Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 614742 (CVE-2017-7392, CVE-2017-7393, CVE-2017-7394, CVE-2017-7395, CVE-2017-7396) - <net-misc/tigervnc-1.8.0: multiple vulnerabilities
Summary: <net-misc/tigervnc-1.8.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-7392, CVE-2017-7393, CVE-2017-7394, CVE-2017-7395, CVE-2017-7396
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
: 634788 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-04-05 10:35 UTC by Agostino Sarubbo
Modified: 2018-01-11 23:00 UTC (History)
3 users (show)

See Also:
Package list:
net-misc/tigervnc-1.8.0
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-04-29 05:50:44 UTC 
    CVE ID: CVE-2017-7392
   Summary: In TigerVNC 1.7.1 (SSecurityVeNCrypt.cxx SSecurityVeNCrypt::SSecurityVeNCrypt), an unauthenticated client can cause a small memory leak in the server.
 Published: 2017-04-01T02:59:00.000Z

______________________________

    CVE ID: CVE-2017-7393
   Summary: In TigerVNC 1.7.1 (VNCSConnectionST.cxx VNCSConnectionST::fence), an authenticated client can cause a double free, leading to denial of service or potentially code execution.
 Published: 2017-04-01T02:59:00.000Z

______________________________

CVE ID: CVE-2017-7394
   Summary: In TigerVNC 1.7.1 (SSecurityPlain.cxx SSecurityPlain::processMsg), unauthenticated users can crash the server by sending long usernames.
 Published: 2017-04-01T02:59:00.000Z

______________________________

CVE ID: CVE-2017-7395
   Summary: In TigerVNC 1.7.1 (SMsgReader.cxx SMsgReader::readClientCutText), by causing an integer overflow, an authenticated client can crash the server.
 Published: 2017-04-01T02:59:00.000Z

______________________________

CVE ID: CVE-2017-7396
   Summary: In TigerVNC 1.7.1 (CConnection.cxx CConnection::CConnection), an unauthenticated client can cause a small memory leak in the server.
 Published: 2017-04-01T02:59:00.000Z
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2017-05-19 09:53:57 UTC 
1.8.0 is out.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-06 17:03:17 UTC 
@ Arches,

please test and mark stable: =net-misc/tigervnc-1.8.0
Comment 4 Markus Meier gentoo-dev 2017-06-08 05:06:31 UTC 
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-08 10:17:04 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-09 10:20:25 UTC 
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-10 13:46:01 UTC 
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-06-10 15:14:18 UTC 
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-06-13 12:32:20 UTC 
ppc64 stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-20 14:59:02 UTC 
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2017-06-21 11:58:21 UTC 
ppc stable
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2017-07-02 01:51:11 UTC 
Bing hppa for stabilization.
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-24 22:10:11 UTC 
hppa stable
Comment 14 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-24 22:28:41 UTC 
New GLSA Request filed.
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2018-01-09 00:41:19 UTC 
*** Bug 634788 has been marked as a duplicate of this bug. ***
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2018-01-11 23:00:22 UTC 
This issue was resolved and addressed in
 GLSA 201801-13 at https://security.gentoo.org/glsa/201801-13
by GLSA coordinator Thomas Deutschmann (whissi).