diff --git a/tigervnc-1.3.1-CVE-2014-8240.patch b/tigervnc-1.3.1-CVE-2014-8240.patch deleted file mode 100644 index 09217f1..0000000 --- a/tigervnc-1.3.1-CVE-2014-8240.patch +++ /dev/null @@ -1,74 +0,0 @@ -diff --git a/unix/x0vncserver/Image.cxx b/unix/x0vncserver/Image.cxx -index f998c6a..fb9dbd4 100644 ---- a/unix/x0vncserver/Image.cxx -+++ b/unix/x0vncserver/Image.cxx -@@ -80,6 +80,14 @@ void Image::Init(int width, int height) - xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)), - ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0); - -+ if (xim->bytes_per_line <= 0 || -+ xim->height <= 0 || -+ xim->height >= INT_MAX / xim->bytes_per_line) { -+ vlog.error("Invalid display size"); -+ XDestroyImage(xim); -+ exit(1); -+ } -+ - xim->data = (char *)malloc(xim->bytes_per_line * xim->height); - if (xim->data == NULL) { - vlog.error("malloc() failed"); -@@ -256,6 +264,17 @@ void ShmImage::Init(int width, int height, const XVisualInfo *vinfo) - return; - } - -+ if (xim->bytes_per_line <= 0 || -+ xim->height <= 0 || -+ xim->height >= INT_MAX / xim->bytes_per_line) { -+ vlog.error("Invalid display size"); -+ XDestroyImage(xim); -+ xim = NULL; -+ delete shminfo; -+ shminfo = NULL; -+ return; -+ } -+ - shminfo->shmid = shmget(IPC_PRIVATE, - xim->bytes_per_line * xim->height, - IPC_CREAT|0777); -diff --git a/vncviewer/PlatformPixelBuffer.cxx b/vncviewer/PlatformPixelBuffer.cxx -index a2b506d..9266d9f 100644 ---- a/vncviewer/PlatformPixelBuffer.cxx -+++ b/vncviewer/PlatformPixelBuffer.cxx -@@ -49,6 +49,15 @@ PlatformPixelBuffer::PlatformPixelBuffer(int width, int height) : - if (!xim) - throw rdr::Exception("XCreateImage"); - -+ if (xim->bytes_per_line <= 0 || -+ xim->height <= 0 || -+ xim->height >= INT_MAX / xim->bytes_per_line) { -+ if (xim) -+ XDestroyImage(xim); -+ xim = NULL; -+ throw rdr::Exception("Invalid display size"); -+ } -+ - xim->data = (char*)malloc(xim->bytes_per_line * xim->height); - if (!xim->data) - throw rdr::Exception("malloc"); -@@ -152,6 +161,16 @@ bool PlatformPixelBuffer::setupShm() - if (!xim) - goto free_shminfo; - -+ if (xim->bytes_per_line <= 0 || -+ xim->height <= 0 || -+ xim->height >= INT_MAX / xim->bytes_per_line) { -+ XDestroyImage(xim); -+ xim = NULL; -+ delete shminfo; -+ shminfo = NULL; -+ throw rdr::Exception("Invalid display size"); -+ } -+ - shminfo->shmid = shmget(IPC_PRIVATE, - xim->bytes_per_line * xim->height, - IPC_CREAT|0600); diff --git a/tigervnc-covscan.patch b/tigervnc-covscan.patch deleted file mode 100644 index 803f71a..0000000 --- a/tigervnc-covscan.patch +++ /dev/null @@ -1,312 +0,0 @@ -diff --git a/common/network/TcpSocket.cxx b/common/network/TcpSocket.cxx -index 51d77c76..9e277cbb 100644 ---- a/common/network/TcpSocket.cxx -+++ b/common/network/TcpSocket.cxx -@@ -736,7 +736,7 @@ char* TcpFilter::patternToStr(const TcpFilter::Pattern& p) { - buffer + 1, sizeof (buffer) - 2, NULL, 0, NI_NUMERICHOST); - strcat(buffer, "]"); - addr.buf = rfb::strDup(buffer); -- } else if (p.address.u.sa.sa_family == AF_UNSPEC) -+ } else - addr.buf = rfb::strDup(""); - - char action; -diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx -index e1a31f78..d268202b 100644 ---- a/common/rfb/CSecurityTLS.cxx -+++ b/common/rfb/CSecurityTLS.cxx -@@ -95,9 +95,9 @@ void CSecurityTLS::setDefaults() - delete [] homeDir; - - if (!fileexists(caDefault.buf)) -- X509CA.setDefaultStr(strdup(caDefault.buf)); -+ X509CA.setDefaultStr(caDefault.buf); - if (!fileexists(crlDefault.buf)) -- X509CRL.setDefaultStr(strdup(crlDefault.buf)); -+ X509CRL.setDefaultStr(crlDefault.buf); - } - - void CSecurityTLS::shutdown(bool needbye) -diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx -index 6d48b65c..6f72432a 100644 ---- a/common/rfb/SSecurityPlain.cxx -+++ b/common/rfb/SSecurityPlain.cxx -@@ -41,7 +41,7 @@ StringParameter PasswordValidator::plainUsers - - bool PasswordValidator::validUser(const char* username) - { -- CharArray users(strDup(plainUsers.getValueStr())), user; -+ CharArray users(plainUsers.getValueStr()), user; - - while (users.buf) { - strSplit(users.buf, ',', &user.buf, &users.buf); -diff --git a/unix/tx/TXWindow.cxx b/unix/tx/TXWindow.cxx -index a6819179..6129840e 100644 ---- a/unix/tx/TXWindow.cxx -+++ b/unix/tx/TXWindow.cxx -@@ -24,6 +24,7 @@ - #include - #include - #include -+#include - #include - - std::list windows; -@@ -132,20 +133,20 @@ TXGlobalEventHandler* TXWindow::setGlobalEventHandler(TXGlobalEventHandler* h) - - void TXWindow::getColours(Display* dpy, XColor* cols, int nCols) - { -- bool* got = new bool[nCols]; -+ std::vector got; -+ - bool failed = false; - int i; - for (i = 0; i < nCols; i++) { - if (XAllocColor(dpy, cmap, &cols[i])) { -- got[i] = true; -+ got.push_back(true); - } else { -- got[i] = false; -+ got.push_back(false); - failed = true; - } - } - - if (!failed) { -- delete [] got; - return; - } - -@@ -168,12 +169,13 @@ void TXWindow::getColours(Display* dpy, XColor* cols, int nCols) - int cmapSize = DisplayCells(dpy,DefaultScreen(dpy)); - - XColor* cm = new XColor[cmapSize]; -- bool* shared = new bool[cmapSize]; -- bool* usedAsNearest = new bool[cmapSize]; -+ std::vector shared; -+ std::vector usedAsNearest; - - for (i = 0; i < cmapSize; i++) { - cm[i].pixel = i; -- shared[i] = usedAsNearest[i] = false; -+ shared.push_back(false); -+ usedAsNearest.push_back(false); - } - - XQueryColors(dpy, cmap, cm, cmapSize); -diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx -index 8bd4e48e..3055223e 100644 ---- a/unix/vncpasswd/vncpasswd.cxx -+++ b/unix/vncpasswd/vncpasswd.cxx -@@ -134,7 +134,7 @@ int main(int argc, char** argv) - } else if (argv[i][0] == '-') { - usage(); - } else if (!fname) { -- fname = argv[i]; -+ fname = strDup(argv[i]); - } else { - usage(); - } -@@ -165,24 +165,37 @@ int main(int argc, char** argv) - FILE* fp = fopen(fname,"w"); - if (!fp) { - fprintf(stderr,"Couldn't open %s for writing\n",fname); -+ delete [] fname; -+ delete obfuscated; -+ delete obfuscatedReadOnly; - exit(1); - } - chmod(fname, S_IRUSR|S_IWUSR); - - if (fwrite(obfuscated->buf, obfuscated->length, 1, fp) != 1) { - fprintf(stderr,"Writing to %s failed\n",fname); -+ delete [] fname; -+ delete obfuscated; -+ delete obfuscatedReadOnly; - exit(1); - } - -+ delete obfuscated; -+ - if (obfuscatedReadOnly) { - if (fwrite(obfuscatedReadOnly->buf, obfuscatedReadOnly->length, 1, fp) != 1) { - fprintf(stderr,"Writing to %s failed\n",fname); -+ delete [] fname; -+ delete obfuscatedReadOnly; - exit(1); - } - } - - fclose(fp); - -+ delete [] fname; -+ delete obfuscatedReadOnly; -+ - return 0; - } - } -diff --git a/unix/xserver/hw/vnc/vncExtInit.cc b/unix/xserver/hw/vnc/vncExtInit.cc -index d6f6b742..7ca71d94 100644 ---- a/unix/xserver/hw/vnc/vncExtInit.cc -+++ b/unix/xserver/hw/vnc/vncExtInit.cc -@@ -184,7 +184,7 @@ void vncExtensionInit(void) - listeners.push_back(new network::TcpListener(vncInetdSock)); - vlog.info("inetd wait"); - } -- } else if (rfbunixpath.getValueStr()[0] != '\0') { -+ } else if (((const char*)rfbunixpath)[0] != '\0') { - char path[PATH_MAX]; - int mode = (int)rfbunixmode; - -@@ -192,7 +192,7 @@ void vncExtensionInit(void) - strncpy(path, rfbunixpath, sizeof(path)); - else - snprintf(path, sizeof(path), "%s.