Compare commits
No commits in common. "a9" and "c8" have entirely different histories.
@ -12,7 +12,7 @@
|
|||||||
#EndSection
|
#EndSection
|
||||||
|
|
||||||
#Section "Screen"
|
#Section "Screen"
|
||||||
# Identifier "Screen0
|
# Identifier "Screen0"
|
||||||
# DefaultDepth 16
|
# DefaultDepth 16
|
||||||
# Option "SecurityTypes" "VncAuth"
|
# Option "SecurityTypes" "VncAuth"
|
||||||
# Option "PasswordFile" "/root/.vnc/passwd"
|
# Option "PasswordFile" "/root/.vnc/passwd"
|
||||||
|
@ -1,80 +0,0 @@
|
|||||||
From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Date: Tue, 3 Oct 2023 11:53:05 +1000
|
|
||||||
Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
|
|
||||||
|
|
||||||
The handling of appending/prepending properties was incorrect, with at
|
|
||||||
least two bugs: the property length was set to the length of the new
|
|
||||||
part only, i.e. appending or prepending N elements to a property with P
|
|
||||||
existing elements always resulted in the property having N elements
|
|
||||||
instead of N + P.
|
|
||||||
|
|
||||||
Second, when pre-pending a value to a property, the offset for the old
|
|
||||||
values was incorrect, leaving the new property with potentially
|
|
||||||
uninitalized values and/or resulting in OOB memory writes.
|
|
||||||
For example, prepending a 3 element value to a 5 element property would
|
|
||||||
result in this 8 value array:
|
|
||||||
[N, N, N, ?, ?, P, P, P ] P, P
|
|
||||||
^OOB write
|
|
||||||
|
|
||||||
The XI2 code is a copy/paste of the RandR code, so the bug exists in
|
|
||||||
both.
|
|
||||||
|
|
||||||
CVE-2023-5367, ZDI-CAN-22153
|
|
||||||
|
|
||||||
This vulnerability was discovered by:
|
|
||||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
||||||
|
|
||||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
---
|
|
||||||
Xi/xiproperty.c | 4 ++--
|
|
||||||
randr/rrproperty.c | 4 ++--
|
|
||||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
|
|
||||||
index 066ba21fba..d315f04d0e 100644
|
|
||||||
--- a/Xi/xiproperty.c
|
|
||||||
+++ b/Xi/xiproperty.c
|
|
||||||
@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
|
|
||||||
XIDestroyDeviceProperty(prop);
|
|
||||||
return BadAlloc;
|
|
||||||
}
|
|
||||||
- new_value.size = len;
|
|
||||||
+ new_value.size = total_len;
|
|
||||||
new_value.type = type;
|
|
||||||
new_value.format = format;
|
|
||||||
|
|
||||||
@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
|
|
||||||
case PropModePrepend:
|
|
||||||
new_data = new_value.data;
|
|
||||||
old_data = (void *) (((char *) new_value.data) +
|
|
||||||
- (prop_value->size * size_in_bytes));
|
|
||||||
+ (len * size_in_bytes));
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if (new_data)
|
|
||||||
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
|
|
||||||
index c2fb9585c6..25469f57b2 100644
|
|
||||||
--- a/randr/rrproperty.c
|
|
||||||
+++ b/randr/rrproperty.c
|
|
||||||
@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
|
|
||||||
RRDestroyOutputProperty(prop);
|
|
||||||
return BadAlloc;
|
|
||||||
}
|
|
||||||
- new_value.size = len;
|
|
||||||
+ new_value.size = total_len;
|
|
||||||
new_value.type = type;
|
|
||||||
new_value.format = format;
|
|
||||||
|
|
||||||
@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
|
|
||||||
case PropModePrepend:
|
|
||||||
new_data = new_value.data;
|
|
||||||
old_data = (void *) (((char *) new_value.data) +
|
|
||||||
- (prop_value->size * size_in_bytes));
|
|
||||||
+ (len * size_in_bytes));
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if (new_data)
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
@ -1,98 +0,0 @@
|
|||||||
From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Date: Thu, 5 Oct 2023 12:19:45 +1000
|
|
||||||
Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
|
|
||||||
|
|
||||||
PointerWindows[] keeps a reference to the last window our sprite
|
|
||||||
entered - changes are usually handled by CheckMotion().
|
|
||||||
|
|
||||||
If we switch between screens via XWarpPointer our
|
|
||||||
dev->spriteInfo->sprite->win is set to the new screen's root window.
|
|
||||||
If there's another window at the cursor location CheckMotion() will
|
|
||||||
trigger the right enter/leave events later. If there is not, it skips
|
|
||||||
that process and we never trigger LeaveWindow() - PointerWindows[] for
|
|
||||||
the device still refers to the previous window.
|
|
||||||
|
|
||||||
If that window is destroyed we have a dangling reference that will
|
|
||||||
eventually cause a use-after-free bug when checking the window hierarchy
|
|
||||||
later.
|
|
||||||
|
|
||||||
To trigger this, we require:
|
|
||||||
- two protocol screens
|
|
||||||
- XWarpPointer to the other screen's root window
|
|
||||||
- XDestroyWindow before entering any other window
|
|
||||||
|
|
||||||
This is a niche bug so we hack around it by making sure we reset the
|
|
||||||
PointerWindows[] entry so we cannot have a dangling pointer. This
|
|
||||||
doesn't handle Enter/Leave events correctly but the previous code didn't
|
|
||||||
either.
