From ae88ffbba800058b3745a8c6cd5ae4c67c640236 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 22 May 2024 13:49:14 +0000 Subject: [PATCH] import CS tigervnc-1.13.1-10.el8 --- .gitignore | 2 +- .tigervnc.metadata | 2 +- ...add-new-keycodes-for-unknown-keysyms.patch | 199 ------------------ ...pointer-position-for-floating-device.patch | 13 ++ ...dont-install-appstream-metadata-file.patch | 51 +++++ ...rvnc-fix-ghost-cursor-in-zaphod-mode.patch | 117 ---------- ...fix-typo-in-mirror-monitor-detection.patch | 34 --- .../tigervnc-root-user-selinux-context.patch | 25 --- ...heck-when-cleaning-up-keymap-changes.patch | 28 --- ...llow-vncsession-create-vnc-directory.patch | 31 --- ...ontext-in-case-of-different-policies.patch | 81 ------- ...support-username-alias-in-plainusers.patch | 135 ++++++++++++ ...se-dup-to-get-available-fd-for-inetd.patch | 17 ++ SOURCES/vncserver | 12 +- SOURCES/xorg-CVE-2024-31083-followup.patch | 72 +++++++ ...posite-Fix-use-after-free-of-the-COW.patch | 42 ---- SPECS/tigervnc.spec | 180 ++++++++++------ 17 files changed, 416 insertions(+), 625 deletions(-) delete mode 100644 SOURCES/tigervnc-add-new-keycodes-for-unknown-keysyms.patch create mode 100644 SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch create mode 100644 SOURCES/tigervnc-dont-install-appstream-metadata-file.patch delete mode 100644 SOURCES/tigervnc-fix-ghost-cursor-in-zaphod-mode.patch delete mode 100644 SOURCES/tigervnc-fix-typo-in-mirror-monitor-detection.patch delete mode 100644 SOURCES/tigervnc-root-user-selinux-context.patch delete mode 100644 SOURCES/tigervnc-sanity-check-when-cleaning-up-keymap-changes.patch delete mode 100644 SOURCES/tigervnc-selinux-allow-vncsession-create-vnc-directory.patch delete mode 100644 SOURCES/tigervnc-selinux-restore-context-in-case-of-different-policies.patch create mode 100644 SOURCES/tigervnc-support-username-alias-in-plainusers.patch create mode 100644 SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch create mode 100644 SOURCES/xorg-CVE-2024-31083-followup.patch delete mode 100644 SOURCES/xorg-x11-server-composite-Fix-use-after-free-of-the-COW.patch diff --git a/.gitignore b/.gitignore index 4de86f8..7192365 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/tigervnc-1.12.0.tar.gz +SOURCES/tigervnc-1.13.1.tar.gz diff --git a/.tigervnc.metadata b/.tigervnc.metadata index 9dbf56a..a37349f 100644 --- a/.tigervnc.metadata +++ b/.tigervnc.metadata @@ -1 +1 @@ -44db63993d8ad04f730b0b48e8aca32933bff15a SOURCES/tigervnc-1.12.0.tar.gz +6f7a23f14833f552c88523da1a5e102f3b8d35c2 SOURCES/tigervnc-1.13.1.tar.gz diff --git a/SOURCES/tigervnc-add-new-keycodes-for-unknown-keysyms.patch b/SOURCES/tigervnc-add-new-keycodes-for-unknown-keysyms.patch deleted file mode 100644 index d4fd2b3..0000000 --- a/SOURCES/tigervnc-add-new-keycodes-for-unknown-keysyms.patch +++ /dev/null @@ -1,199 +0,0 @@ -From ccbd491fa48f1c43daeb1a6c5ee91a1a8fa3db88 Mon Sep 17 00:00:00 2001 -From: Jan Grulich -Date: Tue, 9 Aug 2022 14:31:07 +0200 -Subject: [PATCH] x0vncserver: add new keysym in case we don't find a matching - keycode - -We might often fail to find a matching X11 keycode when the client has -a different keyboard layout and end up with no key event. To avoid a -failure we add it as a new keysym/keycode pair so the next time a keysym -from the client that is unknown to the server is send, we will find a -match and proceed with key event. This is same behavior used in Xvnc or -x11vnc, although Xvnc has more advanced mapping from keysym to keycode. ---- - unix/x0vncserver/XDesktop.cxx | 121 +++++++++++++++++++++++++++++++++- - unix/x0vncserver/XDesktop.h | 4 ++ - 2 files changed, 122 insertions(+), 3 deletions(-) - -diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx -index f2046e43e..933998f05 100644 ---- a/unix/x0vncserver/XDesktop.cxx -+++ b/unix/x0vncserver/XDesktop.cxx -@@ -31,6 +31,7 @@ - #include - - #include -+#include - #ifdef HAVE_XTEST - #include - #endif -@@ -50,6 +51,7 @@ void vncSetGlueContext(Display *dpy, void *res); - #include - #include - -+using namespace std; - using namespace rfb; - - extern const unsigned short code_map_qnum_to_xorgevdev[]; -@@ -264,6 +266,9 @@ void XDesktop::start(VNCServer* vs) { - void XDesktop::stop() { - running = false; - -+ // Delete added keycodes -+ deleteAddedKeysyms(dpy); -+ - #ifdef HAVE_XDAMAGE - if (haveDamage) - XDamageDestroy(dpy, damage); -@@ -383,6 +388,118 @@ KeyCode XDesktop::XkbKeysymToKeycode(Display* dpy, KeySym keysym) { - } - #endif - -+KeyCode XDesktop::addKeysym(Display* dpy, KeySym keysym) -+{ -+ int types[1]; -+ unsigned int key; -+ XkbDescPtr xkb; -+ XkbMapChangesRec changes; -+ KeySym *syms; -+ KeySym upper, lower; -+ -+ xkb = XkbGetMap(dpy, XkbAllComponentsMask, XkbUseCoreKbd); -+ -+ if (!xkb) -+ return 0; -+ -+ for (key = xkb->max_key_code; key >= xkb->min_key_code; key--) { -+ if (XkbKeyNumGroups(xkb, key) == 0) -+ break; -+ } -+ -+ if (key < xkb->min_key_code) -+ return 0; -+ -+ memset(&changes, 0, sizeof(changes)); -+ -+ XConvertCase(keysym, &lower, &upper); -+ -+ if (upper == lower) -+ types[XkbGroup1Index] = XkbOneLevelIndex; -+ else -+ types[XkbGroup1Index] = XkbAlphabeticIndex; -+ -+ XkbChangeTypesOfKey(xkb, key, 1, XkbGroup1Mask, types, &changes); -+ -+ syms = XkbKeySymsPtr(xkb,key); -+ if (upper == lower) -+ syms[0] = keysym; -+ else { -+ syms[0] = lower; -+ syms[1] = upper; -+ } -+ -+ changes.changed |= XkbKeySymsMask; -+ changes.first_key_sym = key; -+ changes.num_key_syms = 1; -+ -+ if (XkbChangeMap(dpy, xkb, &changes)) { -+ vlog.info("Added unknown keysym %s to keycode %d", XKeysymToString(keysym), key); -+ addedKeysyms[keysym] = key; -+ return key; -+ } -+ -+ return 0; -+} -+ -+void XDesktop::deleteAddedKeysyms(Display* dpy) { -+ XkbDescPtr xkb; -+ xkb = XkbGetMap(dpy, XkbAllComponentsMask, XkbUseCoreKbd); -+ -+ if (!xkb) -+ return; -+ -+ XkbMapChangesRec changes; -+ memset(&changes, 0, sizeof(changes)); -+ -+ KeyCode lowestKeyCode = xkb->max_key_code; -+ KeyCode highestKeyCode = xkb->min_key_code; -+ std::map::iterator it; -+ for (it = addedKeysyms.begin(); it != addedKeysyms.end(); it++) { -+ if (XkbKeyNumGroups(xkb, it->second) != 0) { -+ // Check if we are removing keysym we added ourself -+ if (XkbKeysymToKeycode(dpy, it->first) != it->second) -+ continue; -+ -+ XkbChangeTypesOfKey(xkb, it->second, 0, XkbGroup1Mask, NULL, &changes); -+ -+ if (it->second < lowestKeyCode) -+ lowestKeyCode = it->second; -+ -+ if (it->second > highestKeyCode) -+ highestKeyCode = it->second; -+ } -+ } -+ -+ changes.changed |= XkbKeySymsMask; -+ changes.first_key_sym = lowestKeyCode; -+ changes.num_key_syms = highestKeyCode - lowestKeyCode + 1; -+ XkbChangeMap(dpy, xkb, &changes); -+ -+ addedKeysyms.clear(); -+} -+ -+KeyCode XDesktop::keysymToKeycode(Display* dpy, KeySym keysym) { -+ int keycode = 0; -+ -+ // XKeysymToKeycode() doesn't respect state, so we have to use -+ // something slightly more complex -+ keycode = XkbKeysymToKeycode(dpy, keysym); -+ -+ if (keycode != 0) -+ return keycode; -+ -+ // TODO: try to further guess keycode with all possible mods as Xvnc does -+ -+ keycode = addKeysym(dpy, keysym); -+ -+ if (keycode == 0) -+ vlog.error("Failure adding new keysym 0x%lx", keysym); -+ -+ return keycode; -+} -+ -+ - void XDesktop::keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down) { - #ifdef HAVE_XTEST - int keycode = 0; -@@ -398,9 +515,7 @@ void XDesktop::keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down) { - if (pressedKeys.find(keysym) != pressedKeys.end()) - keycode = pressedKeys[keysym]; - else { -- // XKeysymToKeycode() doesn't respect state, so we have to use -- // something slightly more complex -- keycode = XkbKeysymToKeycode(dpy, keysym); -+ keycode = keysymToKeycode(dpy, keysym); - } - } - -diff --git a/unix/x0vncserver/XDesktop.h b/unix/x0vncserver/XDesktop.h -index 840d43316..6ebcd9f8a 100644 ---- a/unix/x0vncserver/XDesktop.h -+++ b/unix/x0vncserver/XDesktop.h -@@ -55,6 +55,9 @@ class XDesktop : public rfb::SDesktop, - const char* userName); - virtual void pointerEvent(const rfb::Point& pos, int buttonMask); - KeyCode XkbKeysymToKeycode(Display* dpy, KeySym keysym); -+ KeyCode addKeysym(Display* dpy, KeySym keysym); -+ void deleteAddedKeysyms(Display* dpy); -+ KeyCode keysymToKeycode(Display* dpy, KeySym keysym); - virtual void keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down); - virtual void clientCutText(const char* str); - virtual unsigned int setScreenLayout(int fb_width, int fb_height, -@@ -78,6 +81,7 @@ class XDesktop : public rfb::SDesktop, - bool haveXtest; - bool haveDamage; - int maxButtons; -+ std::map addedKeysyms; - std::map pressedKeys; - bool running; - #ifdef HAVE_XDAMAGE diff --git a/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch b/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch new file mode 100644 index 0000000..3bf7dda --- /dev/null +++ b/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch @@ -0,0 +1,13 @@ +diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c +index b3d0926d..d36a096f 100644 +--- a/unix/xserver/hw/vnc/vncInput.c ++++ b/unix/xserver/hw/vnc/vncInput.c +@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y) + + void vncGetPointerPos(int *x, int *y) + { +- if (vncPointerDev != NULL) { ++ if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) { + ScreenPtr ptrScreen; + + miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY); diff --git a/SOURCES/tigervnc-dont-install-appstream-metadata-file.patch b/SOURCES/tigervnc-dont-install-appstream-metadata-file.patch new file mode 100644 index 0000000..84bdbfc --- /dev/null +++ b/SOURCES/tigervnc-dont-install-appstream-metadata-file.patch @@ -0,0 +1,51 @@ +diff --git a/po/CMakeLists.txt b/po/CMakeLists.txt +index 052cfb3..c84fb0e 100644 +--- a/po/CMakeLists.txt ++++ b/po/CMakeLists.txt +@@ -14,7 +14,6 @@ if (GETTEXT_XGETTEXT_EXECUTABLE) + ${PROJECT_SOURCE_DIR}/vncviewer/*.h + ${PROJECT_SOURCE_DIR}/vncviewer/*.cxx + ${PROJECT_SOURCE_DIR}/vncviewer/*.desktop.in.in +- ${PROJECT_SOURCE_DIR}/vncviewer/*.metainfo.xml.in + ) + + add_custom_target(translations_update +diff --git a/vncviewer/CMakeLists.txt b/vncviewer/CMakeLists.txt +index 15eac66..450b732 100644 +--- a/vncviewer/CMakeLists.txt ++++ b/vncviewer/CMakeLists.txt +@@ -100,34 +100,6 @@ if(UNIX) + add_custom_target(desktop ALL DEPENDS vncviewer.desktop) + install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncviewer.desktop DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/applications) + +- if("${GETTEXT_VERSION_STRING}" VERSION_GREATER 0.19.6) +- add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml +- COMMAND ${GETTEXT_MSGFMT_EXECUTABLE} +- --xml --template ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in +- -d ${CMAKE_SOURCE_DIR}/po -o org.tigervnc.vncviewer.metainfo.xml +- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in +- ) +- elseif(INTLTOOL_MERGE_EXECUTABLE) +- add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml +- COMMAND sed -e 's@@<_name>@\;s@@@' +- -e 's@@<_summary>@\;s@@@' +- -e 's@@<_caption>@\;s@@@' +- -e 's@

