[meta-oe,scarthgap,RFC,00/14] TigerVNC CVEs

Message ID	20260127130116.1902238-1-skandigraun@gmail.com
Headers	show Return-Path: <skandigraun@gmail.com> ip: 209.85.221.44, mailfrom: skandigraun@gmail.com) From: Gyorgy Sarvari <skandigraun@gmail.com> To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][RFC PATCH 00/14] TigerVNC CVEs Date: Tue, 27 Jan 2026 14:01:00 +0100 Message-ID: <20260127130116.1902238-1-skandigraun@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	TigerVNC CVEs \| expand [meta-oe,scarthgap,RFC,00/14] TigerVNC CVEs [meta-oe,scarthgap,RFC,01/14] tigervnc: upgrade xorg-server component [meta-oe,scarthgap,RFC,02/14] tigervnc: ignore CVE-2014-8241 [meta-oe,scarthgap,RFC,03/14] tigervnc: patch CVE-2023-6377 [meta-oe,scarthgap,RFC,04/14] tigervnc: patch CVE-2023-6478 [meta-oe,scarthgap,RFC,05/14] tigervnc: patch CVE-2024-0408 [meta-oe,scarthgap,RFC,06/14] tigervnc: patch CVE-2024-0409 [meta-oe,scarthgap,RFC,07/14] tigervnc: patch CVE-2025-26594 [meta-oe,scarthgap,RFC,08/14] tigervnc: patch CVE-2025-26595 [meta-oe,scarthgap,RFC,09/14] tigervnc: patch CVE-2025-26596 [meta-oe,scarthgap,RFC,10/14] tigervnc: patch CVE-2025-26597 [meta-oe,scarthgap,RFC,11/14] tigervnc: patch CVE-2025-26598 [meta-oe,scarthgap,RFC,12/14] tigervnc: patch CVE-2025-26599 [meta-oe,scarthgap,RFC,13/14] tigervnc: patch CVE-2025-26600 [meta-oe,scarthgap,RFC,14/14] tigervnc: patch CVE-2025-26601

Message ID

20260127130116.1902238-1-skandigraun@gmail.com

Headers

From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][RFC PATCH 00/14] TigerVNC CVEs
Date: Tue, 27 Jan 2026 14:01:00 +0100
Message-ID: <20260127130116.1902238-1-skandigraun@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

TigerVNC CVEs | expand

Message

Gyorgy Sarvari Jan. 27, 2026, 1:01 p.m. UTC

This patch-series looks straightforward, but unfortunately this is not the case,
at least policy-wise.

Trying to be short. TigerVNC compiles its own Xserver, not the one from oe-core.

This series:
-Update xserver to latest dot release of 1.20.x series
-Add patches to all outstanding CVEs that are associated with TigerVNC
-There are unpatched CVEs which are not associated with TigerVNC
-This xserver version is different from the one in oe-core
-Complies with stable-branch policy

Alternative:
-Cherry-Pick some patches from master[1]
-The xserver version jump would be a major one (1.20.x -> 21.x)
-It would get TigerVNC's xserver in sync with oe-core's xserver
-Have all known xserver fixes without carrying patches
-One might argue that this ship has sailed when Scarthgap was branched off

The same problem is present in Kirkstone also - whatever happens in Scarthgap 
will be cherry-picked in Kirkstone also.

Anyone has any input on this? I'm especially hoping that some TigerVNC users 
will see this, but I'm happy for all feedback.

