ID CVE-2014-8241
Summary XRegion in TigerVNC allows remote VNC servers to cause a denial of service (NULL pointer dereference) by leveraging failure to check a malloc return value, a similar issue to CVE-2014-6052.
References
Vulnerable Configurations
  • cpe:2.3:a:tigervnc:tigervnc:-:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 20-12-2016 - 02:59)
Impact:
Exploitability:
CWE CWE-476
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1199453
title Re-base to tigervnc-1.3.x
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhba:tst:20150364001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhba:tst:20150364002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhba:tst:20150364003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20150364004
  • OR
    • AND
      • comment tigervnc is earlier than 0:1.3.1-3.el7
        oval oval:com.redhat.rhsa:tst:20152233007
      • comment tigervnc is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110871006
    • AND
      • comment tigervnc-icons is earlier than 0:1.3.1-3.el7
        oval oval:com.redhat.rhsa:tst:20152233013
      • comment tigervnc-icons is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20152233014
    • AND
      • comment tigervnc-license is earlier than 0:1.3.1-3.el7
        oval oval:com.redhat.rhsa:tst:20152233015
      • comment tigervnc-license is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20152233016
    • AND
      • comment tigervnc-server is earlier than 0:1.3.1-3.el7
        oval oval:com.redhat.rhsa:tst:20152233005
      • comment tigervnc-server is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110871012
    • AND
      • comment tigervnc-server-applet is earlier than 0:1.3.1-3.el7
        oval oval:com.redhat.rhsa:tst:20152233017
      • comment tigervnc-server-applet is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110871008
    • AND
      • comment tigervnc-server-minimal is earlier than 0:1.3.1-3.el7
        oval oval:com.redhat.rhsa:tst:20152233009
      • comment tigervnc-server-minimal is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20152233010
    • AND
      • comment tigervnc-server-module is earlier than 0:1.3.1-3.el7
        oval oval:com.redhat.rhsa:tst:20152233011
      • comment tigervnc-server-module is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110871010
rhsa
id RHSA-2015:2233
released 2015-11-19
severity Moderate
title RHSA-2015:2233: tigervnc security, bug fix, and enhancement update (Moderate)
rpms
  • tigervnc-0:1.3.1-3.el7
  • tigervnc-icons-0:1.3.1-3.el7
  • tigervnc-license-0:1.3.1-3.el7
  • tigervnc-server-0:1.3.1-3.el7
  • tigervnc-server-applet-0:1.3.1-3.el7
  • tigervnc-server-minimal-0:1.3.1-3.el7
  • tigervnc-server-module-0:1.3.1-3.el7
refmap via4
bid 70390
confirm
mlist
  • [oss-security] 20141010 Request for CVE assignment for tigervnc affected by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver
  • [oss-security] 20141011 Re: Request for CVE assignment for tigervnc affected by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver
Last major update 20-12-2016 - 02:59
Published 14-12-2016 - 22:59