It was found that the vnc_connection_server_message() and vnc_color_map_set() functions do not check for integer overflow properly, leading to a malicious server being able to overwrite parts of the client memory, possibly leading to remote code execution under the privileges of the user running the VNC client.

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=778050

Upstream patch: https://git.gnome.org/browse/gtk-vnc/commit/?id=c8583fd3783c5b811590
Created gtk-vnc tracking bugs for this issue: Affects: fedora-all [bug 1418955]
Created mingw-gtk-vnc tracking bugs for this issue: Affects: fedora-all [bug 1418956]
CVE assignment: http://openwall.com/lists/oss-security/2017/02/05/5
Upstream fix in git master is

commit c8583fd3783c5b811590fcb7bae4ce6e7344963e
Author: Daniel P. Berrange <berrange>
Date:   Thu Feb 2 18:18:48 2017 +0000

    Correctly validate color map range indexes

    The color map index could wrap around to zero causing negative array index accesses.

    https://bugzilla.gnome.org/show_bug.cgi?id=778050

    CVE-2017-5885

    Signed-off-by: Daniel P. Berrange <berrange>
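The wraparound named in the commit message above, as an added example that is not gtk-vnc's code and not part of this bug report: a simplified model with a weak per-index check beside a range check done once in a wider type. The struct and function names are hypothetical and the sample values are constructed. It relies on the RFB colour map message carrying a 16-bit first index and a 16-bit count.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical colour map: valid indexes are [offset, offset + size). */
struct cmap {
    uint16_t offset;
    uint16_t size;
};

/* Weak form: the index is formed in 16 bits and only the upper bound is
 * tested, so a wrapped index below `offset` yields a negative slot. */
static bool slot_weak(const struct cmap *m, uint16_t first, uint16_t i,
                      long *slot)
{
    uint16_t idx = (uint16_t)(first + i);   /* 65530 + 10 wraps to 4 */
    if (idx >= m->offset + m->size)
        return false;
    *slot = (long)idx - m->offset;          /* negative when idx < offset */
    return true;
}

/* Checked form: validate the whole server-supplied range once, in a wider
 * type, against both bounds, before any entry is stored. */
static bool range_ok(const struct cmap *m, uint16_t first, uint16_t count)
{
    uint32_t end = (uint32_t)first + count; /* cannot wrap in 32 bits */
    if (end > 65536u)                       /* would pass the last 16-bit index */
        return false;
    if (first < m->offset)                  /* would land before slot 0 */
        return false;
    return end <= (uint32_t)m->offset + m->size;
}

int main(void)
{
    struct cmap m = { .offset = 16, .size = 16 };   /* constructed sample */
    long slot = 0;
    bool weak = slot_weak(&m, 65530, 10, &slot);
    printf("weak accepts=%d slot=%ld\n", weak, slot);
    printf("checked: wrap=%d low=%d exact=%d long=%d\n",
           range_ok(&m, 65530, 16), range_ok(&m, 4, 4),
           range_ok(&m, 16, 16), range_ok(&m, 20, 13));
    return 0;
}
```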
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2258 https://access.redhat.com/errata/RHSA-2017:2258