It was found that gtk-vnc does not properly check boundaries of subrectangle-containing tiles. A malicious server can use this to overwrite parts of the client memory, potentially leading to code execution under privileges of the user running the VNC client.

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=778048

Upstream patch: https://git.gnome.org/browse/gtk-vnc/commit/?id=ea0386933214c9178
Created gtk-vnc tracking bugs for this issue: Affects: fedora-all [bug 1418955]
Created mingw-gtk-vnc tracking bugs for this issue: Affects: fedora-all [bug 1418956]
CVE assignment: http://openwall.com/lists/oss-security/2017/02/05/5

CVE covers all issues mentioned in https://bugzilla.gnome.org/show_bug.cgi?id=778048#c1
Upstream fix in git master is

commit ea0386933214c9178aaea9f2f85049ea3fa3e14a
Author: Daniel P. Berrange <berrange>
Date: Thu Feb 2 17:34:47 2017 +0000

    Fix bounds checking for RRE, hextile & copyrect encodings

    While the client would bounds check the overall update region, it
    failed to bounds check the payload data parameters. Add a test case
    to validate bounds checking.

    https://bugzilla.gnome.org/show_bug.cgi?id=778048

    CVE-2017-5884

    Signed-off-by: Daniel P. Berrange <berrange>
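The kind of payload check the commit message above describes, written as an added example; it is not part of this bug report and is not gtk-vnc's code. The function and struct names are hypothetical, and the field layouts assumed are those of the RFB protocol (RFC 6143) for the Hextile, RRE and CopyRect encodings.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for illustration; these are not gtk-vnc identifiers. */
struct rect { uint16_t x, y, w, h; };

/* True when `in` lies entirely inside an area of outer_w x outer_h whose
 * origin is (0,0). Sums are widened to 32 bits so 16-bit wire values
 * cannot wrap around and pass the comparison. */
static bool rect_within(struct rect in, uint32_t outer_w, uint32_t outer_h)
{
    return (uint32_t)in.x + in.w <= outer_w &&
           (uint32_t)in.y + in.h <= outer_h;
}

/* Hextile subrectangle: byte 1 packs x (high nibble) and y (low nibble),
 * byte 2 packs width-1 and height-1. Edge tiles are smaller than 16x16. */
bool hextile_subrect_ok(uint8_t xy, uint8_t wh, uint16_t tile_w, uint16_t tile_h)
{
    struct rect r = { xy >> 4, xy & 0x0f, (wh >> 4) + 1, (wh & 0x0f) + 1 };
    return rect_within(r, tile_w, tile_h);
}

/* RRE subrectangle: 16-bit x, y, w, h relative to the update rectangle. */
bool rre_subrect_ok(struct rect sub, struct rect update)
{
    return rect_within(sub, update.w, update.h);
}

/* CopyRect: the payload carries only the source x, y; the copied area has
 * the update rectangle's size and must lie inside the framebuffer. */
bool copyrect_src_ok(uint16_t src_x, uint16_t src_y, struct rect update,
                     uint16_t fb_w, uint16_t fb_h)
{
    struct rect src = { src_x, src_y, update.w, update.h };
    return rect_within(src, fb_w, fb_h);
}

int main(void)
{
    /* Constructed inputs, not taken from the upstream test case. */
    struct rect update = { 0, 0, 200, 100 };
    printf("hextile in 8x16 edge tile: %d\n", hextile_subrect_ok(0x00, 0xff, 8, 16));
    printf("rre wrapping subrect: %d\n", rre_subrect_ok((struct rect){65535, 0, 2, 1}, update));
    printf("copyrect past right edge: %d\n", copyrect_src_ok(700, 0, update, 800, 600));
    return 0;
}
```

A decoder would run the matching check on every subrectangle or source position read from the server and abort the update on failure, before any pixel is written.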
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2017:2258 https://access.redhat.com/errata/RHSA-2017:2258