[Pkg-tigervnc-devel] Bug#1141381: trixie-pu: package tigervnc/1.15.0+dfsg-2.1~deb13u1

Adrian Bunk bunk at debian.org
Fri Jul 3 18:07:16 BST 2026


Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: tigervnc at packages.debian.org, security at debian.org
Control: affects -1 + src:tigervnc
User: release.debian.org at packages.debian.org
Usertags: pu

  * CVE-2026-34352: Prevent other users reading x0vncserver screen
    (Closes: #1132166)
-------------- next part --------------
diffstat for tigervnc-1.15.0+dfsg tigervnc-1.15.0+dfsg

 changelog                                                         |   15 +++++
 patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch |   28 ++++++++++
 patches/series                                                    |    1 
 3 files changed, 44 insertions(+)

diff -Nru tigervnc-1.15.0+dfsg/debian/changelog tigervnc-1.15.0+dfsg/debian/changelog
--- tigervnc-1.15.0+dfsg/debian/changelog	2025-05-06 01:30:59.000000000 +0300
+++ tigervnc-1.15.0+dfsg/debian/changelog	2026-07-03 19:13:02.000000000 +0300
@@ -1,3 +1,18 @@
+tigervnc (1.15.0+dfsg-2.1~deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for trixie.
+
+ -- Adrian Bunk <bunk at debian.org>  Fri, 03 Jul 2026 19:13:02 +0300
+
+tigervnc (1.15.0+dfsg-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2026-34352: Prevent other users reading x0vncserver screen
+    (Closes: #1132166)
+
+ -- Adrian Bunk <bunk at debian.org>  Wed, 01 Jul 2026 11:47:57 +0300
+
 tigervnc (1.15.0+dfsg-2) unstable; urgency=medium
 
   [ Stephan Springl ]
diff -Nru tigervnc-1.15.0+dfsg/debian/patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch tigervnc-1.15.0+dfsg/debian/patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch
--- tigervnc-1.15.0+dfsg/debian/patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch	1970-01-01 02:00:00.000000000 +0200
+++ tigervnc-1.15.0+dfsg/debian/patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch	2026-07-01 11:47:08.000000000 +0300
@@ -0,0 +1,28 @@
+From 8010762320e95f56152af4e327b3fe19b27e6d37 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman <ossman at cendio.se>
+Date: Tue, 24 Mar 2026 09:52:01 +0100
+Subject: Prevent other users reading x0vncserver screen
+
+Prevent other users from observing the screen, or modifying what is sent
+to the client. Malicious attackers can even crash x0vncserver if they
+time the modifications right.
+---
+ unix/x0vncserver/Image.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unix/x0vncserver/Image.cxx b/unix/x0vncserver/Image.cxx
+index bfe5e730..77554ea3 100644
+--- a/unix/x0vncserver/Image.cxx
++++ b/unix/x0vncserver/Image.cxx
+@@ -287,7 +287,7 @@ void ShmImage::Init(int width, int height, const XVisualInfo *vinfo)
+ 
+   shminfo->shmid = shmget(IPC_PRIVATE,
+                           xim->bytes_per_line * xim->height,
+-                          IPC_CREAT|0777);
++                          IPC_CREAT|0600);
+   if (shminfo->shmid == -1) {
+     perror("shmget");
+     vlog.error("shmget() failed (%d bytes requested)",
+-- 
+2.47.3
+
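Review bot: the mode passed to shmget() in ShmImage::Init only takes effect when a segment is created, so segments already allocated by a running x0vncserver keep their 0777 permissions after the package is upgraded. The changelog or the update announcement should say that running x0vncserver instances have to be restarted for the fix to apply. The patch header also carries only From/Date/Subject; adding the CVE id and a Bug-Debian reference to #1132166 there would let the patch be traced without reading debian/changelog.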
diff -Nru tigervnc-1.15.0+dfsg/debian/patches/series tigervnc-1.15.0+dfsg/debian/patches/series
--- tigervnc-1.15.0+dfsg/debian/patches/series	2025-05-06 01:30:32.000000000 +0300
+++ tigervnc-1.15.0+dfsg/debian/patches/series	2026-07-01 11:47:56.000000000 +0300
@@ -39,3 +39,4 @@
 
 # The following patches are security fixes
 CVE-2014-8240-849479.patch
+0001-Prevent-other-users-reading-x0vncserver-screen.patch
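Review bot: the entry added under "# The following patches are security fixes" is named 0001-Prevent-other-users-reading-x0vncserver-screen.patch, while the existing entry in that section, CVE-2014-8240-849479.patch, carries its CVE id in the filename. Renaming the new patch to follow that pattern, using the CVE-2026-34352 id already given in the changelog, would keep the security section of the series file searchable by CVE.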

