diff --git a/.gitignore b/.gitignore
index 0e92072..1255eb6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,3 +35,4 @@ tigervnc-1.0.90-20100721svn4113.tar.bz2
 /tigervnc-1.14.0.tar.gz
 /tigervnc-1.14.1.tar.gz
 /tigervnc-1.15.0.tar.gz
+/tigervnc-1.16.2.tar.gz
diff --git a/sources b/sources
index eaa4b26..100d710 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (tigervnc-1.15.0.tar.gz) = 0b550296b5bd06ac9d63ce10861ff54d24e79b6ac1551d80e9b81845fa873d85bfd684112c66d86188c9c61fdffb9421ea8696c1c7fd15a24fb1bf6bfe6a5e05
+SHA512 (tigervnc-1.16.2.tar.gz) = acc2a380b3dc7237d9cc1500cd55cc9a6a295ef0aba21678f53d23673b44610717d3d462377ab32e9ea0f5ca9f4959335bf8645c442a8205a7ed62696de927cc
diff --git a/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch b/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch
index 371c700..8c6cc24 100644
--- a/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch
+++ b/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch
@@ -1,6 +1,6 @@
-From 69b0fd6d77ea5968bd815188ee2bda3d282ebc60 Mon Sep 17 00:00:00 2001
+From ec9712985a1bbc5a408d8a032892d9a04b6fe2b9 Mon Sep 17 00:00:00 2001
 From: Jan Grulich
-Date: Mon, 29 Jul 2024 14:31:14 +0200
+Date: Thu, 9 Apr 2026 11:07:16 +0200
 Subject: [PATCH] Add option allowing to connect only the user owning the running session
@@ -10,17 +10,17 @@ This is expected to be used with 'plain' security type in combination with 'PlainUsers=*' option allowing everyone to connect to the session.
 ---
 common/rfb/VNCServerST.cxx | 7 --
- unix/x0vncserver/XDesktop.cxx | 8 ++
+ unix/x0vncserver/XDesktop.cxx | 9 ++
 unix/xserver/hw/vnc/XserverDesktop.cc | 137 ++++++++++++++++++++++++++
 unix/xserver/hw/vnc/XserverDesktop.h | 7 ++
 unix/xserver/hw/vnc/Xvnc.man | 7 ++
- 5 files changed, 159 insertions(+), 7 deletions(-)
+ 5 files changed, 160 insertions(+), 7 deletions(-)
diff --git a/common/rfb/VNCServerST.cxx b/common/rfb/VNCServerST.cxx -index b99d33b..aa8d53e 100644 +index a7d68d7..0d9e965 100644 --- a/common/rfb/VNCServerST.cxx +++ b/common/rfb/VNCServerST.cxx -@@ -682,13 +682,6 @@ void VNCServerST::queryConnection(VNCSConnectionST* client, +@@ -769,13 +769,6 @@ void VNCServerST::queryConnection(VNCSConnectionST* client, return; } @@ -35,18 +35,19 @@ index b99d33b..aa8d53e 100644 if (client->accessCheck(AccessNoQuery)) { diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx -index b43e3f7..3d00e23 100644 +index b52b20e..9685d0a 100644 --- a/unix/x0vncserver/XDesktop.cxx +++ b/unix/x0vncserver/XDesktop.cxx -@@ -31,6 +31,7 @@ +@@ -32,6 +32,8 @@ + #include - #include +#include ++ + #include #include - -@@ -320,6 +321,13 @@ void XDesktop::queryConnection(network::Socket* sock, +@@ -324,6 +326,13 @@ void XDesktop::queryConnection(network::Socket* sock, { assert(isRunning()); @@ -61,10 +62,10 @@ index b43e3f7..3d00e23 100644 if (queryConnectSock) { std::list sockets; diff --git a/unix/xserver/hw/vnc/XserverDesktop.cc b/unix/xserver/hw/vnc/XserverDesktop.cc -index 260ed3a..c8741f6 100644 +index 1a7a06d..4dc65f6 100644 --- a/unix/xserver/hw/vnc/XserverDesktop.cc +++ b/unix/xserver/hw/vnc/XserverDesktop.cc -@@ -51,6 +51,11 @@ +@@ -56,6 +56,11 @@ #include "XorgGlue.h" #include "vncInput.h" 
@@ -76,12 +77,12 @@ index 260ed3a..c8741f6 100644 extern "C" { void vncSetGlueContext(int screenIndex); void vncPresentMscEvent(uint64_t id, uint64_t msc); -@@ -71,6 +76,15 @@ IntParameter queryConnectTimeout("QueryConnectTimeout", - "rejecting the connection", - 10); +@@ -73,6 +78,15 @@ core::IntParameter + "connection' dialog before rejecting the " + "connection", 10, 0, INT_MAX); +#ifdef HAVE_SYSTEMD_DAEMON -+BoolParameter approveLoggedUserOnly ++core::BoolParameter approveLoggedUserOnly +("ApproveLoggedUserOnly", + "Approve only the user who is currently logged into the session." + "This is expected to be combined with 'plain' security type and with " @@ -92,7 +93,7 @@ index 260ed3a..c8741f6 100644 XserverDesktop::XserverDesktop(int screenIndex_, std::list listeners_, -@@ -164,11 +178,134 @@ void XserverDesktop::init(rfb::VNCServer* vs) +@@ -166,11 +180,134 @@ void XserverDesktop::init(rfb::VNCServer* vs) // ready state } @@ -228,11 +229,11 @@ index 260ed3a..c8741f6 100644 server->approveConnection(sock, false, "Another connection is currently being queried."); return; diff --git a/unix/xserver/hw/vnc/XserverDesktop.h b/unix/xserver/hw/vnc/XserverDesktop.h -index 8c543db..8d6bde4 100644 +index 37f5b1b..7d49d3b 100644 --- a/unix/xserver/hw/vnc/XserverDesktop.h +++ b/unix/xserver/hw/vnc/XserverDesktop.h -@@ -108,6 +108,13 @@ public: - void grabRegion(const rfb::Region& r) override; +@@ -111,6 +111,13 @@ public: + void grabRegion(const core::Region& r) override; protected: +#ifdef HAVE_SYSTEMD_DAEMON @@ -246,7 +247,7 @@ index 8c543db..8d6bde4 100644 std::list* sockets, rfb::VNCServer* sockserv); diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man -index d6b1664..24384df 100644 +index d6b1664..07b74bb 100644 --- a/unix/xserver/hw/vnc/Xvnc.man +++ b/unix/xserver/hw/vnc/Xvnc.man @@ -200,6 +200,13 @@ Never treat incoming connections as shared, regardless of the client-specified 
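Review bot: The help text of `approveLoggedUserOnly` is assembled from adjacent string literals with no separating space, so the first sentence runs straight into the second ("...logged into the session.This is expected to be combined..."); since the rebase already rewrites the declaration line to `core::BoolParameter approveLoggedUserOnly`, the literal just below it should end `"Approve only the user who is currently logged into the session. "`. Those literal lines are context in this hunk, so the defect is carried over from the earlier version of the patch rather than introduced here, but the rebase is the natural place to fix it. The logic that enforces the option lives in the 137-line XserverDesktop.cc hunk (`@@ -166,11 +180,134 @@`) whose body is not visible in this chunk, so whether the new upstream API (`core::` namespace, min/max bounds on the parameters) is applied consistently there cannot be checked from here.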
@@ -263,3 +264,6 @@ index d6b1664..24384df 100644 .B \-pam_service \fIname\fP, \-PAMService \fIname\fP PAM service name to use when authentication users using any of the "Plain" security types. Default is \fBvnc\fP. +-- +2.53.0 + diff --git a/tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch b/tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch deleted file mode 100644 index 46f9bca..0000000 --- a/tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 313200978926cc7b7521c0d645918391b7609681 Mon Sep 17 00:00:00 2001 -From: Jan Grulich -Date: Thu, 27 Feb 2025 13:49:02 +0100 -Subject: [PATCH] Add SELinux policy rules allowing to access - /proc/sys/fs/nr_open - -This is needed when the nofile limit is set to unlimited, otherwise we -will fail to start a VNC session. ---- - unix/vncserver/selinux/vncsession.te | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te -index d92f1bd..2ce4fc8 100644 ---- a/unix/vncserver/selinux/vncsession.te -+++ b/unix/vncserver/selinux/vncsession.te -@@ -37,6 +37,10 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms; - allow vnc_session_t vnc_session_var_run_t:file manage_file_perms; - files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file) - -+# Allow access to /proc/sys/fs/nr_open -+# Needed when the nofile limit is set to unlimited. -+kernel_read_fs_sysctls(vnc_session_t) -+ - # Allowed to create ~/.local - optional_policy(` - gnome_filetrans_home_content(vnc_session_t) diff --git a/tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch b/tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch deleted file mode 100644 index a3b4c18..0000000 --- a/tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From e652f06940f84fd8e19d7b674ae8c6000530fb40 Mon Sep 17 00:00:00 2001 -From: Jan Grulich -Date: Fri, 7 Feb 2025 15:32:49 +0100 -Subject: [PATCH] Add SELinux policy rules allowing to create directories under - /root - -We have policy that allows to create ~/.local or ~/.config, but we don't -have rule that allows the same under /root directory, where we fail in -case any of these directories doesn't exist. ---- - unix/vncserver/selinux/vncsession.te | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te -index d92f1bda7d..2f49717077 100644 ---- a/unix/vncserver/selinux/vncsession.te -+++ b/unix/vncserver/selinux/vncsession.te -@@ -48,6 +48,14 @@ optional_policy(` - create_dirs_pattern(vnc_session_t, gconf_home_t, gconf_home_t) - ') - -+# Allowed to create /root/.local -+optional_policy(` -+ gen_require(` -+ type admin_home_t; -+ ') -+ create_dirs_pattern(vnc_session_t, admin_home_t, admin_home_t) -+') -+ - # Manage TigerVNC files (mainly ~/.local/state/*.log) - create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t) - manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t) -@@ -88,6 +96,7 @@ optional_policy(` - gen_require(` - attribute userdomain; - type gconf_home_t; -+ type admin_home_t; - ') - userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc") - userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc") -@@ -95,5 +104,6 @@ optional_policy(` - gnome_config_filetrans(userdomain, vnc_home_t, dir, "tigervnc") - gnome_data_filetrans(userdomain, vnc_home_t, dir, "tigervnc") - filetrans_pattern(userdomain, gconf_home_t, vnc_home_t, dir, "tigervnc") -+ filetrans_pattern(vnc_session_t, admin_home_t, vnc_home_t, dir, "tigervnc") - filetrans_pattern(vnc_session_t, gconf_home_t, vnc_home_t, dir, "tigervnc") - ') 
diff --git a/tigervnc-dont-print-xvnc-banner-before-parsing-args.patch b/tigervnc-dont-print-xvnc-banner-before-parsing-args.patch deleted file mode 100644 index 5d7ec9f..0000000 --- a/tigervnc-dont-print-xvnc-banner-before-parsing-args.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 1f1aaca09a1f9919f5169caea9c396b14c2af765 Mon Sep 17 00:00:00 2001 -From: Pierre Ossman -Date: Tue, 8 Apr 2025 14:41:04 +0200 -Subject: [PATCH] Don't print Xvnc banner before parsing args - -If we'll be running in inetd mode, then stdout and stderr will be a -client socket and not an appropriate place for logging. - -Mimic what Xorg does instead. ---- - unix/xserver/hw/vnc/xvnc.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c -index ddb249937..a13168c47 100644 ---- a/unix/xserver/hw/vnc/xvnc.c -+++ b/unix/xserver/hw/vnc/xvnc.c -@@ -446,7 +446,7 @@ ddxProcessArgument(int argc, char *argv[], int i) - } - - if (!strcmp(argv[i], "-showconfig") || !strcmp(argv[i], "-version")) { -- /* Already shown at start */ -+ vncPrintBanner(); - exit(0); - } - -@@ -1171,8 +1171,11 @@ InitOutput(ScreenInfo * scrInfo, int argc, char **argv) - int i; - int NumFormats = 0; - -- if (serverGeneration == 1) -+ if (serverGeneration == 1) { -+ vncPrintBanner(); -+ - LoadExtensionList(vncExtensions, ARRAY_SIZE(vncExtensions), TRUE); -+ } - - #if XORG_AT_LEAST(1, 20, 0) - xorgGlxCreateVendor(); -@@ -1266,7 +1269,5 @@ vncClientGone(int fd) - int - main(int argc, char *argv[], char *envp[]) - { -- vncPrintBanner(); -- - return dix_main(argc, argv, envp); - } diff --git a/tigervnc-vncsession-restore-script-systemd-service.patch b/tigervnc-vncsession-restore-script-systemd-service.patch index cea1824..720d207 100644 --- a/tigervnc-vncsession-restore-script-systemd-service.patch +++ b/tigervnc-vncsession-restore-script-systemd-service.patch 
@@ -8,28 +8,28 @@ for systemd service file in order to properly start the session in case the policy is updated (e.g. after Tigervnc update). diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt -index ae69dc09..04eb6fc4 100644 +index ed259c2..96a9750 100644 --- a/unix/vncserver/CMakeLists.txt +++ b/unix/vncserver/CMakeLists.txt -@@ -2,6 +2,7 @@ add_executable(vncsession vncsession.c) - target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS}) +@@ -5,6 +5,7 @@ target_link_libraries(vncsession ${PAM_LIBRARIES}) + target_link_libraries(vncsession ${SELINUX_LIBRARIES}) configure_file(vncserver@.service.in vncserver@.service @ONLY) +configure_file(vncsession-restore.in vncsession-restore @ONLY) configure_file(vncsession-start.in vncsession-start @ONLY) configure_file(vncserver.in vncserver @ONLY) configure_file(vncsession.man.in vncsession.man @ONLY) -@@ -20,4 +21,5 @@ install(FILES HOWTO.md DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR}) +@@ -23,4 +24,5 @@ install(FILES HOWTO.md DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR}) if(INSTALL_SYSTEMD_UNITS) install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncserver@.service DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR}) install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR}) + install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-restore DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR}) endif() diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in -index 39f81b73..a83e05a3 100644 +index 336498a..060b903 100644 --- a/unix/vncserver/vncserver@.service.in +++ b/unix/vncserver/vncserver@.service.in -@@ -35,6 +35,7 @@ After=syslog.target network.target +@@ -35,6 +35,7 @@ After=network.target systemd-user-sessions.service [Service] Type=forking @@ -37,6 +37,7 @@ index 39f81b73..a83e05a3 100644 ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i PIDFile=/run/vncsession-%i.pid SELinuxContext=system_u:system_r:vnc_session_t:s0 + 
 diff --git a/unix/vncserver/vncsession-restore.in b/unix/vncserver/vncsession-restore.in
 new file mode 100644
 index 00000000..d3abc57d
diff --git a/tigervnc.spec b/tigervnc.spec
index 6cea7e1..dbb1449 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -4,8 +4,8 @@ %global modulename vncsession
 Name: tigervnc
-Version: 1.15.0
-Release: 7%{?dist}
+Version: 1.16.2
+Release: 1%{?dist}
 Summary: A TigerVNC remote display system
 %global _hardened_build 1
@@ -31,9 +31,6 @@ Patch3: tigervnc-add-option-allowing-to-connect-only-user-owning-session
 Patch4: tigervnc-allow-use-of-passwords-longer-than-eight-characters.patch
 # Upstream patches
-Patch50: tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch
-Patch51: tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch
-Patch52: tigervnc-dont-print-xvnc-banner-before-parsing-args.patch
 # Upstreamable patches
@@ -212,9 +209,6 @@ popd
 %patch -P4 -p1 -b .allow-use-of-passwords-longer-than-eight-characters
 # Upstream patches
-%patch -P50 -p1 -b .add-selinux-policy-rules-allowing-create-dirs-under-root-dir
-%patch -P51 -p1 -b .add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open
-%patch -P52 -p1 -b .dont-print-xvnc-banner-before-parsing-args
 # Upstreamable patches
@@ -236,10 +230,6 @@ mkdir -p %{%__cmake_builddir}
 pushd unix/xserver
-%if 0%{?fedora} > 32 || 0%{?rhel} >= 9
-sed -i 's@TIGERVNC_BUILDDIR=${top_builddir}/\.\./\.\.@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}/%{_target_platform}@g' hw/vnc/Makefile.am
-%endif
-
 autoreconf -fiv
 %configure \
 --disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
@@ -257,7 +247,7 @@ autoreconf -fiv
 --enable-systemd-logind \
 --enable-config-udev
-make %{?_smp_mflags}
+make TIGERVNC_BUILDDIR="`pwd`/../../%{__cmake_builddir}" %{?_smp_mflags}
 popd
 # Build icons
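Review bot: The new `make TIGERVNC_BUILDDIR="`pwd`/../../%{__cmake_builddir}" %{?_smp_mflags}` line, and the `%make_install TIGERVNC_BUILDDIR="`pwd`/../../../../%{__cmake_builddir}"` line in the `@@ -279,7 +269,7 @@` hunk, derive the same directory from two different relative depths tied to the surrounding `pushd` levels, which silently breaks if either block is moved or the pushd target changes. Defining the path once as an absolute value (a `%global` resolved from the build tree) and passing that to both invocations would make the override independent of the current directory. Whether the override is honoured at all depends on upstream's `hw/vnc/Makefile.am` accepting `TIGERVNC_BUILDDIR` from the make command line; the removed `sed` suggests that variable exists, but it cannot be confirmed from this chunk. The trailer context `mkdir -p %{%__cmake_builddir}` also looks like a pre-existing typo for `%{__cmake_builddir}` and is worth fixing while this block is being reworked.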
@@ -279,7 +269,7 @@ popd
 rm -f %{buildroot}%{_docdir}/%{name}-%{version}/{README.rst,LICENCE.TXT}
 pushd unix/xserver/hw/vnc
-%make_install
+%make_install TIGERVNC_BUILDDIR="`pwd`/../../../../%{__cmake_builddir}"
 popd
 # Install systemd unit file
@@ -398,6 +388,10 @@ fi
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 %changelog
+* Thu Apr 09 2026 Jan Grulich - 1.16.2-1
+- Update to 1.16.2
+ Resolves: RHEL-154351
+
 * Fri Oct 31 2025 Jan Grulich - 1.15.0-7
 - Fix CVE-2025-62229: xorg-x11-server: Use-after-free in XPresentNotify structures creation
 Resolves: RHEL-119989