Thank you

[1]: https://git.openembedded.org/meta-openembedded/log/meta-oe/recipes-graphics/tigervnc - patches between 2025-11-24 and 2025-12-25

--
Gyorgy Sarvari (14):
  tigervnc: upgrade xorg-server component
  tigervnc: ignore CVE-2014-8241
  tigervnc: patch CVE-2023-6377
  tigervnc: patch CVE-2023-6478
  tigervnc: patch CVE-2024-0408
  tigervnc: patch CVE-2024-0409
  tigervnc: patch CVE-2025-26594
  tigervnc: patch CVE-2025-26595
  tigervnc: patch CVE-2025-26596
  tigervnc: patch CVE-2025-26597
  tigervnc: patch CVE-2025-26598
  tigervnc: patch CVE-2025-26599
  tigervnc: patch CVE-2025-26600
  tigervnc: patch CVE-2025-26601

 .../tigervnc/files/CVE-2023-6377.patch        |  80 +++++++++++
 .../tigervnc/files/CVE-2023-6478.patch        |  65 +++++++++
 .../tigervnc/files/CVE-2024-0408.patch        |  65 +++++++++
 .../tigervnc/files/CVE-2024-0409.patch        |  47 ++++++
 .../tigervnc/files/CVE-2025-26594-1.patch     |  60 ++++++++
 .../tigervnc/files/CVE-2025-26594-2.patch     |  53 +++++++
 .../tigervnc/files/CVE-2025-26595.patch       |  67 +++++++++
 .../tigervnc/files/CVE-2025-26596.patch       |  51 +++++++
 .../tigervnc/files/CVE-2025-26597.patch       |  48 +++++++
 .../tigervnc/files/CVE-2025-26598.patch       | 122 ++++++++++++++++
 .../tigervnc/files/CVE-2025-26599-1.patch     |  69 +++++++++
 .../tigervnc/files/CVE-2025-26599-2.patch     | 131 +++++++++++++++++
 .../tigervnc/files/CVE-2025-26600.patch       |  70 +++++++++
 .../tigervnc/files/CVE-2025-26601-1.patch     |  73 ++++++++++
 .../tigervnc/files/CVE-2025-26601-2.patch     |  87 ++++++++++++
 .../tigervnc/files/CVE-2025-26601-3.patch     |  54 +++++++
 .../tigervnc/files/CVE-2025-26601-4.patch     | 134 ++++++++++++++++++
 .../tigervnc/tigervnc_1.11.0.bb               |  27 +++-
 18 files changed, 1299 insertions(+), 4 deletions(-)
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6377.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2023-6478.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0408.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2024-0409.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26594-1.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26594-2.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26595.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26596.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26597.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26598.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26599-1.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26599-2.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26600.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-1.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-2.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-3.patch
 create mode 100644 meta-oe/recipes-graphics/tigervnc/files/CVE-2025-26601-4.patch

Comments

Anuj Mittal Jan. 29, 2026, 7:09 a.m. UTC | #1

On Tue, Jan 27, 2026 at 9:01 PM Gyorgy Sarvari via
lists.openembedded.org <skandigraun=gmail.com@lists.openembedded.org>
wrote:
>
>
> This patch-series looks straightforward, but unfortunately this is not the case,
> at least policy-wise.
>
> Trying to be short. TigerVNC compiles its own Xserver, not the one from oe-core.
>
> This series:
> -Update xserver to latest dot release of 1.20.x series
> -Add patches to all outstanding CVEs that are associated with TigerVNC
> -There are unpatched CVEs which are not associated with TigerVNC
> -This xserver version is different from the one in oe-core
> -Complies with stable-branch policy
>
> Alternative:
> -Cherry-Pick some patches from master[1]
> -The xserver version jump would be a major one (1.20.x -> 21.x)
> -It would get TigerVNC's xserver in sync with oe-core's xserver
> -Have all known xserver fixes without carrying patches
> -One might argue that this ship has sailed when Scarthgap was branched off
>
> The same problem is present in Kirkstone also - whatever happens in Scarthgap
> will be cherry-picked in Kirkstone also.
>
> Anyone has any input on this? I'm especially hoping that some TigerVNC users
> will see this, but I'm happy for all feedback.

I think it should use the same version so it works. It should be
considered as a bug in the recipe.

Thanks,

Anuj