TigerVNC ZRLE decoding bounds checking issue

2014.03.19

Credit: Tomas Hoger

Risk: High

Local: Yes

Remote: No

CVE: CVE-2014-0011

CWE: CWE-787

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

TigerVNC 1.3.1 fixes ZRLE decoding bounds checking issue
New release of TigerVNC fixes an issue with boundary checks in the ZRLE
decoding. Boundary checks existed in the code in form of assert()s,
which were removed in builds with NDEBUG defined. That is default for
release builds done by cmake, which is used by TigerVNC. This could
possibly allow malicious server to compromise vncviewer.
The same problem may affect related *VNC implementations if built with
NDEBUG.
CVE-2014-0011 was assigned to the issue.
References:
http://sourceforge.net/p/tigervnc/mailman/message/32120476/
http://sourceforge.net/p/tigervnc/code/5163
http://sourceforge.net/p/tigervnc/code/5164
https://bugzilla.redhat.com/show_bug.cgi?id=1050928

References:

http://sourceforge.net/p/tigervnc/mailman/message/32120476/

http://sourceforge.net/p/tigervnc/code/5163

http://sourceforge.net/p/tigervnc/code/5164

https://bugzilla.redhat.com/show_bug.cgi?id=1050928

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

TigerVNC ZRLE decoding bounds checking issue

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.