From df020f7f87bb190413669503ae0d365adef8623c Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Wed, 27 Mar 2024 20:35:25 +0000
Subject: [PATCH] import CS tigervnc-1.13.1-8.el8
---
...pointer-position-for-floating-device.patch | 13 ++
...support-username-alias-in-plainusers.patch | 135 ++++++++++++++++++
...se-dup-to-get-available-fd-for-inetd.patch | 17 +++
SOURCES/xorg-CVE-2024-0229-followup.patch | 32 +++++
SPECS/tigervnc.spec | 57 +++++++-
5 files changed, 251 insertions(+), 3 deletions(-)
create mode 100644 SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch
create mode 100644 SOURCES/tigervnc-support-username-alias-in-plainusers.patch
create mode 100644 SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch
create mode 100644 SOURCES/xorg-CVE-2024-0229-followup.patch
diff --git a/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch b/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch
new file mode 100644
index 0000000..3bf7dda
--- /dev/null
+++ b/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch
@@ -0,0 +1,13 @@
+diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c
+index b3d0926d..d36a096f 100644
+--- a/unix/xserver/hw/vnc/vncInput.c
++++ b/unix/xserver/hw/vnc/vncInput.c
+@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y)
+
+ void vncGetPointerPos(int *x, int *y)
+ {
+- if (vncPointerDev != NULL) {
++ if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) {
+ ScreenPtr ptrScreen;
+
+ miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY);
diff --git a/SOURCES/tigervnc-support-username-alias-in-plainusers.patch b/SOURCES/tigervnc-support-username-alias-in-plainusers.patch
new file mode 100644
index 0000000..abf4eda
--- /dev/null
+++ b/SOURCES/tigervnc-support-username-alias-in-plainusers.patch
@@ -0,0 +1,135 @@
+diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx
+index 6f65e87..3142ba3 100644
+--- a/common/rfb/SSecurityPlain.cxx
++++ b/common/rfb/SSecurityPlain.cxx
+@@ -27,6 +27,8 @@
+ #include <rdr/InStream.h>
+ #if !defined(WIN32) && !defined(__APPLE__)
+ #include <rfb/UnixPasswordValidator.h>
++#include <unistd.h>
++#include <pwd.h>
+ #endif
+ #ifdef WIN32
+ #include <rfb/WinPasswdValidator.h>
+@@ -45,21 +47,22 @@ StringParameter PasswordValidator::plainUsers
+
+ bool PasswordValidator::validUser(const char* username)
+ {
+- CharArray users(plainUsers.getValueStr()), user;
++ std::vector<std::string> users;
+
+- while (users.buf) {
+- strSplit(users.buf, ',', &user.buf, &users.buf);
+-#ifdef WIN32
+- if (0 == stricmp(user.buf, "*"))
+- return true;
+- if (0 == stricmp(user.buf, username))
+- return true;
+-#else
+- if (!strcmp(user.buf, "*"))
+- return true;
+- if (!strcmp(user.buf, username))
+- return true;
++ users = split(plainUsers, ',');
++
++ for (size_t i = 0; i < users.size(); i++) {
++ if (users[i] == "*")
++ return true;
++#if !defined(WIN32) && !defined(__APPLE__)
++ if (users[i] == "%u") {
++ struct passwd *pw = getpwnam(username);
++ if (pw && pw->pw_uid == getuid())
++ return true;
++ }
+ #endif
++ if (users[i] == username)
++ return true;
+ }
+ return false;
+ }
+diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx
+index 649eb0b..cce73a0 100644
+--- a/common/rfb/util.cxx
++++ b/common/rfb/util.cxx
+@@ -99,6 +99,26 @@ namespace rfb {
+ return false;
+ }
+
++ std::vector<std::string> split(const char* src,
++ const char delimiter)
++ {
++ std::vector<std::string> out;
++ const char *start, *stop;
++
++ start = src;
++ do {
++ stop = strchr(start, delimiter);
++ if (stop == NULL) {
++ out.push_back(start);
++ } else {
++ out.push_back(std::string(start, stop-start));
++ start = stop + 1;
++ }
++ } while (stop != NULL);
++
++ return out;
++ }
++
+ bool strContains(const char* src, char c) {
+ int l=strlen(src);
+ for (int i=0; i<l; i++)
+diff --git a/common/rfb/util.h b/common/rfb/util.h
+index f0ac9ef..ed15c28 100644
+--- a/common/rfb/util.h
++++ b/common/rfb/util.h
+@@ -27,6 +27,9 @@
+ #include <limits.h>
+ #include <string.h>
+
++#include <string>
++#include <vector>
++
+ struct timeval;
+
+ #ifdef __GNUC__
+@@ -76,6 +79,10 @@ namespace rfb {
+ // that part of the string. Obviously, setting both to 0 is not useful...