@<_p>@g\;s@

@@g' +- ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in > org.tigervnc.vncviewer.metainfo.xml.intl +- COMMAND ${INTLTOOL_MERGE_EXECUTABLE} +- -x ${CMAKE_SOURCE_DIR}/po +- org.tigervnc.vncviewer.metainfo.xml.intl org.tigervnc.vncviewer.metainfo.xml +- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in +- ) +- else() +- add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml +- COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in org.tigervnc.vncviewer.metainfo.xml +- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in +- ) +- endif() +- add_custom_target(appstream ALL DEPENDS org.tigervnc.vncviewer.metainfo.xml) +- install(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.tigervnc.vncviewer.metainfo.xml DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/metainfo) +- + foreach(res 16 22 24 32 48 64 128) + install(FILES ../media/icons/tigervnc_${res}.png DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/icons/hicolor/${res}x${res}/apps RENAME tigervnc.png) + endforeach() diff --git a/SOURCES/tigervnc-fix-ghost-cursor-in-zaphod-mode.patch b/SOURCES/tigervnc-fix-ghost-cursor-in-zaphod-mode.patch deleted file mode 100644 index 8e45eb6..0000000 --- a/SOURCES/tigervnc-fix-ghost-cursor-in-zaphod-mode.patch +++ /dev/null @@ -1,117 +0,0 @@ -From f783d5c8b567199178b6690f347e060a69d2aa36 Mon Sep 17 00:00:00 2001 -From: Jan Grulich -Date: Thu, 11 Aug 2022 13:15:29 +0200 -Subject: [PATCH] x0vncserver: update/display cursor only on correct screen in - zaphod mode - -We have to check whether we update cursor position/shape only in case -the cursor is on our display, otherwise in zaphod mode, ie. when having -two instances of x0vncserver on screens :0.0 and :0.1 we would be having -the cursor duplicated and actually not funcional (aka ghost cursor) as -it would be actually not present. We also additionally watch EnterNotify -and LeaveNotify events in order to show/hide cursor accordingly. - -Change made with help from Olivier Fourdan ---- - unix/x0vncserver/XDesktop.cxx | 60 +++++++++++++++++++++++++++++++---- - 1 file changed, 53 insertions(+), 7 deletions(-) - -diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx -index f2046e43e..f07fd78bf 100644 ---- a/unix/x0vncserver/XDesktop.cxx -+++ b/unix/x0vncserver/XDesktop.cxx -@@ -192,7 +192,8 @@ XDesktop::XDesktop(Display* dpy_, Geometry *geometry_) - RRScreenChangeNotifyMask | RRCrtcChangeNotifyMask); - /* Override TXWindow::init input mask */ - XSelectInput(dpy, DefaultRootWindow(dpy), -- PropertyChangeMask | StructureNotifyMask | ExposureMask); -+ PropertyChangeMask | StructureNotifyMask | -+ ExposureMask | EnterWindowMask | LeaveWindowMask); - } else { - #endif - vlog.info("RANDR extension not present"); -@@ -217,11 +218,13 @@ void XDesktop::poll() { - Window root, child; - int x, y, wx, wy; - unsigned int mask; -- XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child, -- &x, &y, &wx, &wy, &mask); -- x -= geometry->offsetLeft(); -- y -= geometry->offsetTop(); -- server->setCursorPos(rfb::Point(x, y), false); -+ -+ if (XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child, -+ &x, &y, &wx, &wy, &mask)) { -+ x -= geometry->offsetLeft(); -+ y -= geometry->offsetTop(); -+ server->setCursorPos(rfb::Point(x, y), false); -+ } - } - } - -@@ -253,7 +256,14 @@ void XDesktop::start(VNCServer* vs) { - #endif - - #ifdef HAVE_XFIXES -- setCursor(); -+ Window root, child; -+ int x, y, wx, wy; -+ unsigned int mask; -+ // Check whether the cursor is initially on our screen -+ if (XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child, -+ &x, &y, &wx, &wy, &mask)) -+ setCursor(); -+ - #endif - - server->setLEDState(ledState); -@@ -701,6 +711,15 @@ bool XDesktop::handleGlobalEvent(XEvent* ev) { - if (cev->subtype != XFixesDisplayCursorNotify) - return false; - -+ Window root, child; -+ int x, y, wx, wy; -+ unsigned int mask; -+ -+ // Check whether the cursor is initially on our screen -+ if (!XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child, -+ &x, &y, &wx, &wy, &mask)) -+ return false; -+ - return setCursor(); - #endif - #ifdef HAVE_XRANDR -@@ -753,6 +772,33 @@ bool XDesktop::handleGlobalEvent(XEvent* ev) { - - return true; - #endif -+#ifdef HAVE_XFIXES -+ } else if (ev->type == EnterNotify) { -+ XCrossingEvent* cev; -+ -+ if (!running) -+ return true; -+ -+ cev = (XCrossingEvent*)ev; -+ -+ if (cev->window != cev->root) -+ return false; -+ -+ return setCursor(); -+ } else if (ev->type == LeaveNotify) { -+ XCrossingEvent* cev; -+ -+ if (!running) -+ return true; -+ -+ cev = (XCrossingEvent*)ev; -+ -+ if (cev->window == cev->root) -+ return false; -+ -+ server->setCursor(0, 0, Point(), NULL); -+ return true; -+#endif - } - - return false; diff --git a/SOURCES/tigervnc-fix-typo-in-mirror-monitor-detection.patch b/SOURCES/tigervnc-fix-typo-in-mirror-monitor-detection.patch deleted file mode 100644 index 9076432..0000000 --- a/SOURCES/tigervnc-fix-typo-in-mirror-monitor-detection.