Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 496
Alerts This Week
Warning Icon 1 496

Ubuntu 14.04 LTS USN-2365-1 Critical: LibVNCServer Denial Of Service

ubuntu
Calendar Grey September 29, 2014
Scroller Ubuntu
Multiple vulnerabilities in LibVNCServer addressed in recent Ubuntu updates; imperative to upgrade systems to mitigate potential threats.
Several security issues were fixed in LibVNCServer.

Summary

Several security issues were fixed in LibVNCServer.

Software Description:

- libvncserver: vnc server library

Details:

Nicolas Ruff discovered that LibVNCServer incorrectly handled memory when

being advertised large screen sizes by the server. If a user were tricked

into connecting to a malicious server, an attacker could use this issue to

cause a denial of service, or possibly execute arbitrary code.

(CVE-2014-6051, CVE-2014-6052)

Nicolas Ruff discovered that LibVNCServer incorrectly handled large

ClientCutText messages. A remote attacker could use this issue to cause a

server to crash, resulting in a denial of service. (CVE-2014-6053)

Nicolas Ruff discovered that LibVNCServer incorrectly handled zero scaling

factor values. A remote attacker could use this issue to cause a server to

crash, resulting in a denial of service. (CVE-2014-6054)

Nicolas Ruff discovered that LibVNCServer incorrectly handled memory in the

file transfer feature. A remote attacker...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  libvncserver0                   0.9.9+dfsg-1ubuntu1.1

Ubuntu 12.04 LTS:
  libvncserver0                   0.9.8.2-2ubuntu1.1

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-2365-1

CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054,

CVE-2014-6055

Severity
critical
Lowest
Low
Medium
High
Critical

September 29, 2014

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.