--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libvncserver
User: [email protected]
Usertags: pu
Dear Release Managers,
I would like to close these bugs regarding trixie through p-u:
https://bugs.debian.org/1132016
https://bugs.debian.org/1132017
[ Reason ]
This fixes CVE-2026-32853 and CVE-2026-32854.
[ Impact ]
CVE-2026-32853: A malicious VNC server can cause information disclosure
or application crash to the client.
CVE-2026-32854: Attackers can crash the server when httpd and proxy
features are enabled.
[ Tests ]
Build tests and autopkgtest run locally and on debusine.d.n:
https://debusine.debian.net/debian/developers/work-request/556022/
[ Risks ]
I consider the risks low as the fix consists exactly of upstream's
commits:
https://github.com/LibVNC/libvncserver/commit/009008e
https://github.com/LibVNC/libvncserver/commit/dc78dee
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
--
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
diff -Nru libvncserver-0.9.15+dfsg/debian/changelog libvncserver-0.9.15+dfsg/debian/changelog
--- libvncserver-0.9.15+dfsg/debian/changelog 2025-04-10 12:51:42.000000000 +0200
+++ libvncserver-0.9.15+dfsg/debian/changelog 2026-04-03 21:45:50.000000000 +0200
@@ -1,3 +1,14 @@
+libvncserver (0.9.15+dfsg-1+deb13u1) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * debian/patches:
+ + CVE-2026-32853: Add 0001_CVE-2026-32853.patch fixing a heap out-of-bounds
+ read (Closes: #1132016).
+ + CVE-2026-32854: Add 0002_CVE-2026-32854.patch fixing NULL pointer
+ dereferences in httpd proxy handlers (Closes: #1132017).
+
+ -- Sven Geuer <[email protected]> Fri, 03 Apr 2026 21:45:50 +0200
+
libvncserver (0.9.15+dfsg-1) unstable; urgency=medium
* New upstream release.
diff -Nru libvncserver-0.9.15+dfsg/debian/patches/0001_CVE-2026-32853.patch libvncserver-0.9.15+dfsg/debian/patches/0001_CVE-2026-32853.patch
--- libvncserver-0.9.15+dfsg/debian/patches/0001_CVE-2026-32853.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.15+dfsg/debian/patches/0001_CVE-2026-32853.patch 2026-04-03 21:45:50.000000000 +0200
@@ -0,0 +1,61 @@
+Description: Fix CVE-2026-32853, Heap Out-of-Bounds Read in HandleUltraZipBPP
+ For details see
+ https://github.com/LibVNC/libvncserver/security/advisories/GHSA-87q7-v983-qwcj
+Origin: upstream, https://github.com/LibVNC/libvncserver/commit/009008e
+Bug-Debian: https://bugs.debian.org/1132016
+Forwarded: not-needed
+Reviewed-by: Sven Geuer <[email protected]>
+Last-Update: 2026-04-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/src/libvncclient/ultra.c b/src/libvncclient/ultra.c
+index 1d3aaba6..5633b8cb 100644
+--- a/src/libvncclient/ultra.c
++++ b/src/libvncclient/ultra.c
+@@ -126,6 +126,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+ int toRead=0;
+ int inflateResult=0;
+ unsigned char *ptr=NULL;
++ unsigned char *ptr_end=NULL;
+ lzo_uint uncompressedBytes = ry + (rw * 65535);
+ unsigned int numCacheRects = rx;
+
+@@ -194,11 +195,18 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+
+ /* Put the uncompressed contents of the update on the screen. */
+ ptr = (unsigned char *)client->raw_buffer;
++ ptr_end = ptr + uncompressedBytes;
+ for (i=0; i<numCacheRects; i++)
+ {
+ unsigned short sx, sy, sw, sh;
+ unsigned int se;
+
++ /* subrect header: sx(2) + sy(2) + sw(2) + sh(2) + se(4) = 12 bytes */
++ if (ptr + 12 > ptr_end) {
++ rfbClientLog("UltraZip: subrect %d header exceeds decompressed data bounds\n", i);
++ return FALSE;
++ }
++
+ memcpy((char *)&sx, ptr, 2); ptr += 2;
+ memcpy((char *)&sy, ptr, 2); ptr += 2;
+ memcpy((char *)&sw, ptr, 2); ptr += 2;
+@@ -213,8 +221,13 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+
+ if (se == rfbEncodingRaw)
+ {
++ uint64_t rawBytes = (uint64_t)sw * sh * (BPP / 8);
++ if (rawBytes > (size_t)(ptr_end - ptr)) {
++ rfbClientLog("UltraZip: subrect %d raw data exceeds decompressed data bounds\n", i);
++ return FALSE;
++ }
+ client->GotBitmap(client, (unsigned char *)ptr, sx, sy, sw, sh);
+- ptr += ((sw * sh) * (BPP / 8));
++ ptr += (size_t)rawBytes;
+ }
+ }
+
+@@ -222,3 +235,4 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+ }
+
+ #undef CARDBPP
++
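Review bot: The header bound check at `if (ptr + 12 > ptr_end) {` forms a pointer that can lie more than one element past the end of the decompressed data before it is compared, which is undefined behaviour in C even though it is benign on common targets; the subtraction form already used for the raw-data check avoids that, `if ((size_t)(ptr_end - ptr) < 12) {`. The new bound also relies on raw_buffer actually holding uncompressedBytes bytes, which the hunk does not show (decompression and any raw_buffer sizing are outside the visible context), so a comment at `ptr_end = ptr + uncompressedBytes;` stating that invariant would help the next reader, e.g. `/* assumes raw_buffer holds exactly uncompressedBytes after decompression; ptr_end bounds all subrect reads below */`. Only the `se == rfbEncodingRaw` branch is visible; whether the other subrect encodings advance ptr within the same bound cannot be confirmed from here. HandleUltraZipBPP starts and ends outside the hunks.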
diff -Nru libvncserver-0.9.15+dfsg/debian/patches/0002_CVE-2026-32854.patch libvncserver-0.9.15+dfsg/debian/patches/0002_CVE-2026-32854.patch
--- libvncserver-0.9.15+dfsg/debian/patches/0002_CVE-2026-32854.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.15+dfsg/debian/patches/0002_CVE-2026-32854.patch 2026-04-03 21:45:50.000000000 +0200
@@ -0,0 +1,54 @@
+Description: Fix CVE-2026-32854, NULL pointer derefs in httpd proxy handlers
+ For details see
+ https://github.com/LibVNC/libvncserver/security/advisories/GHSA-xjp8-4qqv-5x4x
+Origin: upstream, https://github.com/LibVNC/libvncserver/commit/dc78dee
+Bug-Debian: https://bugs.debian.org/1132017
+Forwarded: not-needed
+Reviewed-by: Sven Geuer <[email protected]>
+Last-Update: 2026-04-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/src/libvncserver/httpd.c b/src/libvncserver/httpd.c
+index f4fe51c9..7cefadc4 100644
+--- a/src/libvncserver/httpd.c
++++ b/src/libvncserver/httpd.c
+@@ -353,10 +353,11 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
+
+
+ /* Process the request. */
+- if(rfbScreen->httpEnableProxyConnect) {
++if(rfbScreen->httpEnableProxyConnect) {
+ const static char* PROXY_OK_STR = "HTTP/1.0 200 OK\r\nContent-Type: octet-stream\r\nPragma: no-cache\r\n\r\n";
+ if(!strncmp(buf, "CONNECT ", 8)) {
+- if(atoi(strchr(buf, ':')+1)!=rfbScreen->port) {
++ char *colon = strchr(buf, ':');
++ if(colon == NULL || atoi(colon+1)!=rfbScreen->port) {
+ rfbErr("httpd: CONNECT format invalid.\n");
+ rfbWriteExact(&cl,INVALID_REQUEST_STR, strlen(INVALID_REQUEST_STR));
+ httpCloseSock(rfbScreen);
+@@ -369,14 +370,17 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
+ rfbScreen->httpSock = RFB_INVALID_SOCKET;
+ return;
+ }
+- if (!strncmp(buf, "GET ",4) && !strncmp(strchr(buf,'/'),"/proxied.connection HTTP/1.", 27)) {
+- /* proxy connection */
+- rfbLog("httpd: client asked for /proxied.connection\n");
+- rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
+- rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
+- rfbScreen->httpSock = RFB_INVALID_SOCKET;
+- return;
+- }
++ if (!strncmp(buf, "GET ",4)) {
++ char *slash = strchr(buf, '/');
++ if (slash != NULL && !strncmp(slash,"/proxied.connection HTTP/1.", 27)) {
++ /* proxy connection */
++ rfbLog("httpd: client asked for /proxied.connection\n");
++ rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
++ rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
++ rfbScreen->httpSock = RFB_INVALID_SOCKET;
++ return;
++ }
++ }
+ }
+
+ if (strncmp(buf, "GET ", 4)) {
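Review bot: The guard at `if(colon == NULL || atoi(colon+1)!=rfbScreen->port)` removes the NULL dereference but still parses the port with atoi, which cannot tell "0" or trailing garbage from a real number and has undefined behaviour on overflow; an explicit parse rejects malformed CONNECT lines cleanly, e.g. `char *end = NULL; long port = strtol(colon + 1, &end, 10); if (colon == NULL || end == colon + 1 || port != rfbScreen->port) {` (with `colon == NULL` tested before the strtol call). Both new guards also assume buf is NUL-terminated before strchr/strncmp run, which is established outside the hunk and deserves a one-line comment at the first strchr. The rewritten `if(rfbScreen->httpEnableProxyConnect) {` in the first hunk appears to have lost the leading indentation of the line it replaces; if that is not an extraction artefact it should be restored for consistency with the surrounding block. httpProcessInput starts and ends outside the hunks.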
diff -Nru libvncserver-0.9.15+dfsg/debian/patches/series libvncserver-0.9.15+dfsg/debian/patches/series
--- libvncserver-0.9.15+dfsg/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.15+dfsg/debian/patches/series 2026-04-03 21:45:50.000000000 +0200
@@ -0,0 +1,2 @@
+0001_CVE-2026-32853.patch
+0002_CVE-2026-32854.patch
--- End Message ---