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 2daf4126882f82b6e392dfbae87205dbdc559c3d Mon Sep 17 00:00:00 2001 -From: Pierre Ossman -Date: Thu, 23 Dec 2021 15:58:00 +0100 -Subject: [PATCH] Fix typo in mirror monitor detection - -Bug introduced in fb561eb but still somehow passed manual testing. -Resulted in some stray reads off the end of the stack, which were -hopefully harmless. ---- - vncviewer/MonitorIndicesParameter.cxx | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/vncviewer/MonitorIndicesParameter.cxx b/vncviewer/MonitorIndicesParameter.cxx -index 5130831cb..4ac74dd1a 100644 ---- a/vncviewer/MonitorIndicesParameter.cxx -+++ b/vncviewer/MonitorIndicesParameter.cxx -@@ -211,13 +211,13 @@ std::vector MonitorIndicesParameter::fetchMoni - // Only keep a single entry for mirrored screens - match = false; - for (int j = 0; j < ((int) monitors.size()); j++) { -- if (monitors[i].x != monitor.x) -+ if (monitors[j].x != monitor.x) - continue; -- if (monitors[i].y != monitor.y) -+ if (monitors[j].y != monitor.y) - continue; -- if (monitors[i].w != monitor.w) -+ if (monitors[j].w != monitor.w) - continue; -- if (monitors[i].h != monitor.h) -+ if (monitors[j].h != monitor.h) - continue; - - match = true; diff --git a/SOURCES/tigervnc-root-user-selinux-context.patch b/SOURCES/tigervnc-root-user-selinux-context.patch deleted file mode 100644 index 67f035f..0000000 --- a/SOURCES/tigervnc-root-user-selinux-context.patch +++ /dev/null @@ -1,25 +0,0 @@ -From faf81b4b238e24fe29eb53f885a25367e212dd7b Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 7 Feb 2022 10:45:41 +0100 -Subject: [PATCH] SELinux: use /root/.vnc in file context specification - -Instead of HOME_ROOT/.vnc, /root/.vnc should be used -for user root's home to specify default file context -as HOME_ROOT actually means base for home dirs (usually /home). ---- - unix/vncserver/selinux/vncsession.fc | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc -index 6aaf4b1f4..bc81f8f25 100644 ---- a/unix/vncserver/selinux/vncsession.fc -+++ b/unix/vncserver/selinux/vncsession.fc -@@ -18,7 +18,7 @@ - # - - HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0) --HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0) -+/root/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0) - - /usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0) - /usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0) diff --git a/SOURCES/tigervnc-sanity-check-when-cleaning-up-keymap-changes.patch b/SOURCES/tigervnc-sanity-check-when-cleaning-up-keymap-changes.patch deleted file mode 100644 index 012a741..0000000 --- a/SOURCES/tigervnc-sanity-check-when-cleaning-up-keymap-changes.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 774c6bcf33b5c9b94c1ff12895775e77c555decc Mon Sep 17 00:00:00 2001 -From: Pierre Ossman -Date: Thu, 9 Feb 2023 11:30:37 +0100 -Subject: [PATCH] Sanity check when cleaning up keymap changes - -Make sure we don't send a bogus request to the X server in the (common) -case that we don't actually have anything to restore. - -(cherry picked from commit 1e3484f2017f038dd5149cd50741feaf39a680e4) ---- - unix/x0vncserver/XDesktop.cxx | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx -index d5c6b2db9..f9c810968 100644 ---- a/unix/x0vncserver/XDesktop.cxx -+++ b/unix/x0vncserver/XDesktop.cxx -@@ -481,6 +481,10 @@ void XDesktop::deleteAddedKeysyms(Display* dpy) { - } - } - -+ // Did we actually find something to remove? -+ if (highestKeyCode < lowestKeyCode) -+ return; -+ - changes.changed |= XkbKeySymsMask; - changes.first_key_sym = lowestKeyCode; - changes.num_key_syms = highestKeyCode - lowestKeyCode + 1; diff --git a/SOURCES/tigervnc-selinux-allow-vncsession-create-vnc-directory.patch b/SOURCES/tigervnc-selinux-allow-vncsession-create-vnc-directory.patch deleted file mode 100644 index d6bc61b..0000000 --- a/SOURCES/tigervnc-selinux-allow-vncsession-create-vnc-directory.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 717d787de8f913070446444e37d552b51f05515e Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 16 Jan 2023 12:35:40 +0100 -Subject: [PATCH] SELinux: Allow vncsession create ~/.vnc directory - -Addresses the following AVC denial: - -type=PROCTITLE msg=audit(01/12/2023 02:58:12.648:696) : proctitle=/usr/sbin/vncsession fedora :1 -type=PATH msg=audit(01/12/2023 02:58:12.648:696) : item=1 name=/home/fedora/.vnc nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=PATH msg=audit(01/12/2023 02:58:12.648:696) : item=0 name=/home/fedora/ inode=262145 dev=fc:02 mode=dir,700 ouid=fedora ogid=fedora rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=CWD msg=audit(01/12/2023 02:58:12.648:696) : cwd=/home/fedora -type=SYSCALL msg=audit(01/12/2023 02:58:12.648:696) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x7fff47d52540 a1=0755 a2=0x0 a3=0x0 items=2 ppid=2869 pid=2880 auid=fedora uid=fedora gid=fedora euid=fedora suid=fedora fsuid=fedora egid=fedora sgid=fedora fsgid=fedora tty=(none) ses=8 comm=vncsession exe=/usr/sbin/vncsession subj=system_u:system_r:vnc_session_t:s0 key=(null) -type=AVC msg=audit(01/12/2023 02:58:12.648:696) : avc: denied { create } for pid=2880 comm=vncsession name=.vnc scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:vnc_home_t:s0 tclass=dir permissive=0 - -Resolves: rhbz#2143704 ---- - unix/vncserver/selinux/vncsession.