Hi Daniel,
On Sa 04 Jan 2020 01:07:21 CET, Daniel Reichelt wrote:
On 02.01.20 16:39, Daniel Reichelt wrote:
With 7e63df224aa45a8b541cd63a870594454aba7526 applied, this happens 9
out of 10 times.
Actually, that's crap.
I noticed a ton of running x11vnc processes and re-tried ~debu10 with
7e63df224aa45a8b541cd63a870594454aba7526 applied.
Result: just the error message about "unknown encoding", so nothing
notably different than w/o said additional patch. (Although the
different behaviour when other x11vnc processes are lingering
is…"interesting"…it's not pertinent to the regression itself.)
I attached a .debdiff that reflects today's regression fix upload to
buster-pu (I also did one to stretch-pu). I cherry-pick 2 more patches
from upstream that relate to pthreading in libvncserver. I was able to
reproduce your x11vnc crash on buster and with libvncserver having the
attached .debdiff applied the crashes are gone.
Can you confirm that?
Mike
--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
diff -Nru libvncserver-0.9.11+dfsg/debian/changelog
libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog 2019-12-03 09:18:57.0
+0100
+++ libvncserver-0.9.11+dfsg/debian/changelog 2020-01-08 08:22:51.0
+0100
@@ -1,3 +1,13 @@
+libvncserver (0.9.11+dfsg-1.3+deb10u2) buster; urgency=medium
+
+ * Regression update.
+
+ * debian/patches: Add use-after-free/{4,5,6}.patch. All cherry-picked from
+upstream. Resolves crashing of x11vnc when vncviewer connects. (Closes:
+#905786).
+
+ -- Mike Gabriel Wed, 08 Jan 2020 08:22:51 +0100
+
libvncserver (0.9.11+dfsg-1.3+deb10u1) buster; urgency=medium
* CVE-2019-15681: rfbserver: don't leak stack memory to the remote. (Closes:
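Review bot: the entry `+ * debian/patches: Add use-after-free/{4,5,6}.patch` should name the upstream commits being cherry-picked, so the stable release team can match them against upstream without opening each file; from the patch headers further down that is 7e63df224aa45a8b541cd63a870594454aba7526 for 4.patch and d0a76539835d11c0f4723499f8be4bc9c7724eb9 for 5.patch, while the commit for 6.patch is not visible in this debdiff. The use-after-free/ naming is also a little misleading for these two: 4.patch initialises the client-thread notification pipe so a stale zero does not close fd 0, and 5.patch avoids a pthread_join on an uninitialised thread id, which are uninitialised-field bugs rather than use-after-free; one extra clause in the entry saying so would help whoever reads the changelog later.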
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series
libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series 2019-12-03
09:18:57.0 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/series 2020-01-08
08:22:34.0 +0100
@@ -25,4 +25,7 @@
use-after-free/1.patch
use-after-free/2.patch
use-after-free/3.patch
+use-after-free/4.patch
+use-after-free/5.patch
+use-after-free/6.patch
0002-set-true-color-flag-to-1.patch
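Review bot: the three new entries are appended after use-after-free/3.patch and ahead of 0002-set-true-color-flag-to-1.patch, which keeps the upstream commits in the order they were made, so the quilt ordering looks right. One thing to confirm before upload: use-after-free/6.patch is listed here, but the debdiff as posted stops at that file's header, so its origin and content cannot be reviewed from this message; a `quilt push -a` on the unpacked source (or extracting the built .dsc with dpkg-source -x) would verify that all three apply cleanly in this position.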
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch
libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch
1970-01-01 01:00:00.0 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch
2020-01-08 08:22:51.0 +0100
@@ -0,0 +1,24 @@
+From 7e63df224aa45a8b541cd63a870594454aba7526 Mon Sep 17 00:00:00 2001
+From: Andrzej Szombierski
+Date: Tue, 28 May 2019 10:56:47 +0200
+Subject: [PATCH] rfbserver: don't close fd 0 accidentally
+
+pipe_notify_client_thread needs to be initialized to -1
+---
+ libvncserver/rfbserver.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+--- a/libvncserver/rfbserver.c
b/libvncserver/rfbserver.c
+@@ -462,6 +462,11 @@
+
+ cl->lastPtrX = -1;
+
++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++ cl->pipe_notify_client_thread[0] = -1;
++ cl->pipe_notify_client_thread[1] = -1;
++#endif
++
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ /*
+* Wait a few ms for the client to send one of:
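Review bot: the two `cl->pipe_notify_client_thread[...] = -1` assignments are the right fix for the problem named in the subject line: that line implies the client struct starts out zeroed, so when a client was torn down before its pipe had ever been created, the cleanup path called close() on fd 0 (the process's stdin) instead of on a pipe end; with -1 the close() fails with EBADF and nothing else is touched, so no explicit `!= -1` guard is strictly needed, though one would make the intent clearer. What the hunk does not show is the write() in main.c that pokes pipe_notify_client_thread[1]; with this patch alone that write would hit fd -1 for such clients, and it is 5.patch that makes it unreachable, so the two should be shipped together as they are here. Also, the `+++ b/libvncserver/rfbserver.c` header of this patch file appears in the posted debdiff with its `+++ ` prefix missing (the line reads just `b/libvncserver/rfbserver.c`), so please make sure the file in the actual upload is intact and that quilt applies it.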
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch
libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch
1970-01-01 01:00:00.0 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch
2020-01-08 08:22:51.0 +0100
@@ -0,0 +1,26 @@
+From d0a76539835d11c0f4723499f8be4bc9c7724eb9 Mon Sep 17 00:00:00 2001
+From: Rajesh Sahoo
+Date: Tue, 11 Jun 2019 15:13:04 +0530
+Subject: [PATCH] avoid pthread_join if backgroundLoop is FALSE
+
+client_thread is created depending upon backgroundLoop, but joining
+without checking for same condition. so we are trying to join a garbage
+thread_id.
+---
+ libvncserver/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/libvncserver/main.c
b/libvncserver/main.c
+@@ -1095,9 +1095,11 @@
+ }
+
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++if(currentCl->screen->backgroundLoop) {
+ // Notify the thread and join it
+ write(currentCl->pipe_notify_client_thread[1], "\x00", 1);
+ pthread_join(currentCl->client_thread, NULL);
++}
+ #else
+ rfbClientConnectionGone(currentCl);
+ #endif
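Review bot: gating the write()/pthread_join() pair on `currentCl->screen->backgroundLoop` matches the condition under which client_thread is created, per the commit message, and joining an uninitialised pthread_t is undefined behaviour, so this is consistent with the x11vnc crash on client connect that this upload is meant to fix; 4.patch is the complementary fix for the close() side of the same uninitialised state. Style only: the added `++if(currentCl->screen->backgroundLoop) {` and `++}` lines have no space after `if` and sit at a different indentation level from the code they wrap, unlike the surrounding libvncserver style; since this is a verbatim cherry-pick it is fine to keep upstream's formatting, but it is worth knowing if the patch ever has to be rebased.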
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch
libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch
---