vnc4 authentication bypass

Bug #77383 reported by David Bott
Affects          Status         Importance   Assigned to   Milestone
vnc4 (Debian)    Fix Released   Unknown
vnc4 (Ubuntu)    Fix Released   Critical     Unassigned
Dapper           Fix Released   Critical     Unassigned
Edgy             Fix Released   Critical     Unassigned

Bug Description

Binary package hint: vnc4server

Catalogued as Bug#395809: marked as done (vnc4 authentication bypass) in debian-bugs-rc

Apparently, this bug has been fixed in upstream versions of vnc4server (4.1.2), however the version in the Dapper repositories still contains the vulnerability.

dbott@thedrake:~$ sudo apt-cache show vnc4server
Package: vnc4server
Priority: optional
Section: universe/x11
Installed-Size: 2332
Maintainer: Ola Lundqvist <email address hidden>
Architecture: i386
Source: vnc4
Version: 4.1.1+xorg1.0.2-0ubuntu1
Provides: vnc-server, x0vnc-server

Essentially, it allows the password to be bypassed in VNC server
(see my write-up here: http://www.ubuntuforums.org/showthread.php?p=1942060#post1942060)

Links to references:

http://<email address hidden>/msg79912.html

Some more information about this issue can be found in:

http://www.intelliadmin.com/blog/2006/05/vnc-flaw-proof-of-concept.html
http://it.slashdot.org/article.pl?sid=06/05/11/2344217&from=rss
http://www.freerepublic.com/focus/f-news/1630902/posts
http://www.securityfocus.com/archive/1/433994/30/0/threaded


Changed in vnc4:
importance: Undecided → Critical
towsonu2003 (towsonu2003) wrote :
Kees Cook (kees) wrote :

Thanks for this report! If anyone has time to package up a debdiff for Dapper and Edgy, I would be happy to review and publish the USN.

Changed in vnc4:
status: Unknown → Fix Released
Changed in vnc4:
importance: Undecided → Critical
importance: Undecided → Critical
William Grant (wgrant) wrote :

I've backported the appropriate patch from 4.1.2 to the versions in Dapper and Edgy (which happen to be the same).

Changed in vnc4:
status: Unconfirmed → In Progress
status: Unconfirmed → In Progress
William Grant (wgrant) wrote :
William Grant (wgrant) wrote :

I note that this vulnerability was released over 7 months ago now... It was reported (in bug 50913) a little over a month after it was discovered, and pitti posted a comment mentioning that a MOTU could take care of it if they wanted. Unfortunately, there's no proper universe security process, so nobody else really even saw the bug. I think this process needs to be rethought, so we don't have nasty flaws like this one around for such a long period of time.

Kees Cook (kees) wrote :

Hmm... an additional problem with vnc4 is that it doesn't build on edgy (or feisty), it seems. Were you able to build and test your debdiff on edgy? Perhaps the best approach would be to fix the build in feisty first, and then figure out what's needed to make it build on edgy from there:

dpkg-checkbuilddeps: Unmet build dependencies: mesa-swrast-source (>> 6.4.1)

William Grant (wgrant) wrote :

mesa-swrast-source seems to have been replaced by mesa-swx11-source, so I've updated the Build-Depends. Also killing the build were a few bashisms in debian/rules. I've fixed them, and tested it (I made the mistake of thinking that if the changes worked in Dapper, they'd work in Edgy too; of course, I overlooked the fact that it had never built in Edgy, sorry). It works, and isn't vulnerable.

Kees Cook (kees) wrote :

Looks great! Go ahead and upload a version to feisty, since your fix should work there as well.

Changed in vnc4:
status: Unconfirmed → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
William Grant (wgrant) wrote :

Fix uploaded to Feisty.

Changed in vnc4:
status: Fix Committed → Fix Released
William Grant (wgrant) wrote :

The sparc version FTBFSed on Edgy and Feisty, due to a removed header being included in the included Xorg. Here's a debdiff which should fix the issue.

Kees Cook (kees)
Changed in vnc4:
status: Fix Committed → Fix Released
Kees Cook (kees) wrote :

Great! Thanks for tracking down that sneaky bit.

Since the sparc FTBFS happened on the security buildds, I needed to bump the version for the edgy-security debdiff. I'll upload that and get it building again. (I changed the edgy debdiff version to vnc4_4.1.1+xorg1.0.2-0ubuntu1.6.10.1)

I went ahead and published the Dapper updates.

Nicola Ferralis (feranick) wrote :

This update seems to have broken vnc4server in Edgy, see bug #78282. It was working with version:

vnc4 4.1.1+xorg1.0.2-0ubuntu1

William Grant (wgrant) wrote :

That is true, unfortunately. Not a use-case I tested, as I didn't expect an Edgy build to cause a /etc/X11/Xsession running with DISPLAY set to an Xvnc server to cause the process executing it to terminate, when running an xterm and the like on the Xvnc server ran fine. A rather odd problem, this is.

magilus (magilus)
Changed in vnc4:
status: Fix Committed → Fix Released
Peter Clifton (pcjc2) wrote :

Is this still a vulnerability in Feisty?

Shouldn't Feisty merge to the upstream version 4.1.2 which doesn't have the problem? It's very confusing to tell if vulnerable or not if fixes are backported, but the version number is still based at the known broken 4.1.1.

This report contains Public Security information
Everyone can see this security related information.
