From 2c398aeaacbf0adc242ea8cca8ce90e9bc76a91a Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 15 Sep 2025 12:52:54 +0000 Subject: [PATCH] import CS tigervnc-1.15.0-5.el9 --- .gitignore | 2 +- .tigervnc.metadata | 2 +- ...add-clipboard-support-to-x0vncserver.patch | 543 ------------------ ...-to-connect-only-user-owning-session.patch | 61 +- ...lowing-access-to-proc-sys-fs-nr-open.patch | 27 + ...-allowing-create-dirs-under-root-dir.patch | 47 ++ ...sswords-longer-than-eight-characters.patch | 14 + ...c-avoid-invalid-xfree-for-xclasshint.patch | 24 - ...el-window-setup-for-selection-window.patch | 22 - ...pointer-position-for-floating-device.patch | 13 - ...rint-xvnc-banner-before-parsing-args.patch | 47 ++ ...e-existing-log-to-log-old-if-present.patch | 94 --- SOURCES/tigervnc-xserver120.patch | 138 ----- SOURCES/xorg-CVE-2025-26594-2.patch | 46 -- SOURCES/xorg-CVE-2025-26594.patch | 52 -- SOURCES/xorg-CVE-2025-26595.patch | 60 -- SOURCES/xorg-CVE-2025-26596.patch | 44 -- SOURCES/xorg-CVE-2025-26597.patch | 41 -- SOURCES/xorg-CVE-2025-26598.patch | 115 ---- SOURCES/xorg-CVE-2025-26599-2.patch | 124 ---- SOURCES/xorg-CVE-2025-26599.patch | 62 -- SOURCES/xorg-CVE-2025-26600.patch | 64 --- SOURCES/xorg-CVE-2025-26601-2.patch | 80 --- SOURCES/xorg-CVE-2025-26601-3.patch | 47 -- SOURCES/xorg-CVE-2025-26601-4.patch | 128 ----- SOURCES/xorg-CVE-2025-26601.patch | 66 --- SPECS/tigervnc.spec | 118 ++-- 27 files changed, 247 insertions(+), 1834 deletions(-) delete mode 100644 SOURCES/tigervnc-add-clipboard-support-to-x0vncserver.patch create mode 100644 SOURCES/tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch create mode 100644 SOURCES/tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch create mode 100644 SOURCES/tigervnc-allow-use-of-passwords-longer-than-eight-characters.patch delete mode 100644 SOURCES/tigervnc-avoid-invalid-xfree-for-xclasshint.patch delete mode 100644 SOURCES/tigervnc-do-proper-toplevel-window-setup-for-selection-window.patch delete mode 100644 SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch create mode 100644 SOURCES/tigervnc-dont-print-xvnc-banner-before-parsing-args.patch delete mode 100644 SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch delete mode 100644 SOURCES/tigervnc-xserver120.patch delete mode 100644 SOURCES/xorg-CVE-2025-26594-2.patch delete mode 100644 SOURCES/xorg-CVE-2025-26594.patch delete mode 100644 SOURCES/xorg-CVE-2025-26595.patch delete mode 100644 SOURCES/xorg-CVE-2025-26596.patch delete mode 100644 SOURCES/xorg-CVE-2025-26597.patch delete mode 100644 SOURCES/xorg-CVE-2025-26598.patch delete mode 100644 SOURCES/xorg-CVE-2025-26599-2.patch delete mode 100644 SOURCES/xorg-CVE-2025-26599.patch delete mode 100644 SOURCES/xorg-CVE-2025-26600.patch delete mode 100644 SOURCES/xorg-CVE-2025-26601-2.patch delete mode 100644 SOURCES/xorg-CVE-2025-26601-3.patch delete mode 100644 SOURCES/xorg-CVE-2025-26601-4.patch delete mode 100644 SOURCES/xorg-CVE-2025-26601.patch diff --git a/.gitignore b/.gitignore index 909656d..a76e6b4 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/tigervnc-1.14.1.tar.gz +SOURCES/tigervnc-1.15.0.tar.gz diff --git a/.tigervnc.metadata b/.tigervnc.metadata index 6633de2..c8fffb7 100644 --- a/.tigervnc.metadata +++ b/.tigervnc.metadata @@ -1 +1 @@ -bc3c8bc9f454eb307011cd5965251f4a28040a25 SOURCES/tigervnc-1.14.1.tar.gz +fec424f110bdf5032cd5eb4df2596b8251d2e1ed SOURCES/tigervnc-1.15.0.tar.gz diff --git a/SOURCES/tigervnc-add-clipboard-support-to-x0vncserver.patch b/SOURCES/tigervnc-add-clipboard-support-to-x0vncserver.patch deleted file mode 100644 index 671b798..0000000 --- a/SOURCES/tigervnc-add-clipboard-support-to-x0vncserver.patch +++ /dev/null @@ -1,543 +0,0 @@ -From c23be952f50ba34c49134b6280ce503f154dc9bc Mon Sep 17 00:00:00 2001 -From: Gaurav Ujjwal -Date: Wed, 25 Sep 2024 21:21:26 +0530 -Subject: [PATCH] Add clipboard support to x0vncserver - ---- - unix/tx/TXWindow.cxx | 13 ++- - unix/tx/TXWindow.h | 3 +- - unix/x0vncserver/CMakeLists.txt | 1 + - unix/x0vncserver/XDesktop.cxx | 49 +++++++- - unix/x0vncserver/XDesktop.h | 13 ++- - unix/x0vncserver/XSelection.cxx | 195 +++++++++++++++++++++++++++++++ - unix/x0vncserver/XSelection.h | 58 +++++++++ - unix/x0vncserver/x0vncserver.cxx | 5 - - unix/x0vncserver/x0vncserver.man | 21 ++++ - 9 files changed, 344 insertions(+), 14 deletions(-) - create mode 100644 unix/x0vncserver/XSelection.cxx - create mode 100644 unix/x0vncserver/XSelection.h - -diff --git a/unix/tx/TXWindow.cxx b/unix/tx/TXWindow.cxx -index ee097e4..b10ed84 100644 ---- a/unix/tx/TXWindow.cxx -+++ b/unix/tx/TXWindow.cxx -@@ -36,7 +36,7 @@ std::list windows; - - Atom wmProtocols, wmDeleteWindow, wmTakeFocus; - Atom xaTIMESTAMP, xaTARGETS, xaSELECTION_TIME, xaSELECTION_STRING; --Atom xaCLIPBOARD; -+Atom xaCLIPBOARD, xaUTF8_STRING, xaINCR; - unsigned long TXWindow::black, TXWindow::white; - unsigned long TXWindow::defaultFg, TXWindow::defaultBg; - unsigned long TXWindow::lightBg, TXWindow::darkBg; -@@ -65,6 +65,8 @@ void TXWindow::init(Display* dpy, const char* defaultWindowClass_) - xaSELECTION_TIME = XInternAtom(dpy, "SELECTION_TIME", False); - xaSELECTION_STRING = XInternAtom(dpy, "SELECTION_STRING", False); - xaCLIPBOARD = XInternAtom(dpy, "CLIPBOARD", False); -+ xaUTF8_STRING = XInternAtom(dpy, "UTF8_STRING", False); -+ xaINCR = XInternAtom(dpy, "INCR", False); - XColor cols[6]; - cols[0].red = cols[0].green = cols[0].blue = 0x0000; - cols[1].red = cols[1].green = cols[1].blue = 0xbbbb; -@@ -462,17 +464,18 @@ void TXWindow::handleXEvent(XEvent* ev) - } else { - se.property = ev->xselectionrequest.property; - if (se.target == xaTARGETS) { -- Atom targets[2]; -+ Atom targets[3]; - targets[0] = xaTIMESTAMP; - targets[1] = XA_STRING; -+ targets[2] = xaUTF8_STRING; - XChangeProperty(dpy, se.requestor, se.property, XA_ATOM, 32, -- PropModeReplace, (unsigned char*)targets, 2); -+ PropModeReplace, (unsigned char*)targets, 3); - } else if (se.target == xaTIMESTAMP) { - Time t = selectionOwnTime[se.selection]; - XChangeProperty(dpy, se.requestor, se.property, XA_INTEGER, 32, - PropModeReplace, (unsigned char*)&t, 1); -- } else if (se.target == XA_STRING) { -- if (!selectionRequest(se.requestor, se.selection, se.property)) -+ } else if (se.target == XA_STRING || se.target == xaUTF8_STRING) { -+ if (!selectionRequest(se.requestor, se.selection, se.target, se.property)) - se.property = None; - } else { - se.property = None; -diff --git a/unix/tx/TXWindow.h b/unix/tx/TXWindow.h -index 223c07a..32ae9a3 100644 ---- a/unix/tx/TXWindow.h -+++ b/unix/tx/TXWindow.h -@@ -155,6 +155,7 @@ public: - // returning true if successful, false otherwise. - virtual bool selectionRequest(Window /*requestor*/, - Atom /*selection*/, -+ Atom /*target*/, - Atom /*property*/) { return false;} - - // Static methods -@@ -224,6 +225,6 @@ private: - - extern Atom wmProtocols, wmDeleteWindow, wmTakeFocus; - extern Atom xaTIMESTAMP, xaTARGETS, xaSELECTION_TIME, xaSELECTION_STRING; --extern Atom xaCLIPBOARD; -+extern Atom xaCLIPBOARD, xaUTF8_STRING, xaINCR; - - #endif -diff --git a/unix/x0vncserver/CMakeLists.txt b/unix/x0vncserver/CMakeLists.txt -index 5ce9577..9d6d213 100644 ---- a/unix/x0vncserver/CMakeLists.txt -+++ b/unix/x0vncserver/CMakeLists.txt -@@ -11,6 +11,7 @@ add_executable(x0vncserver - XPixelBuffer.cxx - XDesktop.cxx - RandrGlue.c -+ XSelection.cxx - ../vncconfig/QueryConnectDialog.cxx - ) - -diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx -index 1e52987..db5b6ae 100644 ---- a/unix/x0vncserver/XDesktop.cxx -+++ b/unix/x0vncserver/XDesktop.cxx -@@ -43,6 +43,7 @@ - #endif - #ifdef HAVE_XFIXES - #include -+#include - #endif - #ifdef HAVE_XRANDR - #include -@@ -81,7 +82,7 @@ static const char * ledNames[XDESKTOP_N_LEDS] = { - - XDesktop::XDesktop(Display* dpy_, Geometry *geometry_) - : dpy(dpy_), geometry(geometry_), pb(0), server(0), -- queryConnectDialog(0), queryConnectSock(0), -+ queryConnectDialog(0), queryConnectSock(0), selection(dpy_, this), - oldButtonMask(0), haveXtest(false), haveDamage(false), - maxButtons(0), running(false), ledMasks(), ledState(0), - codeMap(0), codeMapLen(0) -@@ -179,10 +180,15 @@ XDesktop::XDesktop(Display* dpy_, Geometry *geometry_) - if (XFixesQueryExtension(dpy, &xfixesEventBase, &xfixesErrorBase)) { - XFixesSelectCursorInput(dpy, DefaultRootWindow(dpy), - XFixesDisplayCursorNotifyMask); -+ -+ XFixesSelectSelectionInput(dpy, DefaultRootWindow(dpy), XA_PRIMARY, -+ XFixesSetSelectionOwnerNotifyMask); -+ XFixesSelectSelectionInput(dpy, DefaultRootWindow(dpy), xaCLIPBOARD, -+ XFixesSetSelectionOwnerNotifyMask); - } else { - #endif - vlog.info("XFIXES extension not present"); -- vlog.info("Will not be able to display cursors"); -+ vlog.info("Will not be able to display cursors or monitor clipboard"); - #ifdef HAVE_XFIXES - } - #endif -@@ -892,6 +898,20 @@ bool XDesktop::handleGlobalEvent(XEvent* ev) { - return false; - - return setCursor(); -+ } -+ else if (ev->type == xfixesEventBase + XFixesSelectionNotify) { -+ XFixesSelectionNotifyEvent* sev = (XFixesSelectionNotifyEvent*)ev; -+ -+ if (!running) -+ return true; -+ -+ if (sev->subtype != XFixesSetSelectionOwnerNotify) -+ return false; -+ -+ selection.handleSelectionOwnerChange(sev->owner, sev->selection, -+ sev->timestamp); -+ -+ return true; - #endif - #ifdef HAVE_XRANDR - } else if (ev->type == Expose) { -@@ -1039,3 +1059,28 @@ bool XDesktop::setCursor() - return true; - } - #endif -+ -+// X selection availability changed, let VNC clients know -+void XDesktop::handleXSelectionAnnounce(bool available) { -+ server->announceClipboard(available); -+} -+ -+// A VNC client wants data, send request to selection owner -+void XDesktop::handleClipboardRequest() { -+ selection.requestSelectionData(); -+} -+ -+// Data is available, send it to clients -+void XDesktop::handleXSelectionData(const