Package: tightvnc / 1:1.3.9-10

Metadata

Package: tightvnc
Version: 1:1.3.9-10
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
fix spelling.patch

Xvnc/lib/font/Type1/t1funcs.c | 2 1 + 1 - 0 !
Xvnc/programs/Xserver/Xvnc.man | 4 2 + 2 - 0 !
vncpasswd/vncpasswd.man | 4 2 + 2 - 0 !
3 files changed, 5 insertions(+), 5 deletions(-)

 fix spelling in various files
20 vncviewer vncviewer.man.patch

vncviewer/vncviewer.man | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 vncviewer/vncviewer.man: fix hyphens
30 ftbfs mips.patch

Xvnc/config/cf/linux.cf | 31 30 + 1 - 0 !
1 file changed, 30 insertions(+), 1 deletion(-)

 [patch] xvnc/config/cf/linux.cf: mips changes
Organization: Private

Signed-off-by: Jari Aalto <jari.aalto@cante.net>

debian changes 1.3.9 6.1.patch

Xvnc/config/cf/Imake.cf | 4 2 + 2 - 0 !
Xvnc/config/cf/Imake.tmpl | 2 1 + 1 - 0 !
Xvnc/config/cf/X11.tmpl | 12 6 + 6 - 0 !
Xvnc/config/cf/svr3.cf | 2 1 + 1 - 0 !
Xvnc/programs/Xserver/Xserver.man | 2 1 + 1 - 0 !
Xvnc/programs/Xserver/Xvnc.man | 2 1 + 1 - 0 !
Xvnc/programs/Xserver/cfb/Imakefile | 5 4 + 1 - 0 !
Xvnc/programs/Xserver/dix/dixfonts.c | 7 4 + 3 - 0 !
Xvnc/programs/Xserver/include/servermd.h | 14 14 + 0 - 0 !
Xvnc/programs/Xserver/os/osinit.c | 2 1 + 1 - 0 !
vncserver | 199 179 + 20 - 0 !
vncserver.man | 25 22 + 3 - 0 !
12 files changed, 236 insertions(+), 40 deletions(-)

 upstream changes introduced in version 1.3.9-6.1
 This patch has been created by dpkg-source during the package build.
 Here's the last changelog entry, hopefully it gives details on why
 those changes were made:
 .
 tightvnc (1.3.9-6.1) unstable; urgency=low
 .
   * Non-maintainer upload.
     - Update to packaging format "3.0 (quilt)".
   * debian/compat
     - Update to 7.
   * debian/control
     - (Build-Depends): Update xutils to xutils-dev (important;
       Closes: #575865). Update to debhelper 7.1. Remove obsolete x-dev.
     - (Depends): Add ${misc:Depends}.
     - (Homepage): New field.
     - (Standards-Version): Update to 3.8.4.
     - (tightvncserver::Depends): Replace obsolete xbase-clients with
       x11-utils and xauth. The needed binaries xdpyinfo and xauth
       are used in Perl program /usr/bin/tightvncserver.
   * debian/copyright
     - Point to GPL-2.
   * debian/patches
     - (10, 20): Add new patches.
     - (30): Convert original MIPS patch to apply to current sources.
     - (tightvnc-ftbfs-mips.patch): Removed. See 30.
   * debian/*.{postrm,prerm}
     - Add "set -e".
     - Fix Lintian maintainer-script-without-set-e.
   * debian/rules
     - (CC): Add. Export variable for xmkmf(1).
     - (DH_COMPAT): Delete; use debian/compat.
     - (install): Correct tightvncpasswd.1x to tightvncpasswd.1.
     - (binary-arch): Remove empty directories.
   * debian/source/format
     - New file.
   * debian/watch
     - New file.
   * debian/tightvncserver.doc-base
     - New file.
   * debian/xtightvncviewer.menu
     - (section): Update obsolete Apps/Net to
       Applications/Network/Communication.
 .
 The person named in the Author field signed this changelog entry.
Bug-Debian: http://bugs.debian.org/575865
aarch64.patch

Xvnc/config/cf/Imake.cf | 4 4 + 0 - 0 !
Xvnc/config/cf/linux.cf | 8 8 + 0 - 0 !
2 files changed, 12 insertions(+)

 add aarch64 (arm64) support
ppc64el.patch

Xvnc/config/cf/Imake.cf | 4 4 + 0 - 0 !
Xvnc/config/cf/linux.cf | 8 7 + 1 - 0 !
Xvnc/include/Xmd.h | 2 1 + 1 - 0 !
Xvnc/lib/Xdmcp/Alloc.c | 2 1 + 1 - 0 !
Xvnc/programs/Xserver/hw/vnc/rfb.h | 1 1 + 0 - 0 !
Xvnc/programs/Xserver/include/misc.h | 6 0 + 6 - 0 !
Xvnc/programs/Xserver/include/servermd.h | 23 23 + 0 - 0 !
7 files changed, 37 insertions(+), 9 deletions(-)

