Closed: wamserma closed this 2 years ago
Comments on specific issues:
CVE-2016-9840, CVE-2016-9841, CVE-2016-9842: These issues affect the `inflate*()` functions, which TurboVNC never uses directly. However, FreeType and libXfont2 do use those functions, so the issues may or may not affect the operation of those two libraries when building them from TurboVNC's in-tree source code (i.e. with `TVNC_SYSTEMX11=0` and `TVNC_SYSTEMLIBS=0`, which is the default).
CVE-2016-9843: This issue affects the `crc32()` function on big-endian machines, so it could only affect the TurboVNC Server if it is built from source code on one of those machines. However, the issue also only affects gzip streams, which TurboVNC never uses.
tl;dr The issues likely do not affect us, but I have integrated the fixes for all four issues regardless.
This is a quick and very solid response. Thumbs up.
TurboVNC currently ships with zlib 1.2.8, which has a number of known vulnerabilities (https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-1820/GNU-Zlib.html). The bundled zlib (`common/zlib`) should be updated unless it can be verified that the affected functionality is not used in TurboVNC.