From 457c8a00f9768c04acedd5f443445d20d6f0e95d Mon Sep 17 00:00:00 2001
From: pkgagent
Date: Thu, 16 Apr 2026 11:14:53 +0800
Subject: [PATCH] fix CVE-2026-32853
---
 libvncserver-0.9.13-CVE-2026-32853.patch | 73 ++++++++++++++++++++++++
 libvncserver.spec | 7 ++-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 libvncserver-0.9.13-CVE-2026-32853.patch
diff --git a/libvncserver-0.9.13-CVE-2026-32853.patch b/libvncserver-0.9.13-CVE-2026-32853.patch
new file mode 100644
index 0000000..f487825
--- /dev/null
+++ b/libvncserver-0.9.13-CVE-2026-32853.patch
@@ -0,0 +1,73 @@
+From 009008e2f4d5a54dd71f422070df3af7b3dbc931 Mon Sep 17 00:00:00 2001
+From: Kazuma Matsumoto <269371721+y637F9QQ2x@users.noreply.github.com>
+Date: Sun, 22 Mar 2026 20:35:49 +0100
+Subject: [PATCH] libvncclient: add bounds checks to UltraZip subrectangle
+ parsing
+
+HandleUltraZipBPP() iterates over sub-rectangles using numCacheRects
+(derived from the attacker-controlled rect.r.x) without validating
+that the pointer stays within the decompressed data buffer. A malicious
+server can set a large numCacheRects value, causing heap out-of-bounds
+reads via the memcpy calls in the parsing loop.
+
+Add bounds checks before reading the 12-byte subrect header and before
+advancing the pointer by the raw pixel data size. Use uint64_t for the
+raw data size calculation to prevent integer overflow on 32-bit platforms.
+
+Adapted-by: PkgAgent (modified to adapt to opencloudos-stream)
+
+---
+ libvncclient/ultra.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/libvncclient/ultra.c b/libvncclient/ultra.c
+index a287526..56e2cd6 100644
+--- a/libvncclient/ultra.c
++++ b/libvncclient/ultra.c
+@@ -121,6 +121,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+ int toRead=0;
+ int inflateResult=0;
+ unsigned char *ptr=NULL;
++ unsigned char *ptr_end=NULL;
+ lzo_uint uncompressedBytes = ry + (rw * 65535);
+ unsigned int numCacheRects = rx;
+
+@@ -184,11 +185,18 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+
+ /* Put the uncompressed contents of the update on the screen.
*/ + ptr = (unsigned char *)client->raw_buffer; ++ ptr_end = ptr + uncompressedBytes; + for (i=0; i ptr_end) { ++ rfbClientLog("UltraZip: subrect %d header exceeds decompressed data bounds\n", i); ++ return FALSE; ++ } ++ + memcpy((char *)&sx, ptr, 2); ptr += 2; + memcpy((char *)&sy, ptr, 2); ptr += 2; + memcpy((char *)&sw, ptr, 2); ptr += 2; +@@ -203,8 +211,13 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) + + if (se == rfbEncodingRaw) + { ++ uint64_t rawBytes = (uint64_t)sw * sh * (BPP / 8); ++ if (rawBytes > (size_t)(ptr_end - ptr)) { ++ rfbClientLog("UltraZip: subrect %d raw data exceeds decompressed data bounds\n", i); ++ return FALSE; ++ } + client->GotBitmap(client, (unsigned char *)ptr, sx, sy, sw, sh); +- ptr += ((sw * sh) * (BPP / 8)); ++ ptr += (size_t)rawBytes; + } + } + +@@ -212,3 +225,4 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) + } + + #undef CARDBPP ++ diff --git a/libvncserver.spec b/libvncserver.spec index 7c331ff..ab0d1e7 100644 --- a/libvncserver.spec +++ b/libvncserver.spec @@ -3,12 +3,13 @@ Summary: Library to make writing a VNC server easy Name: libvncserver Version: 0.9.13 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ URL: http://libvnc.github.io/ Source0: https://github.com/LibVNC/libvncserver/archive/LibVNCServer-%{version}.tar.gz Patch0001: CVE-2020-29260.patch +Patch0002: libvncserver-0.9.13-CVE-2026-32853.patch Patch3000: 0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch Patch3001: 0002-libvncserver-Add-channel-security-handlers.patch @@ -64,6 +65,10 @@ rm -fv common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c %{_libdir}/pkgconfig/libvncserver.pc %changelog +* Thu Apr 16 2026 PkgAgent Robot - 0.9.13-9 +- [Type] security +- [DESC] Fix CVE-2026-32853 vulnerability + * Wed May 14 2025 cunshunxia - 0.9.13-8 - fix CVE-2020-29260 -- Gitee
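Review bot: At `ptr_end = ptr + uncompressedBytes;` the new bound is only as good as the value `uncompressedBytes` holds at that point: it is initialised from `ry + (rw * 65535)`, which comes from the server's rectangle header, and the lines between the two inner hunks that may reassign it are not shown. If it can still be the declared size rather than the number of bytes the decompressor wrote (capped at the allocated size of `client->raw_buffer`), both new checks compare against an end pointer that is stale or beyond the buffer; I would state the invariant in a comment at the assignment, for example `/* uncompressedBytes: bytes actually written by the decompressor, never more than the raw_buffer allocation */`. The condition of the header check is truncated on this page; if it is written as pointer addition compared with `ptr_end`, the subtraction form already used for the raw-data check, `if ((size_t)(ptr_end - ptr) < 12) {`, avoids forming a pointer past the end of the buffer. HandleUltraZipBPP starts before and ends after these hunks.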
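Review bot: `Patch0002` is declared in the first libvncserver.spec hunk, but no change to `%prep` is visible in this commit, so whether the fix is actually applied depends on how the spec applies its patches. If `%prep` uses `%autosetup` or `%autopatch` the new entry is picked up automatically; if it lists `%patch` lines explicitly, a matching line for patch 2 is needed, otherwise the package is rebuilt at release 9 with the CVE fix declared but not applied. It is worth confirming from the build log that the patch is applied to `libvncclient/ultra.c`.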