vinagre -- format string vulnerability

CORE Security Technologies reports:

A format string error has been found on the
vinagre_utils_show_error() function that can be exploited via
commands issued from a malicious server containing format
string specifiers on the VNC name.
In a web based attack scenario, the user would be required
to connect to a malicious server. Successful exploitation
would then allow the attacker to execute arbitrary code with
the privileges of the Vinagre user.