+ bool strSplit(const char* src, const char limiter, char** out1, char** out2, bool fromEnd=false);
+
++ // Splits a string with the specified delimiter
++ std::vector<std::string> split(const char* src,
++ const char delimiter);
++
+ // Returns true if src contains c
+ bool strContains(const char* src, char c);
+
+diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man
+index c36ae34..78db730 100644
+--- a/unix/x0vncserver/x0vncserver.man
++++ b/unix/x0vncserver/x0vncserver.man
+@@ -125,8 +125,8 @@ parameter instead.
+ .B \-PlainUsers \fIuser-list\fP
+ A comma separated list of user names that are allowed to authenticate via
+ any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
+-to allow any user to authenticate using this security type. Default is to
+-deny all users.
++to allow any user to authenticate using this security type. Specify \fB%u\fP
++to allow the user of the server process. Default is to deny all users.
+ .
+ .TP
+ .B \-pam_service \fIname\fP, \-PAMService \fIname\fP
+diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
+index ea87dea..e9fb654 100644
+--- a/unix/xserver/hw/vnc/Xvnc.man
++++ b/unix/xserver/hw/vnc/Xvnc.man
+@@ -200,8 +200,8 @@ parameter instead.
+ .B \-PlainUsers \fIuser-list\fP
+ A comma separated list of user names that are allowed to authenticate via
+ any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
+-to allow any user to authenticate using this security type. Default is to
+-deny all users.
++to allow any user to authenticate using this security type. Specify \fB%u\fP
++to allow the user of the server process. Default is to deny all users.
+ .
+ .TP
+ .B \-pam_service \fIname\fP, \-PAMService \fIname\fP
diff --git a/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch b/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch
new file mode 100644
index 0000000..0e0f794
--- /dev/null
+++ b/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch
@@ -0,0 +1,17 @@
+diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
+index f8141959..c5c36539 100644
+--- a/unix/xserver/hw/vnc/xvnc.c
++++ b/unix/xserver/hw/vnc/xvnc.c
+@@ -366,8 +366,10 @@ ddxProcessArgument(int argc, char *argv[], int i)
+ if (strcmp(argv[i], "-inetd") == 0) {
+ int nullfd;
+
+- dup2(0, 3);
+- vncInetdSock = 3;
++ if ((vncInetdSock = dup(0)) == -1)
++ FatalError
++ ("Xvnc error: failed to allocate a new file descriptor for -inetd: %s\n", strerror(errno));
++
+
+ /* Avoid xserver >= 1.19's epoll-fd becoming fd 2 / stderr only to be
+ replaced by /dev/null by OsInit() because the pollfd is not
diff --git a/SOURCES/xorg-CVE-2024-0229-followup.patch b/SOURCES/xorg-CVE-2024-0229-followup.patch
new file mode 100644
index 0000000..9ea651b
--- /dev/null
+++ b/SOURCES/xorg-CVE-2024-0229-followup.patch
@@ -0,0 +1,32 @@
+From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 22 Jan 2024 14:22:12 +1000
+Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
+ event
+
+Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
+---
+ dix/enterleave.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 7b7ba1098b..c1e6ac600e 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+ ev->first_valuator = first;
+ switch (ev->num_valuators) {
+ case 6:
+- ev->valuator2 = v->axisVal[first + 5];
++ ev->valuator5 = v->axisVal[first + 5];
+ case 5:
+- ev->valuator2 = v->axisVal[first + 4];
++ ev->valuator4 = v->axisVal[first + 4];
