Source: libvncserver
Version: 0.9.15+dfsg-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

GHSA-v9pm-47h4-jcq8 (no CVE yet) describes:

Attacker-controlled heap out-of-bounds write in libvncclient Tight decoder:

| A malicious (or man-in-the-middle) VNC server can force a connecting
| libvncclient to write attacker-controlled data past the end of its
| framebuffer. This is an out-of-bounds heap write with attacker-
| controlled length, contents, and offset. It needs no authentication
| (the attacker is the server), works in a default build with default
| settings, and fires from a single FramebufferUpdate the moment the
| victim connects. It crashes any client unconditionally (denial of
| service); we also demonstrated it overwriting an application callback
| pointer and redirecting execution to attacker-chosen code (code
| execution) under the default configuration.

https://github.com/LibVNC/libvncserver/security/advisories/GHSA-v9pm-47h4-jcq8

Regards,
Salvatore

