CVE-2014-6053
tightvnc - security update
EPSS 7.6%
Description
The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier does not properly handle attempts to send a large amount of ClientCutText data, which allows remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that is processed by using a single unchecked malloc.
How to fix CVE-2014-6053
To remediate CVE-2014-6053, upgrade the affected package to a fixed version below.
- Debian/libvncserver—upgrade to 0.9.9+dfsg-6.1 or later
- Debian/tightvnc—upgrade to 1:1.3.9-9.1 or later
- —upgrade to 1.3.9-6.5+deb8u1 or later
- —upgrade to 3.22.0-6 or later
- —upgrade to 3.14.0-2+deb8u1 or later
Is CVE-2014-6053 being exploited?
Moderate — EPSS is 7.6%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (5)
- from 0, < 0.9.9+dfsg-6.1
- from 0, < 1:1.3.9-9.1
- from 0, < 1.3.9-6.5+deb8u1
- from 0, < 3.22.0-6
- from 0, < 3.14.0-2+deb8u1