Source: tigervnc
Version: 1.7.0+dfsg-6
Severity: grave
Tags: patch security upstream
Justification: user security hole

Hi,

the following vulnerabilities were published for tigervnc.

CVE-2017-7392[0]:
| In TigerVNC 1.7.1 (SSecurityVeNCrypt.cxx
| SSecurityVeNCrypt::SSecurityVeNCrypt), an unauthenticated client can
| cause a small memory leak in the server.

CVE-2017-7393[1]:
| In TigerVNC 1.7.1 (VNCSConnectionST.cxx VNCSConnectionST::fence), an
| authenticated client can cause a double free, leading to denial of
| service or potentially code execution.

CVE-2017-7394[2]:
| In TigerVNC 1.7.1 (SSecurityPlain.cxx SSecurityPlain::processMsg),
| unauthenticated users can crash the server by sending long usernames.

CVE-2017-7395[3]:
| In TigerVNC 1.7.1 (SMsgReader.cxx SMsgReader::readClientCutText), by
| causing an integer overflow, an authenticated client can crash the
| server.

CVE-2017-7396[4]:
| In TigerVNC 1.7.1 (CConnection.cxx CConnection::CConnection), an
| unauthenticated client can cause a small memory leak in the server.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7392
[1] https://security-tracker.debian.org/tracker/CVE-2017-7393
[2] https://security-tracker.debian.org/tracker/CVE-2017-7394
[3] https://security-tracker.debian.org/tracker/CVE-2017-7395
[4] https://security-tracker.debian.org/tracker/CVE-2017-7396

Regards,
Salvatore