Control: tags 1136644 + patch
Control: tags 1136644 + pending

Dear maintainer,

I've prepared an NMU for neatvnc (versioned as 0.9.1+dfsg-1.1) and 
uploaded it to DELAYED/5. Please feel free to tell me if I should
cancel it.

cu
Adrian
diffstat for neatvnc-0.9.1+dfsg neatvnc-0.9.1+dfsg

 changelog                                                               |    9 +
 patches/0001-Add-nvnc_assert-macro.patch                                |   27 +++
 patches/0002-auth-rsa-aes-Fix-potential-buffer-overflow.patch           |   68 ++++++++++
 patches/0003-auth-vencrypt-Reject-excessively-long-usernames-and-.patch |   46 ++++++
 patches/series                                                          |    3 
 5 files changed, 153 insertions(+)

diff -Nru neatvnc-0.9.1+dfsg/debian/changelog neatvnc-0.9.1+dfsg/debian/changelog
--- neatvnc-0.9.1+dfsg/debian/changelog	2024-11-21 10:04:16.000000000 +0200
+++ neatvnc-0.9.1+dfsg/debian/changelog	2026-07-06 20:56:40.000000000 +0300
@@ -1,3 +1,12 @@
+neatvnc (0.9.1+dfsg-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2026-42859: Buffer overflow with oversized RSA public keys
+    (Closes: #1136644)
+  * auth: vencrypt: Reject excessively long usernames and passwords
+
+ -- Adrian Bunk <[email protected]>  Mon, 06 Jul 2026 20:56:40 +0300
+
 neatvnc (0.9.1+dfsg-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru neatvnc-0.9.1+dfsg/debian/patches/0001-Add-nvnc_assert-macro.patch neatvnc-0.9.1+dfsg/debian/patches/0001-Add-nvnc_assert-macro.patch
--- neatvnc-0.9.1+dfsg/debian/patches/0001-Add-nvnc_assert-macro.patch	1970-01-01 02:00:00.000000000 +0200
+++ neatvnc-0.9.1+dfsg/debian/patches/0001-Add-nvnc_assert-macro.patch	2026-07-06 20:56:40.000000000 +0300
@@ -0,0 +1,27 @@
+From 6f98d047bee6b4f1a165a45d7b7c62efe8f6905d Mon Sep 17 00:00:00 2001
+From: Andri Yngvason <[email protected]>
+Date: Thu, 23 Oct 2025 23:03:14 +0000
+Subject: Add nvnc_assert macro
+
+---
+ include/neatvnc.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/include/neatvnc.h b/include/neatvnc.h
+index 78d9f97..3917af6 100644
+--- a/include/neatvnc.h
++++ b/include/neatvnc.h
+@@ -49,6 +49,10 @@
+ #define nvnc_trace(...)
+ #endif
+ 
++#define nvnc_assert(statement, fmt, ...) \
++	if (!(statement)) \
++		nvnc_log(NVNC_LOG_PANIC, fmt, ## __VA_ARGS__)
++
+ struct nvnc;
+ struct nvnc_client;
+ struct nvnc_desktop_layout;
+-- 
+2.47.3
+
diff -Nru neatvnc-0.9.1+dfsg/debian/patches/0002-auth-rsa-aes-Fix-potential-buffer-overflow.patch neatvnc-0.9.1+dfsg/debian/patches/0002-auth-rsa-aes-Fix-potential-buffer-overflow.patch
--- neatvnc-0.9.1+dfsg/debian/patches/0002-auth-rsa-aes-Fix-potential-buffer-overflow.patch	1970-01-01 02:00:00.000000000 +0200
+++ neatvnc-0.9.1+dfsg/debian/patches/0002-auth-rsa-aes-Fix-potential-buffer-overflow.patch	2026-07-06 20:56:40.000000000 +0300
@@ -0,0 +1,68 @@
+From 66e14e25c4b151ab7187e8d60e63de544ca3513b Mon Sep 17 00:00:00 2001
+From: Andri Yngvason <[email protected]>
+Date: Fri, 24 Apr 2026 12:29:14 +0000
+Subject: auth: rsa-aes: Fix potential buffer overflow
+
+If a client sends a large public key, it can overflow the stack buffer
+used for storing the challenge message from the server to the client.
+
+This fixes the overflow by using a dynamic allocation and guarding
+againts ridiculously large public keys.
+---
+ src/auth/rsa-aes.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/src/auth/rsa-aes.c b/src/auth/rsa-aes.c
+index 66f10cb..37d0ea6 100644
+--- a/src/auth/rsa-aes.c
++++ b/src/auth/rsa-aes.c
+@@ -19,6 +19,8 @@
+ #include "auth/auth.h"
+ #include "auth/rsa-aes.h"
+ 
++#define MAX_PUB_KEY_SIZE 1000000
++
+ #define UDIV_UP(a, b) (((a) + (b) - 1) / (b))
+ 
+ int rsa_aes_send_public_key(struct nvnc_client* client)