|
|
||||||
|
|
||||||
CVE-2023-5380, ZDI-CAN-21608
|
|
||||||
|
|
||||||
This vulnerability was discovered by:
|
|
||||||
Sri working with Trend Micro Zero Day Initiative
|
|
||||||
|
|
||||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
|
||||||
---
|
|
||||||
dix/enterleave.h | 2 --
|
|
||||||
include/eventstr.h | 3 +++
|
|
||||||
mi/mipointer.c | 17 +++++++++++++++--
|
|
||||||
3 files changed, 18 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/dix/enterleave.h b/dix/enterleave.h
|
|
||||||
index 4b833d8a3b..e8af924c68 100644
|
|
||||||
--- a/dix/enterleave.h
|
|
||||||
+++ b/dix/enterleave.h
|
|
||||||
@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
|
|
||||||
|
|
||||||
extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
|
|
||||||
|
|
||||||
-extern void LeaveWindow(DeviceIntPtr dev);
|
|
||||||
-
|
|
||||||
extern void CoreFocusEvent(DeviceIntPtr kbd,
|
|
||||||
int type, int mode, int detail, WindowPtr pWin);
|
|
||||||
|
|
||||||
diff --git a/include/eventstr.h b/include/eventstr.h
|
|
||||||
index 93308f9b24..a9926eaeef 100644
|
|
||||||
--- a/include/eventstr.h
|
|
||||||
+++ b/include/eventstr.h
|
|
||||||
@@ -296,4 +296,7 @@ union _InternalEvent {
|
|
||||||
#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
+extern void
|
|
||||||
+LeaveWindow(DeviceIntPtr dev);
|
|
||||||
+
|
|
||||||
#endif
|
|
||||||
diff --git a/mi/mipointer.c b/mi/mipointer.c
|
|
||||||
index a638f25d4a..8cf0035140 100644
|
|
||||||
--- a/mi/mipointer.c
|
|
||||||
+++ b/mi/mipointer.c
|
|
||||||
@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
|
|
||||||
#ifdef PANORAMIX
|
|
||||||
&& noPanoramiXExtension
|
|
||||||
#endif
|
|
||||||
- )
|
|
||||||
- UpdateSpriteForScreen(pDev, pScreen);
|
|
||||||
+ ) {
|
|
||||||
+ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
|
|
||||||
+ /* Hack for CVE-2023-5380: if we're moving
|
|
||||||
+ * screens PointerWindows[] keeps referring to the
|
|
||||||
+ * old window. If that gets destroyed we have a UAF
|
|
||||||
+ * bug later. Only happens when jumping from a window
|
|
||||||
+ * to the root window on the other screen.
|
|
||||||
+ * Enter/Leave events are incorrect for that case but
|
|
||||||
+ * too niche to fix.
|
|
||||||
+ */
|
|
||||||
+ LeaveWindow(pDev);
|
|
||||||
+ if (master)
|
|
||||||
+ LeaveWindow(master);
|
|
||||||
+ UpdateSpriteForScreen(pDev, pScreen);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
@ -1,74 +0,0 @@
|
|||||||
From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Date: Tue, 28 Nov 2023 15:19:04 +1000
|
|
||||||
Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
|
|
||||||
|
|
||||||
button->xkb_acts is supposed to be an array sufficiently large for all
|
|
||||||
our buttons, not just a single XkbActions struct. Allocating
|
|
||||||
insufficient memory here means when we memcpy() later in
|
|
||||||
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
|
|
||||||
leading to the usual security ooopsiedaisies.
|
|
||||||
|
|
||||||
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
|
|
||||||
|
|
||||||
This vulnerability was discovered by:
|
|
||||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
||||||
---
|
|
||||||
Xi/exevents.c | 12 ++++++------
|
|
||||||
dix/devices.c | 10 ++++++++++
|
|
||||||
2 files changed, 16 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Xi/exevents.c b/Xi/exevents.c
|
|
||||||
index dcd4efb3bc..54ea11a938 100644
|
|
||||||
--- a/Xi/exevents.c
|
|
||||||
+++ b/Xi/exevents.c
|
|
||||||
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (from->button->xkb_acts) {
|
|
||||||
- if (!to->button->xkb_acts) {
|
|
||||||
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
|
|
||||||
- if (!to->button->xkb_acts)
|
|
||||||
- FatalError("[Xi] not enough memory for xkb_acts.\n");
|
|
||||||
- }
|
|
||||||
+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
|
|
||||||
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
|
|
||||||
+ maxbuttons,
|
|
||||||
+ sizeof(XkbAction));
|
|
||||||
+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
|
|
||||||
memcpy(to->button->xkb_acts, from->button->xkb_acts,
|
|
||||||
- sizeof(XkbAction));
|
|
||||||
+ from->button->numButtons * sizeof(XkbAction));
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
free(to->button->xkb_acts);
|
|
||||||
diff --git a/dix/devices.c b/dix/devices.c
|
|
||||||
index b063128df0..3f3224d626 100644
|
|
||||||
--- a/dix/devices.c
|
|
||||||
+++ b/dix/devices.c
|
|
||||||
@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
|
||||||
|
|
||||||
if (master->button && master->button->numButtons != maxbuttons) {
|
|
||||||
int i;
|
|
||||||
+ int last_num_buttons = master->button->numButtons;
|
|
||||||
+
|
|
||||||
DeviceChangedEvent event = {
|
|
||||||
.header = ET_Internal,
|
|
||||||
.type = ET_DeviceChanged,
|
|
||||||
@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
|
||||||
};
|
|
||||||
|
|
||||||
master->button->numButtons = maxbuttons;
|
|
||||||
+ if (last_num_buttons < maxbuttons) {
|
|
||||||
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
|
|
||||||
+ maxbuttons,
|
|
||||||
+ sizeof(XkbAction));
|
|
||||||
+ memset(&master->button->xkb_acts[last_num_buttons],
|
|
||||||
+ 0,
|
|
||||||
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
|
|
||||||
+ }
|
|
||||||
|
|
||||||
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
|
|
||||||
sizeof(Atom));
|
|
||||||
--
|
|
||||||
GitLab
|
|
@ -1,59 +0,0 @@
|
|||||||
From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Date: Mon, 27 Nov 2023 16:27:49 +1000
|
|
||||||
Subject: [PATCH] randr: avoid integer truncation in length check of
|
|
||||||
ProcRRChange*Property
|
|
||||||
|
|
||||||
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
|
|
||||||
See also xserver@8f454b79 where this same bug was fixed for the core
|
|
||||||
protocol and XI.
|
|
||||||
|
|
||||||
This fixes an OOB read and the resulting information disclosure.
|
|
||||||
|
|
||||||
Length calculation for the request was clipped to a 32-bit integer. With
|
|
||||||
the correct stuff->nUnits value the expected request size was
|
|
||||||
truncated, passing the REQUEST_FIXED_SIZE check.
|
|
||||||
|
|
||||||
The server then proceeded with reading at least stuff->num_items bytes
|
|
||||||
(depending on stuff->format) from the request and stuffing whatever it
|
|
||||||
finds into the property. In the process it would also allocate at least
|
|
||||||
stuff->nUnits bytes, i.e. 4GB.