 add ppc64el support
782620 crashfix.patch

Xvnc/config/cf/Imake.tmpl | 3 3 + 0 - 0 !
Xvnc/config/cf/linux.cf | 4 4 + 0 - 0 !
Xvnc/programs/Xserver/cfb/cfb8cppl.c | 2 1 + 1 - 0 !
Xvnc/programs/Xserver/dix/Imakefile | 11 9 + 2 - 0 !
Xvnc/programs/Xserver/dix/ffsl.c | 11 11 + 0 - 0 !
Xvnc/programs/Xserver/hw/vnc/httpd.c | 6 4 + 2 - 0 !
Xvnc/programs/Xserver/mi/mibitblt.c | 4 2 + 2 - 0 !
Xvnc/programs/Xserver/os/WaitFor.c | 8 4 + 4 - 0 !
Xvnc/programs/Xserver/os/connection.c | 11 6 + 5 - 0 !
Xvnc/programs/Xserver/os/io.c | 7 4 + 3 - 0 !
10 files changed, 48 insertions(+), 19 deletions(-)

 crash fix
more arm64 fixes.patch

Xvnc/include/Xmd.h | 2 1 + 1 - 0 !
Xvnc/programs/Xserver/include/servermd.h | 20 20 + 0 - 0 !
2 files changed, 21 insertions(+), 1 deletion(-)


          
CVE 2019 15680.patch

vncviewer/zlib.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

CVE 2019 15681.patch

Xvnc/programs/Xserver/hw/vnc/rfbserver.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] rfbserver: don't leak stack memory to the remote

Thanks go to Pavel Cheremushkin of Kaspersky for reporting.

[sunweaver] Ported to rfbserver.c in tightvnc


CVE 2014 6053.patch

Xvnc/programs/Xserver/hw/vnc/rfbserver.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch] check malloc() return value on client->server clientcuttext
 message. Client can send up to 2**32-1 bytes of text, and such a large
 allocation is likely to fail in case of high memory pressure. This would result
 in a server crash (write at address 0).

[sunweaver] port libvncserver patch over to tightvnc's vnc server code


CVE 2018 7225.patch

Xvnc/programs/Xserver/hw/vnc/rfbserver.c | 21 20 + 1 - 0 !
1 file changed, 20 insertions(+), 1 deletion(-)

 cve-2018-7225

Bug-Debian: https://bugs.debian.org/894045
CVE 2018 20021.patch

vncviewer/rfbproto.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 cve-2018-20021
 CWE-835: Infinite loop vulnerability in VNC client code. The vulnerability allows
 an attacker to consume an excessive amount of resources like CPU and RAM

CVE 2019 8287.patch

vncviewer/corre.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 cve-2019-8287
 (same as CVE-2018-20020/libvncserver)
 heap out-of-bound write vulnerability inside structure in VNC client code that
 can result in remote code execution

CVE 2018 20022.patch

vncviewer/rfbproto.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 cve-2018-20022
 multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC
 client code that allows an attacker to read stack memory and can be abused for
 information disclosure. Combined with another vulnerability, it can be used
 to leak the stack memory layout and to bypass ASLR

CVE 2019 15679.patch

vncviewer/rfbproto.c | 10 4 + 6 - 0 !
1 file changed, 4 insertions(+), 6 deletions(-)

 [patch] libvncclient: fail on server-sent desktop name lengths longer
 than 1MB

re #273

CVE 2019 15678.patch

vncviewer/rfbproto.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 [patch] libvncclient: ignore server-sent cut text longer than 1mb

This is in line with how LibVNCServer does it
(28afb6c537dc82ba04d5f245b15ca7205c6dbb9c) and fixes part of #273.

[sunweaver] Port to tightvnc.


CVE 2019 15678 addon.patch

vncviewer/rfbproto.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [patch] libvncclient: ignore server-sent reason strings longer than
 1MB

Fixes #273

[sunweaver] Extract these few lines from the above referenced patch and port to tightvnc.
            This patch was part of the fix series for CVE-2018-20748/libvncserver


fix deprecated_BSD+SVID option.patch

Xvnc/config/cf/linux.cf | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 replace _BSD_SOURCE and _SVID_SOURCE by _DEFAULT_SOURCE
 Warnings say "_BSD_SOURCE and _SVID_SOURCE are deprecated, use
 _DEFAULT_SOURCE".
ftbfs gcc 10.patch

Xvnc/programs/Xserver/cfb/cfballpriv.c | 4 2 + 2 - 0 !
Xvnc/programs/Xserver/cfb/cfbbitblt.c | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 ensure tightvnc builds with gcc-10
 Apply the measure suggested on https://gcc.gnu.org/gcc-10/porting_to.html.
 For further documentation refer to
 https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html.
Bug-Debian: https://bugs.debian.org/957878
no stipple.patch

Xvnc/programs/Xserver/cfb/Imakefile | 22 0 + 22 - 0 !
1 file changed, 22 deletions(-)

 don't use assembler code
 PIE versus stipmips.s results in a FTBFS.
 .
 stipmips.s is assembler code from 1990,
 such assembler optimizations are no
 longer necessary.