Your message dated Tue, 12 Jun 2018 19:33:49 +0000
with message-id <e1fsp37-000ct5...@fasolo.debian.org>
and subject line Bug#894045: fixed in libvncserver 0.9.9+dfsg2-6.1+deb8u3
has caused the Debian Bug report #894045,
regarding libvncserver: CVE-2018-7225
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
894045: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894045
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libvncserver
Version: 0.9.11+dfsg-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/LibVNC/libvncserver/issues/218

Hi,

the following vulnerability was published for libvncserver.

CVE-2018-7225[0]:
| An issue was discovered in LibVNCServer through 0.9.11.
| rfbProcessClientNormalMessage() in rfbserver.c does not sanitize
| msg.cct.length, leading to access to uninitialized and potentially
| sensitive data or possibly unspecified other impact (e.g., an integer
| overflow) via specially crafted VNC packets.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7225
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7225
[1] https://github.com/LibVNC/libvncserver/issues/218

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
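
The class of check the CVE text calls for, shown on the RFB ClientCutText layout (type 6, three padding bytes, 4-byte big-endian length, then the text). This is an added example, not libvncserver's code or the Debian patch; the function names, status codes and the 1 MiB cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CUT_TEXT_HDR 8u            /* type(1) + padding(3) + length(4) */
#define MAX_CUT_TEXT (1u << 20)    /* assumed 1 MiB policy cap for this example */

enum cut_status { CUT_OK = 0, CUT_SHORT = -1, CUT_BAD_TYPE = -2,
                  CUT_TOO_LONG = -3, CUT_NOMEM = -4 };

/* Parse one ClientCutText message from buf[0..avail). On CUT_OK, *out is a
 * NUL-terminated heap copy of the text (caller frees), *out_len its length. */
static int parse_cut_text(const uint8_t *buf, size_t avail,
                          char **out, uint32_t *out_len)
{
    *out = NULL; *out_len = 0;
    if (avail < CUT_TEXT_HDR) return CUT_SHORT;
    if (buf[0] != 6) return CUT_BAD_TYPE;
    /* The length is big-endian on the wire and fully client-controlled. */
    uint32_t len = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                   ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    /* Cap first: 0xFFFFFFFF is rejected before any len + 1 arithmetic. */
    if (len > MAX_CUT_TEXT) return CUT_TOO_LONG;
    /* Never copy out more bytes than the peer actually sent. */
    if (len > avail - CUT_TEXT_HDR) return CUT_SHORT;
    /* calloc zero-fills, so no stale heap contents can reach the caller. */
    char *text = calloc((size_t)len + 1, 1);
    if (!text) return CUT_NOMEM;
    if (len) memcpy(text, buf + CUT_TEXT_HDR, len);
    *out = text; *out_len = len;
    return CUT_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t MSG_OK[]   = {6,0,0,0, 0,0,0,5, 'h','e','l','l','o'};
static const uint8_t MSG_HUGE[] = {6,0,0,0, 0xFF,0xFF,0xFF,0xFF};
static const uint8_t MSG_LIES[] = {6,0,0,0, 0,0,0,64, 'h','i'}; /* claims 64, sends 2 */

/* Returns the text length on success, otherwise the negative status code. */
static int check(const uint8_t *msg, size_t n)
{
    char *text; uint32_t len;
    int rc = parse_cut_text(msg, n, &text, &len);
    free(text);
    return rc == CUT_OK ? (int)len : rc;
}

int main(void) { return check(MSG_OK, sizeof MSG_OK) == 5 ? 0 : 1; }
```
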
--- Begin Message ---
Source: libvncserver
Source-Version: 0.9.9+dfsg2-6.1+deb8u3

We believe that the bug you reported is fixed in the latest version of
libvncserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libvncserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 Jun 2018 14:05:57 +0200
Source: libvncserver
Binary: libvncclient0 libvncserver0 libvncserver-dev libvncserver-config libvncclient0-dbg libvncserver0-dbg linuxvnc
Architecture: source amd64
Version: 0.9.9+dfsg2-6.1+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Peter Spiess-Knafl <d...@spiessknafl.at>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libvncclient0 - API to write one's own vnc server - client library
 libvncclient0-dbg - debugging symbols for libvncclient
 libvncserver-config - API to write one's own vnc server - library utility
 libvncserver-dev - API to write one's own vnc server - development files
 libvncserver0 - API to write one's own vnc server
 libvncserver0-dbg - debugging symbols for libvncserver
 linuxvnc   - VNC server to allow remote access to a tty
Closes: 894045
Changes:
 libvncserver (0.9.9+dfsg2-6.1+deb8u3) jessie-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be
     accessed by remote attackers because the msg.cct.length in rfbserver.c was
     not sanitized. (Closes: #894045)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