char* data) { -+ server->sendClipboardData(data); -+} -+ -+// When a client says it has clipboard data, request it -+void XDesktop::handleClipboardAnnounce(bool available) { -+ if(available) server->requestClipboard(); -+} -+ -+// Client has sent the data -+void XDesktop::handleClipboardData(const char* data) { -+ if (data) selection.handleClientClipboardData(data); -+} -diff --git a/unix/x0vncserver/XDesktop.h b/unix/x0vncserver/XDesktop.h -index 4777a65..bc8d2a9 100644 ---- a/unix/x0vncserver/XDesktop.h -+++ b/unix/x0vncserver/XDesktop.h -@@ -32,6 +32,8 @@ - - #include - -+#include "XSelection.h" -+ - class Geometry; - class XPixelBuffer; - -@@ -46,7 +48,8 @@ struct AddedKeySym - - class XDesktop : public rfb::SDesktop, - public TXGlobalEventHandler, -- public QueryResultCallback -+ public QueryResultCallback, -+ public XSelectionHandler - { - public: - XDesktop(Display* dpy_, Geometry *geometry); -@@ -65,6 +68,13 @@ public: - virtual void clientCutText(const char* str); - virtual unsigned int setScreenLayout(int fb_width, int fb_height, - const rfb::ScreenSet& layout); -+ void handleClipboardRequest() override; -+ void handleClipboardAnnounce(bool available) override; -+ void handleClipboardData(const char* data) override; -+ -+ // -=- XSelectionHandler interface -+ void handleXSelectionAnnounce(bool available) override; -+ void handleXSelectionData(const char* data) override; - - // -=- TXGlobalEventHandler interface - virtual bool handleGlobalEvent(XEvent* ev); -@@ -80,6 +90,7 @@ protected: - rfb::VNCServer* server; - QueryConnectDialog* queryConnectDialog; - network::Socket* queryConnectSock; -+ XSelection selection; - int oldButtonMask; - bool haveXtest; - bool haveDamage; -diff --git a/unix/x0vncserver/XSelection.cxx b/unix/x0vncserver/XSelection.cxx -new file mode 100644 -index 0000000..72dd537 ---- /dev/null -+++ b/unix/x0vncserver/XSelection.cxx -@@ -0,0 +1,195 @@ -+/* Copyright (C) 2024 Gaurav Ujjwal. All Rights Reserved. -+ * -+ * This is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * This software is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this software; if not, write to the Free Software -+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -+ * USA. -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+ -+rfb::BoolParameter setPrimary("SetPrimary", -+ "Set the PRIMARY as well as the CLIPBOARD selection", -+ true); -+rfb::BoolParameter sendPrimary("SendPrimary", -+ "Send the PRIMARY as well as the CLIPBOARD selection", -+ true); -+ -+static rfb::LogWriter vlog("XSelection"); -+ -+XSelection::XSelection(Display* dpy_, XSelectionHandler* handler_) -+ : TXWindow(dpy_, 1, 1, nullptr), handler(handler_), announcedSelection(None) -+{ -+ probeProperty = XInternAtom(dpy, "TigerVNC_ProbeProperty", False); -+ transferProperty = XInternAtom(dpy, "TigerVNC_TransferProperty", False); -+ timestampProperty = XInternAtom(dpy, "TigerVNC_TimestampProperty", False); -+ setName("TigerVNC Clipboard (x0vncserver)"); -+ addEventMask(PropertyChangeMask); // Required for PropertyNotify events -+} -+ -+static Bool PropertyEventMatcher(Display* /* dpy */, XEvent* ev, XPointer prop) -+{ -+ if (ev->type == PropertyNotify && ev->xproperty.atom == *((Atom*)prop)) -+ return True; -+ else -+ return False; -+} -+ -+Time XSelection::getXServerTime() -+{ -+ XEvent ev; -+ uint8_t data = 0; -+ -+ // Trigger a PropertyNotify event to extract server time -+ XChangeProperty(dpy, win(), timestampProperty, XA_STRING, 8, PropModeReplace, -+ &data, sizeof(data)); -+ XIfEvent(dpy, &ev, &PropertyEventMatcher, (XPointer)×tampProperty); -+ return ev.xproperty.time; -+} -+ -+// Takes ownership of selections, backed by given data. -+void XSelection::handleClientClipboardData(const char* data) -+{ -+ vlog.debug("Received client clipboard data, taking selection ownership"); -+ -+ Time time = getXServerTime(); -+ ownSelection(xaCLIPBOARD, time); -+ if (!selectionOwner(xaCLIPBOARD)) -+ vlog.error("Unable to own CLIPBOARD selection"); -+ -+ if (setPrimary) { -+ ownSelection(XA_PRIMARY, time); -+ if (!selectionOwner(XA_PRIMARY)) -+ vlog.error("Unable to own PRIMARY selection"); -+ } -+ -+ if (selectionOwner(xaCLIPBOARD) || selectionOwner(XA_PRIMARY)) -+ clientData = data; -+} -+ -+// We own the selection and another X app has asked for data -+bool XSelection::selectionRequest(Window requestor, Atom selection, Atom target, -+ Atom property) -+{ -+ if (clientData.empty() || requestor == win() || !selectionOwner(selection)) -+ return false; -+ -+ if (target == XA_STRING) { -+ std::string latin1 = rfb::utf8ToLatin1(clientData.data(), clientData.length()); -+ XChangeProperty(dpy, requestor, property, XA_STRING, 8, PropModeReplace, -+ (unsigned char*)latin1.data(), latin1.length()); -+ return true; -+ } -+ -+ if (target == xaUTF8_STRING) { -+ XChangeProperty(dpy, requestor, property, xaUTF8_STRING, 8, PropModeReplace, -+ (unsigned char*)clientData.data(), clientData.length()); -+ return true; -+ } -+ -+ return false; -+} -+ -+// Selection-owner change implies a change in selection data. -+void XSelection::handleSelectionOwnerChange(Window owner, Atom selection, Time time) -+{ -+ if (selection != XA_PRIMARY && selection != xaCLIPBOARD) -+ return; -+ if (selection == XA_PRIMARY && !sendPrimary) -+ return; -+ -+ if (selection == announcedSelection) -+ announceSelection(None); -+ -+ if (owner == None || owner == win()) -+ return; -+ -+ if (!selectionOwner(XA_PRIMARY) && !selectionOwner(xaCLIPBOARD)) -+ clientData = ""; -+ -+ XConvertSelection(dpy, selection, xaTARGETS, probeProperty, win(), time); -+} -+ -+void XSelection::announceSelection(Atom selection) -+{ -+ announcedSelection = selection; -+ handler->handleXSelectionAnnounce(selection != None); -+} -+ -+void XSelection::requestSelectionData() -+{ -+ if (announcedSelection != None) -+ XConvertSelection(dpy, announcedSelection, xaTARGETS, transferProperty, win(), -+ CurrentTime); -+} -+ -+// Some information about selection is received from current owner -+void XSelection::selectionNotify(XSelectionEvent* ev, Atom type, int format, -+ int nitems, void* data) -+{ -+ if (!ev || !data || type == None) -+ return; -+ -+ if (ev->target == xaTARGETS) { -+ if (format != 32 || type != XA_ATOM) -+ return; -+ -+ Atom* targets = (Atom*)data; -+ bool utf8Supported = false; -+ bool stringSupported = false; -+ -+ for (int i = 0; i < nitems; i++) { -+ if (targets[i] == xaUTF8_STRING) -+ utf8Supported = true; -+ else if (targets[i] == XA_STRING) -+ stringSupported = true; -+ } -+ -+ if (ev->property == probeProperty) { -+ // Only probing for now, will issue real request when client asks for data -+ if (stringSupported || utf8Supported) -+ announceSelection(ev->selection); -+ return; -+ } -+ -+ // Prefer UTF-8 if available -+ if (utf8Supported) -+ XConvertSelection(dpy, ev->selection, xaUTF8_STRING, transferProperty, win(), -+ ev->time); -+ else if (stringSupported) -+ XConvertSelection(dpy, ev->selection, XA_STRING, transferProperty, win(), -+ ev->time); -+ } else if (ev->target == xaUTF8_STRING || ev->target == XA_STRING) { -+ if (type == xaINCR) { -+ // Incremental transfer is not supported -+ vlog.debug("Selected data is too big!"); -+ return; -+ } -+ -+ if (format != 8) -+ return; -+ -+ if (type == xaUTF8_STRING) { -+ std::string result = rfb::convertLF((char*)data, nitems); -+ handler->handleXSelectionData(result.c_str()); -+ } else if (type == XA_STRING) { -+ std::string result = rfb::convertLF((char*)data, nitems); -+ result = rfb::latin1ToUTF8(result.data(), result.length()); -+ handler->handleXSelectionData(result.c_str()); -+ } -+ } -+} -\ No newline at end of file -diff --git a/unix/x0vncserver/XSelection.h b/unix/x0vncserver/XSelection.h -new file mode 100644 -index 0000000..fbe1f29 ---- /dev/null -+++ b/unix/x0vncserver/XSelection.h -@@ -0,0 +1,58 @@ -+/* Copyright (C) 2024 Gaurav Ujjwal. All Rights Reserved. -+ * -+ * This is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * This software is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this software; if not, write to the Free Software -+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, -+ * USA. -+ */ -+ -+#ifndef __XSELECTION_H__ -+#define __XSELECTION_H__ -+ -+#include -+#include -+ -+class XSelectionHandler -+{ -+public: -+ virtual void handleXSelectionAnnounce(bool available) = 0; -+ virtual void handleXSelectionData(const char* data) = 0; -+}; -+ -+class XSelection : TXWindow -+{ -+public: -+ XSelection(Display* dpy_, XSelectionHandler* handler_); -+ -+ void handleSelectionOwnerChange(Window owner, Atom selection, Time time); -+ void requestSelectionData(); -+ void handleClientClipboardData(const char* data); -+ -+private: -+ XSelectionHandler* handler; -+ Atom probeProperty; -+ Atom transferProperty; -+ Atom timestampProperty; -+ Atom announcedSelection; -+ std::string clientData; // Always in UTF-8 -+ -+ Time getXServerTime(); -+ void announceSelection(Atom selection); -+ -+ bool selectionRequest(Window requestor, Atom selection, Atom target, -+ Atom property) override; -+ void selectionNotify(XSelectionEvent* ev, Atom type, int format, int nitems, -+ void* data) override; -+}; -+ -+#endif -diff --git a/unix/x0vncserver/x0vncserver.cxx b/unix/x0vncserver/x0vncserver.cxx -index d2999e2..b31450b 100644 ---- a/unix/x0vncserver/x0vncserver.cxx -+++ b/unix/x0vncserver/x0vncserver.cxx -@@ -281,11 +281,6 @@ int main(int argc, char** argv) - - Configuration::enableServerParams(); - -- // FIXME: We don't support clipboard yet -- Configuration::removeParam("AcceptCutText"); -- Configuration::removeParam("SendCutText"); -- Configuration::removeParam("MaxCutText"); -- - // Assume different defaults when socket activated - if (hasSystemdListeners()) - rfbport.setParam(-1); -diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man -index 347e50e..5bc8807 