Update to 1.16.2

Resolves: RHEL-154351
2026-04-09 10:59:02 +02:00 · 2026-04-09 10:59:02 +02:00 · 08b797e4ce
commit 08b797e4ce
parent d815f4c4c9
8 changed files with 43 additions and 164 deletions
--- a/.gitignore
+++ b/.gitignore
@ -35,3 +35,4 @@ tigervnc-1.0.90-20100721svn4113.tar.bz2
 /tigervnc-1.14.0.tar.gz
 /tigervnc-1.14.1.tar.gz
 /tigervnc-1.15.0.tar.gz
+/tigervnc-1.16.2.tar.gz
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (tigervnc-1.15.0.tar.gz) = 0b550296b5bd06ac9d63ce10861ff54d24e79b6ac1551d80e9b81845fa873d85bfd684112c66d86188c9c61fdffb9421ea8696c1c7fd15a24fb1bf6bfe6a5e05
+SHA512 (tigervnc-1.16.2.tar.gz) = acc2a380b3dc7237d9cc1500cd55cc9a6a295ef0aba21678f53d23673b44610717d3d462377ab32e9ea0f5ca9f4959335bf8645c442a8205a7ed62696de927cc
--- a/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch
+++ b/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch
@ -1,6 +1,6 @@
-From 69b0fd6d77ea5968bd815188ee2bda3d282ebc60 Mon Sep 17 00:00:00 2001
+From ec9712985a1bbc5a408d8a032892d9a04b6fe2b9 Mon Sep 17 00:00:00 2001
 From: Jan Grulich <jgrulich@redhat.com>
-Date: Mon, 29 Jul 2024 14:31:14 +0200
+Date: Thu, 9 Apr 2026 11:07:16 +0200
 Subject: [PATCH] Add option allowing to connect only the user owning the
 running session

@ -10,17 +10,17 @@ This is expected to be used with 'plain' security type in combination
 with 'PlainUsers=*' option allowing everyone to connect to the session.
 ---
 common/rfb/VNCServerST.cxx            |   7 --
- unix/x0vncserver/XDesktop.cxx         |   8 ++
+ unix/x0vncserver/XDesktop.cxx         |   9 ++
 unix/xserver/hw/vnc/XserverDesktop.cc | 137 ++++++++++++++++++++++++++
 unix/xserver/hw/vnc/XserverDesktop.h  |   7 ++
 unix/xserver/hw/vnc/Xvnc.man          |   7 ++
- 5 files changed, 159 insertions(+), 7 deletions(-)
+ 5 files changed, 160 insertions(+), 7 deletions(-)

 diff --git a/common/rfb/VNCServerST.cxx b/common/rfb/VNCServerST.cxx
-index b99d33b..aa8d53e 100644
+index a7d68d7..0d9e965 100644
 --- a/common/rfb/VNCServerST.cxx
 +++ b/common/rfb/VNCServerST.cxx
-@@ -682,13 +682,6 @@ void VNCServerST::queryConnection(VNCSConnectionST* client,
+@@ -769,13 +769,6 @@ void VNCServerST::queryConnection(VNCSConnectionST* client,
     return;
   }
 
@ -35,18 +35,19 @@ index b99d33b..aa8d53e 100644
   if (client->accessCheck(AccessNoQuery))
   {
 diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx
-index b43e3f7..3d00e23 100644
+index b52b20e..9685d0a 100644
 --- a/unix/x0vncserver/XDesktop.cxx
 +++ b/unix/x0vncserver/XDesktop.cxx
-@@ -31,6 +31,7 @@
+@@ -32,6 +32,8 @@
+ 
 #include <network/Socket.h>
 
- #include <rfb/LogWriter.h>
 +#include <rfb/ServerCore.h>
+
+ #include <rfb/ScreenSet.h>
 
 #include <x0vncserver/XDesktop.h>
- 
-@@ -320,6 +321,13 @@ void XDesktop::queryConnection(network::Socket* sock,
+@@ -324,6 +326,13 @@ void XDesktop::queryConnection(network::Socket* sock,
 {
   assert(isRunning());
 
@ -61,10 +62,10 @@ index b43e3f7..3d00e23 100644
   if (queryConnectSock) {
     std::list<network::Socket*> sockets;
 diff --git a/unix/xserver/hw/vnc/XserverDesktop.cc b/unix/xserver/hw/vnc/XserverDesktop.cc
-index 260ed3a..c8741f6 100644
+index 1a7a06d..4dc65f6 100644
 --- a/unix/xserver/hw/vnc/XserverDesktop.cc
 +++ b/unix/xserver/hw/vnc/XserverDesktop.cc
-@@ -51,6 +51,11 @@
+@@ -56,6 +56,11 @@
 #include "XorgGlue.h"
 #include "vncInput.h"
 
