rpms/tigervnc
6
0
Fork 0
Code Issues Pull Requests Releases Activity

1.13.0

Browse Source 
CVE-2023-0494
This commit is contained in:
Jan Grulich 2023-02-07 08:42:41 +01:00
parent 23abde10fa
commit c52f97ee5f
4 changed files with 9 additions and 150 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
tigervnc-fix-typo-in-mirror-monitor-detection.patch
View File

@ -1,34 +0,0 @@
From 2daf4126882f82b6e392dfbae87205dbdc559c3d Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Thu, 23 Dec 2021 15:58:00 +0100
Subject: [PATCH] Fix typo in mirror monitor detection
Bug introduced in fb561eb but still somehow passed manual testing.
Resulted in some stray reads off the end of the stack, which were
hopefully harmless.
---
vncviewer/MonitorIndicesParameter.cxx | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/vncviewer/MonitorIndicesParameter.cxx b/vncviewer/MonitorIndicesParameter.cxx
index 5130831cb..4ac74dd1a 100644
--- a/vncviewer/MonitorIndicesParameter.cxx
+++ b/vncviewer/MonitorIndicesParameter.cxx
@@ -211,13 +211,13 @@ std::vector<MonitorIndicesParameter::Monitor> MonitorIndicesParameter::fetchMoni
// Only keep a single entry for mirrored screens
match = false;
for (int j = 0; j < ((int) monitors.size()); j++) {
- if (monitors[i].x != monitor.x)
+ if (monitors[j].x != monitor.x)
continue;
- if (monitors[i].y != monitor.y)
+ if (monitors[j].y != monitor.y)
continue;
- if (monitors[i].w != monitor.w)
+ if (monitors[j].w != monitor.w)
continue;
- if (monitors[i].h != monitor.h)
+ if (monitors[j].h != monitor.h)
continue;
match = true;

25
tigervnc-root-user-selinux-context.patch
View File

@ -1,25 +0,0 @@
From faf81b4b238e24fe29eb53f885a25367e212dd7b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 7 Feb 2022 10:45:41 +0100
Subject: [PATCH] SELinux: use /root/.vnc in file context specification
Instead of HOME_ROOT/.vnc, /root/.vnc should be used
for user root's home to specify default file context
as HOME_ROOT actually means base for home dirs (usually /home).
---
unix/vncserver/selinux/vncsession.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
index 6aaf4b1f4..bc81f8f25 100644
--- a/unix/vncserver/selinux/vncsession.fc
+++ b/unix/vncserver/selinux/vncsession.fc
@@ -18,7 +18,7 @@
#
HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
-HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
+/root/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
/usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
/usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0)

81
tigervnc-selinux-restore-context-in-case-of-different-policies.patch
View File

