Fabre

#1140224 trixie-pu: package libvncserver/0.9.15+dfsg-1+deb13u2 #1140224

Package:: release.debian.org

Source:: release.debian.org

Submitter:: Sven Geuer

Date:: 2026-06-17 12:23:03 UTC

Severity:: normal

Tags:

#1140224#5

Date:: 2026-06-17 12:22:21 UTC

From:

To:

Dear Release Managers,

I would like to close these bugs regarding trixie through p-u:
https://bugs.debian.org/1138174
https://bugs.debian.org/1138253

[ Reason ]
This fixes CVE-2026-44988 and CVE-2026-50538 for trixie.

[ Impact ]
CVE-2026-44988: A malicious VNC server can send a crafted
FramebufferUpdate rectangle which makes the client write beyond fixed-
size Gradient buffers.
CVE-2026-50538: A malicious VNC server can  force a connecting
libvncclient to write attacker-controlled data past the end of its
framebuffer without the need of authentication.

[ Tests ]
Build test and autopkgtest locally and on debusine.d.n:
https://debusine.debian.net/debian/developers/work-request/844164/

[ Risks ]
I consider the risks low as the fix consists exactly of upstream's
commits:
https://github.com/LibVNC/libvncserver/commit/5b27054
https://github.com/LibVNC/libvncserver/commit/540332b

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

#1140224 trixie-pu: package libvncserver/0.9.15+dfsg-1+deb13u2 #1140224

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)