CVE-2019-8287: 
NixOS vulnerability analysis and mitigation

TightVNC code version 1.3.10 contains a global buffer overflow vulnerability in the HandleCoRREBBP macro function (CVE-2019-8287). The vulnerability was discovered in 2019 and affects TightVNC software version 1.3.10. This vulnerability is present in the core functionality of TightVNC's remote control software package (OpenWall, CISA).

The vulnerability exists due to a global buffer overflow in the HandleCoRREBBP macro function, which fails to perform proper size checking. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating it can be exploited remotely with no privileges or user interaction required (CISA).

If successfully exploited, this vulnerability could potentially result in code execution on the affected system. The high CVSS score indicates that successful exploitation could lead to a complete compromise of the system's confidentiality, integrity, and availability (CISA).

For Debian 8 'Jessie', this vulnerability has been fixed in version 1.3.9-6.5+deb8u1. Users are recommended to upgrade their TightVNC packages to the latest version. Additionally, organizations should protect network access to devices with appropriate mechanisms and configure their environment according to security guidelines (Debian, CISA).

GlavSoft, the company behind TightVNC, initially declined to patch the 1.X version of TightVNC software, stating it doesn't bring any income to the company as they are focusing on developing TightVNC 2.X. This led to package maintainers having to patch these vulnerabilities independently (OpenWall).