In LibVNCServer through 0.9.12, the HandleCursorShape function in libvncclient/cursor.c has an integer overflow and a heap-based buffer overflow, triggered by a large height or width value. NOTE: this may overlap CVE-2019-15690.
[
{
"source": "https://github.com/libvnc/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed",
"target": {
"function": "HandleCursorShape",
"file": "libvncclient/cursor.c"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2019-20788-189abd97",
"signature_type": "Function",
"digest": {
"function_hash": "166509097659370788785687778228924176187",
"length": 2878.0
}
},
{
"source": "https://github.com/libvnc/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed",
"target": {
"file": "libvncclient/cursor.c"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2019-20788-36246abd",
"signature_type": "Line",
"digest": {
"line_hashes": [
"102057262279662452688778988803141241357",
"175955773102106351237323041340518821685",
"240545567691954465949188256110399956644",
"204796747639085440341262894639991613085"
],
"threshold": 0.9
}
}
]