Version in base suite: 0.9.11+dfsg-1.3 Base version: libvncserver_0.9.11+dfsg-1.3 Target version: libvncserver_0.9.11+dfsg-1.3+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libv/libvncserver/libvncserver_0.9.11+dfsg-1.3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libv/libvncserver/libvncserver_0.9.11+dfsg-1.3+deb10u1.dsc changelog | 13 + patches/0001-ignore_webclients.patch | 2 patches/0002-set-true-color-flag-to-1.patch | 20 + patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch | 13 - patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch | 25 -- patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch | 11 patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch | 7 patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch | 7 patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch | 7 patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch | 11 patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch | 7 patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch | 9 patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch | 17 - patches/CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch | 7 patches/CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch | 11 patches/CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch | 7 patches/CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch | 7 patches/CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch | 7 patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch | 7 patches/CVE-2019-15681/0001-rfbserver-don-t-leak-stack-memory-to-the-remote.patch | 21 + patches/series | 5 
patches/use-after-free/1.patch | 39 +++ patches/use-after-free/2.patch | 112 ++++++++++ patches/use-after-free/3.patch | 23 ++ 24 files changed, 269 insertions(+), 126 deletions(-) diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog --- libvncserver-0.9.11+dfsg/debian/changelog 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/changelog 2019-12-03 08:18:57.000000000 +0000 @@ -1,3 +1,16 @@ +libvncserver (0.9.11+dfsg-1.3+deb10u1) buster; urgency=medium + + * CVE-2019-15681: rfbserver: don't leak stack memory to the remote. (Closes: + #943793). + * debian/patches: + + Trivial patch rebasing. + + Add 3 use-after-free patches. Resolve a freeze during connection closure and a + segmentation fault on multi-threaded VNC servers. (Closes: #905786). + + Add 0002-set-true-color-flag-to-1.patch. Fix connecting to VMware servers. + (Closes: #880531). + + -- Mike Gabriel Tue, 03 Dec 2019 09:18:57 +0100 + libvncserver (0.9.11+dfsg-1.3) unstable; urgency=medium * Non-maintainer upload. diff -Nru libvncserver-0.9.11+dfsg/debian/patches/0001-ignore_webclients.patch libvncserver-0.9.11+dfsg/debian/patches/0001-ignore_webclients.patch --- libvncserver-0.9.11+dfsg/debian/patches/0001-ignore_webclients.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/0001-ignore_webclients.patch 2019-12-03 08:18:57.000000000 +0000 @@ -21,7 +21,7 @@ bin_SCRIPTS = libvncserver-config --- a/configure.ac 
+++ b/configure.ac -@@ -594,9 +594,6 @@ +@@ -583,9 +583,6 @@ libvncserver/Makefile examples/Makefile examples/android/Makefile diff -Nru libvncserver-0.9.11+dfsg/debian/patches/0002-set-true-color-flag-to-1.patch libvncserver-0.9.11+dfsg/debian/patches/0002-set-true-color-flag-to-1.patch --- libvncserver-0.9.11+dfsg/debian/patches/0002-set-true-color-flag-to-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/0002-set-true-color-flag-to-1.patch 2019-12-03 08:18:57.000000000 +0000 @@ -0,0 +1,20 @@ +From 7c54f07ca55046c6f9b5859c44781a1f22002982 Mon Sep 17 00:00:00 2001 +From: dborth +Date: Mon, 3 Apr 2017 09:43:44 -0600 +Subject: [PATCH] Issue #141: Set trueColour flag to 1 instead of 255 + +--- + libvncclient/vncviewer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/libvncclient/vncviewer.c ++++ b/libvncclient/vncviewer.c +@@ -161,7 +161,7 @@ + client->format.depth = bitsPerSample*samplesPerPixel; + client->appData.requestedDepth=client->format.depth; + client->format.bigEndian = *(char *)&client->endianTest?FALSE:TRUE; +- client->format.trueColour = TRUE; ++ client->format.trueColour = 1; + + if (client->format.bitsPerPixel == 8) { + client->format.redMax = 7; diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0001-tightvnc-filetransfer-tie-the-download-thread-to-the.patch 2019-12-03 08:18:57.000000000 +0000 
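Review bot: The context line two above the change in vncviewer.c still assigns `FALSE:TRUE` to `client->format.bigEndian`, which is another single-byte pixel-format field, while only `trueColour` is switched to a literal. The patch subject says the old value went out as 255, which suggests TRUE does not expand to 1 in this tree (inferred; the macro definition is outside the hunk). If so, the same non-canonical value would still be produced for `bigEndian` on big-endian hosts. I would write `client->format.bigEndian = *(char *)&client->endianTest ? 0 : 1;` and add a comment on the changed line such as `/* literal 1, not TRUE: this byte goes on the wire and strict servers reject other values */` so a later cleanup does not revert it. The enclosing function starts and ends outside the hunk.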
@@ -13,11 +13,9 @@ libvncserver/tightvnc-filetransfer/rfbtightproto.h | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) -diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c -index 0473783164f2..8e38f8880f5b 100644 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c -@@ -508,7 +508,6 @@ RunFileDownloadThread(void* client) +@@ -506,7 +506,6 @@ void HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp) { @@ -25,7 +23,7 @@ FileTransferMsg fileDownloadMsg; memset(&fileDownloadMsg, 0, sizeof(FileTransferMsg)); -@@ -521,7 +520,7 @@ HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp) +@@ -519,7 +518,7 @@ rtcp->rcft.rcfd.downloadInProgress = FALSE; rtcp->rcft.rcfd.downloadFD = -1; @@ -34,11 +32,9 @@ cl) != 0) { FileTransferMsg ftm = GetFileDownLoadErrMsg(); -diff --git a/libvncserver/tightvnc-filetransfer/rfbtightproto.h b/libvncserver/tightvnc-filetransfer/rfbtightproto.h -index d0fe642ecfa3..30fc5f5413aa 100644 --- a/libvncserver/tightvnc-filetransfer/rfbtightproto.h +++ b/libvncserver/tightvnc-filetransfer/rfbtightproto.h -@@ -148,6 +148,7 @@ typedef struct _rfbClientFileDownload { +@@ -148,6 +148,7 @@ int downloadInProgress; unsigned long mTime; int downloadFD; 
@@ -46,6 +42,3 @@ } rfbClientFileDownload ; typedef struct _rfbClientFileUpload { --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0002-tightvnc-filetransfer-refactor-CloseUndoneFileTransf.patch 2019-12-03 08:18:57.000000000 +0000 @@ -16,11 +16,9 @@ .../handlefiletransferrequest.c | 8 ++++---- 3 files changed, 16 insertions(+), 7 deletions(-) -diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.c b/libvncserver/tightvnc-filetransfer/filetransfermsg.c -index 5f84e7f3d323..f674b9283126 100644 --- a/libvncserver/tightvnc-filetransfer/filetransfermsg.c +++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.c -@@ -672,7 +672,7 @@ ChkFileUploadWriteErr(rfbClientPtr cl, rfbTightClientPtr rtcp, char* pBuf) +@@ -670,7 +670,7 @@ char reason[] = "Error writing file data"; int reasonLen = strlen(reason); ftm = CreateFileUploadErrMsg(reason, reasonLen); @@ -29,7 +27,7 @@ } return ftm; } -@@ -735,7 +735,7 @@ CreateFileUploadErrMsg(char* reason, unsigned int reasonLen) +@@ -733,7 +733,7 @@ ******************************************************************************/ void @@ -38,7 +36,7 @@ { /* TODO :: File Upload case is not handled currently */ /* TODO :: In case of concurrency we need to use Critical Section */ -@@ -759,6 +759,14 @@ CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr rtcp) +@@ -757,6 +757,14 @@ memset(rtcp->rcft.rcfu.fName, 0 , PATH_MAX); } 
@@ -53,11 +51,9 @@ if(rtcp->rcft.rcfd.downloadInProgress == TRUE) { rtcp->rcft.rcfd.downloadInProgress = FALSE; -diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.h b/libvncserver/tightvnc-filetransfer/filetransfermsg.h -index 3b27bd04d3f0..bbb9148db4d6 100644 --- a/libvncserver/tightvnc-filetransfer/filetransfermsg.h +++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.h -@@ -51,7 +51,8 @@ FileTransferMsg ChkFileUploadWriteErr(rfbClientPtr cl, rfbTightClientPtr data, c +@@ -51,7 +51,8 @@ void CreateDirectory(char* dirName); void FileUpdateComplete(rfbClientPtr cl, rfbTightClientPtr data); @@ -67,11 +63,9 @@ void FreeFileTransferMsg(FileTransferMsg ftm); -diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c -index 8e38f8880f5b..31163d0f62f3 100644 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c -@@ -492,7 +492,7 @@ RunFileDownloadThread(void* client) +@@ -490,7 +490,7 @@ if(cl != NULL) { rfbCloseClient(cl); @@ -80,7 +74,7 @@ } FreeFileTransferMsg(fileDownloadMsg); -@@ -592,7 +592,7 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl, rfbTightClientPtr rtcp) +@@ -588,7 +588,7 @@ " reason <%s>\n", __FILE__, __FUNCTION__, reason); pthread_mutex_lock(&fileDownloadMutex); @@ -89,7 +83,7 @@ pthread_mutex_unlock(&fileDownloadMutex); if(reason != NULL) { -@@ -835,7 +835,7 @@ HandleFileUploadDataRequest(rfbClientPtr cl, rfbTightClientPtr rtcp) +@@ -831,7 +831,7 @@ FreeFileTransferMsg(ftm); } @@ -98,7 +92,7 @@ if(pBuf != NULL) { free(pBuf); -@@ -935,7 +935,7 @@ HandleFileUploadFailedRequest(rfbClientPtr cl, rfbTightClientPtr rtcp) +@@ -931,7 +931,7 @@ rfbLog("File [%s]: Method [%s]: File Upload Failed Request received:" " reason <%s>\n", __FILE__, __FUNCTION__, reason); 
@@ -107,6 +101,3 @@ if(reason != NULL) { free(reason); --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0003-tightvnc-filetransfer-wait-for-download-thread-end-i.patch 2019-12-03 08:18:57.000000000 +0000 @@ -15,11 +15,9 @@ libvncserver/tightvnc-filetransfer/rfbtightserver.c | 7 +++++-- 2 files changed, 7 insertions(+), 2 deletions(-) -diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.c b/libvncserver/tightvnc-filetransfer/filetransfermsg.c -index f674b9283126..0003b11f6f50 100644 --- a/libvncserver/tightvnc-filetransfer/filetransfermsg.c +++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.c -@@ -770,6 +770,8 @@ CloseUndoneFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp) +@@ -768,6 +768,8 @@ if(rtcp->rcft.rcfd.downloadInProgress == TRUE) { rtcp->rcft.rcfd.downloadInProgress = FALSE; @@ -28,8 +26,6 @@ if(rtcp->rcft.rcfd.downloadFD != -1) { close(rtcp->rcft.rcfd.downloadFD); -diff --git a/libvncserver/tightvnc-filetransfer/rfbtightserver.c b/libvncserver/tightvnc-filetransfer/rfbtightserver.c -index 67d4cb545fad..651d8fb7e75f 100644 --- a/libvncserver/tightvnc-filetransfer/rfbtightserver.c +++ b/libvncserver/tightvnc-filetransfer/rfbtightserver.c @@ -26,6 +26,7 @@ @@ -40,7 +36,7 @@ /* * Get my data! -@@ -448,9 +449,11 @@ rfbTightExtensionMsgHandler(struct _rfbClientRec* cl, void* data, +@@ -448,9 +449,11 @@ void rfbTightExtensionClientClose(rfbClientPtr cl, void* data) { 
@@ -54,6 +50,3 @@ } void --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0004-tightvnc-filetransfer-when-creating-a-new-download-t.patch 2019-12-03 08:18:57.000000000 +0000 @@ -12,11 +12,9 @@ libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) -diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c -index 31163d0f62f3..70e105f45adb 100644 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c -@@ -517,8 +517,7 @@ HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp) +@@ -515,8 +515,7 @@ FreeFileTransferMsg(fileDownloadMsg); return; } @@ -26,6 +24,3 @@ if(pthread_create(&rtcp->rcft.rcfd.downloadThread, NULL, RunFileDownloadThread, (void*) cl) != 0) { --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15126/0005-tightvnc-filetransfer-do-not-close-stuff-from-within.patch 2019-12-03 08:18:57.000000000 +0000 
@@ -13,11 +13,9 @@ .../tightvnc-filetransfer/handlefiletransferrequest.c | 6 ------ 1 file changed, 6 deletions(-) -diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c -index 70e105f45adb..71fb08512470 100644 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c -@@ -489,12 +489,6 @@ RunFileDownloadThread(void* client) +@@ -487,12 +487,6 @@ if(rfbWriteExact(cl, fileDownloadMsg.data, fileDownloadMsg.length) < 0) { rfbLog("File [%s]: Method [%s]: Error while writing to socket \n" , __FILE__, __FUNCTION__); @@ -30,6 +28,3 @@ FreeFileTransferMsg(fileDownloadMsg); return NULL; } --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-15127/0001-LibVNCServer-fix-heap-out-of-bound-write-access.patch 2019-12-03 08:18:57.000000000 +0000 @@ -11,11 +11,9 @@ libvncserver/rfbserver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c -index ed1365a55389..6ca511fee3ed 100644 --- a/libvncserver/rfbserver.c +++ b/libvncserver/rfbserver.c -@@ -1465,7 +1465,7 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length) +@@ -1466,7 +1466,7 @@ rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length); */ if (length>0) { 
@@ -24,6 +22,3 @@ if (buffer!=NULL) { if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) { if (n != 0) --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20019/0001-LibVNCClient-fix-three-possible-heap-buffer-overflow.patch 2019-12-03 08:18:57.000000000 +0000 @@ -14,11 +14,9 @@ libvncclient/rfbproto.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) -diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c -index 8d6a4c1f0d9d..ac2a983597e4 100644 --- a/libvncclient/rfbproto.c +++ b/libvncclient/rfbproto.c -@@ -433,7 +433,7 @@ rfbHandleAuthResult(rfbClient* client) +@@ -553,7 +553,7 @@ /* we have an error following */ if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE; reasonLen = rfbClientSwap32IfLE(reasonLen); @@ -27,7 +25,7 @@ if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; } reason[reasonLen]=0; rfbClientLog("VNC connection failed: %s\n",reason); -@@ -461,7 +461,7 @@ ReadReason(rfbClient* client) +@@ -581,7 +581,7 @@ /* we have an error following */ if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return; reasonLen = rfbClientSwap32IfLE(reasonLen); @@ -36,7 +34,7 @@ if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; } reason[reasonLen]=0; rfbClientLog("VNC connection failed: %s\n",reason); -@@ -2187,10 +2187,12 @@ HandleRFBServerMessage(rfbClient* client) +@@ -2245,10 +2245,12 @@ msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); 
@@ -51,6 +49,3 @@ buffer[msg.sct.length] = 0; --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20021/0001-LibVNCClient-fix-possible-infinite-loop.patch 2019-12-03 08:18:57.000000000 +0000 @@ -11,11 +11,9 @@ libvncclient/rfbproto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c -index 808ad4d28b7f..8d6a4c1f0d9d 100644 --- a/libvncclient/rfbproto.c +++ b/libvncclient/rfbproto.c -@@ -1879,7 +1879,7 @@ HandleRFBServerMessage(rfbClient* client) +@@ -1973,7 +1973,7 @@ /* Regardless of cause, do not divide by zero. */ linesToRead = bytesPerLine ? (RFB_BUFFER_SIZE / bytesPerLine) : 0; @@ -24,6 +22,3 @@ if (linesToRead > h) linesToRead = h; --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20022/0001-LibVNCClient-don-t-leak-uninitialised-memory-to-remo.patch 2019-12-03 08:18:57.000000000 +0000 @@ -14,11 +14,9 @@ libvncclient/rfbproto.c | 2 ++ 1 file changed, 2 insertions(+) -diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c -index 669e38848d15..808ad4d28b7f 100644 --- a/libvncclient/rfbproto.c 
+++ b/libvncclient/rfbproto.c -@@ -1643,6 +1643,7 @@ SendKeyEvent(rfbClient* client, uint32_t key, rfbBool down) +@@ -1739,6 +1739,7 @@ if (!SupportsClient2Server(client, rfbKeyEvent)) return TRUE; @@ -26,7 +24,7 @@ ke.type = rfbKeyEvent; ke.down = down ? 1 : 0; ke.key = rfbClientSwap32IfLE(key); -@@ -1661,6 +1662,7 @@ SendClientCutText(rfbClient* client, char *str, int len) +@@ -1757,6 +1758,7 @@ if (!SupportsClient2Server(client, rfbClientCutText)) return TRUE; @@ -34,6 +32,3 @@ cct.type = rfbClientCutText; cct.length = rfbClientSwap32IfLE(len); return (WriteToRFBServer(client, (char *)&cct, sz_rfbClientCutTextMsg) && --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20023/0001-When-connecting-to-a-repeater-only-send-initialised-.patch 2019-12-03 08:18:57.000000000 +0000 @@ -12,11 +12,9 @@ libvncclient/rfbproto.c | 8 ++++++-- 2 files changed, 14 insertions(+), 4 deletions(-) -diff --git a/examples/repeater.c b/examples/repeater.c -index cf0350ff98a2..dbfa39e1d514 100644 --- a/examples/repeater.c +++ b/examples/repeater.c -@@ -12,6 +12,7 @@ int main(int argc,char** argv) +@@ -12,6 +12,7 @@ char *repeaterHost; int repeaterPort, sock; char id[250]; @@ -24,7 +22,7 @@ rfbClientPtr cl; int i,j; -@@ -23,7 +24,12 @@ int main(int argc,char** argv) +@@ -23,7 +24,12 @@ "Usage: %s []\n", argv[0]); exit(1); } @@ -38,7 +36,7 @@ repeaterHost = argv[2]; repeaterPort = argc < 4 ? 5500 : atoi(argv[3]); -@@ -48,7 +54,7 @@ int main(int argc,char** argv) +@@ -48,7 +54,7 @@ perror("connect to repeater"); return 1; } 
@@ -47,11 +45,9 @@ perror("writing id"); return 1; } -diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c -index e5373bc4345f..669e38848d15 100644 --- a/libvncclient/rfbproto.c +++ b/libvncclient/rfbproto.c -@@ -363,6 +363,7 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep +@@ -487,6 +487,7 @@ rfbProtocolVersionMsg pv; int major,minor; char tmphost[250]; @@ -59,7 +55,7 @@ #ifdef LIBVNCSERVER_IPv6 client->sock = ConnectClientToTcpAddr6(repeaterHost, repeaterPort); -@@ -398,8 +399,11 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep +@@ -522,8 +523,11 @@ rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n", major, minor); @@ -73,6 +69,3 @@ return FALSE; return TRUE; --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0001-LibVNCClient-ignore-server-sent-cut-text-longer-than.patch 2019-12-03 08:18:57.000000000 +0000 @@ -11,11 +11,9 @@ libvncclient/rfbproto.c | 5 +++++ 1 file changed, 5 insertions(+) -diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c -index 4541e0d53ad3..8792dbf67c48 100644 --- a/libvncclient/rfbproto.c +++ b/libvncclient/rfbproto.c -@@ -2217,6 +2217,11 @@ HandleRFBServerMessage(rfbClient* client) +@@ -2251,6 +2251,11 @@ msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); 
@@ -27,6 +25,3 @@ buffer = malloc((uint64_t)msg.sct.length+1); if (!ReadFromRFBServer(client, buffer, msg.sct.length)) { --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0002-LibVNCClient-ignore-server-sent-reason-strings-longe.patch 2019-12-03 08:18:57.000000000 +0000 @@ -10,11 +10,9 @@ libvncclient/rfbproto.c | 45 +++++++++++++++++++---------------------- 1 file changed, 21 insertions(+), 24 deletions(-) -diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c -index 8792dbf67c48..ba7d70a71575 100644 --- a/libvncclient/rfbproto.c +++ b/libvncclient/rfbproto.c -@@ -412,11 +412,29 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep +@@ -536,11 +536,29 @@ extern void rfbClientEncryptBytes(unsigned char* bytes, char* passwd); extern void rfbClientEncryptBytes2(unsigned char *where, const int length, unsigned char *key); @@ -46,7 +44,7 @@ if (!ReadFromRFBServer(client, (char *)&authResult, 4)) return FALSE; -@@ -431,13 +449,7 @@ rfbHandleAuthResult(rfbClient* client) +@@ -555,13 +573,7 @@ if (client->major==3 && client->minor>7) { /* we have an error following */ @@ -61,7 +59,7 @@ return FALSE; } rfbClientLog("VNC authentication failed\n"); -@@ -452,21 +464,6 @@ rfbHandleAuthResult(rfbClient* client) +@@ -576,21 +588,6 @@ return FALSE; } 
@@ -83,6 +81,3 @@ static rfbBool ReadSupportedSecurityType(rfbClient* client, uint32_t *result, rfbBool subAuth) --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0003-LibVNCClient-fail-on-server-sent-desktop-name-length.patch 2019-12-03 08:18:57.000000000 +0000 @@ -11,11 +11,9 @@ libvncclient/rfbproto.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) -diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c -index e56e778f6b91..6af21a54f07b 100644 --- a/libvncclient/rfbproto.c +++ b/libvncclient/rfbproto.c -@@ -1224,8 +1224,12 @@ InitialiseRFBConnection(rfbClient* client) +@@ -1293,8 +1293,12 @@ client->si.format.blueMax = rfbClientSwap16IfLE(client->si.format.blueMax); client->si.nameLength = rfbClientSwap32IfLE(client->si.nameLength); @@ -30,6 +28,3 @@ if (!client->desktopName) { rfbClientLog("Error allocating memory for desktop name, %lu bytes\n", (unsigned long)client->si.nameLength); --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch 2019-12-03 08:18:57.000000000 +0000 
@@ -10,11 +10,9 @@ libvncclient/rfbproto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c -index 6af21a54f07b..2f887c32978f 100644 --- a/libvncclient/rfbproto.c +++ b/libvncclient/rfbproto.c -@@ -2227,7 +2227,7 @@ HandleRFBServerMessage(rfbClient* client) +@@ -2257,7 +2257,7 @@ return FALSE; } @@ -23,6 +21,3 @@ if (!ReadFromRFBServer(client, buffer, msg.sct.length)) { free(buffer); --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch 2019-12-03 08:18:57.000000000 +0000 @@ -11,11 +11,9 @@ libvncserver/rfbserver.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) -diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c -index 6ca511fee3ed..e210a32f5c45 100644 --- a/libvncserver/rfbserver.c +++ b/libvncserver/rfbserver.c -@@ -1461,11 +1461,21 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length) +@@ -1462,11 +1462,21 @@ int n=0; FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL); 
@@ -39,6 +37,3 @@ if (buffer!=NULL) { if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) { if (n != 0) --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch 2019-01-30 21:39:15.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2018-6307/0001-tightvnc-filetransfer-fix-heap-use-after-free.patch 2019-12-03 08:18:57.000000000 +0000 @@ -17,11 +17,9 @@ libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c | 2 ++ 1 file changed, 2 insertions(+) -diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c -index c511eed17fcd..0473783164f2 100644 --- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c +++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c -@@ -585,6 +585,8 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl, rfbTightClientPtr rtcp) +@@ -575,6 +575,8 @@ "FileDownloadCancelMsg\n", __FILE__, __FUNCTION__); rfbCloseClient(cl); @@ -30,6 +28,3 @@ } rfbLog("File [%s]: Method [%s]: File Download Cancel Request received:" --- -2.20.1 - diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15681/0001-rfbserver-don-t-leak-stack-memory-to-the-remote.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15681/0001-rfbserver-don-t-leak-stack-memory-to-the-remote.patch --- libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15681/0001-rfbserver-don-t-leak-stack-memory-to-the-remote.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15681/0001-rfbserver-don-t-leak-stack-memory-to-the-remote.patch 2019-12-03 08:18:57.000000000 +0000 
@@ -0,0 +1,21 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+---
+ libvncserver/rfbserver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -3529,6 +3529,8 @@
+ rfbServerCutTextMsg sct;
+ rfbClientIteratorPtr iterator;
+
++ memset((char *)&sct, 0, sizeof(sct));
++
+ iterator = rfbGetClientIterator(rfbScreen);
+ while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
+ sct.type = rfbServerCutText;
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series 2019-01-30 21:39:15.000000000 +0000
+++ libvncserver-0.9.11+dfsg/debian/patches/series 2019-12-03 08:18:57.000000000 +0000
@@ -21,3 +21,8 @@
 CVE-2018-20748/0004-LibVNCClient-remove-now-useless-cast.patch
 CVE-2018-20749/0001-Error-out-in-rfbProcessFileTransferReadBuffer-if-len.patch
 CVE-2018-20750/0001-Limit-lenght-to-INT_MAX-bytes-in-rfbProcessFileTrans.patch
+CVE-2019-15681/0001-rfbserver-don-t-leak-stack-memory-to-the-remote.patch
+use-after-free/1.patch
+use-after-free/2.patch
+use-after-free/3.patch
+0002-set-true-color-flag-to-1.patch
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/1.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/1.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/1.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/1.patch 2019-12-03 08:18:57.000000000 +0000
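Review bot: The `memset((char *)&sct, 0, sizeof(sct));` added ahead of the client loop in rfbserver.c has no comment saying which bytes it protects, and the `(char *)` cast is unnecessary because memset takes `void *`. The hunk shows only `sct.type` being assigned inside the loop, so any padding members of the message would otherwise leave the stack uninitialised before the struct is sent (inferred from the patch subject; the struct layout and the write call are outside the hunk). I would write `memset(&sct, 0, sizeof(sct)); /* zero pad bytes too: the whole struct is written to every client */`. Other on-stack message structs in this file that are filled field by field deserve the same check. The enclosing function starts and ends outside the hunk.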
@@ -0,0 +1,39 @@
+From 96e163bdae65aa2c68e4301cf9ebe29e9f53f3d9 Mon Sep 17 00:00:00 2001
+From: Quentin BUATHIER
+Date: Wed, 8 Aug 2018 16:14:39 +0200
+Subject: [PATCH] Fix use-after-free
+
+---
+ libvncserver/main.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/libvncserver/main.c
++++ b/libvncserver/main.c
+@@ -1064,15 +1064,21 @@
+
+ void rfbShutdownServer(rfbScreenInfoPtr screen,rfbBool disconnectClients) {
+ if(disconnectClients) {
+- rfbClientPtr cl;
+ rfbClientIteratorPtr iter = rfbGetClientIterator(screen);
+- while( (cl = rfbClientIteratorNext(iter)) ) {
+- if (cl->sock > -1) {
+- /* we don't care about maxfd here, because the server goes away */
+- rfbCloseClient(cl);
+- rfbClientConnectionGone(cl);
++ rfbClientPtr nextCl, currentCl = rfbClientIteratorNext(iter);
++
++ while(currentCl) {
++ nextCl = rfbClientIteratorNext(iter);
++ if (currentCl->sock > -1) {
++ /* we don't care about maxfd here, because the server goes away */
++ rfbCloseClient(currentCl);
+ }
++
++ rfbClientConnectionGone(currentCl);
++
++ currentCl = nextCl;
+ }
++
+ rfbReleaseClientIterator(iter);
+ }
+
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/2.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/2.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/2.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/2.patch 2019-12-03 08:18:57.000000000 +0000
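Review bot: `rfbClientConnectionGone(currentCl)` now runs for every client on the list, where the old loop called it only inside `if (cl->sock > -1)`. If a client with `sock == -1` is one whose teardown has already started elsewhere (for example in a per-client thread on threaded builds, which this hunk does not show), the shutdown path would release it a second time. Either keep the call under the guard or add a comment above it stating why a client still on the list is safe to release here. Fetching `nextCl` before releasing `currentCl` also assumes the iterator keeps no reference to the client it last returned, which is worth confirming against `rfbClientIteratorNext`.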
@@ -0,0 +1,112 @@
+From cedae6e6f97b14f5df3ea7c5f7efd59f2bc9ad82 Mon Sep 17 00:00:00 2001
+From: Quentin BUATHIER
+Date: Thu, 9 Aug 2018 09:33:59 +0200
+Subject: [PATCH] Fix the concurrent issue hapenning between the freeing of the
+ client and the clientOutput thread
+
+---
+ libvncserver/main.c | 29 ++++++++++++++++++++++++++---
+ libvncserver/rfbserver.c | 5 +++++
+ rfb/rfb.h | 1 +
+ 3 files changed, 32 insertions(+), 3 deletions(-)
+
+--- a/libvncserver/main.c
++++ b/libvncserver/main.c
+@@ -33,6 +33,7 @@
+ #include
+ #include
+ #include
++#include
+ #endif
+
+ #include
+@@ -524,6 +525,7 @@
+
+ FD_ZERO(&rfds);
+ FD_SET(cl->sock, &rfds);
++ FD_SET(cl->pipe_notify_client_thread[0], &rfds);
+ FD_ZERO(&efds);
+ FD_SET(cl->sock, &efds);
+
+@@ -532,9 +534,13 @@
+ if ((cl->fileTransfer.fd!=-1) && (cl->fileTransfer.sending==1))
+ FD_SET(cl->sock, &wfds);
+
++ int nfds = cl->pipe_notify_client_thread[0] > cl->sock ? cl->pipe_notify_client_thread[0] : cl->sock;
++
+ tv.tv_sec = 60; /* 1 minute */
+ tv.tv_usec = 0;
+- n = select(cl->sock + 1, &rfds, &wfds, &efds, &tv);
++
++ n = select(nfds + 1, &rfds, &wfds, &efds, &tv);
++
+ if (n < 0) {
+ rfbLogPerror("ReadExact: select");
+ break;
+@@ -549,6 +555,13 @@
+ if (FD_ISSET(cl->sock, &wfds))
+ rfbSendFileTransferChunk(cl);
+
++ if (FD_ISSET(cl->pipe_notify_client_thread[0], &rfds))
++ {
++ // Reset the pipe
++ char buf;
++ while (read(cl->pipe_notify_client_thread[0], &buf, sizeof(buf)) == sizeof(buf));
++ }
++
+ if (FD_ISSET(cl->sock, &rfds) || FD_ISSET(cl->sock, &efds))
+ {
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+@@ -619,8 +632,12 @@
+ {
+ cl->onHold = FALSE;
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
+- if(cl->screen->backgroundLoop)
+- pthread_create(&cl->client_thread, NULL, clientInput, (void *)cl);
++ if(cl->screen->backgroundLoop) {
++ pipe(cl->pipe_notify_client_thread);
++ fcntl(cl->pipe_notify_client_thread[0], F_SETFL, O_NONBLOCK);
++
++ pthread_create(&cl->client_thread, NULL, clientInput, (void *)cl);
++ }
+ #endif
+
}
+
+@@ -1074,7 +1091,13 @@
+ rfbCloseClient(currentCl);
+ }
+
++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++ // Notify the thread and join it
++ write(currentCl->pipe_notify_client_thread[1], "\x00", 1);
++ pthread_join(currentCl->client_thread, NULL);
++#else
+ rfbClientConnectionGone(currentCl);
++#endif
+
+ currentCl = nextCl;
+ }
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -622,6 +622,11 @@
+ UNLOCK(cl->sendMutex);
+ TINI_MUTEX(cl->sendMutex);
+
++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++ close(cl->pipe_notify_client_thread[0]);
++ close(cl->pipe_notify_client_thread[1]);
++#endif
++
+ rfbPrintStats(cl);
+ rfbResetStats(cl);
+
+--- a/rfb/rfb.h
++++ b/rfb/rfb.h
+@@ -466,6 +466,7 @@
+ int protocolMinorVersion;
+
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++ int pipe_notify_client_thread[2];
+ pthread_t client_thread;
+ #endif
+
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/3.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/3.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/3.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/3.patch 2019-12-03 08:18:57.000000000 +0000
@@ -0,0 +1,23 @@
+From 00bae113d54014bafcf20c9f4c8c296e3e91bde5 Mon Sep 17 00:00:00 2001
+From: Quentin BUATHIER
+Date: Thu, 6 Dec 2018 09:16:51 +0100
+Subject: [PATCH] Check the return code of pipe
+
+---
+ libvncserver/main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/libvncserver/main.c
++++ b/libvncserver/main.c
+@@ -633,7 +633,10 @@
+ cl->onHold = FALSE;
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
+ if(cl->screen->backgroundLoop) {
+- pipe(cl->pipe_notify_client_thread);
++ if (pipe(cl->pipe_notify_client_thread) == -1) {
++ cl->pipe_notify_client_thread[0] = -1;
++ cl->pipe_notify_client_thread[1] = -1;
++ }
+ fcntl(cl->pipe_notify_client_thread[0], F_SETFL, O_NONBLOCK);
+
+ pthread_create(&cl->client_thread, NULL, clientInput, (void *)cl);
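Review bot: In the shutdown hunk (`@@ -1074,7 +1091,13 @@`) every client gets a byte written to `pipe_notify_client_thread[1]` and is joined with `pthread_join` whenever `LIBVNCSERVER_HAVE_LIBPTHREAD` is defined, yet the `@@ -619,8 +632,12 @@` hunk creates the pipe and the thread only when `cl->screen->backgroundLoop` is set. On a threaded build that does not run the background loop, the descriptors and `client_thread` appear never to be set, so the `write` can land on an unrelated descriptor, `pthread_join` acts on a thread that was never created, and `rfbClientConnectionGone` is no longer reached for that client. The same applies to the two `close()` calls added in the `rfbserver.c` hunk. Guarding on `backgroundLoop` and keeping the direct `rfbClientConnectionGone` call otherwise would cover both cases, and the `write` result should be checked as well. The enclosing functions start and end outside these hunks, so initialisation of the new fields elsewhere could not be checked.

```c
    rfbCloseClient(currentCl);
  }

#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
  if (currentCl->screen->backgroundLoop) {
    /* a client thread and its pipe exist only in background-loop mode */
    if (write(currentCl->pipe_notify_client_thread[1], "\x00", 1) < 0)
      rfbLogPerror("rfbShutdownServer: write");
    pthread_join(currentCl->client_thread, NULL);
  } else {
    rfbClientConnectionGone(currentCl);
  }
#else
  rfbClientConnectionGone(currentCl);
#endif
  /* … unchanged: currentCl = nextCl; … */
```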
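Review bot: When `pipe()` fails, both descriptors are set to -1, but the next line still calls `fcntl(cl->pipe_notify_client_thread[0], F_SETFL, O_NONBLOCK)` on -1 and the client thread is started regardless. That thread, as patched by use-after-free/2.patch, then runs `FD_SET(cl->pipe_notify_client_thread[0], &rfds)` with a negative descriptor, which is undefined for an `fd_set`, and shutdown later calls `write` and `close` on -1. The `fcntl` belongs in an `else` branch, and the failure should be logged, e.g. `rfbLogPerror("pipe");`. The consumers need a guard such as `if (cl->pipe_notify_client_thread[0] != -1)` around the `FD_SET`/`FD_ISSET`/`read` lines, and shutdown must not wait on a notification it cannot send. The return values of `fcntl` and `pthread_create` are still ignored, and the enclosing function starts and ends outside the hunk.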