
Bug 505170 (CVE-2014-0011)

Summary: <net-misc/tigervnc-1.3.1: "ZRLE_DECODE()" Two Buffer Overflow Vulnerabilities (CVE-2014-0011)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Severity: normal CC: armin76, gentoo2
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 500368    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2014-03-20 13:36:28 UTC
From ${URL} :


Two vulnerabilities have been reported in TigerVNC, which can be exploited by malicious people to 
potentially compromise a user's system.

The vulnerabilities are caused due to two boundary errors in the "ZRLE_DECODE()" function 
(common/rfb/zrleDecode.h), which can be exploited to cause buffer overflows.

Successful exploitation may allow execution of arbitrary code, but requires tricking a user into 
connecting to a malicious VNC server.

The vulnerabilities are reported in versions prior to 1.3.1.

Update to version 1.3.1.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
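
Added illustration, not TigerVNC's code and not part of this bug report: the description does not say where in "ZRLE_DECODE()" the two boundary errors sit, so this only shows the kind of bound a ZRLE decoder has to enforce on server-supplied run lengths. It decodes a plain-RLE tile as laid out in RFC 6143, assuming 1-byte pixels; the function name, error codes and sample bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: decode one plain-RLE ZRLE tile (1-byte pixels).
 * Returns 0 on success, -1 if the input is truncated, -2 if a run
 * would write past the end of the tile buffer. */
int zrle_plain_rle(const uint8_t *in, size_t in_len,
                   uint8_t *tile, size_t tile_pixels)
{
    size_t ip = 0, op = 0;

    while (op < tile_pixels) {
        if (ip >= in_len) return -1;
        uint8_t pix = in[ip++];

        /* Run length is 1 + the sum of the length bytes; the first
         * byte that is not 255 ends the length field. */
        size_t run = 1;
        uint8_t b;
        do {
            if (ip >= in_len) return -1;
            b = in[ip++];
            run += b;
            /* Reject as soon as the run exceeds the space left in
             * the tile, before anything is written. This also keeps
             * 'run' small, so the sum cannot wrap. */
            if (run > tile_pixels - op) return -2;
        } while (b == 255);

        memset(tile + op, pix, run);
        op += run;
    }
    return 0;
}

int main(void)
{
    /* Constructed samples for a 16-pixel tile. */
    const uint8_t ok[]  = { 0xAA, 9, 0xBB, 5 };  /* runs of 10 + 6 */
    const uint8_t bad[] = { 0xAA, 255, 0 };      /* run of 256 */
    uint8_t tile[16];
    printf("ok=%d bad=%d\n",
           zrle_plain_rle(ok, sizeof ok, tile, sizeof tile),
           zrle_plain_rle(bad, sizeof bad, tile, sizeof tile));
    return 0;
}
```

The check is a runtime error return rather than an assert(), so it stays in place in builds that compile assertions out.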
Comment 1 Raúl Porcel (RETIRED) gentoo-dev 2014-03-20 19:12:35 UTC
=net-misc/tigervnc-1.2.80_p5065-r1 should be the one to stabilize
Comment 2 Agostino Sarubbo gentoo-dev 2014-03-22 19:32:36 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2014-03-23 14:48:52 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-03-23 14:49:24 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-03-23 14:55:42 UTC
ppc stable
Comment 6 Jeroen Roovers gentoo-dev 2014-03-24 00:33:53 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2014-03-24 14:27:52 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-03-24 14:30:39 UTC
ppc64 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2014-03-25 22:16:10 UTC
Arches please stabilize =net-misc/tigervnc-1.3.1 instead due to bug 505562.

Comment 10 Agostino Sarubbo gentoo-dev 2014-03-26 06:13:18 UTC
(In reply to Raúl Porcel from comment #9)
> Arches please stabilize =net-misc/tigervnc-1.3.1 instead due to bug 505562.
> Thanks

this is not reproducible here btw..
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2014-03-26 10:41:25 UTC
(In reply to Agostino Sarubbo from comment #10)
> (In reply to Raúl Porcel from comment #9)
> > Arches please stabilize =net-misc/tigervnc-1.3.1 instead due to bug 505562.
> > 
> > Thanks
> this is not reproducible here btw..

Should happen if built with USE="server"
Comment 12 Jeroen Roovers gentoo-dev 2014-03-28 03:25:28 UTC
Stable for HPPA.
Comment 13 Agostino Sarubbo gentoo-dev 2014-03-28 18:26:31 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-04-13 11:08:13 UTC
ppc stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-04-21 10:50:43 UTC
alpha stable
Comment 16 Agostino Sarubbo gentoo-dev 2014-05-11 08:10:18 UTC
ppc64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2014-05-13 15:22:53 UTC
ia64 stable
Comment 18 Agostino Sarubbo gentoo-dev 2014-05-13 15:23:07 UTC
sparc stable
Comment 19 Agostino Sarubbo gentoo-dev 2014-06-08 10:36:44 UTC
arm stable
Comment 20 Sean Amoss gentoo-dev Security 2014-09-26 21:50:34 UTC
A GLSA has been drafted for this issue.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-11-06 00:20:44 UTC
This issue was resolved and addressed in
 GLSA 201411-03 at
by GLSA coordinator Sean Amoss (ackle).