100644 ---- a/unix/x0vncserver/x0vncserver.man -+++ b/unix/x0vncserver/x0vncserver.man -@@ -222,6 +222,27 @@ Accept pointer movement and button events from clients. Default is on. - Accept requests to resize the size of the desktop. Default is on. - . - .TP -+.B \-AcceptCutText -+Accept clipboard updates from clients. Default is on. -+. -+.TP -+.B \-SetPrimary -+Set the PRIMARY as well as the CLIPBOARD selection. Default is on. -+. -+.TP -+.B \-MaxCutText \fIbytes\fP -+The maximum permitted size of an incoming clipboard update. -+Default is \fB262144\fP. -+. -+.TP -+.B \-SendCutText -+Send clipboard changes to clients. Default is on. -+. -+.TP -+.B \-SendPrimary -+Send the PRIMARY as well as the CLIPBOARD selection to clients. Default is on. -+. -+.TP - .B \-RemapKeys \fImapping - Sets up a keyboard mapping. - .I mapping diff --git a/SOURCES/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch b/SOURCES/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch index 4f8a3c2..371c700 100644 --- a/SOURCES/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch +++ b/SOURCES/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch @@ -1,4 +1,4 @@ -From 8ac9bf0c061666d89d345a3d7149e1ef9c771655 Mon Sep 17 00:00:00 2001 +From 69b0fd6d77ea5968bd815188ee2bda3d282ebc60 Mon Sep 17 00:00:00 2001 From: Jan Grulich Date: Mon, 29 Jul 2024 14:31:14 +0200 Subject: [PATCH] Add option allowing to connect only the user owning the @@ -10,33 +10,61 @@ This is expected to be used with 'plain' security type in combination with 'PlainUsers=*' option allowing everyone to connect to the session. --- common/rfb/VNCServerST.cxx | 7 -- - unix/xserver/hw/vnc/XserverDesktop.cc | 120 +++++++++++++++++++++++++- + unix/x0vncserver/XDesktop.cxx | 8 ++ + unix/xserver/hw/vnc/XserverDesktop.cc | 137 ++++++++++++++++++++++++++ unix/xserver/hw/vnc/XserverDesktop.h | 7 ++ - 3 files changed, 126 insertions(+), 8 deletions(-) + unix/xserver/hw/vnc/Xvnc.man | 7 ++ + 5 files changed, 159 insertions(+), 7 deletions(-) diff --git a/common/rfb/VNCServerST.cxx b/common/rfb/VNCServerST.cxx -index 3831812..736a563 100644 +index b99d33b..aa8d53e 100644 --- a/common/rfb/VNCServerST.cxx +++ b/common/rfb/VNCServerST.cxx -@@ -696,13 +696,6 @@ void VNCServerST::queryConnection(VNCSConnectionST* client, +@@ -682,13 +682,6 @@ void VNCServerST::queryConnection(VNCSConnectionST* client, return; } - // - Are we configured to do queries? - if (!rfb::Server::queryConnect && - !client->getSock()->requiresQuery()) { -- approveConnection(client->getSock(), true, NULL); +- approveConnection(client->getSock(), true, nullptr); - return; - } - // - Does the client have the right to bypass the query? if (client->accessCheck(AccessNoQuery)) { +diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx +index b43e3f7..3d00e23 100644 +--- a/unix/x0vncserver/XDesktop.cxx ++++ b/unix/x0vncserver/XDesktop.cxx +@@ -31,6 +31,7 @@ + #include + + #include ++#include + + #include + +@@ -320,6 +321,13 @@ void XDesktop::queryConnection(network::Socket* sock, + { + assert(isRunning()); + ++ // - Are we configured to do queries? ++ if (!rfb::Server::queryConnect && ++ !sock->requiresQuery()) { ++ server->approveConnection(sock, true, nullptr); ++ return; ++ } ++ + // Someone already querying? + if (queryConnectSock) { + std::list sockets; diff --git a/unix/xserver/hw/vnc/XserverDesktop.cc b/unix/xserver/hw/vnc/XserverDesktop.cc -index d4ee16b..fe86d36 100644 +index 260ed3a..c8741f6 100644 --- a/unix/xserver/hw/vnc/XserverDesktop.cc +++ b/unix/xserver/hw/vnc/XserverDesktop.cc -@@ -52,6 +52,11 @@ +@@ -51,6 +51,11 @@ #include "XorgGlue.h" #include "vncInput.h" @@ -48,11 +76,10 @@ index d4ee16b..fe86d36 100644 extern "C" { void vncSetGlueContext(int screenIndex); void vncPresentMscEvent(uint64_t id, uint64_t msc); -@@ -71,7 +76,15 @@ IntParameter queryConnectTimeout("QueryConnectTimeout", - "Accept Connection dialog before " +@@ -71,6 +76,15 @@ IntParameter queryConnectTimeout("QueryConnectTimeout", "rejecting the connection", 10); -- + +#ifdef HAVE_SYSTEMD_DAEMON +BoolParameter approveLoggedUserOnly +("ApproveLoggedUserOnly", @@ -65,7 +92,7 @@ index d4ee16b..fe86d36 100644 XserverDesktop::XserverDesktop(int screenIndex_, std::list listeners_, -@@ -168,11 +181,134 @@ void XserverDesktop::init(rfb::VNCServer* vs) +@@ -164,11 +178,134 @@ void XserverDesktop::init(rfb::VNCServer* vs) // ready state } @@ -201,11 +228,11 @@ index d4ee16b..fe86d36 100644 server->approveConnection(sock, false, "Another connection is currently being queried."); return; diff --git a/unix/xserver/hw/vnc/XserverDesktop.h b/unix/xserver/hw/vnc/XserverDesktop.h -index e604295..aed188e 100644 +index 8c543db..8d6bde4 100644 --- a/unix/xserver/hw/vnc/XserverDesktop.h +++ b/unix/xserver/hw/vnc/XserverDesktop.h @@ -108,6 +108,13 @@ public: - virtual void grabRegion(const rfb::Region& r); + void grabRegion(const rfb::Region& r) override; protected: +#ifdef HAVE_SYSTEMD_DAEMON @@ -219,11 +246,11 @@ index e604295..aed188e 100644 std::list* sockets, rfb::VNCServer* sockserv); diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man -index b9c429f..e4822f6 100644 +index d6b1664..24384df 100644 --- a/unix/xserver/hw/vnc/Xvnc.man +++ b/unix/xserver/hw/vnc/Xvnc.man -@@ -204,6 +204,13 @@ to allow any user to authenticate using this security type. Specify \fB%u\fP - to allow the user of the server process. Default is to deny all users. +@@ -200,6 +200,13 @@ Never treat incoming connections as shared, regardless of the client-specified + setting. Default is off. . .TP +.B \-ApproveLoggedUserOnly diff --git a/SOURCES/tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch b/SOURCES/tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch new file mode 100644 index 0000000..46f9bca --- /dev/null +++ b/SOURCES/tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch @@ -0,0 +1,27 @@ +From 313200978926cc7b7521c0d645918391b7609681 Mon Sep 17 00:00:00 2001 +From: Jan Grulich +Date: Thu, 27 Feb 2025 13:49:02 +0100 +Subject: [PATCH] Add SELinux policy rules allowing to access + /proc/sys/fs/nr_open + +This is needed when the nofile limit is set to unlimited, otherwise we +will fail to start a VNC session. +--- + unix/vncserver/selinux/vncsession.te | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te +index d92f1bd..2ce4fc8 100644 +--- a/unix/vncserver/selinux/vncsession.te ++++ b/unix/vncserver/selinux/vncsession.te +@@ -37,6 +37,10 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms; + allow vnc_session_t vnc_session_var_run_t:file manage_file_perms; + files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file) + ++# Allow access to /proc/sys/fs/nr_open ++# Needed when the nofile limit is set to unlimited. ++kernel_read_fs_sysctls(vnc_session_t) ++ + # Allowed to create ~/.local + optional_policy(` + gnome_filetrans_home_content(vnc_session_t) diff --git a/SOURCES/tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch b/SOURCES/tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch new file mode 100644 index 0000000..a3b4c18 --- /dev/null +++ b/SOURCES/tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch @@ -0,0 +1,47 @@ +From e652f06940f84fd8e19d7b674ae8c6000530fb40 Mon Sep 17 00:00:00 2001 +From: Jan Grulich +Date: Fri, 7 Feb 2025 15:32:49 +0100 +Subject: [PATCH] Add SELinux policy rules allowing to create directories under + /root + +We have policy that allows to create ~/.local or ~/.config, but we don't +have rule that allows the same under /root directory, where we fail in +case any of these directories doesn't exist. +--- + unix/vncserver/selinux/vncsession.te | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te +index d92f1bda7d..2f49717077 100644 +--- a/unix/vncserver/selinux/vncsession.te ++++ b/unix/vncserver/selinux/vncsession.te +@@ -48,6 +48,14 @@ optional_policy(` + create_dirs_pattern(vnc_session_t, gconf_home_t, gconf_home_t) + ') + ++# Allowed to create /root/.local ++optional_policy(` ++ gen_require(` ++ type admin_home_t; ++ ') ++ create_dirs_pattern(vnc_session_t, admin_home_t, admin_home_t) ++') ++ + # Manage TigerVNC files (mainly ~/.local/state/*.log) + create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t) + manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t) +@@ -88,6 +96,7 @@ optional_policy(` + gen_require(` + attribute userdomain; + type gconf_home_t; ++ type admin_home_t; + ') + userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc") + userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc") +@@ -95,5 +104,6 @@ optional_policy(` + gnome_config_filetrans(userdomain, vnc_home_t, dir, "tigervnc") + gnome_data_filetrans(userdomain, vnc_home_t, dir, "tigervnc") + filetrans_pattern(userdomain, gconf_home_t, vnc_home_t, dir, "tigervnc") ++ filetrans_pattern(vnc_session_t, admin_home_t, vnc_home_t, dir, "tigervnc") + filetrans_pattern(vnc_session_t, gconf_home_t, vnc_home_t, dir, "tigervnc") + ') diff --git a/SOURCES/tigervnc-allow-use-of-passwords-longer-than-eight-characters.patch b/SOURCES/tigervnc-allow-use-of-passwords-longer-than-eight-characters.patch new file mode 100644 index 0000000..108a3c0 --- /dev/null +++ b/SOURCES/tigervnc-allow-use-of-passwords-longer-than-eight-characters.patch @@ -0,0 +1,14 @@ +diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx +index 466aa1a2..197d60dc 100644 +--- a/unix/vncpasswd/vncpasswd.cxx ++++ b/unix/vncpasswd/vncpasswd.cxx +@@ -147,8 +147,7 @@ static std::vector readpassword() { + } + + if (first.size() > 8) { +- fprintf(stderr,"Password should not be greater than 8 characters\nBecause only 8 valid characters are used - try again\n"); +- continue; ++ fprintf(stderr,"Password should not be greater than 8 characters\nBecause only 8 valid characters are used\n"); + } + + #ifdef HAVE_PWQUALITY diff --git a/SOURCES/tigervnc-avoid-invalid-xfree-for-xclasshint.patch b/SOURCES/tigervnc-avoid-invalid-xfree-for-xclasshint.patch deleted file mode 100644 index bf43d09..0000000 --- a/SOURCES/tigervnc-avoid-invalid-xfree-for-xclasshint.