Bug 386291 - net-misc/tigervnc: improper verification of certificates (CVE-2011-1775)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-08 13:34 UTC by GLSAMaker/CVETool Bot
Modified: 2012-12-19 03:08 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 13:34:03 UTC
CVE-2011-1775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1775):
  The CSecurityTLS::processMsg function in common/rfb/CSecurityTLS.cxx in the
  vncviewer component in TigerVNC 1.1beta1 does not properly verify the
  server's X.509 certificate, which allows man-in-the-middle attackers to
  spoof a TLS VNC server via an arbitrary certificate.
Comment 1 Raúl Porcel (RETIRED) gentoo-dev 2011-10-08 17:40:42 UTC
No version of tigervnc in the tree is affected by this bug. Current stable version already has the fix.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 17:50:16 UTC
Sorry, the Whiteboard was wrong. 

GLSA vote: NO.
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-08 21:02:40 UTC
NO too, closing.