diff --git a/0001-rpath-hack.patch b/0001-rpath-hack.patch new file mode 100644 index 0000000..4e438dd --- /dev/null +++ b/0001-rpath-hack.patch @@ -0,0 +1,24 @@ +From 2489f2f38eb32d9dd03718a36cbdbdf13d2f8b9b Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Thu, 12 Nov 2015 11:10:11 -0500 +Subject: [PATCH] rpath hack + +Normally, rpath is undesirable. But for the X server we _know_ we need +Mesa's libGL, which will always be in %{_libdir}, and not any third-party +libGL that may be configured using ld.so.conf. + +--- + configure.ac | 1 + + 1 files changed, 1 insertions(+), 0 deletion(-) + +diff --git a/configure.ac b/configure.ac +index fa15a2d..a5af1e0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1261,6 +1261,7 @@ AM_CONDITIONAL(GLX, test "x$GLX" = xyes) + + AM_CONDITIONAL(HASHTABLE, test "x$HASHTABLE" = xyes) + ++GLX_SYS_LIBS="$GLX_SYS_LIBS -Wl,-rpath=\$(libdir)" + AC_SUBST([GLX_DEFINES]) + AC_SUBST([GLX_SYS_LIBS]) diff --git a/tigervnc-1.3.1-CVE-2014-8240.patch b/tigervnc-1.3.1-CVE-2014-8240.patch new file mode 100644 index 0000000..09217f1 --- /dev/null +++ b/tigervnc-1.3.1-CVE-2014-8240.patch @@ -0,0 +1,74 @@ +diff --git a/unix/x0vncserver/Image.cxx b/unix/x0vncserver/Image.cxx +index f998c6a..fb9dbd4 100644 +--- a/unix/x0vncserver/Image.cxx ++++ b/unix/x0vncserver/Image.cxx +@@ -80,6 +80,14 @@ void Image::Init(int width, int height) + xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)), + ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0); + ++ if (xim->bytes_per_line <= 0 || ++ xim->height <= 0 || ++ xim->height >= INT_MAX / xim->bytes_per_line) { ++ vlog.error("Invalid display size"); ++ XDestroyImage(xim); ++ exit(1); ++ } ++ + xim->data = (char *)malloc(xim->bytes_per_line * xim->height); + if (xim->data == NULL) { + vlog.error("malloc() failed"); +@@ -256,6 +264,17 @@ void ShmImage::Init(int width, int height, const XVisualInfo *vinfo) + return; + } + ++ if (xim->bytes_per_line <= 0 || ++ xim->height <= 0 || ++ xim->height >= INT_MAX / xim->bytes_per_line) { ++ vlog.error("Invalid display size"); ++ XDestroyImage(xim); ++ xim = NULL; ++ delete shminfo; ++ shminfo = NULL; ++ return; ++ } ++ + shminfo->shmid = shmget(IPC_PRIVATE, + xim->bytes_per_line * xim->height, + IPC_CREAT|0777); +diff --git a/vncviewer/PlatformPixelBuffer.cxx b/vncviewer/PlatformPixelBuffer.cxx +index a2b506d..9266d9f 100644 +--- a/vncviewer/PlatformPixelBuffer.cxx ++++ b/vncviewer/PlatformPixelBuffer.cxx +@@ -49,6 +49,15 @@ PlatformPixelBuffer::PlatformPixelBuffer(int width, int height) : + if (!xim) + throw rdr::Exception("XCreateImage"); + ++ if (xim->bytes_per_line <= 0 || ++ xim->height <= 0 || ++ xim->height >= INT_MAX / xim->bytes_per_line) { ++ if (xim) ++ XDestroyImage(xim); ++ xim = NULL; ++ throw rdr::Exception("Invalid display size"); ++ } ++ + xim->data = (char*)malloc(xim->bytes_per_line * xim->height); + if (!xim->data) + throw rdr::Exception("malloc"); +@@ -152,6 +161,16 @@ bool PlatformPixelBuffer::setupShm() + if (!xim) + goto free_shminfo; + ++ if (xim->bytes_per_line <= 0 || ++ xim->height <= 0 || ++ xim->height >= INT_MAX / xim->bytes_per_line) { ++ XDestroyImage(xim); ++ xim = NULL; ++ delete shminfo; ++ shminfo = NULL; ++ throw rdr::Exception("Invalid display size"); ++ } ++ + shminfo->shmid = shmget(IPC_PRIVATE, + xim->bytes_per_line * xim->height, + IPC_CREAT|0600); diff --git a/tigervnc-1.3.1-do-not-die-when-port-is-already-taken.patch b/tigervnc-1.3.1-do-not-die-when-port-is-already-taken.patch new file mode 100644 index 0000000..3623b14 --- /dev/null +++ b/tigervnc-1.3.1-do-not-die-when-port-is-already-taken.patch @@ -0,0 +1,14 @@ +diff --git a/unix/vncserver b/unix/vncserver +index a6c890f..687ef72 100755 +--- a/unix/vncserver ++++ b/unix/vncserver +@@ -208,7 +208,8 @@ if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) { + $displayNumber = $1; + shift(@ARGV); + if (!