|
|
||||||
|
|
||||||
CVE-2023-6478, ZDI-CAN-22561
|
|
||||||
|
|
||||||
This vulnerability was discovered by:
|
|
||||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
||||||
---
|
|
||||||
randr/rrproperty.c | 2 +-
|
|
||||||
randr/rrproviderproperty.c | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
|
|
||||||
index 25469f57b2..c4fef8a1f6 100644
|
|
||||||
--- a/randr/rrproperty.c
|
|
||||||
+++ b/randr/rrproperty.c
|
|
||||||
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
|
|
||||||
char format, mode;
|
|
||||||
unsigned long len;
|
|
||||||
int sizeInBytes;
|
|
||||||
- int totalSize;
|
|
||||||
+ uint64_t totalSize;
|
|
||||||
int err;
|
|
||||||
|
|
||||||
REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
|
|
||||||
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
|
|
||||||
index b79c17f9bf..90c5a9a933 100644
|
|
||||||
--- a/randr/rrproviderproperty.c
|
|
||||||
+++ b/randr/rrproviderproperty.c
|
|
||||||
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
|
|
||||||
char format, mode;
|
|
||||||
unsigned long len;
|
|
||||||
int sizeInBytes;
|
|
||||||
- int totalSize;
|
|
||||||
+ uint64_t totalSize;
|
|
||||||
int err;
|
|
||||||
|
|
||||||
REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
@ -1,51 +0,0 @@
|
|||||||
From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Date: Thu, 14 Dec 2023 11:29:49 +1000
|
|
||||||
Subject: [PATCH] dix: allocate enough space for logical button maps
|
|
||||||
|
|
||||||
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
|
|
||||||
each logical button currently down. Since buttons can be arbitrarily mapped
|
|
||||||
to anything up to 255 make sure we have enough bits for the maximum mapping.
|
|
||||||
|
|
||||||
CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
|
|
||||||
|
|
||||||
This vulnerability was discovered by:
|
|
||||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
||||||
---
|
|
||||||
Xi/xiquerypointer.c | 3 +--
|
|
||||||
dix/enterleave.c | 5 +++--
|
|
||||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
|
|
||||||
index 5b77b1a444..2b05ac5f39 100644
|
|
||||||
--- a/Xi/xiquerypointer.c
|
|
||||||
+++ b/Xi/xiquerypointer.c
|
|
||||||
@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
|
|
||||||
if (pDev->button) {
|
|
||||||
int i;
|
|
||||||
|
|
||||||
- rep.buttons_len =
|
|
||||||
- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
|
|
||||||
+ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
|
|
||||||
rep.length += rep.buttons_len;
|
|
||||||
buttons = calloc(rep.buttons_len, 4);
|
|
||||||
if (!buttons)
|
|
||||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
|
||||||
index 867ec74363..ded8679d76 100644
|
|
||||||
--- a/dix/enterleave.c
|
|
||||||
+++ b/dix/enterleave.c
|
|
||||||
@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
|
|
||||||
|
|
||||||
mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
|
|
||||||
|
|
||||||
- /* XI 2 event */
|
|
||||||
- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
|
|
||||||
+ /* XI 2 event contains the logical button map - maps are CARD8
|
|
||||||
+ * so we need 256 bits for the possibly maximum mapping */
|
|
||||||
+ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
|
|
||||||
btlen = bytes_to_int32(btlen);
|
|
||||||
len = sizeof(xXIFocusInEvent) + btlen * 4;
|
|
||||||
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
@ -1,83 +0,0 @@
|
|||||||
From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Date: Mon, 18 Dec 2023 14:27:50 +1000
|
|
||||||
Subject: [PATCH 2/9] dix: Allocate sufficient xEvents for our
|
|
||||||
DeviceStateNotify
|
|
||||||
|
|
||||||
If a device has both a button class and a key class and numButtons is
|
|
||||||
zero, we can get an OOB write due to event under-allocation.
|
|
||||||
|
|
||||||
This function seems to assume a device has either keys or buttons, not
|
|
||||||
both. It has two virtually identical code paths, both of which assume
|
|
||||||
they're applying to the first event in the sequence.
|
|
||||||
|
|
||||||
A device with both a key and button class triggered a logic bug - only
|
|
||||||
one xEvent was allocated but the deviceStateNotify pointer was pushed on
|
|
||||||
once per type. So effectively this logic code:
|
|
||||||
|
|
||||||
int count = 1;
|
|
||||||
if (button && nbuttons > 32) count++;
|
|
||||||
if (key && nbuttons > 0) count++;
|
|
||||||
if (key && nkeys > 32) count++; // this is basically always true
|
|
||||||
// count is at 2 for our keys + zero button device
|
|
||||||
|
|
||||||
ev = alloc(count * sizeof(xEvent));
|
|
||||||
FixDeviceStateNotify(ev);
|
|
||||||
if (button)
|
|
||||||
FixDeviceStateNotify(ev++);
|
|
||||||
if (key)
|
|
||||||
FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here
|
|
||||||
|
|
||||||
If the device has more than 3 valuators, the OOB is pushed back - we're
|
|
||||||
off by one so it will happen when the last deviceValuator event is
|
|
||||||
written instead.
|
|
||||||
|
|
||||||
Fix this by allocating the maximum number of events we may allocate.
|
|
||||||
Note that the current behavior is not protocol-correct anyway, this
|
|
||||||
patch fixes only the allocation issue.
|
|
||||||
|
|
||||||
Note that this issue does not trigger if the device has at least one
|
|
||||||
button. While the server does not prevent a button class with zero
|
|
||||||
buttons, it is very unlikely.
|
|
||||||
|
|
||||||
CVE-2024-0229, ZDI-CAN-22678
|
|
||||||
|
|
||||||
This vulnerability was discovered by:
|
|
||||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
||||||
---
|
|
||||||
dix/enterleave.c | 6 +++---
|
|
||||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
|
||||||
index ded8679d76..17964b00a4 100644
|
|
||||||
--- a/dix/enterleave.c
|
|
||||||
+++ b/dix/enterleave.c
|
|
||||||
@@ -675,7 +675,8 @@ static void
|
|
||||||
DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
|
||||||
{
|
|
||||||
int evcount = 1;
|
|
||||||
- deviceStateNotify *ev, *sev;
|
|
||||||
+ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
|
|
||||||
+ deviceStateNotify *ev;
|
|
||||||
deviceKeyStateNotify *kev;
|
|
||||||
deviceButtonStateNotify *bev;
|
|
||||||
|
|
||||||
@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- sev = ev = xallocarray(evcount, sizeof(xEvent));
|
|
||||||
+ ev = sev;
|
|
||||||
FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
|
|
||||||
|
|
||||||
if (b != NULL) {
|
|
||||||
@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
|
||||||
|
|
||||||
DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
|
|
||||||
DeviceStateNotifyMask, NullGrab);
|
|
||||||
- free(sev);
|
|
||||||
}
|
|
||||||
|
|
||||||
void
|
|
||||||
--
|
|
||||||
GitLab
|
|
@ -1,216 +0,0 @@
|
|||||||
From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Date: Mon, 18 Dec 2023 12:26:20 +1000
|
|
||||||
Subject: [PATCH 3/9] dix: fix DeviceStateNotify event calculation
|
|
||||||
|
|
||||||
The previous code only made sense if one considers buttons and keys to
|
|
||||||
be mutually exclusive on a device. That is not necessarily true, causing
|
|
||||||
a number of issues.
