VNC Viewer Vulnerability CVE-2008-4770
Mike Miller
mbmiller "at" taxa.epi.umn.edu
Wed Nov 26 20:28:01 2008
On Wed, 26 Nov 2008, jnw "at" realvnc.com wrote:
> A vulnerability has been reported in a core VNC Viewer component's
> validation of server-supplied RFB protocol data. This issue only affects
> the VNC Viewer component, VNC Servers are not affected.
>
> VNC Free Edition Viewer users should upgrade to version 4.1.3, and
> providers of software based on the VNC Free Edition open-source codebase
> should patch it to version 4.1.3.
>
> For more information please visit
> http://www.realvnc.com/products/upgrade.html
Then to get my hands on 4.1.3 I went here...
http://www.realvnc.com/cgi-bin/download.cgi
...and I installed the Linux GZipped tar file on my Ubuntu 8.10 system.
Here's the problem:
$ ldd /usr/local/bin/vncviewer | grep "not found"
libstdc++-libc6.2-2.so.3 => not found
It turns out that the library is in this package:
libstdc++2.10-glibc2.2
Which is available for i386:
http://packages.debian.org/etch/libstdc++2.10-glibc2.2
But I am using x86_64 and gdebi refuses to install the .deb package:
$ sudo gdebi libstdc++2.10-glibc2.2_2.95.4-24_i386.deb
Reading package lists: Done
Reading state information: Done
Reading state information: Done
Reading state information: Done
This package is uninstallable
Wrong architecture 'i386'
I guess this means that I either have to run the 4.1.1, which is available
in an Ubuntu package, or I have to try to compile 4.1.3 from source.
Or maybe there is a way to get the needed file and make it work.
Or maybe we will get lucky and the generous VNC developers will make
something for x86_64!
Mike