CVE-2019-20788

Name	CVE-2019-20788
Description	libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
References	DLA-2146-1
Debian Bugs	954163

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libvncserver (PTS)	buster	0.9.11+dfsg-1.3+deb10u4	fixed
	buster (security)	0.9.11+dfsg-1.3+deb10u5	fixed
	bullseye	0.9.13+dfsg-2+deb11u1	fixed
	bookworm	0.9.13+dfsg-5	fixed
	sid	0.9.14+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
libvncserver	source	jessie	0.9.9+dfsg2-6.1+deb8u7	DLA-2146-1
libvncserver	source	stretch	0.9.11+dfsg-1.3~deb9u4
libvncserver	source	buster	0.9.11+dfsg-1.3+deb10u3
libvncserver	source	(unstable)	0.9.12+dfsg-9		954163

https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed