Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice

Resolves: RHEL-20388 Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent Resolves: RHEL-20382 Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access Resolves: RHEL-20530 Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer Resolves: RHEL-21214
2024-01-22 09:58:22 +01:00 · 2024-01-22 09:58:22 +01:00 · 17a271c1e7
commit 17a271c1e7
parent c32f5f2f67
2 changed files with 30 additions and 1 deletions
--- a/tigervnc-dont-get-pointer-position-for-floating-device.patch
+++ b/tigervnc-dont-get-pointer-position-for-floating-device.patch
@ -0,0 +1,13 @@
+diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c
+index b3d0926d..d36a096f 100644
+--- a/unix/xserver/hw/vnc/vncInput.c
+++ b/unix/xserver/hw/vnc/vncInput.c
+@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y)
+ 
+ void vncGetPointerPos(int *x, int *y)
+ {
+-	if (vncPointerDev != NULL) {
+	if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) {
+ 		ScreenPtr ptrScreen;
+ 
+ 		miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY);
--- a/tigervnc.spec
+++ b/tigervnc.spec
@ -5,7 +5,7 @@

 Name:           tigervnc
 Version:        1.13.1
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        A TigerVNC remote display system

 %global _hardened_build 1
@ -30,6 +30,9 @@ Patch3:         tigervnc-dont-install-appstream-metadata-file.patch
 Patch50:        tigervnc-support-username-alias-in-plainusers.patch
 Patch51:        tigervnc-use-dup-to-get-available-fd-for-inetd.patch

+# Upstreamable patches
+Patch80:        tigervnc-dont-get-pointer-position-for-floating-device.patch
+
 # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
 Patch100:       tigervnc-xserver120.patch
 # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
@ -193,6 +196,9 @@ popd
 %patch50 -p1 -b .support-username-alias-in-plainusers
 %patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd

+# Upstreamable patches
+%patch80 -p1 -b .dont-get-pointer-position-for-floating-device
+
 %build
 %ifarch sparcv9 sparc64 s390 s390x
 export CFLAGS="$RPM_OPT_FLAGS -fPIC"
@ -346,6 +352,16 @@ fi
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}

 %changelog
+* Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
+- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
+  Resolves: RHEL-20388
+- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
+  Resolves: RHEL-20382
+- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
+  Resolves: RHEL-20530
+- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
+  Resolves: RHEL-21214
+
 * Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6
 - Use dup() to get available file descriptor when using -inetd option
  Resolves: RHEL-21000