Debian DLA-380-1 : libvncserver security update

high Nessus Plugin ID 87729

Synopsis

The remote Debian host is missing a security update.

Description

An issue had been discovered and resolved by the libvncserver upstream developer Karl Runge addressing thread-safety in libvncserver when libvncserver is used for handling multiple VNC connections [1].

Unfortunately, it is not trivially feasible (because of ABI breakage) to backport the related patch to libvncserver 0.9.7 as shipped in Debian squeeze(-lts).

However, the thread-safety patch discussed resolved a related issue of memory corruption caused by freeing global variables without nullifying them when reusing them in another 'thread', especially occurring when libvncserver is used for handling multiple VNC connections

The described issue has been resolved with this version of libvncserver and users of VNC are recommended to upgrade to this version of the package.

[1] https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca84 4f5d89b58b50b0c6

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

http://www.nessus.org/u?b268757e

https://lists.debian.org/debian-lts-announce/2016/01/msg00003.html

https://packages.debian.org/source/squeeze-lts/libvncserver

Plugin Details

Severity: High

ID: 87729

File Name: debian_DLA-380.nasl

Version: 2.3

Type: local

Agent: unix

Published: 1/5/2016

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libvncserver-dev, p-cpe:/a:debian:debian_linux:libvncserver0, p-cpe:/a:debian:debian_linux:libvncserver0-dbg, p-cpe:/a:debian:debian_linux:linuxvnc, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 1/4/2016