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 6c8387018b130eb4ef69ea377e9154ba04f0fd50 Mon Sep 17 00:00:00 2001 -From: Pierre Ossman -Date: Tue, 22 Oct 2024 09:58:27 +0200 -Subject: [PATCH] Avoid invalid XFree for XClassHint - -It seems XGetClassHint() doesn't set the pointers to NULL if there is no -name, so we need to make sure it is cleared beforehand. Otherwise we can -get an invalid pointer given to XFree(). ---- - unix/tx/TXWindow.cxx | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/unix/tx/TXWindow.cxx b/unix/tx/TXWindow.cxx -index b6a29d679..639c13827 100644 ---- a/unix/tx/TXWindow.cxx -+++ b/unix/tx/TXWindow.cxx -@@ -313,6 +313,7 @@ void TXWindow::toplevel(const char* name, TXDeleteWindowCallback* dwc_, - void TXWindow::setName(const char* name) - { - XClassHint classHint; -+ memset(&classHint, 0, sizeof(classHint)); - XGetClassHint(dpy, win(), &classHint); - XFree(classHint.res_name); - classHint.res_name = (char*)name; diff --git a/SOURCES/tigervnc-do-proper-toplevel-window-setup-for-selection-window.patch b/SOURCES/tigervnc-do-proper-toplevel-window-setup-for-selection-window.patch deleted file mode 100644 index edc285e..0000000 --- a/SOURCES/tigervnc-do-proper-toplevel-window-setup-for-selection-window.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 9e15952d02e01b8e19e7459bcabcd47dc63a1726 Mon Sep 17 00:00:00 2001 -From: Pierre Ossman -Date: Tue, 22 Oct 2024 09:59:30 +0200 -Subject: [PATCH] Do proper top level window setup for selection window - ---- - unix/x0vncserver/XSelection.cxx | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/unix/x0vncserver/XSelection.cxx b/unix/x0vncserver/XSelection.cxx -index 72dd537f4..c724d2ac4 100644 ---- a/unix/x0vncserver/XSelection.cxx -+++ b/unix/x0vncserver/XSelection.cxx -@@ -37,7 +37,7 @@ XSelection::XSelection(Display* dpy_, XSelectionHandler* handler_) - probeProperty = XInternAtom(dpy, "TigerVNC_ProbeProperty", False); - transferProperty = XInternAtom(dpy, "TigerVNC_TransferProperty", False); - timestampProperty = XInternAtom(dpy, "TigerVNC_TimestampProperty", False); -- setName("TigerVNC Clipboard (x0vncserver)"); -+ toplevel("TigerVNC Clipboard (x0vncserver)"); - addEventMask(PropertyChangeMask); // Required for PropertyNotify events - } - diff --git a/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch b/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch deleted file mode 100644 index 3bf7dda..0000000 --- a/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c -index b3d0926d..d36a096f 100644 ---- a/unix/xserver/hw/vnc/vncInput.c -+++ b/unix/xserver/hw/vnc/vncInput.c -@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y) - - void vncGetPointerPos(int *x, int *y) - { -- if (vncPointerDev != NULL) { -+ if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) { - ScreenPtr ptrScreen; - - miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY); diff --git a/SOURCES/tigervnc-dont-print-xvnc-banner-before-parsing-args.patch b/SOURCES/tigervnc-dont-print-xvnc-banner-before-parsing-args.patch new file mode 100644 index 0000000..5d7ec9f --- /dev/null +++ b/SOURCES/tigervnc-dont-print-xvnc-banner-before-parsing-args.patch @@ -0,0 +1,47 @@ +From 1f1aaca09a1f9919f5169caea9c396b14c2af765 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Tue, 8 Apr 2025 14:41:04 +0200 +Subject: [PATCH] Don't print Xvnc banner before parsing args + +If we'll be running in inetd mode, then stdout and stderr will be a +client socket and not an appropriate place for logging. + +Mimic what Xorg does instead. +--- + unix/xserver/hw/vnc/xvnc.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c +index ddb249937..a13168c47 100644 +--- a/unix/xserver/hw/vnc/xvnc.c ++++ b/unix/xserver/hw/vnc/xvnc.c +@@ -446,7 +446,7 @@ ddxProcessArgument(int argc, char *argv[], int i) + } + + if (!strcmp(argv[i], "-showconfig") || !strcmp(argv[i], "-version")) { +- /* Already shown at start */ ++ vncPrintBanner(); + exit(0); + } + +@@ -1171,8 +1171,11 @@ InitOutput(ScreenInfo * scrInfo, int argc, char **argv) + int i; + int NumFormats = 0; + +- if (serverGeneration == 1) ++ if (serverGeneration == 1) { ++ vncPrintBanner(); ++ + LoadExtensionList(vncExtensions, ARRAY_SIZE(vncExtensions), TRUE); ++ } + + #if XORG_AT_LEAST(1, 20, 0) + xorgGlxCreateVendor(); +@@ -1266,7 +1269,5 @@ vncClientGone(int fd) + int + main(int argc, char *argv[], char *envp[]) + { +- vncPrintBanner(); +- + return dix_main(argc, argv, envp); + } diff --git a/SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch b/SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch deleted file mode 100644 index 9a1ae26..0000000 --- a/SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch +++ /dev/null @@ -1,94 +0,0 @@ -From e26bc65b92d1e43570619deadf20b965e0952fef Mon Sep 17 00:00:00 2001 -From: Pat Riehecky -Date: Wed, 31 Jul 2024 14:43:46 -0500 -Subject: [PATCH] vncsession: Move existing log to log.old if present - ---- - unix/vncserver/vncsession.c | 47 ++++++++++++++++++++++++++++--------- - 1 file changed, 36 insertions(+), 11 deletions(-) - -diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c -index 98a0432aa..a10e0789e 100644 ---- a/unix/vncserver/vncsession.c -+++ b/unix/vncserver/vncsession.c -@@ -393,8 +393,9 @@ redir_stdio(const char *homedir, const char *display, char **envp) - int fd; - long hostlen; - char* hostname = NULL, *xdgstate; -- char logfile[PATH_MAX], legacy[PATH_MAX]; -+ char logdir[PATH_MAX], logfile[PATH_MAX], logfile_old[PATH_MAX], legacy[PATH_MAX]; - struct stat st; -+ size_t fmt_len; - - fd = open("/dev/null", O_RDONLY); - if (fd == -1) { -@@ -408,15 +409,24 @@ redir_stdio(const char *homedir, const char *display, char **envp) - close(fd); - - xdgstate = getenvp("XDG_STATE_HOME", envp); -- if (xdgstate != NULL && xdgstate[0] == '/') -- snprintf(logfile, sizeof(logfile), "%s/tigervnc", xdgstate); -- else -- snprintf(logfile, sizeof(logfile), "%s/.local/state/tigervnc", homedir); -+ if (xdgstate != NULL && xdgstate[0] == '/') { -+ fmt_len = snprintf(logdir, sizeof(logdir), "%s/tigervnc", xdgstate); -+ if (fmt_len >= sizeof(logdir)) { -+ syslog(LOG_CRIT, "Log dir path too long"); -+ _exit(EX_OSERR); -+ } -+ } else { -+ fmt_len = snprintf(logdir, sizeof(logdir), "%s/.local/state/tigervnc", homedir); -+ if (fmt_len >= sizeof(logdir)) { -+ syslog(LOG_CRIT, "Log dir path too long"); -+ _exit(EX_OSERR); -+ } -+ } - - snprintf(legacy, sizeof(legacy), "%s/.vnc", homedir); -- if (stat(logfile, &st) != 0 && stat(legacy, &st) == 0) { -+ if (stat(logdir, &st) != 0 && stat(legacy, &st) == 0) { - syslog(LOG_WARNING, "~/.vnc is deprecated, please consult 'man vncsession' for paths to migrate to."); -- strcpy(logfile, legacy); -+ strcpy(logdir, legacy); - - #ifdef HAVE_SELINUX - /* this is only needed to handle historical type changes for the legacy dir */ -@@ -431,9 +441,9 @@ redir_stdio(const char *homedir, const char *display, char **envp) - #endif - } - -- if (mkdir_p(logfile, 0755) == -1) { -+ if (mkdir_p(logdir, 0755) == -1) { - if (errno != EEXIST) { -- syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno)); -+ syslog(LOG_CRIT, "Failure creating \"%s\": %s", logdir, strerror(errno)); - _exit(EX_OSERR); - } - } -@@ -450,9 +460,24 @@ redir_stdio(const char *homedir, const char *display, char **envp) - _exit(EX_OSERR); - } - -- snprintf(logfile + strlen(logfile), sizeof(logfile) - strlen(logfile), "/%s%s.log", -- hostname, display); -+ fmt_len = snprintf(logfile, sizeof(logfile), "/%s/%s%s.log", logdir, hostname, display); -+ if (fmt_len >= sizeof(logfile)) { -+ syslog(LOG_CRIT, "Log path too long"); -+ _exit(EX_OSERR); -+ } -+ fmt_len = snprintf(logfile_old, sizeof(logfile_old), "/%s/%s%s.log.old", logdir, hostname, display); -+ if (fmt_len >= sizeof(logfile)) { -+ syslog(LOG_CRIT, "Log.old path too long"); -+ _exit(EX_OSERR); -+ } - free(hostname); -+ -+ if (stat(logfile, &st) == 0) { -+ if (rename(logfile, logfile_old) != 0) { -+ syslog(LOG_CRIT, "Failure renaming log file \"%s\" to \"%s\": %s", logfile, logfile_old, strerror(errno)); -+ _exit(EX_OSERR); -+ } -+ } - fd = open(logfile, O_CREAT | O_WRONLY | O_TRUNC, 0644); - if (fd == -1) { - syslog(LOG_CRIT, "Failure creating log file \"%s\": %s", logfile, strerror(errno)); diff --git a/SOURCES/tigervnc-xserver120.patch b/SOURCES/tigervnc-xserver120.patch deleted file mode 100644 index 9bc5182..0000000 --- a/SOURCES/tigervnc-xserver120.patch +++ /dev/null @@ -1,138 +0,0 @@ -diff --git a/configure.ac b/configure.ac -index 0909cc5b4..c01873200 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -74,6 +74,7 @@ dnl forcing an entire recompile.x - AC_CONFIG_HEADERS(include/version-config.h) - - AM_PROG_AS -+AC_PROG_CXX - AC_PROG_LN_S - LT_PREREQ([2.2]) - LT_INIT([disable-static win32-dll]) -@@ -1735,6 +1736,14 @@ if test "x$XVFB" = xyes; then - AC_SUBST([XVFB_SYS_LIBS]) - fi - -+dnl Xvnc DDX -+AC_SUBST([XVNC_LIBS], ["$FB_LIB $FIXES_LIB $XEXT_LIB $CONFIG_LIB $DBE_LIB $RECORD_LIB $GLX_LIBS $RANDR_LIB $RENDER_LIB $DAMAGE_LIB $DRI3_LIB $PRESENT_LIB $MIEXT_SYNC_LIB $MIEXT_DAMAGE_LIB $MIEXT_SHADOW_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $COMPOSITE_LIB $MAIN_LIB"]) -+AC_SUBST([XVNC_SYS_LIBS], ["$GLX_SYS_LIBS"]) -+ -+PKG_CHECK_MODULES(GBM, "$LIBGBM", [GBM=yes], [GBM=no]) -+if test "x$GBM" = xyes; then -+ AC_DEFINE(HAVE_GBM, 1, [Have GBM support]) -+fi - - dnl Xnest DDX - -@@ -2058,7 +2067,6 @@ if test "x$GLAMOR" = xyes; then - [AC_DEFINE(GLAMOR_HAS_EGL_QUERY_DRIVER, 1, [Have GLAMOR_HAS_EGL_QUERY_DRIVER])], - []) - -- PKG_CHECK_MODULES(GBM, "$LIBGBM", [GBM=yes], [GBM=no]) - if test "x$GBM" = xyes; then - AC_DEFINE(GLAMOR_HAS_GBM, 1, - [Build glamor with GBM-based EGL support]) -@@ -2523,6 +2531,7 @@ hw/dmx/Makefile - hw/dmx/man/Makefile - hw/vfb/Makefile - hw/vfb/man/Makefile -+hw/vnc/Makefile - hw/xnest/Makefile - hw/xnest/man/Makefile - hw/xwin/Makefile -diff --git a/dri3/Makefile.am b/dri3/Makefile.am -index e47a734e0..99c3718a5 100644 ---- a/dri3/Makefile.am -+++ b/dri3/Makefile.am -@@ -1,7 +1,7 @@ - noinst_LTLIBRARIES = libdri3.la - AM_CFLAGS = \ -- -DHAVE_XORG_CONFIG_H \ -- @DIX_CFLAGS@ @XORG_CFLAGS@ -+ @DIX_CFLAGS@ \ -+ @LIBDRM_CFLAGS@ - - libdri3_la_SOURCES = \ - dri3.h \ -diff --git a/dri3/dri3.c b/dri3/dri3.c -index ba32facd7..191252969 100644 ---- a/dri3/dri3.c -+++ b/dri3/dri3.c -@@ -20,10 +20,6 @@ - * OF THIS SOFTWARE. - */ - --#ifdef HAVE_XORG_CONFIG_H --#include --#endif -- - #include "dri3_priv.h" - - #include -diff --git a/dri3/dri3_priv.h b/dri3/dri3_priv.h -index b087a9529..f319d1770 100644 ---- a/dri3/dri3_priv.h -+++ b/dri3/dri3_priv.h -@@ -23,6 +23,7 @@ - #ifndef _DRI3PRIV_H_ - #define _DRI3PRIV_H_ - -+#include "dix-config.h" - #include - #include "scrnintstr.h" - #include "misc.h" -diff --git a/dri3/dri3_request.c b/dri3/dri3_request.c -index 958877efa..687168930 100644 ---- a/dri3/dri3_request.c -+++ b/dri3/dri3_request.c -@@ -20,10 +20,6 @@ - * OF THIS SOFTWARE. - */ - --#ifdef HAVE_XORG_CONFIG_H --#include --#endif -- - #include "dri3_priv.h" - #include - #include -diff --git a/dri3/dri3_screen.c b/dri3/dri3_screen.c -index b98259753..3c7e5bf60 100644 ---- a/dri3/dri3_screen.c -+++ b/dri3/dri3_screen.c -@@ -20,10 +20,6 @@ - * OF THIS SOFTWARE. - */ - --#ifdef HAVE_XORG_CONFIG_H --#include --#endif -- - #include "dri3_priv.h" - #include - #include -diff --git a/hw/Makefile.am b/hw/Makefile.am -index 19895dc77..3ecfa8b7a 100644 ---- a/hw/Makefile.am -+++ b/hw/Makefile.am -@@ -44,3 +44,5 @@ DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland - - relink: - $(AM_V_at)for i in $(SUBDIRS) ; do $(MAKE) -C $$i relink || exit 1 ; done -+ -+SUBDIRS += vnc -diff --git a/include/dix-config.h.in b/include/dix-config.h.in -index f8fc67067..d53c4e72f 100644 ---- a/include/dix-config.h.in -+++ b/include/dix-config.h.in -@@ -83,6 +83,9 @@ - /* Define to 1 if you have the header file. */ - #undef HAVE_FCNTL_H - -+/* Have GBM support */ -+#undef HAVE_GBM -+ - /* Define to 1 if you have the `getdtablesize' function. */ - #undef HAVE_GETDTABLESIZE - diff --git a/SOURCES/xorg-CVE-2025-26594-2.patch b/SOURCES/xorg-CVE-2025-26594-2.patch deleted file mode 100644 index 4c1be3c..0000000 --- a/SOURCES/xorg-CVE-2025-26594-2.patch +++ /dev/null @@ -1,46 +0,0 @@ -From ded614e74e7175927dd2bc5ef69accaf2de29939 Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Wed, 4 Dec 2024 15:49:43 +1000 -Subject: [PATCH xserver 2/2] dix: keep a ref to the rootCursor - -CreateCursor returns a cursor with refcount 1 - that refcount is used by -the resource system, any caller needs to call RefCursor to get their own -reference. That happens correctly for normal cursors but for our -rootCursor we keep a variable to the cursor despite not having a ref for -ourselves. - -Fix this by reffing/unreffing the rootCursor to ensure our pointer is -valid. - -Related to CVE-2025-26594, ZDI-CAN-25544 - -Reviewed-by: Olivier Fourdan ---- - dix/main.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/dix/main.c b/dix/main.c -index aa7b020b2..0c57ba605 100644 ---- a/dix/main.c -+++ b/dix/main.c -@@ -235,6 +235,8 @@ dix_main(int argc, char *argv[], char *envp[]) - defaultCursorFont); - } - -+ rootCursor = RefCursor(rootCursor); -+ - #ifdef PANORAMIX - /* - * Consolidate window and colourmap information for each screen -@@ -275,6 +277,8 @@ dix_main(int argc, char *argv[], char *envp[]) - - Dispatch(); - -+ UnrefCursor(rootCursor); -+ - UndisplayDevices(); - DisableAllDevices(); - --- -2.48.1 - diff --git a/SOURCES/xorg-CVE-2025-26594.patch b/SOURCES/xorg-CVE-2025-26594.patch deleted file mode 100644 index 46bbc62..0000000 --- a/SOURCES/xorg-CVE-2025-26594.patch +++ /dev/null @@ -1,52 +0,0 @@ -From efca605c45ff51b57f136222b966ce1d610ebc33 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Wed, 27 Nov 2024 11:27:05 +0100 -Subject: [PATCH xserver 1/2] Cursor: Refuse to free the root cursor -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If a cursor reference count drops to 0, the cursor is freed. - -The root cursor however is referenced with a specific global variable, -and when the root cursor is freed, the global variable may still point -to freed memory. - -Make sure to prevent the rootCursor from being explicitly freed by a -client. - -CVE-2025-26594, ZDI-CAN-25544 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer -) -v3: Return BadCursor instead of BadValue (Michel Dänzer -) - -Signed-off-by: Olivier Fourdan -Suggested-by: Peter Hutterer -Reviewed-by: Peter Hutterer ---- - dix/dispatch.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/dix/dispatch.c b/dix/dispatch.c -index 5f7cfe02d..d1241fa96 100644 ---- a/dix/dispatch.c -+++ b/dix/dispatch.c -@@ -3039,6 +3039,10 @@ ProcFreeCursor(ClientPtr client) - rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR, - client, DixDestroyAccess); - if (rc == Success) { -+ if (pCursor == rootCursor) { -+ client->errorValue = stuff->id; -+ return BadCursor; -+ } - FreeResource(stuff->id, RT_NONE); - return Success; - } --- -2.48.1 - diff --git a/SOURCES/xorg-CVE-2025-26595.patch b/SOURCES/xorg-CVE-2025-26595.patch deleted file mode 100644 index 31ef84f..0000000 --- a/SOURCES/xorg-CVE-2025-26595.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 98602942c143075ab7464f917e0fc5d31ce28c3f Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Wed, 27 Nov 2024 14:41:45 +0100 -Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbVModMaskText() - -The code in XkbVModMaskText() allocates a fixed sized buffer on the -stack and copies the virtual mod name. - -There's actually two issues in the code that can lead to a buffer -overflow. - -First, the bound check mixes pointers and integers using misplaced -parenthesis, defeating the bound check. - -But even though, if the check fails, the data is still copied, so the -stack overflow will occur regardless. - -Change the logic to skip the copy entirely if the bound check fails. - -CVE-2025-26595, ZDI-CAN-25545 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer ---- - xkb/xkbtext.c | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c -index 018466420..93262528b 100644 ---- a/xkb/xkbtext.c -+++ b/xkb/xkbtext.c -@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb, - len = strlen(tmp) + 1 + (str == buf ? 0 : 1); - if (format == XkbCFile) - len += 4; -- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) { -- if (str != buf) { -- if (format == XkbCFile) -- *str++ = '|'; -- else -- *str++ = '+'; -- len--; -- } -+ if ((str - buf) + len > VMOD_BUFFER_SIZE) -+ continue; /* Skip */ -+ if (str != buf) { -+ if (format == XkbCFile) -+ *str++ = '|'; -+ else -+ *str++ = '+'; -+ len--; - } - if (format == XkbCFile) - sprintf(str, "%sMask", tmp); --- -2.48.1 - diff --git a/SOURCES/xorg-CVE-2025-26596.patch b/SOURCES/xorg-CVE-2025-26596.patch deleted file mode 100644 index a7e76d5..0000000 --- a/SOURCES/xorg-CVE-2025-26596.patch +++ /dev/null @@ -1,44 +0,0 @@ -From b41f6fce201e77a174550935330e2f7772d4adf9 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Thu, 28 Nov 2024 11:49:34 +0100 -Subject: [PATCH xserver] xkb: Fix computation of XkbSizeKeySyms - -The computation of the length in XkbSizeKeySyms() differs from what is -actually written in XkbWriteKeySyms(), leading to a heap overflow. - -Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms() -does. - -CVE-2025-26596, ZDI-CAN-25543 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer ---- - xkb/xkb.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/xkb/xkb.c b/xkb/xkb.c -index 85659382d..744dba63d 100644 ---- a/xkb/xkb.c -+++ b/xkb/xkb.c -@@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep) - len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc); - symMap = &xkb->map->key_sym_map[rep->firstKeySym]; - for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) { -- if (symMap->offset != 0) { -- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; -- nSyms += nSymsThisKey; -- } -+ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; -+ if (nSymsThisKey == 0) -+ continue; -+ nSyms += nSymsThisKey; - } - len += nSyms * 4; - rep->totalSyms = nSyms; --- -2.48.1 - diff --git a/SOURCES/xorg-CVE-2025-26597.patch b/SOURCES/xorg-CVE-2025-26597.patch deleted file mode 100644 index 30f677b..0000000 --- a/SOURCES/xorg-CVE-2025-26597.patch +++ /dev/null @@ -1,41 +0,0 @@ -From c5114475db18f29d639537d60e135bdfc11a5d3a Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Thu, 28 Nov 2024 14:09:04 +0100 -Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbChangeTypesOfKey() - -If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the -key syms to 0 but leave the key actions unchanged. - -If later, the same function is called with a non-zero value for nGroups, -this will cause a buffer overflow because the key actions are of the wrong -size. - -To avoid the issue, make sure to resize both the key syms and key actions -when nGroups is 0. - -CVE-2025-26597, ZDI-CAN-25683 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer ---- - xkb/XKBMisc.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c -index abbfed90e..fd180fad2 100644 ---- a/xkb/XKBMisc.c -+++ b/xkb/XKBMisc.c -@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb, - i = XkbSetNumGroups(i, 0); - xkb->map->key_sym_map[key].group_info = i; - XkbResizeKeySyms(xkb, key, 0); -+ XkbResizeKeyActions(xkb, key, 0); - return Success; - } - --- -2.48.1 - diff --git a/SOURCES/xorg-CVE-2025-26598.patch b/SOURCES/xorg-CVE-2025-26598.patch deleted file mode 100644 index 2a0d88c..0000000 --- a/SOURCES/xorg-CVE-2025-26598.