Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libvncserver
User: [email protected]
Usertags: pu
Dear Release Managers,

I would like to close these bugs regarding bookworm through p-u:

https://bugs.debian.org/1138174
https://bugs.debian.org/1138253

[ Reason ]
This fixes CVE-2026-44988 and CVE-2026-50538 for bookworm.

[ Impact ]
CVE-2026-44988: A malicious VNC server can send a crafted FramebufferUpdate
rectangle which makes the client write beyond fixed-size Gradient buffers.

CVE-2026-50538: A malicious VNC server can force a connecting libvncclient
to write attacker-controlled data past the end of its framebuffer without
the need for authentication.

[ Tests ]
Build test and autopkgtest locally and on debusine.d.n:
https://debusine.debian.net/debian/developers/work-request/844226/

[ Risks ]
I consider the risks low as the fix consists exactly of upstream's commits:
https://github.com/LibVNC/libvncserver/commit/5b27054
https://github.com/LibVNC/libvncserver/commit/540332b

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable

--
GPG Fingerprint 3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
diff -Nru libvncserver-0.9.14+dfsg/debian/changelog libvncserver-0.9.14+dfsg/debian/changelog --- libvncserver-0.9.14+dfsg/debian/changelog 2026-04-06 22:58:49.000000000 +0200 +++ libvncserver-0.9.14+dfsg/debian/changelog 2026-06-17 12:51:14.000000000 +0200 @@ -1,3 +1,14 @@ +libvncserver (0.9.14+dfsg-1+deb12u2) bookworm; urgency=medium + + * Team upload. + * debian/patches: + + CVE-2026-44988: Add 0003_CVE-2026-44988.patch fixing Tight gradient + decoding overflow (Closes: #1138174). + + CVE-2026-50538: Add 0004_CVE-2026-50538.patch fixing attacker-controlled + heap out-of-bounds write (Closes: #1138253). + + -- Sven Geuer <[email protected]> Wed, 17 Jun 2026 12:51:14 +0200 + libvncserver (0.9.14+dfsg-1+deb12u1) bookworm; urgency=medium * Team upload. diff -Nru libvncserver-0.9.14+dfsg/debian/patches/0003_CVE-2026-44988.patch libvncserver-0.9.14+dfsg/debian/patches/0003_CVE-2026-44988.patch --- libvncserver-0.9.14+dfsg/debian/patches/0003_CVE-2026-44988.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvncserver-0.9.14+dfsg/debian/patches/0003_CVE-2026-44988.patch 2026-06-17 12:51:14.000000000 +0200 
@@ -0,0 +1,62 @@ +Description: Fix CVE-2026-44988, fix Tight gradient decoding overflow + for details see + https://github.com/LibVNC/libvncserver/security/advisories/GHSA-jcc5-8wj4-7c58 +Origin: upstream, https://github.com/LibVNC/libvncserver/commit/5b27054 +Bug-Debian: https://bugs.debian.org/1138174 +Forwarded: not-needed +Reviewed-by: Sven Geuer <[email protected]> +Last-Update: 2026-05-29 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/rfb/rfbclient.h ++++ b/rfb/rfbclient.h +@@ -313,10 +313,11 @@ + rfbBool zlibStreamActive[4]; + + /* Filter stuff. Should be initialized by filter initialization code. */ ++#define TIGHT_GRADIENT_MAX_WIDTH 2048 + rfbBool cutZeros; + int rectWidth, rectColors; + char tightPalette[256*4]; +- uint8_t tightPrevRow[2048*3*sizeof(uint16_t)]; ++ uint8_t tightPrevRow[TIGHT_GRADIENT_MAX_WIDTH*3*sizeof(uint16_t)]; + + #ifdef LIBVNCSERVER_HAVE_LIBJPEG + /** JPEG decoder state (obsolete-- do not use). */ +--- a/libvncclient/tight.c ++++ b/libvncclient/tight.c +@@ -191,6 +191,11 @@ + bitsPixel = InitFilterPaletteBPP(client, rw, rh); + break; + case rfbTightFilterGradient: ++ if (rw > TIGHT_GRADIENT_MAX_WIDTH) { ++ rfbClientLog("Tight Gradient rectangle width %d exceeds maximum %d.\n", ++ rw, TIGHT_GRADIENT_MAX_WIDTH); ++ return FALSE; ++ } + filterFn = FilterGradientBPP; + bitsPixel = InitFilterGradientBPP(client, rw, rh); + break; +@@ -392,7 +397,7 @@ + CARDBPP *dst = + (CARDBPP *)&client->frameBuffer[(srcy * client->width + srcx) * BPP / 8]; + int x, y, c; +- uint8_t thisRow[2048*3]; ++ uint8_t thisRow[TIGHT_GRADIENT_MAX_WIDTH*3]; + uint8_t pix[3]; + int est[3]; + +@@ -435,7 +440,7 @@ + int x, y, c; + CARDBPP *src = (CARDBPP *)client->buffer; + uint16_t *thatRow = (uint16_t *)client->tightPrevRow; +- uint16_t thisRow[2048*3]; ++ uint16_t thisRow[TIGHT_GRADIENT_MAX_WIDTH*3]; + uint16_t pix[3]; + uint16_t max[3]; + int shift[3]; +@@ -667,4 +672,3 @@ + /* LIBVNCSERVER_HAVE_LIBZ and LIBVNCSERVER_HAVE_LIBJPEG */ + 
#endif + #endif +- diff -Nru libvncserver-0.9.14+dfsg/debian/patches/0004_CVE-2026-50538.patch libvncserver-0.9.14+dfsg/debian/patches/0004_CVE-2026-50538.patch --- libvncserver-0.9.14+dfsg/debian/patches/0004_CVE-2026-50538.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvncserver-0.9.14+dfsg/debian/patches/0004_CVE-2026-50538.patch 2026-06-17 12:51:14.000000000 +0200 @@ -0,0 +1,29 @@ +Description: Fix CVE-2026-50538, attacker-controlled heap out-of-bounds write + for details see + https://github.com/LibVNC/libvncserver/security/advisories/GHSA-v9pm-47h4-jcq8 +Origin: upstream, https://github.com/LibVNC/libvncserver/commit/540332b +Bug-Debian: https://bugs.debian.org/1138253 +Forwarded: not-needed +Reviewed-by: Sven Geuer <[email protected]> +Last-Update: 2026-06-10 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/libvncclient/tight.c ++++ b/libvncclient/tight.c +@@ -303,6 +303,16 @@ + + numRows = (bufferSize - zs->avail_out) / rowSize; + ++ /* The decompressed stream is server-controlled and may yield more rows ++ than the rectangle's declared height. filterFn() writes directly into ++ client->frameBuffer, so clamp here before writing to avoid running past ++ the framebuffer (heap out-of-bounds write). The post-loop ++ "rowsProcessed != rh" check happens too late. */ ++ if (numRows > rh - rowsProcessed) { ++ rfbClientLog("Tight: too many scan lines after decompression.\n"); ++ return FALSE; ++ } ++ + filterFn(client, rx, ry+rowsProcessed, numRows); + + extraBytes = bufferSize - zs->avail_out - numRows * rowSize; diff -Nru libvncserver-0.9.14+dfsg/debian/patches/series libvncserver-0.9.14+dfsg/debian/patches/series --- libvncserver-0.9.14+dfsg/debian/patches/series 2026-04-06 22:58:49.000000000 +0200 +++ libvncserver-0.9.14+dfsg/debian/patches/series 2026-06-17 12:51:14.000000000 +0200 @@ -1,2 +1,4 @@ 0001_CVE-2026-32853.patch 0002_CVE-2026-32854.patch +0003_CVE-2026-44988.patch +0004_CVE-2026-50538.patch
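Review bot: in the rfb/rfbclient.h hunk of 0003_CVE-2026-44988.patch, `#define TIGHT_GRADIENT_MAX_WIDTH 2048` is placed inside the rfbClient struct body, between the "Filter stuff" comment and the `cutZeros` field, so it reads like a member and separates the comment from the fields it describes; moving the define above the struct (next to the other Tight constants) would be clearer. Worth stating in the DEP-3 header or the changelog that this hunk does not change the stable ABI: `TIGHT_GRADIENT_MAX_WIDTH*3*sizeof(uint16_t)` is the same size as the old `2048*3*sizeof(uint16_t)`, so sizeof(rfbClient) and the offset of `tightPrevRow` are unchanged.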
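Review bot: the new `if (rw > TIGHT_GRADIENT_MAX_WIDTH)` check in the libvncclient/tight.c InitFilter hunk of 0003_CVE-2026-44988.patch has no comment saying why only the `rfbTightFilterGradient` case is bounded; a one-line comment that the Copy and Palette filters do not use the fixed-size `thisRow`/`tightPrevRow` buffers would save the next reader from asking why wider rectangles are still accepted on those paths. The placement itself is right: the reject happens before `InitFilterGradientBPP` runs, so no half-initialised gradient state is left behind on the `return FALSE` path.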
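Review bot: in the second `thisRow` hunk of 0003_CVE-2026-44988.patch (the `@@ -435,7 +440,7 @@` region), `uint16_t thisRow[TIGHT_GRADIENT_MAX_WIDTH*3]` sits next to `uint16_t *thatRow = (uint16_t *)client->tightPrevRow`; these two only line up because `tightPrevRow` in the header is declared as `TIGHT_GRADIENT_MAX_WIDTH*3*sizeof(uint16_t)` bytes, i.e. exactly `TIGHT_GRADIENT_MAX_WIDTH*3` uint16_t entries. A comment at the `thatRow` cast recording that invariant would tie the three declarations together, since the width check in InitFilter is what makes both rows safe for any `rw` the filter can see.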
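Review bot: the `@@ -667,4 +672,3 @@` hunk at the end of 0003_CVE-2026-44988.patch only drops a trailing blank line after the closing `#endif` pair and is unrelated to the overflow fix; it is harmless, but for a stable update the debdiff is normally kept to the minimal security change, so either drop this hunk from the backport or mention in the DEP-3 header that the patch is the verbatim upstream commit including its whitespace cleanup, so the reviewer is not left wondering whether it is intentional.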
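Review bot: in the single hunk of 0004_CVE-2026-50538.patch the new comment says "clamp here before writing", but the code does not clamp `numRows`, it rejects the whole rectangle with `rfbClientLog(...); return FALSE;`; reword the comment to "reject" so it matches the behaviour. Rejecting is the right call here: a zlib stream that yields more rows than the rectangle declared is malformed, and dropping the connection is safer than silently truncating. The check `numRows > rh - rowsProcessed` also keeps `rowsProcessed` from ever exceeding `rh`, since after the check each loop iteration can only add at most `rh - rowsProcessed` rows, which makes the later `rowsProcessed != rh` test a pure sanity check rather than the only defence.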
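The two checks the debdiff adds can be modelled in a few lines to show what they protect. The following is an added example written for this review, not libvncclient's own code: the constant and the arithmetic mirror the hunks above (a gradient row buffer of TIGHT_GRADIENT_MAX_WIDTH pixels, and filterFn writing numRows rows of rw pixels into frameBuffer at (rx, ry+rowsProcessed)), while the ClientModel and RectModel structs, the function names and the 640x480 sample rectangle are assumptions constructed for illustration.

```c
/* Model of the two Tight-decoder bounds checks from the libvncserver
 * debdiff. Added example, not libvncclient code: only the constant and
 * the row/offset arithmetic come from the patch hunks; the struct names,
 * function names and sample input are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TIGHT_GRADIENT_MAX_WIDTH 2048

/* Hypothetical, minimal client state: only what the checks need. */
typedef struct {
    int width, height;      /* framebuffer geometry in pixels */
    int bytesPerPixel;      /* BPP / 8 */
    size_t frameBufferLen;  /* width * height * bytesPerPixel */
} ClientModel;

/* Rectangle header of a FramebufferUpdate; every field is server-controlled. */
typedef struct {
    int rx, ry, rw, rh;
} RectModel;

/* Check 1 (patch 0003): the gradient filter keeps its row state in fixed
 * buffers of TIGHT_GRADIENT_MAX_WIDTH pixels, so a wider rectangle has to
 * be rejected before the filter is initialised. Same comparison as the hunk. */
int gradient_width_ok(int rw)
{
    return rw <= TIGHT_GRADIENT_MAX_WIDTH;
}

/* Check 2 (patch 0004): the row count recovered from the zlib stream is
 * derived from server-controlled data; rows beyond the rectangle's remaining
 * height are written below its bottom edge, and past the framebuffer when
 * the rectangle ends on the last row. Same comparison as the hunk. */
int rows_ok(int numRows, int rh, int rowsProcessed)
{
    return numRows <= rh - rowsProcessed;
}

/* Byte offset one past the last byte filterFn would touch when writing
 * numRows rows of rw pixels starting at (rx, ry+rowsProcessed). */
size_t write_end_offset(const ClientModel *c, const RectModel *r,
                        int rowsProcessed, int numRows)
{
    size_t lastRow = (size_t)r->ry + rowsProcessed + numRows - 1;
    return (lastRow * c->width + r->rx + r->rw) * c->bytesPerPixel;
}

/* 1 if the unchecked write (pre-patch behaviour) runs past the framebuffer. */
int unchecked_write_overflows(const ClientModel *c, const RectModel *r,
                              int rowsProcessed, int numRows)
{
    return write_end_offset(c, r, rowsProcessed, numRows) > c->frameBufferLen;
}

/* Worked scenario (constructed input, not a captured stream): a 640x480
 * 32bpp framebuffer and a rectangle covering its last ten rows, whose zlib
 * payload decompresses to twelve rows instead of the declared ten. */
int demo(void)
{
    ClientModel c = { 640, 480, 4, 0 };
    c.frameBufferLen = (size_t)c.width * c.height * c.bytesPerPixel;
    RectModel r = { 0, 470, 640, 10 };   /* rows 470..479 */
    int rowsProcessed = 0;
    int decompressedRows = 12;           /* what the stream actually yields */

    /* Pre-patch: rows 480 and 481 land beyond the 1228800-byte buffer. */
    int overflow = unchecked_write_overflows(&c, &r, rowsProcessed, decompressedRows);
    /* Patched: the update is rejected before filterFn writes anything. */
    int accepted = rows_ok(decompressedRows, r.rh, rowsProcessed);

    printf("declared rh=%d, decompressed rows=%d: unchecked overflow=%d, "
           "patched accepts=%d\n", r.rh, decompressedRows, overflow, accepted);
    return overflow && !accepted;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

Running it shows the exact-fit case (ten rows) ending precisely at frameBufferLen, while the two surplus rows push write_end_offset past it; rows_ok rejects the same input with the patch's comparison, which is why the check must run before filterFn rather than relying on the post-loop rowsProcessed test.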