CVE-2019-15693

NameCVE-2019-15693
DescriptionTigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow, which occurs in TightDecoder::FilterGradient. Exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs947428

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tigervnc (PTS)stretch1.7.0+dfsg-7vulnerable
buster1.9.0+dfsg-3vulnerable
bullseye, sid1.10.1+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tigervncsource(unstable)1.10.1+dfsg-1947428

Notes

[buster] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
https://www.openwall.com/lists/oss-security/2019/12/20/2
https://github.com/TigerVNC/tigervnc/commit/b4ada8d0c6dac98c8b91fc64d112569a8ae5fb95 (master)
https://github.com/TigerVNC/tigervnc/commit/46c081926efd83c90a45c0a96b1b5bc1927e1346 (v1.10.1)

Search for package or bug name: Reporting problems