mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

libvncserver: fix CVE-2026-32854

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32854

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Ankur Tyagi
2026-04-09 23:22:02 +12:00
committed by Anuj Mittal
parent c56964fcf2
commit 39924b5b88
2 changed files with 67 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32854.patch
+66
View File
@@ -0,0 +1,66 @@
From df092d3a89460be3b14a2a07859493a7afafcd1d Mon Sep 17 00:00:00 2001
From: Kazuma Matsumoto <269371721+y637F9QQ2x@users.noreply.github.com>
Date: Thu, 19 Mar 2026 17:42:00 +0900
Subject: [PATCH] libvncserver: fix NULL pointer dereferences in httpd proxy
handlers
httpProcessInput() passes the return value of strchr() to atoi()
and strncmp() without checking for NULL. If a CONNECT request
contains no colon, or a GET request contains no slash, strchr()
returns NULL, leading to a segmentation fault.
Add NULL checks before using the strchr() return values.
(cherry picked from commit dc78dee51a7e270e537a541a17befdf2073f5314)
CVE: CVE-2026-32854
Upstream-Status: Backport [https://github.com/LibVNC/libvncserver/commit/dc78dee51a7e270e537a541a17befdf2073f5314]
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
libvncserver/httpd.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/libvncserver/httpd.c b/libvncserver/httpd.c
index 96a6eb2b..c066de47 100644
--- a/libvncserver/httpd.c
+++ b/libvncserver/httpd.c
@@ -331,10 +331,11 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
/* Process the request. */
- if(rfbScreen->httpEnableProxyConnect) {
+if(rfbScreen->httpEnableProxyConnect) {
const static char* PROXY_OK_STR = "HTTP/1.0 200 OK\r\nContent-Type: octet-stream\r\nPragma: no-cache\r\n\r\n";
if(!strncmp(buf, "CONNECT ", 8)) {
- if(atoi(strchr(buf, ':')+1)!=rfbScreen->port) {
+ char *colon = strchr(buf, ':');
+ if(colon == NULL || atoi(colon+1)!=rfbScreen->port) {
rfbErr("httpd: CONNECT format invalid.\n");
rfbWriteExact(&cl,INVALID_REQUEST_STR, strlen(INVALID_REQUEST_STR));
httpCloseSock(rfbScreen);
@@ -347,14 +348,17 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
rfbScreen->httpSock = RFB_INVALID_SOCKET;
return;
}
- if (!strncmp(buf, "GET ",4) && !strncmp(strchr(buf,'/'),"/proxied.connection HTTP/1.", 27)) {
- /* proxy connection */
- rfbLog("httpd: client asked for /proxied.connection\n");
- rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
- rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
- rfbScreen->httpSock = RFB_INVALID_SOCKET;
- return;
- }
+ if (!strncmp(buf, "GET ",4)) {
+ char *slash = strchr(buf, '/');
+ if (slash != NULL && !strncmp(slash,"/proxied.connection HTTP/1.", 27)) {
+ /* proxy connection */
+ rfbLog("httpd: client asked for /proxied.connection\n");
+ rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
+ rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
+ rfbScreen->httpSock = RFB_INVALID_SOCKET;
+ return;
+ }
+ }
}
if (strncmp(buf, "GET ", 4)) {
meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
+1
View File
@@ -46,6 +46,7 @@ inherit cmake pkgconfig
SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https \
file://CVE-2026-32853.patch \
file://CVE-2026-32854.patch \
"
SRCREV = "10e9eb75f73e973725dc75c373de5d89807af028"