
Bug#946824: marked as done (stretch-pu: package libvncserver/0.9.11+dfsg-1.3~deb9u2)



Your message dated Sat, 08 Feb 2020 14:23:35 +0000
with message-id <a894a0233c2d264936953d7a69507573c4a5742a.camel@adam-barratt.org.uk>
and subject line Closing bugs included in 9.12
has caused the Debian Bug report #946824,
regarding stretch-pu: package libvncserver/0.9.11+dfsg-1.3~deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
946824: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946824
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu


Dear Release Team,

I have just uploaded 0.99.11+dfsg-1.3~deb9u2 of src:libvncserver, bringing the
following changes to stretch:

+  * CVE-2019-15681: rfbserver: don't leak stack memory to the remote. (Closes:
+    #943793).

Declared a <no-dsa> issue by the secteam.

+  * debian/patches:
+    + Trivial patch rebasing.
+    + Add 3 use-after-free patches. Resolve a freeze during connection closure and a
+      segmentation fault on multi-threaded VNC servers. (Closes: #905786).

Resolves freezes during connection closure. Cherry-picked from upstream.

+    + Add 0002-set-true-color-flag-to-1.patch. Fix connecting to VMware servers.
+      (Closes: #880531).

Resolves connecting to VMware servers.

Unfortunately, the two bug submitters of #880531 and #905786 were
unavailable for confirming their issues being fixed with the new version
of libvncserver. Neither was I presented with a test recipe for verifying
the bugs being fixed for buster myself.

Please note that this version for stretch is nearly identical with a just
uploaded similar update version for buster. (See: #946822).

Greets,
Mike

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/changelog	2019-12-16 11:08:42.000000000 +0100
@@ -1,3 +1,17 @@
+libvncserver (0.9.11+dfsg-1.3~deb9u2) stretch; urgency=medium
+
+  * CVE-2019-15681:
+    + rfbserver: don't leak stack memory to the remote. (Closes: #943793).
+  * debian/patches:
+    + Trivial patch rebasing.
+    + Add 3 use-after-free patches. Resolve a freeze during connection
+      closure and a segmentation fault on multi-threaded VNC servers. (Closes:
+      #905786).
+    + Add 0002-set-true-color-flag-to-1.patch. Fix connecting to VMware servers.
+      (Closes: #880531).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Mon, 16 Dec 2019 11:08:42 +0100
+
 libvncserver (0.9.11+dfsg-1.3~deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
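
Review bot: the "Add 3 use-after-free patches" item in the new changelog entry names neither the patch files nor the upstream commits they were cherry-picked from, so the release team cannot map the entry to a reviewable change. List `use-after-free/1.patch` to `use-after-free/3.patch` with their upstream commit ids, and say which of the three resolves the freeze and which resolves the segmentation fault that #905786 is closed for.
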
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/0001-ignore_webclients.patch libvncserver-0.9.11+dfsg/debian/patches/0001-ignore_webclients.patch
--- libvncserver-0.9.11+dfsg/debian/patches/0001-ignore_webclients.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/0001-ignore_webclients.patch	2019-12-16 10:57:16.000000000 +0100
@@ -21,7 +21,7 @@
  bin_SCRIPTS = libvncserver-config
 --- a/configure.ac
 +++ b/configure.ac
-@@ -594,9 +594,6 @@
+@@ -583,9 +583,6 @@
  	libvncserver/Makefile
  	examples/Makefile
  	examples/android/Makefile
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/0002-set-true-color-flag-to-1.patch libvncserver-0.9.11+dfsg/debian/patches/0002-set-true-color-flag-to-1.patch
--- libvncserver-0.9.11+dfsg/debian/patches/0002-set-true-color-flag-to-1.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/0002-set-true-color-flag-to-1.patch	2019-12-16 11:08:18.000000000 +0100
@@ -0,0 +1,20 @@
+From 7c54f07ca55046c6f9b5859c44781a1f22002982 Mon Sep 17 00:00:00 2001
+From: dborth <dborth@gmail.com>
+Date: Mon, 3 Apr 2017 09:43:44 -0600
+Subject: [PATCH] Issue #141: Set trueColour flag to 1 instead of 255
+
+---
+ libvncclient/vncviewer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/libvncclient/vncviewer.c
++++ b/libvncclient/vncviewer.c
+@@ -161,7 +161,7 @@
+   client->format.depth = bitsPerSample*samplesPerPixel;
+   client->appData.requestedDepth=client->format.depth;
+   client->format.bigEndian = *(char *)&client->endianTest?FALSE:TRUE;
+-  client->format.trueColour = TRUE;
++  client->format.trueColour = 1;
+ 
+   if (client->format.bitsPerPixel == 8) {
+     client->format.redMax = 7;
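
Review bot: the literal at `client->format.trueColour = 1;` carries no comment explaining why `TRUE` is avoided, so a later cleanup can silently revert it. The subject line says `TRUE` ends up as 255 in this field; a one-line comment at the assignment would record that. The context line just above, `client->format.bigEndian = *(char *)&client->endianTest?FALSE:TRUE;`, still stores `TRUE` into the same format struct, so it is worth checking whether that field has the same interoperability problem on big-endian hosts. The patch header also lacks a reference to #880531, which the changelog closes with this patch.
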
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch	2019-12-16 10:57:16.000000000 +0100
@@ -13,11 +13,9 @@
  libvncserver/tightvnc-filetransfer/rfbtightproto.h             | 1 +
  2 files changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
-index 0473783164f2..8e38f8880f5b 100644
 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
 +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
-@@ -508,7 +508,6 @@ RunFileDownloadThread(void* client)
+@@ -506,7 +506,6 @@
  void
  HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
  {
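
Review bot: the refreshed inner header `@@ -506,7 +506,6 @@` drops the function context `RunFileDownloadThread(void* client)` that the old header carried, and the same loss repeats in every refreshed patch in this debdiff. For security patches that context is what lets a reviewer see which function a hunk touches without opening the source; refreshing with `QUILT_DIFF_OPTS="--show-c-function"` keeps it. Dropping the `diff --git`, `index` and `2.20.1` trailer lines is harmless.
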
@@ -25,7 +23,7 @@
  	FileTransferMsg fileDownloadMsg;
  	
  	memset(&fileDownloadMsg, 0, sizeof(FileTransferMsg));
-@@ -521,7 +520,7 @@ HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
+@@ -519,7 +518,7 @@
  	rtcp->rcft.rcfd.downloadInProgress = FALSE;
  	rtcp->rcft.rcfd.downloadFD = -1;
  
@@ -34,11 +32,9 @@
  	cl) != 0) {
  		FileTransferMsg ftm = GetFileDownLoadErrMsg();
  		
-diff --git a/libvncserver/tightvnc-filetransfer/rfbtightproto.h b/libvncserver/tightvnc-filetransfer/rfbtightproto.h
-index d0fe642ecfa3..30fc5f5413aa 100644
 --- a/libvncserver/tightvnc-filetransfer/rfbtightproto.h
 +++ b/libvncserver/tightvnc-filetransfer/rfbtightproto.h
-@@ -148,6 +148,7 @@ typedef struct _rfbClientFileDownload {
+@@ -148,6 +148,7 @@
  	int downloadInProgress;
  	unsigned long mTime;
  	int downloadFD;
@@ -46,6 +42,3 @@
  } rfbClientFileDownload ;
  
  typedef struct _rfbClientFileUpload {
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch	2019-12-16 10:57:16.000000000 +0100
@@ -16,11 +16,9 @@
  .../handlefiletransferrequest.c                      |  8 ++++----
  3 files changed, 16 insertions(+), 7 deletions(-)
 
-diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.c b/libvncserver/tightvnc-filetransfer/filetransfermsg.c
-index 5f84e7f3d323..f674b9283126 100644
 --- a/libvncserver/tightvnc-filetransfer/filetransfermsg.c
 +++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.c
-@@ -672,7 +672,7 @@ ChkFileUploadWriteErr(rfbClientPtr cl, rfbTightClientPtr rtcp, char* pBuf)
+@@ -670,7 +670,7 @@
  		char reason[] = "Error writing file data";
  		int reasonLen = strlen(reason);
  		ftm = CreateFileUploadErrMsg(reason, reasonLen);
@@ -29,7 +27,7 @@
  	}		
  	return ftm;
  }
-@@ -735,7 +735,7 @@ CreateFileUploadErrMsg(char* reason, unsigned int reasonLen)
+@@ -733,7 +733,7 @@
   ******************************************************************************/
  
  void
@@ -38,7 +36,7 @@
  {
  	/* TODO :: File Upload case is not handled currently */
  	/* TODO :: In case of concurrency we need to use Critical Section */
-@@ -759,6 +759,14 @@ CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr rtcp)
+@@ -757,6 +757,14 @@
  
  		memset(rtcp->rcft.rcfu.fName, 0 , PATH_MAX);
  	}
@@ -53,11 +51,9 @@
  	
  	if(rtcp->rcft.rcfd.downloadInProgress == TRUE) {
  		rtcp->rcft.rcfd.downloadInProgress = FALSE;
-diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.h b/libvncserver/tightvnc-filetransfer/filetransfermsg.h
-index 3b27bd04d3f0..bbb9148db4d6 100644
 --- a/libvncserver/tightvnc-filetransfer/filetransfermsg.h
 +++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.h
-@@ -51,7 +51,8 @@ FileTransferMsg ChkFileUploadWriteErr(rfbClientPtr cl, rfbTightClientPtr data, c
+@@ -51,7 +51,8 @@
  
  void CreateDirectory(char* dirName);
  void FileUpdateComplete(rfbClientPtr cl, rfbTightClientPtr data);
@@ -67,11 +63,9 @@
  
  void FreeFileTransferMsg(FileTransferMsg ftm);
  
-diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
-index 8e38f8880f5b..31163d0f62f3 100644
 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
 +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
-@@ -492,7 +492,7 @@ RunFileDownloadThread(void* client)
+@@ -490,7 +490,7 @@
  
  				if(cl != NULL) {
  			    	rfbCloseClient(cl);
@@ -80,7 +74,7 @@
  				}
  				
  				FreeFileTransferMsg(fileDownloadMsg);
-@@ -592,7 +592,7 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl, rfbTightClientPtr rtcp)
+@@ -588,7 +588,7 @@
  					" reason <%s>\n", __FILE__, __FUNCTION__, reason);
  	
  	pthread_mutex_lock(&fileDownloadMutex);
@@ -89,7 +83,7 @@
  	pthread_mutex_unlock(&fileDownloadMutex);
  	
  	if(reason != NULL) {
-@@ -835,7 +835,7 @@ HandleFileUploadDataRequest(rfbClientPtr cl, rfbTightClientPtr rtcp)
+@@ -831,7 +831,7 @@
  			FreeFileTransferMsg(ftm);
  		}
  
@@ -98,7 +92,7 @@
  
  	    if(pBuf != NULL) {
  	    	free(pBuf);
-@@ -935,7 +935,7 @@ HandleFileUploadFailedRequest(rfbClientPtr cl, rfbTightClientPtr rtcp)
+@@ -931,7 +931,7 @@
  	rfbLog("File [%s]: Method [%s]: File Upload Failed Request received:"
  				" reason <%s>\n", __FILE__, __FUNCTION__, reason);
  
@@ -107,6 +101,3 @@
  
  	if(reason != NULL) {
  		free(reason);
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch	2019-12-16 10:57:16.000000000 +0100
@@ -15,11 +15,9 @@
  libvncserver/tightvnc-filetransfer/rfbtightserver.c  | 7 +++++--
  2 files changed, 7 insertions(+), 2 deletions(-)
 
-diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.c b/libvncserver/tightvnc-filetransfer/filetransfermsg.c
-index f674b9283126..0003b11f6f50 100644
 --- a/libvncserver/tightvnc-filetransfer/filetransfermsg.c
 +++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.c
-@@ -770,6 +770,8 @@ CloseUndoneFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
+@@ -768,6 +768,8 @@
  	
  	if(rtcp->rcft.rcfd.downloadInProgress == TRUE) {
  		rtcp->rcft.rcfd.downloadInProgress = FALSE;
@@ -28,8 +26,6 @@
  
  		if(rtcp->rcft.rcfd.downloadFD != -1) {			
  			close(rtcp->rcft.rcfd.downloadFD);
-diff --git a/libvncserver/tightvnc-filetransfer/rfbtightserver.c b/libvncserver/tightvnc-filetransfer/rfbtightserver.c
-index 67d4cb545fad..651d8fb7e75f 100644
 --- a/libvncserver/tightvnc-filetransfer/rfbtightserver.c
 +++ b/libvncserver/tightvnc-filetransfer/rfbtightserver.c
 @@ -26,6 +26,7 @@
@@ -40,7 +36,7 @@
  
  /*
   * Get my data!
-@@ -448,9 +449,11 @@ rfbTightExtensionMsgHandler(struct _rfbClientRec* cl, void* data,
+@@ -448,9 +449,11 @@
  void
  rfbTightExtensionClientClose(rfbClientPtr cl, void* data) {
  
@@ -54,6 +50,3 @@
  }
  
  void
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch	2019-12-16 10:57:16.000000000 +0100
@@ -12,11 +12,9 @@
  libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c | 3 +--
  1 file changed, 1 insertion(+), 2 deletions(-)
 
-diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
-index 31163d0f62f3..70e105f45adb 100644
 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
 +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
-@@ -517,8 +517,7 @@ HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
+@@ -515,8 +515,7 @@
  		FreeFileTransferMsg(fileDownloadMsg);
  		return;
  	}
@@ -26,6 +24,3 @@
  
  	if(pthread_create(&rtcp->rcft.rcfd.downloadThread, NULL, RunFileDownloadThread, (void*)
  	cl) != 0) {
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch	2019-12-16 10:57:16.000000000 +0100
@@ -13,11 +13,9 @@
  .../tightvnc-filetransfer/handlefiletransferrequest.c       | 6 ------
  1 file changed, 6 deletions(-)
 
-diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
-index 70e105f45adb..71fb08512470 100644
 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
 +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
-@@ -489,12 +489,6 @@ RunFileDownloadThread(void* client)
+@@ -487,12 +487,6 @@
  			if(rfbWriteExact(cl, fileDownloadMsg.data, fileDownloadMsg.length) < 0)  {
  				rfbLog("File [%s]: Method [%s]: Error while writing to socket \n"
  						, __FILE__, __FUNCTION__);
@@ -30,6 +28,3 @@
  				FreeFileTransferMsg(fileDownloadMsg);
  				return NULL;
  			}
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch	2019-12-16 10:57:16.000000000 +0100
@@ -11,11 +11,9 @@
  libvncserver/rfbserver.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
-index ed1365a55389..6ca511fee3ed 100644
 --- a/libvncserver/rfbserver.c
 +++ b/libvncserver/rfbserver.c
-@@ -1465,7 +1465,7 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
+@@ -1466,7 +1466,7 @@
      rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length);
      */
      if (length>0) {
@@ -24,6 +22,3 @@
          if (buffer!=NULL) {
              if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
                  if (n != 0)
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch	2019-12-16 10:57:16.000000000 +0100
@@ -14,11 +14,9 @@
  libvncclient/rfbproto.c | 10 ++++++----
  1 file changed, 6 insertions(+), 4 deletions(-)
 
-diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
-index 8d6a4c1f0d9d..ac2a983597e4 100644
 --- a/libvncclient/rfbproto.c
 +++ b/libvncclient/rfbproto.c
-@@ -433,7 +433,7 @@ rfbHandleAuthResult(rfbClient* client)
+@@ -553,7 +553,7 @@
          /* we have an error following */
          if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE;
          reasonLen = rfbClientSwap32IfLE(reasonLen);
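
Review bot: the inner hunk header moves from `@@ -433,7 +433,7 @@` to `@@ -553,7 +553,7 @@`, a 120-line shift, while the CVE-2018-15126 patches above moved by only two lines. That is more than the changelog's "Trivial patch rebasing" suggests; please confirm the patch applied by offset only, without fuzz, and that line 553 is still inside `rfbHandleAuthResult`, since the refreshed header no longer names the function.
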
@@ -27,7 +25,7 @@
          if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; }
          reason[reasonLen]=0;
          rfbClientLog("VNC connection failed: %s\n",reason);
-@@ -461,7 +461,7 @@ ReadReason(rfbClient* client)
+@@ -581,7 +581,7 @@
      /* we have an error following */
      if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
      reasonLen = rfbClientSwap32IfLE(reasonLen);
@@ -36,7 +34,7 @@
      if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
      reason[reasonLen]=0;
      rfbClientLog("VNC connection failed: %s\n",reason);
-@@ -2187,10 +2187,12 @@ HandleRFBServerMessage(rfbClient* client)
+@@ -2245,10 +2245,12 @@
  
      msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);
  
@@ -51,6 +49,3 @@
  
      buffer[msg.sct.length] = 0;
  
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch	2019-12-16 10:57:16.000000000 +0100
@@ -11,11 +11,9 @@
  libvncclient/rfbproto.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
-index 808ad4d28b7f..8d6a4c1f0d9d 100644
 --- a/libvncclient/rfbproto.c
 +++ b/libvncclient/rfbproto.c
-@@ -1879,7 +1879,7 @@ HandleRFBServerMessage(rfbClient* client)
+@@ -1973,7 +1973,7 @@
  	/* Regardless of cause, do not divide by zero. */
  	linesToRead = bytesPerLine ? (RFB_BUFFER_SIZE / bytesPerLine) : 0;
  
@@ -24,6 +22,3 @@
  	  if (linesToRead > h)
  	    linesToRead = h;
  
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch	2019-12-16 10:57:16.000000000 +0100
@@ -14,11 +14,9 @@
  libvncclient/rfbproto.c | 2 ++
  1 file changed, 2 insertions(+)
 
-diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
-index 669e38848d15..808ad4d28b7f 100644
 --- a/libvncclient/rfbproto.c
 +++ b/libvncclient/rfbproto.c
-@@ -1643,6 +1643,7 @@ SendKeyEvent(rfbClient* client, uint32_t key, rfbBool down)
+@@ -1739,6 +1739,7 @@
  
    if (!SupportsClient2Server(client, rfbKeyEvent)) return TRUE;
  
@@ -26,7 +24,7 @@
    ke.type = rfbKeyEvent;
    ke.down = down ? 1 : 0;
    ke.key = rfbClientSwap32IfLE(key);
-@@ -1661,6 +1662,7 @@ SendClientCutText(rfbClient* client, char *str, int len)
+@@ -1757,6 +1758,7 @@
  
    if (!SupportsClient2Server(client, rfbClientCutText)) return TRUE;
  
@@ -34,6 +32,3 @@
    cct.type = rfbClientCutText;
    cct.length = rfbClientSwap32IfLE(len);
    return  (WriteToRFBServer(client, (char *)&cct, sz_rfbClientCutTextMsg) &&
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch	2019-12-16 10:57:16.000000000 +0100
@@ -12,11 +12,9 @@
  libvncclient/rfbproto.c |  8 ++++++--
  2 files changed, 14 insertions(+), 4 deletions(-)
 
-diff --git a/examples/repeater.c b/examples/repeater.c
-index cf0350ff98a2..dbfa39e1d514 100644
 --- a/examples/repeater.c
 +++ b/examples/repeater.c
-@@ -12,6 +12,7 @@ int main(int argc,char** argv)
+@@ -12,6 +12,7 @@
    char *repeaterHost;
    int repeaterPort, sock;
    char id[250];
@@ -24,7 +22,7 @@
    rfbClientPtr cl;
  
    int i,j;
-@@ -23,7 +24,12 @@ int main(int argc,char** argv)
+@@ -23,7 +24,12 @@
        "Usage: %s <id> <repeater-host> [<repeater-port>]\n", argv[0]);
      exit(1);
    }
@@ -38,7 +36,7 @@
    repeaterHost = argv[2];
    repeaterPort = argc < 4 ? 5500 : atoi(argv[3]);
  
-@@ -48,7 +54,7 @@ int main(int argc,char** argv)
+@@ -48,7 +54,7 @@
      perror("connect to repeater");
      return 1;
    }
@@ -47,11 +45,9 @@
      perror("writing id");
      return 1;
    }
-diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
-index e5373bc4345f..669e38848d15 100644
 --- a/libvncclient/rfbproto.c
 +++ b/libvncclient/rfbproto.c
-@@ -363,6 +363,7 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
+@@ -487,6 +487,7 @@
    rfbProtocolVersionMsg pv;
    int major,minor;
    char tmphost[250];
@@ -59,7 +55,7 @@
  
  #ifdef LIBVNCSERVER_IPv6
    client->sock = ConnectClientToTcpAddr6(repeaterHost, repeaterPort);
-@@ -398,8 +399,11 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
+@@ -522,8 +523,11 @@
  
    rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n", major, minor);
  
@@ -73,6 +69,3 @@
      return FALSE;
  
    return TRUE;
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch	2019-12-16 10:57:16.000000000 +0100
@@ -11,11 +11,9 @@
  libvncclient/rfbproto.c | 5 +++++
  1 file changed, 5 insertions(+)
 
-diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
-index 4541e0d53ad3..8792dbf67c48 100644
 --- a/libvncclient/rfbproto.c
 +++ b/libvncclient/rfbproto.c
-@@ -2217,6 +2217,11 @@ HandleRFBServerMessage(rfbClient* client)
+@@ -2251,6 +2251,11 @@
  
      msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);
  
@@ -27,6 +25,3 @@
      buffer = malloc((uint64_t)msg.sct.length+1);
  
      if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch	2019-12-16 10:57:16.000000000 +0100
@@ -10,11 +10,9 @@
  libvncclient/rfbproto.c | 45 +++++++++++++++++++----------------------
  1 file changed, 21 insertions(+), 24 deletions(-)
 
-diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
-index 8792dbf67c48..ba7d70a71575 100644
 --- a/libvncclient/rfbproto.c
 +++ b/libvncclient/rfbproto.c
-@@ -412,11 +412,29 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
+@@ -536,11 +536,29 @@
  extern void rfbClientEncryptBytes(unsigned char* bytes, char* passwd);
  extern void rfbClientEncryptBytes2(unsigned char *where, const int length, unsigned char *key);
  
@@ -46,7 +44,7 @@
  
      if (!ReadFromRFBServer(client, (char *)&authResult, 4)) return FALSE;
  
-@@ -431,13 +449,7 @@ rfbHandleAuthResult(rfbClient* client)
+@@ -555,13 +573,7 @@
        if (client->major==3 && client->minor>7)
        {
          /* we have an error following */
@@ -61,7 +59,7 @@
          return FALSE;
        }
        rfbClientLog("VNC authentication failed\n");
-@@ -452,21 +464,6 @@ rfbHandleAuthResult(rfbClient* client)
+@@ -576,21 +588,6 @@
      return FALSE;
  }
  
@@ -83,6 +81,3 @@
  
  static rfbBool
  ReadSupportedSecurityType(rfbClient* client, uint32_t *result, rfbBool subAuth)
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch	2019-12-16 10:57:16.000000000 +0100
@@ -11,11 +11,9 @@
  libvncclient/rfbproto.c | 8 ++++++--
  1 file changed, 6 insertions(+), 2 deletions(-)
 
-diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
-index e56e778f6b91..6af21a54f07b 100644
 --- a/libvncclient/rfbproto.c
 +++ b/libvncclient/rfbproto.c
-@@ -1224,8 +1224,12 @@ InitialiseRFBConnection(rfbClient* client)
+@@ -1293,8 +1293,12 @@
    client->si.format.blueMax = rfbClientSwap16IfLE(client->si.format.blueMax);
    client->si.nameLength = rfbClientSwap32IfLE(client->si.nameLength);
  
@@ -30,6 +28,3 @@
    if (!client->desktopName) {
      rfbClientLog("Error allocating memory for desktop name, %lu bytes\n",
              (unsigned long)client->si.nameLength);
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch	2019-12-16 10:57:16.000000000 +0100
@@ -10,11 +10,9 @@
  libvncclient/rfbproto.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
-index 6af21a54f07b..2f887c32978f 100644
 --- a/libvncclient/rfbproto.c
 +++ b/libvncclient/rfbproto.c
-@@ -2227,7 +2227,7 @@ HandleRFBServerMessage(rfbClient* client)
+@@ -2257,7 +2257,7 @@
  	    return FALSE;
      }  
  
@@ -23,6 +21,3 @@
  
      if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {
        free(buffer);
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch	2019-12-16 10:57:16.000000000 +0100
@@ -11,11 +11,9 @@
  libvncserver/rfbserver.c | 14 ++++++++++++--
  1 file changed, 12 insertions(+), 2 deletions(-)
 
-diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
-index 6ca511fee3ed..e210a32f5c45 100644
 --- a/libvncserver/rfbserver.c
 +++ b/libvncserver/rfbserver.c
-@@ -1461,11 +1461,21 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
+@@ -1462,11 +1462,21 @@
      int   n=0;
  
      FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL);
@@ -39,6 +37,3 @@
          if (buffer!=NULL) {
              if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
                  if (n != 0)
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch	2019-12-16 10:57:16.000000000 +0100
@@ -17,11 +17,9 @@
  libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c | 2 ++
  1 file changed, 2 insertions(+)
 
-diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
-index c511eed17fcd..0473783164f2 100644
 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
 +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
-@@ -585,6 +585,8 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl, rfbTightClientPtr rtcp)
+@@ -575,6 +575,8 @@
  					"FileDownloadCancelMsg\n", __FILE__, __FUNCTION__);
  		
  	    rfbCloseClient(cl);
@@ -30,6 +28,3 @@
  	}
  
  	rfbLog("File [%s]: Method [%s]: File Download Cancel Request received:"
--- 
-2.20.1
-
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15681/0001-rfbserver-don-t-leak-stack-memory-to-the-remote.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15681/0001-rfbserver-don-t-leak-stack-memory-to-the-remote.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15681/0001-rfbserver-don-t-leak-stack-memory-to-the-remote.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15681/0001-rfbserver-don-t-leak-stack-memory-to-the-remote.patch	2019-12-16 10:57:16.000000000 +0100
@@ -0,0 +1,21 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+---
+ libvncserver/rfbserver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -3529,6 +3529,8 @@
+     rfbServerCutTextMsg sct;
+     rfbClientIteratorPtr iterator;
+ 
++    memset((char *)&sct, 0, sizeof(sct));
++
+     iterator = rfbGetClientIterator(rfbScreen);
+     while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
+         sct.type = rfbServerCutText;
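Review bot: The `memset` above the loop in the `@@ -3529,6 +3529,8 @@` hunk carries no comment, and the commit message does not say which bytes of `sct` were reaching the client, so the call reads as redundant next to the `sct.type = rfbServerCutText;` assignment that follows. Suggest a one-line comment saying that it clears whatever the per-field assignments leave unset, and dropping the `(char *)` cast, which `memset` does not need.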
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series	2019-02-02 22:41:23.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/series	2019-12-16 11:08:18.000000000 +0100
@@ -21,3 +21,8 @@
 CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch
 CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch
 CVE-2018-20750/0001-Limit-lenght-to-INT_MAX-bytes-in-rfbProcessFileTrans.patch
+CVE-2019-15681/0001-rfbserver-don-t-leak-stack-memory-to-the-remote.patch
+use-after-free/1.patch
+use-after-free/2.patch
+use-after-free/3.patch
+0002-set-true-color-flag-to-1.patch
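Review bot: The entries `use-after-free/1.patch`, `2.patch` and `3.patch` say nothing about their content, unlike the CVE entries in this series, which carry the upstream subject in the file name. Suggest naming the three files after the Subject lines in their headers so the series can be read without opening each patch.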
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/1.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/1.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/1.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/1.patch	2019-12-16 11:08:10.000000000 +0100
@@ -0,0 +1,39 @@
+From 96e163bdae65aa2c68e4301cf9ebe29e9f53f3d9 Mon Sep 17 00:00:00 2001
+From: Quentin BUATHIER <qbuathier@tetrane.com>
+Date: Wed, 8 Aug 2018 16:14:39 +0200
+Subject: [PATCH] Fix use-after-free
+
+---
+ libvncserver/main.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/libvncserver/main.c
++++ b/libvncserver/main.c
+@@ -1064,15 +1064,21 @@
+ 
+ void rfbShutdownServer(rfbScreenInfoPtr screen,rfbBool disconnectClients) {
+   if(disconnectClients) {
+-    rfbClientPtr cl;
+     rfbClientIteratorPtr iter = rfbGetClientIterator(screen);
+-    while( (cl = rfbClientIteratorNext(iter)) ) {
+-      if (cl->sock > -1) {
+-       /* we don't care about maxfd here, because the server goes away */
+-       rfbCloseClient(cl);
+-       rfbClientConnectionGone(cl);
++    rfbClientPtr nextCl, currentCl = rfbClientIteratorNext(iter);
++
++    while(currentCl) {
++      nextCl = rfbClientIteratorNext(iter);
++      if (currentCl->sock > -1) {
++        /* we don't care about maxfd here, because the server goes away */
++        rfbCloseClient(currentCl);
+       }
++
++      rfbClientConnectionGone(currentCl);
++
++      currentCl = nextCl;
+     }
++
+     rfbReleaseClientIterator(iter);
+   }
+ 
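Review bot: `rfbClientConnectionGone(currentCl)` has moved outside the `if (currentCl->sock > -1)` block, so it now runs for clients whose socket is already -1, where the old loop skipped them; the commit message has no body and does not say whether that is intended. Suggest stating it in the message, together with the reason `nextCl` is fetched before the current client is torn down, since that ordering is what the subject line refers to.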
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/2.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/2.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/2.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/2.patch	2019-12-16 11:08:10.000000000 +0100
@@ -0,0 +1,112 @@
+From cedae6e6f97b14f5df3ea7c5f7efd59f2bc9ad82 Mon Sep 17 00:00:00 2001
+From: Quentin BUATHIER <qbuathier@tetrane.com>
+Date: Thu, 9 Aug 2018 09:33:59 +0200
+Subject: [PATCH] Fix the concurrent issue hapenning between the freeing of the
+ client and the clientOutput thread
+
+---
+ libvncserver/main.c      | 29 ++++++++++++++++++++++++++---
+ libvncserver/rfbserver.c |  5 +++++
+ rfb/rfb.h                |  1 +
+ 3 files changed, 32 insertions(+), 3 deletions(-)
+
+--- a/libvncserver/main.c
++++ b/libvncserver/main.c
+@@ -33,6 +33,7 @@
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <unistd.h>
++#include <fcntl.h>
+ #endif
+ 
+ #include <signal.h>
+@@ -524,6 +525,7 @@
+ 
+ 	FD_ZERO(&rfds);
+ 	FD_SET(cl->sock, &rfds);
++	FD_SET(cl->pipe_notify_client_thread[0], &rfds);
+ 	FD_ZERO(&efds);
+ 	FD_SET(cl->sock, &efds);
+ 
+@@ -532,9 +534,13 @@
+ 	if ((cl->fileTransfer.fd!=-1) && (cl->fileTransfer.sending==1))
+ 	    FD_SET(cl->sock, &wfds);
+ 
++	int nfds = cl->pipe_notify_client_thread[0] > cl->sock ? cl->pipe_notify_client_thread[0] : cl->sock;
++	
+ 	tv.tv_sec = 60; /* 1 minute */
+ 	tv.tv_usec = 0;
+-	n = select(cl->sock + 1, &rfds, &wfds, &efds, &tv);
++
++	n = select(nfds + 1, &rfds, &wfds, &efds, &tv);
++
+ 	if (n < 0) {
+ 	    rfbLogPerror("ReadExact: select");
+ 	    break;
+@@ -549,6 +555,13 @@
+         if (FD_ISSET(cl->sock, &wfds))
+             rfbSendFileTransferChunk(cl);
+ 
++	if (FD_ISSET(cl->pipe_notify_client_thread[0], &rfds))
++	{
++	    // Reset the pipe
++	    char buf;
++	    while (read(cl->pipe_notify_client_thread[0], &buf, sizeof(buf)) == sizeof(buf));
++	}
++
+         if (FD_ISSET(cl->sock, &rfds) || FD_ISSET(cl->sock, &efds))
+         {
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
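Review bot: Nothing in the `FD_ISSET(cl->pipe_notify_client_thread[0], &rfds)` branch makes the thread leave its loop; it drains the pipe and falls through to the socket checks, so the wake-up only helps if a later test notices that the client is going away. Suggest a comment naming the condition that ends the loop after a notification, or an explicit break in this branch. The `// Reset the pipe` comment should also follow the `/* */` style used by the surrounding lines.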
+@@ -619,8 +632,12 @@
+ {
+     cl->onHold = FALSE;
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
+-    if(cl->screen->backgroundLoop)
+-	pthread_create(&cl->client_thread, NULL, clientInput, (void *)cl);
++    if(cl->screen->backgroundLoop) {
++        pipe(cl->pipe_notify_client_thread);
++        fcntl(cl->pipe_notify_client_thread[0], F_SETFL, O_NONBLOCK);
++
++        pthread_create(&cl->client_thread, NULL, clientInput, (void *)cl);
++    }
+ #endif
+ }
+ 
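Review bot: The return values of `pipe()`, `fcntl()` and `pthread_create()` are all ignored in the new `backgroundLoop` block. If `pipe()` fails, the array keeps whatever it held and is later handed to `FD_SET`, `read`, `write` and `close`; if `pthread_create()` fails, the `pthread_join` added to `rfbShutdownServer` acts on a thread that was never started. Suggest checking each call and not starting the thread when the pipe is unavailable (3.patch later covers only the `pipe()` call).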
+@@ -1074,7 +1091,13 @@
+         rfbCloseClient(currentCl);
+       }
+ 
++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++      // Notify the thread and join it
++      write(currentCl->pipe_notify_client_thread[1], "\x00", 1);
++      pthread_join(currentCl->client_thread, NULL);
++#else
+       rfbClientConnectionGone(currentCl);
++#endif
+ 
+       currentCl = nextCl;
+     }
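Review bot: The `write` and `pthread_join` run in every build with `LIBVNCSERVER_HAVE_LIBPTHREAD`, but the pipe and the thread exist only when `cl->screen->backgroundLoop` is set (see the `@@ -619,8 +632,12 @@` hunk), so a threaded build running without the background loop joins a `client_thread` that was never created and no longer calls `rfbClientConnectionGone` from this path. Suggest guarding the block with the same `backgroundLoop` test and keeping `rfbClientConnectionGone(currentCl)` as the fallback; the result of `write` should be checked as well.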
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -622,6 +622,11 @@
+     UNLOCK(cl->sendMutex);
+     TINI_MUTEX(cl->sendMutex);
+ 
++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++    close(cl->pipe_notify_client_thread[0]);
++    close(cl->pipe_notify_client_thread[1]);
++#endif
++
+     rfbPrintStats(cl);
+     rfbResetStats(cl);
+ 
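Review bot: Both `close` calls are unconditional under `LIBVNCSERVER_HAVE_LIBPTHREAD`, while `pipe()` is only called when `backgroundLoop` is set, so for every other client this closes whatever two descriptor numbers the array happens to hold. Suggest setting both entries to -1 when the client is created and closing only entries that are not -1.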
+--- a/rfb/rfb.h
++++ b/rfb/rfb.h
+@@ -466,6 +466,7 @@
+     int protocolMinorVersion;
+ 
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++    int pipe_notify_client_thread[2];
+     pthread_t client_thread;
+ #endif
+ 
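Review bot: `pipe_notify_client_thread` is inserted ahead of `client_thread` in a struct declared in the public header `rfb/rfb.h`, which shifts the offset of `client_thread` and of every member after it. In a stable update that is a layout change for any application built against the old header that touches those members. Suggest adding the field at the end of the struct, or stating in the patch header why no rebuilds of reverse dependencies are needed.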
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/3.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/3.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/3.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/3.patch	2019-12-16 11:08:10.000000000 +0100
@@ -0,0 +1,23 @@
+From 00bae113d54014bafcf20c9f4c8c296e3e91bde5 Mon Sep 17 00:00:00 2001
+From: Quentin BUATHIER <qbuathier@tetrane.com>
+Date: Thu, 6 Dec 2018 09:16:51 +0100
+Subject: [PATCH] Check the return code of pipe
+
+---
+ libvncserver/main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/libvncserver/main.c
++++ b/libvncserver/main.c
+@@ -633,7 +633,10 @@
+     cl->onHold = FALSE;
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
+     if(cl->screen->backgroundLoop) {
+-        pipe(cl->pipe_notify_client_thread);
++        if (pipe(cl->pipe_notify_client_thread) == -1) {
++            cl->pipe_notify_client_thread[0] = -1;
++            cl->pipe_notify_client_thread[1] = -1;
++        }
+         fcntl(cl->pipe_notify_client_thread[0], F_SETFL, O_NONBLOCK);
+ 
+         pthread_create(&cl->client_thread, NULL, clientInput, (void *)cl);
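Review bot: After a failed `pipe()` the code stores -1 in both slots and carries on: `fcntl` is still called on -1 and the thread is still created, so `clientInput` passes -1 to `FD_SET` (2.patch, `@@ -524,6 +525,7 @@`) and the shutdown path writes to -1. Suggest logging the failure and either skipping `pthread_create` or making every user of the pipe test for -1 first.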

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.12

Hi,

Each of the uploads referred to by these bugs was included in today's
oldstable point release.

Regards,

Adam

--- End Message ---