|
|
||||||
|
|
||||||
This function allocates and fills in the number of xEvents we need to
|
|
||||||
send the device state down the wire. This is split across multiple
|
|
||||||
32-byte devices including one deviceStateNotify event and optional
|
|
||||||
deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
|
|
||||||
deviceValuator events.
|
|
||||||
|
|
||||||
The previous behavior would instead compose a sequence
|
|
||||||
of [state, buttonstate, state, keystate, valuator...]. This is not
|
|
||||||
protocol correct, and on top of that made the code extremely convoluted.
|
|
||||||
|
|
||||||
Fix this by streamlining: add both button and key into the deviceStateNotify
|
|
||||||
and then append the key state and button state, followed by the
|
|
||||||
valuators. Finally, the deviceValuator events contain up to 6 valuators
|
|
||||||
per event but we only ever sent through 3 at a time. Let's double that
|
|
||||||
troughput.
|
|
||||||
|
|
||||||
CVE-2024-0229, ZDI-CAN-22678
|
|
||||||
|
|
||||||
This vulnerability was discovered by:
|
|
||||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
||||||
---
|
|
||||||
dix/enterleave.c | 121 ++++++++++++++++++++---------------------------
|
|
||||||
1 file changed, 52 insertions(+), 69 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
|
||||||
index 17964b00a4..7b7ba1098b 100644
|
|
||||||
--- a/dix/enterleave.c
|
|
||||||
+++ b/dix/enterleave.c
|
|
||||||
@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
|
|
||||||
|
|
||||||
ev->type = DeviceValuator;
|
|
||||||
ev->deviceid = dev->id;
|
|
||||||
- ev->num_valuators = nval < 3 ? nval : 3;
|
|
||||||
+ ev->num_valuators = nval < 6 ? nval : 6;
|
|
||||||
ev->first_valuator = first;
|
|
||||||
switch (ev->num_valuators) {
|
|
||||||
+ case 6:
|
|
||||||
+ ev->valuator2 = v->axisVal[first + 5];
|
|
||||||
+ case 5:
|
|
||||||
+ ev->valuator2 = v->axisVal[first + 4];
|
|
||||||
+ case 4:
|
|
||||||
+ ev->valuator2 = v->axisVal[first + 3];
|
|
||||||
case 3:
|
|
||||||
ev->valuator2 = v->axisVal[first + 2];
|
|
||||||
case 2:
|
|
||||||
@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
|
|
||||||
ev->valuator0 = v->axisVal[first];
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
- first += ev->num_valuators;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
|
|
||||||
ev->num_buttons = b->numButtons;
|
|
||||||
memcpy((char *) ev->buttons, (char *) b->down, 4);
|
|
||||||
}
|
|
||||||
- else if (k) {
|
|
||||||
+ if (k) {
|
|
||||||
ev->classes_reported |= (1 << KeyClass);
|
|
||||||
ev->num_keys = k->xkbInfo->desc->max_key_code -
|
|
||||||
k->xkbInfo->desc->min_key_code;
|
|
||||||
@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-
|
|
||||||
+/**
|
|
||||||
+ * The device state notify event is split across multiple 32-byte events.
|
|
||||||
+ * The first one contains the first 32 button state bits, the first 32
|
|
||||||
+ * key state bits, and the first 3 valuator values.
|
|
||||||
+ *
|
|
||||||
+ * If a device has more than that, the server sends out:
|
|
||||||
+ * - one deviceButtonStateNotify for buttons 32 and above
|
|
||||||
+ * - one deviceKeyStateNotify for keys 32 and above
|
|
||||||
+ * - one deviceValuator event per 6 valuators above valuator 4
|
|
||||||
+ *
|
|
||||||
+ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
|
|
||||||
+ */
|
|
||||||
static void
|
|
||||||
DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
|
||||||
{
|
|
||||||
+ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
|
|
||||||
+ * and one deviceValuator for each 6 valuators */
|
|
||||||
+ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
|
|
||||||
int evcount = 1;
|
|
||||||
- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
|
|
||||||
- deviceStateNotify *ev;
|
|
||||||
- deviceKeyStateNotify *kev;
|
|
||||||
- deviceButtonStateNotify *bev;
|
|
||||||
+ deviceStateNotify *ev = sev;
|
|
||||||
|
|
||||||
KeyClassPtr k;
|
|
||||||
ButtonClassPtr b;
|
|
||||||
@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
|
||||||
|
|
||||||
if ((b = dev->button) != NULL) {
|
|
||||||
nbuttons = b->numButtons;
|
|
||||||
- if (nbuttons > 32)
|
|
||||||
+ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
|
|
||||||
evcount++;
|
|
||||||
}
|
|
||||||
if ((k = dev->key) != NULL) {
|
|
||||||
nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
|
|
||||||
- if (nkeys > 32)
|
|
||||||
+ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
|
|
||||||
evcount++;
|
|
||||||
- if (nbuttons > 0) {
|
|
||||||
- evcount++;
|
|
||||||
- }
|
|
||||||
}
|
|
||||||
if ((v = dev->valuator) != NULL) {
|
|
||||||
nval = v->numAxes;
|
|
||||||
-
|
|
||||||
- if (nval > 3)
|
|
||||||
- evcount++;
|
|
||||||
- if (nval > 6) {
|
|
||||||
- if (!(k && b))
|
|
||||||
- evcount++;
|
|
||||||
- if (nval > 9)
|
|
||||||
- evcount += ((nval - 7) / 3);
|
|
||||||
- }
|
|
||||||
+ /* first three are encoded in deviceStateNotify, then
|
|
||||||
+ * it's 6 per deviceValuator event */
|
|
||||||
+ evcount += ((nval - 3) + 6)/6;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ev = sev;
|
|
||||||
- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
|
|
||||||
-
|
|
||||||
- if (b != NULL) {
|
|
||||||
- FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
|
|
||||||
- first += 3;
|
|
||||||
- nval -= 3;
|
|
||||||
