Debian LTS: DLA-2014-1: vino security update

    Date 28 Nov 2019
    Posted By LinuxSecurity Advisories
    Several vulnerabilities have been identified in the VNC code of vino, a desktop sharing utility for the GNOME desktop environment.
    Package        : vino
    Version        : 3.14.0-2+deb8u1
    CVE ID         : CVE-2014-6053 CVE-2018-7225 CVE-2019-15681
    Debian Bug     : 945784
    Several vulnerabilities have been identified in the VNC code of vino, a
    desktop sharing utility for the GNOME desktop environment.
    The vulnerabilities referenced below are issues that have originally been
    reported against Debian source package libvncserver. The vino source
    package in Debian ships a custom-patched and stripped down variant of
    libvncserver, thus some of libvncserver's security fixes required porting
        The rfbProcessClientNormalMessage function in
        libvncserver/rfbserver.c in LibVNCServer did not properly handle
        attempts to send a large amount of ClientCutText data, which allowed
        remote attackers to cause a denial of service (memory consumption or
        daemon crash) via a crafted message that was processed by using a
        single unchecked malloc.
        An issue was discovered in LibVNCServer.
        rfbProcessClientNormalMessage() in rfbserver.c did not sanitize
        msg.cct.length, leading to access to uninitialized and potentially
        sensitive data or possibly unspecified other impact (e.g., an integer
        overflow) via specially crafted VNC packets.
        LibVNC contained a memory leak (CWE-655) in VNC server code, which
        allowed an attacker to read stack memory and could be abused for
        information disclosure. Combined with another vulnerability, it could
        be used to leak stack memory and bypass ASLR. This attack appeared to
        be exploitable via network connectivity.
    For Debian 8 "Jessie", these problems have been fixed in version
    We recommend that you upgrade your vino packages.
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at:
    mike gabriel aka sunweaver (Debian Developer)
    fon: +49 (1520) 1976 148
    GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
    mail: This email address is being protected from spambots. You need JavaScript enabled to view it.,

    LinuxSecurity Poll

    How do you feel about the elimination of the terms 'blacklist' and 'slave' from the Linux kernel?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    [{"id":"112","title":"I strongly support this change - racially charged language should not be used in the code and documentation of the kernel and other open-source projects.","votes":"3","type":"x","order":"1","pct":42.86,"resources":[]},{"id":"113","title":"I'm indifferent - this small change will not affect broader issues of racial insensitivity and white privilege.","votes":"2","type":"x","order":"2","pct":28.57,"resources":[]},{"id":"114","title":"I'm opposed to this change - there is no need to change language that has been used for years. It doesn't make sense for people to take offense to terminology used in community projects.","votes":"2","type":"x","order":"3","pct":28.57,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.