&CheckDisplayNumber($displayNumber)) { +- die "A VNC server is already running as :$displayNumber\n"; ++ warn "A VNC server is already running as :$displayNumber\n"; ++ $displayNumber = &GetDisplayNumber(); + } + } elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) { + &Usage(); diff --git a/tigervnc-correctly-start-vncsession-as-daemon.patch b/tigervnc-correctly-start-vncsession-as-daemon.patch new file mode 100644 index 0000000..af5e7f2 --- /dev/null +++ b/tigervnc-correctly-start-vncsession-as-daemon.patch @@ -0,0 +1,13 @@ +diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c +index 2b47f5f5..f78c096f 100644 +--- a/unix/vncserver/vncsession.c ++++ b/unix/vncserver/vncsession.c +@@ -99,7 +99,7 @@ begin_daemon(void) + return -1; + } + +- if (pid == 0) ++ if (pid != 0) + _exit(0); + + /* Send all stdio to /dev/null */ diff --git a/tigervnc-covscan.patch b/tigervnc-covscan.patch new file mode 100644 index 0000000..803f71a --- /dev/null +++ b/tigervnc-covscan.patch @@ -0,0 +1,312 @@ +diff --git a/common/network/TcpSocket.cxx b/common/network/TcpSocket.cxx +index 51d77c76..9e277cbb 100644 +--- a/common/network/TcpSocket.cxx ++++ b/common/network/TcpSocket.cxx +@@ -736,7 +736,7 @@ char* TcpFilter::patternToStr(const TcpFilter::Pattern& p) { + buffer + 1, sizeof (buffer) - 2, NULL, 0, NI_NUMERICHOST); + strcat(buffer, "]"); + addr.buf = rfb::strDup(buffer); +- } else if (p.address.u.sa.sa_family == AF_UNSPEC) ++ } else + addr.buf = rfb::strDup(""); + + char action; +diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx +index e1a31f78..d268202b 100644 +--- a/common/rfb/CSecurityTLS.cxx ++++ b/common/rfb/CSecurityTLS.cxx +@@ -95,9 +95,9 @@ void CSecurityTLS::setDefaults() + delete [] homeDir; + + if (!fileexists(caDefault.buf)) +- X509CA.setDefaultStr(strdup(caDefault.buf)); ++ X509CA.setDefaultStr(caDefault.buf); + if (!fileexists(crlDefault.buf)) +- X509CRL.setDefaultStr(strdup(crlDefault.buf)); ++ X509CRL.setDefaultStr(crlDefault.buf); + } + + void CSecurityTLS::shutdown(bool needbye) +diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx +index 6d48b65c..6f72432a 100644 +--- a/common/rfb/SSecurityPlain.cxx ++++ b/common/rfb/SSecurityPlain.cxx +@@ -41,7 +41,7 @@ StringParameter PasswordValidator::plainUsers + + bool PasswordValidator::validUser(const char* username) + { +- CharArray users(strDup(plainUsers.getValueStr())), user; ++ CharArray users(plainUsers.getValueStr()), user; + + while (users.buf) { + strSplit(users.buf, ',', &user.buf, &users.buf); +diff --git a/unix/tx/TXWindow.cxx b/unix/tx/TXWindow.cxx +index a6819179..6129840e 100644 +--- a/unix/tx/TXWindow.cxx ++++ b/unix/tx/TXWindow.cxx +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include + + std::list windows; +@@ -132,20 +133,20 @@ TXGlobalEventHandler* TXWindow::setGlobalEventHandler(TXGlobalEventHandler* h) + + void TXWindow::getColours(Display* dpy, XColor* cols, int nCols) + { +- bool* got = new bool[nCols]; ++ std::vector got; ++ + bool failed = false; + int i; + for (i = 0; i < nCols; i++) { + if (XAllocColor(dpy, cmap, &cols[i])) { +- got[i] = true; ++ got.push_back(true); + } else { +- got[i] = false; ++ got.push_back(false); + failed = true; + } + } + + if (!failed) { +- delete [] got; + return; + } + +@@ -168,12 +169,13 @@ void TXWindow::getColours(Display* dpy, XColor* cols, int nCols) + int cmapSize = DisplayCells(dpy,DefaultScreen(dpy)); + + XColor* cm = new XColor[cmapSize]; +- bool* shared = new bool[cmapSize]; +- bool* usedAsNearest = new bool[cmapSize]; ++ std::vector shared; ++ std::vector usedAsNearest; + + for (i = 0; i < cmapSize; i++) { + cm[i].pixel = i; +- shared[i] = usedAsNearest[i] = false; ++ shared.push_back(false); ++ usedAsNearest.push_back(false); + } + + XQueryColors(dpy, cmap, cm, cmapSize); +diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx +index 8bd4e48e..3055223e 100644 +--- a/unix/vncpasswd/vncpasswd.cxx ++++ b/unix/vncpasswd/vncpasswd.cxx +@@ -134,7 +134,7 @@ int main(int argc, char** argv) + } else if (argv[i][0] == '-') { + usage(); + } else if (!fname) { +- fname = argv[i]; ++ fname = strDup(argv[i]); + } else { + usage(); + } +@@ -165,24 +165,37 @@ int main(int argc, char** argv) + FILE* fp = fopen(fname,"w"); + if (!fp) { + fprintf(stderr,"Couldn't open %s for writing\n",fname); ++ delete [] fname; ++ delete obfuscated; ++ delete obfuscatedReadOnly; + exit(1); + } + chmod(fname, S_IRUSR|S_IWUSR); + + if (fwrite(obfuscated->buf, obfuscated->length, 1, fp) != 1) { + fprintf(stderr,"Writing to %s failed\n",fname); ++ delete [] fname; ++ delete obfuscated; ++ delete obfuscatedReadOnly; + exit(1); + } + ++ delete obfuscated; ++ + if (obfuscatedReadOnly) { + if (fwrite(obfuscatedReadOnly->buf, obfuscatedReadOnly->length, 1, fp) != 1) { + fprintf(stderr,"Writing to %s failed\n",fname); ++ delete [] fname; ++ delete obfuscatedReadOnly; + exit(1); + } + } + + fclose(fp); + ++ delete [] fname; ++ delete obfuscatedReadOnly; ++ + return 0; + } + } +diff --git a/unix/xserver/hw/vnc/vncExtInit.cc b/unix/xserver/hw/vnc/vncExtInit.cc +index d6f6b742..7ca71d94 100644 +--- a/unix/xserver/hw/vnc/vncExtInit.cc ++++ b/unix/xserver/hw/vnc/vncExtInit.cc +@@ -184,7 +184,7 @@ void vncExtensionInit(void) + listeners.push_back(new network::TcpListener(vncInetdSock)); + vlog.info("inetd wait"); + } +- } else if (rfbunixpath.getValueStr()[0] != '\0') { ++ } else if (((const char*)rfbunixpath)[0] != '\0') { + char path[PATH_MAX]; + int mode = (int)rfbunixmode; + +@@ -192,7 +192,7 @@ void vncExtensionInit(void) + strncpy(path, rfbunixpath, sizeof(path)); + else + snprintf(path, sizeof(path), "%s.%d", +- rfbunixpath.getValueStr(), scr); ++ (const char*)rfbunixpath, scr); + path[sizeof(path)-1] = '\0'; + + listeners.push_back(new network::UnixListener(path, mode)); +diff --git a/unix/xserver/hw/vnc/vncSelection.c b/unix/xserver/hw/vnc/vncSelection.c +index 51dfd9c6..4f3538d4 100644 +--- a/unix/xserver/hw/vnc/vncSelection.c ++++ b/unix/xserver/hw/vnc/vncSelection.c +@@ -105,7 +105,7 @@ void vncClientCutText(const char* str, int len) + LOG_ERROR("Could not set PRIMARY selection"); + } + +- vncOwnSelection(xaCLIPBOARD); ++ rc = vncOwnSelection(xaCLIPBOARD); + if (rc != Success) + LOG_ERROR("Could not set CLIPBOARD selection"); + } +diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c +index 3b4d2f31..c845ebc4 100644 +--- a/unix/xserver/hw/vnc/xvnc.c ++++ b/unix/xserver/hw/vnc/xvnc.c +@@ -766,10 +766,13 @@ vfbUninstallColormap(ColormapPtr pmap) + curpmap = (ColormapPtr) LookupIDByType(pmap->pScreen->defColormap, + RT_COLORMAP); + #else +- dixLookupResourceByType((void * *) &curpmap, pmap->pScreen->defColormap, +- RT_COLORMAP, serverClient, DixUnknownAccess); ++ int rc = dixLookupResourceByType((void * *) &curpmap, pmap->pScreen->defColormap, ++ RT_COLORMAP, serverClient, DixUnknownAccess); ++ if (rc != Success) ++ ErrorF("Failed to uninstall color map\n"); ++ else + #endif +- (*pmap->pScreen->InstallColormap)(curpmap); ++ (*pmap->pScreen->InstallColormap)(curpmap); + } + } + } +diff --git a/vncviewer/DesktopWindow.cxx b/vncviewer/DesktopWindow.cxx +index d070b648..1843485a 100644 +--- a/vncviewer/DesktopWindow.cxx ++++ b/vncviewer/DesktopWindow.cxx +@@ -103,12 +103,12 @@ DesktopWindow::DesktopWindow(int w, int h, const char *name, + int geom_x = 0, geom_y = 0; + if (strcmp(geometry, "") != 0) { + int matched; +- matched = sscanf(geometry.getValueStr(), "+%d+%d", &geom_x, &geom_y); ++ matched = sscanf((const char*)geometry, "+%d+%d", &geom_x, &geom_y); + if (matched == 2) { + force_position(1); + } else { + int geom_w, geom_h; +- matched = sscanf(geometry.getValueStr(), "%dx%d+%d+%d", &geom_w, &geom_h, &geom_x, &geom_y); ++ matched = sscanf((const char*)geometry, "%dx%d+%d+%d", &geom_w, &geom_h, &geom_x, &geom_y); + switch (matched) { + case 4: + force_position(1); +diff --git a/vncviewer/OptionsDialog.cxx b/vncviewer/OptionsDialog.cxx +index b018c95b..62b5d9c5 100644 +--- a/vncviewer/OptionsDialog.cxx ++++ b/vncviewer/OptionsDialog.cxx +@@ -282,7 +282,7 @@ void OptionsDialog::loadOptions(void) + /* Screen */ + int width, height; + +- if (sscanf(desktopSize.getValueStr(), "%dx%d", &width, &height) != 2) { ++ if (sscanf((const char*)desktopSize, "%dx%d", &width, &height) != 2) { + desktopSizeCheckbox->value(false); + desktopWidthInput->value("1024"); + desktopHeightInput->value("768"); +diff --git a/vncviewer/ServerDialog.cxx b/vncviewer/ServerDialog.cxx +index de67f87b..fec17896 100644 +--- a/vncviewer/ServerDialog.cxx ++++ b/vncviewer/ServerDialog.cxx +@@ -150,7 +150,7 @@ void ServerDialog::handleLoad(Fl_Widget *widget, void *data) + return; + } + +- const char* filename = strdup(file_chooser->value()); ++ const char* filename = file_chooser->value(); + + try { + dialog->serverName->value(loadViewerParameters(filename)); +@@ -165,8 +165,8 @@ void ServerDialog::handleLoad(Fl_Widget *widget, void *data) + void ServerDialog::handleSaveAs(Fl_Widget *widget, void *data) + { + ServerDialog *dialog = (ServerDialog*)data; +- const char* servername = strdup(dialog->serverName->value()); +- char* filename; ++ const char* servername = dialog->serverName->value(); ++ const char* filename; + + Fl_File_Chooser* file_chooser = new Fl_File_Chooser("", _("TigerVNC configuration (*.tigervnc)"), + 2, _("Save the TigerVNC configuration to file")); +@@ -187,7 +187,7 @@ void ServerDialog::handleSaveAs(Fl_Widget *widget, void *data) + return; + } + +- filename = strdup(file_chooser->value()); ++ filename = file_chooser->value(); + + FILE* f = fopen(filename, "r"); + if (f) { +@@ -235,7 +235,7 @@ void ServerDialog::handleCancel(Fl_Widget *widget, void *data) + void ServerDialog::handleConnect(Fl_Widget *widget, void *data) + { + ServerDialog *dialog = (ServerDialog*)data; +- const char* servername = strdup(dialog->serverName->value()); ++ const char* servername = dialog->serverName->value(); + + dialog->hide(); + +diff --git a/vncviewer/parameters.cxx b/vncviewer/parameters.cxx +index 51cce3d7..94cc1b05 100644 +--- a/vncviewer/parameters.cxx ++++ b/vncviewer/parameters.cxx +@@ -499,6 +499,7 @@ void saveViewerParameters(const char *filename, const char *servername) { + } + + snprintf(filepath, sizeof(filepath), "%sdefault.tigervnc", homeDir); ++ free(homeDir); + } else { + snprintf(filepath, sizeof(filepath), "%s", filename); + } +@@ -555,6 +556,7 @@ char* loadViewerParameters(const char *filename) { + "can't obtain home directory path.")); + + snprintf(filepath, sizeof(filepath), "%sdefault.tigervnc", homeDir); ++ free(homeDir); + } else { + snprintf(filepath, sizeof(filepath), "%s", filename); + } +diff --git a/vncviewer/vncviewer.cxx b/vncviewer/vncviewer.cxx +index f076565f..a9d4dfea 100644 +--- a/vncviewer/vncviewer.cxx ++++ b/vncviewer/vncviewer.cxx +@@ -470,9 +470,9 @@ static int mktunnel() + int localPort = findFreeTcpPort(); + int remotePort; + +- gatewayHost = strDup(via.getValueStr()); + if (interpretViaParam(remoteHost, &remotePort, localPort) != 0) + return 1; ++ gatewayHost = (const char*)via; + createTunnel(gatewayHost, remoteHost, remotePort, localPort); + + return 0; diff --git a/tigervnc-cursor.patch b/tigervnc-cursor.patch new file mode 100644 index 0000000..1f95df8 --- /dev/null +++ b/tigervnc-cursor.patch @@ -0,0 +1,12 @@ +diff -up tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor tigervnc-1.3.0/vncviewer/Viewport.cxx +--- tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor 2013-12-17 13:28:23.170400013 +0000 ++++ tigervnc-1.3.0/vncviewer/Viewport.cxx 2013-12-17 13:29:46.095784064 +0000 +@@ -248,7 +248,7 @@ void Viewport::setCursor(int width, int height, const Point& hotspot, + } + } + +- if (Fl::belowmouse() == this) ++ if (Fl::belowmouse() == this && cursor) + window()->cursor(cursor, cursorHotspot.x, cursorHotspot.y); + } + diff --git a/tigervnc-let-user-know-about-not-using-view-only-password.patch b/tigervnc-let-user-know-about-not-using-view-only-password.patch new file mode 100644 index 0000000..e28ffa9 --- /dev/null +++ b/tigervnc-let-user-know-about-not-using-view-only-password.patch @@ -0,0 +1,13 @@ +diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx +index 16c925ee..6398121e 100644 +--- a/unix/vncpasswd/vncpasswd.cxx ++++ b/unix/vncpasswd/vncpasswd.cxx +@@ -150,6 +150,8 @@ int main(int argc, char** argv) + char yesno[3]; + if (fgets(yesno, 3, stdin) != NULL && (yesno[0] == 'y' || yesno[0] == 'Y')) { + obfuscatedReadOnly = readpassword(); ++ } else { ++ fprintf(stderr, "A view-only password is not used\n"); + } + + FILE* fp = fopen(fname,"w"); diff --git a/tigervnc-use-gnome-as-default-session.patch b/tigervnc-use-gnome-as-default-session.patch new file mode 100644 index 0000000..a767c40 --- /dev/null +++ b/tigervnc-use-gnome-as-default-session.patch @@ -0,0 +1,12 @@ +diff --git a/unix/vncserver/vncserver-config-defaults b/unix/vncserver/vncserver-config-defaults +index 0c217bf..2889347 100644 +--- a/unix/vncserver/vncserver-config-defaults ++++ b/unix/vncserver/vncserver-config-defaults +@@ -13,3 +13,7 @@ + # geometry=2000x1200 + # localhost + # alwaysshared ++ ++# Default to GNOME session ++# Note: change this only when you know what are you doing ++session=gnome diff --git a/tigervnc-working-tls-on-fips-systems.patch b/tigervnc-working-tls-on-fips-systems.patch new file mode 100644 index 0000000..841ac2f --- /dev/null +++ b/tigervnc-working-tls-on-fips-systems.patch @@ -0,0 +1,13 @@ +diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx +index b946022..2daefa2 100644 +--- a/common/rfb/SSecurityTLS.cxx ++++ b/common/rfb/SSecurityTLS.cxx +@@ -186,7 +186,7 @@ void SSecurityTLS::setParams(gnutls_session_t session) + if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_dh_params_init failed"); + +- if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS) ++ if (gnutls_dh_params_generate2(dh_params, gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM)) != GNUTLS_E_SUCCESS) + throw AuthFailureException("gnutls_dh_params_generate2 failed"); + + if (anon) { diff --git a/tigervnc.spec b/tigervnc.spec index ff2e755..e61d261 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -1,6 +1,6 @@ Name: tigervnc Version: 1.11.0 -Release: 11%{?dist} +Release: 12%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1 @@ -19,14 +19,23 @@ Source5: vncserver Source6: vncserver.man Patch1: tigervnc-getmaster.patch -Patch2: tigervnc-utilize-system-crypto-policies.patch -Patch3: tigervnc-passwd-crash-with-malloc-checks.patch -Patch4: tigervnc-systemd-service.patch +Patch2: tigervnc-cursor.patch +Patch3: tigervnc-1.3.1-CVE-2014-8240.patch +Patch4: tigervnc-let-user-know-about-not-using-view-only-password.patch +Patch5: tigervnc-working-tls-on-fips-systems.patch +Patch6: tigervnc-utilize-system-crypto-policies.patch +Patch7: tigervnc-passwd-crash-with-malloc-checks.patch +Patch8: tigervnc-use-gnome-as-default-session.patch # Upstream patches Patch50: tigervnc-tolerate-specifying-boolparam.patch +Patch51: tigervnc-systemd-service.patch +Patch52: tigervnc-correctly-start-vncsession-as-daemon.patch +# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg Patch100: tigervnc-xserver120.patch +# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start +Patch101: 0001-rpath-hack.patch BuildRequires: make BuildRequires: gcc-c++ @@ -144,20 +153,35 @@ for all in `find . -type f -perm -001`; do chmod -x "$all" done %patch100 -p1 -b .xserver120-rebased +%patch101 -p1 -b .rpath popd # libvnc.so: don't use unexported GetMaster function (bug #744881 again). %patch1 -p1 -b .getmaster +# Fixed viewer crash when cursor has not been set (bug #1051333). +%patch2 -p1 -b .cursor + +# CVE-2014-8240 tigervnc: integer overflow flaw, leading to a heap-based +# buffer overflow in screen size handling +%patch3 -p1 -b .tigervnc-1.3.1-CVE-2014-8240 + +# Bug 1447555 - view-only accepts enter, unclear whether default password is generated or not +%patch4 -p1 -b .let-user-know-about-not-using-view-only-password + +# Bug 1492107 - VNC cannot be used when FIPS is enabled because DH_BITS is too low +%patch5 -p1 -b .working-tls-on-fips-systems + # Utilize system-wide crypto policies -%patch2 -p1 -b .utilize-system-crypto-policies +%patch6 -p1 -b .utilize-system-crypto-policies.patch -%patch3 -p1 -b .tigervnc-passwd-crash-with-malloc-checks +%patch7 -p1 -b .passwd-crash-with-malloc-checks +%patch8 -p1 -b .use-gnome-as-default-session -# https://github.com/TigerVNC/tigervnc/pull/1115 -%patch4 -p1 -b .tigervnc-systemd-service - -%patch50 -p1 -b .tigervnc-tolerate-specifying-boolparam +# Upstream patches +%patch50 -p1 -b .tolerate-specifying-boolparam +%patch51 -p1 -b .systemd-service +%patch52 -p1 -b .correctly-start-vncsession-as-daemon %build %ifarch sparcv9 sparc64 s390 s390x @@ -339,6 +363,9 @@ fi %{_datadir}/selinux/packages/vncsession.pp %changelog +* Mon Mar 08 2021 Jan Grulich - 1.11.0-12 +- Include RHEL8 patches + * Fri Mar 05 2021 Jan Grulich - 1.11.0-11 - Enable old vncserver script for RHEL 9