- if (nbuttons > 32) {
|
|
||||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
|
||||||
- bev = (deviceButtonStateNotify *) ev++;
|
|
||||||
- bev->type = DeviceButtonStateNotify;
|
|
||||||
- bev->deviceid = dev->id;
|
|
||||||
- memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
|
|
||||||
- DOWN_LENGTH - 4);
|
|
||||||
- }
|
|
||||||
- if (nval > 0) {
|
|
||||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
|
||||||
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
|
|
||||||
- first += 3;
|
|
||||||
- nval -= 3;
|
|
||||||
- }
|
|
||||||
+ BUG_RETURN(evcount <= ARRAY_SIZE(sev));
|
|
||||||
+
|
|
||||||
+ FixDeviceStateNotify(dev, ev, k, b, v, first);
|
|
||||||
+
|
|
||||||
+ if (b != NULL && nbuttons > 32) {
|
|
||||||
+ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev;
|
|
||||||
+ (ev - 1)->deviceid |= MORE_EVENTS;
|
|
||||||
+ bev->type = DeviceButtonStateNotify;
|
|
||||||
+ bev->deviceid = dev->id;
|
|
||||||
+ memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
|
|
||||||
+ DOWN_LENGTH - 4);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (k != NULL) {
|
|
||||||
- FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
|
|
||||||
- first += 3;
|
|
||||||
- nval -= 3;
|
|
||||||
- if (nkeys > 32) {
|
|
||||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
|
||||||
- kev = (deviceKeyStateNotify *) ev++;
|
|
||||||
- kev->type = DeviceKeyStateNotify;
|
|
||||||
- kev->deviceid = dev->id;
|
|
||||||
- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
|
|
||||||
- }
|
|
||||||
- if (nval > 0) {
|
|
||||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
|
||||||
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
|
|
||||||
- first += 3;
|
|
||||||
- nval -= 3;
|
|
||||||
- }
|
|
||||||
+ if (k != NULL && nkeys > 32) {
|
|
||||||
+ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev;
|
|
||||||
+ (ev - 1)->deviceid |= MORE_EVENTS;
|
|
||||||
+ kev->type = DeviceKeyStateNotify;
|
|
||||||
+ kev->deviceid = dev->id;
|
|
||||||
+ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ first = 3;
|
|
||||||
+ nval -= 3;
|
|
||||||
while (nval > 0) {
|
|
||||||
- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
|
|
||||||
- first += 3;
|
|
||||||
- nval -= 3;
|
|
||||||
- if (nval > 0) {
|
|
||||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
|
||||||
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
|
|
||||||
- first += 3;
|
|
||||||
- nval -= 3;
|
|
||||||
- }
|
|
||||||
+ ev->deviceid |= MORE_EVENTS;
|
|
||||||
+ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
|
|
||||||
+ first += 6;
|
|
||||||
+ nval -= 6;
|
|
||||||
}
|
|
||||||
|
|
||||||
DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
|
|
||||||
--
|
|
||||||
GitLab
|
|
@ -1,36 +0,0 @@
|
|||||||
From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Date: Thu, 21 Dec 2023 13:48:10 +1000
|
|
||||||
Subject: [PATCH 4/9] Xi: when creating a new ButtonClass, set the number of
|
|
||||||
buttons
|
|
||||||
|
|
||||||
There's a racy sequence where a master device may copy the button class
|
|
||||||
from the slave, without ever initializing numButtons. This leads to a
|
|
||||||
device with zero buttons but a button class which is invalid.
|
|
||||||
|
|
||||||
Let's copy the numButtons value from the source - by definition if we
|
|
||||||
don't have a button class yet we do not have any other slave devices
|
|
||||||
with more than this number of buttons anyway.
|
|
||||||
|
|
||||||
CVE-2024-0229, ZDI-CAN-22678
|
|
||||||
|
|
||||||
This vulnerability was discovered by:
|
|
||||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
||||||
---
|
|
||||||
Xi/exevents.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/Xi/exevents.c b/Xi/exevents.c
|
|
||||||
index 54ea11a938..e161714682 100644
|
|
||||||
--- a/Xi/exevents.c
|
|
||||||
+++ b/Xi/exevents.c
|
|
||||||
@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
|
|
||||||
to->button = calloc(1, sizeof(ButtonClassRec));
|
|
||||||
if (!to->button)
|
|
||||||
FatalError("[Xi] no memory for class shift.\n");
|
|
||||||
+ to->button->numButtons = from->button->numButtons;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
classes->button = NULL;
|
|
||||||
--
|
|
||||||
GitLab
|
|
@ -1,108 +0,0 @@
|
|||||||
From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Date: Thu, 4 Jan 2024 10:01:24 +1000
|
|
||||||
Subject: [PATCH 5/9] Xi: flush hierarchy events after adding/removing master
|
|
||||||
devices
|
|
||||||
|
|
||||||
The `XISendDeviceHierarchyEvent()` function allocates space to store up
|
|
||||||
to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
|
|
||||||
|
|
||||||
If a device with a given ID was removed and a new device with the same
|
|
||||||
ID added both in the same operation, the single device ID will lead to
|
|
||||||
two info structures being written to `info`.
|
|
||||||
|
|
||||||
Since this case can occur for every device ID at once, a total of two
|
|
||||||
times `MAXDEVICES` info structures might be written to the allocation.
|
|
||||||
|
|
||||||
To avoid it, once one add/remove master is processed, send out the
|
|
||||||
device hierarchy event for the current state and continue. That event
|
|
||||||
thus only ever has exactly one of either added/removed in it (and
|
|
||||||
optionally slave attached/detached).