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 0f5ea9d269ac6225bcb302a1ec0f58878114da9f Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 16 Dec 2024 11:25:11 +0100 -Subject: [PATCH xserver] Xi: Fix barrier device search - -The function GetBarrierDevice() would search for the pointer device -based on its device id and return the matching value, or supposedly NULL -if no match was found. - -Unfortunately, as written, it would return the last element of the list -if no matching device id was found which can lead to out of bounds -memory access. - -Fix the search function to return NULL if not matching device is found, -and adjust the callers to handle the case where the device cannot be -found. - -CVE-2025-26598, ZDI-CAN-25740 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer ---- - Xi/xibarriers.c | 27 +++++++++++++++++++++++---- - 1 file changed, 23 insertions(+), 4 deletions(-) - -diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c -index 80c4b5981..28bc0a24f 100644 ---- a/Xi/xibarriers.c -+++ b/Xi/xibarriers.c -@@ -131,14 +131,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c) - - static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid) - { -- struct PointerBarrierDevice *pbd = NULL; -+ struct PointerBarrierDevice *p, *pbd = NULL; - -- xorg_list_for_each_entry(pbd, &c->per_device, entry) { -- if (pbd->deviceid == deviceid) -+ xorg_list_for_each_entry(p, &c->per_device, entry) { -+ if (p->deviceid == deviceid) { -+ pbd = p; - break; -+ } - } - -- BUG_WARN(!pbd); - return pbd; - } - -@@ -339,6 +340,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev, - double distance; - - pbd = GetBarrierDevice(c, dev->id); -+ if (!pbd) -+ continue; -+ - if (pbd->seen) - continue; - -@@ -447,6 +451,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, - nearest = &c->barrier; - - pbd = GetBarrierDevice(c, master->id); -+ if (!pbd) -+ continue; -+ - new_sequence = !pbd->hit; - - pbd->seen = TRUE; -@@ -487,6 +494,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, - int flags = 0; - - pbd = GetBarrierDevice(c, master->id); -+ if (!pbd) -+ continue; -+ - pbd->seen = FALSE; - if (!pbd->hit) - continue; -@@ -681,6 +691,9 @@ BarrierFreeBarrier(void *data, XID id) - continue; - - pbd = GetBarrierDevice(c, dev->id); -+ if (!pbd) -+ continue; -+ - if (!pbd->hit) - continue; - -@@ -740,6 +753,8 @@ static void remove_master_func(void *res, XID id, void *devid) - barrier = container_of(b, struct PointerBarrierClient, barrier); - - pbd = GetBarrierDevice(barrier, *deviceid); -+ if (!pbd) -+ return; - - if (pbd->hit) { - BarrierEvent ev = { -@@ -904,6 +919,10 @@ ProcXIBarrierReleasePointer(ClientPtr client) - barrier = container_of(b, struct PointerBarrierClient, barrier); - - pbd = GetBarrierDevice(barrier, dev->id); -+ if (!pbd) { -+ client->errorValue = dev->id; -+ return BadDevice; -+ } - - if (pbd->barrier_event_id == event_id) - pbd->release_event_id = event_id; --- -2.48.1 - diff --git a/SOURCES/xorg-CVE-2025-26599-2.patch b/SOURCES/xorg-CVE-2025-26599-2.patch deleted file mode 100644 index 8c87667..0000000 --- a/SOURCES/xorg-CVE-2025-26599-2.patch +++ /dev/null @@ -1,124 +0,0 @@ -From f5ce639ff9d3af05e79efce6c51e084352d28ed1 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 13 Jan 2025 16:09:43 +0100 -Subject: [PATCH xserver 2/2] composite: initialize border clip even when - pixmap alloc fails - -If it fails to allocate the pixmap, the function compAllocPixmap() would -return early and leave the borderClip region uninitialized, which may -lead to the use of uninitialized value as reported by valgrind: - - Conditional jump or move depends on uninitialised value(s) - at 0x4F9B33: compClipNotify (compwindow.c:317) - by 0x484FC9: miComputeClips (mivaltree.c:476) - by 0x48559A: miValidateTree (mivaltree.c:679) - by 0x4F0685: MapWindow (window.c:2693) - by 0x4A344A: ProcMapWindow (dispatch.c:922) - by 0x4A25B5: Dispatch (dispatch.c:560) - by 0x4B082A: dix_main (main.c:282) - by 0x429233: main (stubmain.c:34) - Uninitialised value was created by a heap allocation - at 0x4841866: malloc (vg_replace_malloc.c:446) - by 0x4F47BC: compRedirectWindow (compalloc.c:171) - by 0x4FA8AD: compCreateWindow (compwindow.c:592) - by 0x4EBB89: CreateWindow (window.c:925) - by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) - by 0x4A25B5: Dispatch (dispatch.c:560) - by 0x4B082A: dix_main (main.c:282) - by 0x429233: main (stubmain.c:34) - - Conditional jump or move depends on uninitialised value(s) - at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233) - by 0x4F9255: RegionTranslate (regionstr.h:312) - by 0x4F9B7E: compClipNotify (compwindow.c:319) - by 0x484FC9: miComputeClips (mivaltree.c:476) - by 0x48559A: miValidateTree (mivaltree.c:679) - by 0x4F0685: MapWindow (window.c:2693) - by 0x4A344A: ProcMapWindow (dispatch.c:922) - by 0x4A25B5: Dispatch (dispatch.c:560) - by 0x4B082A: dix_main (main.c:282) - by 0x429233: main (stubmain.c:34) - Uninitialised value was created by a heap allocation - at 0x4841866: malloc (vg_replace_malloc.c:446) - by 0x4F47BC: compRedirectWindow (compalloc.c:171) - by 0x4FA8AD: compCreateWindow (compwindow.c:592) - by 0x4EBB89: CreateWindow (window.c:925) - by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) - by 0x4A25B5: Dispatch (dispatch.c:560) - by 0x4B082A: dix_main (main.c:282) - by 0x429233: main (stubmain.c:34) - - Conditional jump or move depends on uninitialised value(s) - at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241) - by 0x48EEE33: pixman_region_translate (pixman-region.c:2225) - by 0x4F9255: RegionTranslate (regionstr.h:312) - by 0x4F9B7E: compClipNotify (compwindow.c:319) - by 0x484FC9: miComputeClips (mivaltree.c:476) - by 0x48559A: miValidateTree (mivaltree.c:679) - by 0x4F0685: MapWindow (window.c:2693) - by 0x4A344A: ProcMapWindow (dispatch.c:922) - by 0x4A25B5: Dispatch (dispatch.c:560) - by 0x4B082A: dix_main (main.c:282) - by 0x429233: main (stubmain.c:34) - Uninitialised value was created by a heap allocation - at 0x4841866: malloc (vg_replace_malloc.c:446) - by 0x4F47BC: compRedirectWindow (compalloc.c:171) - by 0x4FA8AD: compCreateWindow (compwindow.c:592) - by 0x4EBB89: CreateWindow (window.c:925) - by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) - by 0x4A25B5: Dispatch (dispatch.c:560) - by 0x4B082A: dix_main (main.c:282) - by 0x429233: main (stubmain.c:34) - -Fix compAllocPixmap() to initialize the border clip even if the creation -of the backing pixmap has failed, to avoid depending later on -uninitialized border clip values. - -Related to CVE-2025-26599, ZDI-CAN-25851 - -Signed-off-by: Olivier Fourdan -Acked-by: Peter Hutterer ---- - composite/compalloc.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/composite/compalloc.c b/composite/compalloc.c -index ecb1b6147..d1342799b 100644 ---- a/composite/compalloc.c -+++ b/composite/compalloc.c -@@ -605,9 +605,12 @@ compAllocPixmap(WindowPtr pWin) - int h = pWin->drawable.height + (bw << 1); - PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h); - CompWindowPtr cw = GetCompWindow(pWin); -+ Bool status; - -- if (!pPixmap) -- return FALSE; -+ if (!pPixmap) { -+ status = FALSE; -+ goto out; -+ } - if (cw->update == CompositeRedirectAutomatic) - pWin->redirectDraw = RedirectDrawAutomatic; - else -@@ -621,14 +624,16 @@ compAllocPixmap(WindowPtr pWin) - DamageRegister(&pWin->drawable, cw->damage); - cw->damageRegistered = TRUE; - } -+ status = TRUE; - -+out: - /* Make sure our borderClip is up to date */ - RegionUninit(&cw->borderClip); - RegionCopy(&cw->borderClip, &pWin->borderClip); - cw->borderClipX = pWin->drawable.x; - cw->borderClipY = pWin->drawable.y; - -- return TRUE; -+ return status; - } - - void --- -2.48.1 - diff --git a/SOURCES/xorg-CVE-2025-26599.patch b/SOURCES/xorg-CVE-2025-26599.patch deleted file mode 100644 index 9030374..0000000 --- a/SOURCES/xorg-CVE-2025-26599.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 10a24e364ac15983051d0bb90817c88bbe107036 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Tue, 17 Dec 2024 15:19:45 +0100 -Subject: [PATCH xserver 1/2] composite: Handle failure to redirect in - compRedirectWindow() - -The function compCheckRedirect() may fail if it cannot allocate the -backing pixmap. - -In that case, compRedirectWindow() will return a BadAlloc error. - -However that failure code path will shortcut the validation of the -window tree marked just before, which leaves the validate data partly -initialized. - -That causes a use of uninitialized pointer later. - -The fix is to not shortcut the call to compHandleMarkedWindows() even in -the case of compCheckRedirect() returning an error. - -CVE-2025-26599, ZDI-CAN-25851 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Acked-by: Peter Hutterer ---- - composite/compalloc.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/composite/compalloc.c b/composite/compalloc.c -index e52c009bd..ecb1b6147 100644 ---- a/composite/compalloc.c -+++ b/composite/compalloc.c -@@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) - CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen); - WindowPtr pLayerWin; - Bool anyMarked = FALSE; -+ int status = Success; - - if (pWin == cs->pOverlayWin) { - return Success; -@@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) - - if (!compCheckRedirect(pWin)) { - FreeResource(ccw->id, RT_NONE); -- return BadAlloc; -+ status = BadAlloc; - } - - if (anyMarked) - compHandleMarkedWindows(pWin, pLayerWin); - -- return Success; -+ return status; - } - - void --- -2.48.1 - diff --git a/SOURCES/xorg-CVE-2025-26600.patch b/SOURCES/xorg-CVE-2025-26600.patch deleted file mode 100644 index c6abc3e..0000000 --- a/SOURCES/xorg-CVE-2025-26600.