[Pkg-tigervnc-devel] Bug#1141381: trixie-pu: package tigervnc/1.15.0+dfsg-2.1~deb13u1
Adrian Bunk
bunk at debian.org
Fri Jul 3 18:07:16 BST 2026
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: tigervnc at packages.debian.org, security at debian.org
Control: affects -1 + src:tigervnc
User: release.debian.org at packages.debian.org
Usertags: pu
* CVE-2026-34352: Prevent other users reading x0vncserver screen
(Closes: #1132166)
-------------- next part --------------
diffstat for tigervnc-1.15.0+dfsg tigervnc-1.15.0+dfsg
changelog | 15 +++++
patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch | 28 ++++++++++
patches/series | 1
3 files changed, 44 insertions(+)
diff -Nru tigervnc-1.15.0+dfsg/debian/changelog tigervnc-1.15.0+dfsg/debian/changelog
--- tigervnc-1.15.0+dfsg/debian/changelog 2025-05-06 01:30:59.000000000 +0300
+++ tigervnc-1.15.0+dfsg/debian/changelog 2026-07-03 19:13:02.000000000 +0300
@@ -1,3 +1,18 @@
+tigervnc (1.15.0+dfsg-2.1~deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for trixie.
+
+ -- Adrian Bunk <bunk at debian.org> Fri, 03 Jul 2026 19:13:02 +0300
+
+tigervnc (1.15.0+dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-34352: Prevent other users reading x0vncserver screen
+ (Closes: #1132166)
+
+ -- Adrian Bunk <bunk at debian.org> Wed, 01 Jul 2026 11:47:57 +0300
+
tigervnc (1.15.0+dfsg-2) unstable; urgency=medium
[ Stephan Springl ]
diff -Nru tigervnc-1.15.0+dfsg/debian/patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch tigervnc-1.15.0+dfsg/debian/patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch
--- tigervnc-1.15.0+dfsg/debian/patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch 1970-01-01 02:00:00.000000000 +0200
+++ tigervnc-1.15.0+dfsg/debian/patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch 2026-07-01 11:47:08.000000000 +0300
@@ -0,0 +1,28 @@
+From 8010762320e95f56152af4e327b3fe19b27e6d37 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman <ossman at cendio.se>
+Date: Tue, 24 Mar 2026 09:52:01 +0100
+Subject: Prevent other users reading x0vncserver screen
+
+Prevent other users from observing the screen, or modifying what is sent
+to the client. Malicious attackers can even crash x0vncserver if they
+time the modifications right.
+---
+ unix/x0vncserver/Image.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unix/x0vncserver/Image.cxx b/unix/x0vncserver/Image.cxx
+index bfe5e730..77554ea3 100644
+--- a/unix/x0vncserver/Image.cxx
++++ b/unix/x0vncserver/Image.cxx
+@@ -287,7 +287,7 @@ void ShmImage::Init(int width, int height, const XVisualInfo *vinfo)
+
+ shminfo->shmid = shmget(IPC_PRIVATE,
+ xim->bytes_per_line * xim->height,
+- IPC_CREAT|0777);
++ IPC_CREAT|0600);
+ if (shminfo->shmid == -1) {
+ perror("shmget");
+ vlog.error("shmget() failed (%d bytes requested)",
+--
+2.47.3
+
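Review bot: In the `shmget()` call in `ShmImage::Init`, the mode is applied only when the segment is created, so x0vncserver processes that are already running keep their 0777 segments after the package is upgraded; the changelog or this request should state that running instances need a restart. The `0600` mode also assumes that whatever attaches to the segment on the X server side runs as the same user or with the privilege to bypass IPC permissions, which is worth confirming for trixie since nothing in this hunk shows the attach side. The patch header names neither CVE-2026-34352 nor #1132166; adding both would let the patch be traced without the changelog.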
diff -Nru tigervnc-1.15.0+dfsg/debian/patches/series tigervnc-1.15.0+dfsg/debian/patches/series
--- tigervnc-1.15.0+dfsg/debian/patches/series 2025-05-06 01:30:32.000000000 +0300
+++ tigervnc-1.15.0+dfsg/debian/patches/series 2026-07-01 11:47:56.000000000 +0300
@@ -39,3 +39,4 @@
# The following patches are security fixes
CVE-2014-8240-849479.patch
+0001-Prevent-other-users-reading-x0vncserver-screen.patch
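Review bot: The new `series` entry sits under "The following patches are security fixes" but, unlike `CVE-2014-8240-849479.patch` directly above it, its file name carries no CVE id. Either rename it to include CVE-2026-34352 or add a `#` comment line above it naming the CVE and #1132166, so the security section stays searchable by identifier.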