Debian Security Advisory

DLA-380-1 libvncserver -- LTS security update

Date Reported: 04 Jan 2016
Affected Packages: libvncserver
Vulnerable: Yes
Security database references: No other external database security references currently available.
More information:

The libvncserver upstream developer Karl Runge discovered and resolved a thread-safety issue in libvncserver that arises when libvncserver is used for handling multiple VNC connections [1].

Unfortunately, because of ABI breakage, the related patch cannot easily be backported to libvncserver 0.9.7 as shipped in Debian squeeze(-lts).

However, the thread-safety patch also resolved a related memory corruption issue: global variables were freed without being nullified and were then reused in another thread. This occurs especially when libvncserver is used for handling multiple VNC connections.

The described issue has been resolved with this version of libvncserver, and users of VNC are advised to upgrade to this version of the package.
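The free-without-nullify pattern described above, next to the reset-after-free form, as an added example that is not libvncserver's code or the Debian patch. All names (`g_scratch`, `conn_encode`, `conn_close_stale`, `conn_close_reset`) are hypothetical and the input strings are constructed. Resetting the pointer removes the stale reuse but does not by itself make the shared buffer thread-safe.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names: one process-wide scratch buffer shared by every
   connection handler, standing in for the library's globals. */
static char  *g_scratch = NULL;
static size_t g_scratch_cap = 0;

/* BEFORE (pattern the advisory describes): memory is freed but the global
   keeps its old address, so the next handler's NULL check passes and it
   writes into freed memory. Shown for contrast only, never called here. */
void conn_close_stale(void) {
    free(g_scratch);
}

/* AFTER: free and reset. Later users see "no buffer" and reallocate,
   and a repeated close is a harmless free(NULL). */
void conn_close_reset(void) {
    free(g_scratch);
    g_scratch = NULL;
    g_scratch_cap = 0;
}

/* Lazily (re)allocate the scratch buffer and copy one message into it.
   Returns the buffer, or NULL on empty input or allocation failure. */
const char *conn_encode(const char *msg) {
    size_t need = strlen(msg) + 1;
    if (need == 1) return NULL;
    if (g_scratch == NULL || g_scratch_cap < need) {
        char *p = realloc(g_scratch, need);
        if (p == NULL) return NULL;
        g_scratch = p;
        g_scratch_cap = need;
    }
    memcpy(g_scratch, msg, need);
    return g_scratch;
}

int main(void) {
    /* Constructed input: two connections served one after the other. */
    const char *a = conn_encode("client A update");
    printf("%s\n", a ? a : "(alloc failed)");
    conn_close_reset();
    const char *b = conn_encode("client B update");
    printf("%s\n", b ? b : "(alloc failed)");
    conn_close_reset();
    return 0;
}
```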