An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.
Gentoo Security Padawan
An issue was discovered in vcSetXCutTextProc() in VNConsole.c in LinuxVNC and VNCommand from the LibVNC/vncterm distribution through 0.9.10. Missing sanitization of the client-specified message length may cause integer overflow or possibly have unspecified other impact via a specially crafted VNC packet.
The bug has been referenced in the following commit(s):
Author: Sven Wegener <firstname.lastname@example.org>
AuthorDate: 2019-01-15 21:40:20 +0000
Commit: Sven Wegener <email@example.com>
CommitDate: 2019-01-17 21:21:30 +0000
net-libs/libvncserver: Version bump, security bug #659560 and #673508
Signed-off-by: Sven Wegener <firstname.lastname@example.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11
net-libs/libvncserver/Manifest | 1 +
.../files/libvncserver-0.9.12-cmake-libdir.patch | 22 +++++++
net-libs/libvncserver/libvncserver-0.9.12.ebuild | 72 ++++++++++++++++++++++
3 files changed, 95 insertions(+)
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Cleanup done in 61a66db5451e859c3cc01853ba5a5737c2157147
This issue was resolved and addressed in
GLSA 201908-05 at https://security.gentoo.org/glsa/201908-05
by GLSA coordinator Aaron Bauman (b-man).