A stack-based buffer overflow flaw was found in the guac client plug-in protocol handling functionality of libguac, a common library used by all C components of Guacamole. A remote attacker could provide a specially-crafted protocol specification to the guac client plug-in that, when processed, would lead to a guac client crash (denial of service).

References:
[1] http://www.openwall.com/lists/oss-security/2012/09/11/3
[2] http://www.openwall.com/lists/oss-security/2012/09/11/7

Upstream patch:
[3] http://guac-dev.org/trac/changeset/7dcefa744b4a38825619c00ae8b47e5bae6e38c0/libguac
This issue affects the versions of the libguac package, as shipped with Fedora release of 16 and 17. Please schedule an update.

--

This issue affects the version of the libguac package, as shipped with Fedora EPEL 6. Please schedule an update.
Created libguac tracking bugs for this issue

Affects: fedora-all [bug 856746]
Affects: epel-6 [bug 856747]
libguac-0.6.3-1.fc18, libguac-client-vnc-0.6.0-8.fc18, libguac-client-rdp-0.6.1-2.fc18, guacd-0.6.1-3.fc18, guacamole-common-0.6.1-2.fc18, guacamole-ext-0.6.1-2.fc18, guacamole-common-js-0.6.1-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
libguac-0.6.3-1.fc17, libguac-client-vnc-0.6.0-8.fc17, libguac-client-rdp-0.6.1-2.fc17, guacd-0.6.1-3.fc17, guacamole-common-0.6.1-2.fc17, guacamole-ext-0.6.1-2.fc17, guacamole-common-js-0.6.1-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
libguac-0.6.3-1.fc16, libguac-client-vnc-0.6.0-8.fc16, guacd-0.6.1-3.fc16, guacamole-common-0.6.1-2.fc16, guacamole-ext-0.6.1-2.fc16, guacamole-common-js-0.6.1-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.