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te -index fb966c14b..680be8ea1 100644 ---- a/unix/vncserver/selinux/vncsession.te -+++ b/unix/vncserver/selinux/vncsession.te -@@ -37,6 +37,7 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms; - allow vnc_session_t vnc_session_var_run_t:file manage_file_perms; - files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file) - -+create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t) - manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t) - manage_fifo_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t) - manage_sock_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t) diff --git a/SOURCES/tigervnc-selinux-restore-context-in-case-of-different-policies.patch b/SOURCES/tigervnc-selinux-restore-context-in-case-of-different-policies.patch deleted file mode 100644 index 48b3a2e..0000000 --- a/SOURCES/tigervnc-selinux-restore-context-in-case-of-different-policies.patch +++ /dev/null @@ -1,81 +0,0 @@ -From d2d52704624ce841f4a392fccd82079d87ff13b6 Mon Sep 17 00:00:00 2001 -From: Jan Grulich -Date: Thu, 11 Nov 2021 13:52:41 +0100 -Subject: [PATCH] SELinux: restore SELinux context in case of different - policies - ---- - CMakeLists.txt | 13 +++++++++++++ - unix/vncserver/CMakeLists.txt | 2 +- - unix/vncserver/vncsession.c | 16 ++++++++++++++++ - 3 files changed, 30 insertions(+), 1 deletion(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 50247c7da..1708eb3d8 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -268,6 +268,19 @@ if(UNIX AND NOT APPLE) - endif() - endif() - -+# Check for SELinux library -+if(UNIX AND NOT APPLE) -+ check_include_files(selinux/selinux.h HAVE_SELINUX_H) -+ if(HAVE_SELINUX_H) -+ set(CMAKE_REQUIRED_LIBRARIES -lselinux) -+ set(CMAKE_REQUIRED_LIBRARIES) -+ set(SELINUX_LIBS selinux) -+ add_definitions("-DHAVE_SELINUX") -+ else() -+ message(WARNING "Could not find SELinux development files") -+ endif() -+endif() -+ - # Generate config.h and make sure the source finds it - configure_file(config.h.in config.h) - add_definitions(-DHAVE_CONFIG_H) -diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt -index f65ccc7db..ae69dc098 100644 ---- a/unix/vncserver/CMakeLists.txt -+++ b/unix/vncserver/CMakeLists.txt -@@ -1,5 +1,5 @@ - add_executable(vncsession vncsession.c) --target_link_libraries(vncsession ${PAM_LIBS}) -+target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS}) - - configure_file(vncserver@.service.in vncserver@.service @ONLY) - configure_file(vncsession-start.in vncsession-start @ONLY) -diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c -index 3573e5e9b..f6d2fd59e 100644 ---- a/unix/vncserver/vncsession.c -+++ b/unix/vncserver/vncsession.c -@@ -37,6 +37,11 @@ - #include - #include - -+#ifdef HAVE_SELINUX -+#include -+#include -+#endif -+ - extern char **environ; - - // PAM service name -@@ -360,6 +365,17 @@ redir_stdio(const char *homedir, const char *display) - syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno)); - _exit(EX_OSERR); - } -+ -+#ifdef HAVE_SELINUX -+ int result; -+ if (selinux_file_context_verify(logfile, 0) == 0) { -+ result = selinux_restorecon(logfile, SELINUX_RESTORECON_RECURSE); -+ -+ if (result < 0) { -+ syslog(LOG_WARNING, "Failure restoring SELinux context for \"%s\": %s", logfile, strerror(errno)); -+ } -+ } -+#endif - } - - hostlen = sysconf(_SC_HOST_NAME_MAX); diff --git a/SOURCES/tigervnc-support-username-alias-in-plainusers.patch b/SOURCES/tigervnc-support-username-alias-in-plainusers.patch new file mode 100644 index 0000000..abf4eda --- /dev/null +++ b/SOURCES/tigervnc-support-username-alias-in-plainusers.patch @@ -0,0 +1,135 @@ +diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx +index 6f65e87..3142ba3 100644 +--- a/common/rfb/SSecurityPlain.cxx ++++ b/common/rfb/SSecurityPlain.cxx +@@ -27,6 +27,8 @@ + #include + #if !defined(WIN32) && !defined(__APPLE__) + #include ++#include ++#include + #endif + #ifdef WIN32 + #include +@@ -45,21 +47,22 @@ StringParameter PasswordValidator::plainUsers + + bool PasswordValidator::validUser(const char* username) + { +- CharArray users(plainUsers.getValueStr()), user; ++ std::vector users; + +- while (users.buf) { +- strSplit(users.buf, ',', &user.buf, &users.buf); +-#ifdef WIN32 +- if (0 == stricmp(user.buf, "*")) +- return true; +- if (0 == stricmp(user.buf, username)) +- return true; +-#else +- if (!strcmp(user.buf, "*")) +- return true; +- if (!strcmp(user.buf, username)) +- return true; ++ users = split(plainUsers, ','); ++ ++ for (size_t i = 0; i < users.size(); i++) { ++ if (users[i] == "*") ++ return true; ++#if !defined(WIN32) && !defined(__APPLE__) ++ if (users[i] == "%u") { ++ struct passwd *pw = getpwnam(username); ++ if (pw && pw->pw_uid == getuid()) ++ return true; ++ } + #endif ++ if (users[i] == username) ++ return true; + } + return false; + } +diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx +index 649eb0b..cce73a0 100644 +--- a/common/rfb/util.cxx ++++ b/common/rfb/util.cxx +@@ -99,6 +99,26 @@ namespace rfb { + return false; + } + ++ std::vector split(const char* src, ++ const char delimiter) ++ { ++ std::vector out; ++ const char *start, *stop; ++ ++ start = src; ++ do { ++ stop = strchr(start, delimiter); ++ if (stop == NULL) { ++ out.push_back(start); ++ } else { ++ out.push_back(std::string(start, stop-start)); ++ start = stop + 1; ++ } ++ } while (stop != NULL); ++ ++ return out; ++ } ++ + bool strContains(const char* src, char c) { + int l=strlen(src); + for (int i=0; i + #include + ++#include ++#include ++ + struct timeval; + + #ifdef __GNUC__ +@@ -76,6 +79,10 @@ namespace rfb { + // that part of the string. Obviously, setting both to 0 is not useful... + bool strSplit(const char* src, const char limiter, char** out1, char** out2, bool fromEnd=false); + ++ // Splits a string with the specified delimiter ++ std::vector split(const char* src, ++ const char delimiter); ++ + // Returns true if src contains c + bool strContains(const char* src, char c); + +diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man +index c36ae34..78db730 100644 +--- a/unix/x0vncserver/x0vncserver.man ++++ b/unix/x0vncserver/x0vncserver.man +@@ -125,8 +125,8 @@ parameter instead. + .B \-PlainUsers \fIuser-list\fP + A comma separated list of user names that are allowed to authenticate via + any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP +-to allow any user to authenticate using this security type. Default is to +-deny all users. ++to allow any user to authenticate using this security type. Specify \fB%u\fP ++to allow the user of the server process. Default is to deny all users. + . + .TP + .B \-pam_service \fIname\fP, \-PAMService \fIname\fP +diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man +index ea87dea..e9fb654 100644 +--- a/unix/xserver/hw/vnc/Xvnc.man ++++ b/unix/xserver/hw/vnc/Xvnc.man +@@ -200,8 +200,8 @@ parameter instead. + .B \-PlainUsers \fIuser-list\fP + A comma separated list of user names that are allowed to authenticate via + any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP +-to allow any user to authenticate using this security type. Default is to +-deny all users. ++to allow any user to authenticate using this security type. Specify \fB%u\fP ++to allow the user of the server process. Default is to deny all users. + . + .TP + .B \-pam_service \fIname\fP, \-PAMService \fIname\fP diff --git a/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch b/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch new file mode 100644 index 0000000..0e0f794 --- /dev/null +++ b/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch @@ -0,0 +1,17 @@ +diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c +index f8141959..c5c36539 100644 +--- a/unix/xserver/hw/vnc/xvnc.c ++++ b/unix/xserver/hw/vnc/xvnc.c +@@ -366,8 +366,10 @@ ddxProcessArgument(int argc, char *argv[], int i) + if (strcmp(argv[i], "-inetd") == 0) { + int nullfd; + +- dup2(0, 3); +- vncInetdSock = 3; ++ if ((vncInetdSock = dup(0)) == -1) ++ FatalError ++ ("Xvnc error: failed to allocate a new file descriptor for -inetd: %s\n", strerror(errno)); ++ + + /* Avoid xserver >= 1.19's epoll-fd becoming fd 2 / stderr only to be + replaced by /dev/null by OsInit() because the pollfd is not diff --git a/SOURCES/vncserver b/SOURCES/vncserver index 3bc8d3a..79b1509 100644 --- a/SOURCES/vncserver +++ b/SOURCES/vncserver @@ -121,7 +121,7 @@ if ($fontPath eq "") { # Check command line options &ParseOptions("-geometry",1,"-depth",1,"-pixelformat",1,"-name",1,"-kill",1, - "-help",0,"-h",0,"--help",0,"-fp",1,"-list",0,"-fg",0,"-autokill",0,"-noxstartup",0,"-xstartup",1); + "-help",0,"-h",0,"--help",0,"-fp",1,"-list",0,"-fg",0,"-autokill",0,"-noxstartup",0,"-xstartup",1,"-fallbacktofreeport",0); &Usage() if ($opt{'-help'} || $opt{'-h'} || $opt{'--help'}); @@ -168,8 +168,13 @@ if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) { $displayNumber = $1; shift(@ARGV); if (!&CheckDisplayNumber($displayNumber)) { - warn "A VNC server is already running as :$displayNumber\n"; - $displayNumber = &GetDisplayNumber(); + if ($opt{'-fallbacktofreeport'}) { + warn "A VNC server is already running as :$displayNumber\n"; + $displayNumber = &GetDisplayNumber(); + warn "Using port :$displayNumber as fallback\n"; + } else { + die "A VNC server is already running as :$displayNumber\n"; + } } } elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) { &Usage(); @@ -675,6 +680,7 @@ sub Usage " [-autokill]\n". " [-noxstartup]\n". " [-xstartup ]\n". + " [-fallbacktofreeport]\n". " ...\n\n". " $prog -kill \n\n". " $prog -list\n\n"); diff --git a/SOURCES/xorg-CVE-2024-31083-followup.patch b/SOURCES/xorg-CVE-2024-31083-followup.patch new file mode 100644 index 0000000..549f90a --- /dev/null +++ b/SOURCES/xorg-CVE-2024-31083-followup.patch @@ -0,0 +1,72 @@ +From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 5 Apr 2024 15:24:49 +0200 +Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs() + +ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and +then frees it using FreeGlyph() to decrease the reference count, after +AddGlyph() has increased it. + +AddGlyph() however may chose to reuse an existing glyph if it's already +in the glyphSet, and free the glyph that was given, in which case the +caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an +already freed glyph, as reported by ASan: + + READ of size 4 thread T0 + #0 in FreeGlyph xserver/render/glyph.c:252 + #1 in ProcRenderAddGlyphs xserver/render/render.c:1174 + #2 in Dispatch xserver/dix/dispatch.c:546 + #3 in dix_main xserver/dix/main.c:271 + #4 in main xserver/dix/stubmain.c:34 + #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #6 in __libc_start_main_impl ../csu/libc-start.c:360 + #7 (/usr/bin/Xwayland+0x44fe4) + Address is located 0 bytes inside of 64-byte region + freed by thread T0 here: + #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52 + #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538 + #2 in AddGlyph xserver/render/glyph.c:295 + #3 in ProcRenderAddGlyphs xserver/render/render.c:1173 + #4 in Dispatch xserver/dix/dispatch.c:546 + #5 in dix_main xserver/dix/main.c:271 + #6 in main xserver/dix/stubmain.c:34 + #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + previously allocated by thread T0 here: + #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69 + #1 in AllocateGlyph xserver/render/glyph.c:355 + #2 in ProcRenderAddGlyphs xserver/render/render.c:1085 + #3 in Dispatch xserver/dix/dispatch.c:546 + #4 in dix_main xserver/dix/main.c:271 + #5 in main xserver/dix/stubmain.c:34 + #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph + +To avoid that, make sure not to free the given glyph in AddGlyph(). + +v2: Simplify the test using the boolean returned from AddGlyph() (Michel) +v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter) + +Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs +Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659 +Signed-off-by: Olivier Fourdan +Part-of: +--- + render/glyph.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/render/glyph.c b/render/glyph.c +index 13991f8a1..5fa7f3b5b 100644 +--- a/render/glyph.c ++++ b/render/glyph.c +@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id) + gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature, + TRUE, glyph->sha1); + if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) { +- FreeGlyphPicture(glyph); +- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH); + glyph = gr->glyph; + } + else if (gr->glyph != glyph) { +-- +2.44.0 + diff --git a/SOURCES/xorg-x11-server-composite-Fix-use-after-free-of-the-COW.patch b/SOURCES/xorg-x11-server-composite-Fix-use-after-free-of-the-COW.patch deleted file mode 100644 index ee1ae7b..0000000 --- a/SOURCES/xorg-x11-server-composite-Fix-use-after-free-of-the-COW.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 947bd1b3f4a23565bf10879ec41ba06ebe1e1c76 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Mon, 13 Mar 2023 11:08:47 +0100 -Subject: [PATCH xserver] composite: Fix use-after-free of the COW - -ZDI-CAN-19866/CVE-2023-1393 - -If a client explicitly destroys the compositor overlay window (aka COW), -we would leave a dangling pointer to that window in the CompScreen -structure, which will trigger a use-after-free later. - -Make sure to clear the CompScreen pointer to the COW when the latter gets -destroyed explicitly by the client. - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Signed-off-by: Olivier Fourdan -Reviewed-by: Adam Jackson ---- - composite/compwindow.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/composite/compwindow.c b/composite/compwindow.c -index 4e2494b86..b30da589e 100644 ---- a/composite/compwindow.c -+++ b/composite/compwindow.c -@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin) - ret = (*pScreen->DestroyWindow) (pWin); - cs->DestroyWindow = pScreen->DestroyWindow; - pScreen->DestroyWindow = compDestroyWindow; -+ -+ /* Did we just destroy the overlay window? */ -+ if (pWin == cs->pOverlayWin) -+ cs->pOverlayWin = NULL; -+ - /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/ - return ret; - } --- -2.40.0 - diff --git a/SPECS/tigervnc.spec b/SPECS/tigervnc.spec index e166d04..134b98a 100644 --- a/SPECS/tigervnc.spec +++ b/SPECS/tigervnc.spec @@ -4,8 +4,8 @@ %global modulename vncsession Name: tigervnc -Version: 1.12.0 -Release: 15%{?dist} +Version: 1.13.1 +Release: 10%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1 @@ -21,50 +21,73 @@ Source3: 10-libvnc.conf # Backwards compatibility Source5: vncserver +# Downstream patches Patch1: tigervnc-use-gnome-as-default-session.patch +Patch2: tigervnc-vncsession-restore-script-systemd-service.patch +Patch3: tigervnc-dont-install-appstream-metadata-file.patch # Upstream patches -Patch50: tigervnc-selinux-restore-context-in-case-of-different-policies.patch -Patch51: tigervnc-fix-typo-in-mirror-monitor-detection.patch -Patch52: tigervnc-root-user-selinux-context.patch -Patch53: tigervnc-vncsession-restore-script-systemd-service.patch -# https://github.com/TigerVNC/tigervnc/pull/1513 -Patch54: tigervnc-fix-ghost-cursor-in-zaphod-mode.patch -# https://github.com/TigerVNC/tigervnc/pull/1510 -Patch55: tigervnc-add-new-keycodes-for-unknown-keysyms.patch -Patch56: tigervnc-sanity-check-when-cleaning-up-keymap-changes.patch -Patch57: tigervnc-selinux-allow-vncsession-create-vnc-directory.patch +Patch50: tigervnc-support-username-alias-in-plainusers.patch +Patch51: tigervnc-use-dup-to-get-available-fd-for-inetd.patch + +# Upstreamable patches +Patch80: tigervnc-dont-get-pointer-position-for-floating-device.patch # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg Patch100: tigervnc-xserver120.patch # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start Patch101: 0001-rpath-hack.patch -# CVE-2023-1393 tigervnc: xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability -Patch110: xorg-x11-server-composite-Fix-use-after-free-of-the-COW.patch +# XServer patches +Patch200: xorg-CVE-2024-31083-followup.patch +BuildRequires: make BuildRequires: gcc-c++ -BuildRequires: libX11-devel, automake, autoconf, libtool, gettext, gettext-autopoint -BuildRequires: libXext-devel, xorg-x11-server-source, libXi-devel -BuildRequires: xorg-x11-xtrans-devel, xorg-x11-util-macros, libXtst-devel -BuildRequires: libxkbfile-devel, openssl-devel, libpciaccess-devel -BuildRequires: mesa-libGL-devel, libXinerama-devel, xorg-x11-font-utils -BuildRequires: freetype-devel, libXdmcp-devel, libxshmfence-devel -BuildRequires: libjpeg-turbo-devel, gnutls-devel, pam-devel -BuildRequires: libdrm-devel, libXt-devel, pixman-devel -BuildRequires: systemd, cmake, desktop-file-utils -BuildRequires: libselinux-devel, selinux-policy-devel -BuildRequires: libXfixes-devel, libXdamage-devel, libXrandr-devel -%if 0%{?fedora} > 24 || 0%{?rhel} >= 7 -BuildRequires: libXfont2-devel -%else -BuildRequires: libXfont-devel -%endif +BuildRequires: gettext +BuildRequires: cmake + +BuildRequires: gnutls-devel +BuildRequires: desktop-file-utils +BuildRequires: libappstream-glib +BuildRequires: libjpeg-turbo-devel +BuildRequires: openssl-devel +BuildRequires: pam-devel +BuildRequires: zlib-devel # TigerVNC 1.4.x requires fltk 1.3.3 for keyboard handling support # See https://github.com/TigerVNC/tigervnc/issues/8, also bug #1208814 BuildRequires: fltk-devel >= 1.3.3 +BuildRequires: libX11-devel +BuildRequires: libXext-devel +BuildRequires: libXi-devel +BuildRequires: libXrandr-devel +BuildRequires: libXrender-devel +BuildRequires: pixman-devel + +# X11/graphics dependencies +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: gettext-autopoint +BuildRequires: libXdamage-devel +BuildRequires: libXdmcp-devel +BuildRequires: libXfixes-devel +BuildRequires: libXfont2-devel +BuildRequires: libXinerama-devel +BuildRequires: libXt-devel +BuildRequires: libXtst-devel +BuildRequires: libdrm-devel +BuildRequires: libtool +BuildRequires: libxkbfile-devel +BuildRequires: libxshmfence-devel +BuildRequires: mesa-libGL-devel +BuildRequires: xorg-x11-font-utils BuildRequires: xorg-x11-server-devel +BuildRequires: xorg-x11-server-source +BuildRequires: xorg-x11-util-macros +BuildRequires: xorg-x11-xtrans-devel + +# SELinux +BuildRequires: libselinux-devel, selinux-policy-devel, systemd Requires(post): coreutils Requires(postun):coreutils @@ -164,20 +187,19 @@ for all in `find . -type f -perm -001`; do done %patch100 -p1 -b .xserver120-rebased %patch101 -p1 -b .rpath -%patch110 -p1 -b .composite-Fix-use-after-free-of-the-COW +%patch200 -p1 -b .xorg-CVE-2024-31083-followup popd %patch1 -p1 -b .use-gnome-as-default-session +%patch2 -p1 -b .vncsession-restore-script-systemd-service +%patch3 -p1 -b .dont-install-appstream-metadata-file.patch # Upstream patches -%patch50 -p1 -b .selinux-restore-context-in-case-of-different-policies -%patch51 -p1 -b .fix-typo-in-mirror-monitor-detection -%patch52 -p1 -b .root-user-selinux-context -%patch53 -p1 -b .vncsession-restore-script-systemd-service -%patch54 -p1 -b .fix-ghost-cursor-in-zaphod-mode -%patch55 -p1 -b .add-new-keycodes-for-unknown-keysyms -%patch56 -p1 -b .sanity-check-when-cleaning-up-keymap-changes -%patch57 -p1 -b .selinux-allow-vncsession-create-vnc-directory +%patch50 -p1 -b .support-username-alias-in-plainusers +%patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd + +# Upstreamable patches +%patch80 -p1 -b .dont-get-pointer-position-for-floating-device %build %ifarch sparcv9 sparc64 s390 s390x @@ -243,7 +265,7 @@ install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket mkdir -p %{buildroot}%{_datadir}/icons/hicolor/{16x16,24x24,48x48}/apps pushd media/icons -for s in 16 24 48; do +for s in 16 22 24 32 48 64 128; do install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps/tigervnc.png done popd @@ -329,36 +351,68 @@ fi %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* -%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %changelog -*Mon Mar 27 2023 Jan Grulich - 1.12.0-15 -- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability - Resolves: bz#2180305 +* Mon Apr 15 2024 Jan Grulich - 1.13.1-10 +- Drop patches that are already part of xorg-x11-server + Resolves: RHEL-30755 + Resolves: RHEL-30767 + Resolves: RHEL-30761 -* Tue Feb 21 2023 Jan Grulich - 1.12.0-14 -- SELinux: allow vncsession create .vnc directory - Resolves: bz#2164704 +* Thu Apr 04 2024 Jan Grulich - 1.13.1-9 +- Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents + Resolves: RHEL-30755 +- Fix CVE-2024-31083 tigervnc: xorg-x11-server: User-after-free in ProcRenderAddGlyphs + Resolves: RHEL-30767 +- Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice + Resolves: RHEL-30761 -* Wed Feb 15 2023 Jan Grulich - 1.12.0-13 -- Add sanity check when cleaning up keymap changes - Resolves: bz#2169960 +* Wed Feb 07 2024 Jan Grulich - 1.13.1-8 +- Fix copy/paste error in the DeviceStateNotify + Resolves: RHEL-20530 -* Mon Feb 06 2023 Jan Grulich - 1.12.0-12 -- xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation - Resolves: bz#2167058 +* Mon Jan 22 2024 Jan Grulich - 1.13.1-7 +- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice + Resolves: RHEL-20388 +- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent + Resolves: RHEL-20382 +- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access + Resolves: RHEL-20530 +- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer + Resolves: RHEL-21214 -* Tue Dec 20 2022 Tomas Popela - 1.12.0-11 -- Rebuild for xorg-x11-server CVE-2022-46340 follow up fix +* Mon Jan 08 2024 Jan Grulich - 1.13.1-6 +- Use dup() to get available file descriptor when using -inetd option + Resolves: RHEL-21000 -* Fri Dec 16 2022 Jan Grulich - 1.12.0-10 -- Rebuild for xorg-x11-server CVEs - Resolves: CVE-2022-4283 (bz#2154233) - Resolves: CVE-2022-46340 (bz#2154220) - Resolves: CVE-2022-46341 (bz#2154223) - Resolves: CVE-2022-46342 (bz#2154225) - Resolves: CVE-2022-46343 (bz#2154227) - Resolves: CVE-2022-46344 (bz#2154229) +* Mon Dec 18 2023 Jan Grulich - 1.13.1-5 +- Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions + Resolves: RHEL-18410 +- Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty + Resolves: RHEL-18422 + +* Wed Nov 01 2023 Jan Grulich - 1.13.1-4 +- Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow + Resolves: RHEL-15236 + +- Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty + Resolves: RHEL-15230 + +* Mon Oct 09 2023 Jan Grulich - 1.13.1-3 +- Support username alias in PlainUsers + Resolves: RHEL-4258 + +* Tue Apr 11 2023 Jan Grulich - 1.13.1-2 +- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege + Escalation Vulnerability + Resolves: bz#2180306 + +* Tue Mar 21 2023 Jan Grulich - 1.13.1-1 +- 1.13.1 + Resolves: bz#2175748 +- Restore "--fallbacktofreeport" option in the vncserver script + Resolves: bz#2174398 * Thu Dec 08 2022 Jan Grulich - 1.12.0-9 - Bump build version to fix upgrade path