Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 534714 (CVE-2014-8240) - <net-misc/tigervnc-1.4.2: Integer overflow vulnerability (CVE-2014-8240)
Summary: <net-misc/tigervnc-1.4.2: Integer overflow vulnerability (CVE-2014-8240)
Status: RESOLVED FIXED
Alias: CVE-2014-8240
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
: 538416 (view as bug list)
Depends on: 539772 567324
Blocks:
  Show dependency tree
 
Reported: 2015-01-04 21:26 UTC by GLSAMaker/CVETool Bot
Modified: 2016-12-13 06:50 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 21:26:28 UTC
CVE-2014-8240 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8240):
  Integer overflow in TigerVNC allows remote VNC servers to cause a denial of
  service (crash) and possibly execute arbitrary code via vectors related to
  screen size handling, which triggers a heap-based buffer overflow, a similar
  issue to CVE-2014-6051.


Maintainer(s), this issue appears to be first fixed in 1.4.1.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-01 11:24:47 UTC
*** Bug 538416 has been marked as a duplicate of this bug. ***
Comment 2 Jan Sever 2015-02-06 12:26:27 UTC
Any progress? 1.4 solves also #480124.
Comment 3 Perfect Gentleman 2015-02-11 04:51:55 UTC
1.4.2 is out.
https://github.com/TigerVNC/tigervnc/releases
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2015-02-12 12:04:14 UTC
Added 1.3.1-r3, 1.3.1-r4.

-r3 should be the target. But -r3 can be skipped if -r4 is done with bug 530652.
Comment 5 Jan Sever 2015-02-12 12:50:23 UTC
Where? And I'd be happier if you added 1.4.2.
Comment 6 Jan Sever 2015-02-12 18:42:04 UTC
It's already there (it wasn't when I looked). 1.3.1-r3 builds fine, 1.3.1-r4 needs resolving the mentioned bug. Unfortunatelly it doesn't solve bug 480124. Could you add 1.4.2? As Perfect Gentleman in Comment 3 mentioned, it's out.

Many thanks in advance.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2015-02-13 08:14:01 UTC
(In reply to Jan Sever from comment #6)
> It's already there (it wasn't when I looked). 1.3.1-r3 builds fine, 1.3.1-r4
> needs resolving the mentioned bug. Unfortunatelly it doesn't solve bug
> 480124. Could you add 1.4.2? As Perfect Gentleman in Comment 3 mentioned,
> it's out.
> 
> Many thanks in advance.

The version bump is being handled in bug 539714
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 21:37:54 UTC
New GLSA created.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 06:50:12 UTC
This issue was resolved and addressed in
 GLSA 201612-36 at https://security.gentoo.org/glsa/201612-36
by GLSA coordinator Aaron Bauman (b-man).