[Bug 1399584] [NEW] Sync libvncserver 0.9.9+dfsg-6.1 (main) from Debian unstable (main)

Launchpad Bug Tracker 1399584 at bugs.launchpad.net
Fri Dec 5 09:42:19 UTC 2014


You have been subscribed to a public bug by LocutusOfBorg (costamagnagianfranco):

Please sync libvncserver 0.9.9+dfsg-6.1 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: denial of service and possible code execution via
    integer overflow and lack of malloc error handling in
    MallocFrameBuffer()
    - debian/patches/CVE-2014-6051-6052.patch: check size and handle
      return code in libvncclient/vncviewer.c, handle return code in
      libvncclient/rfbproto.c.
    - CVE-2014-6051
    - CVE-2014-6052
  * SECURITY UPDATE: denial of service via large ClientCutText message
    - debian/patches/CVE-2014-6053.patch: check malloc result in
      libvncserver/rfbserver.c.
    - CVE-2014-6053
  * SECURITY UPDATE: denial of service via zero scaling factor
    - debian/patches/CVE-2014-6054.patch: prevent zero scaling factor in
      libvncserver/rfbserver.c, check for integer overflow in
      libvncserver/scale.c.
    - CVE-2014-6054
  * SECURITY UPDATE: denial of service and possible code execution via
    stack overflows in File Transfer feature
    - debian/patches/CVE-2014-6055.patch: check sizes in
      libvncserver/rfbserver.c.
    - CVE-2014-6055

Debian fixed them too

Changelog entries since current vivid version 0.9.9+dfsg-6ubuntu1:

libvncserver (0.9.9+dfsg-6.1) unstable; urgency=medium

  * Non-maintainer upload.
  * CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055:
    Multiple issues in libVNCserver -- cherry picking targeted fixes from
    upstream (Closes: #762745)

 -- Tobias Frost <tobi at debian.org>  Sun, 23 Nov 2014 16:19:53 +0100

** Affects: libvncserver (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Sync libvncserver 0.9.9+dfsg-6.1 (main) from Debian unstable (main)
https://bugs.launchpad.net/bugs/1399584