[3.5] gtk-vnc: two input validation flaws (CVE-2017-5884, CVE-2017-5885)
CVE-2017-5884: Improper check of framebuffer boundaries when processing a tile
gtk-vnc before 0.7.0 does not properly check boundaries of
subrectangle-containing tiles, which allows remote servers
to execute arbitrary code via the src x, y coordinates in a crafted (1)
rre, (2) hextile, or (3) copyrect tile.
References:
http://openwall.com/lists/oss-security/2017/02/05/5
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5884
Patch:
https://git.gnome.org/browse/gtk-vnc/commit/?id=ea0386933214c9178

CVE-2017-5885: Integer overflow when processing SetColorMapEntries
Multiple integer overflows in the (1) vnc_connection_server_message
and (2) vnc_color_map_set functions in gtk-vnc before 0.7.0 allow
remote servers to cause a denial of service (crash) or possibly execute
arbitrary code via vectors involving SetColorMapEntries, which triggers
a buffer overflow.
References:
http://openwall.com/lists/oss-security/2017/02/05/5
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5885
Patch:
https://git.gnome.org/browse/gtk-vnc/commit/?id=c8583fd3783c5b811590

(from redmine: issue id 7035, created on 2017-03-17, closed on 2017-03-20)
- Relations:
- parent #7033 (closed)
- Changesets:
- Revision d7ba0e18 by Sergei Lukin on 2017-03-20T11:37:17Z:
community/gtk-vnc: security upgrade to 0.7.0 - fixes #7035
CVE-2017-5884
CVE-2017-5885
https://security-tracker.debian.org/tracker/CVE-2017-5884
https://security-tracker.debian.org/tracker/CVE-2017-5885
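
The two bug classes described above (unchecked rectangle coordinates for rre, hextile and copyrect, and an integer overflow on the SetColorMapEntries range), shown as overflow-safe validation in C. This is an added example, not code from gtk-vnc or its patches; struct fb_dims and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical framebuffer size holder; the name is an assumption. */
struct fb_dims { uint16_t width, height; };

/* True only if the w x h rectangle at (x, y) lies fully inside fb.
 * Uses subtraction after the x/y check, so no sum can wrap around. */
bool rect_in_fb(const struct fb_dims *fb,
                uint16_t x, uint16_t y, uint16_t w, uint16_t h)
{
    if (x > fb->width || y > fb->height)
        return false;
    return w <= fb->width - x && h <= fb->height - y;
}

/* rre/hextile: sub-rectangle coordinates are relative to the tile, so the
 * tile must fit the framebuffer and the sub-rectangle must fit the tile. */
bool subrect_ok(const struct fb_dims *fb,
                uint16_t tx, uint16_t ty, uint16_t tw, uint16_t th,
                uint16_t sx, uint16_t sy, uint16_t sw, uint16_t sh)
{
    struct fb_dims tile = { tw, th };
    return rect_in_fb(fb, tx, ty, tw, th) && rect_in_fb(&tile, sx, sy, sw, sh);
}

/* copyrect: the source and the destination rectangle are both checked. */
bool copyrect_ok(const struct fb_dims *fb, uint16_t src_x, uint16_t src_y,
                 uint16_t dst_x, uint16_t dst_y, uint16_t w, uint16_t h)
{
    return rect_in_fb(fb, src_x, src_y, w, h) &&
           rect_in_fb(fb, dst_x, dst_y, w, h);
}

/* SetColorMapEntries: first colour and count are 16-bit on the wire.
 * Widen to 32 bits before adding; a 16-bit sum of 65535 + 2 would wrap to 1. */
bool colormap_range_ok(uint32_t map_size, uint16_t first, uint16_t count)
{
    uint32_t end = (uint32_t)first + count;
    return end <= map_size;
}
```

A client would run these checks on every server-supplied rectangle and colour range before touching the framebuffer or colour map, and drop the connection on failure.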