Your message dated Sat, 11 Jul 2026 10:42:31 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1140225,
regarding bookworm-pu: package libvncserver/0.9.14+dfsg-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140225: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140225
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libvncserver
User: [email protected]
Usertags: pu

Dear Release Managers,

I would like to close these bugs regarding bookworm through p-u:
https://bugs.debian.org/1138174
https://bugs.debian.org/1138253

[ Reason ]
This fixes CVE-2026-44988 and CVE-2026-50538 for bookworm.

[ Impact ]
CVE-2026-44988: A malicious VNC server can send a crafted
FramebufferUpdate rectangle which makes the client write beyond fixed-
size Gradient buffers.
CVE-2026-50538: A malicious VNC server can  force a connecting
libvncclient to write attacker-controlled data past the end of its
framebuffer without the need of authentication.

[ Tests ]
Build test and autopkgtest locally and on debusine.d.n:
https://debusine.debian.net/debian/developers/work-request/844226/

[ Risks ]
I consider the risks low as the fix consists exactly of upstream's
commits:
https://github.com/LibVNC/libvncserver/commit/5b27054
https://github.com/LibVNC/libvncserver/commit/540332b

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable


-- 
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
diff -Nru libvncserver-0.9.14+dfsg/debian/changelog libvncserver-0.9.14+dfsg/debian/changelog
--- libvncserver-0.9.14+dfsg/debian/changelog	2026-04-06 22:58:49.000000000 +0200
+++ libvncserver-0.9.14+dfsg/debian/changelog	2026-06-17 12:51:14.000000000 +0200
@@ -1,3 +1,14 @@
+libvncserver (0.9.14+dfsg-1+deb12u2) bookworm; urgency=medium
+
+  * Team upload.
+  * debian/patches:
+    + CVE-2026-44988: Add 0003_CVE-2026-44988.patch fixing Tight gradient
+      decoding overflow (Closes: #1138174).
+    + CVE-2026-50538: Add 0004_CVE-2026-50538.patch fixing attacker-controlled
+      heap out-of-bounds write (Closes: #1138253).
+
+ -- Sven Geuer <[email protected]>  Wed, 17 Jun 2026 12:51:14 +0200
+
 libvncserver (0.9.14+dfsg-1+deb12u1) bookworm; urgency=medium
 
