PatchSiren cyber security CVE debrief

CVE-2017-5884 Fedoraproject CVE debrief

CVE-2017-5884 is a boundary-check vulnerability in gtk-vnc's handling of subrectangle-containing tiles. According to the CVE record, crafted RRE, Hextile, or CopyRect tile data can cause improper bounds handling for source x/y coordinates and may allow arbitrary code execution. The issue was published on 2017-02-28, with upstream and vendor references in early February 2017 pointing to a fix and follow-on advisories.

Vendor: Fedoraproject
Product: CVE-2017-5884
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-28
Original CVE updated: 2026-05-13
Advisory published: 2017-02-28
Advisory updated: 2026-05-13

Who should care

Administrators and developers using gtk-vnc, especially in client applications that connect to untrusted or externally supplied VNC servers. Fedora/RPM-based environments and any software embedding gtk-vnc should verify whether they ship affected versions.

Technical summary

The flaw is tracked as CWE-118 and, according to the CVE description, affects gtk-vnc versions before 0.7.0. NVD's CPE data also marks gtk-vnc through 0.6.0 as vulnerable. The bug lies in parsing tile content for RRE, Hextile, and CopyRect updates: the boundary checks on subrectangle coordinates were not performed correctly, so server-controlled display data could drive out-of-bounds behavior while the client processes a framebuffer update.
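As an added illustration of the kind of check the description refers to (not gtk-vnc's own code), the following decodes a Hextile subrectangle header as the RFB protocol defines it and validates it against its tile, and validates a CopyRect source position against the framebuffer. The framebuffer size and the function names are assumptions made for this example; the subtract-first comparison is what keeps a server-supplied size from wrapping past the check.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed framebuffer geometry for this example (assumed, not from gtk-vnc). */
#define FB_WIDTH  1024u
#define FB_HEIGHT 768u

/* True iff the rectangle [x, x+w) x [y, y+h) lies inside a bound_w x bound_h area.
 * Subtracting first keeps every expression in range, so a huge w or h from the
 * server cannot wrap the sum x+w and slip past the comparison. */
bool rect_within(uint32_t x, uint32_t y, uint32_t w, uint32_t h,
                 uint32_t bound_w, uint32_t bound_h)
{
    if (x > bound_w || y > bound_h)
        return false;
    return w <= bound_w - x && h <= bound_h - y;
}

/* Decode one Hextile subrectangle header (RFB layout: x and y in the two nibbles
 * of the first byte, width-1 and height-1 in the nibbles of the second) relative
 * to its tile and check it against the tile's size. Tiles at the right or bottom
 * edge of the framebuffer can be smaller than 16x16, so the tile size is an input.
 * Returns the subrectangle's pixel count, or 0 when it does not fit. */
uint32_t hextile_subrect_pixels(uint8_t xy, uint8_t wh, uint32_t tile_w, uint32_t tile_h)
{
    uint32_t x = xy >> 4, y = xy & 0x0f;
    uint32_t w = (wh >> 4) + 1u, h = (wh & 0x0f) + 1u;
    if (!rect_within(x, y, w, h, tile_w, tile_h))
        return 0;
    return w * h;
}

/* CopyRect: the destination rectangle comes from the update header and the
 * server-chosen source position must be checked against the framebuffer too,
 * using the same width and height as the destination. */
bool copyrect_ok(uint32_t dst_x, uint32_t dst_y, uint32_t w, uint32_t h,
                 uint32_t src_x, uint32_t src_y)
{
    return rect_within(dst_x, dst_y, w, h, FB_WIDTH, FB_HEIGHT)
        && rect_within(src_x, src_y, w, h, FB_WIDTH, FB_HEIGHT);
}
```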

Defensive priority

High. This is a code-execution class issue in a client-side library with public advisories and a patch, so affected deployments should prioritize upgrading and validating package provenance.

Recommended defensive actions

  • Upgrade gtk-vnc to a fixed release at or above 0.7.0, or install the vendor/distro package that includes the published fix.
  • Apply the relevant distribution advisory or errata referenced in the corpus, such as RHSA-2017:2258, for packaged systems.
  • Inventory applications that embed gtk-vnc and confirm their shipped library version, including Fedora-based deployments noted in the CPE data.
  • Reduce exposure by limiting VNC connections to trusted servers and by reviewing any workflow that opens VNC sessions from untrusted sources.

Evidence notes

The vulnerability description in the CVE record states that gtk-vnc before 0.7.0 fails to properly check boundaries for subrectangle-containing tiles and can allow arbitrary code execution via crafted RRE, Hextile, or CopyRect data. The NVD record includes references to early February 2017 oss-security posts, a GNOME Bugzilla issue, a GTK-VNC patch commit, a Red Hat erratum, and a Fedora package announcement. NVD also lists the weakness as CWE-118. The NVD CPE data marks gtk-vnc versions through 0.6.0 as vulnerable, which should be read alongside the textual description that sets the fix threshold at 0.7.0.

Official resources

CVE-2017-5884 was published on 2017-02-28. The corpus shows upstream and vendor references from early February 2017, including disclosure discussion, a patch commit, and packaging advisories.