import gnome-remote-desktop-40.0-7.el9

2022-01-11 12:50:20 -05:00 · 2022-01-11 12:50:20 -05:00 · 9b811b0b19
commit 9b811b0b19
parent 1c1969d31e
2 changed files with 105 additions and 10 deletions
--- a/SOURCES/0001-crypto-Don-t-compile-SHA1-support-when-Websockets-ar.patch
+++ b/SOURCES/0001-crypto-Don-t-compile-SHA1-support-when-Websockets-ar.patch
@ -0,0 +1,92 @@
+From fdc71dd25c8505b3580e70afd4b4213cad8f8ebb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonas=20=C3=85dahl?= <jadahl@gmail.com>
+Date: Mon, 25 Oct 2021 16:14:26 +0200
+Subject: [PATCH] crypto: Don't compile SHA1 support when Websockets are
+ disabled
+
+SHA1 is not ideal, security wise. Let's make sure we don't even have it
+compiled when nothing depends on it, e.g. Websockets.
+---
+ common/crypto.h           | 2 ++
+ common/crypto_included.c  | 2 ++
+ common/crypto_libgcrypt.c | 2 ++
+ common/crypto_openssl.c   | 2 ++
+ 4 files changed, 8 insertions(+)
+
+diff --git a/common/crypto.h b/common/crypto.h
+index 04be9304..c1f32194 100644
+--- a/common/crypto.h
+++ b/common/crypto.h
+@@ -11,7 +11,9 @@
+ int hash_md5(void *out, const void *in, const size_t in_len);
+ 
+ /* Generates an SHA1 hash of 'in' and writes it to 'out', which must be 20 bytes in size. */
+#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ int hash_sha1(void *out, const void *in, const size_t in_len);
+#endif
+ 
+ /* Fill 'out' with 'len' random bytes. */
+ void random_bytes(void *out, size_t len);
+diff --git a/common/crypto_included.c b/common/crypto_included.c
+index b359336f..cf8d43c2 100644
+--- a/common/crypto_included.c
+++ b/common/crypto_included.c
+@@ -33,6 +33,7 @@ int hash_md5(void *out, const void *in, const size_t in_len)
+     return 0;
+ }
+ 
+#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ int hash_sha1(void *out, const void *in, const size_t in_len)
+ {
+     SHA1Context sha1;
+@@ -45,6 +46,7 @@ int hash_sha1(void *out, const void *in, const size_t in_len)
+ 
+     return 1;
+ }
+#endif /* LIBVNCSERVER_WITH_WEBSOCKETS */
+ 
+ void random_bytes(void *out, size_t len)
+ {
+diff --git a/common/crypto_libgcrypt.c b/common/crypto_libgcrypt.c
+index 34d845b4..f62bdaf8 100644
+--- a/common/crypto_libgcrypt.c
+++ b/common/crypto_libgcrypt.c
+@@ -74,6 +74,7 @@ int hash_md5(void *out, const void *in, const size_t in_len)
+     return result;
+ }
+ 
+#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ int hash_sha1(void *out, const void *in, const size_t in_len)
+ {
+     int result = 0;
+@@ -98,6 +99,7 @@ int hash_sha1(void *out, const void *in, const size_t in_len)
+     gcry_md_close(sha1);
+     return result;
+ }
+#endif /* LIBVNCSERVER_WITH_WEBSOCKETS */
+ 
+ void random_bytes(void *out, size_t len)
+ {
+diff --git a/common/crypto_openssl.c b/common/crypto_openssl.c
+index 60d4bd4d..9816eb04 100644
+--- a/common/crypto_openssl.c
+++ b/common/crypto_openssl.c
+@@ -49,6 +49,7 @@ int hash_md5(void *out, const void *in, const size_t in_len)
+     return 1;
+ }
+ 
+#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ int hash_sha1(void *out, const void *in, const size_t in_len)
+ {
+     SHA_CTX sha1;
+@@ -60,6 +61,7 @@ int hash_sha1(void *out, const void *in, const size_t in_len)
+ 	return 0;
+     return 1;
+ }
+#endif /* LIBVNCSERVER_WITH_WEBSOCKETS */
+ 
+ void random_bytes(void *out, size_t len)
+ {
+-- 
+2.31.1
+
--- a/SPECS/gnome-remote-desktop.spec
+++ b/SPECS/gnome-remote-desktop.spec
@ -4,26 +4,24 @@

 %if 0%{?rhel} >= 9
 %global bundle_libvncserver 1
-%global libvncserver_name LibVNCServer
-%global libvncserver_version 0.9.13
 %global enable_rdp 0
 %else
 %global bundle_libvncserver 0
 %global enable_rdp 1
 %endif

+%global libvncserver_name LibVNCServer
+%global libvncserver_version 0.9.13

 Name:           gnome-remote-desktop
 Version:        40.0
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        GNOME Remote Desktop screen share service

 License:        GPLv2+
 URL:            https://gitlab.gnome.org/jadahl/gnome-remote-desktop
 Source0:        https://download.gnome.org/sources/gnome-remote-desktop/40/%{name}-%{tarball_version}.tar.xz
-%if 0%{?bundle_libvncserver}
 Source1:        https://github.com/LibVNC/libvncserver/archive/refs/tags/%{libvncserver_name}-%{libvncserver_version}.tar.gz
-%endif

 ### gnome-remote-desktop patches
 # Adds encryption support (requires patched LibVNCServer)
@ -32,11 +30,9 @@ Patch0:         gnutls-anontls.patch
 # Backport upstream leak fix (rhbz#1951129)
 Patch1:         0001-pipewire-stream-Don-t-leak-GSource-s.patch

-%if 0%{?bundle_libvncserver}
+## LibVNCServer patches required for bundling
 Patch100:       0001-build-Set-rpath-on-executable.patch
-%endif

-%if 0%{?bundle_libvncserver}
 ### LibVNCServer patches
 ## TLS security type enablement patches
 # https://github.com/LibVNC/libvncserver/pull/234
@ -55,7 +51,9 @@ Patch1004: 0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch

 ## downstream patches
 Patch2000: libvncserver-LibVNCServer-0.9.13-system-crypto-policy.patch
-%endif
+
+## Don't compile SHA1 support
+Patch2100: 0001-crypto-Don-t-compile-SHA1-support-when-Websockets-ar.patch


 BuildRequires:  git
@ -146,7 +144,8 @@ mkdir -p %{_builddir}/libvncserver/
  -DLIB_INSTALL_DIR:PATH=%{libvncserver_install_dir}/%{_lib} \
  -DSYSCONF_INSTALL_DIR=%{libvncserver_install_dir}/etc \
  -DWITH_FFMPEG=OFF -DWITH_GTK=OFF -DWITH_OPENSSL=OFF -DWITH_GNUTLS=ON \
-  -DWITH_SDL=OFF -DWITH_X11=OFF -DWITH_WEBSOCKETS=OFF
+  -DWITH_SDL=OFF -DWITH_X11=OFF -DWITH_WEBSOCKETS=OFF \
+  -DLIBVNCSERVER_WITH_WEBSOCKETS=OFF
 %cmake_build
 %__cmake --install "%{__cmake_builddir}"
 popd
@ -208,6 +207,10 @@ popd


 %changelog
+* Mon Oct 25 2021 Jonas Ådahl <jadahl@redhat.com> - 40.0-7
+- Don't compile in SHA1 support
+  Resolves: #1936594
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 40.0-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688