RedHatRHSA-2017:2000(RHSA-2017:2000) Moderate: tigervnc and fltk security, bug fix, and enhancement update
0.011 Low
EPSS
Percentile
84.3%
Virtual Network Computing (VNC) is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients which allows users to connect to other desktops running a VNC server.
FLTK (pronounced “fulltick”) is a cross-platform C++ GUI toolkit. It provides modern GUI functionality without the bloat, and supports 3D graphics via OpenGL and its built-in GLUT emulation.
The following packages have been upgraded to a later upstream version: tigervnc (1.8.0), fltk (1.3.4). (BZ#1388620, BZ#1413598)
Security Fix(es):
-
A denial of service flaw was found in the TigerVNC’s Xvnc server. A remote unauthenticated attacker could use this flaw to make Xvnc crash by terminating the TLS handshake process early. (CVE-2016-10207)
-
A double free flaw was found in the way TigerVNC handled ClientFence messages. A remote, authenticated attacker could use this flaw to make Xvnc crash by sending specially crafted ClientFence messages, resulting in denial of service. (CVE-2017-7393)
-
A missing input sanitization flaw was found in the way TigerVNC handled credentials. A remote unauthenticated attacker could use this flaw to make Xvnc crash by sending specially crafted usernames, resulting in denial of service. (CVE-2017-7394)
-
An integer overflow flaw was found in the way TigerVNC handled ClientCutText messages. A remote, authenticated attacker could use this flaw to make Xvnc crash by sending specially crafted ClientCutText messages, resulting in denial of service. (CVE-2017-7395)
-
A buffer overflow flaw, leading to memory corruption, was found in TigerVNC viewer. A remote malicious VNC server could use this flaw to crash the client vncviewer process resulting in denial of service. (CVE-2017-5581)
-
A memory leak flaw was found in the way TigerVNC handled termination of VeNCrypt connections. A remote unauthenticated attacker could repeatedly send connection requests to the Xvnc server, causing it to consume large amounts of memory resources over time, and ultimately leading to a denial of service due to memory exhaustion. (CVE-2017-7392)
-
A memory leak flaw was found in the way TigerVNC handled client connections. A remote unauthenticated attacker could repeatedly send connection requests to the Xvnc server, causing it to consume large amounts of memory resources over time, and ultimately leading to a denial of service due to memory exhaustion. (CVE-2017-7396)
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| RedHat | 7 | i686 | fltk | < 1.3.4-1.el7 | fltk-1.3.4-1.el7.i686.rpm |
| RedHat | 7 | s390x | tigervnc-debuginfo | < 1.8.0-1.el7 | tigervnc-debuginfo-1.8.0-1.el7.s390x.rpm |
| RedHat | 7 | s390x | fltk-devel | < 1.3.4-1.el7 | fltk-devel-1.3.4-1.el7.s390x.rpm |
| RedHat | 7 | x86_64 | tigervnc | < 1.8.0-1.el7 | tigervnc-1.8.0-1.el7.x86_64.rpm |
| RedHat | 7 | ppc64 | fltk-devel | < 1.3.4-1.el7 | fltk-devel-1.3.4-1.el7.ppc64.rpm |
| RedHat | 7 | ppc64le | fltk-devel | < 1.3.4-1.el7 | fltk-devel-1.3.4-1.el7.ppc64le.rpm |
| RedHat | 7 | i686 | fltk-devel | < 1.3.4-1.el7 | fltk-devel-1.3.4-1.el7.i686.rpm |
| RedHat | 7 | s390x | tigervnc-server-minimal | < 1.8.0-1.el7 | tigervnc-server-minimal-1.8.0-1.el7.s390x.rpm |
| RedHat | 7 | i686 | fltk-debuginfo | < 1.3.4-1.el7 | fltk-debuginfo-1.3.4-1.el7.i686.rpm |
| RedHat | 7 | x86_64 | tigervnc-server | < 1.8.0-1.el7 | tigervnc-server-1.8.0-1.el7.x86_64.rpm |
Related
