Summary: | <=net-misc/tightvnc-1.3.9 heap corruption and application crash (CVE-2009-0388) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | ||
Severity: | major | CC: | armin76 |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://vnc-tight.svn.sourceforge.net/viewvc/vnc-tight?view=rev&revision=3564 | ||
Whiteboard: | B1 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Stefan Behte (RETIRED)
2009-02-06 21:57:31 UTC
Only affects Windows and we don't have that tightvnc version.

We have net-misc/tightvnc-1.3.9 or do you mean that we do not have the Windows version?!?
Where did you find information that only Windows is affected? I didn't search too much (that's why the bug's state is still "NEW" and not "ASSIGNED"), because I'm currently very short on time, sorry...

(In reply to comment #2)
> We have net-misc/tightvnc-1.3.9 or do you mean that we do not have the Windows
> version?!?
> Where did you find information that only Windows is affected? I didn't search
> too much (that's why the bug's state is still "NEW" and not "ASSIGNED"),
> because I'm currently very short on time, sorry...

Oh, sorry, didn't see the 1.3.9 thing. Anyway, it says it affects tightvnc and ultravnc. Ultravnc is Windows-only, and I think tightvnc's Windows version is based on ultravnc.

The URL you posted: http://vnc-tight.svn.sourceforge.net/viewvc/vnc-tight?view=rev&revision=3564 , also only has changes on the Windows part.

Someone who has enough time could try the exploit to see if we are vulnerable =)
http://www.milw0rm.com/exploits/8024

- The directory of the commit is ".../vnc_winsrc/..."
- We don't have a ClientConnection.cpp
- The exploits crash rather than TightVNC
-> NFU