Your message dated Thu, 29 Dec 2016 19:49:59 +0000
with message-id <e1cmgi7-0005lb...@fasolo.debian.org>
and subject line Bug#849479: fixed in tigervnc 1.7.0-1
has caused the Debian Bug report #849479,
regarding tigervnc: CVE-2014-8240: integer overflow flaw, leading to a 
heap-based buffer overflow in screen size handling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
849479: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849479
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tigervnc
Version: 1.6.0+dfsg-4
Severity: grave
Tags: security patch upstream
Justification: user security hole

Hi,

the following vulnerability was published for tigervnc.

CVE-2014-8240[0]:
| Integer overflow in TigerVNC allows remote VNC servers to cause a
| denial of service (crash) and possibly execute arbitrary code via
| vectors related to screen size handling, which triggers a heap-based
| buffer overflow, a similar issue to CVE-2014-6051.

More details are in the Red Hat bug[1] which includes a patch[2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8240
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8240
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1151307
[2] https://bugzilla.redhat.com/attachment.cgi?id=947578

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: tigervnc
Source-Version: 1.7.0-1

We believe that the bug you reported is fixed in the latest version of
tigervnc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ola Lundqvist <o...@debian.org> (supplier of updated tigervnc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 28 Nov 2016 23:20:20 +0100
Source: tigervnc
Binary: tigervnc-common tigervnc-scraping-server tigervnc-standalone-server tigervnc-xorg-extension tigervnc-viewer
Architecture: source amd64
Version: 1.7.0-1
Distribution: unstable
Urgency: high
Maintainer: TigerVNC Packaging Team <pkg-tigervnc-de...@lists.alioth.debian.org>
Changed-By: Ola Lundqvist <o...@debian.org>
Description:
 tigervnc-common - Virtual network computing; Common software needed by servers
 tigervnc-scraping-server - VNC server uses screen scraping of an already running X server
 tigervnc-standalone-server - Standalone VNC server
 tigervnc-viewer - Virtual network computing client software for X
 tigervnc-xorg-extension - X server vnc extension
Closes: 843543 849479
Changes:
 tigervnc (1.7.0-1) unstable; urgency=high
 .
   * Fresh upstream that helps to solve #843543.
    - Modified a special patch for VeNCrypt support as all parts that made
      sense are already in there.
    - Removed a few patches that are already applied upstream.
    - Did quilt refresh on a few more.
   * Correction to make it build against xorg source 1.19. Closes: #843543.
   * Security correction for CVE-2014-8240 that corrects an integer overflow
     flaw, leading to a heap-based buffer overflow in screen size handling.
     Closes: #849479.


--- End Message ---