@ -76,12 +77,12 @@ index 260ed3a..c8741f6 100644
 extern "C" {
 void vncSetGlueContext(int screenIndex);
 void vncPresentMscEvent(uint64_t id, uint64_t msc);
-@@ -71,6 +76,15 @@ IntParameter queryConnectTimeout("QueryConnectTimeout",
-                                  "rejecting the connection",
-                                  10);
+@@ -73,6 +78,15 @@ core::IntParameter
+                       "connection' dialog before rejecting the "
+                       "connection", 10, 0, INT_MAX);
 
 +#ifdef HAVE_SYSTEMD_DAEMON
-+BoolParameter approveLoggedUserOnly
+core::BoolParameter approveLoggedUserOnly
 +("ApproveLoggedUserOnly",
 + "Approve only the user who is currently logged into the session."
 + "This is expected to be combined with 'plain' security type and with "
@ -92,7 +93,7 @@ index 260ed3a..c8741f6 100644
 
 XserverDesktop::XserverDesktop(int screenIndex_,
                                std::list<network::SocketListener*> listeners_,
-@@ -164,11 +178,134 @@ void XserverDesktop::init(rfb::VNCServer* vs)
+@@ -166,11 +180,134 @@ void XserverDesktop::init(rfb::VNCServer* vs)
   // ready state
 }
 
@ -228,11 +229,11 @@ index 260ed3a..c8741f6 100644
     server->approveConnection(sock, false, "Another connection is currently being queried.");
     return;
 diff --git a/unix/xserver/hw/vnc/XserverDesktop.h b/unix/xserver/hw/vnc/XserverDesktop.h
-index 8c543db..8d6bde4 100644
+index 37f5b1b..7d49d3b 100644
 --- a/unix/xserver/hw/vnc/XserverDesktop.h
 +++ b/unix/xserver/hw/vnc/XserverDesktop.h
-@@ -108,6 +108,13 @@ public:
-   void grabRegion(const rfb::Region& r) override;
+@@ -111,6 +111,13 @@ public:
+   void grabRegion(const core::Region& r) override;
 
