Vinagre: User-assisted execution of arbitrary code — GLSA 200903-01

A format string error in Vinagre may allow for the execution of arbitrary code.

Affected Packages

net-misc/vinagre on all architectures
Affected versions < 0.5.2
Unaffected versions >= 0.5.2

Background

Vinagre is a VNC Client for the GNOME Desktop.

Description

Alfredo Ortega (Core Security Technologies) reported a format string error in the vinagre_utils_show_error() function in src/vinagre-utils.c.

Impact

A remote attacker could entice a user into opening a specially crafted .vnc file or connecting to a malicious server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.

Workaround

There is no known workaround at this time.

Resolution

All Vinagre users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/vinagre-0.5.2"

References

Release Date
March 06, 2009

Latest Revision
March 06, 2009: 01

Severity
normal

Exploitable
remote

Bugzilla entries