CVE-2014-6053 – libvncserver: server NULL pointer dereference flaw in ClientCutText message handling
https://notcve.org/view.php?id=CVE-2014-6053
The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier does not properly handle attempts to send a large amount of ClientCutText data, which allows remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that is processed by using a single unchecked malloc. La función rfbProcessClientNormalMessage en libvncserver/rfbserver.c en LibVNCServer 0.9.9 y anteriores no maneja correctamente los intentos de enviar una cantidad grande de datos ClientCutText, lo que permite a atacantes remotos causar una denegación de servicio (consumo de memoria o caída del demonio) a través de un mensaje manipulado que está procesado mediante el uso de un único malloc no comprobado. A NULL pointer dereference flaw was found in the way LibVNCServer handled certain ClientCutText message. A remote attacker could use this flaw to crash the VNC server by sending a specially crafted ClientCutText message from a VNC client. • http://lists.opensuse.org/opensuse-updates/2015-12/msg00022.html http://seclists.org/oss-sec/2014/q3/639 http://secunia.com/advisories/61506 http://secunia.com/advisories/61682 http://ubuntu.com/usn/usn-2365-1 http://www.debian.org/security/2014/dsa-3081 http://www.ocert.org/advisories/ocert-2014-007.html http://www.openwall.com/lists/oss-security/2014/09/25/11 https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28 https://lists.debian.org • CWE-19: Data Processing Errors CWE-476: NULL Pointer Dereference •
CVE-2014-6051 – libvncserver: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling
https://notcve.org/view.php?id=CVE-2014-6051
Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an advertisement for a large screen size, which triggers a heap-based buffer overflow. Desbordamiento de enteros en la función MallocFrameBuffer en vncviewer.c en LibVNCServer 0.9.9 y anteriores permite a servidores remotos VNC causar una denegación de servicio (caída) y posiblemente ejecutar código arbitrario a través de un anuncio para un tamaño grande de pantalla, lo que provoca un desbordamiento de buffer basado en memoria dinámica. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way screen sizes were handled by LibVNCServer. A malicious VNC server could use this flaw to cause a client to crash or, potentially, execute arbitrary code in the client. • http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139654.html http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139445.html http://lists.opensuse.org/opensuse-updates/2015-12/msg00022.html http://rhn.redhat.com/errata/RHSA-2015-0113.html http://seclists.org/oss-sec/2014/q3/639 http://secunia.com/advisories/61506 http://www.debian.org/security/2014/dsa-3081 http://www.ocert.org/advisories/ocert-2014-007.html http://www.openwall.com/lists& • CWE-122: Heap-based Buffer Overflow CWE-189: Numeric Errors •
CVE-2014-6054 – libvncserver: server divide-by-zero flaw in scaling factor handling
https://notcve.org/view.php?id=CVE-2014-6054
The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier allows remote attackers to cause a denial of service (divide-by-zero error and server crash) via a zero value in the scaling factor in a (1) PalmVNCSetScaleFactor or (2) SetScale message. La función rfbProcessClientNormalMessage en libvncserver/rfbserver.c en LibVNCServer 0.9.9 y anteriores permite a atacantes remotos causar una denegación de servicio (error de la división por cero y caída del servidor) a través de un valor cero en el factor de escalado en un mensaje (1) PalmVNCSetScaleFactor o (2) SetScale. A divide-by-zero flaw was found in the way LibVNCServer handled the scaling factor when it was set to "0". A remote attacker could use this flaw to crash the VNC server using a malicious VNC client. • http://lists.opensuse.org/opensuse-updates/2015-12/msg00022.html http://seclists.org/oss-sec/2014/q3/639 http://secunia.com/advisories/61506 http://secunia.com/advisories/61682 http://www.debian.org/security/2014/dsa-3081 http://www.ocert.org/advisories/ocert-2014-007.html http://www.openwall.com/lists/oss-security/2014/09/25/11 http://www.securityfocus.com/bid/70094 http://www.ubuntu.com/usn/USN-2365-1 https://github.com/newsoft/libvncserver/commit/05a9bd41a8ec • CWE-189: Numeric Errors CWE-369: Divide By Zero •
CVE-2006-2450
https://notcve.org/view.php?id=CVE-2006-2450
auth.c in LibVNCServer 0.7.1 allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, a different issue than CVE-2006-2369. auth.c en LibVNCServer 0.7.1 permite a atacantes remotos evitar la validación a través de una respuesta en la cual el cliente especifica un tipo de seguridad insegura como por ejemplo "Tipo 1 - None", el cual es aceptado siempre aunque no es ofrecida por el servidor, un asunto diferente que CVE-2006-2369. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=376824 http://libvncserver.cvs.sourceforge.net/libvncserver/libvncserver/libvncserver/auth.c?r1=1.11&r2=1.14&diff_format=u http://seclists.org/fulldisclosure/2022/May/29 http://secunia.com/advisories/20940 http://secunia.com/advisories/21179 http://secunia.com/advisories/21349 http://secunia.com/advisories/21393 http://secunia.com/advisories/21405 http://secunia.com/advisories/24525 http://security.gentoo.org/glsa/glsa-200608-05 •