@ -1,81 +0,0 @@
From d2d52704624ce841f4a392fccd82079d87ff13b6 Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Thu, 11 Nov 2021 13:52:41 +0100
Subject: [PATCH] SELinux: restore SELinux context in case of different
policies
---
CMakeLists.txt | 13 +++++++++++++
unix/vncserver/CMakeLists.txt | 2 +-
unix/vncserver/vncsession.c | 16 ++++++++++++++++
3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 50247c7da..1708eb3d8 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -268,6 +268,19 @@ if(UNIX AND NOT APPLE)
endif()
endif()
+# Check for SELinux library
+if(UNIX AND NOT APPLE)
+ check_include_files(selinux/selinux.h HAVE_SELINUX_H)
+ if(HAVE_SELINUX_H)
+ set(CMAKE_REQUIRED_LIBRARIES -lselinux)
+ set(CMAKE_REQUIRED_LIBRARIES)
+ set(SELINUX_LIBS selinux)
+ add_definitions("-DHAVE_SELINUX")
+ else()
+ message(WARNING "Could not find SELinux development files")
+ endif()
+endif()
+
# Generate config.h and make sure the source finds it
configure_file(config.h.in config.h)
add_definitions(-DHAVE_CONFIG_H)
diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
index f65ccc7db..ae69dc098 100644
--- a/unix/vncserver/CMakeLists.txt
+++ b/unix/vncserver/CMakeLists.txt
@@ -1,5 +1,5 @@
add_executable(vncsession vncsession.c)
-target_link_libraries(vncsession ${PAM_LIBS})
+target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
configure_file(vncserver@.service.in vncserver@.service @ONLY)
configure_file(vncsession-start.in vncsession-start @ONLY)
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
index 3573e5e9b..f6d2fd59e 100644
--- a/unix/vncserver/vncsession.c
+++ b/unix/vncserver/vncsession.c
@@ -37,6 +37,11 @@
#include <sys/types.h>
#include <sys/wait.h>
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/restorecon.h>
+#endif
+
extern char **environ;
// PAM service name
@@ -360,6 +365,17 @@ redir_stdio(const char *homedir, const char *display)
syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
_exit(EX_OSERR);
}
+
+#ifdef HAVE_SELINUX
+ int result;
+ if (selinux_file_context_verify(logfile, 0) == 0) {
+ result = selinux_restorecon(logfile, SELINUX_RESTORECON_RECURSE);
+
+ if (result < 0) {
+ syslog(LOG_WARNING, "Failure restoring SELinux context for \"%s\": %s", logfile, strerror(errno));
+ }
+ }
+#endif
}
hostlen = sysconf(_SC_HOST_NAME_MAX);

19
tigervnc.spec
View File

@ -3,8 +3,8 @@
%global modulename vncsession %global modulename vncsession
Name: tigervnc Name: tigervnc
Version: 1.12.0 Version: 1.13.0
Release: 9%{?dist} Release: 1%{?dist}
Summary: A TigerVNC remote display system Summary: A TigerVNC remote display system
%global _hardened_build 1 %global _hardened_build 1
@ -24,10 +24,7 @@ Source5: vncserver
# Downstream patches # Downstream patches
# Upstream patches # Upstream patches
Patch50: tigervnc-selinux-restore-context-in-case-of-different-policies.patch Patch50: tigervnc-vncsession-restore-script-systemd-service.patch
Patch51: tigervnc-fix-typo-in-mirror-monitor-detection.patch
Patch52: tigervnc-root-user-selinux-context.patch
Patch53: tigervnc-vncsession-restore-script-systemd-service.patch
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
Patch100: tigervnc-xserver120.patch Patch100: tigervnc-xserver120.patch
@ -148,10 +145,7 @@ runs properly under an environment with SELinux enabled.
%prep %prep
%setup -q %setup -q
%patch50 -p1 -b .selinux-restore-context-in-case-of-different-policies %patch50 -p1 -b .vncsession-restore-script-systemd-service
%patch51 -p1 -b .fix-typo-in-mirror-monitor-detection
%patch52 -p1 -b .root-user-selinux-context
%patch53 -p1 -b .vncsession-restore-script-systemd-service
cp -r /usr/share/xorg-x11-server-source/* unix/xserver cp -r /usr/share/xorg-x11-server-source/* unix/xserver
pushd unix/xserver pushd unix/xserver
@ -291,6 +285,7 @@ fi
%{_bindir}/vncviewer %{_bindir}/vncviewer
%{_datadir}/applications/* %{_datadir}/applications/*
%{_mandir}/man1/vncviewer.1* %{_mandir}/man1/vncviewer.1*
%{_datadir}/metainfo/org.tigervnc.vncviewer.metainfo.xml
%files server %files server
%config(noreplace) %{_sysconfdir}/pam.d/tigervnc %config(noreplace) %{_sysconfdir}/pam.d/tigervnc
@ -334,6 +329,10 @@ fi
%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%changelog %changelog
* Tue Feb 07 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.0-1
- 1.13.0
- CVE-2023-0494
* Tue Jan 31 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-9 * Tue Jan 31 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-9
- migrated to SPDX license - migrated to SPDX license