887067 – <net-libs/libvncserver-0.9.14: multiple vulnerabilities

Bug 887067 - <net-libs/libvncserver-0.9.14: multiple vulnerabilities

Summary: <net-libs/libvncserver-0.9.14: multiple vulnerabilities

Status:	IN_PROGRESS

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://github.com/LibVNC/libvncserve...
Whiteboard:	B? [glsa?]
Keywords:	PullRequest

Depends on:	894652
Blocks:
	Show dependency tree

Reported:	2022-12-18 22:21 UTC by John Helmert III
Modified:	2023-02-20 20:45 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/28833 https://github.com/gentoo/gentoo/pull/29641
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-12-18 22:21:43 UTC

"## LibVNCServer/LibVNCClient:

  * Fixed several potential multiplication overflows.


  * Fixes of several memory leaks and buffer overflows."

Please bump to 0.9.14.

Comment 1 Larry the Git Cow gentoo-dev

2022-12-27 10:23:51 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=14545c056ef18019e9de4cfb41ec1d8da538a8c8

commit 14545c056ef18019e9de4cfb41ec1d8da538a8c8
Author:     Alexander Tsoy <alexander@tsoy.me>
AuthorDate: 2022-12-27 00:26:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-27 10:22:17 +0000

    net-libs/libvncserver: version bump to 0.9.14
    
    Bug: https://bugs.gentoo.org/887067
    Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
    Closes: https://github.com/gentoo/gentoo/pull/28833
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/libvncserver/Manifest                   |  1 +
 net-libs/libvncserver/libvncserver-0.9.14.ebuild | 71 ++++++++++++++++++++++++
 2 files changed, 72 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2023-02-18 13:06:27 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29bd18220587faa63d90afb87447327f638257c2

commit 29bd18220587faa63d90afb87447327f638257c2
Author:     Alexander Tsoy <alexander@tsoy.me>
AuthorDate: 2023-02-17 21:35:03 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-02-18 13:06:13 +0000

    net-libs/libvncserver: security cleanup
    
    Bug: https://bugs.gentoo.org/887067
    Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
    Closes: https://github.com/gentoo/gentoo/pull/29641
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 net-libs/libvncserver/Manifest                     |  1 -
 .../files/libvncserver-0.9.13-CVE-2020-29260.patch | 27 --------
 .../libvncserver-0.9.13-test-fix-includetest.patch | 54 ---------------
 .../libvncserver-0.9.13-test-fix-tjunittest.patch  | 29 ---------
 .../libvncserver/libvncserver-0.9.13-r1.ebuild     | 76 ----------------------
 5 files changed, 187 deletions(-)

Comment 3 John Helmert III archtester

2023-02-20 20:45:55 UTC

Thanks! Any input on the impact from anyone?