USN-2365-1: LibVNCServer vulnerabilities
29 September 2014
Several security issues were fixed in LibVNCServer.
Releases
Packages
- libvncserver - vnc server library
Details
Nicolas Ruff discovered that LibVNCServer incorrectly handled memory when
being advertised large screen sizes by the server. If a user were tricked
into connecting to a malicious server, an attacker could use this issue to
cause a denial of service, or possibly execute arbitrary code.
(CVE-2014-6051, CVE-2014-6052)
Nicolas Ruff discovered that LibVNCServer incorrectly handled large
ClientCutText messages. A remote attacker could use this issue to cause a
server to crash, resulting in a denial of service. (CVE-2014-6053)
Nicolas Ruff discovered that LibVNCServer incorrectly handled zero scaling
factor values. A remote attacker could use this issue to cause a server to
crash, resulting in a denial of service. (CVE-2014-6054)
Nicolas Ruff discovered that LibVNCServer incorrectly handled memory in the
file transfer feature. A remote attacker could use this issue to cause a
server to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2014-6055)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 14.04
Ubuntu 12.04
In general, a standard system update will make all the necessary changes.
Related notices
- USN-4587-1: italc-master, italc, italc-client, italc-management-console, libitalccore
- USN-4573-1: vino