Version in base suite: 0.9.11+dfsg-1.3+deb10u2
Base version: libvncserver_0.9.11+dfsg-1.3+deb10u2
Target version: libvncserver_0.9.11+dfsg-1.3+deb10u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/libv/libvncserver/libvncserver_0.9.11+dfsg-1.3+deb10u2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/libv/libvncserver/libvncserver_0.9.11+dfsg-1.3+deb10u3.dsc
 changelog                                              | 10 +++++
 patches/CVE-2019-15690/0001-heap-buffer-overflow.patch | 34 +++++++++++++++++
 patches/series                                         |  1
 3 files changed, 45 insertions(+)
diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog	2020-01-08 07:22:51.000000000 +0000
+++ libvncserver-0.9.11+dfsg/debian/changelog	2020-03-31 05:05:57.000000000 +0000
@@ -1,3 +1,13 @@
+libvncserver (0.9.11+dfsg-1.3+deb10u3) buster; urgency=medium
+
+  [ Antoni Villalonga ]
+  * debian/patches:
+    + Add CVE-2019-15690 patch. libvncclient/cursor: limit
+      width/height input values. Avoids a possible heap overflow reported
+      by Pavel Cheremushkin. (Closes: #954163).
+
+ -- Mike Gabriel  Tue, 31 Mar 2020 07:05:57 +0200
+
 libvncserver (0.9.11+dfsg-1.3+deb10u2) buster; urgency=medium
 
   * Regression update.
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch
--- libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch	1970-01-01 00:00:00.000000000 +0000
+++ libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch	2020-03-31 05:04:43.000000000 +0000
@@ -0,0 +1,34 @@
+Commit: 54220248886b5001fbbb9fa73c4e1a2cb9413fed
+Author: Christian Beier
+Date:   Sun Nov 17 17:18:35 2019 +0100
+
+    libvncclient/cursor: limit width/height input values
+
+    Avoids a possible heap overflow reported by Pavel Cheremushkin
+    .
+
+    re #275
+
+diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
+index 67f4572..40ffb3b 100644
+--- a/libvncclient/cursor.c
++++ b/libvncclient/cursor.c
+@@ -28,6 +28,8 @@
+ #define OPER_SAVE 0
+ #define OPER_RESTORE 1
+ 
++#define MAX_CURSOR_SIZE 1024
++
+ #define RGB24_TO_PIXEL(bpp,r,g,b)                                       \
+   ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255     \
+    << client->format.redShift |                                          \
+@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
+   if (width * height == 0)
+     return TRUE;
+ 
++  if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
++    return FALSE;
++
+   /* Allocate memory for pixel data and temporary mask data. */
+   if(client->rcSource)
+     free(client->rcSource);
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series	2020-01-08 07:22:34.000000000 +0000
+++ libvncserver-0.9.11+dfsg/debian/patches/series	2020-03-31 05:05:57.000000000 +0000
@@ -29,3 +29,4 @@
 use-after-free/5.patch
 use-after-free/6.patch
 0002-set-true-color-flag-to-1.patch
+CVE-2019-15690/0001-heap-buffer-overflow.patch
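Review bot: The new size guard is placed after the existing `if (width * height == 0)` test, so the product of the two unchecked `int` parameters is still computed before either is bounded; if the caller feeds 16-bit values from the server's rectangle header (up to 65535, not visible in this hunk) that multiplication overflows `int`, which is undefined behaviour, before the new check can reject the input. The guard should come first and should also refuse negative values, which `>= MAX_CURSOR_SIZE` does not catch: `if (width < 0 || height < 0 || width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) return FALSE;` placed above `if (width * height == 0)`. HandleCursorShape's body continues outside the hunk, so whether the later allocations are sized on `width * height` as well cannot be confirmed here. The macro would also benefit from a one-line comment such as `/* defensive cap on server-supplied cursor dimensions; larger cursors are rejected rather than allocated */`, since 1024 is a local policy limit rather than a protocol constant and a reader may otherwise take it for one.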