Package: libvncserver1
Version: 0.9.11+dfsg-1+deb9u1
Severity: important
Tags: patch

In the upstream source of the project, there is a use-after-free that can lead to an infinite wait on a non-existing thread during the shutdown of the VNC server if some clients are still connected.

This is causing an issue in VirtualBox, which uses this package, when a VNC client is connected and we shut down the VM (the VM will be stuck in a buggy state). See https://www.virtualbox.org/ticket/17396 for the ticket in VirtualBox's bug tracker for more information.

There is actually a pull request upstream fixing this issue (https://github.com/LibVNC/libvncserver/pull/238).

There is also another issue, a segmentation fault in the same use case when we are using a multi-threaded VNC server (also fixed by the same pull request).

VirtualBox needs both fixes to work correctly without a segmentation fault or an infinite wait, and probably some other packages using libvncserver do too.

The issue isn't present on Jessie with version 0.9.9 of the package.

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-7-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvncserver1 depends on:
ii  libc6            2.24-11+deb9u3
ii  libgcrypt20      1.7.6-2+deb9u3
ii  libgnutls30      3.5.8-5+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  zlib1g           1:1.2.8.dfsg-5

libvncserver1 recommends no packages.

libvncserver1 suggests no packages.