
[SECURITY] [DLA 777-1] libvncserver security update




Package        : libvncserver
Version        : 0.9.9+dfsg-1+deb7u2
CVE IDs        : CVE-2016-9941, CVE-2016-9942
Debian Bugs    : #850007, #850008

It was discovered that there were two vulnerabilities in libvncserver, a
library to create/embed a VNC server:

* CVE-2016-9941: Fix a heap-based buffer overflow that allows remote servers
  to cause a denial of service via a crafted FramebufferUpdate message
  containing a subrectangle outside of the drawing area.

* CVE-2016-9942: Fix a heap-based buffer overflow that allows remote servers
  to cause a denial of service via a crafted FramebufferUpdate message with
  the "Ultra" type tile such that the LZO decompressed payload exceeds the
  size of the tile dimensions.

For Debian 7 "Wheezy", these issues have been fixed in libvncserver version
0.9.9+dfsg-1+deb7u2.

We recommend that you upgrade your libvncserver packages.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

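Added example (not part of the advisory and not the upstream libvncserver
patch): a sketch of the two checks whose absence the CVE descriptions above
point to, namely that a subrectangle lies inside the drawing area and that a
decompressed payload matches the tile dimensions. The framebuffer type and
the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types and names for illustration; not libvncserver's API. */
typedef struct {
    uint16_t width, height;   /* framebuffer dimensions in pixels */
    uint8_t  bytes_per_pixel; /* 1, 2 or 4 */
    uint8_t *pixels;          /* width * height * bytes_per_pixel bytes */
} framebuffer;

/* Returns 1 if the rectangle (x, y, w, h) lies entirely inside fb.
 * Operands are widened to 32 bits so x + w cannot wrap around. */
int rect_in_bounds(const framebuffer *fb, uint16_t x, uint16_t y,
                   uint16_t w, uint16_t h)
{
    return (uint32_t)x + w <= fb->width && (uint32_t)y + h <= fb->height;
}

/* Copies a decompressed tile into fb. Returns 0 on success, -1 if rejected. */
int blit_tile(framebuffer *fb, uint16_t x, uint16_t y, uint16_t w, uint16_t h,
              const uint8_t *data, size_t data_len)
{
    size_t row_bytes = (size_t)w * fb->bytes_per_pixel;
    size_t expected  = row_bytes * h;

    if (!rect_in_bounds(fb, x, y, w, h))
        return -1;              /* subrectangle outside the drawing area */
    if (data_len != expected)
        return -1;              /* payload does not match tile dimensions */

    for (uint16_t row = 0; row < h; row++) {
        size_t off = ((size_t)(y + row) * fb->width + x) * fb->bytes_per_pixel;
        memcpy(fb->pixels + off, data + (size_t)row * row_bytes, row_bytes);
    }
    return 0;
}

int main(void)
{
    uint8_t buf[16] = {0}, tile[4] = {1, 2, 3, 4};  /* constructed sample */
    framebuffer fb = { 4, 4, 1, buf };
    printf("inside: %d, outside: %d\n",
           blit_tile(&fb, 2, 2, 2, 2, tile, sizeof tile),
           blit_tile(&fb, 3, 3, 2, 2, tile, sizeof tile));
    return 0;
}
```

When the payload comes from a decompressor, the output buffer size passed to
it should also be capped at the tile size, so the check above is reached
before any out-of-bounds write can happen.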

