Format: 1.8
Date: Fri, 20 Dec 2019 16:04:53 +0100
Source: tightvnc
Binary: tightvncserver xtightvncviewer
Architecture: source amd64
Version: 1.3.9-6.5+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description:
 tightvncserver - virtual network computing server software
 xtightvncviewer - virtual network computing client software for X
Changes:
 tightvnc (1.3.9-6.5+deb8u1) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2014-6053: Check malloc() return value on client->server ClientCutText message.
   * CVE-2018-20020: Fix heap out-of-bounds write vulnerability inside structure in VNC client code.
   * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
   * CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
   * CVE-2018-7225: Uninitialized and potentially sensitive data could be accessed by remote attackers because the msg.cct.length in rfbserver.c was not sanitized.
   * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB.
   * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore server-sent reason strings longer than 1MB (see CVE-2018-20748/libvncserver).
   * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name length received before allocating memory for it.
   * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c.
   * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.
   * Cherry-pick 782620-crashfix.patch from newer tightvnc src:pkg. Fixes segfault on amd64 systems when e.g. KDEPIM is being used inside an Xvnc session.