Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected], [email protected] Control: affects -1 + src:libvncserver User: [email protected] Usertags: pu
Dear Release Managers, I would like to close these bugs regarding trixie through p-u: https://bugs.debian.org/1132016 https://bugs.debian.org/1132017 [ Reason ] This fixes CVE-2026-32853 and CVE-2026-32854. [ Impact ] CVE-2026-32853: A malicious VNC server can cause information disclosure or an application crash in the client. CVE-2026-32854: Attackers can crash the server when httpd and proxy features are enabled. [ Tests ] Build tests and autopkgtest locally and on debusine.d.n: https://debusine.debian.net/debian/developers/work-request/556022/ [ Risks ] I consider the risks low as the fix consists exactly of upstream's commits: https://github.com/LibVNC/libvncserver/commit/009008e https://github.com/LibVNC/libvncserver/commit/dc78dee [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in stable [x] the issue is verified as fixed in unstable -- GPG Fingerprint 3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
diff -Nru libvncserver-0.9.15+dfsg/debian/changelog libvncserver-0.9.15+dfsg/debian/changelog
--- libvncserver-0.9.15+dfsg/debian/changelog 2025-04-10 12:51:42.000000000 +0200
+++ libvncserver-0.9.15+dfsg/debian/changelog 2026-04-03 21:45:50.000000000 +0200
@@ -1,3 +1,14 @@
+libvncserver (0.9.15+dfsg-1+deb13u1) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * debian/patches:
+ + CVE-2026-32853: Add 0001_CVE-2026-32853.patch fixing a heap out-of-bounds
+ read (Closes: #1132016).
+ + CVE-2026-32854: Add 0002_CVE-2026-32854.patch fixing NULL pointer
+ dereferences in httpd proxy handlers (Closes: #1132017).
+
+ -- Sven Geuer <[email protected]> Fri, 03 Apr 2026 21:45:50 +0200
+
 libvncserver (0.9.15+dfsg-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru libvncserver-0.9.15+dfsg/debian/patches/0001_CVE-2026-32853.patch libvncserver-0.9.15+dfsg/debian/patches/0001_CVE-2026-32853.patch
--- libvncserver-0.9.15+dfsg/debian/patches/0001_CVE-2026-32853.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.15+dfsg/debian/patches/0001_CVE-2026-32853.patch 2026-04-03 21:45:50.000000000 +0200
@@ -0,0 +1,61 @@
+Description: Fix CVE-2026-32853, Heap Out-of-Bounds Read in HandleUltraZipBPP
+ For details see
+ https://github.com/LibVNC/libvncserver/security/advisories/GHSA-87q7-v983-qwcj
+Origin: upstream, https://github.com/LibVNC/libvncserver/commit/009008e
+Bug-Debian: https://bugs.debian.org/1132016
+Forwarded: not-needed
+Reviewed-by: Sven Geuer <[email protected]>
+Last-Update: 2026-04-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/src/libvncclient/ultra.c b/src/libvncclient/ultra.c
+index 1d3aaba6..5633b8cb 100644
+--- a/src/libvncclient/ultra.c
++++ b/src/libvncclient/ultra.c
+@@ -126,6 +126,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+ int toRead=0;
+ int inflateResult=0;
+ unsigned char *ptr=NULL;
++ unsigned char *ptr_end=NULL;
+ lzo_uint uncompressedBytes = ry + (rw * 65535);
+ unsigned int numCacheRects = rx;
+ 
+@@ -194,11 +195,18 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+ 
+ /* Put the uncompressed contents of the update on the screen. */
+ ptr = (unsigned char *)client->raw_buffer;
++ ptr_end = ptr + uncompressedBytes;
+ for (i=0; i<numCacheRects; i++)
+ {
+ unsigned short sx, sy, sw, sh;
+ unsigned int se;
+ 
++ /* subrect header: sx(2) + sy(2) + sw(2) + sh(2) + se(4) = 12 bytes */
++ if (ptr + 12 > ptr_end) {
++ rfbClientLog("UltraZip: subrect %d header exceeds decompressed data bounds\n", i);
++ return FALSE;
++ }
++
+ memcpy((char *)&sx, ptr, 2); ptr += 2;
+ memcpy((char *)&sy, ptr, 2); ptr += 2;
+ memcpy((char *)&sw, ptr, 2); ptr += 2;
+@@ -213,8 +221,13 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+ 
+ if (se == rfbEncodingRaw)
+ {
++ uint64_t rawBytes = (uint64_t)sw * sh * (BPP / 8);
++ if (rawBytes > (size_t)(ptr_end - ptr)) {
++ rfbClientLog("UltraZip: subrect %d raw data exceeds decompressed data bounds\n", i);
++ return FALSE;
++ }
+ client->GotBitmap(client, (unsigned char *)ptr, sx, sy, sw, sh);
+- ptr += ((sw * sh) * (BPP / 8));
++ ptr += (size_t)rawBytes;
+ }
+ }
+ 
+@@ -222,3 +235,4 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+ }
+ 
+ #undef CARDBPP
++
diff -Nru libvncserver-0.9.15+dfsg/debian/patches/0002_CVE-2026-32854.patch libvncserver-0.9.15+dfsg/debian/patches/0002_CVE-2026-32854.patch
--- libvncserver-0.9.15+dfsg/debian/patches/0002_CVE-2026-32854.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.15+dfsg/debian/patches/0002_CVE-2026-32854.patch 2026-04-03 21:45:50.000000000 +0200
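Review bot: The new subrect-header check `if (ptr + 12 > ptr_end)` forms a pointer past the end of raw_buffer before comparing it, which C leaves undefined when fewer than 12 bytes remain; the raw-data check a few lines later already uses the safe difference form, so the header check should match it, `if ((size_t)(ptr_end - ptr) < 12) {`. ptr_end is derived from uncompressedBytes, which this function computes from its ry/rw arguments rather than from the number of bytes the inflate step actually produced; if the two can differ, the bound should be the actual output length (the inflate call and the raw_buffer allocation are outside these hunks, so I cannot confirm that from here). The final hunk's `++` after `#undef CARDBPP` adds a trailing blank line that is unrelated to the fix and could be dropped from the backport. HandleUltraZipBPP begins before the first hunk, and the subrect loop body between the hunks, including how non-raw subrects advance ptr, is not visible here.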
@@ -0,0 +1,54 @@
+Description: Fix CVE-2026-32854, NULL pointer derefs in httpd proxy handlers
+ For details see
+ https://github.com/LibVNC/libvncserver/security/advisories/GHSA-xjp8-4qqv-5x4x
+Origin: upstream, https://github.com/LibVNC/libvncserver/commit/dc78dee
+Bug-Debian: https://bugs.debian.org/1132017
+Forwarded: not-needed
+Reviewed-by: Sven Geuer <[email protected]>
+Last-Update: 2026-04-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/src/libvncserver/httpd.c b/src/libvncserver/httpd.c
+index f4fe51c9..7cefadc4 100644
+--- a/src/libvncserver/httpd.c
++++ b/src/libvncserver/httpd.c
+@@ -353,10 +353,11 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
+ 
+ 
+ /* Process the request. */
+- if(rfbScreen->httpEnableProxyConnect) {
++if(rfbScreen->httpEnableProxyConnect) {
+ const static char* PROXY_OK_STR = "HTTP/1.0 200 OK\r\nContent-Type: octet-stream\r\nPragma: no-cache\r\n\r\n";
+ if(!strncmp(buf, "CONNECT ", 8)) {
+- if(atoi(strchr(buf, ':')+1)!=rfbScreen->port) {
++ char *colon = strchr(buf, ':');
++ if(colon == NULL || atoi(colon+1)!=rfbScreen->port) {
+ rfbErr("httpd: CONNECT format invalid.\n");
+ rfbWriteExact(&cl,INVALID_REQUEST_STR, strlen(INVALID_REQUEST_STR));
+ httpCloseSock(rfbScreen);
+@@ -369,14 +370,17 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
+ rfbScreen->httpSock = RFB_INVALID_SOCKET;
+ return;
+ }
+- if (!strncmp(buf, "GET ",4) && !strncmp(strchr(buf,'/'),"/proxied.connection HTTP/1.", 27)) {
+- /* proxy connection */
+- rfbLog("httpd: client asked for /proxied.connection\n");
+- rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
+- rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
+- rfbScreen->httpSock = RFB_INVALID_SOCKET;
+- return;
+- }
++ if (!strncmp(buf, "GET ",4)) {
++ char *slash = strchr(buf, '/');
++ if (slash != NULL && !strncmp(slash,"/proxied.connection HTTP/1.", 27)) {
++ /* proxy connection */
++ rfbLog("httpd: client asked for /proxied.connection\n");
++ rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
++ rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
++ rfbScreen->httpSock = RFB_INVALID_SOCKET;
++ return;
++ }
++ }
+ }
+ 
+ if (strncmp(buf, "GET ", 4)) {
diff -Nru libvncserver-0.9.15+dfsg/debian/patches/series libvncserver-0.9.15+dfsg/debian/patches/series
--- libvncserver-0.9.15+dfsg/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.15+dfsg/debian/patches/series 2026-04-03 21:45:50.000000000 +0200
@@ -0,0 +1,2 @@
+0001_CVE-2026-32853.patch
+0002_CVE-2026-32854.patch
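Review bot: In the first httpd.c hunk the pair `- if(rfbScreen->httpEnableProxyConnect) {` / `+if(rfbScreen->httpEnableProxyConnect) {` differs only in leading whitespace as far as this rendering shows, so the new line is pushed to column 0 below the indentation of the block it opens; a whitespace-only change does not belong in a security backport and should be dropped so the patch carries just the two NULL checks. In the CONNECT branch, `atoi(colon+1)` reports no parse error and yields 0 for a non-numeric port field, so such a request is rejected only because 0 will normally differ from rfbScreen->port; `strtol` with an end-pointer check would make that validation explicit, though this behaviour predates the change. httpProcessInput begins and ends outside these hunks, and the CONNECT success path between the two hunks is not visible here.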

