Your message dated Tue, 12 Jun 2018 22:03:58 +0000
with message-id <e1fsroq-0008zp...@fasolo.debian.org>
and subject line Bug#894045: fixed in libvncserver 0.9.11+dfsg-1+deb9u1
has caused the Debian Bug report #894045,
regarding libvncserver: CVE-2018-7225
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
894045: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894045
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libvncserver
Version: 0.9.11+dfsg-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/LibVNC/libvncserver/issues/218

Hi,

the following vulnerability was published for libvncserver.

CVE-2018-7225[0]:
| An issue was discovered in LibVNCServer through 0.9.11.
| rfbProcessClientNormalMessage() in rfbserver.c does not sanitize
| msg.cct.length, leading to access to uninitialized and potentially
| sensitive data or possibly unspecified other impact (e.g., an integer
| overflow) via specially crafted VNC packets.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7225
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7225
[1] https://github.com/LibVNC/libvncserver/issues/218

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
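
Added example, not part of the original report and not libvncserver's own code: a C sketch of the length sanitization that the CVE description says was missing for `msg.cct.length`, applied to an RFB ClientCutText message (3 padding bytes, a big-endian 32-bit length, then the text). The names `parse_cut_text` and `MAX_CUT_TEXT_LEN`, the 1 MiB cap, and parsing from an in-memory buffer rather than a socket are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for this example; the page does not state one. */
#define MAX_CUT_TEXT_LEN (1u << 20)
#define CUT_TEXT_HDR 7 /* 3 padding bytes + 4-byte big-endian length */

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* buf holds the bytes that follow the ClientCutText message-type byte.
 * On success returns 0 and stores a NUL-terminated copy of the text in *out
 * (caller frees); on any malformed or oversized input returns -1. */
int parse_cut_text(const unsigned char *buf, size_t buflen,
                   char **out, uint32_t *outlen)
{
    *out = NULL;
    *outlen = 0;
    if (buflen < CUT_TEXT_HDR)
        return -1;                      /* truncated header */
    uint32_t len = read_be32(buf + 3);
    if (len > MAX_CUT_TEXT_LEN)
        return -1;                      /* client-chosen length is out of range */
    if (len > buflen - CUT_TEXT_HDR)
        return -1;                      /* claims more text than was received */
    /* calloc zero-fills, so no stale heap bytes can reach later consumers;
     * len + 1 cannot wrap because len was capped above. */
    char *text = calloc((size_t)len + 1, 1);
    if (text == NULL)
        return -1;
    memcpy(text, buf + CUT_TEXT_HDR, len);
    *out = text;
    *outlen = len;
    return 0;
}

int main(void)
{
    /* Constructed sample: header declares 0xFFFFFFFF bytes, none follow. */
    const unsigned char huge[] = {0, 0, 0, 0xff, 0xff, 0xff, 0xff};
    char *text;
    uint32_t n;
    printf("oversized length -> %d\n", parse_cut_text(huge, sizeof huge, &text, &n));
    return 0;
}
```
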
--- Begin Message ---
Source: libvncserver
Source-Version: 0.9.11+dfsg-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
libvncserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libvncserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 Jun 2018 14:43:47 +0200
Source: libvncserver
Binary: libvncclient1 libvncserver1 libvncserver-dev libvncserver-config libvncclient1-dbg libvncserver1-dbg
Architecture: source amd64
Version: 0.9.11+dfsg-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Peter Spiess-Knafl <d...@spiessknafl.at>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libvncclient1 - API to write one's own VNC server - client library
 libvncclient1-dbg - debugging symbols for libvncclient
 libvncserver-config - API to write one's own VNC server - library utility
 libvncserver-dev - API to write one's own VNC server - development files
 libvncserver1 - API to write one's own VNC server
 libvncserver1-dbg - debugging symbols for libvncserver
Closes: 894045
Changes:
 libvncserver (0.9.11+dfsg-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be
     accessed by remote attackers because the msg.cct.length in rfbserver.c was
     not sanitized. (Closes: #894045)


--- End Message ---
