Version in base suite: 0.9.14+dfsg-1 Base version: libvncserver_0.9.14+dfsg-1 Target version: libvncserver_0.9.14+dfsg-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libv/libvncserver/libvncserver_0.9.14+dfsg-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libv/libvncserver/libvncserver_0.9.14+dfsg-1+deb12u1.dsc changelog | 11 ++++++ patches/0001_CVE-2026-32853.patch | 61 ++++++++++++++++++++++++++++++++++++++ patches/0002_CVE-2026-32854.patch | 54 +++++++++++++++++++++++++++++++++ patches/series | 2 + 4 files changed, 128 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpskp1mq9h/libvncserver_0.9.14+dfsg-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpskp1mq9h/libvncserver_0.9.14+dfsg-1+deb12u1.dsc: no acceptable signature found
diff -Nru libvncserver-0.9.14+dfsg/debian/changelog libvncserver-0.9.14+dfsg/debian/changelog
--- libvncserver-0.9.14+dfsg/debian/changelog 2023-02-06 16:38:46.000000000 +0000
+++ libvncserver-0.9.14+dfsg/debian/changelog 2026-04-06 20:58:49.000000000 +0000
@@ -1,3 +1,14 @@
+libvncserver (0.9.14+dfsg-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * debian/patches:
+ + CVE-2026-32853: Add 0001_CVE-2026-32853.patch fixing a heap out-of-bounds
+ read (Closes: #1132016).
+ + CVE-2026-32854: Add 0002_CVE-2026-32854.patch fixing NULL pointer
+ dereferences in httpd proxy handlers (Closes: #1132017).
+
+ -- Sven Geuer Mon, 06 Apr 2026 22:58:49 +0200
+
 libvncserver (0.9.14+dfsg-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru libvncserver-0.9.14+dfsg/debian/patches/0001_CVE-2026-32853.patch libvncserver-0.9.14+dfsg/debian/patches/0001_CVE-2026-32853.patch
--- libvncserver-0.9.14+dfsg/debian/patches/0001_CVE-2026-32853.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvncserver-0.9.14+dfsg/debian/patches/0001_CVE-2026-32853.patch 2026-04-06 20:58:49.000000000 +0000
@@ -0,0 +1,61 @@
+Description: Fix CVE-2026-32853, Heap Out-of-Bounds Read in HandleUltraZipBPP
+ For details see
+ https://github.com/LibVNC/libvncserver/security/advisories/GHSA-87q7-v983-qwcj
+Origin: upstream, https://github.com/LibVNC/libvncserver/commit/009008e
+Bug-Debian: https://bugs.debian.org/1132016
+Forwarded: not-needed
+Reviewed-by: Sven Geuer
+Last-Update: 2026-04-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/libvncclient/ultra.c b/libvncclient/ultra.c
+index 1d3aaba6..5633b8cb 100644
+--- a/libvncclient/ultra.c
++++ b/libvncclient/ultra.c
+@@ -126,6 +126,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+ int toRead=0;
+ int inflateResult=0;
+ unsigned char *ptr=NULL;
++ unsigned char *ptr_end=NULL;
+ lzo_uint uncompressedBytes = ry + (rw * 65535);
+ unsigned int numCacheRects = rx;
+
+@@ -194,11 +195,18 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+
+ /* Put the uncompressed contents of the update on the screen. 
*/ + ptr = (unsigned char *)client->raw_buffer; ++ ptr_end = ptr + uncompressedBytes; + for (i=0; i ptr_end) { ++ rfbClientLog("UltraZip: subrect %d header exceeds decompressed data bounds\n", i); ++ return FALSE; ++ } ++ + memcpy((char *)&sx, ptr, 2); ptr += 2; + memcpy((char *)&sy, ptr, 2); ptr += 2; + memcpy((char *)&sw, ptr, 2); ptr += 2; +@@ -213,8 +221,13 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) + + if (se == rfbEncodingRaw) + { ++ uint64_t rawBytes = (uint64_t)sw * sh * (BPP / 8); ++ if (rawBytes > (size_t)(ptr_end - ptr)) { ++ rfbClientLog("UltraZip: subrect %d raw data exceeds decompressed data bounds\n", i); ++ return FALSE; ++ } + client->GotBitmap(client, (unsigned char *)ptr, sx, sy, sw, sh); +- ptr += ((sw * sh) * (BPP / 8)); ++ ptr += (size_t)rawBytes; + } + } + +@@ -222,3 +235,4 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) + } + + #undef CARDBPP ++ diff -Nru libvncserver-0.9.14+dfsg/debian/patches/0002_CVE-2026-32854.patch libvncserver-0.9.14+dfsg/debian/patches/0002_CVE-2026-32854.patch --- libvncserver-0.9.14+dfsg/debian/patches/0002_CVE-2026-32854.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvncserver-0.9.14+dfsg/debian/patches/0002_CVE-2026-32854.patch 2026-04-06 20:58:49.000000000 +0000 
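Review bot: `ptr_end = ptr + uncompressedBytes;` is only a safe limit if `uncompressedBytes` holds the number of bytes actually written into `client->raw_buffer` at that point. The only assignment visible in these hunks is the declaration `ry + (rw * 65535)`, which is built from the rectangle parameters passed in. HandleUltraZipBPP starts and ends outside the hunks, so the decompression call is not shown; presumably it rewrites the length, and a comment at the new assignment would make that dependency explicit, e.g. `/* uncompressedBytes is the decompressor's real output length here */`. The raw-subrect check compares against the remaining length `(size_t)(ptr_end - ptr)`, which cannot run past the buffer. The header check in the second hunk has its condition cut off on this page (only `ptr_end) {` survives); if it is written as pointer addition, it would be better in the same remaining-length form.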
@@ -0,0 +1,54 @@
+Description: Fix CVE-2026-32854, NULL pointer derefs in httpd proxy handlers
+ For details see
+ https://github.com/LibVNC/libvncserver/security/advisories/GHSA-xjp8-4qqv-5x4x
+Origin: upstream, https://github.com/LibVNC/libvncserver/commit/dc78dee
+Bug-Debian: https://bugs.debian.org/1132017
+Forwarded: not-needed
+Reviewed-by: Sven Geuer
+Last-Update: 2026-04-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/libvncserver/httpd.c b/libvncserver/httpd.c
+index f4fe51c9..7cefadc4 100644
+--- a/libvncserver/httpd.c
++++ b/libvncserver/httpd.c
+@@ -353,10 +353,11 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
+
+
+ /* Process the request. */
+- if(rfbScreen->httpEnableProxyConnect) {
++if(rfbScreen->httpEnableProxyConnect) {
+ const static char* PROXY_OK_STR = "HTTP/1.0 200 OK\r\nContent-Type: octet-stream\r\nPragma: no-cache\r\n\r\n";
+ if(!strncmp(buf, "CONNECT ", 8)) {
+- if(atoi(strchr(buf, ':')+1)!=rfbScreen->port) {
++ char *colon = strchr(buf, ':');
++ if(colon == NULL || atoi(colon+1)!=rfbScreen->port) {
+ rfbErr("httpd: CONNECT format invalid.\n");
+ rfbWriteExact(&cl,INVALID_REQUEST_STR, strlen(INVALID_REQUEST_STR));
+ httpCloseSock(rfbScreen);
+@@ -369,14 +370,17 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
+ rfbScreen->httpSock = RFB_INVALID_SOCKET;
+ return;
+ }
+- if (!strncmp(buf, "GET ",4) && !strncmp(strchr(buf,'/'),"/proxied.connection HTTP/1.", 27)) {
+- /* proxy connection */
+- rfbLog("httpd: client asked for /proxied.connection\n");
+- rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
+- rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
+- rfbScreen->httpSock = RFB_INVALID_SOCKET;
+- return;
+- }
++ if (!strncmp(buf, "GET ",4)) {
++ char *slash = strchr(buf, '/');
++ if (slash != NULL && !strncmp(slash,"/proxied.connection HTTP/1.", 27)) {
++ /* proxy connection */
++ rfbLog("httpd: client asked for /proxied.connection\n");
++ rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
++ rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
++ rfbScreen->httpSock = RFB_INVALID_SOCKET;
++ return;
++ }
++ }
+ }
+
+ if (strncmp(buf, "GET ", 4)) {
diff -Nru libvncserver-0.9.14+dfsg/debian/patches/series libvncserver-0.9.14+dfsg/debian/patches/series
--- libvncserver-0.9.14+dfsg/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libvncserver-0.9.14+dfsg/debian/patches/series 2026-04-06 20:58:49.000000000 +0000
@@ -0,0 +1,2 @@
+0001_CVE-2026-32853.patch
+0002_CVE-2026-32854.patch
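Review bot: The port in the CONNECT branch of the httpd.c patch is still parsed with `atoi(colon+1)`, which reports no errors and has undefined behaviour when the digits do not fit in an int; the new `colon == NULL` guard only removes the NULL dereference. `strchr(buf, ':')` also takes the first colon anywhere in `buf`, which may lie beyond the request line. Since `buf` is request data from the network, parse with `char *end; long port = strtol(colon + 1, &end, 10);` and reject when `end == colon + 1 || port != rfbScreen->port`. The first hunk also moves `if(rfbScreen->httpEnableProxyConnect) {` to column 0, which looks like an accidental indentation change. httpProcessInput starts and ends outside both hunks.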