Nortel Response to Sun Alert 248526 - Solaris vncviewer(1) RFB Protocol Validation
Description:

Sun Microsystems has recently released Sun Alert 248526 - A Security Vulnerability in the vncviewer(1) RFB Protocol Validation May Allow Execution of Arbitrary Code and Lead to a Denial of Service (DoS).

According to Sun, the VNC viewer for X (vncviewer(1)) contains a security vulnerability within the validation function for the server-supplied RFB protocol data that may allow a remote unprivileged user to execute arbitrary code with the privileges of the local user and crash the viewer. The ability to crash the VNC viewer is a type of Denial of Service (DoS).

Some Nortel products contain this software as a component and thus are potentially affected by the vulnerabilities addressed. This bulletin provides a multi-product consolidated response for the Nortel products which are potentially affected.

Sun Alert 248526 is available at: http://sunsolve.sun.com/search/document.do?assetkey=1-66-248526-1

This bulletin addresses the following CVE:

1. CVE-2008-4770 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4770)
   The CMsgReader::readRect function in the VNC Viewer component in RealVNC VNC Free Edition 4.0 through 4.1.2, Enterprise Edition E4.0 through E4.4.2, and Personal Edition P4.0 through P4.4.2 allows remote VNC servers to execute arbitrary code via crafted RFB protocol data, related to "encoding type."

Before taking any action please ensure that you are viewing the latest official version of this security advisory by referencing http://www.nortel.com/securityadvisories

Type: Security Advisories
Number: 2009009313, Rev 1
Status: Retired
Date: 2009-08-27