libvncserver (0.9.13+dfsg-2+deb11u1) bullseye; urgency=medium [ Mike Gabriel ] * debian/patches: + Trivially rebase patches 0001 and 0002. + Add 0003-rfb-increase-update-buf-size.patch. Allow larger screen sizes. (Closes: #1010449). [ Thorsten Alteholz ] + CVE-2020-29260: Add CVE-2020-29260.patch. Resolve memory leak in function rfbClientCleanup(). (Closes: #1019228). -- Mike Gabriel Sun, 20 Nov 2022 13:18:12 +0100 libvncserver (0.9.13+dfsg-2) unstable; urgency=medium [ Marco Trevisan (TreviƱo) ] * debian/patches: + Fix crashes when using desktop sharing with gnome-remote-desktop (LP: #1915410; closes: #982940). [ Mike Gabriel ] * debian/patches/series: + White-space cleanup. * debian/control: + Bump Standards-Version: to 4.5.1. No changes needed. * debian/watch: + Switch to format version 4. * debian/copyright: + Amend attributions. The files common/md5.* don't exist anymore. -- Mike Gabriel Sun, 28 Feb 2021 15:37:06 +0100 libvncserver (0.9.13+dfsg-1) unstable; urgency=medium * New upstream release: - CVE-2018-21247: When connecting to a repeater, only send initialised string - CVE-2019-20839: libvncclient: bail out if unix socket name would overflow - CVE-2019-20840: fix crash because of unaligned accesses in hybiReadAndDecode() - CVE-2020-14396: libvncclient/tls_openssl: do not deref a NULL pointer - CVE-2020-14397: libvncserver: add missing NULL pointer checks - CVE-2020-14398: libvncclient: handle half-open TCP connections - CVE-2020-14399: libvncclient: fix pointer aliasing/alignment issue - CVE-2020-14400: libvncserver: fix pointer aliasing/alignment issue - CVE-2020-14401: libvncserver: scale: cast to 64 bit before shifting - CVE-2020-14402: libvncserver: encodings: prevent OOB accesses - CVE-2020-14403: encodings: prevent OOB accesses - CVE-2020-14404: libvncserver: encodings: prevent OOB accesses - CVE-2020-14405: libvncclient/rfbproto: limit max textchat size * debian/patches: + Drop all patches. All applied upstream. + Add README file explaining on our patch naming scheme. * debian/*.symbols: + Update symbols. * debian/control: + Bump DH compat level to version 13. -- Mike Gabriel Mon, 29 Jun 2020 14:44:43 +0200 libvncserver (0.9.12+dfsg-9) unstable; urgency=medium * Bump Standards-Version: to 4.5.0. No changes needed. * debian/patches: + Add CVE-2019-15690/0001-heap-buffer-overflow.patch. (Closes: #954163). -- Antoni Villalonga Sat, 21 Mar 2020 12:51:24 +0100 libvncserver (0.9.12+dfsg-8) unstable; urgency=medium * debian/changelog: + Typo fix in previous upload stanza. * debian/patches: + Add 0005_LibVNCCient-fix-regression-in-tight-raw-decoding.patch. LibVNCClient: Fix regression in Tight/Raw decoding. (Closes: #950330). -- Mike Gabriel Sat, 01 Feb 2020 23:05:21 +0100 libvncserver (0.9.12+dfsg-7) unstable; urgency=medium * debian/patches: + Add 0003_rfbserver-dont-close-fd-0-accidentally.patch and 0004_avoid-pthread-join-if-backgroundLoop-is-FALSE.patch. Follow-up fixes for concurrency issue during client closure between client and clientOutput thread. (See #905786). -- Mike Gabriel Wed, 08 Jan 2020 10:36:05 +0100 libvncserver (0.9.12+dfsg-6) unstable; urgency=medium [ Sebastien Bacher ] * debian/tests: + Use the correct compiler for proposed autopkgtest cross-testing support. (Closes: #946615). [ Mike Gabriel ] * debian/patches: + Add 0002_fix-crash-because-of-unaligned-accesses-in-hybiReadAndDecode.patch. Fix FTBFS on sparc64 architecture. (Closes: #947808). -- Mike Gabriel