Security update for LibVNCServer SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:0875-1 Final 1 1 2018-04-05T15:24:15Z current 2018-04-05T15:24:15Z 2018-04-05T15:24:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for LibVNCServer This update for LibVNCServer fixes the following issues: - CVE-2018-7225: Missing input sanitization inside rfbserver.c rfbProcessClientNormalMessage() (bsc#1081493). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-LibVNCServer-13550,slessp4-LibVNCServer-13550 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20180875-1/ Link for SUSE-SU-2018:0875-1 https://lists.suse.com/pipermail/sle-security-updates/2018-April/003871.html E-Mail link for SUSE-SU-2018:0875-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1081493 SUSE Bug 1081493 https://www.suse.com/security/cve/CVE-2018-7225/ SUSE CVE CVE-2018-7225 page SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 LibVNCServer-devel-0.9.1-160.3.1 LibVNCServer-0.9.1-160.3.1 LibVNCServer-0.9.1-160.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 LibVNCServer-0.9.1-160.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 LibVNCServer-devel-0.9.1-160.3.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets. CVE-2018-7225 SUSE Linux Enterprise Server 11 SP4:LibVNCServer-0.9.1-160.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:LibVNCServer-0.9.1-160.3.1 SUSE Linux Enterprise Software Development Kit 11 SP4:LibVNCServer-devel-0.9.1-160.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180875-1/ https://www.suse.com/security/cve/CVE-2018-7225.html CVE-2018-7225 https://bugzilla.suse.com/1081493 SUSE Bug 1081493 https://bugzilla.suse.com/1090647 SUSE Bug 1090647