|
|
||||||
|
|
||||||
CVE-2024-21885, ZDI-CAN-22744
|
|
||||||
|
|
||||||
This vulnerability was discovered by:
|
|
||||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
||||||
---
|
|
||||||
Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++-----
|
|
||||||
1 file changed, 22 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
|
|
||||||
index d2d985848d..72d00451e3 100644
|
|
||||||
--- a/Xi/xichangehierarchy.c
|
|
||||||
+++ b/Xi/xichangehierarchy.c
|
|
||||||
@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
||||||
size_t len; /* length of data remaining in request */
|
|
||||||
int rc = Success;
|
|
||||||
int flags[MAXDEVICES] = { 0 };
|
|
||||||
+ enum {
|
|
||||||
+ NO_CHANGE,
|
|
||||||
+ FLUSH,
|
|
||||||
+ CHANGED,
|
|
||||||
+ } changes = NO_CHANGE;
|
|
||||||
|
|
||||||
REQUEST(xXIChangeHierarchyReq);
|
|
||||||
REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
|
|
||||||
@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
||||||
rc = add_master(client, c, flags);
|
|
||||||
if (rc != Success)
|
|
||||||
goto unwind;
|
|
||||||
- }
|
|
||||||
+ changes = FLUSH;
|
|
||||||
break;
|
|
||||||
+ }
|
|
||||||
case XIRemoveMaster:
|
|
||||||
{
|
|
||||||
xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
|
|
||||||
@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
||||||
rc = remove_master(client, r, flags);
|
|
||||||
if (rc != Success)
|
|
||||||
goto unwind;
|
|
||||||
- }
|
|
||||||
+ changes = FLUSH;
|
|
||||||
break;
|
|
||||||
+ }
|
|
||||||
case XIDetachSlave:
|
|
||||||
{
|
|
||||||
xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
|
|
||||||
@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
||||||
rc = detach_slave(client, c, flags);
|
|
||||||
if (rc != Success)
|
|
||||||
goto unwind;
|
|
||||||
- }
|
|
||||||
+ changes = CHANGED;
|
|
||||||
break;
|
|
||||||
+ }
|
|
||||||
case XIAttachSlave:
|
|
||||||
{
|
|
||||||
xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
|
|
||||||
@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|
||||||
rc = attach_slave(client, c, flags);
|
|
||||||
if (rc != Success)
|
|
||||||
goto unwind;
|
|
||||||
+ changes = CHANGED;
|
|
||||||
+ break;
|
|
||||||
}
|
|
||||||
+ default:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (changes == FLUSH) {
|
|
||||||
+ XISendDeviceHierarchyEvent(flags);
|
|
||||||
+ memset(flags, 0, sizeof(flags));
|
|
||||||
+ changes = NO_CHANGE;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
len -= any->length * 4;
|
|
||||||
any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
|
|
||||||
}
|
|
||||||
|
|
||||||
unwind:
|
|
||||||
-
|
|
||||||
- XISendDeviceHierarchyEvent(flags);
|
|
||||||
+ if (changes != NO_CHANGE)
|
|
||||||
+ XISendDeviceHierarchyEvent(flags);
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
GitLab
|
|
@ -1,69 +0,0 @@
|
|||||||
From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
|
||||||
Date: Fri, 22 Dec 2023 18:28:31 +0100
|
|
||||||
Subject: [PATCH 6/9] Xi: do not keep linked list pointer during recursion
|
|
||||||
|
|
||||||
The `DisableDevice()` function is called whenever an enabled device
|
|
||||||
is disabled and it moves the device from the `inputInfo.devices` linked
|
|
||||||
list to the `inputInfo.off_devices` linked list.
|
|
||||||
|
|
||||||
However, its link/unlink operation has an issue during the recursive
|
|
||||||
call to `DisableDevice()` due to the `prev` pointer pointing to a
|
|
||||||
removed device.
|
|
||||||
|
|
||||||
This issue leads to a length mismatch between the total number of
|
|
||||||
devices and the number of device in the list, leading to a heap
|
|
||||||
overflow and, possibly, to local privilege escalation.
|
|
||||||
|
|
||||||
Simplify the code that checked whether the device passed to
|
|
||||||
`DisableDevice()` was in `inputInfo.devices` or not and find the
|
|
||||||
previous device after the recursion.
|
|
||||||
|
|
||||||
CVE-2024-21886, ZDI-CAN-22840
|
|
||||||
|
|
||||||
This vulnerability was discovered by:
|
|
||||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
||||||
---
|
|
||||||
dix/devices.c | 15 ++++++++++++---
|
|
||||||
1 file changed, 12 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/dix/devices.c b/dix/devices.c
|
|
||||||
index dca98c8d1b..389d28a23c 100644
|
|
||||||
--- a/dix/devices.c
|
|
||||||
+++ b/dix/devices.c
|
|
||||||
@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
|
||||||
{
|
|
||||||
DeviceIntPtr *prev, other;
|
|
||||||
BOOL enabled;
|
|
||||||
+ BOOL dev_in_devices_list = FALSE;
|
|
||||||
int flags[MAXDEVICES] = { 0 };
|
|
||||||
|
|
||||||
if (!dev->enabled)
|
|
||||||
return TRUE;
|
|
||||||
|
|
||||||
- for (prev = &inputInfo.devices;
|
|
||||||
- *prev && (*prev != dev); prev = &(*prev)->next);
|
|
||||||
- if (*prev != dev)
|
|
||||||
+ for (other = inputInfo.devices; other; other = other->next) {
|
|
||||||
+ if (other == dev) {
|
|
||||||
+ dev_in_devices_list = TRUE;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!dev_in_devices_list)
|
|
||||||
return FALSE;
|
|
||||||
|
|
||||||
TouchEndPhysicallyActiveTouches(dev);
|
|
||||||
@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
|
||||||
LeaveWindow(dev);
|
|
||||||
SetFocusOut(dev);
|
|
||||||
|
|
||||||
+ for (prev = &inputInfo.devices;
|
|
||||||
+ *prev && (*prev != dev); prev = &(*prev)->next);
|
|
||||||
+
|
|
||||||
*prev = dev->next;
|
|
||||||
dev->next = inputInfo.off_devices;
|
|
||||||
inputInfo.off_devices = dev;
|
|
||||||
--
|
|
||||||
GitLab
|
|
@ -1,52 +0,0 @@
|
|||||||
From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Date: Fri, 5 Jan 2024 09:40:27 +1000
|
|
||||||
Subject: [PATCH 7/9] dix: when disabling a master, float disabled slaved
|
|
||||||
devices too
|
|
||||||
|
|
||||||
Disabling a master device floats all slave devices but we didn't do this
|
|
||||||
to already-disabled slave devices. As a result those devices kept their
|
|
||||||
reference to the master device resulting in access to already freed
|
|
||||||
memory if the master device was removed before the corresponding slave
|
|
||||||
device.
|
|
||||||
|
|
||||||
And to match this behavior, also forcibly reset that pointer during
|
|
||||||
CloseDownDevices().
|
|
||||||
|
|
||||||
Related to CVE-2024-21886, ZDI-CAN-22840
|
|
||||||
---
|
|
||||||
dix/devices.c | 12 ++++++++++++
|
|
||||||
1 file changed, 12 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/dix/devices.c b/dix/devices.c
|
|
||||||
index 389d28a23c..84a6406d13 100644
|
|
||||||
--- a/dix/devices.c
|
|
||||||
+++ b/dix/devices.c
|
|
||||||
@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
|
||||||
flags[other->id] |= XISlaveDetached;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ for (other = inputInfo.off_devices; other; other = other->next) {
|
|
||||||
+ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
|
|
||||||
+ AttachDevice(NULL, other, NULL);
|
|
||||||
+ flags[other->id] |= XISlaveDetached;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
for (other = inputInfo.devices; other; other = other->next) {
|
|
||||||
@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
|
|
||||||
dev->master = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ for (dev = inputInfo.off_devices; dev; dev = dev->next) {
|
|
||||||
+ if (!IsMaster(dev) && !IsFloating(dev))
|
|
||||||
+ dev->master = NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
CloseDeviceList(&inputInfo.devices);
|
|
||||||
CloseDeviceList(&inputInfo.off_devices);
|
|
||||||
|
|
||||||
--
|
|
||||||
GitLab
|
|
@ -1,77 +0,0 @@
|
|||||||
From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Povilas Kanapickas <povilas@radix.lt>
|
|
||||||
Date: Sun, 19 Dec 2021 18:11:07 +0200
|
|
||||||
Subject: [PATCH] dix: Fix use after free in input device shutdown
|
|
||||||
|
|
||||||
This fixes access to freed heap memory via dev->master. E.g. when
|
|
||||||
running BarrierNotify.ReceivesNotifyEvents/7 test from
|
|
||||||
xorg-integration-tests:
|
|
||||||
|
|
||||||
==24736==ERROR: AddressSanitizer: heap-use-after-free on address
|
|
||||||
0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
|
|
||||||
READ of size 4 at 0x619000065020 thread T0
|
|
||||||
#0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
|
|
||||||
#1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
|
|
||||||
#2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
|
|
||||||
../../../Xi/xichangehierarchy.c:95
|
|
||||||
#4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
|
|
||||||
../../../hw/xfree86/common/xf86Xinput.c:1142
|
|
||||||
#6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
|
|
||||||
#7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
|
|
||||||
#8 0x55c450e837ef in dix_main ../../../dix/main.c:302
|
|
||||||
#9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
|
|
||||||
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
|
|
||||||
#11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)
|
|
||||||
|
|
||||||
0x619000065020 is located 160 bytes inside of 912-byte region
|
|
||||||
[0x619000064f80,0x619000065310)
|
|
||||||
freed by thread T0 here:
|
|
||||||
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
|
|
||||||
#1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
|
|
||||||
#2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
|
|
||||||
../../../hw/xfree86/common/xf86Xinput.c:1142
|
|
||||||
#4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
|
|
||||||
#5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
|
|
||||||
#6 0x55c450e837ef in dix_main ../../../dix/main.c:302
|
|
||||||
#7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
|
|
||||||
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
|
|
||||||
|
|
||||||
previously allocated by thread T0 here:
|
|
||||||
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
|
|
||||||
#1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
|
|
||||||
#2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
|
|
||||||
#3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
|
|
||||||
../../../Xi/xichangehierarchy.c:465
|
|
||||||
#5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
|
|
||||||
#6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
|
|
||||||
#7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
|
|
||||||
#8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
|
|
||||||
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
|
|
||||||
|
|
||||||
The problem is caused by dev->master being not reset when disabling the
|
|
||||||
device, which then causes dangling pointer when the master device itself
|
|
||||||
is being deleted when exiting whole server.
|
|
||||||
|
|
||||||
Note that RecalculateMasterButtons() requires dev->master to be still
|
|
||||||
valid, so we can reset it only at the end of function.
|
|
||||||
|
|
||||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
|
||||||
---
|
|
||||||
dix/devices.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/dix/devices.c b/dix/devices.c
|
|
||||||
index e62c34c55e..5f9ce1678f 100644
|
|
||||||
--- a/dix/devices.c
|
|
||||||
+++ b/dix/devices.c
|
|
||||||
@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
|
||||||
}
|
|
||||||
|
|
||||||
RecalculateMasterButtons(dev);
|
|
||||||
+ dev->master = NULL;
|
|
||||||
|
|
||||||
return TRUE;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
51
SOURCES/tigervnc-dont-install-appstream-metadata-file.patch
Normal file
51
SOURCES/tigervnc-dont-install-appstream-metadata-file.patch
Normal file
@ -0,0 +1,51 @@
|
|||||||
|
diff --git a/po/CMakeLists.txt b/po/CMakeLists.txt
|
||||||
|
index 052cfb3..c84fb0e 100644
|
||||||
|
--- a/po/CMakeLists.txt
|
||||||
|
+++ b/po/CMakeLists.txt
|
||||||
|
@@ -14,7 +14,6 @@ if (GETTEXT_XGETTEXT_EXECUTABLE)
|
||||||
|
${PROJECT_SOURCE_DIR}/vncviewer/*.h
|
||||||
|
${PROJECT_SOURCE_DIR}/vncviewer/*.cxx
|
||||||
|
${PROJECT_SOURCE_DIR}/vncviewer/*.desktop.in.in
|
||||||
|
- ${PROJECT_SOURCE_DIR}/vncviewer/*.metainfo.xml.in
|
||||||
|
)
|
||||||
|
|
||||||
|
add_custom_target(translations_update
|
||||||
|
diff --git a/vncviewer/CMakeLists.txt b/vncviewer/CMakeLists.txt
|
||||||
|
index 15eac66..450b732 100644
|
||||||
|
--- a/vncviewer/CMakeLists.txt
|
||||||
|
+++ b/vncviewer/CMakeLists.txt
|
||||||
|
@@ -100,34 +100,6 @@ if(UNIX)
|
||||||
|
add_custom_target(desktop ALL DEPENDS vncviewer.desktop)
|
||||||
|
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncviewer.desktop DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/applications)
|
||||||
|
|
||||||
|
- if("${GETTEXT_VERSION_STRING}" VERSION_GREATER 0.19.6)
|
||||||
|
- add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
|
||||||
|
- COMMAND ${GETTEXT_MSGFMT_EXECUTABLE}
|
||||||
|
- --xml --template ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
|
||||||
|
- -d ${CMAKE_SOURCE_DIR}/po -o org.tigervnc.vncviewer.metainfo.xml
