did not
> > verify the Debian version to be affected but believe so.
> >
> > According to the linked advisories this is
> >
> > Class: Integer overflow
> > Remotely Exploitable: Yes
> > Locally Exploitable: No
> > Bugtraq ID: 33568
> > CVE Name: CVE-2009-0388
> [...]
>
> Upstream patch:
> http://vnc-tight.svn.sourceforge.net/viewvc/vnc-tight?view=rev&revision=3564
>
> Please reference the CVE id in the changelog if you fix
> this.
>
> Cheers
> Nico
> --
> Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
> For security reasons, all text in this mail is double-rot13 encrypted.
--
--------------------- Ola Lundqvist ---------------------------
/ o...@debian.org Annebergsslingan 37 \
| o...@inguza.com 654 65 KARLSTAD |
| http://inguza.com/ +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
--- End Message ---