vinagre upstream released new upstream versions 0.5.2 and 2.24.2 fixing a format string issue in vinagre_utils_show_error() in src/vinagre-utils.c.
Upstream commits:
Gnome 2.22 branch (0.5.x): http://svn.gnome.org/viewvc/vinagre?view=revision&revision=528
Gnome 2.24 branch (2.24.x): http://svn.gnome.org/viewvc/vinagre?view=revision&revision=525
vinagre-0.5.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
vinagre-0.4-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
vinagre-2.24.2-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Further details and PoC in CORE-2008-1127: http://www.coresecurity.com/content/vinagre-format-string
CVE id CVE-2008-5660 was assigned to this issue: Format string vulnerability in the vinagre_utils_show_error function (src/vinagre-utils.c) in Vinagre 0.5.x before 0.5.2 and 2.x before 2.24.2 might allow remote attackers to execute arbitrary code via a crafted URI or VNC server response.
Updates pushed to stable Fedora versions via:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-10941
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10932
https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10956