CVE-2017-5884

moderate-risk
Published 2017-02-28

gtk-vnc before 0.7.0 does not properly check boundaries of subrectangle-containing tiles, which allows remote servers to execute arbitrary code via the src x, y coordinates in a crafted (1) rre, (2) hextile, or (3) copyrect tile.

Do I need to act?

-
0.46% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.8/10 High
LOCAL / LOW complexity

Affected Products (2)

Gtk-Vnc

Affected Vendors

Fedoraproject Gnome

References (14)

Mailing List http://www.openwall.com/lists/oss-security/2017/02/03/5
Mailing List http://www.openwall.com/lists/oss-security/2017/02/05/5
Third Party Advisory http://www.securityfocus.com/bid/96016
https://access.redhat.com/errata/RHSA-2017:2258
Exploit https://bugzilla.gnome.org/show_bug.cgi?id=778048
Patch https://git.gnome.org/browse/gtk-vnc/commit/?id=ea0386933214c9178aaea9f2f85049ea...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Mailing List http://www.openwall.com/lists/oss-security/2017/02/03/5
Mailing List http://www.openwall.com/lists/oss-security/2017/02/05/5
Third Party Advisory http://www.securityfocus.com/bid/96016
https://access.redhat.com/errata/RHSA-2017:2258
Exploit https://bugzilla.gnome.org/show_bug.cgi?id=778048
Patch https://git.gnome.org/browse/gtk-vnc/commit/?id=ea0386933214c9178aaea9f2f85049ea...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
33
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 2/34 · Minimal
Exposure 7/34 · Low