Fix use after free related to CVE-2024-21886 Resolves: RHEL-20389

Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
Resolves: RHEL-20389 Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent Resolves: RHEL-20383 Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access Resolves: RHEL-20533 Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer Resolves: RHEL-21213
2024-02-08 04:59:25 +00:00 · 2024-01-22 10:28:43 +01:00
5 changed files with 72 additions and 108 deletions
--- a/.tigervnc.metadata
+++ b/.tigervnc.metadata
@ -0,0 +1 @@
+6f7a23f14833f552c88523da1a5e102f3b8d35c2 tigervnc-1.13.1.tar.gz
--- a/tigervnc-dont-get-pointer-position-for-floating-device.patch
+++ b/tigervnc-dont-get-pointer-position-for-floating-device.patch
@ -0,0 +1,13 @@
+diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c
+index b3d0926d..d36a096f 100644
+--- a/unix/xserver/hw/vnc/vncInput.c
+++ b/unix/xserver/hw/vnc/vncInput.c
+@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y)
+ 
+ void vncGetPointerPos(int *x, int *y)
+ {
+-	if (vncPointerDev != NULL) {
+	if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) {
+ 		ScreenPtr ptrScreen;
+ 
+ 		miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY);
--- a/tigervnc.spec
+++ b/tigervnc.spec
@ -5,7 +5,7 @@

 Name:           tigervnc
 Version:        1.13.1
-Release:        6%{?dist}
+Release:        8%{?dist}
 Summary:        A TigerVNC remote display system

 %global _hardened_build 1
@ -29,13 +29,18 @@ Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch
 Patch50:        tigervnc-support-username-alias-in-plainusers.patch
 Patch51:        tigervnc-use-dup-to-get-available-fd-for-inetd.patch

+# Upstreamable patches
+Patch80:        tigervnc-dont-get-pointer-position-for-floating-device.patch
+
 # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
 Patch100:       tigervnc-xserver120.patch
 # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
 Patch101:       0001-rpath-hack.patch

-# Xorg backports
-Patch300:       xorg-rename-boolean-config-value-field-from-bool-to-boolean.patch
+# XServer patches
+# CVE-2024-0229
+# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1251
+Patch200:       xorg-CVE-2024-0229-followup.patch

 BuildRequires:  make
 BuildRequires:  gcc-c++
@ -185,7 +190,7 @@ for all in `find . -type f -perm -001`; do
 done
 %patch100 -p1 -b .xserver120-rebased
 %patch101 -p1 -b .rpath
-%patch300 -p1 -b .xorg-rename-boolean-config-value-field-from-bool-to-boolean
+%patch200 -p1 -b .xorg-CVE-2024-0229-followup
 popd

 %patch1 -p1 -b .use-gnome-as-default-session
@ -195,6 +200,9 @@ popd
 %patch50 -p1 -b .support-username-alias-in-plainusers
 %patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd

+# Upstreamable patches
+%patch80 -p1 -b .dont-get-pointer-position-for-floating-device
+
 %build
 %ifarch sparcv9 sparc64 s390 s390x
 export CFLAGS="$RPM_OPT_FLAGS -fPIC"
@ -376,6 +384,20 @@ fi
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}

 %changelog
+* Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8
+- Fix copy/paste error in the DeviceStateNotify
+  Resolves: RHEL-20533
+
+* Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
+- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
+  Resolves: RHEL-20389
+- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
+  Resolves: RHEL-20383
+- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
+  Resolves: RHEL-20533
+- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
+  Resolves: RHEL-21213
+
 * Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6
 - Use dup() to get available file descriptor when using -inetd option
  Resolves: RHEL-19858
--- a/xorg-CVE-2024-0229-followup.patch
+++ b/xorg-CVE-2024-0229-followup.patch
@ -0,0 +1,32 @@
+From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 22 Jan 2024 14:22:12 +1000
+Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
+ event
+
+Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
+---
+ dix/enterleave.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 7b7ba1098b..c1e6ac600e 100644
+--- a/dix/enterleave.c
+++ b/dix/enterleave.c
+@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+     ev->first_valuator = first;
+     switch (ev->num_valuators) {
+     case 6:
+-        ev->valuator2 = v->axisVal[first + 5];
+        ev->valuator5 = v->axisVal[first + 5];
+     case 5:
+-        ev->valuator2 = v->axisVal[first + 4];
+        ev->valuator4 = v->axisVal[first + 4];
+     case 4:
+-        ev->valuator2 = v->axisVal[first + 3];
+        ev->valuator3 = v->axisVal[first + 3];
+     case 3:
+         ev->valuator2 = v->axisVal[first + 2];
+     case 2:
+--
+GitLab
--- a/xorg-rename-boolean-config-value-field-from-bool-to-boolean.patch
+++ b/xorg-rename-boolean-config-value-field-from-bool-to-boolean.patch
@ -1,104 +0,0 @@
-From 454b3a826edb5fc6d0fea3a9cfd1a5e8fc568747 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 22 Jul 2019 13:51:06 -0400
-Subject: [PATCH] hw: Rename boolean config value field from bool to boolean
-
-"bool" conflicts with C++ (meh) and stdbool.h (ngh alright fine). This
-is a driver-visible change and will likely break the build for mach64,
-but it can be fixed by simply using xf86ReturnOptValBool like every
-other driver.
-
-Signed-off-by: Adam Jackson <ajax@redhat.com>
---
- hw/xfree86/common/xf86Opt.h    |  2 +-
- hw/xfree86/common/xf86Option.c | 10 +++++-----
- hw/xwin/winconfig.c            | 22 +++++++++++-----------
- hw/xwin/winconfig.h            |  2 +-
- 4 files changed, 18 insertions(+), 18 deletions(-)
-
-diff --git a/hw/xfree86/common/xf86Opt.h b/hw/xfree86/common/xf86Opt.h
-index 3be2a0fc7e..3046fbd417 100644
--- a/hw/xfree86/common/xf86Opt.h
-+++ b/hw/xfree86/common/xf86Opt.h
-@@ -41,7 +41,7 @@ typedef union {
-     unsigned long num;
-     const char *str;
-     double realnum;
-    Bool bool;
-+    Bool boolean;
-     OptFrequency freq;
- } ValueUnion;
-
-diff --git a/hw/xwin/winconfig.c b/hw/xwin/winconfig.c
-index 31894d2fb0..646d690062 100644
--- a/hw/xwin/winconfig.c
-+++ b/hw/xwin/winconfig.c
-@@ -623,7 +623,7 @@ winSetBoolOption(void *optlist, const char *name, int deflt)
-     o.name = name;
-     o.type = OPTV_BOOLEAN;
-     if (ParseOptionValue(-1, optlist, &o))
-        deflt = o.value.bool;
-+        deflt = o.value.boolean;
-     return deflt;
- }
-
-@@ -918,7 +918,7 @@ ParseOptionValue(int scrnIndex, void *options, OptionInfoPtr p)
-         }
-         if ((s = winFindOptionValue(options, newn)) != NULL) {
-             if (GetBoolValue(&opt, s)) {
-                p->value.bool = !opt.value.bool;
-+                p->value.boolean = !opt.value.boolean;
-                 p->found = TRUE;
-             }
-             else {
-@@ -968,25 +968,25 @@ static Bool
- GetBoolValue(OptionInfoPtr p, const char *s)
- {
-     if (*s == 0) {
-        p->value.bool = TRUE;
-+        p->value.boolean = TRUE;
-     }
-     else {
-         if (winNameCompare(s, "1") == 0)
-            p->value.bool = TRUE;
-+            p->value.boolean = TRUE;
-         else if (winNameCompare(s, "on") == 0)
-            p->value.bool = TRUE;
-+            p->value.boolean = TRUE;
-         else if (winNameCompare(s, "true") == 0)
-            p->value.bool = TRUE;
-+            p->value.boolean = TRUE;
-         else if (winNameCompare(s, "yes") == 0)
-            p->value.bool = TRUE;
-+            p->value.boolean = TRUE;
-         else if (winNameCompare(s, "0") == 0)
-            p->value.bool = FALSE;
-+            p->value.boolean = FALSE;
-         else if (winNameCompare(s, "off") == 0)
-            p->value.bool = FALSE;
-+            p->value.boolean = FALSE;
-         else if (winNameCompare(s, "false") == 0)
-            p->value.bool = FALSE;
-+            p->value.boolean = FALSE;
-         else if (winNameCompare(s, "no") == 0)
-            p->value.bool = FALSE;
-+            p->value.boolean = FALSE;
-     }
-     return TRUE;
- }
-diff --git a/hw/xwin/winconfig.h b/hw/xwin/winconfig.h
-index f079368c7c..bd1f596509 100644
--- a/hw/xwin/winconfig.h
-+++ b/hw/xwin/winconfig.h
-@@ -199,7 +199,7 @@ typedef union {
-     unsigned long num;
-     char *str;
-     double realnum;
-    Bool bool;
-+    Bool boolean;
-     OptFrequency freq;
- } ValueUnion;
-
--
-GitLab
-
				`@ -0,0 +1 @@`
				`6f7a23f14833f552c88523da1a5e102f3b8d35c2 tigervnc-1.13.1.tar.gz`