Debian 8 Jessie: DLA-2264-1 Critical LibVNCServer Issues Fixed
debian lts
June 30, 2020
Several vulnerabilities have been discovered in libVNC (libvncserver Debian package), an implemenantation of the VNC server and client protocol
Summary
CVE-2019-20839
libvncclient/sockets.c in LibVNCServer had a buffer overflow via a
long socket filename.
CVE-2020-14397
libvncserver/rfbregion.c had a NULL pointer dereference.
CVE-2020-14399
Byte-aligned data was accessed through uint32_t pointers in
libvncclient/rfbproto.c.
CVE-2020-14400
Byte-aligned data was accessed through uint16_t pointers in
libvncserver/translate.c.
CVE-2020-14401
libvncserver/scale.c had a pixel_value integer overflow.
CVE-2020-14402
libvncserver/corre.c allowed out-of-bounds access via encodings.
CVE-2020-14403
libvncserver/hextile.c allowed out-of-bounds access via encodings.
CVE-2020-14404
libvncserver/rre.c allowed out-of-bounds access via encodings.
CVE-2020-14405
libvncclient/rfbproto.c does not limit TextChat size.
For Debian 8 "Jessie", these problems have been fixed in version
0.9.9+dfsg2-6.1+deb8u8.
We recommend that you upgrade your libvncserver packages.
Further information about Debian LTS security advisories, how to apply
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
<pre><font face="Courier">Package: libvncserver
Version: 0.9.9+dfsg2-6.1+deb8u8
CVE ID: CVE-2019-20839 CVE-2020-14397 CVE-2020-14399 CVE-2020-14400
Debian Bug:
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!