CVE-2014-8240 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8240): Integer overflow in TigerVNC allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to screen size handling, which triggers a heap-based buffer overflow, a similar issue to CVE-2014-6051. Maintainer(s), this issue appears to be first fixed in 1.4.1.
*** Bug 538416 has been marked as a duplicate of this bug. ***
Any progress? 1.4 solves also #480124.
1.4.2 is out. https://github.com/TigerVNC/tigervnc/releases
Added 1.3.1-r3, 1.3.1-r4. -r3 should be the target. But -r3 can be skipped if -r4 is done with bug 530652.
Where? And I'd be happier if you added 1.4.2.
It's already there (it wasn't when I looked). 1.3.1-r3 builds fine, 1.3.1-r4 needs resolving the mentioned bug. Unfortunatelly it doesn't solve bug 480124. Could you add 1.4.2? As Perfect Gentleman in Comment 3 mentioned, it's out. Many thanks in advance.
(In reply to Jan Sever from comment #6) > It's already there (it wasn't when I looked). 1.3.1-r3 builds fine, 1.3.1-r4 > needs resolving the mentioned bug. Unfortunatelly it doesn't solve bug > 480124. Could you add 1.4.2? As Perfect Gentleman in Comment 3 mentioned, > it's out. > > Many thanks in advance. The version bump is being handled in bug 539714
New GLSA created.
This issue was resolved and addressed in GLSA 201612-36 at https://security.gentoo.org/glsa/201612-36 by GLSA coordinator Aaron Bauman (b-man).