Control: tags 1136644 + patch Control: tags 1136644 + pending Dear maintainer,
I've prepared an NMU for neatvnc (versioned as 0.9.1+dfsg-1.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should cancel it. cu Adrian
diffstat for neatvnc-0.9.1+dfsg neatvnc-0.9.1+dfsg changelog | 9 + patches/0001-Add-nvnc_assert-macro.patch | 27 +++ patches/0002-auth-rsa-aes-Fix-potential-buffer-overflow.patch | 68 ++++++++++ patches/0003-auth-vencrypt-Reject-excessively-long-usernames-and-.patch | 46 ++++++ patches/series | 3 5 files changed, 153 insertions(+) diff -Nru neatvnc-0.9.1+dfsg/debian/changelog neatvnc-0.9.1+dfsg/debian/changelog --- neatvnc-0.9.1+dfsg/debian/changelog 2024-11-21 10:04:16.000000000 +0200 +++ neatvnc-0.9.1+dfsg/debian/changelog 2026-07-06 20:56:40.000000000 +0300 @@ -1,3 +1,12 @@ +neatvnc (0.9.1+dfsg-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2026-42859: Buffer overflow with oversized RSA public keys + (Closes: #1136644) + * auth: vencrypt: Reject excessively long usernames and passwords + + -- Adrian Bunk <[email protected]> Mon, 06 Jul 2026 20:56:40 +0300 + neatvnc (0.9.1+dfsg-1) unstable; urgency=medium * New upstream release. diff -Nru neatvnc-0.9.1+dfsg/debian/patches/0001-Add-nvnc_assert-macro.patch neatvnc-0.9.1+dfsg/debian/patches/0001-Add-nvnc_assert-macro.patch --- neatvnc-0.9.1+dfsg/debian/patches/0001-Add-nvnc_assert-macro.patch 1970-01-01 02:00:00.000000000 +0200 +++ neatvnc-0.9.1+dfsg/debian/patches/0001-Add-nvnc_assert-macro.patch 2026-07-06 20:56:40.000000000 +0300 @@ -0,0 +1,27 @@ +From 6f98d047bee6b4f1a165a45d7b7c62efe8f6905d Mon Sep 17 00:00:00 2001 +From: Andri Yngvason <[email protected]> +Date: Thu, 23 Oct 2025 23:03:14 +0000 +Subject: Add nvnc_assert macro + +--- + include/neatvnc.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/include/neatvnc.h b/include/neatvnc.h +index 78d9f97..3917af6 100644 +--- a/include/neatvnc.h ++++ b/include/neatvnc.h +@@ -49,6 +49,10 @@ + #define nvnc_trace(...) + #endif + ++#define nvnc_assert(statement, fmt, ...) \ ++ if (!(statement)) \ ++ nvnc_log(NVNC_LOG_PANIC, fmt, ## __VA_ARGS__) ++ + struct nvnc; + struct nvnc_client; + struct nvnc_desktop_layout; +-- +2.47.3 + diff -Nru neatvnc-0.9.1+dfsg/debian/patches/0002-auth-rsa-aes-Fix-potential-buffer-overflow.patch neatvnc-0.9.1+dfsg/debian/patches/0002-auth-rsa-aes-Fix-potential-buffer-overflow.patch --- neatvnc-0.9.1+dfsg/debian/patches/0002-auth-rsa-aes-Fix-potential-buffer-overflow.patch 1970-01-01 02:00:00.000000000 +0200 +++ neatvnc-0.9.1+dfsg/debian/patches/0002-auth-rsa-aes-Fix-potential-buffer-overflow.patch 2026-07-06 20:56:40.000000000 +0300 @@ -0,0 +1,68 @@ +From 66e14e25c4b151ab7187e8d60e63de544ca3513b Mon Sep 17 00:00:00 2001 +From: Andri Yngvason <[email protected]> +Date: Fri, 24 Apr 2026 12:29:14 +0000 +Subject: auth: rsa-aes: Fix potential buffer overflow + +If a client sends a large public key, it can overflow the stack buffer +used for storing the challenge message from the server to the client. + +This fixes the overflow by using a dynamic allocation and guarding +againts ridiculously large public keys. +--- + src/auth/rsa-aes.