Synopsis: Moderate: tigervnc and fltk security, bug fix, and
Advisory ID: SLSA-2017:2000-1
Issue Date: 2017-08-01
CVE Numbers: CVE-2017-5581
CVE-2016-10207
CVE-2017-7392
CVE-2017-7393
CVE-2017-7394
CVE-2017-7395
CVE-2017-7396
—
FLTK (pronounced “fulltick”) is a cross-platform C++ GUI toolkit. It
provides modern GUI functionality without the bloat, and supports 3D
graphics via OpenGL and its built-in GLUT emulation.
The following packages have been upgraded to a later upstream version:
tigervnc (1.8.0), fltk (1.3.4).
Security Fix(es):
* A denial of service flaw was found in the TigerVNC’s Xvnc server. A
remote unauthenticated attacker could use this flaw to make Xvnc crash by
terminating the TLS handshake process early. (CVE-2016-10207)
* A double free flaw was found in the way TigerVNC handled ClientFence
messages. A remote, authenticated attacker could use this flaw to make
Xvnc crash by sending specially crafted ClientFence messages, resulting in
denial of service. (CVE-2017-7393)
* A missing input sanitization flaw was found in the way TigerVNC handled
credentials. A remote unauthenticated attacker could use this flaw to make
Xvnc crash by sending specially crafted usernames, resulting in denial of
service. (CVE-2017-7394)
* An integer overflow flaw was found in the way TigerVNC handled
ClientCutText messages. A remote, authenticated attacker could use this
flaw to make Xvnc crash by sending specially crafted ClientCutText
messages, resulting in denial of service. (CVE-2017-7395)
* A buffer overflow flaw, leading to memory corruption, was found in
TigerVNC viewer. A remote malicious VNC server could use this flaw to
crash the client vncviewer process resulting in denial of service.
(CVE-2017-5581)
* A memory leak flaw was found in the way TigerVNC handled termination of
VeNCrypt connections. A remote unauthenticated attacker could repeatedly
send connection requests to the Xvnc server, causing it to consume large
amounts of memory resources over time, and ultimately leading to a denial
of service due to memory exhaustion. (CVE-2017-7392)
* A memory leak flaw was found in the way TigerVNC handled client
connections. A remote unauthenticated attacker could repeatedly send
connection requests to the Xvnc server, causing it to consume large
amounts of memory resources over time, and ultimately leading to a denial
of service due to memory exhaustion. (CVE-2017-7396)
—
SL7
x86_64
fltk-1.3.4-1.el7.i686.rpm
fltk-1.3.4-1.el7.x86_64.rpm
fltk-debuginfo-1.3.4-1.el7.i686.rpm
fltk-debuginfo-1.3.4-1.el7.x86_64.rpm
tigervnc-1.8.0-1.el7.x86_64.rpm
tigervnc-debuginfo-1.8.0-1.el7.x86_64.rpm
tigervnc-server-1.8.0-1.el7.x86_64.rpm
tigervnc-server-minimal-1.8.0-1.el7.x86_64.rpm
fltk-devel-1.3.4-1.el7.i686.rpm
fltk-devel-1.3.4-1.el7.x86_64.rpm
fltk-fluid-1.3.4-1.el7.x86_64.rpm
fltk-static-1.3.4-1.el7.i686.rpm
fltk-static-1.3.4-1.el7.x86_64.rpm
tigervnc-server-module-1.8.0-1.el7.x86_64.rpm
noarch
tigervnc-icons-1.8.0-1.el7.noarch.rpm
tigervnc-license-1.8.0-1.el7.noarch.rpm
tigervnc-server-applet-1.8.0-1.el7.noarch.rpm
– Scientific Linux Development Team
