Mandriva Linux Security Advisory : libvncserver (MDVSA-2014:168)

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

An integer overflow in liblzo before 2.07 allows attackers to cause a
denial of service or possibly execute code in applications that
perform LZO decompression on a compressed payload from the attacker
(CVE-2014-4607).

The libvncserver library is built with a bundled copy of minilzo,
which is a part of liblzo containing the vulnerable code.

The x11vnc packages are now built against the system libvncserver
library to avoid security issues in the bundled copy.

The icecream packages are built with a bundled copy of minilzo, which
is a part of liblzo containing the vulnerable code.

See also :

http://advisories.mageia.org/MGASA-2014-0356.html
http://advisories.mageia.org/MGASA-2014-0357.html
http://advisories.mageia.org/MGASA-2014-0361.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 4.4
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Mandriva Local Security Checks

Nessus Plugin ID: 77647

Bugtraq ID: 68213

CVE ID: CVE-2014-4607
