diff --git a/SOURCES/0001-crypto-Don-t-compile-SHA1-support-when-Websockets-ar.patch b/SOURCES/0001-crypto-Don-t-compile-SHA1-support-when-Websockets-ar.patch
new file mode 100644
index 0000000..fddcb8b
--- /dev/null
+++ b/SOURCES/0001-crypto-Don-t-compile-SHA1-support-when-Websockets-ar.patch
@@ -0,0 +1,92 @@
+From fdc71dd25c8505b3580e70afd4b4213cad8f8ebb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonas=20=C3=85dahl?=
+Date: Mon, 25 Oct 2021 16:14:26 +0200
+Subject: [PATCH] crypto: Don't compile SHA1 support when Websockets are
+ disabled
+
+SHA1 is not ideal, security wise. Let's make sure we don't even have it
+compiled when nothing depends on it, e.g. Websockets.
+---
+ common/crypto.h | 2 ++
+ common/crypto_included.c | 2 ++
+ common/crypto_libgcrypt.c | 2 ++
+ common/crypto_openssl.c | 2 ++
+ 4 files changed, 8 insertions(+)
+
+diff --git a/common/crypto.h b/common/crypto.h
+index 04be9304..c1f32194 100644
+--- a/common/crypto.h
++++ b/common/crypto.h
+@@ -11,7 +11,9 @@
+ int hash_md5(void *out, const void *in, const size_t in_len);
+
+ /* Generates an SHA1 hash of 'in' and writes it to 'out', which must be 20 bytes in size. */
++#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ int hash_sha1(void *out, const void *in, const size_t in_len);
++#endif
+
+ /* Fill 'out' with 'len' random bytes. 
*/
+ void random_bytes(void *out, size_t len);
+diff --git a/common/crypto_included.c b/common/crypto_included.c
+index b359336f..cf8d43c2 100644
+--- a/common/crypto_included.c
++++ b/common/crypto_included.c
+@@ -33,6 +33,7 @@ int hash_md5(void *out, const void *in, const size_t in_len)
+ return 0;
+ }
+
++#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ int hash_sha1(void *out, const void *in, const size_t in_len)
+ {
+ SHA1Context sha1;
+@@ -45,6 +46,7 @@ int hash_sha1(void *out, const void *in, const size_t in_len)
+
+ return 1;
+ }
++#endif /* LIBVNCSERVER_WITH_WEBSOCKETS */
+
+ void random_bytes(void *out, size_t len)
+ {
+diff --git a/common/crypto_libgcrypt.c b/common/crypto_libgcrypt.c
+index 34d845b4..f62bdaf8 100644
+--- a/common/crypto_libgcrypt.c
++++ b/common/crypto_libgcrypt.c
+@@ -74,6 +74,7 @@ int hash_md5(void *out, const void *in, const size_t in_len)
+ return result;
+ }
+
++#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ int hash_sha1(void *out, const void *in, const size_t in_len)
+ {
+ int result = 0;
+@@ -98,6 +99,7 @@ int hash_sha1(void *out, const void *in, const size_t in_len)
+ gcry_md_close(sha1);
+ return result;
+ }
++#endif /* LIBVNCSERVER_WITH_WEBSOCKETS */
+
+ void random_bytes(void *out, size_t len)
+ {
+diff --git a/common/crypto_openssl.c b/common/crypto_openssl.c
+index 60d4bd4d..9816eb04 100644
+--- a/common/crypto_openssl.c
++++ b/common/crypto_openssl.c
+@@ -49,6 +49,7 @@ int hash_md5(void *out, const void *in, const size_t in_len)
+ return 1;
+ }
+
++#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ int hash_sha1(void *out, const void *in, const size_t in_len)
+ {
+ SHA_CTX sha1;
+@@ -60,6 +61,7 @@ int hash_sha1(void *out, const void *in, const size_t in_len)
+ return 0;
+ return 1;
+ }
++#endif /* LIBVNCSERVER_WITH_WEBSOCKETS */
+
+ void random_bytes(void *out, size_t len)
+ {
+--
+2.31.1
+
diff --git a/SPECS/gnome-remote-desktop.spec b/SPECS/gnome-remote-desktop.spec
index af6041b..2913277 100644
--- a/SPECS/gnome-remote-desktop.spec
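Review bot: The patch guards only the `hash_sha1` wrapper, so with websockets off a SHA1 implementation may still be compiled: the crypto_included.c hunk shows the wrapper is built on a `SHA1Context` type whose implementation lives in a source file this patch does not touch, and the libgcrypt/OpenSSL backends link libraries that ship SHA1 regardless. If the commit message's "don't even have it compiled" is meant literally, the build rule that lists the included SHA1 source should also become conditional on LIBVNCSERVER_WITH_WEBSOCKETS; otherwise the message should say that only the wrapper is dropped. The crypto.h hunk also presumes the generated config header that defines LIBVNCSERVER_WITH_WEBSOCKETS is included before line 11 — the includes are outside the hunk, so worth confirming, since if it is not the prototype disappears in every build. A short comment on the new guard, e.g. `/* SHA1 is only needed by the websocket handshake; keep it out of non-websocket builds */`, would record the intent next to the `#ifdef`.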
+++ b/SPECS/gnome-remote-desktop.spec
@@ -4,26 +4,24 @@
 %if 0%{?rhel} >= 9
 %global bundle_libvncserver 1
-%global libvncserver_name LibVNCServer
-%global libvncserver_version 0.9.13
 %global enable_rdp 0
 %else
 %global bundle_libvncserver 0
 %global enable_rdp 1
 %endif
+%global libvncserver_name LibVNCServer
+%global libvncserver_version 0.9.13
 Name: gnome-remote-desktop
 Version: 40.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: GNOME Remote Desktop screen share service
 License: GPLv2+
 URL: https://gitlab.gnome.org/jadahl/gnome-remote-desktop
 Source0: https://download.gnome.org/sources/gnome-remote-desktop/40/%{name}-%{tarball_version}.tar.xz
-%if 0%{?bundle_libvncserver}
 Source1: https://github.com/LibVNC/libvncserver/archive/refs/tags/%{libvncserver_name}-%{libvncserver_version}.tar.gz
-%endif
 ### gnome-remote-desktop patches
 # Adds encryption support (requires patched LibVNCServer)
@@ -32,11 +30,9 @@ Patch0: gnutls-anontls.patch
 # Backport upstream leak fix (rhbz#1951129)
 Patch1: 0001-pipewire-stream-Don-t-leak-GSource-s.patch
-%if 0%{?bundle_libvncserver}
+## LibVNCServer patches required for bundling
 Patch100: 0001-build-Set-rpath-on-executable.patch
-%endif
-%if 0%{?bundle_libvncserver}
 ### LibVNCServer patches
 ## TLS security type enablement patches
 # https://github.com/LibVNC/libvncserver/pull/234
@@ -55,7 +51,9 @@ Patch1004: 0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch
 ## downstream patches
 Patch2000: libvncserver-LibVNCServer-0.9.13-system-crypto-policy.patch
-%endif
+
+## Don't compile SHA1 support
+Patch2100: 0001-crypto-Don-t-compile-SHA1-support-when-Websockets-ar.patch
 BuildRequires: git
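Review bot: The new `## Don't compile SHA1 support` comment above Patch2100 promises more than the patch delivers: the patch only excludes `hash_sha1` when LIBVNCSERVER_WITH_WEBSOCKETS is undefined, so the effect in this package depends on the spec configuring LibVNCServer with `-DWITH_WEBSOCKETS=OFF` further down. Suggest `## Don't compile SHA1 support (only dropped when websockets are off; we build with -DWITH_WEBSOCKETS=OFF)` so the dependency is visible where the patch is listed. Separately, this hunk and the two before it lift Source1 and all LibVNCServer patches out of `%if 0%{?bundle_libvncserver}`, so they are now listed for every target; if `%prep` (outside these hunks) still applies them only when bundling that is harmless, but a one-line comment saying the sources are listed unconditionally on purpose would stop a later reader from re-adding the guards.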
@@ -146,7 +144,8 @@ mkdir -p %{_builddir}/libvncserver/
 -DLIB_INSTALL_DIR:PATH=%{libvncserver_install_dir}/%{_lib} \
 -DSYSCONF_INSTALL_DIR=%{libvncserver_install_dir}/etc \
 -DWITH_FFMPEG=OFF -DWITH_GTK=OFF -DWITH_OPENSSL=OFF -DWITH_GNUTLS=ON \
- -DWITH_SDL=OFF -DWITH_X11=OFF -DWITH_WEBSOCKETS=OFF
+ -DWITH_SDL=OFF -DWITH_X11=OFF -DWITH_WEBSOCKETS=OFF \
+ -DLIBVNCSERVER_WITH_WEBSOCKETS=OFF
 %cmake_build
 %__cmake --install "%{__cmake_builddir}"
 popd
@@ -208,6 +207,10 @@ popd
 %changelog
+* Mon Oct 25 2021 Jonas Ã…dahl - 40.0-7
+- Don't compile in SHA1 support
+ Resolves: #1936594
+
 * Mon Aug 09 2021 Mohan Boddu - 40.0-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688
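Review bot: The added `-DLIBVNCSERVER_WITH_WEBSOCKETS=OFF` looks redundant with the existing `-DWITH_WEBSOCKETS=OFF` on the line above: LIBVNCSERVER_WITH_WEBSOCKETS is the preprocessor macro the new Patch2100 tests, and LibVNCServer's CMake normally derives it from the WITH_WEBSOCKETS option rather than reading it as a cache variable, so CMake will most likely report it as a manually-specified variable that was not used. If that is confirmed, drop the new line; if it was added because the derived value was observed to leak through without it, add a comment saying so, otherwise it will be removed as dead configuration later. In the changelog hunk that follows, the author name appears mis-encoded in this rendering (`Ã…dahl`); check the spec itself is UTF-8 clean before committing.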