From 17a271c1e7bc2a2720ac2d46dc266a555f3909a9 Mon Sep 17 00:00:00 2001 From: Jan Grulich Date: Mon, 22 Jan 2024 09:58:22 +0100 Subject: [PATCH] Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice Resolves: RHEL-20388 Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent Resolves: RHEL-20382 Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access Resolves: RHEL-20530 Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer Resolves: RHEL-21214 --- ...-pointer-position-for-floating-device.patch | 13 +++++++++++++ tigervnc.spec | 18 +++++++++++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 tigervnc-dont-get-pointer-position-for-floating-device.patch diff --git a/tigervnc-dont-get-pointer-position-for-floating-device.patch b/tigervnc-dont-get-pointer-position-for-floating-device.patch new file mode 100644 index 0000000..3bf7dda --- /dev/null +++ b/tigervnc-dont-get-pointer-position-for-floating-device.patch @@ -0,0 +1,13 @@ +diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c +index b3d0926d..d36a096f 100644 +--- a/unix/xserver/hw/vnc/vncInput.c ++++ b/unix/xserver/hw/vnc/vncInput.c +@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y) + + void vncGetPointerPos(int *x, int *y) + { +- if (vncPointerDev != NULL) { ++ if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) { + ScreenPtr ptrScreen; + + miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY); diff --git a/tigervnc.spec b/tigervnc.spec index 40e3565..d8e8451 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -5,7 +5,7 @@ Name: tigervnc Version: 1.13.1 -Release: 6%{?dist} +Release: 7%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1 @@ -30,6 +30,9 @@ Patch3: tigervnc-dont-install-appstream-metadata-file.patch Patch50: tigervnc-support-username-alias-in-plainusers.patch Patch51: tigervnc-use-dup-to-get-available-fd-for-inetd.patch +# Upstreamable patches +Patch80: tigervnc-dont-get-pointer-position-for-floating-device.patch + # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg Patch100: tigervnc-xserver120.patch # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start @@ -193,6 +196,9 @@ popd %patch50 -p1 -b .support-username-alias-in-plainusers %patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd +# Upstreamable patches +%patch80 -p1 -b .dont-get-pointer-position-for-floating-device + %build %ifarch sparcv9 sparc64 s390 s390x export CFLAGS="$RPM_OPT_FLAGS -fPIC" @@ -346,6 +352,16 @@ fi %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %changelog +* Mon Jan 22 2024 Jan Grulich - 1.13.1-7 +- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice + Resolves: RHEL-20388 +- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent + Resolves: RHEL-20382 +- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access + Resolves: RHEL-20530 +- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer + Resolves: RHEL-21214 + * Mon Jan 08 2024 Jan Grulich - 1.13.1-6 - Use dup() to get available file descriptor when using -inetd option Resolves: RHEL-21000