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/src/auth/rsa-aes.c b/src/auth/rsa-aes.c +index 66f10cb..37d0ea6 100644 +--- a/src/auth/rsa-aes.c ++++ b/src/auth/rsa-aes.c +@@ -19,6 +19,8 @@ + #include "auth/auth.h" + #include "auth/rsa-aes.h" + ++#define MAX_PUB_KEY_SIZE 1000000 ++ + #define UDIV_UP(a, b) (((a) + (b) - 1) / (b)) + + int rsa_aes_send_public_key(struct nvnc_client* client) +@@ -61,16 +63,17 @@ static int rsa_aes_send_challenge(struct nvnc_client* client, + { + crypto_random(client->rsa.challenge, client->rsa.challenge_len); + +- uint8_t buffer[1024]; +- struct rfb_rsa_aes_challenge_msg *msg = +- (struct rfb_rsa_aes_challenge_msg*)buffer; ++ struct rfb_rsa_aes_challenge_msg* msg; ++ size_t key_len = crypto_rsa_pub_key_length(client->rsa.pub); ++ size_t msg_size = sizeof(*msg) + key_len; ++ msg = calloc(1, msg_size); ++ nvnc_assert(msg, "OOM"); + +- ssize_t len = crypto_rsa_encrypt(pub, msg->challenge, +- crypto_rsa_pub_key_length(client->rsa.pub), ++ crypto_rsa_encrypt(pub, msg->challenge, key_len, + client->rsa.challenge, client->rsa.challenge_len); +- msg->length = htons(len); ++ msg->length = htons(key_len); + +- stream_write(client->net_stream, buffer, sizeof(*msg) + len, NULL, NULL); ++ stream_send(client->net_stream, rcbuf_new(msg, msg_size), NULL, NULL); + return 0; + } + +@@ -89,6 +92,12 @@ static int on_rsa_aes_public_key(struct nvnc_client* client) + sizeof(*msg) + byte_length * 2) + return 0; + ++ if (byte_length > MAX_PUB_KEY_SIZE) { ++ nvnc_log(NVNC_LOG_ERROR, "Client sent a ridiculously large public key. This can't be right."); ++ nvnc_client_close(client); ++ return -1; ++ } ++ + const uint8_t* modulus = msg->modulus_and_exponent; + const uint8_t* exponent = msg->modulus_and_exponent + byte_length; + +-- +2.47.3 + diff -Nru neatvnc-0.9.1+dfsg/debian/patches/0003-auth-vencrypt-Reject-excessively-long-usernames-and-.patch neatvnc-0.9.1+dfsg/debian/patches/0003-auth-vencrypt-Reject-excessively-long-usernames-and-.patch --- neatvnc-0.9.1+dfsg/debian/patches/0003-auth-vencrypt-Reject-excessively-long-usernames-and-.patch 1970-01-01 02:00:00.000000000 +0200 +++ neatvnc-0.9.1+dfsg/debian/patches/0003-auth-vencrypt-Reject-excessively-long-usernames-and-.patch 2026-07-06 20:56:40.000000000 +0300 @@ -0,0 +1,46 @@ +From c2a401905d3be502af72773142b81efd87e499ff Mon Sep 17 00:00:00 2001 +From: Andri Yngvason <[email protected]> +Date: Fri, 24 Apr 2026 13:05:37 +0000 +Subject: auth: vencrypt: Reject excessively long usernames and passwords + +--- + src/auth/vencrypt.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/auth/vencrypt.c b/src/auth/vencrypt.c +index 4da61c8..43c6c91 100644 +--- a/src/auth/vencrypt.c ++++ b/src/auth/vencrypt.c +@@ -21,6 +21,9 @@ + + #include <sys/param.h> + ++#define MAX_USERNAME_LENGTH 256 ++#define MAX_PASSWORD_LENGTH 256 ++ + static int send_byte(struct nvnc_client* client, uint8_t value) + { + return stream_write(client->net_stream, &value, 1, NULL, NULL); +@@ -113,11 +116,17 @@ static int on_vencrypt_plain_auth_message(struct nvnc_client* client) + uint32_t ulen = ntohl(msg->username_len); + uint32_t plen = ntohl(msg->password_len); + ++ if (ulen > MAX_USERNAME_LENGTH || plen > MAX_PASSWORD_LENGTH) { ++ nvnc_log(NVNC_LOG_ERROR, "Client sent too long username/password"); ++ nvnc_client_close(client); ++ return -1; ++ } ++ + if (client->buffer_len - client->buffer_index < sizeof(*msg) + ulen + plen) + return 0; + +- char username[256]; +- char password[256]; ++ char username[MAX_USERNAME_LENGTH]; ++ char password[MAX_PASSWORD_LENGTH]; + + memcpy(username, msg->text, MIN(ulen, sizeof(username) - 1)); + memcpy(password, msg->text + ulen, MIN(plen, sizeof(password) - 1)); +-- +2.47.3 + diff -Nru neatvnc-0.9.1+dfsg/debian/patches/series neatvnc-0.9.1+dfsg/debian/patches/series --- neatvnc-0.9.1+dfsg/debian/patches/series 1970-01-01 02:00:00.000000000 +0200 +++ neatvnc-0.9.1+dfsg/debian/patches/series 2026-07-06 20:56:40.000000000 +0300 @@ -0,0 +1,3 @@ +0001-Add-nvnc_assert-macro.patch +0002-auth-rsa-aes-Fix-potential-buffer-overflow.patch +0003-auth-vencrypt-Reject-excessively-long-usernames-and-.patch

