rpms/tigervnc
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice

Browse Source 
Resolves: RHEL-20389

Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
Resolves: RHEL-20383

Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
Resolves: RHEL-20533

Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
Resolves: RHEL-21213
This commit is contained in:
Jan Grulich 2024-01-22 09:58:22 +01:00
parent 5a6c55a071
commit 75082cdb91
3 changed files with 30 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
tigervnc-dont-get-pointer-position-for-floating-device.patch Normal file
View File

@ -0,0 +1,13 @@
diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c
index b3d0926d..d36a096f 100644
--- a/unix/xserver/hw/vnc/vncInput.c
+++ b/unix/xserver/hw/vnc/vncInput.c
@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y)
void vncGetPointerPos(int *x, int *y)
{
- if (vncPointerDev != NULL) {
+ if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) {
ScreenPtr ptrScreen;
miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY);

22
tigervnc.spec
View File

@ -5,7 +5,7 @@
Name: tigervnc Name: tigervnc
Version: 1.13.1 Version: 1.13.1
Release: 6%{?dist} Release: 7%{?dist}
Summary: A TigerVNC remote display system Summary: A TigerVNC remote display system
%global _hardened_build 1 %global _hardened_build 1
@ -29,14 +29,14 @@ Patch2: tigervnc-vncsession-restore-script-systemd-service.patch
Patch50: tigervnc-support-username-alias-in-plainusers.patch Patch50: tigervnc-support-username-alias-in-plainusers.patch
Patch51: tigervnc-use-dup-to-get-available-fd-for-inetd.patch Patch51: tigervnc-use-dup-to-get-available-fd-for-inetd.patch
# Upstreamable patches
Patch80: tigervnc-dont-get-pointer-position-for-floating-device.patch
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
Patch100: tigervnc-xserver120.patch Patch100: tigervnc-xserver120.patch
# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
Patch101: 0001-rpath-hack.patch Patch101: 0001-rpath-hack.patch
# Xorg backports
Patch300: xorg-rename-boolean-config-value-field-from-bool-to-boolean.patch
BuildRequires: make BuildRequires: make
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: gettext BuildRequires: gettext
@ -185,7 +185,6 @@ for all in `find . -type f -perm -001`; do
done done
%patch100 -p1 -b .xserver120-rebased %patch100 -p1 -b .xserver120-rebased
%patch101 -p1 -b .rpath %patch101 -p1 -b .rpath
%patch300 -p1 -b .xorg-rename-boolean-config-value-field-from-bool-to-boolean
popd popd
%patch1 -p1 -b .use-gnome-as-default-session %patch1 -p1 -b .use-gnome-as-default-session
@ -195,6 +194,9 @@ popd
%patch50 -p1 -b .support-username-alias-in-plainusers %patch50 -p1 -b .support-username-alias-in-plainusers
%patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd %patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd
# Upstreamable patches
%patch80 -p1 -b .dont-get-pointer-position-for-floating-device
%build %build
%ifarch sparcv9 sparc64 s390 s390x %ifarch sparcv9 sparc64 s390 s390x
export CFLAGS="$RPM_OPT_FLAGS -fPIC" export CFLAGS="$RPM_OPT_FLAGS -fPIC"
@ -376,6 +378,16 @@ fi
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%changelog %changelog
* Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
Resolves: RHEL-20389
- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
Resolves: RHEL-20383
- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
Resolves: RHEL-20533
- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
Resolves: RHEL-21213
* Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6 * Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6
- Use dup() to get available file descriptor when using -inetd option - Use dup() to get available file descriptor when using -inetd option
Resolves: RHEL-19858 Resolves: RHEL-19858

104
xorg-rename-boolean-config-value-field-from-bool-to-boolean.patch
View File

@ -1,104 +0,0 @@
From 454b3a826edb5fc6d0fea3a9cfd1a5e8fc568747 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Mon, 22 Jul 2019 13:51:06 -0400
Subject: [PATCH] hw: Rename boolean config value field from bool to boolean
"bool" conflicts with C++ (meh) and stdbool.h (ngh alright fine). This
is a driver-visible change and will likely break the build for mach64,
but it can be fixed by simply using xf86ReturnOptValBool like every
other driver.
Signed-off-by: Adam Jackson <ajax@redhat.com>
---
hw/xfree86/common/xf86Opt.h | 2 +-
hw/xfree86/common/xf86Option.c | 10 +++++-----
hw/xwin/winconfig.c | 22 +++++++++++-----------
hw/xwin/winconfig.h | 2 +-
4 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/hw/xfree86/common/xf86Opt.h b/hw/xfree86/common/xf86Opt.h
index 3be2a0fc7e..3046fbd417 100644
--- a/hw/xfree86/common/xf86Opt.h
+++ b/hw/xfree86/common/xf86Opt.h
@@ -41,7 +41,7 @@ typedef union {
unsigned long num;
const char *str;
double realnum;
- Bool bool;
+ Bool boolean;
OptFrequency freq;
} ValueUnion;
diff --git a/hw/xwin/winconfig.c b/hw/xwin/winconfig.c
index 31894d2fb0..646d690062 100644
--- a/hw/xwin/winconfig.c
+++ b/hw/xwin/winconfig.c
@@ -623,7 +623,7 @@ winSetBoolOption(void *optlist, const char *name, int deflt)
o.name = name;
o.type = OPTV_BOOLEAN;
if (ParseOptionValue(-1, optlist, &o))
- deflt = o.value.bool;
+ deflt = o.value.boolean;
return deflt;
}
@@ -918,7 +918,7 @@ ParseOptionValue(int scrnIndex, void *options, OptionInfoPtr p)
}
if ((s = winFindOptionValue(options, newn)) != NULL) {
if (GetBoolValue(&opt, s)) {
- p->value.bool = !opt.value.bool;
+ p->value.boolean = !opt.value.boolean;
p->found = TRUE;
}
else {
@@ -968,25 +968,25 @@ static Bool
GetBoolValue(OptionInfoPtr p, const char *s)
{
if (*s == 0) {
- p->value.bool = TRUE;
+ p->value.boolean = TRUE;
}
else {
if (winNameCompare(s, "1") == 0)
- p->value.bool = TRUE;
+ p->value.boolean = TRUE;
else if (winNameCompare(s, "on") == 0)
- p->value.bool = TRUE;
+ p->value.boolean = TRUE;
else if (winNameCompare(s, "true") == 0)
- p->value.bool = TRUE;
+ p->value.boolean = TRUE;
else if (winNameCompare(s, "yes") == 0)
- p->value.bool = TRUE;
+ p->value.boolean = TRUE;
else if (winNameCompare(s, "0") == 0)
- p->value.bool = FALSE;
+ p->value.boolean = FALSE;
else if (winNameCompare(s, "off") == 0)
- p->value.bool = FALSE;
+ p->value.boolean = FALSE;
else if (winNameCompare(s, "false") == 0)
- p->value.bool = FALSE;
+ p->value.boolean = FALSE;
else if (winNameCompare(s, "no") == 0)
- p->value.bool = FALSE;
+ p->value.boolean = FALSE;
}
return TRUE;
}
diff --git a/hw/xwin/winconfig.h b/hw/xwin/winconfig.h
index f079368c7c..bd1f596509 100644
--- a/hw/xwin/winconfig.h
+++ b/hw/xwin/winconfig.h
@@ -199,7 +199,7 @@ typedef union {
unsigned long num;
char *str;
double realnum;
- Bool bool;
+ Bool boolean;
OptFrequency freq;
} ValueUnion;
--
GitLab