Your message dated Sat, 09 May 2026 14:53:03 +0000
with message-id <[email protected]>
and subject line Bug#1136009: fixed in deskflow 1.26.0+dfsg-2
has caused the Debian Bug report #1136009,
regarding deskflow: CVE-2026-41476
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136009: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136009
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: deskflow
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for deskflow.
CVE-2026-41476[0]:
| Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.138,
| a remote memory-safety vulnerability in Deskflow's clipboard
| deserialization allows a connected peer to trigger an out-of-bounds
| read by sending a malformed clipboard update. The issue is in the
| implementation of src/lib/deskflow/IClipboard.cpp. This is reachable
| because ClipboardChunk::assemble() in
| src/lib/deskflow/ClipboardChunk.cpp validates only the outer
| clipboard transfer size. It does not validate the internal structure
| of the serialized clipboard blob, so malformed inner lengths reach
| IClipboard::unmarshall() unchanged. This vulnerability is fixed in
| 1.26.0.138.
https://github.com/deskflow/deskflow/security/advisories/GHSA-3jp5-g964-cgmh
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-41476
https://www.cve.org/CVERecord?id=CVE-2026-41476
Please adjust the affected versions in the BTS as needed.
--- End Message ---
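The advisory text above says only the outer transfer size was checked while inner lengths reached the deserializer unvalidated. As an added illustration (not code from Deskflow, its patch, or this report), the sketch below bounds-checks every inner field of a nested length-prefixed blob. The wire layout, parseClipboardBlob(), readU32(), be32() and the sample blobs are assumptions constructed for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Assumed layout for illustration (not taken from the page or from Deskflow):
// big-endian u32 count, then count x { u32 format, u32 length, length bytes }.
using Entry = std::pair<uint32_t, std::string>;

// Read a big-endian u32 at pos; fails if fewer than 4 bytes remain.
static bool readU32(const std::string &buf, size_t &pos, uint32_t &out) {
  if (buf.size() - pos < 4) return false;  // callers keep pos <= buf.size()
  const unsigned char *p = reinterpret_cast<const unsigned char *>(buf.data()) + pos;
  out = (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
  pos += 4;
  return true;
}

// Hypothetical hardened parser: false (ignore out) if any field runs past the blob.
bool parseClipboardBlob(const std::string &buf, std::vector<Entry> &out) {
  out.clear();
  size_t pos = 0;
  uint32_t count = 0;
  if (!readU32(buf, pos, count)) return false;
  // Every entry has an 8-byte header, so count is bounded by the bytes left.
  if (count > (buf.size() - pos) / 8) return false;
  for (uint32_t i = 0; i < count; ++i) {
    uint32_t format = 0, length = 0;
    if (!readU32(buf, pos, format) || !readU32(buf, pos, length)) return false;
    // Compare with the bytes left; pos + length could wrap on 32-bit size_t.
    if (length > buf.size() - pos) return false;
    out.emplace_back(format, buf.substr(pos, length));
    pos += length;
  }
  return pos == buf.size();  // trailing bytes also mean a malformed blob
}

// Constructed sample inputs.
static std::string be32(uint32_t v) {
  return {char(v >> 24), char(v >> 16), char(v >> 8), char(v)};
}
std::string sampleValid() { return be32(1) + be32(0) + be32(5) + "hello"; }
std::string sampleBadLength() { return be32(1) + be32(0) + be32(0x7fffffff) + "hello"; }

int main() {
  std::vector<Entry> e;
  std::printf("valid=%d bad=%d\n", parseClipboardBlob(sampleValid(), e),
              parseClipboardBlob(sampleBadLength(), e));
}
```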
--- Begin Message ---
Source: deskflow
Source-Version: 1.26.0+dfsg-2
Done: Kentaro Hayashi <[email protected]>
We believe that the bug you reported is fixed in the latest version of
deskflow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kentaro Hayashi <[email protected]> (supplier of updated deskflow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 09 May 2026 19:55:37 +0900
Source: deskflow
Architecture: source
Version: 1.26.0+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: HAYASHI Kentaro <[email protected]>
Changed-By: Kentaro Hayashi <[email protected]>
Closes: 1136009
Changes:
 deskflow (1.26.0+dfsg-2) unstable; urgency=medium
 .
   * debian/patches/CVE-2026-41476.patch
     - Apply patch for CVE-2026-41476 (Closes: #1136009)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---