CVE-2019-15681 (https://nvd.nist.gov/vuln/detail/CVE-2019-15681): LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a memory leak (CWE-655) in VNC server code, which allows an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in commit d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ae4ada68cdf7aa131d7a50c9305b55ba14fcd43

commit 5ae4ada68cdf7aa131d7a50c9305b55ba14fcd43
Author:     Alexander Tsoy <alexander@tsoy.me>
AuthorDate: 2019-10-31 18:41:58 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2019-11-01 14:10:59 +0000

    net-libs/libvncserver: Add a bunch of upstream fixes

    * fix CVE-2018-20750 (the fix for CVE-2018-15127 was incomplete)
    * fix CVE-2019-15681
    * fix libdir in pkgconfig files
    * fix regression in Tight/Raw decoding

    Bug: https://bugs.gentoo.org/699036
    Closes: https://bugs.gentoo.org/676942
    Closes: https://bugs.gentoo.org/691848
    Package-Manager: Portage-2.3.76, Repoman-2.3.16
    Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
    Closes: https://github.com/gentoo/gentoo/pull/13509
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 .../files/libvncserver-0.9.12-CVE-2018-20750.patch | 47 ++++++++++++++
 .../files/libvncserver-0.9.12-CVE-2019-15681.patch | 26 ++++++++
 .../files/libvncserver-0.9.12-cmake-libdir.patch | 32 ++++++++--
 ...ibvncserver-0.9.12-fix-tight-raw-decoding.patch | 40 ++++++++++++
 .../libvncserver-0.9.12-pkgconfig-libdir.patch | 41 ++++++++++++
 .../libvncserver/libvncserver-0.9.12-r3.ebuild | 73 ++++++++++++++++++++++
 6 files changed, 255 insertions(+), 4 deletions(-)
Let's stabilize =net-libs/libvncserver-0.9.12-r3. Can somebody help with modifying keywords and package list?
sparc stable
amd64 stable
ppc64 stable
ppc stable
ia64 stable
x86 stable
arm64 stable
arm stable
commit 4eadcbe351d47b9e91bbcb525b0576f714ff360b
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Thu Nov 21 17:20:53 2019 +0100

    net-libs/libvncserver: stable 0.9.12-r3 for hppa, bug #699036
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f025d1be661d04fc3c216735c5eea788abbe2c4e

commit f025d1be661d04fc3c216735c5eea788abbe2c4e
Author:     Alexander Tsoy <alexander@tsoy.me>
AuthorDate: 2020-01-28 19:36:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-01-28 20:55:14 +0000

    net-libs/libvncserver: Drop vulnerable version

    Bug: https://bugs.gentoo.org/699036
    Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
    Closes: https://github.com/gentoo/gentoo/pull/14490
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../libvncserver/libvncserver-0.9.12-r2.ebuild | 69 ----------------------
 1 file changed, 69 deletions(-)
Cleanup done.
Arches and Maintainer(s), Thank you for your work.