libvncserver: Memory leak in VNC server code (CVE-2019-15681)

LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a memory leak (CWE-655) in VNC server code, which allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appear to be exploitable via network connectivity.

Affected Versions:

libvncserver 0.9.12 and earlier.

References:

https://nvd.nist.gov/vuln/detail/CVE-2019-15681
https://security-tracker.debian.org/tracker/CVE-2019-15681

Patch:

https://github.com/LibVNC/libvncserver/commit/d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a

Affected branches:

Edited Nov 03, 2019 by Kevin Daudt

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information