import CS tigervnc-1.13.1-8.el9

2024-03-28 11:55:41 +00:00 · 2024-03-28 11:55:41 +00:00 · e3bc105787
commit e3bc105787
parent 0b154d8129
5 changed files with 250 additions and 2 deletions
--- a/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch
+++ b/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch
@ -0,0 +1,13 @@
+diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c
+index b3d0926d..d36a096f 100644
+--- a/unix/xserver/hw/vnc/vncInput.c
+++ b/unix/xserver/hw/vnc/vncInput.c
+@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y)
+ 
+ void vncGetPointerPos(int *x, int *y)
+ {
+-	if (vncPointerDev != NULL) {
+	if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) {
+ 		ScreenPtr ptrScreen;
+ 
+ 		miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY);
--- a/SOURCES/tigervnc-support-username-alias-in-plainusers.patch
+++ b/SOURCES/tigervnc-support-username-alias-in-plainusers.patch
@ -0,0 +1,135 @@
+diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx
+index 6f65e87..3142ba3 100644
+--- a/common/rfb/SSecurityPlain.cxx
+++ b/common/rfb/SSecurityPlain.cxx
+@@ -27,6 +27,8 @@
+ #include <rdr/InStream.h>
+ #if !defined(WIN32) && !defined(__APPLE__)
+ #include <rfb/UnixPasswordValidator.h>
+#include <unistd.h>
+#include <pwd.h>
+ #endif
+ #ifdef WIN32
+ #include <rfb/WinPasswdValidator.h>
+@@ -45,21 +47,22 @@ StringParameter PasswordValidator::plainUsers
+
+ bool PasswordValidator::validUser(const char* username)
+ {
+-  CharArray users(plainUsers.getValueStr()), user;
+  std::vector<std::string> users;
+
+-  while (users.buf) {
+-    strSplit(users.buf, ',', &user.buf, &users.buf);
+-#ifdef WIN32
+-    if (0 == stricmp(user.buf, "*"))
+-	  return true;
+-    if (0 == stricmp(user.buf, username))
+-	  return true;
+-#else
+-    if (!strcmp(user.buf, "*"))
+-	  return true;
+-    if (!strcmp(user.buf, username))
+-	  return true;
+  users = split(plainUsers, ',');
+
+  for (size_t i = 0; i < users.size(); i++) {
+    if (users[i] == "*")
+      return true;
+#if !defined(WIN32) && !defined(__APPLE__)
+    if (users[i] == "%u") {
+      struct passwd *pw = getpwnam(username);
+      if (pw && pw->pw_uid == getuid())
+        return true;
+    }
+ #endif
+    if (users[i] == username)
+      return true;
+   }
+   return false;
+ }
+diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx
+index 649eb0b..cce73a0 100644
+--- a/common/rfb/util.cxx
+++ b/common/rfb/util.cxx
+@@ -99,6 +99,26 @@ namespace rfb {
+     return false;
+   }
+
+  std::vector<std::string> split(const char* src,
+                                 const char delimiter)
+  {
+    std::vector<std::string> out;
+    const char *start, *stop;
+
+    start = src;
+    do {
+      stop = strchr(start, delimiter);
+      if (stop == NULL) {
+        out.push_back(start);
+      } else {
+        out.push_back(std::string(start, stop-start));
+        start = stop + 1;
+      }
+    } while (stop != NULL);
+
+    return out;
+  }
+
+   bool strContains(const char* src, char c) {
+     int l=strlen(src);
+     for (int i=0; i<l; i++)
+diff --git a/common/rfb/util.h b/common/rfb/util.h
+index f0ac9ef..ed15c28 100644
+--- a/common/rfb/util.h
+++ b/common/rfb/util.h
+@@ -27,6 +27,9 @@
+ #include <limits.h>
+ #include <string.h>
+
+#include <string>
+#include <vector>
+
+ struct timeval;
+
+ #ifdef __GNUC__
+@@ -76,6 +79,10 @@ namespace rfb {
+   // that part of the string.  Obviously, setting both to 0 is not useful...
+   bool strSplit(const char* src, const char limiter, char** out1, char** out2, bool fromEnd=false);
+
+  // Splits a string with the specified delimiter
+  std::vector<std::string> split(const char* src,
+                                 const char delimiter);
+
+   // Returns true if src contains c
+   bool strContains(const char* src, char c);
+
+diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man
+index c36ae34..78db730 100644
+--- a/unix/x0vncserver/x0vncserver.man
+++ b/unix/x0vncserver/x0vncserver.man
+@@ -125,8 +125,8 @@ parameter instead.
+ .B \-PlainUsers \fIuser-list\fP
+ A comma separated list of user names that are allowed to authenticate via
+ any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
+-to allow any user to authenticate using this security type. Default is to
+-deny all users.
+to allow any user to authenticate using this security type. Specify \fB%u\fP
+to allow the user of the server process. Default is to deny all users.
+ .
+ .TP
+ .B \-pam_service \fIname\fP, \-PAMService \fIname\fP
+diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
+index ea87dea..e9fb654 100644
+--- a/unix/xserver/hw/vnc/Xvnc.man
+++ b/unix/xserver/hw/vnc/Xvnc.man
+@@ -200,8 +200,8 @@ parameter instead.
+ .B \-PlainUsers \fIuser-list\fP
+ A comma separated list of user names that are allowed to authenticate via
+ any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
+-to allow any user to authenticate using this security type. Default is to
+-deny all users.
+to allow any user to authenticate using this security type. Specify \fB%u\fP
+to allow the user of the server process. Default is to deny all users.
+ .
+ .TP
+ .B \-pam_service \fIname\fP, \-PAMService \fIname\fP
--- a/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch
+++ b/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch
@ -0,0 +1,17 @@
+diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
+index f8141959..c5c36539 100644
+--- a/unix/xserver/hw/vnc/xvnc.c
+++ b/unix/xserver/hw/vnc/xvnc.c
+@@ -366,8 +366,10 @@ ddxProcessArgument(int argc, char *argv[], int i)
+     if (strcmp(argv[i], "-inetd") == 0) {
+         int nullfd;
+ 
+-        dup2(0, 3);
+-        vncInetdSock = 3;
+        if ((vncInetdSock = dup(0)) == -1)
+            FatalError
+                ("Xvnc error: failed to allocate a new file descriptor for -inetd: %s\n", strerror(errno));
+
+ 
+         /* Avoid xserver >= 1.19's epoll-fd becoming fd 2 / stderr only to be
+            replaced by /dev/null by OsInit() because the pollfd is not
--- a/SOURCES/xorg-CVE-2024-0229-followup.patch
+++ b/SOURCES/xorg-CVE-2024-0229-followup.patch
@ -0,0 +1,32 @@
+From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 22 Jan 2024 14:22:12 +1000
+Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
+ event
+
+Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
+---
+ dix/enterleave.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 7b7ba1098b..c1e6ac600e 100644
+--- a/dix/enterleave.c
+++ b/dix/enterleave.c
+@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+     ev->first_valuator = first;
+     switch (ev->num_valuators) {
+     case 6:
+-        ev->valuator2 = v->axisVal[first + 5];
+        ev->valuator5 = v->axisVal[first + 5];
+     case 5:
+-        ev->valuator2 = v->axisVal[first + 4];
+        ev->valuator4 = v->axisVal[first + 4];
+     case 4:
+-        ev->valuator2 = v->axisVal[first + 3];
+        ev->valuator3 = v->axisVal[first + 3];
+     case 3:
+         ev->valuator2 = v->axisVal[first + 2];
+     case 2:
+--
+GitLab
--- a/SPECS/tigervnc.spec
+++ b/SPECS/tigervnc.spec
@ -5,7 +5,7 @@

