A client can send a VNC_MSG_CLIENT_CUT_TEXT message before it has sent a VNC_MSG_CLIENT_SET_ENCODINGS message carrying VNC_ENCODING_CLIPBOARD_EXT to configure the clipboard extension. This means that qemu_clipboard_request() can be reached (via vnc_client_cut_text_ext()) before vnc_server_cut_text_caps() has been called and had the chance to initialize the clipboard peer. In that case, info->owner->request is NULL instead of a function, so attempting to call it in qemu_clipboard_request() results in a NULL pointer dereference and a segfault. In particular, this can happen when using the KRDC (22.12.3) VNC client on Wayland. A malicious or misbehaving VNC client can therefore crash QEMU, but only after successful authentication.
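A condensed model of the failure and its fix, added here as an illustration and not QEMU's own code or the upstream patch: a clipboard peer whose request callback is only set once the clipboard extension has been negotiated, the unchecked call that dereferences that NULL pointer when a CUT_TEXT message arrives first, and a checked variant that rejects the out-of-order message. All type and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical model of the state described above; not QEMU's own code. */
typedef struct ClipboardPeer {
    void (*request)(struct ClipboardPeer *peer, int type); /* NULL until negotiated */
    int requests_served;
} ClipboardPeer;
typedef struct VncClient {
    bool clipboard_ext;  /* set by SET_ENCODINGS carrying the clipboard ext */
    ClipboardPeer peer;
} VncClient;

/* Backend that would ask the VNC client for its clipboard contents. */
void vnc_peer_request(ClipboardPeer *peer, int type) {
    (void)type;
    peer->requests_served++;
}

/* Stands in for vnc_server_cut_text_caps(): only now is the peer usable. */
void client_set_encodings_clipboard_ext(VncClient *c) {
    c->clipboard_ext = true;
    c->peer.request = vnc_peer_request;
}

/* Vulnerable pattern: assume the callback is set. A CUT_TEXT message that
 * arrives before SET_ENCODINGS reaches this with request == NULL. */
void clipboard_request_unchecked(VncClient *c, int type) {
    c->peer.request(&c->peer, type);  /* calls a NULL function pointer */
}

/* Hardened pattern: reject the out-of-order message instead of crashing. */
int clipboard_request_checked(VncClient *c, int type) {
    if (!c->clipboard_ext || c->peer.request == NULL) {
        return -1;  /* extension not negotiated yet: drop the request */
    }
    c->peer.request(&c->peer, type);
    return 0;
}

/* Message order from the report: CUT_TEXT arrives, SET_ENCODINGS never did. */
int simulate_cut_text_before_encodings(void) {
    VncClient c = { 0 };
    return clipboard_request_checked(&c, 0);  /* -1, and no segfault */
}

/* Expected order: SET_ENCODINGS with the clipboard extension, then CUT_TEXT. */
int simulate_expected_order(void) {
    VncClient c = { 0 };
    client_set_encodings_clipboard_ext(&c);
    return clipboard_request_checked(&c, 0) == 0 ? c.peer.requests_served : -1;
}
```

The unchecked variant is never exercised by the simulations; it is kept only to show the pattern the report describes.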
Red Hat Product Security would like to thank Markus Frank (Proxmox) and Fiona Ebner (Proxmox) for reporting this issue.
Upstream patch: https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg02382.html
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 2258118]
Upstream commit: https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a
This issue has been addressed in the following products: Red Hat Enterprise Linux 9, via RHSA-2024:2135 (https://access.redhat.com/errata/RHSA-2024:2135).