Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package LibVNCServer for openSUSE:Factory checked in at 2026-03-26 21:07:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/LibVNCServer (Old) and /work/SRC/openSUSE:Factory/.LibVNCServer.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "LibVNCServer" Thu Mar 26 21:07:39 2026 rev:49 rq:1342447 version:0.9.15 Changes: -------- --- /work/SRC/openSUSE:Factory/LibVNCServer/LibVNCServer.changes 2025-06-27 23:00:40.135682259 +0200 +++ /work/SRC/openSUSE:Factory/.LibVNCServer.new.8177/LibVNCServer.changes 2026-03-27 06:35:33.347478099 +0100 @@ -1,0 +2,10 @@ +Wed Mar 25 11:33:10 UTC 2026 - Petr Gajdos <[email protected]> + +- security update +- added patches + CVE-2026-32853 [bsc#1260431], crafted FramebufferUpdate message can lead to information disclosure or denial of service + * LibVNCServer-CVE-2026-32853.patch + CVE-2026-32854 [bsc#1260429], crafted HTTP requests can cause a denial of service + * LibVNCServer-CVE-2026-32854.patch + +------------------------------------------------------------------- New: ---- LibVNCServer-CVE-2026-32853.patch LibVNCServer-CVE-2026-32854.patch ----------(New B)---------- New: CVE-2026-32853 [bsc#1260431], crafted FramebufferUpdate message can lead to information disclosure or denial of service * LibVNCServer-CVE-2026-32853.patch CVE-2026-32854 [bsc#1260429], crafted HTTP requests can cause a denial of service New: CVE-2026-32854 [bsc#1260429], crafted HTTP requests can cause a denial of service * LibVNCServer-CVE-2026-32854.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ LibVNCServer.spec ++++++ --- /var/tmp/diff_new_pack.rZ2ywV/_old 2026-03-27 06:35:33.887500356 +0100 +++ /var/tmp/diff_new_pack.rZ2ywV/_new 2026-03-27 06:35:33.891500521 +0100 @@ -1,7 +1,7 @@ # # spec file for package LibVNCServer # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -34,6 +34,10 @@ #PATCH-FEATURE-UPSTREAM TLS security type enablement patches gh#LibVNC/libvncserver!234 Patch10: 0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch Patch11: 0002-libvncserver-Add-channel-security-handlers.patch +# CVE-2026-32854 [bsc#1260429], crafted HTTP requests can cause a denial of service +Patch12: LibVNCServer-CVE-2026-32854.patch +# CVE-2026-32853 [bsc#1260431], crafted FramebufferUpdate message can lead to information disclosure or denial of service +Patch13: LibVNCServer-CVE-2026-32853.patch BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: libavahi-devel ++++++ LibVNCServer-CVE-2026-32853.patch ++++++ >From 009008e2f4d5a54dd71f422070df3af7b3dbc931 Mon Sep 17 00:00:00 2001 From: Kazuma Matsumoto <[email protected]> Date: Sun, 22 Mar 2026 20:35:49 +0100 Subject: [PATCH] libvncclient: add bounds checks to UltraZip subrectangle parsing HandleUltraZipBPP() iterates over sub-rectangles using numCacheRects (derived from the attacker-controlled rect.r.x) without validating that the pointer stays within the decompressed data buffer. A malicious server can set a large numCacheRects value, causing heap out-of-bounds reads via the memcpy calls in the parsing loop. Add bounds checks before reading the 12-byte subrect header and before advancing the pointer by the raw pixel data size. Use uint64_t for the raw data size calculation to prevent integer overflow on 32-bit platforms. --- src/libvncclient/ultra.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/src/libvncclient/ultra.c b/src/libvncclient/ultra.c index 1d3aaba6a..5633b8cbb 100644 --- a/src/libvncclient/ultra.c +++ b/src/libvncclient/ultra.c @@ -126,6 +126,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) int toRead=0; int inflateResult=0; unsigned char *ptr=NULL; + unsigned char *ptr_end=NULL; lzo_uint uncompressedBytes = ry + (rw * 65535); unsigned int numCacheRects = rx; 
@@ -194,11 +195,18 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) /* Put the uncompressed contents of the update on the screen. */ ptr = (unsigned char *)client->raw_buffer; + ptr_end = ptr + uncompressedBytes; for (i=0; i<numCacheRects; i++) { unsigned short sx, sy, sw, sh; unsigned int se; + /* subrect header: sx(2) + sy(2) + sw(2) + sh(2) + se(4) = 12 bytes */ + if (ptr + 12 > ptr_end) { + rfbClientLog("UltraZip: subrect %d header exceeds decompressed data bounds\n", i); + return FALSE; + } + memcpy((char *)&sx, ptr, 2); ptr += 2; memcpy((char *)&sy, ptr, 2); ptr += 2; memcpy((char *)&sw, ptr, 2); ptr += 2; @@ -213,8 +221,13 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) if (se == rfbEncodingRaw) { + uint64_t rawBytes = (uint64_t)sw * sh * (BPP / 8); + if (rawBytes > (size_t)(ptr_end - ptr)) { + rfbClientLog("UltraZip: subrect %d raw data exceeds decompressed data bounds\n", i); + return FALSE; + } client->GotBitmap(client, (unsigned char *)ptr, sx, sy, sw, sh); - ptr += ((sw * sh) * (BPP / 8)); + ptr += (size_t)rawBytes; } } @@ -222,3 +235,4 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) } #undef CARDBPP + ++++++ LibVNCServer-CVE-2026-32854.patch ++++++ >From dc78dee51a7e270e537a541a17befdf2073f5314 Mon Sep 17 00:00:00 2001 
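Review bot: The header guard `if (ptr + 12 > ptr_end)` computes `ptr + 12` before comparing, and forming a pointer more than one past the end of the buffer is undefined behaviour that a compiler is allowed to assume never happens. The raw-data check added in the following hunk already compares against the remaining length, so the same form fits here: `if ((size_t)(ptr_end - ptr) < 12) {`. `ptr_end = ptr + uncompressedBytes` is only a valid limit if `uncompressedBytes` holds the length the decompressor actually wrote at this point; that assignment is outside the hunk and worth confirming. The body of HandleUltraZipBPP starts and ends outside the hunk.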
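Review bot: The new `rawBytes` check bounds the read from the decompressed buffer, but `sx`, `sy`, `sw` and `sh` still reach `client->GotBitmap` with no check against the framebuffer size in the visible lines. Whether every installed callback validates the rectangle cannot be seen from here, so a guard before the call would make the parser safe on its own, for example `if ((uint32_t)sx + sw > (uint32_t)client->width || (uint32_t)sy + sh > (uint32_t)client->height) return FALSE;`. A one-line comment on `rawBytes` saying the 64-bit type is there so that `sw * sh * (BPP / 8)` cannot wrap would also help the next reader.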
From: Kazuma Matsumoto <[email protected]> Date: Thu, 19 Mar 2026 17:42:00 +0900 Subject: [PATCH] libvncserver: fix NULL pointer dereferences in httpd proxy handlers httpProcessInput() passes the return value of strchr() to atoi() and strncmp() without checking for NULL. If a CONNECT request contains no colon, or a GET request contains no slash, strchr() returns NULL, leading to a segmentation fault. Add NULL checks before using the strchr() return values. --- src/libvncserver/httpd.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) Index: libvncserver-LibVNCServer-0.9.15/src/libvncserver/httpd.c =================================================================== --- libvncserver-LibVNCServer-0.9.15.orig/src/libvncserver/httpd.c +++ libvncserver-LibVNCServer-0.9.15/src/libvncserver/httpd.c @@ -337,10 +337,11 @@ httpProcessInput(rfbScreenInfoPtr rfbScr /* Process the request. */ - if(rfbScreen->httpEnableProxyConnect) { +if(rfbScreen->httpEnableProxyConnect) { const static char* PROXY_OK_STR = "HTTP/1.0 200 OK\r\nContent-Type: octet-stream\r\nPragma: no-cache\r\n\r\n"; if(!strncmp(buf, "CONNECT ", 8)) { - if(atoi(strchr(buf, ':')+1)!=rfbScreen->port) { + char *colon = strchr(buf, ':'); + if(colon == NULL || atoi(colon+1)!=rfbScreen->port) { rfbErr("httpd: CONNECT format invalid.\n"); rfbWriteExact(&cl,INVALID_REQUEST_STR, strlen(INVALID_REQUEST_STR)); httpCloseSock(rfbScreen); 
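Review bot: `atoi(colon+1)` in the CONNECT branch cannot report a parse error, so a non-numeric port silently becomes 0 and an out-of-range value is undefined. `strchr(buf, ':')` also takes the first colon anywhere in `buf`, which may not be the one in the request target. Consider `long port = strtol(colon + 1, &end, 10);` followed by `if (end == colon + 1 || port != rfbScreen->port)` in place of the `atoi` comparison. The added line `+if(rfbScreen->httpEnableProxyConnect) {` appears to have lost its indentation, an unrelated whitespace change that should be reverted. The body of httpProcessInput starts and ends outside the hunk.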
@@ -353,14 +354,17 @@ httpProcessInput(rfbScreenInfoPtr rfbScr rfbScreen->httpSock = RFB_INVALID_SOCKET; return; } - if (!strncmp(buf, "GET ",4) && !strncmp(strchr(buf,'/'),"/proxied.connection HTTP/1.", 27)) { - /* proxy connection */ - rfbLog("httpd: client asked for /proxied.connection\n"); - rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR)); - rfbNewClientConnection(rfbScreen,rfbScreen->httpSock); - rfbScreen->httpSock = RFB_INVALID_SOCKET; - return; - } + if (!strncmp(buf, "GET ",4)) { + char *slash = strchr(buf, '/'); + if (slash != NULL && !strncmp(slash,"/proxied.connection HTTP/1.", 27)) { + /* proxy connection */ + rfbLog("httpd: client asked for /proxied.connection\n"); + rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR)); + rfbNewClientConnection(rfbScreen,rfbScreen->httpSock); + rfbScreen->httpSock = RFB_INVALID_SOCKET; + return; + } + } } if (strncmp(buf, "GET ", 4)) {
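Review bot: `strchr(buf, '/')` in the GET branch accepts the first slash anywhere in the buffer, so a request whose target does not begin with `/` can still match `/proxied.connection`. Since `buf` is already known to start with `GET `, comparing at a fixed offset is stricter and needs no NULL check: `if (!strncmp(buf + 4, "/proxied.connection HTTP/1.", 27)) {`. This narrows what is accepted, so confirm that no client depends on the looser match. A short comment noting that 27 is the length of the literal would also help.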