+@@ -61,16 +63,17 @@ static int rsa_aes_send_challenge(struct nvnc_client* client,
+ {
+ 	crypto_random(client->rsa.challenge, client->rsa.challenge_len);
+ 
+-	uint8_t buffer[1024];
+-	struct rfb_rsa_aes_challenge_msg *msg =
+-		(struct rfb_rsa_aes_challenge_msg*)buffer;
++	struct rfb_rsa_aes_challenge_msg* msg;
++	size_t key_len = crypto_rsa_pub_key_length(client->rsa.pub);
++	size_t msg_size = sizeof(*msg) + key_len;
++	msg = calloc(1, msg_size);
++	nvnc_assert(msg, "OOM");
+ 
+-	ssize_t len = crypto_rsa_encrypt(pub, msg->challenge,
+-			crypto_rsa_pub_key_length(client->rsa.pub),
++	crypto_rsa_encrypt(pub, msg->challenge, key_len,
+ 			client->rsa.challenge, client->rsa.challenge_len);
+-	msg->length = htons(len);
++	msg->length = htons(key_len);
+ 
+-	stream_write(client->net_stream, buffer, sizeof(*msg) + len, NULL, NULL);
++	stream_send(client->net_stream, rcbuf_new(msg, msg_size), NULL, NULL);
+ 	return 0;
+ }
+ 
+@@ -89,6 +92,12 @@ static int on_rsa_aes_public_key(struct nvnc_client* client)
+ 			sizeof(*msg) + byte_length * 2)
+ 		return 0;
+ 
++	if (byte_length > MAX_PUB_KEY_SIZE) {
++		nvnc_log(NVNC_LOG_ERROR, "Client sent a ridiculously large public key. This can't be right.");
++		nvnc_client_close(client);
++		return -1;
++	}
++
+ 	const uint8_t* modulus = msg->modulus_and_exponent;
+ 	const uint8_t* exponent = msg->modulus_and_exponent + byte_length;
+ 
+-- 
+2.47.3
+
diff -Nru neatvnc-0.9.1+dfsg/debian/patches/0003-auth-vencrypt-Reject-excessively-long-usernames-and-.patch neatvnc-0.9.1+dfsg/debian/patches/0003-auth-vencrypt-Reject-excessively-long-usernames-and-.patch
--- neatvnc-0.9.1+dfsg/debian/patches/0003-auth-vencrypt-Reject-excessively-long-usernames-and-.patch	1970-01-01 02:00:00.000000000 +0200
+++ neatvnc-0.9.1+dfsg/debian/patches/0003-auth-vencrypt-Reject-excessively-long-usernames-and-.patch	2026-07-06 20:56:40.000000000 +0300
@@ -0,0 +1,46 @@
+From c2a401905d3be502af72773142b81efd87e499ff Mon Sep 17 00:00:00 2001
+From: Andri Yngvason <[email protected]>
+Date: Fri, 24 Apr 2026 13:05:37 +0000
+Subject: auth: vencrypt: Reject excessively long usernames and passwords
+
+---
+ src/auth/vencrypt.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/auth/vencrypt.c b/src/auth/vencrypt.c
+index 4da61c8..43c6c91 100644
+--- a/src/auth/vencrypt.c
++++ b/src/auth/vencrypt.c
+@@ -21,6 +21,9 @@
+ 
+ #include <sys/param.h>
+ 
++#define MAX_USERNAME_LENGTH 256
++#define MAX_PASSWORD_LENGTH 256
++
+ static int send_byte(struct nvnc_client* client, uint8_t value)
+ {
+ 	return stream_write(client->net_stream, &value, 1, NULL, NULL);
+@@ -113,11 +116,17 @@ static int on_vencrypt_plain_auth_message(struct nvnc_client* client)
+ 	uint32_t ulen = ntohl(msg->username_len);
+ 	uint32_t plen = ntohl(msg->password_len);
+ 
++	if (ulen > MAX_USERNAME_LENGTH || plen > MAX_PASSWORD_LENGTH) {
++		nvnc_log(NVNC_LOG_ERROR, "Client sent too long username/password");
++		nvnc_client_close(client);
++		return -1;
++	}
++
+ 	if (client->buffer_len - client->buffer_index < sizeof(*msg) + ulen + plen)
+ 		return 0;
+ 
+-	char username[256];
+-	char password[256];
++	char username[MAX_USERNAME_LENGTH];
++	char password[MAX_PASSWORD_LENGTH];
+ 
+ 	memcpy(username, msg->text, MIN(ulen, sizeof(username) - 1));
+ 	memcpy(password, msg->text + ulen, MIN(plen, sizeof(password) - 1));
+-- 
+2.47.3
+
diff -Nru neatvnc-0.9.1+dfsg/debian/patches/series neatvnc-0.9.1+dfsg/debian/patches/series
--- neatvnc-0.9.1+dfsg/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
+++ neatvnc-0.9.1+dfsg/debian/patches/series	2026-07-06 20:56:40.000000000 +0300
@@ -0,0 +1,3 @@
+0001-Add-nvnc_assert-macro.patch
+0002-auth-rsa-aes-Fix-potential-buffer-overflow.patch
+0003-auth-vencrypt-Reject-excessively-long-usernames-and-.patch

Reply via email to