From ${URL} : Description Trustwave SpiderLabs has reported a vulnerability in Vino, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the "vino_server_client_data_pending()" function (server/vino-server.c), which can be exploited to trigger an infinite loop via specially crafted packets. The vulnerability is reported in versions prior to 3.9.92. Solution: Update to version 3.9.92 or later. Provided and/or discovered by: Robert Foggia, TrustWave SpiderLabs. Original Advisory: Vino: https://mail.gnome.org/archives/gnome-announce-list/2013-September/msg00025.html TWSL2013-028: http://archives.neohapsis.com/archives/fulldisclosure/2013-09/0103.html @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
+*vino-2.32.2-r2 (01 Oct 2013) + + 01 Oct 2013; Alexandre Rostovtsev <tetromino@gentoo.org> + +vino-2.32.2-r2.ebuild, -vino-3.8.1.ebuild: + Fix DoS vulnerability and remove vulnerable version (CVE-2013-5745, bug + #486694, thanks to Agostino Sarubbo). Thanks, this had already been fixed in 3.8.1-r1, and I've now added 2.32.2-r2 to use the same patch. =net-misc/vino-2.32.2-r2 should be stabilized.
Arches, please test and mark stable: =net-misc/vino-2.32.2-r2 Target keywords : "alpha amd64 arm ia64 ppc ppc64 sparc x86"
amd64 stable
x86 stable
CVE-2013-5745 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5745): The vino_server_client_data_pending function in vino-server.c in GNOME Vino 2.26.1, 2.32.1, 3.7.3, and earlier, and 3.8 when encryption is disabled, does not properly clear client data when an error causes the connection to close during authentication, which allows remote attackers to cause a denial of service (infinite loop, CPU and disk consumption) via multiple crafted requests during authentication.
ia64 stable
alpha stable
ppc stable
arm stable
ppc64 stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
GLSA vote: no.
+ 17 Dec 2013; Pacho Ramos <pacho@gentoo.org> -vino-2.32.2-r1.ebuild: + Drop old +
Thanks for your work GLSA vote: no Closing as noglsa
