An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way screen sizes were handled by LibVNCServer. A malicious VNC server could use this flaw to cause a client to crash or, potentially, execute arbitrary code on the client. Upstream commit: https://github.com/newsoft/libvncserver/commit/045a044e8ae79db9244593fbce154cdf6e843273
Acknowledgements: Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Nicolas RUFF as the original reporter.
Public now: http://seclists.org/oss-sec/2014/q3/639
Created libvncserver tracking bugs for this issue: Affects: fedora-all [bug 1145878] Affects: epel-5 [bug 1145879] Affects: epel-7 [bug 1145880]
Created krfb tracking bugs for this issue: Affects: fedora-all [bug 1145883]
krfb advisory: http://www.kde.org/info/security/advisory-20140923-1.txt
libvncserver-0.9.10-0.6.20140718git9453be42.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
libvncserver-0.9.10-0.6.20140718git9453be42.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
libvncserver-0.9.10-0.6.20140718git9453be42.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
krfb-4.11.5-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
libvncserver-0.9.10-0.6.20140718git9453be42.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
IssueDescription: An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way screen sizes were handled by LibVNCServer. A malicious VNC server could use this flaw to cause a client to crash or, potentially, execute arbitrary code in the client.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2014:1826 https://rhn.redhat.com/errata/RHSA-2014-1826.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only Via RHSA-2015:0113 https://rhn.redhat.com/errata/RHSA-2015-0113.html