Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 250314 - net-misc/vinagre < 0.5.2 or < 2.24.2 vinagre_utils_show_error() execution of arbitrary code (CVE-2008-5660)
Summary: net-misc/vinagre < 0.5.2 or < 2.24.2 vinagre_utils_show_error() execution of ...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on:
Reported: 2008-12-08 19:39 UTC by stupendoussteve
Modified: 2009-03-06 22:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description stupendoussteve 2008-12-08 19:39:53 UTC
A vulnerability has been discovered in Vinagre, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a format string error within the "vinagre_utils_show_error()" function in src/vinagre-utils.c. This can be exploited by e.g. tricking a user into opening a specially crafted .vnc file.

Successful exploitation may allow the execution of arbitrary code.

The vulnerability is confirmed in version 2.24.0. Other versions may also be affected.


Reproducible: Always
Comment 1 Mart Raudsepp gentoo-dev 2008-12-10 03:14:11 UTC
vinagre 0.5.2 and 2.24.2 are in portage tree now - they contain the obvious fix.

Arches, please stabilize net-misc/vinagre-0.5.2
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-10 17:27:37 UTC
amd64 stable
Comment 3 Markus Meier gentoo-dev 2008-12-10 22:18:09 UTC
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-11 17:57:03 UTC
Stable for HPPA. Looks like 2.24.1 can be removed immediately.
Comment 5 Brent Baude (RETIRED) gentoo-dev 2008-12-11 21:24:18 UTC
ppc64 done
Comment 6 Friedrich Oslage (RETIRED) gentoo-dev 2008-12-13 11:03:41 UTC
sparc stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-13 13:48:44 UTC
ppc stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-12-13 17:30:58 UTC
alpha/ia64 stable
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-13 20:31:13 UTC
GLSA request filed.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-12-18 16:33:27 UTC
CVE-2008-5660 (
  Format string vulnerability in the vinagre_utils_show_error function
  (src/vinagre-utils.c) in Vinagre 0.5.x before 0.5.2 and 2.x before
  2.24.2 might allow remote attackers to execute arbitrary code via a
  crafted URI or VNC server response.

Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-06 22:05:06 UTC
GLSA 200903-01