Thu, 02 Jan 2020 15:04:42 +0100 libvncserver (0.9.12+dfsg-5) unstable; urgency=medium [ Mike Gabriel ] * debian/control: + Add Ds (libvncserver-dev): libgcrypt20-dev, liblzo2-dev and libsasl2-dev. (As found under B-D). (Closes: #946865). * debian/tests/control: + White-space cleanup. [ Antoni Villalonga ] * Add debian/.gitlab.yml salsa tests. [ Sebastien Bacher ] * debian/control: + Use the correct team name in the Vcs references -- Mike Gabriel Wed, 18 Dec 2019 09:51:48 +0100 libvncserver (0.9.12+dfsg-4) unstable; urgency=medium [ Antoni Villalonga ] * debian/control: + Remove obsolete D (libvncserver-dev): libvncserver-config. (Closes: #946598). -- Mike Gabriel Wed, 11 Dec 2019 21:58:16 +0100 libvncserver (0.9.12+dfsg-3) unstable; urgency=medium * Re-upload to unstable as-is. -- Mike Gabriel Wed, 11 Dec 2019 08:02:19 +0100 libvncserver (0.9.12+dfsg-2) experimental; urgency=medium * debian/changelog: + Weave-in NMU changelog stanzas from previous security uploads (0.9.11+dfsg-1.1 through to 0.9.11+dfsg-1.3). * debian/patches: + Use subdirs for CVE issues. + Re-add erroneously removed patch/fix for CVE-2018-20750. + Rebase patch/fix for CVE-2019-15681. -- Mike Gabriel Fri, 29 Nov 2019 09:50:45 +0100 libvncserver (0.9.12+dfsg-1) experimental; urgency=medium * New upstream release to experimental. (Closes: #918777). * debian/{control,compat}: + Switch to debhelper-compat notation. Bump DH compat level to version 12. * debian/control: + Bump Standards-Version: to 4.4.1. No changes needed. + Add Rules-Requires-Root: field and set it to "no". + Move package maintenance to Debian Remote Maintainers team, after personal communication with Peter Spiess-Knafl. Thanks for all previous contributions. Also, make myself uploader. + Update Vcs-*: fields. Packaging VCS has been moved over to salsa.debian.org. + Update B-Ds; Use cmake for building this package from now on. Autotools support has been dropped by upstream. + Add B-D: liblzo2-dev. Avoid building embedded miniLZO implementation. + Add B-D: libsasl2-dev. * debian/patches: + Drop all previous added CVE security fixes. All applied upstream. + Drop 0001-ignore_webclients.patch. No automake support available in upstream sources anymore. + Drop remove-libpng.patch. Not required anymore since cmake build switch. + Add 0001_cmake-multiarch-support.patch. Fix install_targets, so that they install to multi-arch libdir. + CVE-2019-15681: Add CVE-2019-15681.patch. rfbserver: don't leak stack memory to the remote. (Closes: #943793). * debian/rules: + Add get-orig-source target for maintainers' convenience. + Fully switch to cmake based build. Make sure WITH_PNG gets disabled. + Enable all hardening flags. * debian/{control,libvncserver-config.*}: + Drop bin:pkg libvncserver-config. Replace by pkgconfig .pc files. * debian/libvnc*.symbols: + Update symbols files. + Add *Build-Depends-Package: meta-data fields. * debian/libvncserver-dev.install: + Drop *.a files. No built by cmake based build implementation anymore. * debian/{control,rules}: + Drop dbg:pkgs, start a very late dbgsym migration. * debian/source/lintian-overrides: + Override debug-symbol-migration-possibly-complete. It will be in bullseye+1. * debian/copyright: + Use secure URL in Format: field. * debian/libvncserver-dev.examples: + Install examples/ folder into dev:pkg. * debian/{changelog,control,copyright}: + Strip white-spaces off at EOLs. * debian/tests/smoketest-libvnc*: + Stop using $ADDTMP, replace by $AUTOPKGTEST_TMP. * debian/upstream/metadata: + Add DEP-12 compliant metadata file -- Mike Gabriel Thu, 28 Nov 2019 23:43:20 +0100 libvncserver (0.9.11+dfsg-1.3) unstable; urgency=medium * Non-maintainer upload. * LibVNCClient: ignore server-sent cut text longer than 1MB (CVE-2018-20748) (Closes: #920941) * LibVNCClient: ignore server-sent reason strings longer than 1MB (CVE-2018-20748) (Closes: #920941) * LibVNCClient: fail on server-sent desktop name lengths longer than 1MB (CVE-2018-20748) (Closes: #920941) * LibVNCClient: remove now-useless cast (CVE-2018-20748) (Closes: #920941) * Error out in rfbProcessFileTransferReadBuffer if length can not be allocated (CVE-2018-20749) (Closes: #920941) * Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer() (CVE-2018-20750) (Closes: #920941) -- Salvatore Bonaccorso Wed, 30 Jan 2019 22:39:15 +0100 libvncserver (0.9.11+dfsg-1.2) unstable; urgency=high * Non-maintainer upload. * Fix multiple security vulnerabilities (Closes: #916941) - Use-after-free in file transfer extension allows for potential code execution (CVE-2018-15126) - Heap out-of-bounds write in rfbserver.c:rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) - Multiple heap out-of-bound writes in VNC client code (CVE-2018-20019) - Heap out-of-bound write inside structure in VNC client code allows for potential code execution (CVE-2018-20020) - Infinite loop in VNC client code allows for denial of service (CVE-2018-20021) - Improper initialization in VNC client code allows for information disclosure (CVE-2018-20022) - Improper initialization in VNC Repeater client code allows for information disclosure (CVE-2018-20023) - NULL pointer dereference in VNC client code allows for denial of service (CVE-2018-20024) - Use-after-free in file transfer extension server code allows for potential code execution (CVE-2018-6307) * Update symbols file for libvncserver1. The fix for CVE-2018-15126 removes CloseUndoneFileTransfer and introduces new CloseUndoneFileDownload and CloseUndoneFileUpload. -- Salvatore Bonaccorso Wed, 02 Jan 2019 16:26:53 +0100 libvncserver (0.9.11+dfsg-1.1) unstable; urgency=high * Non-maintainer upload. * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be accessed by remote attackers because the msg.cct.length in rfbserver.c was not sanitized. (Closes: #894045) -- Markus Koschany Tue, 05 Jun 2018 14:43:47 +0200 libvncserver (0.9.11+dfsg-1) unstable; urgency=high * New upstream release, containing security fixes for - CVE-2016-9941 - CVE-2016-9942 * Remove upstream applied patches -- Peter Spiess-Knafl Tue, 03 Jan 2017 11:50:27 +0100 libvncserver (0.9.10+dfsg-3) unstable; urgency=medium * Avoid regeneration of rfbint.h and rfbconfig.h (Closes: #786822) -- Peter Spiess-Knafl Tue, 26 May 2015 00:12:15 +0200 libvncserver (0.9.10+dfsg-2) unstable; urgency=medium * Changed maintainer email. * Upload to unstable. -- Peter Spiess-Knafl Sun, 24 May 2015 10:22:09 +0200 libvncserver (0.9.10+dfsg-1) experimental; urgency=medium * New Maintainer (Closes: #755299) * New upstream version (Closes: #766335) - Set opcode correctly for binary frames (Closes: #766257) * Split out linuxvnc into new source package (vncterm) * Removed upstream applied patches * Bugfix in watchfile (Closes: #776162) * Fix in short description (Closes: #758754) * Replaced non-free sha1 implementations in common/sha1.