Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package neatvnc for openSUSE:Factory checked in at 2026-04-28 11:57:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/neatvnc (Old) and /work/SRC/openSUSE:Factory/.neatvnc.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "neatvnc" Tue Apr 28 11:57:16 2026 rev:19 rq:1349492 version:0.9.6 Changes: -------- --- /work/SRC/openSUSE:Factory/neatvnc/neatvnc.changes 2025-07-30 11:45:43.911604271 +0200 +++ /work/SRC/openSUSE:Factory/.neatvnc.new.11940/neatvnc.changes 2026-04-28 12:01:06.049306056 +0200 @@ -1,0 +2,7 @@ +Mon Apr 27 06:29:24 UTC 2026 - Michael Vetter <[email protected]> + +- Update to 0.9.6: + * Fix a buffer overflow vulnerability in RSA-AES authentication + * Add earlier rejection of overly long credentials in VeNCrypt authentication + +------------------------------------------------------------------- Old: ---- neatvnc-0.9.5.tar.xz New: ---- neatvnc-0.9.6.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ neatvnc.spec ++++++ --- /var/tmp/diff_new_pack.2hhlcj/_old 2026-04-28 12:01:06.533326100 +0200 +++ /var/tmp/diff_new_pack.2hhlcj/_new 2026-04-28 12:01:06.537326266 +0200 @@ -1,7 +1,7 @@ # # spec file for package neatvnc # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %define libsoname libneatvnc0 Name: neatvnc -Version: 0.9.5 +Version: 0.9.6 Release: 0 Summary: A VNC server library License: ISC ++++++ _service ++++++ --- /var/tmp/diff_new_pack.2hhlcj/_old 2026-04-28 12:01:06.569327591 +0200 +++ /var/tmp/diff_new_pack.2hhlcj/_new 2026-04-28 12:01:06.573327756 +0200 @@ -3,8 +3,8 @@ <service name="obs_scm" mode="manual"> <param name="scm">git</param> <param name="url">https://github.com/any1/neatvnc.git</param> - <param name="revision">af5811b75e63f53d1d1f1f3f337387553a96786a</param> - <param name="versionformat">0.9.5</param> + <param name="revision">3295c11b934a83dbcb44beabf3f21a8b885a2d11</param> + <param name="versionformat">0.9.6</param> </service> <service name="tar" mode="manual"/> <service name="recompress" mode="manual"> ++++++ neatvnc-0.9.5.tar.xz -> neatvnc-0.9.6.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/neatvnc-0.9.5/meson.build new/neatvnc-0.9.6/meson.build --- old/neatvnc-0.9.5/meson.build 2025-02-23 10:52:50.000000000 +0100 +++ new/neatvnc-0.9.6/meson.build 2026-04-24 16:11:38.000000000 +0200 @@ -1,7 +1,7 @@ project( 'neatvnc', 'c', - version: '0.9.3', + version: '0.9.6', license: 'ISC', default_options: [ 'c_std=gnu11', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/neatvnc-0.9.5/src/auth/rsa-aes.c new/neatvnc-0.9.6/src/auth/rsa-aes.c --- old/neatvnc-0.9.5/src/auth/rsa-aes.c 2025-02-23 10:52:50.000000000 +0100 +++ new/neatvnc-0.9.6/src/auth/rsa-aes.c 2026-04-24 16:11:38.000000000 +0200 @@ -19,6 +19,8 @@ #include "auth/auth.h" #include "auth/rsa-aes.h" +#define MAX_PUB_KEY_SIZE 1000000 + #define UDIV_UP(a, b) (((a) + (b) - 1) / (b)) int rsa_aes_send_public_key(struct nvnc_client* client) @@ -61,16 +63,17 @@ { crypto_random(client->rsa.challenge, client->rsa.challenge_len); - uint8_t buffer[1024]; - struct rfb_rsa_aes_challenge_msg *msg = - (struct rfb_rsa_aes_challenge_msg*)buffer; + struct rfb_rsa_aes_challenge_msg* msg; + size_t key_len = crypto_rsa_pub_key_length(client->rsa.pub); + size_t msg_size = sizeof(*msg) + key_len; + msg = calloc(1, msg_size); + assert(msg); - ssize_t len = crypto_rsa_encrypt(pub, msg->challenge, - crypto_rsa_pub_key_length(client->rsa.pub), + crypto_rsa_encrypt(pub, msg->challenge, key_len, client->rsa.challenge, client->rsa.challenge_len); - msg->length = htons(len); + msg->length = htons(key_len); - stream_write(client->net_stream, buffer, sizeof(*msg) + len, NULL, NULL); + stream_send(client->net_stream, rcbuf_new(msg, msg_size), NULL, NULL); return 0; } @@ -89,6 +92,12 @@ sizeof(*msg) + byte_length * 2) return 0; + if (byte_length > MAX_PUB_KEY_SIZE) { + nvnc_log(NVNC_LOG_ERROR, "Client sent a ridiculously large public key. This can't be right."); + nvnc_client_close(client); + return -1; + } + const uint8_t* modulus = msg->modulus_and_exponent; const uint8_t* exponent = msg->modulus_and_exponent + byte_length; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/neatvnc-0.9.5/src/auth/vencrypt.c new/neatvnc-0.9.6/src/auth/vencrypt.c --- old/neatvnc-0.9.5/src/auth/vencrypt.c 2025-02-23 10:52:50.000000000 +0100 +++ new/neatvnc-0.9.6/src/auth/vencrypt.c 2026-04-24 16:11:38.000000000 +0200 @@ -21,6 +21,9 @@ #include <sys/param.h> +#define MAX_USERNAME_LENGTH 256 +#define MAX_PASSWORD_LENGTH 256 + static int send_byte(struct nvnc_client* client, uint8_t value) { return stream_write(client->net_stream, &value, 1, NULL, NULL); @@ -112,11 +115,17 @@ uint32_t ulen = ntohl(msg->username_len); uint32_t plen = ntohl(msg->password_len); + if (ulen > MAX_USERNAME_LENGTH || plen > MAX_PASSWORD_LENGTH) { + nvnc_log(NVNC_LOG_ERROR, "Client sent too long username/password"); + nvnc_client_close(client); + return -1; + } + if (client->buffer_len - client->buffer_index < sizeof(*msg) + ulen + plen) return 0; - char username[256]; - char password[256]; + char username[MAX_USERNAME_LENGTH]; + char password[MAX_PASSWORD_LENGTH]; memcpy(username, msg->text, MIN(ulen, sizeof(username) - 1)); memcpy(password, msg->text + ulen, MIN(plen, sizeof(password) - 1)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/neatvnc-0.9.5/src/cursor.c new/neatvnc-0.9.6/src/cursor.c --- old/neatvnc-0.9.5/src/cursor.c 2025-02-23 10:52:50.000000000 +0100 +++ new/neatvnc-0.9.6/src/cursor.c 2026-04-24 16:11:38.000000000 +0200 @@ -64,11 +64,11 @@ return encode_rect_head(dst, RFB_ENCODING_CURSOR, 0, 0, 0, 0); nvnc_transform_dimensions(image->transform, &width, &height); - nvnc_transform_dimensions(image->transform, &hotspot_x, &hotspot_y); if (nvnc_fb_map(image) < 0) - goto failure; + return -1; + // This returns a new image that needs to be unreferenced later image = apply_transform(image); assert(width <= image->width); @@ -87,7 +87,7 @@ int bpp = pixfmt->bits_per_pixel / 8; size_t size = width * height; - rc = vec_reserve(dst, dst->len + size * bpp + UDIV_UP(size, 8)); + rc = vec_reserve(dst, dst->len + size * bpp + UDIV_UP(width, 8) * height); if (rc < 0) goto failure; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/neatvnc-0.9.5/src/enc/tight.c new/neatvnc-0.9.6/src/enc/tight.c --- old/neatvnc-0.9.5/src/enc/tight.c 2025-02-23 10:52:50.000000000 +0100 +++ new/neatvnc-0.9.6/src/enc/tight.c 2026-04-24 16:11:38.000000000 +0200 @@ -448,6 +448,7 @@ if (--self->n_jobs == 0) { nvnc_fb_release(self->fb); nvnc_fb_unref(self->fb); + self->fb = NULL; schedule_tight_finish(self); } @@ -615,6 +616,7 @@ if (tight_schedule_encoding_jobs(self) < 0) { nvnc_fb_release(self->fb); nvnc_fb_unref(self->fb); + self->fb = NULL; vec_destroy(&self->dst); return -1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/neatvnc-0.9.5/src/server.c new/neatvnc-0.9.6/src/server.c --- old/neatvnc-0.9.5/src/server.c 2025-02-23 10:52:50.000000000 +0100 +++ new/neatvnc-0.9.6/src/server.c 2026-04-24 16:11:38.000000000 +0200 @@ -210,24 +210,23 @@ free(client); } -static void do_deferred_client_close(void *obj) +static void do_deferred_client_close(void* obj) { - struct nvnc_client* client = obj; - if (client->close_task) - client_close(client); -} + struct aml_idle* idle = obj; + struct nvnc_client* client = aml_get_userdata(idle); + client->close_task = NULL; + aml_stop(aml_get_default(), idle); + aml_unref(idle); -static void stop_self(void* obj) -{ - aml_stop(aml_get_default(), obj); + client_close(client); } static void defer_client_close(struct nvnc_client* client) { if (client->close_task) return; - client->close_task = aml_idle_new(stop_self, client, - do_deferred_client_close); + client->close_task = aml_idle_new(do_deferred_client_close, client, + NULL); aml_start(aml_get_default(), client->close_task); } @@ -364,7 +363,7 @@ if (!is_allowed_security_type(client->server, type)) { security_handshake_failed(client, NULL, "Illegal security type"); - return sizeof(type); + return -1; } update_min_rtt(client); @@ -403,7 +402,7 @@ default: security_handshake_failed(client, NULL, "Unsupported security type"); - break; + return -1; } return sizeof(type); @@ -2320,6 +2319,7 @@ nvnc_fb_release(self->cursor.buffer); nvnc_fb_unref(self->cursor.buffer); + self->cursor.buffer = NULL; // The stream is closed first to stop all communication and to make sure // that encoding of new frames does not start. ++++++ neatvnc.obsinfo ++++++ --- /var/tmp/diff_new_pack.2hhlcj/_old 2026-04-28 12:01:06.861339684 +0200 +++ /var/tmp/diff_new_pack.2hhlcj/_new 2026-04-28 12:01:06.865339849 +0200 @@ -1,5 +1,5 @@ name: neatvnc -version: 0.9.5 -mtime: 1740304370 -commit: af5811b75e63f53d1d1f1f3f337387553a96786a +version: 0.9.6 +mtime: 1777039898 +commit: 3295c11b934a83dbcb44beabf3f21a8b885a2d11
