Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package LibVNCServer for openSUSE:Factory checked in at 2026-05-30 22:55:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/LibVNCServer (Old) and /work/SRC/openSUSE:Factory/.LibVNCServer.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "LibVNCServer" Sat May 30 22:55:02 2026 rev:50 rq:1355889 version:0.9.15 Changes: --------
--- /work/SRC/openSUSE:Factory/LibVNCServer/LibVNCServer.changes 2026-03-27 06:35:33.347478099 +0100
+++ /work/SRC/openSUSE:Factory/.LibVNCServer.new.1937/LibVNCServer.changes 2026-05-30 22:56:00.919053938 +0200
@@ -1,0 +2,7 @@
+Fri May 29 12:50:18 UTC 2026 - Petr Gajdos <[email protected]>
+
+- added patches
+ CVE-2026-44988: missing validation of rectangle width in tight gradient decoding can lead to server-triggered out-of-bounds write [bsc#1266459]
+ * LibVNCServer-CVE-2026-44988.patch
+
+-------------------------------------------------------------------
New: ---- LibVNCServer-CVE-2026-44988.patch ----------(New B)---------- New: CVE-2026-44988: missing validation of rectangle width in tight gradient decoding can lead to server-triggered out-of-bounds write [bsc#1266459] * LibVNCServer-CVE-2026-44988.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ LibVNCServer.spec ++++++
--- /var/tmp/diff_new_pack.k52xML/_old 2026-05-30 22:56:01.779089226 +0200
+++ /var/tmp/diff_new_pack.k52xML/_new 2026-05-30 22:56:01.783089390 +0200
@@ -38,6 +38,8 @@
 Patch12: LibVNCServer-CVE-2026-32854.patch
 # CVE-2026-32853 [bsc#1260431], crafted FramebufferUpdate message can lead to information disclosure or denial of service
 Patch13: LibVNCServer-CVE-2026-32853.patch
+# CVE-2026-44988: missing validation of rectangle width in tight gradient decoding can lead to server-triggered out-of-bounds write [bsc#1266459]
+Patch14: LibVNCServer-CVE-2026-44988.patch
 BuildRequires: cmake
 BuildRequires: gcc-c++
 BuildRequires: libavahi-devel
++++++ LibVNCServer-CVE-2026-44988.patch ++++++
>From 5b270544b85233668b98161323297d418a8f5fd1 Mon Sep 17 00:00:00 2001
From: Kang Hee chan <[email protected]> Date: Wed, 6 May 2026 21:48:54 +0900 Subject: [PATCH] libvncclient: fix Tight gradient decoding overflow --- include/rfb/rfbclient.h | 3 ++- src/libvncclient/tight.c | 10 +++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) Index: libvncserver-LibVNCServer-0.9.15/include/rfb/rfbclient.h =================================================================== --- libvncserver-LibVNCServer-0.9.15.orig/include/rfb/rfbclient.h +++ libvncserver-LibVNCServer-0.9.15/include/rfb/rfbclient.h @@ -314,10 +314,11 @@ typedef struct _rfbClient { rfbBool zlibStreamActive[4]; /* Filter stuff. Should be initialized by filter initialization code. */ +#define TIGHT_GRADIENT_MAX_WIDTH 2048 rfbBool cutZeros; int rectWidth, rectColors; char tightPalette[256*4]; - uint8_t tightPrevRow[2048*3*sizeof(uint16_t)]; + uint8_t tightPrevRow[TIGHT_GRADIENT_MAX_WIDTH*3*sizeof(uint16_t)]; #ifdef LIBVNCSERVER_HAVE_LIBJPEG /** JPEG decoder state (obsolete-- do not use). */ Index: libvncserver-LibVNCServer-0.9.15/src/libvncclient/tight.c =================================================================== --- libvncserver-LibVNCServer-0.9.15.orig/src/libvncclient/tight.c +++ libvncserver-LibVNCServer-0.9.15/src/libvncclient/tight.c @@ -229,6 +229,11 @@ HandleTightBPP (rfbClient* client, int r bitsPixel = InitFilterPaletteBPP(client, rw, rh); break; case rfbTightFilterGradient: + if (rw > TIGHT_GRADIENT_MAX_WIDTH) { + rfbClientLog("Tight Gradient rectangle width %d exceeds maximum %d.\n", + rw, TIGHT_GRADIENT_MAX_WIDTH); + return FALSE; + } filterFn = FilterGradientBPP; bitsPixel = InitFilterGradientBPP(client, rw, rh); break; @@ -430,7 +435,7 @@ FilterGradient24 (rfbClient* client, int CARDBPP *dst = (CARDBPP *)&client->frameBuffer[(srcy * client->width + srcx) * BPP / 8]; int x, y, c; - uint8_t thisRow[2048*3]; + uint8_t thisRow[TIGHT_GRADIENT_MAX_WIDTH*3]; uint8_t pix[3]; int est[3]; 
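Review bot: `TIGHT_GRADIENT_MAX_WIDTH` is defined in the middle of the `_rfbClient` struct body in include/rfb/rfbclient.h and carries no comment, so every includer of what appears to be an installed header gets an unprefixed macro whose role as a memory-safety bound is not stated. I would move the definition above the struct and document it, for example `/** Widest rectangle accepted for the Tight gradient filter; sizes tightPrevRow and the per-row buffers in tight.c. */` followed by `#define TIGHT_GRADIENT_MAX_WIDTH 2048`. The value equals the literal it replaces, so the size of `tightPrevRow` should not change. The struct definition starts and ends outside the hunk.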
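Review bot: The guard added under `case rfbTightFilterGradient:` tests only the upper bound of `rw` and does not say which buffers it protects. `rw` is printed with `%d`, so it looks like a signed value; if a caller could ever pass a negative width the test should read `if (rw < 0 || rw > TIGHT_GRADIENT_MAX_WIDTH) {`, and if the callers rule that out, a short comment should say so. I would also put `/* tightPrevRow and the thisRow buffers of the gradient filters hold at most TIGHT_GRADIENT_MAX_WIDTH pixels per row */` above the check. HandleTightBPP starts and ends outside the hunk, so its call sites and the type of `rw` at the point of origin are not visible here.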
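Review bot: `thisRow` in FilterGradient24, and the `uint16_t thisRow` in the FilterGradientBPP hunk that follows, stay within bounds only because HandleTightBPP now rejects wider gradient rectangles, and nothing at either declaration records that dependency. A later change that reaches these filters without passing through that guard would bring the out-of-bounds write back. I would add a comment at each declaration, `/* one row of at most TIGHT_GRADIENT_MAX_WIDTH pixels; the width is validated in HandleTightBPP */`, and consider an early bail-out at the top of both functions if the row width they iterate over exceeds the macro. Both function bodies continue outside the hunks, so the loop bounds themselves are not visible here.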
@@ -473,7 +478,7 @@ FilterGradientBPP (rfbClient* client, in int x, y, c; CARDBPP *src = (CARDBPP *)client->buffer; uint16_t *thatRow = (uint16_t *)client->tightPrevRow; - uint16_t thisRow[2048*3]; + uint16_t thisRow[TIGHT_GRADIENT_MAX_WIDTH*3]; uint16_t pix[3]; uint16_t max[3]; int shift[3]; @@ -705,4 +710,3 @@ ReadCompactLen (rfbClient* client) /* LIBVNCSERVER_HAVE_LIBZ and LIBVNCSERVER_HAVE_LIBJPEG */ #endif #endif -