%d", -- rfbunixpath.getValueStr(), scr); -+ (const char*)rfbunixpath, scr); - path[sizeof(path)-1] = '\0'; - - listeners.push_back(new network::UnixListener(path, mode)); -diff --git a/unix/xserver/hw/vnc/vncSelection.c b/unix/xserver/hw/vnc/vncSelection.c -index 51dfd9c6..4f3538d4 100644 ---- a/unix/xserver/hw/vnc/vncSelection.c -+++ b/unix/xserver/hw/vnc/vncSelection.c -@@ -105,7 +105,7 @@ void vncClientCutText(const char* str, int len) - LOG_ERROR("Could not set PRIMARY selection"); - } - -- vncOwnSelection(xaCLIPBOARD); -+ rc = vncOwnSelection(xaCLIPBOARD); - if (rc != Success) - LOG_ERROR("Could not set CLIPBOARD selection"); - } -diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c -index 3b4d2f31..c845ebc4 100644 ---- a/unix/xserver/hw/vnc/xvnc.c -+++ b/unix/xserver/hw/vnc/xvnc.c -@@ -766,10 +766,13 @@ vfbUninstallColormap(ColormapPtr pmap) - curpmap = (ColormapPtr) LookupIDByType(pmap->pScreen->defColormap, - RT_COLORMAP); - #else -- dixLookupResourceByType((void * *) &curpmap, pmap->pScreen->defColormap, -- RT_COLORMAP, serverClient, DixUnknownAccess); -+ int rc = dixLookupResourceByType((void * *) &curpmap, pmap->pScreen->defColormap, -+ RT_COLORMAP, serverClient, DixUnknownAccess); -+ if (rc != Success) -+ ErrorF("Failed to uninstall color map\n"); -+ else - #endif -- (*pmap->pScreen->InstallColormap)(curpmap); -+ (*pmap->pScreen->InstallColormap)(curpmap); - } - } - } -diff --git a/vncviewer/DesktopWindow.cxx b/vncviewer/DesktopWindow.cxx -index d070b648..1843485a 100644 ---- a/vncviewer/DesktopWindow.cxx -+++ b/vncviewer/DesktopWindow.cxx -@@ -103,12 +103,12 @@ DesktopWindow::DesktopWindow(int w, int h, const char *name, - int geom_x = 0, geom_y = 0; - if (strcmp(geometry, "") != 0) { - int matched; -- matched = sscanf(geometry.getValueStr(), "+%d+%d", &geom_x, &geom_y); -+ matched = sscanf((const char*)geometry, "+%d+%d", &geom_x, &geom_y); - if (matched == 2) { - force_position(1); - } else { - int geom_w, geom_h; -- matched = sscanf(geometry.getValueStr(), "%dx%d+%d+%d", &geom_w, &geom_h, &geom_x, &geom_y); -+ matched = sscanf((const char*)geometry, "%dx%d+%d+%d", &geom_w, &geom_h, &geom_x, &geom_y); - switch (matched) { - case 4: - force_position(1); -diff --git a/vncviewer/OptionsDialog.cxx b/vncviewer/OptionsDialog.cxx -index b018c95b..62b5d9c5 100644 ---- a/vncviewer/OptionsDialog.cxx -+++ b/vncviewer/OptionsDialog.cxx -@@ -282,7 +282,7 @@ void OptionsDialog::loadOptions(void) - /* Screen */ - int width, height; - -- if (sscanf(desktopSize.getValueStr(), "%dx%d", &width, &height) != 2) { -+ if (sscanf((const char*)desktopSize, "%dx%d", &width, &height) != 2) { - desktopSizeCheckbox->value(false); - desktopWidthInput->value("1024"); - desktopHeightInput->value("768"); -diff --git a/vncviewer/ServerDialog.cxx b/vncviewer/ServerDialog.cxx -index de67f87b..fec17896 100644 ---- a/vncviewer/ServerDialog.cxx -+++ b/vncviewer/ServerDialog.cxx -@@ -150,7 +150,7 @@ void ServerDialog::handleLoad(Fl_Widget *widget, void *data) - return; - } - -- const char* filename = strdup(file_chooser->value()); -+ const char* filename = file_chooser->value(); - - try { - dialog->serverName->value(loadViewerParameters(filename)); -@@ -165,8 +165,8 @@ void ServerDialog::handleLoad(Fl_Widget *widget, void *data) - void ServerDialog::handleSaveAs(Fl_Widget *widget, void *data) - { - ServerDialog *dialog = (ServerDialog*)data; -- const char* servername = strdup(dialog->serverName->value()); -- char* filename; -+ const char* servername = dialog->serverName->value(); -+ const char* filename; - - Fl_File_Chooser* file_chooser = new Fl_File_Chooser("", _("TigerVNC configuration (*.tigervnc)"), - 2, _("Save the TigerVNC configuration to file")); -@@ -187,7 +187,7 @@ void ServerDialog::handleSaveAs(Fl_Widget *widget, void *data) - return; - } - -- filename = strdup(file_chooser->value()); -+ filename = file_chooser->value(); - - FILE* f = fopen(filename, "r"); - if (f) { -@@ -235,7 +235,7 @@ void ServerDialog::handleCancel(Fl_Widget *widget, void *data) - void ServerDialog::handleConnect(Fl_Widget *widget, void *data) - { - ServerDialog *dialog = (ServerDialog*)data; -- const char* servername = strdup(dialog->serverName->value()); -+ const char* servername = dialog->serverName->value(); - - dialog->hide(); - -diff --git a/vncviewer/parameters.cxx b/vncviewer/parameters.cxx -index 51cce3d7..94cc1b05 100644 ---- a/vncviewer/parameters.cxx -+++ b/vncviewer/parameters.cxx -@@ -499,6 +499,7 @@ void saveViewerParameters(const char *filename, const char *servername) { - } - - snprintf(filepath, sizeof(filepath), "%sdefault.tigervnc", homeDir); -+ free(homeDir); - } else { - snprintf(filepath, sizeof(filepath), "%s", filename); - } -@@ -555,6 +556,7 @@ char* loadViewerParameters(const char *filename) { - "can't obtain home directory path.")); - - snprintf(filepath, sizeof(filepath), "%sdefault.tigervnc", homeDir); -+ free(homeDir); - } else { - snprintf(filepath, sizeof(filepath), "%s", filename); - } -diff --git a/vncviewer/vncviewer.cxx b/vncviewer/vncviewer.cxx -index f076565f..a9d4dfea 100644 ---- a/vncviewer/vncviewer.cxx -+++ b/vncviewer/vncviewer.cxx -@@ -470,9 +470,9 @@ static int mktunnel() - int localPort = findFreeTcpPort(); - int remotePort; - -- gatewayHost = strDup(via.getValueStr()); - if (interpretViaParam(remoteHost, &remotePort, localPort) != 0) - return 1; -+ gatewayHost = (const char*)via; - createTunnel(gatewayHost, remoteHost, remotePort, localPort); - - return 0; diff --git a/tigervnc-cursor.patch b/tigervnc-cursor.patch deleted file mode 100644 index 1f95df8..0000000 --- a/tigervnc-cursor.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor tigervnc-1.3.0/vncviewer/Viewport.cxx ---- tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor 2013-12-17 13:28:23.170400013 +0000 -+++ tigervnc-1.3.0/vncviewer/Viewport.cxx 2013-12-17 13:29:46.095784064 +0000 -@@ -248,7 +248,7 @@ void Viewport::setCursor(int width, int height, const Point& hotspot, - } - } - -- if (Fl::belowmouse() == this) -+ if (Fl::belowmouse() == this && cursor) - window()->cursor(cursor, cursorHotspot.x, cursorHotspot.y); - } - diff --git a/tigervnc-getmaster.patch b/tigervnc-getmaster.patch deleted file mode 100644 index 6ef99b4..0000000 --- a/tigervnc-getmaster.patch +++ /dev/null @@ -1,88 +0,0 @@ -diff --git a/unix/xserver/hw/vnc/InputXKB.c b/unix/xserver/hw/vnc/InputXKB.c -index f84a6e4..4eac939 100644 ---- a/unix/xserver/hw/vnc/InputXKB.c -+++ b/unix/xserver/hw/vnc/InputXKB.c -@@ -226,10 +226,7 @@ void vncPrepareInputDevices(void) - - unsigned vncGetKeyboardState(void) - { -- DeviceIntPtr master; -- -- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT); -- return XkbStateFieldFromRec(&master->key->xkbInfo->state); -+ return XkbStateFieldFromRec(&vncKeyboardDev->master->key->xkbInfo->state); - } - - unsigned