Description: A vulnerability has been discovered in Vinagre, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a format string error within the "vinagre_utils_show_error()" function in src/vinagre-utils.c. This can be exploited by e.g. tricking a user into opening a specially crafted .vnc file. Successful exploitation may allow the execution of arbitrary code. The vulnerability is confirmed in version 2.24.0. Other versions may also be affected. Ref: http://ftp.gnome.org/pub/GNOME/sources/vinagre/0.5/vinagre-0.5.2.changes http://ftp.gnome.org/pub/GNOME/sources/vinagre/2.24/vinagre-2.24.2.changes Reproducible: Always
vinagre 0.5.2 and 2.24.2 are in portage tree now - they contain the obvious fix. Arches, please stabilize net-misc/vinagre-0.5.2
amd64 stable
x86 stable
Stable for HPPA. Looks like 2.24.1 can be removed immediately.
ppc64 done
sparc stable
ppc stable
alpha/ia64 stable
GLSA request filed.
CVE-2008-5660 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5660): Format string vulnerability in the vinagre_utils_show_error function (src/vinagre-utils.c) in Vinagre 0.5.x before 0.5.2 and 2.x before 2.24.2 might allow remote attackers to execute arbitrary code via a crafted URI or VNC server response.
GLSA 200903-01