Debian Long Term Support / LTS Security Information / 2018 / Security Information -- DLA-1332-1 libvncserver

Debian Security Advisory

DLA-1332-1 libvncserver -- LTS security update

Date Reported:

30 Mar 2018

Affected Packages:

libvncserver

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 894045.
In Mitre's CVE dictionary: CVE-2018-7225.

More information:

libvncserver version through 0.9.11. does not sanitize msg.cct.length which may result in access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.

For Debian 7 Wheezy, these problems have been fixed in version 0.9.9+dfsg-1+deb7u3.

We recommend that you upgrade your libvncserver packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS