I’m pleased to announce a new release of GTK-VNC, vesion 0.7.0. The release focus is on bug fixing and includes fixes for two publically reported security bugs which allow a malicious server to exploit the client. Similar bugs were recently reported & fixed in other common VNC clients too.
- CVE-2017-5884 – fix bounds checking for RRE, hextile and copyrect encodings
- CVE-2017-5885 – fix color map index bounds checking
- Add API to allow smooth scaling to be disabled
- Workaround to help SPICE servers quickly drop VNC clients which mistakenly connect, by sending “RFB ” signature bytes early
- Don’t accept color map entries for true-color pixel formats
- Add missing vala .deps files for gvnc & gvncpulse
- Avoid crash if host/port is NULL
- Add precondition checks to some public APIs
- Fix link to home page in README file
- Fix misc memory leaks
- Clamp cursor hot-pixel to within cursor region
Thanks to all those who reported bugs and provides patches that went into this new release.