CVE-2013-5745

NameCVE-2013-5745
DescriptionThe vino_server_client_data_pending function in vino-server.c in GNOME Vino 2.26.1, 2.32.1, 3.7.3, and earlier, and 3.8 when encryption is disabled, does not properly clear client data when an error causes the connection to close during authentication, which allows remote attackers to cause a denial of service (infinite loop, CPU and disk consumption) via multiple crafted requests during authentication.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh
Debian Bugs724545

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
vino (PTS)jessie3.14.0-2fixed
jessie (security)3.14.0-2+deb8u1fixed
stretch3.22.0-1fixed
bullseye, sid, buster3.22.0-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
vinosource(unstable)3.10.1-1low724545

Notes

[wheezy] - vino <no-dsa> (Minor issue)
[squeeze] - vino <no-dsa> (Minor issue)
http://seclists.org/fulldisclosure/2013/Sep/105

Search for package or bug name: Reporting problems