PublicDateAtUSN: 2017-02-07
Candidate: CVE-2017-5884
PublicDate: 2017-02-28 18:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5884
 http://openwall.com/lists/oss-security/2017/02/05/5
 https://ubuntu.com/security/notices/USN-3203-1
Description:
 gtk-vnc before 0.7.0 does not properly check boundaries of
 subrectangle-containing tiles, which allows remote servers to execute
 arbitrary code via the src x, y coordinates in a crafted (1) rre, (2)
 hextile, or (3) copyrect tile.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854450
 https://bugzilla.gnome.org/show_bug.cgi?id=778048
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_gtk-vnc:
 upstream: https://git.gnome.org/browse/gtk-vnc/commit/?id=ea0386933214c9178aaea9f2f85049ea3fa3e14a
upstream_gtk-vnc: released (0.6.0-3)
precise_gtk-vnc: released (0.5.0-1ubuntu1.1)
trusty_gtk-vnc: released (0.5.3-0ubuntu2.1)
trusty/esm_gtk-vnc: DNE (trusty was released [0.5.3-0ubuntu2.1])
vivid/stable-phone-overlay_gtk-vnc: DNE
vivid/ubuntu-core_gtk-vnc: DNE
xenial_gtk-vnc: released (0.5.3-1.3ubuntu2.1)
yakkety_gtk-vnc: released (0.6.0-1ubuntu1.1)
devel_gtk-vnc: not-affected (0.6.0-3)