diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32854.patch b/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32854.patch
new file mode 100644
index 0000000000..a89026951b
--- /dev/null
+++ b/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32854.patch
@@ -0,0 +1,66 @@
+From df092d3a89460be3b14a2a07859493a7afafcd1d Mon Sep 17 00:00:00 2001
+From: Kazuma Matsumoto <269371721+y637F9QQ2x@users.noreply.github.com>
+Date: Thu, 19 Mar 2026 17:42:00 +0900
+Subject: [PATCH] libvncserver: fix NULL pointer dereferences in httpd proxy
+ handlers
+
+httpProcessInput() passes the return value of strchr() to atoi()
+and strncmp() without checking for NULL. If a CONNECT request
+contains no colon, or a GET request contains no slash, strchr()
+returns NULL, leading to a segmentation fault.
+
+Add NULL checks before using the strchr() return values.
+
+(cherry picked from commit dc78dee51a7e270e537a541a17befdf2073f5314)
+
+CVE: CVE-2026-32854
+Upstream-Status: Backport [https://github.com/LibVNC/libvncserver/commit/dc78dee51a7e270e537a541a17befdf2073f5314]
+Signed-off-by: Ankur Tyagi
+---
+ libvncserver/httpd.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/libvncserver/httpd.c b/libvncserver/httpd.c
+index 96a6eb2b..c066de47 100644
+--- a/libvncserver/httpd.c
++++ b/libvncserver/httpd.c
+@@ -331,10 +331,11 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
+ 
+ 
+ /* Process the request. */
+- if(rfbScreen->httpEnableProxyConnect) {
++if(rfbScreen->httpEnableProxyConnect) {
+ const static char* PROXY_OK_STR = "HTTP/1.0 200 OK\r\nContent-Type: octet-stream\r\nPragma: no-cache\r\n\r\n";
+ if(!strncmp(buf, "CONNECT ", 8)) {
+- if(atoi(strchr(buf, ':')+1)!=rfbScreen->port) {
++ char *colon = strchr(buf, ':');
++ if(colon == NULL || atoi(colon+1)!=rfbScreen->port) {
+ rfbErr("httpd: CONNECT format invalid.\n");
+ rfbWriteExact(&cl,INVALID_REQUEST_STR, strlen(INVALID_REQUEST_STR));
+ httpCloseSock(rfbScreen);
+@@ -347,14 +348,17 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
+ rfbScreen->httpSock = RFB_INVALID_SOCKET;
+ return;
+ }
+- if (!strncmp(buf, "GET ",4) && !strncmp(strchr(buf,'/'),"/proxied.connection HTTP/1.", 27)) {
+- /* proxy connection */
+- rfbLog("httpd: client asked for /proxied.connection\n");
+- rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
+- rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
+- rfbScreen->httpSock = RFB_INVALID_SOCKET;
+- return;
+- }
++ if (!strncmp(buf, "GET ",4)) {
++ char *slash = strchr(buf, '/');
++ if (slash != NULL && !strncmp(slash,"/proxied.connection HTTP/1.", 27)) {
++ /* proxy connection */
++ rfbLog("httpd: client asked for /proxied.connection\n");
++ rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
++ rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
++ rfbScreen->httpSock = RFB_INVALID_SOCKET;
++ return;
++ }
++ }
+ }
+ 
+ if (strncmp(buf, "GET ", 4)) {
diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
index 11efd7cc0f..6ef10b5037 100644
--- a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
+++ b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
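Review bot: The new CONNECT guard still parses the client-supplied port with `atoi(colon+1)`, which has undefined behaviour when the digits do not fit in an int and cannot tell "no digits" from 0. Also, `strchr(buf, ':')` takes the first colon anywhere in the buffer, not necessarily the one in the request target. A checked parse would tighten the port test: `char *end = NULL;`, `long port = colon ? strtol(colon+1, &end, 10) : -1;` and `if(colon == NULL || end == colon+1 || port != rfbScreen->port) {`. The same first-match caveat applies to `strchr(buf, '/')` in the GET branch. httpProcessInput() begins and ends outside these hunks, so whether buf is NUL-terminated before these calls cannot be confirmed from here. Since this is a backport, any such change belongs upstream so the recipe patch stays identical to the referenced commit.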
@@ -46,6 +46,7 @@ inherit cmake pkgconfig SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https \ file://CVE-2026-32853.patch \ + file://CVE-2026-32854.patch \ " SRCREV = "10e9eb75f73e973725dc75c373de5d89807af028"