vncGetLevelThreeMask(void) -@@ -250,7 +247,7 @@ unsigned vncGetLevelThreeMask(void) - return 0; - } - -- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc; -+ xkb = vncKeyboardDev->master->key->xkbInfo->desc; - - act = XkbKeyActionPtr(xkb, keycode, state); - if (act == NULL) -@@ -275,7 +272,7 @@ KeyCode vncPressShift(void) - if (state & ShiftMask) - return 0; - -- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc; -+ xkb = vncKeyboardDev->master->key->xkbInfo->desc; - for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) { - XkbAction *act; - unsigned char mask; -@@ -315,7 +312,7 @@ size_t vncReleaseShift(KeyCode *keys, size_t maxKeys) - - count = 0; - -- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT); -+ master = vncKeyboardDev->master; - xkb = master->key->xkbInfo->desc; - for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) { - XkbAction *act; -@@ -371,7 +368,7 @@ KeyCode vncPressLevelThree(void) - return 0; - } - -- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc; -+ xkb = vncKeyboardDev->master->key->xkbInfo->desc; - - act = XkbKeyActionPtr(xkb, keycode, state); - if (act == NULL) -@@ -402,7 +399,7 @@ size_t vncReleaseLevelThree(KeyCode *keys, size_t maxKeys) - - count = 0; - -- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT); -+ master = vncKeyboardDev->master; - xkb = master->key->xkbInfo->desc; - for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) { - XkbAction *act; -@@ -447,7 +444,7 @@ KeyCode vncKeysymToKeycode(KeySym keysym, unsigned state, unsigned *new_state) - *new_state = state; - - fallback = 0; -- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc; -+ xkb = vncKeyboardDev->master->key->xkbInfo->desc; - for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) { - unsigned int state_out; - KeySym dummy; -@@ -551,7 +548,7 @@ int vncIsAffectedByNumLock(KeyCode keycode) - if (numlock_keycode == 0) - return 0; - -- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc; -+ xkb = vncKeyboardDev->master->key->xkbInfo->desc; - - act = XkbKeyActionPtr(xkb, numlock_keycode, state); - if (act == NULL) -@@ -585,7 +582,7 @@ KeyCode vncAddKeysym(KeySym keysym, unsigned state) - KeySym *syms; - KeySym upper, lower; - -- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT); -+ master = vncKeyboardDev->master; - xkb = master->key->xkbInfo->desc; - for (key = xkb->max_key_code; key >= xkb->min_key_code; key--) { - if (XkbKeyNumGroups(xkb, key) == 0) diff --git a/tigervnc.spec b/tigervnc.spec index bfc8020..512814d 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -23,9 +23,6 @@ Source4: HOWTO.md Source5: vncserver Source6: vncserver.man -Patch1: tigervnc-getmaster.patch -Patch2: tigervnc-cursor.patch -Patch3: tigervnc-1.3.1-CVE-2014-8240.patch Patch4: tigervnc-let-user-know-about-not-using-view-only-password.patch Patch5: tigervnc-working-tls-on-fips-systems.patch Patch6: tigervnc-utilize-system-crypto-policies.patch @@ -165,16 +162,6 @@ done %patch101 -p1 -b .rpath popd -# libvnc.so: don't use unexported GetMaster function (bug #744881 again). -%patch1 -p1 -b .getmaster - -# Fixed viewer crash when cursor has not been set (bug #1051333). -%patch2 -p1 -b .cursor - -# CVE-2014-8240 tigervnc: integer overflow flaw, leading to a heap-based -# buffer overflow in screen size handling -%patch3 -p1 -b .tigervnc-1.3.1-CVE-2014-8240 - # Bug 1447555 - view-only accepts enter, unclear whether default password is generated or not %patch4 -p1 -b .let-user-know-about-not-using-view-only-password