Project

General

Profile

Bug #6638

Bug #6636: libvncserver: heap buffer overflows (CVE-2016-9941, CVE-2016-9942)

[3.5] libvncserver: heap buffer overflows (CVE-2016-9941, CVE-2016-9942)

Added by Alicha CH over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
Start date:
01/06/2017
Due date:
% Done:

100%

Estimated time:
Affected versions:
Security IDs:

Description

CVE-2016-9941: Heap-based buffer overflow in rfbproto.c

Heap-based buffer overflow in rfbproto.c was found in LibVNCClient in LibVNCServer before 0.9.11 that allows remote servers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area.

Fixed In Version:

libvncserver 0.9.11

Reference:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9941

Patch:

https://github.com/LibVNC/libvncserver/commit/5418e8007c248bf9668d22a8c1fa9528149b69f2

CVE-2016-9942: Heap-based buffer overflow in ultra.c

Heap-based buffer overflow was found in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 that allows remote servers to cause a denial of service (application crash)
or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions.

Fixed In Version:

libvncserver 0.9.11

Reference:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9942

Patch:

https://github.com/LibVNC/libvncserver/commit/5fff4353f66427b467eb29e5fdc1da4f2be028bb

Associated revisions

Revision 09e18065 (diff)
Added by Sergei Lukin over 2 years ago

main/libvncserver: security fixes #6638

CVE-2016-9941: Heap-based buffer overflow in rfbproto.c
CVE-2016-9942: Heap-based buffer overflow in ultra.c

History

#1 Updated by Sergei Lukin over 2 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#2 Updated by Natanael Copa over 2 years ago

  • Target version changed from 3.5.0 to 3.5.1

#3 Updated by Alicha CH over 2 years ago

  • Category set to Security
  • Status changed from Resolved to Closed

Also available in: Atom PDF