Lucene search

CentOS ProjectCESA-2020:3875

HistoryOct 20, 2020 - 7:03 p.m.

tigervnc security update

2020-10-2019:03:46

CentOS Project

lists.centos.org

125

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.006 Low

EPSS

Percentile

79.3%

JSON

CentOS Errata and Security Advisory CESA-2020:3875

Virtual Network Computing (VNC) is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients.

Security Fix(es):

tigervnc: Stack use-after-return due to incorrect usage of stack memory in ZRLEDecoder (CVE-2019-15691)
tigervnc: Heap buffer overflow triggered from CopyRectDecoder due to incorrect value checks (CVE-2019-15692)
tigervnc: Heap buffer overflow in TightDecoder::FilterGradient (CVE-2019-15693)
tigervnc: Heap buffer overflow in DecodeManager::decodeRect (CVE-2019-15694)
tigervnc: Stack buffer overflow in CMsgReader::readSetCursor (CVE-2019-15695)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2020-October/032922.html

Affected packages:
tigervnc
tigervnc-icons
tigervnc-license
tigervnc-server
tigervnc-server-applet
tigervnc-server-minimal
tigervnc-server-module

Upstream details at:
https://access.redhat.com/errata/RHSA-2020:3875

OSVersionArchitecturePackageVersionFilename
CentOS7x86_64tigervnc< 1.8.0-21.el7tigervnc-1.8.0-21.el7.x86_64.rpm
CentOS7noarchtigervnc-icons< 1.8.0-21.el7tigervnc-icons-1.8.0-21.el7.noarch.rpm
CentOS7noarchtigervnc-license< 1.8.0-21.el7tigervnc-license-1.8.0-21.el7.noarch.rpm
CentOS7x86_64tigervnc-server< 1.8.0-21.el7tigervnc-server-1.8.0-21.el7.x86_64.rpm
CentOS7noarchtigervnc-server-applet< 1.8.0-21.el7tigervnc-server-applet-1.8.0-21.el7.noarch.rpm
CentOS7x86_64tigervnc-server-minimal< 1.8.0-21.el7tigervnc-server-minimal-1.8.0-21.el7.x86_64.rpm
CentOS7x86_64tigervnc-server-module< 1.8.0-21.el7tigervnc-server-module-1.8.0-21.el7.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
CentOS	7	x86_64	tigervnc	< 1.8.0-21.el7	tigervnc-1.8.0-21.el7.x86_64.rpm
CentOS	7	noarch	tigervnc-icons	< 1.8.0-21.el7	tigervnc-icons-1.8.0-21.el7.noarch.rpm
CentOS	7	noarch	tigervnc-license	< 1.8.0-21.el7	tigervnc-license-1.8.0-21.el7.noarch.rpm
CentOS	7	x86_64	tigervnc-server	< 1.8.0-21.el7	tigervnc-server-1.8.0-21.el7.x86_64.rpm
CentOS	7	noarch	tigervnc-server-applet	< 1.8.0-21.el7	tigervnc-server-applet-1.8.0-21.el7.noarch.rpm
CentOS	7	x86_64	tigervnc-server-minimal	< 1.8.0-21.el7	tigervnc-server-minimal-1.8.0-21.el7.x86_64.rpm
CentOS	7	x86_64	tigervnc-server-module	< 1.8.0-21.el7	tigervnc-server-module-1.8.0-21.el7.x86_64.rpm