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 70ad5d36ae80f6e5a436eabfee642c2c013e51cc Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 16 Dec 2024 16:18:04 +0100 -Subject: [PATCH xserver] dix: Dequeue pending events on frozen device on - removal - -When a device is removed while still frozen, the events queued for that -device remain while the device itself is freed. - -As a result, replaying the events will cause a use after free. - -To avoid the issue, make sure to dequeue and free any pending events on -a frozen device when removed. - -CVE-2025-26600, ZDI-CAN-25871 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer ---- - dix/devices.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/dix/devices.c b/dix/devices.c -index 969819534..740390207 100644 ---- a/dix/devices.c -+++ b/dix/devices.c -@@ -966,6 +966,23 @@ FreeAllDeviceClasses(ClassesPtr classes) - - } - -+static void -+FreePendingFrozenDeviceEvents(DeviceIntPtr dev) -+{ -+ QdEventPtr qe, tmp; -+ -+ if (!dev->deviceGrab.sync.frozen) -+ return; -+ -+ /* Dequeue any frozen pending events */ -+ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) { -+ if (qe->device == dev) { -+ xorg_list_del(&qe->next); -+ free(qe); -+ } -+ } -+} -+ - /** - * Close down a device and free all resources. - * Once closed down, the driver will probably not expect you that you'll ever -@@ -1030,6 +1047,7 @@ CloseDevice(DeviceIntPtr dev) - free(dev->last.touches[j].valuators); - free(dev->last.touches); - dev->config_info = NULL; -+ FreePendingFrozenDeviceEvents(dev); - dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE); - free(dev); - } --- -2.48.1 - diff --git a/SOURCES/xorg-CVE-2025-26601-2.patch b/SOURCES/xorg-CVE-2025-26601-2.patch deleted file mode 100644 index 8468238..0000000 --- a/SOURCES/xorg-CVE-2025-26601-2.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 7dc3f11abb51cad8a59ecbff5278c8c8a318df41 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 20 Jan 2025 16:54:30 +0100 -Subject: [PATCH xserver 2/4] sync: Check values before applying changes - -In SyncInitTrigger(), we would set the CheckTrigger function before -validating the counter value. - -As a result, if the counter value overflowed, we would leave the -function SyncInitTrigger() with the CheckTrigger applied but without -updating the trigger object. - -To avoid that issue, move the portion of code checking for the trigger -check value before updating the CheckTrigger function. - -Related to CVE-2025-26601, ZDI-CAN-25870 - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer ---- - Xext/sync.c | 36 ++++++++++++++++++------------------ - 1 file changed, 18 insertions(+), 18 deletions(-) - -diff --git a/Xext/sync.c b/Xext/sync.c -index 4267d3af6..4eab5a6ac 100644 ---- a/Xext/sync.c -+++ b/Xext/sync.c -@@ -351,6 +351,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, - } - } - -+ if (changes & (XSyncCAValueType | XSyncCAValue)) { -+ if (pTrigger->value_type == XSyncAbsolute) -+ pTrigger->test_value = pTrigger->wait_value; -+ else { /* relative */ -+ Bool overflow; -+ -+ if (pCounter == NULL) -+ return BadMatch; -+ -+ overflow = checked_int64_add(&pTrigger->test_value, -+ pCounter->value, pTrigger->wait_value); -+ if (overflow) { -+ client->errorValue = pTrigger->wait_value >> 32; -+ return BadValue; -+ } -+ } -+ } -+ - if (changes & XSyncCATestType) { - - if (pSync && SYNC_FENCE == pSync->type) { -@@ -379,24 +397,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, - } - } - -- if (changes & (XSyncCAValueType | XSyncCAValue)) { -- if (pTrigger->value_type == XSyncAbsolute) -- pTrigger->test_value = pTrigger->wait_value; -- else { /* relative */ -- Bool overflow; -- -- if (pCounter == NULL) -- return BadMatch; -- -- overflow = checked_int64_add(&pTrigger->test_value, -- pCounter->value, pTrigger->wait_value); -- if (overflow) { -- client->errorValue = pTrigger->wait_value >> 32; -- return BadValue; -- } -- } -- } -- - if (changes & XSyncCACounter) { - if (pSync != pTrigger->pSync) { /* new counter for trigger */ - SyncDeleteTriggerFromSyncObject(pTrigger); --- -2.48.1 - diff --git a/SOURCES/xorg-CVE-2025-26601-3.patch b/SOURCES/xorg-CVE-2025-26601-3.patch deleted file mode 100644 index 4f6a1f3..0000000 --- a/SOURCES/xorg-CVE-2025-26601-3.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 4ccaa5134482b6be9c9a7f0b66cd221ef325d082 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 20 Jan 2025 17:06:07 +0100 -Subject: [PATCH xserver 3/4] sync: Do not fail SyncAddTriggerToSyncObject() - -We do not want to return a failure at the very last step in -SyncInitTrigger() after having all changes applied. - -SyncAddTriggerToSyncObject() must not fail on memory allocation, if the -allocation of the SyncTriggerList fails, trigger a FatalError() instead. - -Related to CVE-2025-26601, ZDI-CAN-25870 - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer ---- - Xext/sync.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/Xext/sync.c b/Xext/sync.c -index 4eab5a6ac..c36de1a2e 100644 ---- a/Xext/sync.c -+++ b/Xext/sync.c -@@ -200,8 +200,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger) - return Success; - } - -- if (!(pCur = malloc(sizeof(SyncTriggerList)))) -- return BadAlloc; -+ /* Failure is not an option, it's succeed or burst! */ -+ pCur = XNFalloc(sizeof(SyncTriggerList)); - - pCur->pTrigger = pTrigger; - pCur->next = pTrigger->pSync->pTriglist; -@@ -409,8 +409,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, - * a new counter on a trigger - */ - if (newSyncObject) { -- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success) -- return rc; -+ SyncAddTriggerToSyncObject(pTrigger); - } - else if (pCounter && IsSystemCounter(pCounter)) { - SyncComputeBracketValues(pCounter); --- -2.48.1 - diff --git a/SOURCES/xorg-CVE-2025-26601-4.patch b/SOURCES/xorg-CVE-2025-26601-4.patch deleted file mode 100644 index a558e0a..0000000 --- a/SOURCES/xorg-CVE-2025-26601-4.patch +++ /dev/null @@ -1,128 +0,0 @@ -From f0984082067f79b45383fa1eb889c6a901667331 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 20 Jan 2025 17:10:31 +0100 -Subject: [PATCH xserver 4/4] sync: Apply changes last in - SyncChangeAlarmAttributes() - -SyncChangeAlarmAttributes() would apply the various changes while -checking for errors. - -If one of the changes triggers an error, the changes for the trigger, -counter or delta value would remain, possibly leading to inconsistent -changes. - -Postpone the actual changes until we're sure nothing else can go wrong. - -Related to CVE-2025-26601, ZDI-CAN-25870 - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer ---- - Xext/sync.c | 42 +++++++++++++++++++++++++++--------------- - 1 file changed, 27 insertions(+), 15 deletions(-) - -diff --git a/Xext/sync.c b/Xext/sync.c -index c36de1a2e..e282e6657 100644 ---- a/Xext/sync.c -+++ b/Xext/sync.c -@@ -800,8 +800,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, - int status; - XSyncCounter counter; - Mask origmask = mask; -+ SyncTrigger trigger; -+ Bool select_events_changed = FALSE; -+ Bool select_events_value; -+ int64_t delta; - -- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None; -+ trigger = pAlarm->trigger; -+ delta = pAlarm->delta; -+ counter = trigger.pSync ? trigger.pSync->id : None; - - while (mask) { - int index2 = lowbit(mask); -@@ -817,24 +823,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, - case XSyncCAValueType: - mask &= ~XSyncCAValueType; - /* sanity check in SyncInitTrigger */ -- pAlarm->trigger.value_type = *values++; -+ trigger.value_type = *values++; - break; - - case XSyncCAValue: - mask &= ~XSyncCAValue; -- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; -+ trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; - values += 2; - break; - - case XSyncCATestType: - mask &= ~XSyncCATestType; - /* sanity check in SyncInitTrigger */ -- pAlarm->trigger.test_type = *values++; -+ trigger.test_type = *values++; - break; - - case XSyncCADelta: - mask &= ~XSyncCADelta; -- pAlarm->delta = ((int64_t)values[0] << 32) | values[1]; -+ delta = ((int64_t)values[0] << 32) | values[1]; - values += 2; - break; - -@@ -844,10 +850,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, - client->errorValue = *values; - return BadValue; - } -- status = SyncEventSelectForAlarm(pAlarm, client, -- (Bool) (*values++)); -- if (status != Success) -- return status; -+ select_events_value = (Bool) (*values++); -+ select_events_changed = TRUE; - break; - - default: -@@ -856,25 +860,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, - } - } - -+ if (select_events_changed) { -+ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value); -+ if (status != Success) -+ return status; -+ } -+ - /* "If the test-type is PositiveComparison or PositiveTransition - * and delta is less than zero, or if the test-type is - * NegativeComparison or NegativeTransition and delta is - * greater than zero, a Match error is generated." - */ - if (origmask & (XSyncCADelta | XSyncCATestType)) { -- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) || -- (pAlarm->trigger.test_type == XSyncPositiveTransition)) -- && pAlarm->delta < 0) -+ if ((((trigger.test_type == XSyncPositiveComparison) || -+ (trigger.test_type == XSyncPositiveTransition)) -+ && delta < 0) - || -- (((pAlarm->trigger.test_type == XSyncNegativeComparison) || -- (pAlarm->trigger.test_type == XSyncNegativeTransition)) -- && pAlarm->delta > 0) -+ (((trigger.test_type == XSyncNegativeComparison) || -+ (trigger.test_type == XSyncNegativeTransition)) -+ && delta > 0) - ) { - return BadMatch; - } - } - - /* postpone this until now, when we're sure nothing else can go wrong */ -+ pAlarm->delta = delta; -+ pAlarm->trigger = trigger; - if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter, - origmask & XSyncCAAllTrigger)) != Success) - return status; --- -2.48.1 - diff --git a/SOURCES/xorg-CVE-2025-26601.patch b/SOURCES/xorg-CVE-2025-26601.patch deleted file mode 100644 index debbd17..0000000 --- a/SOURCES/xorg-CVE-2025-26601.