LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC server can send a crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a LibVNCClient-based client connects, the client processes the server-controlled rectangle width and writes beyond fixed-size Gradient buffers. This vulnerability is fixed with commit 5b270544b85233668b98161323297d418a8f5fd1.
0.9.13-1.11:2.0.2+dfsg1-31:2.0.2+dfsg1-41:2.0.2+dfsg1-4ubuntu0.10.9.10+dfsg-30.9.10+dfsg-3build10.9.10+dfsg-3ubuntu0.16.04.10.9.10+dfsg-3ubuntu0.16.04.20.9.10+dfsg-3ubuntu0.16.04.30.9.10+dfsg-3ubuntu0.16.04.40.9.10+dfsg-3ubuntu0.16.04.50.9.10+dfsg-3ubuntu0.16.04.61.3.10-0ubuntu21.3.10-0ubuntu33.8.1-0ubuntu63.8.1-0ubuntu73.8.1-0ubuntu83.8.1-0ubuntu93.8.1-0ubuntu9.13.8.1-0ubuntu9.23.8.1-0ubuntu9.33.8.1-0ubuntu9.41:3.0.3+dfsg1-11:3.0.3+dfsg1-21:3.0.3+dfsg1-2build11:3.0.3+dfsg1-2ubuntu11:3.0.3+dfsg1-31:3.0.3+dfsg1-3ubuntu0.10.9.11+dfsg-10.9.11+dfsg-1ubuntu10.9.11+dfsg-1ubuntu1.10.9.11+dfsg-1ubuntu1.20.9.11+dfsg-1ubuntu1.30.9.11+dfsg-1ubuntu1.41.3.10-0ubuntu31.3.10-0ubuntu43.22.0-2ubuntu13.22.0-3ubuntu13.22.0-3ubuntu1.13.22.0-3ubuntu1.23.8.1-0ubuntu120.9.11+dfsg-1.30.9.12+dfsg-3ubuntu30.9.12+dfsg-60.9.12+dfsg-70.9.12+dfsg-80.9.12+dfsg-90.9.12+dfsg-9ubuntu0.10.9.12+dfsg-9ubuntu0.20.9.12+dfsg-9ubuntu0.3Exploitability
AV:NAC:LPR:NUI:RScope
S:UImpact
C:HI:HA:HCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H