CVEs have been assigned for two security issues in gtk-vnc:
Fixes appear to be in progress.
Mageia 5 may also be affected.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Updated package uploaded and built for cauldron.
I could not find any previous test procedures for this package but did find that the vinagre VNC client uses some of these packages. That would probably be a good place to start testing if you have (or can set up) a VNC server you can connect to.
Updated package uploaded for Mageia 5.
Updated gtk-vnc package fixes security vulnerabilities:
It was found that gtk-vnc code does not properly check boundaries of subrectangle-containing tiles. A malicious server can use this to overwrite parts of the client memory (CVE-2017-5884).
In addition, the vnc_connection_server_message() and vnc_color_map_set() functions do not check for integer overflow properly, leading to a malicious server being able to overwrite parts of the client memory (CVE-2017-5885).
Updated packages in core/updates_testing:
Fedora has issued an advisory for this on February 10:
MGA5-32 on Asus A6000VM Xfce
No installation issues
Installed vinagre to test at CLI
$ strace -o vnc.txt vinagre
and found: open("/lib/libgtk-vnc-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
Started vncserver on one system, setting a password.
Used gvncviewer to connect to that system ok from the system testing the update.
Validating the update
advisory MGA5-32-OK =>
advisory MGA5-32-OK MGA5-64-OKCC:
An update for this issue has been pushed to the Mageia Updates repository.