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 573a2265aacfeaddcc1bb001905a6f7d4fa15ee6 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 20 Jan 2025 16:52:01 +0100 -Subject: [PATCH xserver 1/4] sync: Do not let sync objects uninitialized - -When changing an alarm, the change mask values are evaluated one after -the other, changing the trigger values as requested and eventually, -SyncInitTrigger() is called. - -SyncInitTrigger() will evaluate the XSyncCACounter first and may free -the existing sync object. - -Other changes are then evaluated and may trigger an error and an early -return, not adding the new sync object. - -This can be used to cause a use after free when the alarm eventually -triggers. - -To avoid the issue, delete the existing sync object as late as possible -only once we are sure that no further error will cause an early exit. - -CVE-2025-26601, ZDI-CAN-25870 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer ---- - Xext/sync.c | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/Xext/sync.c b/Xext/sync.c -index b6417b3b0..4267d3af6 100644 ---- a/Xext/sync.c -+++ b/Xext/sync.c -@@ -330,11 +330,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, - client->errorValue = syncObject; - return rc; - } -- if (pSync != pTrigger->pSync) { /* new counter for trigger */ -- SyncDeleteTriggerFromSyncObject(pTrigger); -- pTrigger->pSync = pSync; -- newSyncObject = TRUE; -- } - } - - /* if system counter, ask it what the current value is */ -@@ -402,6 +397,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, - } - } - -+ if (changes & XSyncCACounter) { -+ if (pSync != pTrigger->pSync) { /* new counter for trigger */ -+ SyncDeleteTriggerFromSyncObject(pTrigger); -+ pTrigger->pSync = pSync; -+ newSyncObject = TRUE; -+ } -+ } -+ - /* we wait until we're sure there are no errors before registering - * a new counter on a trigger - */ --- -2.48.1 - diff --git a/SPECS/tigervnc.spec b/SPECS/tigervnc.spec index 0d5b834..717d8d2 100644 --- a/SPECS/tigervnc.spec +++ b/SPECS/tigervnc.spec @@ -4,7 +4,7 @@ %global modulename vncsession Name: tigervnc -Version: 1.14.1 +Version: 1.15.0 Release: 5%{?dist} Summary: A TigerVNC remote display system @@ -13,7 +13,7 @@ Summary: A TigerVNC remote display system License: GPL-2.0-or-later URL: http://www.tigervnc.com -Source0: %{name}-%{version}.tar.gz +Source0: https://github.com/TigerVNC/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: xvnc.service Source2: xvnc.socket Source3: 10-libvnc.conf @@ -27,35 +27,21 @@ Patch1: tigervnc-use-gnome-as-default-session.patch Patch2: tigervnc-vncsession-restore-script-systemd-service.patch # https://github.com/TigerVNC/tigervnc/pull/1792 Patch3: tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch +# Only warn about passwords longer than 8 characters, but allow them to be used as in the past +Patch4: tigervnc-allow-use-of-passwords-longer-than-eight-characters.patch # Upstream patches -Patch50: tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch -Patch51: tigervnc-add-clipboard-support-to-x0vncserver.patch -Patch52: tigervnc-do-proper-toplevel-window-setup-for-selection-window.patch -Patch53: tigervnc-avoid-invalid-xfree-for-xclasshint.patch +Patch50: tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch +Patch51: tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch +Patch52: tigervnc-dont-print-xvnc-banner-before-parsing-args.patch # Upstreamable patches -Patch80: tigervnc-dont-get-pointer-position-for-floating-device.patch -# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg -Patch100: tigervnc-xserver120.patch # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start -Patch101: 0001-rpath-hack.patch +Patch100: 0001-rpath-hack.patch # XServer patches -Patch200: xorg-CVE-2025-26594.patch -Patch201: xorg-CVE-2025-26594-2.patch -Patch202: xorg-CVE-2025-26595.patch -Patch203: xorg-CVE-2025-26596.patch -Patch204: xorg-CVE-2025-26597.patch -Patch205: xorg-CVE-2025-26598.patch -Patch206: xorg-CVE-2025-26599.patch -Patch207: xorg-CVE-2025-26599-2.patch -Patch208: xorg-CVE-2025-26600.patch -Patch209: xorg-CVE-2025-26601.patch -Patch210: xorg-CVE-2025-26601-2.patch -Patch211: xorg-CVE-2025-26601-3.patch -Patch212: xorg-CVE-2025-26601-4.patch + BuildRequires: make BuildRequires: gcc-c++ @@ -119,6 +105,7 @@ Requires(postun):coreutils Requires: hicolor-icon-theme Requires: tigervnc-license Requires: tigervnc-icons +Requires: which %description Virtual Network Computing (VNC) is a remote display system which @@ -154,8 +141,11 @@ Requires(preun): systemd Requires(postun): systemd Requires(post): systemd -Requires: mesa-dri-drivers, xkeyboard-config, xkbcomp -Requires: tigervnc-license, dbus-x11 +Requires: dbus-x11 +Requires: mesa-dri-drivers +Requires: tigervnc-license +Requires: xkbcomp +Requires: xkeyboard-config %description server-minimal The VNC system allows you to access the same desktop from a wide @@ -211,38 +201,22 @@ pushd unix/xserver for all in `find . -type f -perm -001`; do chmod -x "$all" done -# Xorg patches -%patch -P100 -p1 -b .xserver120-rebased -%patch -P101 -p1 -b .rpath - -%patch -P200 -p1 -b .xorg-CVE-2025-26594 -%patch -P201 -p1 -b .xorg-CVE-2025-26594-2 -%patch -P202 -p1 -b .xorg-CVE-2025-26595 -%patch -P203 -p1 -b .xorg-CVE-2025-26596 -%patch -P204 -p1 -b .xorg-CVE-2025-26597 -%patch -P205 -p1 -b .xorg-CVE-2025-26598 -%patch -P206 -p1 -b .xorg-CVE-2025-26599 -%patch -P207 -p1 -b .xorg-CVE-2025-26599-2 -%patch -P208 -p1 -b .xorg-CVE-2025-26600 -%patch -P209 -p1 -b .xorg-CVE-2025-26601 -%patch -P210 -p1 -b .xorg-CVE-2025-26601-2 -%patch -P211 -p1 -b .xorg-CVE-2025-26601-3 -%patch -P212 -p1 -b .xorg-CVE-2025-26601-4 +%patch -P100 -p1 -b .rpath +cat ../xserver120.patch | patch -p1 popd # Tigervnc patches %patch -P1 -p1 -b .use-gnome-as-default-session %patch -P2 -p1 -b .vncsession-restore-script-systemd-service %patch -P3 -p1 -b .add-option-allowing-to-connect-only-user-owning-session +%patch -P4 -p1 -b .allow-use-of-passwords-longer-than-eight-characters # Upstream patches -%patch -P50 -p1 -b .vncsession-move-existing-log-to-log-old-if-present -%patch -P51 -p1 -b .add-clipboard-support-to-x0vncserver -%patch -P52 -p1 -b .do-proper-toplevel-window-setup-for-selection-window -%patch -P53 -p1 -b .avoid-invalid-xfree-for-xclasshint +%patch -P50 -p1 -b .add-selinux-policy-rules-allowing-create-dirs-under-root-dir +%patch -P51 -p1 -b .add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open +%patch -P52 -p1 -b .dont-print-xvnc-banner-before-parsing-args # Upstreamable patches -%patch -P80 -p1 -b .dont-get-pointer-position-for-floating-device %build %ifarch sparcv9 sparc64 s390 s390x @@ -263,7 +237,7 @@ mkdir -p %{%__cmake_builddir} pushd unix/xserver %if 0%{?fedora} > 32 || 0%{?rhel} >= 9 -sed -i 's@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}/%{_target_platform}@g' hw/vnc/Makefile.am +sed -i 's@TIGERVNC_BUILDDIR=${top_builddir}/\.\./\.\.@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}/%{_target_platform}@g' hw/vnc/Makefile.am %endif autoreconf -fiv @@ -271,10 +245,8 @@ autoreconf -fiv --disable-xorg --disable-xnest --disable-xvfb --disable-dmx \ --disable-xwin --disable-xephyr --disable-kdrive --disable-xwayland \ --with-pic --disable-static \ - --with-default-font-path="catalogue:%{_sysconfdir}/X11/fontpath.d,built-ins" \ - --with-fontdir=%{_datadir}/X11/fonts \ + --with-default-font-path="catalogue:/etc/X11/fontpath.d,built-ins" \ --with-xkb-output=%{_localstatedir}/lib/xkb \ - --enable-install-libxf86config \ --enable-glx --disable-dri --enable-dri2 --enable-dri3 \ --disable-unit-tests \ --disable-config-hal \ @@ -426,15 +398,57 @@ fi %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %changelog -* Tue Apr 01 2025 Eduard Abdullin - 1.14.1-5 +* Mon Jun 23 2025 Jan Grulich - 1.15.0-5 +- Fix CVE-2025-49175: xorg-x11-server: Out-of-Bounds Read in X Rendering Extension Animated Cursors + Resolves: RHEL-97284 + +- Fix CVE-2025-49176: xorg-x11-server: Integer Overflow in Big Requests Extension + Resolves: RHEL-97303 + +- Fix CVE-2025-49178: xorg-x11-server: Unprocessed Client Request Due to Bytes to Ignore + Resolves: RHEL-97379 + +- Fix CVE-2025-49179: xorg-x11-server: Integer overflow in X Record extension + Resolves: RHEL-97414 + +- Fix CVE-2025-49180: xorg-x11-server: Integer Overflow in X Resize, Rotate and Reflect (RandR) Extension + Resolves: RHEL-97429 + +* Tue May 27 2025 Jan Grulich - 1.15.0-4 +- Fix broken authentication with x0vncserver + Resolves: RHEL-93573 + +* Wed Apr 30 2025 Jan Grulich - 1.15.0-3 +- Only warn about 8 characters limit, but let it proceed + Resolves: RHEL-89432 + +* Wed Apr 16 2025 Jan Grulich - 1.15.0-2 +- Fix inetd mode not working + Resolves: RHEL-86511 + +* Fri Mar 07 2025 Jan Grulich - 1.15.0-1 +- 1.15.0 + Resolves: RHEL-78617 +- Add SELinux policy rules allowing to access /proc/sys/fs/nr_open + Resolves: RHEL-77973 +- Add SELinux policy rules allowing to create directories under /root + Resolves: RHEL-77975 - Fix CVE-2025-26594 xorg-x11-server Use-after-free of the root cursor + Resolves: RHEL-80208 - Fix CVE-2025-26595 xorg-x11-server Buffer overflow in XkbVModMaskText() + Resolves: RHEL-80189 - Fix CVE-2025-26596 xorg-x11-server Heap overflow in XkbWriteKeySyms() + Resolves: RHEL-80194 - Fix CVE-2025-26597 xorg-x11-server Buffer overflow in XkbChangeTypesOfKey() + Resolves: RHEL-80196 - Fix CVE-2025-26598 xorg-x11-server Out-of-bounds write in CreatePointerBarrierClient() + Resolves: RHEL-80197 - Fix CVE-2025-26599 xorg-x11-server Use of uninitialized pointer in compRedirectWindow() + Resolves: RHEL-80206 - Fix CVE-2025-26600 xorg-x11-server Use-after-free in PlayReleasedEvents() + Resolves: RHEL-80205 - Fix CVE-2025-26601 xorg-x11-server Use-after-free in SyncInitTrigger() + Resolves: RHEL-80209 * Tue Jan 21 2025 Jan Grulich - 1.14.1-4 - Fix crash in clipboard support in x0vncserver