Version in base suite: 1.15.0+dfsg-2
Base version: tigervnc_1.15.0+dfsg-2
Target version: tigervnc_1.15.0+dfsg-2.1~deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tigervnc/tigervnc_1.15.0+dfsg-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tigervnc/tigervnc_1.15.0+dfsg-2.1~deb13u1.dsc
changelog | 15 +++++
patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch | 28 ++++++++++
patches/series | 1
3 files changed, 44 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp6q1lrxzs/tigervnc_1.15.0+dfsg-2.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp6q1lrxzs/tigervnc_1.15.0+dfsg-2.1~deb13u1.dsc: no acceptable signature found
diff -Nru tigervnc-1.15.0+dfsg/debian/changelog tigervnc-1.15.0+dfsg/debian/changelog
--- tigervnc-1.15.0+dfsg/debian/changelog 2025-05-05 22:30:59.000000000 +0000
+++ tigervnc-1.15.0+dfsg/debian/changelog 2026-07-03 16:13:02.000000000 +0000
@@ -1,3 +1,18 @@
+tigervnc (1.15.0+dfsg-2.1~deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for trixie.
+
+ -- Adrian Bunk Fri, 03 Jul 2026 19:13:02 +0300
+
+tigervnc (1.15.0+dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-34352: Prevent other users reading x0vncserver screen
+ (Closes: #1132166)
+
+ -- Adrian Bunk Wed, 01 Jul 2026 11:47:57 +0300
+
 tigervnc (1.15.0+dfsg-2) unstable; urgency=medium
 [ Stephan Springl ]
diff -Nru tigervnc-1.15.0+dfsg/debian/patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch tigervnc-1.15.0+dfsg/debian/patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch
--- tigervnc-1.15.0+dfsg/debian/patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch 1970-01-01 00:00:00.000000000 +0000
+++ tigervnc-1.15.0+dfsg/debian/patches/0001-Prevent-other-users-reading-x0vncserver-screen.patch 2026-07-01 08:47:08.000000000 +0000
@@ -0,0 +1,28 @@
+From 8010762320e95f56152af4e327b3fe19b27e6d37 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman
+Date: Tue, 24 Mar 2026 09:52:01 +0100
+Subject: Prevent other users reading x0vncserver screen
+
+Prevent other users from observing the screen, or modifying what is sent
+to the client. Malicious attackers can even crash x0vncserver if they
+time the modifications right.
+---
+ unix/x0vncserver/Image.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unix/x0vncserver/Image.cxx b/unix/x0vncserver/Image.cxx
+index bfe5e730..77554ea3 100644
+--- a/unix/x0vncserver/Image.cxx
++++ b/unix/x0vncserver/Image.cxx
+@@ -287,7 +287,7 @@ void ShmImage::Init(int width, int height, const XVisualInfo *vinfo)
+
+ shminfo->shmid = shmget(IPC_PRIVATE,
+ xim->bytes_per_line * xim->height,
+- IPC_CREAT|0777);
++ IPC_CREAT|0600);
+ if (shminfo->shmid == -1) {
+ perror("shmget");
+ vlog.error("shmget() failed (%d bytes requested)",
+--
+2.47.3
+
diff -Nru tigervnc-1.15.0+dfsg/debian/patches/series tigervnc-1.15.0+dfsg/debian/patches/series
--- tigervnc-1.15.0+dfsg/debian/patches/series 2025-05-05 22:30:32.000000000 +0000
+++ tigervnc-1.15.0+dfsg/debian/patches/series 2026-07-01 08:47:56.000000000 +0000
@@ -39,3 +39,4 @@
 # The following patches are security fixes
 CVE-2014-8240-849479.patch
+0001-Prevent-other-users-reading-x0vncserver-screen.patch
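Review bot: The new `IPC_CREAT|0600` mode in the `shmget()` call of the Image.cxx hunk has no comment recording why it is owner-only, so a later cleanup could widen it again without noticing that it was a security fix. I would add above the call `// Owner-only: the segment holds screen contents, so group/other access would let other local users read or alter them`. The mode is applied only when a segment is created, so x0vncserver processes already running at upgrade time keep their `0777` segments until they are restarted; the changelog entry could say so. Presumably the X server still attaches because it runs as root or as the same user, which is worth confirming for setups where it does not. ShmImage::Init starts and ends outside the hunk.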