Hi,

I agree that the VNC situation in Debian is sub-optimal. Frankly speaking, not just in Debian. This popular software has diverged quite a lot, with lots of packages sharing a similar code base.
I had a brief look at vnc4 as well. It does not seem to share the same code base as libvncserver, so it should not be affected.

Best regards
// Ola

On Wed, 30 Oct 2019 at 16:10, Mike Gabriel <mike.gabr...@das-netzwerkteam.de> wrote:
> Hi all,
>
> today I looked into libvncserver/CVE-2019-15681. The VNC situation is
> non-optimal in Debian...
>
> The gist (which also applies to Debian) can be found in [1]. Thanks to
> Pavel Cheremushkin from Kaspersky for publishing his findings.
>
> I looked at all packages I could think of that are related to VNC and
> came up with this list:
>
> x11vnc -> uses system's libvncserver and system's libvncclient, but still
>           bundles older versions of both in the orig tarball. (See [2]).
>           NOT AFFECTED
>
> italc -> bundles libvncserver (shame on myself+upstream) and uses it. It
>          probably needs to be listed for all libvncserver CVEs we have seen
>          in the past (luckily italc has been removed from unstable recently
>          and replaced by veyon)
>          AFFECTED (LOVE NEEDED)
>
> krfb -> ships rfbserver.c from libvncserver, but uses its own implementation
>         of an rfbserver rewritten in C++/Qt
>         NOT AFFECTED
>
> ssvnc -> VNC client only; ships libvncclient code files, probably affected by
>          all libvncclient CVEs
>          NEEDS MORE TRIAGING
>
> veyon -> uses system-wide libvncserver, but still bundles libvncclient
>          (this will be resolved with veyon 4.3.0, I heard from upstream)
>          NEEDS MORE TRIAGING
>
> vino -> bundles libvncserver and uses it. It probably needs to
>         be listed for all libvncserver CVEs we have seen in the past
>         AFFECTED (LOVE NEEDED)
>
> vncsnapshot -> contains a small subset of the libvncclient files
>                NEEDS MORE TRIAGING
>
> tightvnc -> has copy+pasted code from libvncserver, e.g. rfbserver.(ch)
>             and also from libvncclient
>             PARTIALLY AFFECTED (LOVE NEEDED)
>
> tigervnc -> VNC code has been entirely rewritten in C++, not related
>             to libvncserver / libvncclient (anymore?) as it seems
>
> Please add more packages, if you see fit, that belong to the same
> category of packages. Please provide feedback if you think otherwise
> on statements I made above.
>
> light+love
> Mike
>
> [1] https://www.openwall.com/lists/oss-security/2018/12/10/5
> [2] https://bugs.debian.org/943833
>
> --
>
> DAS-NETZWERKTEAM
> c\o Technik- und Ökologiezentrum Eckernförde
> Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
> mobile: +49 (1520) 1976 148
> landline: +49 (4351) 850 8940
>
> GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
> mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
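The triage Mike describes above is essentially a question asked of every VNC-related source package: does it link the system libvncserver (fixed by one library upload), does it carry its own copy of the LibVNC files (needs its own upload), or is it unrelated code that merely looks like VNC? As an added example that is not part of the thread and is not code from any of the packages listed, the POSIX sh below makes that first pass over an unpacked source tree. It assumes that the basenames rfbserver.c/rfbserver.h (libvncserver) and vncviewer.c/rfbclient.h (libvncclient) are characteristic of the upstream LibVNC tree and rare elsewhere, and that a Build-Depends on libvncserver-dev means the system library is used; both are heuristics, and the sample source trees it runs on are constructed in a temporary directory, no packages are downloaded.

```shell
#!/bin/sh
# Added example, not code from the thread or from any listed package:
# a heuristic first pass sorting an unpacked Debian source tree into
# "system libvncserver" / "bundled copy" / "not LibVNC". File names are
# the only evidence, so "bundled" means "a human must look" (krfb ships
# rfbserver.c but does not compile it, as the thread notes).
set -u

# Assumption: these basenames come from the upstream libvncserver/ and
# libvncclient/ directories and rarely appear in unrelated projects.
LIBVNCSERVER_FILES='rfbserver.c rfbserver.h'
LIBVNCCLIENT_FILES='vncviewer.c rfbclient.h'

# has_any DIR NAME... : success if a file with any of the basenames exists
has_any() {
    dir=$1; shift
    for name in "$@"; do
        if find "$dir" -type f -name "$name" 2>/dev/null | grep -q .; then
            return 0
        fi
    done
    return 1
}

# build_depends_on DIR PKG : does debian/control Build-Depend on PKG?
# The field may continue on indented lines, so those are collected first.
build_depends_on() {
    ctl=$1/debian/control
    [ -f "$ctl" ] || return 1
    awk '/^Build-Depends/ {p=1; print; next}
         p && /^[ \t]/     {print; next}
         {p=0}' "$ctl" | grep -q -- "$2"
}

# vnc_triage DIR : print one classification token
#   not-libvnc                 no LibVNC file names, no libvncserver-dev (tigervnc-like)
#   system-libvnc              no copies, links the system library
#   bundled-only:<parts>       copies present, no system dep (vino/italc-like)
#   bundled-and-system:<parts> both: check which copy is actually compiled (x11vnc/veyon-like)
vnc_triage() {
    dir=$1
    bundled=''
    # unquoted on purpose: the lists are split into individual basenames
    has_any "$dir" $LIBVNCSERVER_FILES && bundled="${bundled}server,"
    has_any "$dir" $LIBVNCCLIENT_FILES && bundled="${bundled}client,"
    bundled=${bundled%,}
    if build_depends_on "$dir" libvncserver-dev; then
        if [ -n "$bundled" ]; then echo "bundled-and-system:$bundled"
        else echo system-libvnc; fi
    elif [ -n "$bundled" ]; then
        echo "bundled-only:$bundled"
    else
        echo not-libvnc
    fi
}

# make_tree DIR BUILD_DEPENDS FILE... : constructed fake source tree for the demo
make_tree() {
    dir=$1; bd=$2; shift 2
    mkdir -p "$dir/debian"
    printf 'Source: demo\nBuild-Depends: debhelper,\n %s\nStandards-Version: 4.4.0\n' \
        "$bd" > "$dir/debian/control"
    for f in "$@"; do mkdir -p "$dir/$(dirname "$f")"; : > "$dir/$f"; done
}

demo() {
    tmp=$(mktemp -d)
    make_tree "$tmp/vino-like"     'libgtk-3-dev'     src/libvncserver/rfbserver.c
    make_tree "$tmp/x11vnc-like"   'libvncserver-dev' misc/libvncserver/rfbserver.c misc/libvncclient/vncviewer.c
    make_tree "$tmp/veyon-like"    'libvncserver-dev' 3rdparty/libvncclient/vncviewer.c
    make_tree "$tmp/tigervnc-like" 'libjpeg-dev'      common/rfb/VNCServerST.cxx
    for d in "$tmp"/*; do
        printf '%s\t%s\n' "$(basename "$d")" "$(vnc_triage "$d")"
    done
    rm -rf "$tmp"
}
demo
```

Run against a real tree after `apt-get source <pkg>`; anything other than `not-libvnc` or `system-libvnc` still needs the build system read by hand to see whether the bundled files are compiled and linked, which is exactly the "NEEDS MORE TRIAGING" state in the list above.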