ID CVE-2014-8241
Summary XRegion in TigerVNC allows remote VNC servers to cause a denial of service (NULL pointer dereference) by leveraging failure to check a malloc return value, a similar issue to CVE-2014-6052.
References
Vulnerable Configurations
  • cpe:2.3:a:tigervnc:tigervnc:-:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 20-12-2016 - 02:59)
Impact:
Exploitability:
CWE CWE-476
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1199453
title Re-base to tigervnc-1.3.x
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 7 is installed
      oval oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment tigervnc is earlier than 0:1.3.1-3.el7
          oval oval:com.redhat.rhsa:tst:20152233001
        • comment tigervnc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110871002
      • AND
        • comment tigervnc-icons is earlier than 0:1.3.1-3.el7
          oval oval:com.redhat.rhsa:tst:20152233003
        • comment tigervnc-icons is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152233004
      • AND
        • comment tigervnc-license is earlier than 0:1.3.1-3.el7
          oval oval:com.redhat.rhsa:tst:20152233005
        • comment tigervnc-license is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152233006
      • AND
        • comment tigervnc-server is earlier than 0:1.3.1-3.el7
          oval oval:com.redhat.rhsa:tst:20152233007
        • comment tigervnc-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110871004
      • AND
        • comment tigervnc-server-applet is earlier than 0:1.3.1-3.el7
          oval oval:com.redhat.rhsa:tst:20152233009
        • comment tigervnc-server-applet is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110871006
      • AND
        • comment tigervnc-server-minimal is earlier than 0:1.3.1-3.el7
          oval oval:com.redhat.rhsa:tst:20152233011
        • comment tigervnc-server-minimal is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152233012
      • AND
        • comment tigervnc-server-module is earlier than 0:1.3.1-3.el7
          oval oval:com.redhat.rhsa:tst:20152233013
        • comment tigervnc-server-module is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110871008
rhsa
id RHSA-2015:2233
released 2015-11-19
severity Moderate
title RHSA-2015:2233: tigervnc security, bug fix, and enhancement update (Moderate)
rpms
  • tigervnc-0:1.3.1-3.el7
  • tigervnc-debuginfo-0:1.3.1-3.el7
  • tigervnc-icons-0:1.3.1-3.el7
  • tigervnc-license-0:1.3.1-3.el7
  • tigervnc-server-0:1.3.1-3.el7
  • tigervnc-server-applet-0:1.3.1-3.el7
  • tigervnc-server-minimal-0:1.3.1-3.el7
  • tigervnc-server-module-0:1.3.1-3.el7
refmap via4
bid 70390
confirm
mlist
  • [oss-security] 20141010 Request for CVE assignment for tigervnc affected by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver
  • [oss-security] 20141011 Re: Request for CVE assignment for tigervnc affected by similar flaws as in CVE-2014-6051 and CVE-2014-6052 of libvncserver
Last major update 20-12-2016 - 02:59
Published 14-12-2016 - 22:59
Last modified 20-12-2016 - 02:59