What Are You Looking For?

Sign Up
-------------------------------------------------------------------------Debian LTS Advisory DLA-2347-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Mike Gabriel
August 28, 2020                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------Package        : libvncserver
Version        : 0.9.11+dfsg-1.3~deb9u5
CVE ID         : CVE-2019-20839 CVE-2020-14397 CVE-2020-14399 CVE-2020-14400 
                 CVE-2020-14401 CVE-2020-14402 CVE-2020-14403 CVE-2020-14404 
                 CVE-2020-14405

Several minor vulnerabilities have been discovered in libvncserver, a
server and client implementation of the VNC protocol.

CVE-2019-20839

    libvncclient/sockets.c in LibVNCServer had a buffer overflow via a
    long socket filename.

CVE-2020-14397

    libvncserver/rfbregion.c has a NULL pointer dereference.

CVE-2020-14399

    Byte-aligned data was accessed through uint32_t pointers in
    libvncclient/rfbproto.c.

    NOTE: This issue has been disputed by third parties; there is
    reportedly "no trust boundary crossed".

CVE-2020-14400

    Byte-aligned data was accessed through uint16_t pointers in
    libvncserver/translate.c.

    NOTE: This issue has been disputed by third parties. There is no
    known path of exploitation or cross of a trust boundary.

CVE-2020-14401

    libvncserver/scale.c had a pixel_value integer overflow.

CVE-2020-14402

    libvncserver/corre.c allowed out-of-bounds access via encodings.

CVE-2020-14403

    libvncserver/hextile.c allowed out-of-bounds access via encodings.

CVE-2020-14404

    libvncserver/rre.c allowed out-of-bounds access via encodings.

CVE-2020-14405

    libvncclient/rfbproto.c did not limit TextChat size.

For Debian 9 stretch, these problems have been fixed in version
0.9.11+dfsg-1.3~deb9u5.

We recommend that you upgrade your libvncserver packages.

For the detailed security status of libvncserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvncserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Debian LTS: DLA-2347-1: libvncserver security update

August 28, 2020
Several minor vulnerabilities have been discovered in libvncserver, a server and client implementation of the VNC protocol

Summary


Severity
-------------------------------------------------------------------------Package : libvncserver
Version : 0.9.11+dfsg-1.3~deb9u5
CVE ID : CVE-2019-20839 CVE-2020-14397 CVE-2020-14399 CVE-2020-14400

Related News

Krasue RAT Malware Hides on Linux Servers Using Embedded Rootkits

Dec 7, 2023

Ubuntu Server Security Best Practices

Oct 15, 2023

Widespread Xorg DoS, Privilege Escalation Vulns Fixed

Nov 13, 2023

Critical Exim RCE, Info Disclosure Bugs Fixed

Oct 8, 2023

News

Advisories

HOWTOs

Features

Password Guessing as an Attack Vector
Using Open Source to Ensure Compliance & Data Integrity through Data Governance
Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management

About Us

Powered By

Footer Logo