Headline
CVE-2019-15691: Release TigerVNC 1.10.1 · TigerVNC/tigervnc
TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If decoding routine would throw an exception, ZRLEDecoder may try to access stack variable, which has been already freed during the process of stack unwinding. Exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.
This is a security release to fix a number of issues that were found by Kaspersky Lab. These issues affect both the client and server and could theoretically allow an malicious peer to take control over the software on the other side.
No working exploit is known at this time, and the issues require the peer to first be authenticated. We still urge users to upgrade when possible.
Binaries are available from SourceForge:
https://sourceforge.net/projects/tigervnc/files/stable/1.10.1/
Regards
The TigerVNC Developers
Related news
Gentoo Linux Security Advisory 202407-14 - Multiple vulnerabilities have been discovered in TigerVNC, the worst of which could lead to remote code execution. Versions greater than or equal to 1.12.0-r2 are affected.