Bug#905786: libvncserver1: Use-after-free on shutdown when clients are still connected (causing issue for Virtualbox)

2019-12-03 Thread quentin buathier
Hi Mike,

I don't think so, I worked on this at my job and it's currently not what
I'm working on.

Greets,
Quentin

On Tue, 3 Dec 2019 at 12:00, Mike Gabriel wrote:

> Hi Quentin,
>
> On Tue 03 Dec 2019 11:54:29 CET, quentin buathier wrote:
>
> > Hi Mike,
> >
> > Thanks for taking care of this and updating the package to the last
> > release.
> > This should fix the issue but I don't have the opportunity (as I'm not on
> > buster yet) nor the time to test it.
> >
> > Greets,
> > Quentin
>
> If I provided you with a stretch version of the package (which is
> pretty similar), could you imagine, despite time restraints, testing that?
>
> Greets,
> Mike
> --
>
> DAS-NETZWERKTEAM
> c\o Technik- und Ökologiezentrum Eckernförde
> Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
> mobile: +49 (1520) 1976 148
> landline: +49 (4351) 850 8940
>
> GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
> mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
>
>


Bug#905786: libvncserver1: Use-after-free on shutdown when clients are still connected (causing issue for Virtualbox)

2019-12-03 Thread quentin buathier
Hi Mike,

Thanks for taking care of this and updating the package to the last
release.
This should fix the issue but I don't have the opportunity (as I'm not on
buster yet) nor the time to test it.

Greets,
Quentin

On Tue, 3 Dec 2019 at 09:28, Mike Gabriel wrote:

> Hi Quentin,
>
> thanks for reporting the below bug and fixing things upstream...
>
> On Thu, 09 Aug 2018 15:52:29 +0200 Quentin BUATHIER wrote:
>  > Package: libvncserver1
>  > Version: 0.9.11+dfsg-1+deb9u1
>  > Severity: important
>  > Tags: patch
>  >
>  > In the upstream source of the project, there is a use-after-free that
>  > can lead to an infinite wait of a non-existing thread during the
>  > shutdown of the VNC server if some clients are still connected.
>  >
>  > This is causing an issue in Virtualbox, which uses this package, when a
>  > VNC client is connected and we shut down the VM (the VM will be stuck
>  > in a buggy state). See https://www.virtualbox.org/ticket/17396 for the
>  > ticket in Virtualbox's bug tracker for more information.
>  >
>  > There is actually a pull request on upstream fixing this issue
>  > (https://github.com/LibVNC/libvncserver/pull/238). There is also
>  > another issue, a segmentation fault in the same use case when we are
>  > using a multi-threaded VNC server (also fixed by the same pull request).
>  >
>  > Virtualbox needs both fixes to work correctly without a segmentation
>  > fault or an infinite wait, and probably some other packages using
>  > libvncserver do too.
>  >
>  > The issue isn't present on Jessie with the version 0.9.9 of the package.
>
> As the new libvncserver Debian maintainer, I have prepared a test build
> and upload candidate for Debian buster of libvncserver that fixes this
> issue:
> http://packages.sunweavers.net/debian/pool/main/libv/libvncserver/
>
> You can also add "deb http://packages.sunweavers.net/debian buster main"
> to your APT configuration and use apt for installing the upload
> candidate. (Make sure you disable the repo again afterwards and that you
> don't grab other packages from there by accident).
>
> Here is the archive key:
> https://packages.sunweavers.net/archive.key
>
> If you don't have time for testing this, I'd appreciate quick feedback
> anyway.
>
> Greets + Thanks,
> Mike
>
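
One way to act on the advice above about not grabbing other packages from the test repository by accident, as an added example that is not part of the original mail: an APT pin that blocks everything from packages.sunweavers.net except libvncserver1. The two file names and the keyring path are assumptions; the repository line and the package name are the ones given in the thread.

```conf
# --- /etc/apt/sources.list.d/sunweavers-test.list (assumed file name) ---
#
# Unscoped form: the archive key is trusted for every source and any
# package in the repo with a higher version becomes an upgrade candidate.
#   deb http://packages.sunweavers.net/debian buster main
#
# Scoped form: the key (https://packages.sunweavers.net/archive.key,
# stored at an assumed local path in a format apt accepts) is only
# trusted for this one source.
deb [signed-by=/usr/share/keyrings/sunweavers-test.gpg] http://packages.sunweavers.net/debian buster main

# --- /etc/apt/preferences.d/sunweavers-test (assumed file name) ---
#
# General rule: a negative priority means no version from this host is
# ever selected for installation.
Package: *
Pin: origin "packages.sunweavers.net"
Pin-Priority: -1

# Specific rule (takes precedence over the general one): allow only the
# package under test. Other binary packages built from the same source
# would have to be listed here explicitly.
Package: libvncserver1
Pin: origin "packages.sunweavers.net"
Pin-Priority: 500
```

`apt-cache policy libvncserver1` shows which candidate version and priority result from the pin. Removing both files and running `apt update` disables the repository again after testing.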


Bug#905786: libvncserver1: Use-after-free on shutdown when clients are still connected (causing issue for Virtualbox)

2018-08-09 Thread Quentin BUATHIER
Package: libvncserver1
Version: 0.9.11+dfsg-1+deb9u1
Severity: important
Tags: patch

In the upstream source of the project, there is a use-after-free that can lead
to an infinite wait of a non-existing thread during the shutdown of the VNC
server if some clients are still connected.

This is causing an issue in Virtualbox, which uses this package, when a VNC
client is connected and we shut down the VM (the VM will be stuck in a buggy
state). See https://www.virtualbox.org/ticket/17396 for the ticket in
Virtualbox's bug tracker for more information.

There is actually a pull request on upstream fixing this issue
(https://github.com/LibVNC/libvncserver/pull/238). There is also another issue,
a segmentation fault in the same use case when we are using a multi-threaded
VNC server (also fixed by the same pull request).

Virtualbox needs both fixes to work correctly without a segmentation fault or an
infinite wait, and probably some other packages using libvncserver do too.

The issue isn't present on Jessie with the version 0.9.9 of the package.



-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-7-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvncserver1 depends on:
ii  libc6            2.24-11+deb9u3
ii  libgcrypt20      1.7.6-2+deb9u3
ii  libgnutls30      3.5.8-5+deb9u3
ii  libjpeg62-turbo  1:1.5.1-2
ii  zlib1g           1:1.2.8.dfsg-5

libvncserver1 recommends no packages.

libvncserver1 suggests no packages.