Version in base suite: 0.9.15+dfsg-1+deb13u1 Base version: libvncserver_0.9.15+dfsg-1+deb13u1 Target version: libvncserver_0.9.15+dfsg-1+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libv/libvncserver/libvncserver_0.9.15+dfsg-1+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libv/libvncserver/libvncserver_0.9.15+dfsg-1+deb13u2.dsc changelog | 11 ++++++ patches/0003_CVE-2026-44988.patch | 62 ++++++++++++++++++++++++++++++++++++++ patches/0004_CVE-2026-50538.patch | 31 +++++++++++++++++++ patches/series | 2 + 4 files changed, 106 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpko6rbh52/libvncserver_0.9.15+dfsg-1+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpko6rbh52/libvncserver_0.9.15+dfsg-1+deb13u2.dsc: no acceptable signature found
diff -Nru libvncserver-0.9.15+dfsg/debian/changelog libvncserver-0.9.15+dfsg/debian/changelog
--- libvncserver-0.9.15+dfsg/debian/changelog 2026-04-06 20:55:25.000000000 +0000
+++ libvncserver-0.9.15+dfsg/debian/changelog 2026-06-17 10:21:21.000000000 +0000
@@ -1,3 +1,14 @@
+libvncserver (0.9.15+dfsg-1+deb13u2) trixie; urgency=medium
+
+ * Team upload.
+ * debian/patches:
+ + CVE-2026-44988: Add 0003_CVE-2026-44988.patch fixing Tight gradient
+ decoding overflow (Closes: #1138174).
+ + CVE-2026-50538: Add 0004_CVE-2026-50538.patch fixing attacker-controlled
+ heap out-of-bounds write (Closes: #1138253).
+
+ -- Sven Geuer Wed, 17 Jun 2026 12:21:21 +0200
+
 libvncserver (0.9.15+dfsg-1+deb13u1) trixie; urgency=medium
 
 * Team upload.
diff -Nru libvncserver-0.9.15+dfsg/debian/patches/0003_CVE-2026-44988.patch libvncserver-0.9.15+dfsg/debian/patches/0003_CVE-2026-44988.patch
--- libvncserver-0.9.15+dfsg/debian/patches/0003_CVE-2026-44988.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvncserver-0.9.15+dfsg/debian/patches/0003_CVE-2026-44988.patch 2026-06-17 10:21:21.000000000 +0000
@@ -0,0 +1,62 @@
+Description: Fix CVE-2026-44988, fix Tight gradient decoding overflow
+ for details see
+ https://github.com/LibVNC/libvncserver/security/advisories/GHSA-jcc5-8wj4-7c58
+Origin: upstream, https://github.com/LibVNC/libvncserver/commit/5b27054
+Bug-Debian: https://bugs.debian.org/1138174
+Forwarded: not-needed
+Reviewed-by: Sven Geuer
+Last-Update: 2026-05-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/include/rfb/rfbclient.h
++++ b/include/rfb/rfbclient.h
+@@ -314,10 +314,11 @@
+ rfbBool zlibStreamActive[4];
+
+ /* Filter stuff. Should be initialized by filter initialization code. */
++#define TIGHT_GRADIENT_MAX_WIDTH 2048
+ rfbBool cutZeros;
+ int rectWidth, rectColors;
+ char tightPalette[256*4];
+- uint8_t tightPrevRow[2048*3*sizeof(uint16_t)];
++ uint8_t tightPrevRow[TIGHT_GRADIENT_MAX_WIDTH*3*sizeof(uint16_t)];
+
+ #ifdef LIBVNCSERVER_HAVE_LIBJPEG
+ /** JPEG decoder state (obsolete-- do not use). */
+--- a/src/libvncclient/tight.c
++++ b/src/libvncclient/tight.c
+@@ -229,6 +229,11 @@
+ bitsPixel = InitFilterPaletteBPP(client, rw, rh);
+ break;
+ case rfbTightFilterGradient:
++ if (rw > TIGHT_GRADIENT_MAX_WIDTH) {
++ rfbClientLog("Tight Gradient rectangle width %d exceeds maximum %d.\n",
++ rw, TIGHT_GRADIENT_MAX_WIDTH);
++ return FALSE;
++ }
+ filterFn = FilterGradientBPP;
+ bitsPixel = InitFilterGradientBPP(client, rw, rh);
+ break;
+@@ -430,7 +435,7 @@
+ CARDBPP *dst =
+ (CARDBPP *)&client->frameBuffer[(srcy * client->width + srcx) * BPP / 8];
+ int x, y, c;
+- uint8_t thisRow[2048*3];
++ uint8_t thisRow[TIGHT_GRADIENT_MAX_WIDTH*3];
+ uint8_t pix[3];
+ int est[3];
+
+@@ -473,7 +478,7 @@
+ int x, y, c;
+ CARDBPP *src = (CARDBPP *)client->buffer;
+ uint16_t *thatRow = (uint16_t *)client->tightPrevRow;
+- uint16_t thisRow[2048*3];
++ uint16_t thisRow[TIGHT_GRADIENT_MAX_WIDTH*3];
+ uint16_t pix[3];
+ uint16_t max[3];
+ int shift[3];
+@@ -705,4 +710,3 @@
+ /* LIBVNCSERVER_HAVE_LIBZ and LIBVNCSERVER_HAVE_LIBJPEG */
+ #endif
+ #endif
+-
diff -Nru libvncserver-0.9.15+dfsg/debian/patches/0004_CVE-2026-50538.patch libvncserver-0.9.15+dfsg/debian/patches/0004_CVE-2026-50538.patch
--- libvncserver-0.9.15+dfsg/debian/patches/0004_CVE-2026-50538.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvncserver-0.9.15+dfsg/debian/patches/0004_CVE-2026-50538.patch 2026-06-17 10:21:21.000000000 +0000
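Review bot: `#define TIGHT_GRADIENT_MAX_WIDTH 2048` is dropped between two fields of the client struct in rfbclient.h, which makes the constant easy to overlook and separates it from the buffers whose size it fixes; it belongs above the struct with the other macros, with a comment such as `/* Maximum width of a Tight gradient-filtered rectangle; sizes tightPrevRow and the per-row scratch arrays in tight.c, which reject wider rectangles. */`. The guard in the `rfbTightFilterGradient` case tests only the upper bound; `rw` is a plain `int`, so a negative width is not rejected here and presumably relies on the rectangle bounds check in the caller, which is outside this hunk and worth confirming runs before HandleTightBPP. The `@@ -705,4 +710,3 @@` hunk only strips a trailing blank line, an unrelated whitespace change that adds rebase noise to a security backport. The enclosing switch and the two FilterGradient functions start and end outside the quoted hunks.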
@@ -0,0 +1,31 @@
+Description: Fix CVE-2026-50538, attacker-controlled heap out-of-bounds write
+ for details see
+ https://github.com/LibVNC/libvncserver/security/advisories/GHSA-v9pm-47h4-jcq8
+Origin: upstream, https://github.com/LibVNC/libvncserver/commit/540332b
+Bug-Debian: https://bugs.debian.org/1138253
+Forwarded: not-needed
+Reviewed-by: Sven Geuer
+Last-Update: 2026-06-10
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/src/libvncclient/tight.c b/src/libvncclient/tight.c
+index dad5514f..3ee0d5e0 100644
+--- a/src/libvncclient/tight.c
++++ b/src/libvncclient/tight.c
+@@ -341,6 +341,16 @@ HandleTightBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+
+ numRows = (bufferSize - zs->avail_out) / rowSize;
+
++ /* The decompressed stream is server-controlled and may yield more rows
++ than the rectangle's declared height. filterFn() writes directly into
++ client->frameBuffer, so clamp here before writing to avoid running past
++ the framebuffer (heap out-of-bounds write). The post-loop
++ "rowsProcessed != rh" check happens too late. */
++ if (numRows > rh - rowsProcessed) {
++ rfbClientLog("Tight: too many scan lines after decompression.\n");
++ return FALSE;
++ }
++
+ filterFn(client, rx, ry+rowsProcessed, numRows);
+
+ extraBytes = bufferSize - zs->avail_out - numRows * rowSize;
diff -Nru libvncserver-0.9.15+dfsg/debian/patches/series libvncserver-0.9.15+dfsg/debian/patches/series
--- libvncserver-0.9.15+dfsg/debian/patches/series 2026-04-06 20:55:25.000000000 +0000
+++ libvncserver-0.9.15+dfsg/debian/patches/series 2026-06-17 10:21:21.000000000 +0000
@@ -1,2 +1,4 @@
 0001_CVE-2026-32853.patch
 0002_CVE-2026-32854.patch
+0003_CVE-2026-44988.patch
+0004_CVE-2026-50538.patch
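Review bot: The comment added above the new check says "clamp here before writing", but the code does not clamp `numRows` to the remaining rows, it rejects the whole rectangle with `return FALSE`; the comment should say so, e.g. `/* ... so reject the rectangle here, before filterFn() writes past the framebuffer ... */`, otherwise the next reader looks for a `numRows = rh - rowsProcessed` that is not there. The log line would be more useful with the offending values, `rfbClientLog("Tight: too many scan lines after decompression (%d > %d).\n", numRows, rh - rowsProcessed);`, so the rejection is diagnosable from the client log. Returning FALSE leaves the inflate stream in `zs` mid-rectangle; presumably the other failure paths of HandleTightBPP do the same and the caller drops the connection, but that is not visible here. HandleTightBPP starts and ends outside the quoted hunk.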