From e304238de7b18f710fd62a311755ea61c048bc75 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Thu, 12 Dec 2013 17:31:18 +0000 Subject: [PATCH 1/7] Avoid invalid read when ZRLE connection closed (upstream bug #133). Resolves: rhbz#1039926 (cherry picked from commit 849f0627d20a5aec518f9b328bc3add127a5cff4) Conflicts: tigervnc.spec --- tigervnc-zrle-crash.patch | 69 +++++++++++++++++++++++++++++++++++++++ tigervnc.spec | 9 ++++- 2 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 tigervnc-zrle-crash.patch diff --git a/tigervnc-zrle-crash.patch b/tigervnc-zrle-crash.patch new file mode 100644 index 0000000..74545d7 --- /dev/null +++ b/tigervnc-zrle-crash.patch 
@@ -0,0 +1,69 @@ +diff -up tigervnc-1.3.0/common/rfb/ZRLEEncoder.cxx.zrle-crash tigervnc-1.3.0/common/rfb/ZRLEEncoder.cxx +--- tigervnc-1.3.0/common/rfb/ZRLEEncoder.cxx.zrle-crash 2013-07-01 13:41:59.000000000 +0100 ++++ tigervnc-1.3.0/common/rfb/ZRLEEncoder.cxx 2013-12-12 17:30:48.510007365 +0000 +@@ -55,16 +55,19 @@ Encoder* ZRLEEncoder::create(SMsgWriter* + } + + ZRLEEncoder::ZRLEEncoder(SMsgWriter* writer_) +- : writer(writer_), zos(0,0,zlibLevel) ++ : writer(writer_) + { + if (sharedMos) + mos = sharedMos; + else + mos = new rdr::MemOutStream(129*1024); ++ ++ zos = new rdr::ZlibOutStream(0, 0, zlibLevel); + } + + ZRLEEncoder::~ZRLEEncoder() + { ++ delete zos; + if (!sharedMos) + delete mos; + } +@@ -78,10 +81,10 @@ bool ZRLEEncoder::writeRect(const Rect& + + switch (writer->bpp()) { + case 8: +- wroteAll = zrleEncode8(r, mos, &zos, imageBuf, maxLen, actual, ig); ++ wroteAll = zrleEncode8(r, mos, zos, imageBuf, maxLen, actual, ig); + break; + case 16: +- wroteAll = zrleEncode16(r, mos, &zos, imageBuf, maxLen, actual, ig); ++ wroteAll = zrleEncode16(r, mos, zos, imageBuf, maxLen, actual, ig); + break; + case 32: + { +@@ -94,16 +97,16 @@ bool ZRLEEncoder::writeRect(const Rect& + if ((fitsInLS3Bytes && pf.isLittleEndian()) || + (fitsInMS3Bytes && pf.isBigEndian())) + { +- wroteAll = zrleEncode24A(r, mos, &zos, imageBuf, maxLen, actual, ig); ++ wroteAll = zrleEncode24A(r, mos, zos, imageBuf, maxLen, actual, ig); + } + else if ((fitsInLS3Bytes && pf.isBigEndian()) || + (fitsInMS3Bytes && pf.isLittleEndian())) + { +- wroteAll = zrleEncode24B(r, mos, &zos, imageBuf, maxLen, actual, ig); ++ wroteAll = zrleEncode24B(r, mos, zos, imageBuf, maxLen, actual, ig); + } + else + { +- wroteAll = zrleEncode32(r, mos, &zos, imageBuf, maxLen, actual, ig); ++ wroteAll = zrleEncode32(r, mos, zos, imageBuf, maxLen, actual, ig); + } + break; + } +diff -up tigervnc-1.3.0/common/rfb/ZRLEEncoder.h.zrle-crash tigervnc-1.3.0/common/rfb/ZRLEEncoder.h +--- 
tigervnc-1.3.0/common/rfb/ZRLEEncoder.h.zrle-crash 2013-07-01 13:42:01.000000000 +0100 ++++ tigervnc-1.3.0/common/rfb/ZRLEEncoder.h 2013-12-12 17:30:48.510007365 +0000 +@@ -45,7 +45,7 @@ namespace rfb { + private: + ZRLEEncoder(SMsgWriter* writer); + SMsgWriter* writer; +- rdr::ZlibOutStream zos; ++ rdr::ZlibOutStream* zos; + rdr::MemOutStream* mos; + static rdr::MemOutStream* sharedMos; + static int maxLen; diff --git a/tigervnc.spec b/tigervnc.spec index 905dc36..393597a 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -1,6 +1,6 @@ Name: tigervnc Version: 1.3.0 -Release: 7%{?dist} +Release: 8%{?dist} Summary: A TigerVNC remote display system Group: User Interface/Desktops @@ -46,6 +46,7 @@ Patch6: tigervnc-setcursor-crash.patch Patch7: tigervnc-manpages.patch Patch8: tigervnc-getmaster.patch Patch9: tigervnc-shebang.patch +Patch12: tigervnc-zrle-crash.patch %description Virtual Network Computing (VNC) is a remote display system which @@ -168,6 +169,9 @@ popd # Don't use shebang in vncserver script. %patch9 -p1 -b .shebang +# Avoid invalid read when ZRLE connection closed (upstream bug #133). +%patch12 -p1 -b .zrle-crash + %build %ifarch sparcv9 sparc64 s390 s390x export CFLAGS="$RPM_OPT_FLAGS -fPIC" @@ -336,6 +340,9 @@ fi %{_datadir}/icons/hicolor/*/apps/* %changelog +* Thu Dec 12 2013 Tim Waugh 1.3.0-8 +- Avoid invalid read when ZRLE connection closed (upstream bug #133). + * Tue Sep 24 2013 Tim Waugh 1.3.0-7 - Removed incorrect patch (for unexpected key_is_down). Fixes stuck keys bug (bug #989502). From 205a287f623c9ef6bc310a74a5490e766e67b5b5 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Fri, 10 Jan 2014 11:04:51 +0000 Subject: [PATCH 2/7] Fixed viewer crash when cursor has not been set (bug #1038701). Resolves: rhbz#1038701 (cherry picked from commit 8ef823f6eecbbde4ed907347dcad74df6139a0b3) Conflicts: tigervnc.spec --- tigervnc-cursor.patch | 12 ++++++++++++ tigervnc.spec | 5 +++++ 2 files changed, 17 insertions(+) create mode 100644 tigervnc-cursor.patch 
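Review bot: The new destructor's `delete zos;` has to run before `delete mos;`, but nothing in the patched ZRLEEncoder.cxx says so, and that ordering appears to be the substance of the fix: as a by-value member, `zos` was destroyed only after the destructor body had already freed `mos`. I would add a comment above it such as `// zos must be destroyed before mos: it may still refer to mos as its underlying stream`, so that a later cleanup does not reorder the two deletes. The class now owns two raw pointers, and the ZRLEEncoder.h hunk does not show copy construction or assignment being disabled. If they are not declared private elsewhere in the header, a copied encoder would delete `zos` twice.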
diff --git a/tigervnc-cursor.patch b/tigervnc-cursor.patch new file mode 100644 index 0000000..349c950 --- /dev/null +++ b/tigervnc-cursor.patch @@ -0,0 +1,12 @@ +diff -up tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor tigervnc-1.3.0/vncviewer/Viewport.cxx +--- tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor 2013-12-17 13:28:23.170400013 +0000 ++++ tigervnc-1.3.0/vncviewer/Viewport.cxx 2013-12-17 13:29:46.095784064 +0000 +@@ -931,7 +931,7 @@ void Viewport::popupContextMenu() + + // Back to our proper mouse pointer. + #ifdef HAVE_FLTK_CURSOR +- if (Fl::belowmouse() == this) ++ if (Fl::belowmouse() == this && cursor) + window()->cursor(cursor, cursorHotspot.x, cursorHotspot.y); + #endif + diff --git a/tigervnc.spec b/tigervnc.spec index 393597a..209a228 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -47,6 +47,7 @@ Patch7: tigervnc-manpages.patch Patch8: tigervnc-getmaster.patch Patch9: tigervnc-shebang.patch Patch12: tigervnc-zrle-crash.patch +Patch13: tigervnc-cursor.patch %description Virtual Network Computing (VNC) is a remote display system which @@ -172,6 +173,9 @@ popd # Avoid invalid read when ZRLE connection closed (upstream bug #133). %patch12 -p1 -b .zrle-crash +# Fixed viewer crash when cursor has not been set (bug #1038701). +%patch13 -p1 -b .cursor + %build %ifarch sparcv9 sparc64 s390 s390x export CFLAGS="$RPM_OPT_FLAGS -fPIC" @@ -341,6 +345,7 @@ fi %changelog * Thu Dec 12 2013 Tim Waugh 1.3.0-8 +- Fixed viewer crash when cursor has not been set (bug #1038701). - Avoid invalid read when ZRLE connection closed (upstream bug #133). * Tue Sep 24 2013 Tim Waugh 1.3.0-7 From d55ed74eb3b6eb4cd6f9479f4a832196d53da133 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Tue, 14 Jan 2014 14:32:31 +0000 Subject: [PATCH 3/7] Fixed instructions in systemd unit file. (cherry picked from commit 42f43f399c73e3b7bf2258fb1afc50d2c298fd20) Conflicts: tigervnc.spec --- tigervnc.spec | 3 ++- vncserver.service | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) 
diff --git a/tigervnc.spec b/tigervnc.spec index 209a228..21246df 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -344,7 +344,8 @@ fi %{_datadir}/icons/hicolor/*/apps/* %changelog -* Thu Dec 12 2013 Tim Waugh 1.3.0-8 +* Tue Jan 21 2014 Tim Waugh 1.3.0-8 +- Fixed instructions in systemd unit file. - Fixed viewer crash when cursor has not been set (bug #1038701). - Avoid invalid read when ZRLE connection closed (upstream bug #133). diff --git a/vncserver.service b/vncserver.service index 4d55de2..5130c44 100644 --- a/vncserver.service +++ b/vncserver.service @@ -1,7 +1,7 @@ # The vncserver service unit file # # Quick HowTo: -# 1. Copy this file to /etc/systemd/system/vncserver@:.service +# 1. Copy this file to /etc/systemd/system/vncserver@.service # 2. Edit and vncserver parameters appropriately # ("runuser -l -c /usr/bin/vncserver %i -arg1 -arg2") # 3. Run `systemctl daemon-reload` From bb32676e600b76764f927bdee2504645ae26de62 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Mon, 10 Feb 2014 15:00:28 +0000 Subject: [PATCH 4/7] Clearer xstartup file (bug #923655). Resolves: rhbz#923655 (cherry picked from commit 372fc5f067eeaf137de99aef95a1b801416f3086) Conflicts: tigervnc.spec --- tigervnc-xstartup.patch | 32 ++++++++++++++++++++++++++++++++ tigervnc.spec | 5 ++++- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 tigervnc-xstartup.patch diff --git a/tigervnc-xstartup.patch b/tigervnc-xstartup.patch new file mode 100644 index 0000000..696d92b --- /dev/null +++ b/tigervnc-xstartup.patch 
@@ -0,0 +1,32 @@ +diff -up tigervnc-1.3.0/unix/vncserver.xstartup tigervnc-1.3.0/unix/vncserver +--- tigervnc-1.3.0/unix/vncserver.xstartup 2014-02-10 14:52:39.902673875 +0000 ++++ tigervnc-1.3.0/unix/vncserver 2014-02-10 14:53:30.398847723 +0000 +@@ -59,27 +59,7 @@ $defaultXStartup + = ("#!/bin/sh\n\n". + "unset SESSION_MANAGER\n". + "unset DBUS_SESSION_BUS_ADDRESS\n". +- "OS=`uname -s`\n". +- "if [ \$OS = 'Linux' ]; then\n". +- " case \"\$WINDOWMANAGER\" in\n". +- " \*gnome\*)\n". +- " if [ -e /etc/SuSE-release ]; then\n". +- " PATH=\$PATH:/opt/gnome/bin\n". +- " export PATH\n". +- " fi\n". +- " ;;\n". +- " esac\n". +- "fi\n". +- "if [ -x /etc/X11/xinit/xinitrc ]; then\n". +- " exec /etc/X11/xinit/xinitrc\n". +- "fi\n". +- "if [ -f /etc/X11/xinit/xinitrc ]; then\n". +- " exec sh /etc/X11/xinit/xinitrc\n". +- "fi\n". +- "[ -r \$HOME/.Xresources ] && xrdb \$HOME/.Xresources\n". +- "xsetroot -solid grey\n". +- "xterm -geometry 80x24+10+10 -ls -title \"\$VNCDESKTOP Desktop\" &\n". +- "twm &\n"); ++ "exec /etc/X11/xinit/xinitrc\n"); + + chop($host = `uname -n`); + diff --git a/tigervnc.spec b/tigervnc.spec index 21246df..44d3661 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -1,6 +1,6 @@ Name: tigervnc Version: 1.3.0 -Release: 8%{?dist} +Release: 9%{?dist} Summary: A TigerVNC remote display system Group: User Interface/Desktops @@ -344,6 +344,9 @@ fi %{_datadir}/icons/hicolor/*/apps/* %changelog +* Mon Feb 10 2014 Tim Waugh 1.3.0-9 +- Clearer xstartup file (bug #923655). + * Tue Jan 21 2014 Tim Waugh 1.3.0-8 - Fixed instructions in systemd unit file. - Fixed viewer crash when cursor has not been set (bug #1038701). From 97b7a0c24dab855af5ff568a58df9b511b3f1e0d Mon Sep 17 00:00:00 2001 
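Review bot: The generated xstartup now ends in an unconditional `exec /etc/X11/xinit/xinitrc`, so the `-x` and `-f` tests and the xterm/twm fallback that the removed lines provided are gone; if that file is missing or not executable, the exec fails and the session has nothing to run. If the package does not guarantee the file through a dependency (not visible in the spec hunks here), keep one guard, e.g. `"[ -x /etc/X11/xinit/xinitrc ] && exec /etc/X11/xinit/xinitrc\n".` followed by `"exec sh /etc/X11/xinit/xinitrc\n"`. At the least, have the script write a message to stderr so the failure shows up in the VNC log. The `$defaultXStartup` assignment begins above this hunk.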
From: Tim Waugh Date: Wed, 19 Mar 2014 12:28:35 +0000 Subject: [PATCH 5/7] Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928). Resolves: rhbz#1050928 (cherry picked from commit 0235d7a4993a3bbbea574ec846096ac3ab8fbf2c) Conflicts: tigervnc.spec --- tigervnc-CVE-2014-0011.patch | 49 ++++++++++++++++++++++++++++++++++++ tigervnc.spec | 9 ++++++- 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 tigervnc-CVE-2014-0011.patch diff --git a/tigervnc-CVE-2014-0011.patch b/tigervnc-CVE-2014-0011.patch new file mode 100644 index 0000000..0075720 --- /dev/null +++ b/tigervnc-CVE-2014-0011.patch 
@@ -0,0 +1,49 @@ +diff -up tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 tigervnc-1.3.0/common/CMakeLists.txt +--- tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 2013-07-01 13:42:01.000000000 +0100 ++++ tigervnc-1.3.0/common/CMakeLists.txt 2014-02-04 16:59:10.840037314 +0000 +@@ -23,3 +23,6 @@ if(CMAKE_COMPILER_IS_GNUCXX AND (CMAKE_S + set_target_properties(zlib PROPERTIES COMPILE_FLAGS -fPIC) + endif() + endif() ++ ++# Turn asserts on. ++set_target_properties(rdr rfb PROPERTIES COMPILE_FLAGS -UNDEBUG) +diff -up tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 tigervnc-1.3.0/common/rfb/zrleDecode.h +--- tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 2013-07-01 13:41:59.000000000 +0100 ++++ tigervnc-1.3.0/common/rfb/zrleDecode.h 2014-02-04 16:17:00.881565540 +0000 +@@ -25,9 +25,10 @@ + // FILL_RECT - fill a rectangle with a single colour + // IMAGE_RECT - draw a rectangle of pixel data from a buffer + ++#include + #include + #include +-#include ++#include + + namespace rfb { + +@@ -143,7 +144,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In + len += b; + } while (b == 255); + +- assert(len <= end - ptr); ++ if (end - ptr < len) { ++ fprintf (stderr, "ZRLE decode error\n"); ++ throw Exception ("ZRLE decode error"); ++ } + + #ifdef FAVOUR_FILL_RECT + int i = ptr - buf; +@@ -193,7 +197,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In + len += b; + } while (b == 255); + +- assert(len <= end - ptr); ++ if (end - ptr < len) { ++ fprintf (stderr, "ZRLE decode error\n"); ++ throw Exception ("ZRLE decode error"); ++ } + } + + index &= 127; diff --git a/tigervnc.spec b/tigervnc.spec index 44d3661..40892da 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -1,6 +1,6 @@ Name: tigervnc Version: 1.3.0 -Release: 9%{?dist} +Release: 10%{?dist} Summary: A TigerVNC remote display system Group: User Interface/Desktops 
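Review bot: The new `if (end - ptr < len)` test runs only after the `len += b; } while (b == 255);` loop has finished (the loop starts above the hunk), so `len` is still accumulated from stream bytes with no bound. If it is a signed `int` (its declaration is outside the hunk), a long enough run of 255 bytes overflows it, which is undefined behaviour and could leave a value that passes the comparison. Moving the test into the loop, `if (len > end - ptr) throw Exception ("ZRLE decode error");` directly after `len += b;`, bounds it at every step; this applies to both rewritten checks (old lines 143 and 193) and to the identical patch carried in PATCH 6/7. Separately, in the CMakeLists.txt part, `set_target_properties(rdr rfb PROPERTIES COMPILE_FLAGS -UNDEBUG)` replaces the property rather than appending to it, so any flags given to rdr or rfb earlier in that file (the context shows zlib receiving `-fPIC` this way) would be dropped; confirm that none are, or append to the existing value.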
@@ -48,6 +48,7 @@ Patch8: tigervnc-getmaster.patch Patch9: tigervnc-shebang.patch Patch12: tigervnc-zrle-crash.patch Patch13: tigervnc-cursor.patch +Patch14: tigervnc-CVE-2014-0011.patch %description Virtual Network Computing (VNC) is a remote display system which @@ -176,6 +177,9 @@ popd # Fixed viewer crash when cursor has not been set (bug #1038701). %patch13 -p1 -b .cursor +# Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928). +%patch14 -p1 -b .CVE-2014-0011 + %build %ifarch sparcv9 sparc64 s390 s390x export CFLAGS="$RPM_OPT_FLAGS -fPIC" @@ -344,6 +348,9 @@ fi %{_datadir}/icons/hicolor/*/apps/* %changelog +* Wed Mar 19 2014 Tim Waugh 1.3.0-10 +- Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928). + * Mon Feb 10 2014 Tim Waugh 1.3.0-9 - Clearer xstartup file (bug #923655). From e38dd7e00e7f9653adfb3420b2b61ee9fba81e31 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Wed, 19 Mar 2014 12:31:34 +0000 Subject: [PATCH 6/7] Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928). Resolves: rhbz#1050928 --- tigervnc-CVE-2014-0011.patch | 49 ++++++++++++++++++++++++++++++++++++ tigervnc.spec | 9 ++++++- 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 tigervnc-CVE-2014-0011.patch diff --git a/tigervnc-CVE-2014-0011.patch b/tigervnc-CVE-2014-0011.patch new file mode 100644 index 0000000..0075720 --- /dev/null +++ b/tigervnc-CVE-2014-0011.patch 
@@ -0,0 +1,49 @@ +diff -up tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 tigervnc-1.3.0/common/CMakeLists.txt +--- tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 2013-07-01 13:42:01.000000000 +0100 ++++ tigervnc-1.3.0/common/CMakeLists.txt 2014-02-04 16:59:10.840037314 +0000 +@@ -23,3 +23,6 @@ if(CMAKE_COMPILER_IS_GNUCXX AND (CMAKE_S + set_target_properties(zlib PROPERTIES COMPILE_FLAGS -fPIC) + endif() + endif() ++ ++# Turn asserts on. ++set_target_properties(rdr rfb PROPERTIES COMPILE_FLAGS -UNDEBUG) +diff -up tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 tigervnc-1.3.0/common/rfb/zrleDecode.h +--- tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 2013-07-01 13:41:59.000000000 +0100 ++++ tigervnc-1.3.0/common/rfb/zrleDecode.h 2014-02-04 16:17:00.881565540 +0000 +@@ -25,9 +25,10 @@ + // FILL_RECT - fill a rectangle with a single colour + // IMAGE_RECT - draw a rectangle of pixel data from a buffer + ++#include + #include + #include +-#include ++#include + + namespace rfb { + +@@ -143,7 +144,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In + len += b; + } while (b == 255); + +- assert(len <= end - ptr); ++ if (end - ptr < len) { ++ fprintf (stderr, "ZRLE decode error\n"); ++ throw Exception ("ZRLE decode error"); ++ } + + #ifdef FAVOUR_FILL_RECT + int i = ptr - buf; +@@ -193,7 +197,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In + len += b; + } while (b == 255); + +- assert(len <= end - ptr); ++ if (end - ptr < len) { ++ fprintf (stderr, "ZRLE decode error\n"); ++ throw Exception ("ZRLE decode error"); ++ } + } + + index &= 127; diff --git a/tigervnc.spec b/tigervnc.spec index cf999e5..60d3415 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -1,6 +1,6 @@ Name: tigervnc Version: 1.3.0 -Release: 13%{?dist} +Release: 14%{?dist} Summary: A TigerVNC remote display system Group: User Interface/Desktops 
@@ -50,6 +50,7 @@ Patch10: tigervnc-1.3.0-xserver-1.15.patch Patch11: tigervnc-format-security.patch Patch12: tigervnc-zrle-crash.patch Patch13: tigervnc-cursor.patch +Patch14: tigervnc-CVE-2014-0011.patch %description Virtual Network Computing (VNC) is a remote display system which @@ -183,6 +184,9 @@ popd # Fixed viewer crash when cursor has not been set (bug #1038701). %patch13 -p1 -b .cursor +# Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928). +%patch14 -p1 -b .CVE-2014-0011 + %build %ifarch sparcv9 sparc64 s390 s390x export CFLAGS="$RPM_OPT_FLAGS -fPIC" @@ -355,6 +359,9 @@ fi %{_datadir}/icons/hicolor/*/apps/* %changelog +* Wed Mar 19 2014 Tim Waugh 1.3.0-14 +- Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928). + * Mon Feb 10 2014 Tim Waugh 1.3.0-13 - Clearer xstartup file (bug #923655). From 70f6b2285b194f50eef1124176f0f7b535e2a3eb Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Wed, 21 May 2014 08:36:39 +0100 Subject: [PATCH 7/7] Keep pointer in sync when using module (upstream bug #152). --- tigervnc-pointersync.patch | 18 ++++++++++++++++++ tigervnc.spec | 9 ++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 tigervnc-pointersync.patch diff --git a/tigervnc-pointersync.patch b/tigervnc-pointersync.patch new file mode 100644 index 0000000..e0d60fa --- /dev/null +++ b/tigervnc-pointersync.patch @@ -0,0 +1,18 @@ +diff -up tigervnc-1.3.0/unix/xserver/hw/vnc/Input.cc.pointersync tigervnc-1.3.0/unix/xserver/hw/vnc/Input.cc +--- tigervnc-1.3.0/unix/xserver/hw/vnc/Input.cc.pointersync 2013-07-01 13:41:24.000000000 +0100 ++++ tigervnc-1.3.0/unix/xserver/hw/vnc/Input.cc 2014-05-22 11:47:16.707816457 +0100 +@@ -197,6 +197,14 @@ void InputDevice::PointerMove(const rfb: + + void InputDevice::PointerSync(void) + { ++ if (initialized) { ++ int x, y; ++ ++ GetSpritePosition (pointerDev, &x, &y); ++ cursorPos.x = x; ++ cursorPos.y = y; ++ } ++ + if (cursorPos.equals(oldCursorPos)) + return; + 
diff --git a/tigervnc.spec b/tigervnc.spec index 40892da..8c144e6 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -1,6 +1,6 @@ Name: tigervnc Version: 1.3.0 -Release: 10%{?dist} +Release: 11%{?dist} Summary: A TigerVNC remote display system Group: User Interface/Desktops @@ -49,6 +49,7 @@ Patch9: tigervnc-shebang.patch Patch12: tigervnc-zrle-crash.patch Patch13: tigervnc-cursor.patch Patch14: tigervnc-CVE-2014-0011.patch +Patch15: tigervnc-pointersync.patch %description Virtual Network Computing (VNC) is a remote display system which @@ -180,6 +181,9 @@ popd # Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928). %patch14 -p1 -b .CVE-2014-0011 +# Keep pointer in sync when using module (upstream bug #152). +%patch15 -p1 -b .pointersync + %build %ifarch sparcv9 sparc64 s390 s390x export CFLAGS="$RPM_OPT_FLAGS -fPIC" @@ -348,6 +352,9 @@ fi %{_datadir}/icons/hicolor/*/apps/* %changelog +* Thu May 22 2014 Tim Waugh 1.3.0-11 +- Keep pointer in sync when using module (upstream bug #152). + * Wed Mar 19 2014 Tim Waugh 1.3.0-10 - Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928).