Version in base suite: 0.9.11+dfsg-1.3 Version in overlay suite: 0.9.11+dfsg-1.3+deb10u1 Base version: libvncserver_0.9.11+dfsg-1.3+deb10u1 Target version: libvncserver_0.9.11+dfsg-1.3+deb10u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libv/libvncserver/libvncserver_0.9.11+dfsg-1.3+deb10u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libv/libvncserver/libvncserver_0.9.11+dfsg-1.3+deb10u2.dsc changelog | 10 ++++++++++ patches/series | 3 +++ patches/use-after-free/4.patch | 24 ++++++++++++++++++++++++ patches/use-after-free/5.patch | 26 ++++++++++++++++++++++++++ patches/use-after-free/6.patch | 30 ++++++++++++++++++++++++++++++ 5 files changed, 93 insertions(+)
diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog 2019-12-03 08:18:57.000000000 +0000
+++ libvncserver-0.9.11+dfsg/debian/changelog 2020-01-08 07:22:51.000000000 +0000
@@ -1,3 +1,13 @@
+libvncserver (0.9.11+dfsg-1.3+deb10u2) buster; urgency=medium
+
+ * Regression update.
+
+ * debian/patches: Add use-after-free/{4,5,6}.patch. All cherry-picked from
+ upstream. Resolves crashing of x11vnc when vncviewer connects. (Closes:
+ #905786).
+
+ -- Mike Gabriel Wed, 08 Jan 2020 08:22:51 +0100
+
 libvncserver (0.9.11+dfsg-1.3+deb10u1) buster; urgency=medium
 
 * CVE-2019-15681: rfbserver: don't leak stack memory to the remote. (Closes:
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series 2019-12-03 08:18:57.000000000 +0000
+++ libvncserver-0.9.11+dfsg/debian/patches/series 2020-01-08 07:22:34.000000000 +0000
@@ -25,4 +25,7 @@
 use-after-free/1.patch
 use-after-free/2.patch
 use-after-free/3.patch
+use-after-free/4.patch
+use-after-free/5.patch
+use-after-free/6.patch
 0002-set-true-color-flag-to-1.patch
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch 2020-01-08 07:22:51.000000000 +0000
@@ -0,0 +1,24 @@
+From 7e63df224aa45a8b541cd63a870594454aba7526 Mon Sep 17 00:00:00 2001
+From: Andrzej Szombierski
+Date: Tue, 28 May 2019 10:56:47 +0200
+Subject: [PATCH] rfbserver: don't close fd 0 accidentally
+
+pipe_notify_client_thread needs to be initialized to -1
+---
+ libvncserver/rfbserver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -462,6 +462,11 @@
+ 
+ cl->lastPtrX = -1;
+ 
++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++ cl->pipe_notify_client_thread[0] = -1;
++ cl->pipe_notify_client_thread[1] = -1;
++#endif
++
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ /*
+ * Wait a few ms for the client to send one of:
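Review bot: Setting both pipe_notify_client_thread descriptors to -1 only prevents the accidental close(0) if every place that closes the pipe tests the descriptor first; that teardown code is not in this patch, so it should be confirmed that close() is reached only when `pipe_notify_client_thread[0] >= 0` (and likewise for [1]). The added block carries no comment saying why the sentinel is needed; suggest `/* -1 = no notify pipe yet; leaving these 0 made teardown close stdin */` above the `#ifdef`. The enclosing function (presumably the client-record constructor, given `cl->lastPtrX = -1;` next to it) starts and ends outside the hunk.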
@@ -0,0 +1,26 @@
+From d0a76539835d11c0f4723499f8be4bc9c7724eb9 Mon Sep 17 00:00:00 2001
+From: Rajesh Sahoo
+Date: Tue, 11 Jun 2019 15:13:04 +0530
+Subject: [PATCH] avoid pthread_join if backgroundLoop is FALSE
+
+client_thread is created depending upon backgroundLoop, but joining
+without checking for same condition. so we are trying to join a garbage
+thread_id.
+---
+ libvncserver/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/libvncserver/main.c
++++ b/libvncserver/main.c
+@@ -1095,9 +1095,11 @@
+ }
+ 
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++ if(currentCl->screen->backgroundLoop) {
+ // Notify the thread and join it
+ write(currentCl->pipe_notify_client_thread[1], "\x00", 1);
+ pthread_join(currentCl->client_thread, NULL);
++ }
+ #else
+ rfbClientConnectionGone(currentCl);
+ #endif
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch 2020-01-08 07:22:51.000000000 +0000
@@ -0,0 +1,30 @@
+From d3a4292aa9ade2a335e0915523506b73e94251d7 Mon Sep 17 00:00:00 2001
+From: Christian Beier
+Date: Sun, 6 Jan 2019 19:34:04 +0100
+Subject: [PATCH] Move pipe_notify_client_thread to end of rfbClientRec
+
+in order to retain ABI compatibility.
+---
+ rfb/rfb.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/rfb/rfb.h
++++ b/rfb/rfb.h
+@@ -466,7 +466,6 @@
+ int protocolMinorVersion;
+ 
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
+- int pipe_notify_client_thread[2];
+ pthread_t client_thread;
+ #endif
+ 
+@@ -696,6 +695,9 @@
+ wsCtx *wsctx;
+ char *wspath; /* Requests path component */
+ #endif
++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++ int pipe_notify_client_thread[2];
++#endif
+ } rfbClientRec, *rfbClientPtr;
+ 
+ /**
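Review bot: The `write()` that wakes the client thread still discards its return value, and once 4.patch initialises the descriptors to -1 a client with backgroundLoop set whose pipe was never created (whether that can happen is not visible here) would get a silent EBADF and then sit in pthread_join waiting for a thread that was never told to stop; suggest `if (currentCl->pipe_notify_client_thread[1] < 0 || write(currentCl->pipe_notify_client_thread[1], "\x00", 1) != 1)` followed by a logged error before the join. The new guard should mirror the exact condition under which client_thread is created; backgroundLoop is the one the commit message names, but if creation also depends on a successful pipe() the descriptor test is the more direct check. Style: `if(` should be `if (` to match the surrounding code. The enclosing function starts and ends outside the hunk.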
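Review bot: The relocated field carries no comment saying why it sits after the websocket members instead of next to client_thread, so a later tidy-up could move it back and silently undo the ABI preservation this patch exists for; suggest `int pipe_notify_client_thread[2]; /* keep last: added after the 0.9.11 release, moving it changes the layout seen by existing binaries */`. Appending keeps the offsets of every earlier member but not sizeof(rfbClientRec), so the compatibility claim holds only if no consumer embeds the record by value or allocates it itself — presumably the library allocates it, but that is not visible here. Series order 4, 5, 6 is fine since the earlier patches reference the field by name only.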