   * Team upload.
diff -Nru libvncserver-0.9.14+dfsg/debian/patches/0003_CVE-2026-44988.patch libvncserver-0.9.14+dfsg/debian/patches/0003_CVE-2026-44988.patch
--- libvncserver-0.9.14+dfsg/debian/patches/0003_CVE-2026-44988.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.14+dfsg/debian/patches/0003_CVE-2026-44988.patch	2026-06-17 12:51:14.000000000 +0200
@@ -0,0 +1,62 @@
+Description: Fix CVE-2026-44988, fix Tight gradient decoding overflow
+ for details see
+ https://github.com/LibVNC/libvncserver/security/advisories/GHSA-jcc5-8wj4-7c58
+Origin: upstream, https://github.com/LibVNC/libvncserver/commit/5b27054
+Bug-Debian: https://bugs.debian.org/1138174
+Forwarded: not-needed
+Reviewed-by: Sven Geuer <[email protected]>
+Last-Update: 2026-05-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/rfb/rfbclient.h
++++ b/rfb/rfbclient.h
+@@ -313,10 +313,11 @@
+ 	rfbBool zlibStreamActive[4];
+ 
+ 	/* Filter stuff. Should be initialized by filter initialization code. */
++#define TIGHT_GRADIENT_MAX_WIDTH 2048
+ 	rfbBool cutZeros;
+ 	int rectWidth, rectColors;
+ 	char tightPalette[256*4];
+-	uint8_t tightPrevRow[2048*3*sizeof(uint16_t)];
++	uint8_t tightPrevRow[TIGHT_GRADIENT_MAX_WIDTH*3*sizeof(uint16_t)];
+ 
+ #ifdef LIBVNCSERVER_HAVE_LIBJPEG
+ 	/** JPEG decoder state (obsolete-- do not use). */
+--- a/libvncclient/tight.c
++++ b/libvncclient/tight.c
+@@ -191,6 +191,11 @@
+       bitsPixel = InitFilterPaletteBPP(client, rw, rh);
+       break;
+     case rfbTightFilterGradient:
++      if (rw > TIGHT_GRADIENT_MAX_WIDTH) {
++	rfbClientLog("Tight Gradient rectangle width %d exceeds maximum %d.\n",
++		     rw, TIGHT_GRADIENT_MAX_WIDTH);
++	return FALSE;
++      }
+       filterFn = FilterGradientBPP;
+       bitsPixel = InitFilterGradientBPP(client, rw, rh);
+       break;
+@@ -392,7 +397,7 @@
+   CARDBPP *dst =
+     (CARDBPP *)&client->frameBuffer[(srcy * client->width + srcx) * BPP / 8];
+   int x, y, c;
+-  uint8_t thisRow[2048*3];
++  uint8_t thisRow[TIGHT_GRADIENT_MAX_WIDTH*3];
+   uint8_t pix[3];
+   int est[3];
+ 
+@@ -435,7 +440,7 @@
+   int x, y, c;
+   CARDBPP *src = (CARDBPP *)client->buffer;
+   uint16_t *thatRow = (uint16_t *)client->tightPrevRow;
+-  uint16_t thisRow[2048*3];
++  uint16_t thisRow[TIGHT_GRADIENT_MAX_WIDTH*3];
+   uint16_t pix[3];
+   uint16_t max[3];
+   int shift[3];
+@@ -667,4 +672,3 @@
+ /* LIBVNCSERVER_HAVE_LIBZ and LIBVNCSERVER_HAVE_LIBJPEG */
+ #endif
+ #endif
+-
diff -Nru libvncserver-0.9.14+dfsg/debian/patches/0004_CVE-2026-50538.patch libvncserver-0.9.14+dfsg/debian/patches/0004_CVE-2026-50538.patch
--- libvncserver-0.9.14+dfsg/debian/patches/0004_CVE-2026-50538.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.14+dfsg/debian/patches/0004_CVE-2026-50538.patch	2026-06-17 12:51:14.000000000 +0200
@@ -0,0 +1,29 @@
+Description: Fix CVE-2026-50538, attacker-controlled heap out-of-bounds write
+ for details see
+ https://github.com/LibVNC/libvncserver/security/advisories/GHSA-v9pm-47h4-jcq8
+Origin: upstream, https://github.com/LibVNC/libvncserver/commit/540332b
+Bug-Debian: https://bugs.debian.org/1138253
+Forwarded: not-needed
+Reviewed-by: Sven Geuer <[email protected]>
+Last-Update: 2026-06-10
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/libvncclient/tight.c
++++ b/libvncclient/tight.c
+@@ -303,6 +303,16 @@
+ 
+       numRows = (bufferSize - zs->avail_out) / rowSize;
+ 
++      /* The decompressed stream is server-controlled and may yield more rows
++         than the rectangle's declared height.  filterFn() writes directly into
++         client->frameBuffer, so clamp here before writing to avoid running past
++         the framebuffer (heap out-of-bounds write).  The post-loop
++         "rowsProcessed != rh" check happens too late. */
++      if (numRows > rh - rowsProcessed) {
++	rfbClientLog("Tight: too many scan lines after decompression.\n");
++	return FALSE;
++      }
++
+       filterFn(client, rx, ry+rowsProcessed, numRows);
+ 
+       extraBytes = bufferSize - zs->avail_out - numRows * rowSize;
diff -Nru libvncserver-0.9.14+dfsg/debian/patches/series libvncserver-0.9.14+dfsg/debian/patches/series
--- libvncserver-0.9.14+dfsg/debian/patches/series	2026-04-06 22:58:49.000000000 +0200
+++ libvncserver-0.9.14+dfsg/debian/patches/series	2026-06-17 12:51:14.000000000 +0200
@@ -1,2 +1,4 @@
 0001_CVE-2026-32853.patch
 0002_CVE-2026-32854.patch
+0003_CVE-2026-44988.patch
+0004_CVE-2026-50538.patch

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
--- Begin Message ---
Version: 12.15

This update was released as part of 12.15.

--- End Message ---

Reply via email to