Mandriva Linux Security Advisory : libvncserver (MDVSA-2014:168)

medium Nessus Plugin ID 77647

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

An integer overflow in liblzo before 2.07 allows attackers to cause a denial of service or possibly execute code in applications that perform LZO decompression on a compressed payload supplied by the attacker (CVE-2014-4607).

The libvncserver library is built with a bundled copy of minilzo, which is a part of liblzo containing the vulnerable code.

The x11vnc package is now built against the system libvncserver library to avoid security issues in the bundled copy.

The icecream package is built with a bundled copy of minilzo, which is a part of liblzo containing the vulnerable code.

Solution

Update the affected packages.

See Also

http://advisories.mageia.org/MGASA-2014-0356.html

http://advisories.mageia.org/MGASA-2014-0357.html

http://advisories.mageia.org/MGASA-2014-0361.html

Plugin Details

Severity: Medium

ID: 77647

File Name: mandriva_MDVSA-2014-168.nasl

Version: 1.5

Type: local

Published: 9/12/2014

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:icecream, p-cpe:/a:mandriva:linux:icecream-devel, p-cpe:/a:mandriva:linux:icecream-scheduler, p-cpe:/a:mandriva:linux:lib64vncserver-devel, p-cpe:/a:mandriva:linux:lib64vncserver0, p-cpe:/a:mandriva:linux:linuxvnc, p-cpe:/a:mandriva:linux:x11vnc, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 9/2/2014

Reference Information

CVE: CVE-2014-4607

BID: 68213

MDVSA: 2014:168