 protected:
 +#ifdef HAVE_SYSTEMD_DAEMON
@ -246,7 +247,7 @@ index 8c543db..8d6bde4 100644
                            std::list<network::SocketListener*>* sockets,
                            rfb::VNCServer* sockserv);
 diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
-index d6b1664..24384df 100644
+index d6b1664..07b74bb 100644
 --- a/unix/xserver/hw/vnc/Xvnc.man
 +++ b/unix/xserver/hw/vnc/Xvnc.man
@@ -200,6 +200,13 @@ Never treat incoming connections as shared, regardless of the client-specified
@ -263,3 +264,6 @@ index d6b1664..24384df 100644
 .B \-pam_service \fIname\fP, \-PAMService \fIname\fP
 PAM service name to use when authentication users using any of the "Plain"
 security types. Default is \fBvnc\fP.
+-- 
+2.53.0
+
--- a/tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch
+++ b/tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch
@ -1,27 +0,0 @@
-From 313200978926cc7b7521c0d645918391b7609681 Mon Sep 17 00:00:00 2001
-From: Jan Grulich <jgrulich@redhat.com>
-Date: Thu, 27 Feb 2025 13:49:02 +0100
-Subject: [PATCH] Add SELinux policy rules allowing to access
- /proc/sys/fs/nr_open
-
-This is needed when the nofile limit is set to unlimited, otherwise we
-will fail to start a VNC session.
---
- unix/vncserver/selinux/vncsession.te | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
-index d92f1bd..2ce4fc8 100644
--- a/unix/vncserver/selinux/vncsession.te
-+++ b/unix/vncserver/selinux/vncsession.te
-@@ -37,6 +37,10 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms;
- allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
- files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
- 
-+# Allow access to /proc/sys/fs/nr_open
-+# Needed when the nofile limit is set to unlimited.
-+kernel_read_fs_sysctls(vnc_session_t)
-+
- # Allowed to create ~/.local
- optional_policy(`
- 	gnome_filetrans_home_content(vnc_session_t)
--- a/tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch
+++ b/tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch
@ -1,47 +0,0 @@
-From e652f06940f84fd8e19d7b674ae8c6000530fb40 Mon Sep 17 00:00:00 2001
-From: Jan Grulich <jgrulich@redhat.com>
-Date: Fri, 7 Feb 2025 15:32:49 +0100
-Subject: [PATCH] Add SELinux policy rules allowing to create directories under
- /root
-
-We have policy that allows to create ~/.local or ~/.config, but we don't
-have rule that allows the same under /root directory, where we fail in
-case any of these directories doesn't exist.
---
- unix/vncserver/selinux/vncsession.te | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
-index d92f1bda7d..2f49717077 100644
--- a/unix/vncserver/selinux/vncsession.te
-+++ b/unix/vncserver/selinux/vncsession.te
-@@ -48,6 +48,14 @@ optional_policy(`
- 	create_dirs_pattern(vnc_session_t, gconf_home_t, gconf_home_t)
- ')
- 
-+# Allowed to create /root/.local
-+optional_policy(`
-+	gen_require(`
-+		type admin_home_t;
-+	')
-+	create_dirs_pattern(vnc_session_t, admin_home_t, admin_home_t)
-+')
-+
- # Manage TigerVNC files (mainly ~/.local/state/*.log)
- create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
- manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
-@@ -88,6 +96,7 @@ optional_policy(`
- 	gen_require(`
- 		attribute userdomain;
- 		type gconf_home_t;
-+		type admin_home_t;
- 	')
- 	userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
- 	userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
-@@ -95,5 +104,6 @@ optional_policy(`
- 	gnome_config_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
- 	gnome_data_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
- 	filetrans_pattern(userdomain, gconf_home_t, vnc_home_t, dir, "tigervnc")
-+	filetrans_pattern(vnc_session_t, admin_home_t, vnc_home_t, dir, "tigervnc")
- 	filetrans_pattern(vnc_session_t, gconf_home_t, vnc_home_t, dir, "tigervnc")
- ')
--- a/tigervnc-dont-print-xvnc-banner-before-parsing-args.patch
+++ b/tigervnc-dont-print-xvnc-banner-before-parsing-args.patch
@ -1,47 +0,0 @@
-From 1f1aaca09a1f9919f5169caea9c396b14c2af765 Mon Sep 17 00:00:00 2001
-From: Pierre Ossman <ossman@cendio.se>
-Date: Tue, 8 Apr 2025 14:41:04 +0200
-Subject: [PATCH] Don't print Xvnc banner before parsing args
-
-If we'll be running in inetd mode, then stdout and stderr will be a
-client socket and not an appropriate place for logging.
-
-Mimic what Xorg does instead.
---
- unix/xserver/hw/vnc/xvnc.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
-index ddb249937..a13168c47 100644
--- a/unix/xserver/hw/vnc/xvnc.c
-+++ b/unix/xserver/hw/vnc/xvnc.c
-@@ -446,7 +446,7 @@ ddxProcessArgument(int argc, char *argv[], int i)
-     }
- 
-     if (!strcmp(argv[i], "-showconfig") || !strcmp(argv[i], "-version")) {
-        /* Already shown at start */
-+        vncPrintBanner();
-         exit(0);
-     }
- 
-@@ -1171,8 +1171,11 @@ InitOutput(ScreenInfo * scrInfo, int argc, char **argv)
-     int i;
-     int NumFormats = 0;
- 
-    if (serverGeneration == 1)
-+    if (serverGeneration == 1) {
-+        vncPrintBanner();
-+
-         LoadExtensionList(vncExtensions, ARRAY_SIZE(vncExtensions), TRUE);
-+    }
- 
- #if XORG_AT_LEAST(1, 20, 0)
-     xorgGlxCreateVendor();
-@@ -1266,7 +1269,5 @@ vncClientGone(int fd)
- int
- main(int argc, char *argv[], char *envp[])
- {
-    vncPrintBanner();
-
-     return dix_main(argc, argv, envp);
- }
--- a/tigervnc-vncsession-restore-script-systemd-service.patch
+++ b/tigervnc-vncsession-restore-script-systemd-service.patch
@ -8,28 +8,28 @@ for systemd service file in order to properly start the session
 in case the policy is updated (e.g. after Tigervnc update).

 diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
-index ae69dc09..04eb6fc4 100644
+index ed259c2..96a9750 100644
 --- a/unix/vncserver/CMakeLists.txt
 +++ b/unix/vncserver/CMakeLists.txt
-@@ -2,6 +2,7 @@ add_executable(vncsession vncsession.c)
- target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
+@@ -5,6 +5,7 @@ target_link_libraries(vncsession ${PAM_LIBRARIES})
+ target_link_libraries(vncsession ${SELINUX_LIBRARIES})
 
 configure_file(vncserver@.service.in vncserver@.service @ONLY)
 +configure_file(vncsession-restore.in vncsession-restore @ONLY)
 configure_file(vncsession-start.in vncsession-start @ONLY)
 configure_file(vncserver.in vncserver @ONLY)
 configure_file(vncsession.man.in vncsession.man @ONLY)
-@@ -20,4 +21,5 @@ install(FILES HOWTO.md DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR})
+@@ -23,4 +24,5 @@ install(FILES HOWTO.md DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR})
 if(INSTALL_SYSTEMD_UNITS)
   install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncserver@.service DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR})
   install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
 +  install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-restore DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
 endif()
 diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
-index 39f81b73..a83e05a3 100644
+index 336498a..060b903 100644
 --- a/unix/vncserver/vncserver@.service.in
 +++ b/unix/vncserver/vncserver@.service.in
-@@ -35,6 +35,7 @@ After=syslog.target network.target
+@@ -35,6 +35,7 @@ After=network.target systemd-user-sessions.service
 
 [Service]
 Type=forking
@ -37,6 +37,7 @@ index 39f81b73..a83e05a3 100644
 ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i
 PIDFile=/run/vncsession-%i.pid
 SELinuxContext=system_u:system_r:vnc_session_t:s0
+
 diff --git a/unix/vncserver/vncsession-restore.in b/unix/vncserver/vncsession-restore.in
 new file mode 100644
 index 00000000..d3abc57d
--- a/tigervnc.spec
+++ b/tigervnc.spec
@ -4,8 +4,8 @@
 %global modulename vncsession

 Name:           tigervnc
-Version:        1.15.0
-Release:        7%{?dist}
+Version:        1.16.2
+Release:        1%{?dist}
 Summary:        A TigerVNC remote display system

 %global _hardened_build 1
@ -31,9 +31,6 @@ Patch3:         tigervnc-add-option-allowing-to-connect-only-user-owning-session
 Patch4:         tigervnc-allow-use-of-passwords-longer-than-eight-characters.patch

 # Upstream patches
-Patch50:        tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch
-Patch51:        tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch
-Patch52:        tigervnc-dont-print-xvnc-banner-before-parsing-args.patch

 # Upstreamable patches

@ -212,9 +209,6 @@ popd
 %patch -P4 -p1 -b .allow-use-of-passwords-longer-than-eight-characters

 # Upstream patches
-%patch -P50 -p1 -b .add-selinux-policy-rules-allowing-create-dirs-under-root-dir
-%patch -P51 -p1 -b .add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open
-%patch -P52 -p1 -b .dont-print-xvnc-banner-before-parsing-args

 # Upstreamable patches

@ -236,10 +230,6 @@ mkdir -p %{%__cmake_builddir}

 pushd unix/xserver

-%if 0%{?fedora} > 32 || 0%{?rhel} >= 9
-sed -i 's@TIGERVNC_BUILDDIR=${top_builddir}/\.\./\.\.@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}/%{_target_platform}@g' hw/vnc/Makefile.am
-%endif
-
 autoreconf -fiv
 %configure \
        --disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
@ -257,7 +247,7 @@ autoreconf -fiv
        --enable-systemd-logind \
        --enable-config-udev

-make %{?_smp_mflags}
+make TIGERVNC_BUILDDIR="`pwd`/../../%{__cmake_builddir}" %{?_smp_mflags}
 popd

 # Build icons
@ -279,7 +269,7 @@ popd
 rm -f %{buildroot}%{_docdir}/%{name}-%{version}/{README.rst,LICENCE.TXT}

 pushd unix/xserver/hw/vnc
-%make_install
+%make_install TIGERVNC_BUILDDIR="`pwd`/../../../../%{__cmake_builddir}"
 popd

 # Install systemd unit file
@ -398,6 +388,10 @@ fi
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}

 %changelog
+* Thu Apr 09 2026 Jan Grulich <jgrulich@redhat.com> - 1.16.2-1
+- Update to 1.16.2
+  Resolves: RHEL-154351
+
 * Fri Oct 31 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-7
 - Fix CVE-2025-62229: xorg-x11-server: Use-after-free in XPresentNotify structures creation
  Resolves: RHEL-119989