* * Added patch for libgcrypt init before use (Closes: #782570) * Bump SONAME 0 -> 1 -- Peter Spiess-Knafl Fri, 30 Jan 2015 16:09:03 +0000 libvncserver (0.9.9+dfsg-6.1) unstable; urgency=medium * Non-maintainer upload. * CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055: Multiple issues in libVNCserver -- cherry picking targeted fixed from upstream (Closes: #762745) -- Tobias Frost Sun, 23 Nov 2014 16:19:53 +0100 libvncserver (0.9.9+dfsg-6) unstable; urgency=medium [ Luca Falavigna ] * debian/patches/pkgconfig.patch: - Use Libs.private to avoid unnecessary linkage (Closes: #747539). * debian/tests/*: - Provide a simple test to check whether the package is functional as per DEP8 (autopkgtests). * debian/control: - (Build-)depends on libgnutls28-dev and libgcrypt20-dev instead of libgnutls-dev and libgcrypt11-dev (Closes: #753126). - Point Homepage field to the new home page. * debian/copyright: - Point Source field to the new download location. * debian/watch: - Point to GitHub. [ Gianfranco Costamagna ] * Drop the libpng12-dev build conflict, relying instead on a better --without-png configure flag [ Matthias Klose ] * debian/patches/ppc64el.patch - Patch acinclude.m4 for ppc64el (Closes: #756809). -- Luca Falavigna Tue, 12 Aug 2014 16:02:26 +0200 libvncserver (0.9.9+dfsg-5) unstable; urgency=medium * debian/patches/listenSock.patch: - Cherry-pick patch from upstream to fix a segfault on listenSock and listen6Sock, thanks to Shaddy Baddah (Closes: #746260). * debian/control: - Build-depends on libgcrypt11-dev, thanks to Andreas Metzler for the bug report (Closes: #745954). -- Luca Falavigna Thu, 01 May 2014 10:20:21 +0200 libvncserver (0.9.9+dfsg-4) unstable; urgency=medium * debian/copyright: - Document missing copyright information (Closes: #734849). -- Luca Falavigna Mon, 20 Jan 2014 16:35:02 +0100 libvncserver (0.9.9+dfsg-3) unstable; urgency=medium * Provide libvncclient in a separate binary package (Closes: #620322). * debian/control: - Drop obsolete Breaks/Replaces fields in libvncserver-config. * debian/libvncclient0.symbols, debian/libvncserver0.symbols: - Provide symbol files for both libraries. * debian/libvncserver-config.docs: - Install documentation in libvncserver-config. -- Luca Falavigna Thu, 09 Jan 2014 09:25:22 +0100 libvncserver (0.9.9+dfsg-2) unstable; urgency=medium [ Luca Falavigna ] * debian/patches/format_string.patch: - Use format string argument in gtkvncviewer (Closes: #711805). * debian/control: - Add Build-Conflicts on libpng12-0 and libpng12-dev (Closes: #725480). - Bump Standards-Version to 3.9.5. - Use canonic URIs for the Vcs-* fields. * debian/clean: - Remove files created at build time. * debian/rules: - Enable verbose build log. [ Prach Pongpanich ] * debian/patches/multiarch.patch: - Avoid regenerating header files at build time (Closes: #671790). -- Luca Falavigna Thu, 02 Jan 2014 12:17:18 +0100 libvncserver (0.9.9+dfsg-1) unstable; urgency=low * New upstream release. * Patches refreshed for the new upstream version. * Multi-arch support (Closes: #664883). * debian/patches/format_string.patch: - Use format string argument with fprintf. * debian/patches/02_linux_test.patch: - Removed, applied upstream. * debian/patches/04_rename_linuxvnc.patch: - Removed, applied upstream. * debian/patches/05_GnuTLS.patch: - Removed, applied upstream. * debian/compat: - Bump compatibility level to 9. * debian/control: - Add libvncserver-config binary package, needed for Multi-arch. - Bump Standards-Version to 3.9.3. * debian/copyright: - Convert to DEP5 format. * debian/libvncserver-config.1: - Fix hyphen-used-as-minus-sign lintian warning. * debian/rules: - Implement a get-orig-source target to get rid of webclients directory, which contains Java classes without sources. * debian/watch: - Mangle "+dfsg" prefix from version number. -- Luca Falavigna Sat, 05 May 2012 23:45:15 +0200 libvncserver (0.9.8.2-2) unstable; urgency=low * debian/*.1: - Refresh man pages to consider new parameters (Closes: #518617). * debian/libvncserver-dev.install: - Install libvncserver.pc and libvncclient files (Closes: #649481). -- Luca Falavigna Thu, 08 Dec 2011 11:55:19 +0100 libvncserver (0.9.8.2-1) unstable; urgency=low * New upstream bugfix release. - Fix a regression in libvncclient with Apple Remote Desktop support that prevented viewers to connect to ARD servers (Closes: #644455). -- Luca Falavigna Wed, 09 Nov 2011 23:31:28 +0100 libvncserver (0.9.8.1-1) unstable; urgency=low * New upstream bugfix release. - Fix ABI break (Closes: #644455). * debian/compat: - Bump compatibility to 8. * debian/control: - Adopting package. - Add Vcs-* fields. - Build-depend on dh-autoreconf instead of automake and libtool. - Add libgnutls-dev to libvncserver-dev dependencies. * debian/not-installed: - Not needed, removed. * debian/rules: - Build with autoreconf support. -- Luca Falavigna Wed, 12 Oct 2011 19:59:26 +0200 libvncserver (0.9.8-2) unstable; urgency=low * QA upload. * debian/control: - Build-depend on libgnutls-dev for GNUTLS support. -- Luca Falavigna Sun, 02 Oct 2011 14:27:56 +0200 libvncserver (0.9.8-1) unstable; urgency=low * QA upload. * New upstream release (Closes: #621705). - Fix segfault launching "linuxvnc 1 -help" (Closes: #399501). - Close socket when connection ends (Closes: #525226). - Fix no input caused by stucked CTRL key (Closes: #555988). * debian/patches/*: - Refresh patches for new upstream release. * debian/patches/05_GnuTLS.patch: - Backport patch from upstream repository to drop deprecated GnuTLS functions (gnutls_*_set_priority -> gnutls_priority_set_direct). * debian/control: - Build-depend on pkg-config. - Remove duplicate section field for libvncserver0 binary. - Bump Standards-Version to 3.9.2. * debian/libvncserver-config.1: - Use minus signs instead of hypens. * debian/README.source: - Dropped, no longer needed. * debian/watch: - Provide watch file. -- Luca Falavigna Sun, 02 Oct 2011 02:54:05 +0200 libvncserver (0.9.7-3) unstable; urgency=low * QA upload * Change (build-)depdendencies on libjpeg62-dev to libjpeg-dev (closes: #629976). * Migrate to source format 3.0 (quilt): - add debian/source/format - remove build-dependency on quilt - debian/rules: drop --with-quilt from dh invocation * debian/rules, clean target: also remove generated file _configs.sed -- Ralf Treinen Fri, 10 Jun 2011 19:39:44 +0200 libvncserver (0.9.7-2) unstable; urgency=low * QA upload. * Don't build linuxvnc on non-linux architectures (Closes: #542592). * Add a debian/README.source. -- Aurelien Jarno Sun, 30 Aug 2009 17:15:14 +0200 libvncserver (0.9.7-1) unstable; urgency=low * QA upload. * New upstream release (Closes: #529010): - x11vnc is removed upstream from libvncserver sources. Now, it is released separately. * Added patches: - 03_no_x11vnc_subdir.patch Remove x11vnc remaining occurrences from the build system. - 04_rename_linuxvnc.patch Rename LinuxVNC to linuxvnc. * Bumped debian/compat from 5 to 7. * Updated debian/control: - Cleanuped build dependencies. - Switched to quilt patch system. - Added Homepage field. - Added libjpeg62-dev and zlib1g-dev dependencies to libvncserver-dev. (Closes: #515029) - Added priority extra and section debug to libvncserver0-dbg. - Removed x11vnc package. * Added debian/not-installed: - *.la files are not installed anymore in libvncserver-dev. * Switched debian/rules from cdbs to dh usage. -- Fathi Boudra Fri, 07 Aug 2009 15:45:36 +0200 libvncserver (0.9.3.dfsg.1-2) unstable; urgency=low * QA upload. * Drop useless build-depends on linux-libc-dev. -- Aurelien Jarno Wed, 13 May 2009 20:11:07 +0200 libvncserver (0.9.3.dfsg.1-1) unstable; urgency=low * QA upload. * New upstream release. (Closes: #448942) - CVS tag X11VNC_REL_0_9_3 * Switched rules to CDBS. * Bumped compat to 5. * Bumped Standards-Version to 3.7.2 * Enabled shared libraries. (Closes: #373298) * Dropped vncommand, since it isn't installed by make install. - All hate-mail should be sent to debian@pusling.com * Added debug package. * Removed the classes/ dir, there are no sources for the jar files. - Appended .dfsg.1 to source version. - Added patch 01_ignore_classes to allow building without classes/ dir. * Added patch 02_linux_test to look for /usr/include/linux instead of /dev/vcsa -- Matthew Rosewarne Mon, 05 Nov 2007 03:22:20 -0500 libvncserver (0.8.2-2) unstable; urgency=low * Orphaning package -- Ludovic Drolez Wed, 25 Apr 2007 12:00:32 +0200 libvncserver (0.8.2-1) unstable; urgency=high * New upstream release. Closes: #373808 * This new release fixes a security bug which might be present in the previous release of the package. Closes: #376824 * urgency=high because a probable security bug was fixed. -- Ludovic Drolez Mon, 17 Jul 2006 20:43:38 +0200 libvncserver (0.7.1-5) unstable; urgency=high * Re-upload with urgency=high because the package in testing is unusable -- Ludovic Drolez Thu, 12 Jan 2006 15:30:00 +0100 libvncserver (0.7.1-4) unstable; urgency=low * Put x11vnc 0.7.3 sources in their own directory. Closes: #333880 * Updated build-depends. Closes: #347019 -- Ludovic Drolez Mon, 9 Jan 2006 23:13:15 +0100 libvncserver (0.7.1-3) unstable; urgency=low * Added x11vnc 0.7.3 sources. Closes: #328943 * Added the x11vnc FAQ which is in the README. Closes: #325479 * Added build dependencies on libxdamage-dev, libfixes-dev, libxrandr-dev -- Ludovic Drolez Wed, 28 Sep 2005 19:00:05 +0200 libvncserver (0.7.1-2) unstable; urgency=low * Removed the /dev/vcsa1 test to fix the pbuilder bug. Closes: #322643 * new vncommand package: allows you to attach a VNC server to any command -- Ludovic Drolez Fri, 26 Aug 2005 18:02:16 +0200 libvncserver (0.7.1-1) unstable; urgency=low * New upstream release. Closes: #309385 -- Ludovic Drolez Fri, 25 Mar 2005 20:48:38 +0100 libvncserver (0.7-1) unstable; urgency=low * New upstream release * New upstream x11vnc man page. Closes: Bug#277510 -- Ludovic Drolez Mon, 31 Jan 2005 23:06:17 +0100 libvncserver (0.6-3) unstable; urgency=low * Added the latest x11vnc.c (0.6.1) which has the -scale option. * Added the scale option in the manual. -- Ludovic Drolez Fri, 16 Jul 2004 16:26:09 +0200 libvncserver (0.6-2) unstable; urgency=low * Added the latest x11vnc.c from the CVS. Closes: Bug#246205 -- Ludovic Drolez Thu, 29 Apr 2004 22:09:53 +0200 libvncserver (0.6-1) unstable; urgency=low * Initial Release. * Integrated the last release of x11vnc. -- Ludovic Drolez Wed, 10 Mar 2004 23:42:26 +0100