+ case 4:
+- ev->valuator2 = v->axisVal[first + 3];
++ ev->valuator3 = v->axisVal[first + 3];
+ case 3:
+ ev->valuator2 = v->axisVal[first + 2];
+ case 2:
+--
+GitLab
diff --git a/SPECS/tigervnc.spec b/SPECS/tigervnc.spec
index 64d8998..df0d991 100644
--- a/SPECS/tigervnc.spec
+++ b/SPECS/tigervnc.spec
@@ -5,7 +5,7 @@
Name: tigervnc
Version: 1.13.1
-Release: 2%{?dist}
+Release: 8%{?dist}
Summary: A TigerVNC remote display system
%global _hardened_build 1
@@ -27,13 +27,21 @@ Patch2: tigervnc-vncsession-restore-script-systemd-service.patch
Patch3: tigervnc-dont-install-appstream-metadata-file.patch
# Upstream patches
+Patch50: tigervnc-support-username-alias-in-plainusers.patch
+Patch51: tigervnc-use-dup-to-get-available-fd-for-inetd.patch
+
+# Upstreamable patches
+Patch80: tigervnc-dont-get-pointer-position-for-floating-device.patch
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
Patch100: tigervnc-xserver120.patch
# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
Patch101: 0001-rpath-hack.patch
-# Upstreamable patches
+# XServer patches
+# CVE-2024-0229
+# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1251
+Patch200: xorg-CVE-2024-0229-followup.patch
BuildRequires: make
BuildRequires: gcc-c++
@@ -181,12 +189,20 @@ for all in `find . -type f -perm -001`; do
done
%patch100 -p1 -b .xserver120-rebased
%patch101 -p1 -b .rpath
+%patch200 -p1 -b .xorg-CVE-2024-0229-followup
popd
%patch1 -p1 -b .use-gnome-as-default-session
%patch2 -p1 -b .vncsession-restore-script-systemd-service
%patch3 -p1 -b .dont-install-appstream-metadata-file.patch
+# Upstream patches
+%patch50 -p1 -b .support-username-alias-in-plainusers
+%patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd
+
+# Upstreamable patches
+%patch80 -p1 -b .dont-get-pointer-position-for-floating-device
+
%build
%ifarch sparcv9 sparc64 s390 s390x
export CFLAGS="$RPM_OPT_FLAGS -fPIC"
@@ -337,9 +353,44 @@ fi
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
-%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%changelog
+* Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8
+- Fix copy/paste error in the DeviceStateNotify
+ Resolves: RHEL-20530
+
+* Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
+- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
+ Resolves: RHEL-20388
+- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
+ Resolves: RHEL-20382
+- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
+ Resolves: RHEL-20530
+- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
+ Resolves: RHEL-21214
+
+* Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6
+- Use dup() to get available file descriptor when using -inetd option
+ Resolves: RHEL-21000
+
+* Mon Dec 18 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-5
+- Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions
+ Resolves: RHEL-18410
+- Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
+ Resolves: RHEL-18422
+
+* Wed Nov 01 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-4
+- Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow
+ Resolves: RHEL-15236
+
+- Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty
+ Resolves: RHEL-15230
+
+* Mon Oct 09 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3
+- Support username alias in PlainUsers
+ Resolves: RHEL-4258
+
* Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
Escalation Vulnerability