 Name:           tigervnc
 Version:        1.13.1
-Release:        2%{?dist}
+Release:        8%{?dist}
 Summary:        A TigerVNC remote display system

 %global _hardened_build 1
@ -26,12 +26,22 @@ Patch1:         tigervnc-use-gnome-as-default-session.patch
 Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch

 # Upstream patches
+Patch50:        tigervnc-support-username-alias-in-plainusers.patch
+Patch51:        tigervnc-use-dup-to-get-available-fd-for-inetd.patch
+
+# Upstreamable patches
+Patch80:        tigervnc-dont-get-pointer-position-for-floating-device.patch

 # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
 Patch100:       tigervnc-xserver120.patch
 # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
 Patch101:       0001-rpath-hack.patch

+# XServer patches
+# CVE-2024-0229
+# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1251
+Patch200:       xorg-CVE-2024-0229-followup.patch
+
 BuildRequires:  make
 BuildRequires:  gcc-c++
 BuildRequires:  gettext
@ -180,12 +190,18 @@ for all in `find . -type f -perm -001`; do
 done
 %patch100 -p1 -b .xserver120-rebased
 %patch101 -p1 -b .rpath
+%patch200 -p1 -b .xorg-CVE-2024-0229-followup
 popd

 %patch1 -p1 -b .use-gnome-as-default-session
 %patch2 -p1 -b .vncsession-restore-script-systemd-service

 # Upstream patches
+%patch50 -p1 -b .support-username-alias-in-plainusers
+%patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd
+
+# Upstreamable patches
+%patch80 -p1 -b .dont-get-pointer-position-for-floating-device

 %build
 %ifarch sparcv9 sparc64 s390 s390x
@ -365,9 +381,44 @@ fi

 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
-%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}

 %changelog
+* Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8
+- Fix copy/paste error in the DeviceStateNotify
+  Resolves: RHEL-20533
+
+* Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
+- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
+  Resolves: RHEL-20389
+- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
+  Resolves: RHEL-20383
+- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
+  Resolves: RHEL-20533
+- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
+  Resolves: RHEL-21213
+
+* Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6
+- Use dup() to get available file descriptor when using -inetd option
+  Resolves: RHEL-19858
+
+* Mon Dec 18 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-5
+- Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions
+  Resolves: RHEL-18414
+- Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
+  Resolves: RHEL-18426
+
+* Wed Nov 01 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-4
+- Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow
+  Resolves: RHEL-15237
+
+- Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty
+  Resolves: RHEL-15249
+
+* Mon Oct 09 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3
+- Support username alias in PlainUsers
+  Resolves: RHEL-8430
+
 * Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
 - xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
  Escalation Vulnerability