|
||||||
|
- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
|
||||||
|
- )
|
||||||
|
- elseif(INTLTOOL_MERGE_EXECUTABLE)
|
||||||
|
- add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
|
||||||
|
- COMMAND sed -e 's@<name>@<_name>@\;s@</name>@</_name>@'
|
||||||
|
- -e 's@<summary>@<_summary>@\;s@</summary>@</_summary>@'
|
||||||
|
- -e 's@<caption>@<_caption>@\;s@</caption>@</_caption>@'
|
||||||
|
- -e 's@<p>@<_p>@g\;s@</p>@</_p>@g'
|
||||||
|
- ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in > org.tigervnc.vncviewer.metainfo.xml.intl
|
||||||
|
- COMMAND ${INTLTOOL_MERGE_EXECUTABLE}
|
||||||
|
- -x ${CMAKE_SOURCE_DIR}/po
|
||||||
|
- org.tigervnc.vncviewer.metainfo.xml.intl org.tigervnc.vncviewer.metainfo.xml
|
||||||
|
- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
|
||||||
|
- )
|
||||||
|
- else()
|
||||||
|
- add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
|
||||||
|
- COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in org.tigervnc.vncviewer.metainfo.xml
|
||||||
|
- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
|
||||||
|
- )
|
||||||
|
- endif()
|
||||||
|
- add_custom_target(appstream ALL DEPENDS org.tigervnc.vncviewer.metainfo.xml)
|
||||||
|
- install(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.tigervnc.vncviewer.metainfo.xml DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/metainfo)
|
||||||
|
-
|
||||||
|
foreach(res 16 22 24 32 48 64 128)
|
||||||
|
install(FILES ../media/icons/tigervnc_${res}.png DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/icons/hicolor/${res}x${res}/apps RENAME tigervnc.png)
|
||||||
|
endforeach()
|
135
SOURCES/tigervnc-support-username-alias-in-plainusers.patch
Normal file
135
SOURCES/tigervnc-support-username-alias-in-plainusers.patch
Normal file
@ -0,0 +1,135 @@
|
|||||||
|
diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx
|
||||||
|
index 6f65e87..3142ba3 100644
|
||||||
|
--- a/common/rfb/SSecurityPlain.cxx
|
||||||
|
+++ b/common/rfb/SSecurityPlain.cxx
|
||||||
|
@@ -27,6 +27,8 @@
|
||||||
|
#include <rdr/InStream.h>
|
||||||
|
#if !defined(WIN32) && !defined(__APPLE__)
|
||||||
|
#include <rfb/UnixPasswordValidator.h>
|
||||||
|
+#include <unistd.h>
|
||||||
|
+#include <pwd.h>
|
||||||
|
#endif
|
||||||
|
#ifdef WIN32
|
||||||
|
#include <rfb/WinPasswdValidator.h>
|
||||||
|
@@ -45,21 +47,22 @@ StringParameter PasswordValidator::plainUsers
|
||||||
|
|
||||||
|
bool PasswordValidator::validUser(const char* username)
|
||||||
|
{
|
||||||
|
- CharArray users(plainUsers.getValueStr()), user;
|
||||||
|
+ std::vector<std::string> users;
|
||||||
|
|
||||||
|
- while (users.buf) {
|
||||||
|
- strSplit(users.buf, ',', &user.buf, &users.buf);
|
||||||
|
-#ifdef WIN32
|
||||||
|
- if (0 == stricmp(user.buf, "*"))
|
||||||
|
- return true;
|
||||||
|
- if (0 == stricmp(user.buf, username))
|
||||||
|
- return true;
|
||||||
|
-#else
|
||||||
|
- if (!strcmp(user.buf, "*"))
|
||||||
|
- return true;
|
||||||
|
- if (!strcmp(user.buf, username))
|
||||||
|
- return true;
|
||||||
|
+ users = split(plainUsers, ',');
|
||||||
|
+
|
||||||
|
+ for (size_t i = 0; i < users.size(); i++) {
|
||||||
|
+ if (users[i] == "*")
|
||||||
|
+ return true;
|
||||||
|
+#if !defined(WIN32) && !defined(__APPLE__)
|
||||||
|
+ if (users[i] == "%u") {
|
||||||
|
+ struct passwd *pw = getpwnam(username);
|
||||||
|
+ if (pw && pw->pw_uid == getuid())
|
||||||
|
+ return true;
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
+ if (users[i] == username)
|
||||||
|
+ return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx
|
||||||
|
index 649eb0b..cce73a0 100644
|
||||||
|
--- a/common/rfb/util.cxx
|
||||||
|
+++ b/common/rfb/util.cxx
|
||||||
|
@@ -99,6 +99,26 @@ namespace rfb {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ std::vector<std::string> split(const char* src,
|
||||||
|
+ const char delimiter)
|
||||||
|
+ {
|
||||||
|
+ std::vector<std::string> out;
|
||||||
|
+ const char *start, *stop;
|
||||||
|
+
|
||||||
|
+ start = src;
|
||||||
|
+ do {
|
||||||
|
+ stop = strchr(start, delimiter);
|
||||||
|
+ if (stop == NULL) {
|
||||||
|
+ out.push_back(start);
|
||||||
|
+ } else {
|
||||||
|
+ out.push_back(std::string(start, stop-start));
|
||||||
|
+ start = stop + 1;
|
||||||
|
+ }
|
||||||
|
+ } while (stop != NULL);
|
||||||
|
+
|
||||||
|
+ return out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
bool strContains(const char* src, char c) {
|
||||||
|
int l=strlen(src);
|
||||||
|
for (int i=0; i<l; i++)
|
||||||
|
diff --git a/common/rfb/util.h b/common/rfb/util.h
|
||||||
|
index f0ac9ef..ed15c28 100644
|
||||||
|
--- a/common/rfb/util.h
|
||||||
|
+++ b/common/rfb/util.h
|
||||||
|
@@ -27,6 +27,9 @@
|
||||||
|
#include <limits.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
+#include <string>
|
||||||
|
+#include <vector>
|
||||||
|
+
|
||||||
|
struct timeval;
|
||||||
|
|
||||||
|
#ifdef __GNUC__
|
||||||
|
@@ -76,6 +79,10 @@ namespace rfb {
|
||||||
|
// that part of the string. Obviously, setting both to 0 is not useful...
|
||||||
|
bool strSplit(const char* src, const char limiter, char** out1, char** out2, bool fromEnd=false);
|
||||||
|
|
||||||
|
+ // Splits a string with the specified delimiter
|
||||||
|
+ std::vector<std::string> split(const char* src,
|
||||||
|
+ const char delimiter);
|
||||||
|
+
|
||||||
|
// Returns true if src contains c
|
||||||
|
bool strContains(const char* src, char c);
|
||||||
|
|
||||||
|
diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man
|
||||||
|
index c36ae34..78db730 100644
|
||||||
|
--- a/unix/x0vncserver/x0vncserver.man
|
||||||
|
+++ b/unix/x0vncserver/x0vncserver.man
|
||||||
|
@@ -125,8 +125,8 @@ parameter instead.
|
||||||
|
.B \-PlainUsers \fIuser-list\fP
|
||||||
|
A comma separated list of user names that are allowed to authenticate via
|
||||||
|
any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
|
||||||
|
-to allow any user to authenticate using this security type. Default is to
|
||||||
|
-deny all users.
|
||||||
|
+to allow any user to authenticate using this security type. Specify \fB%u\fP
|
||||||
|
+to allow the user of the server process. Default is to deny all users.
|
||||||
|
.
|
||||||
|
.TP
|
||||||
|
.B \-pam_service \fIname\fP, \-PAMService \fIname\fP
|
||||||
|
diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
|
||||||
|
index ea87dea..e9fb654 100644
|
||||||
|
--- a/unix/xserver/hw/vnc/Xvnc.man
|
||||||
|
+++ b/unix/xserver/hw/vnc/Xvnc.man
|
||||||
|
@@ -200,8 +200,8 @@ parameter instead.
|
||||||
|
.B \-PlainUsers \fIuser-list\fP
|
||||||
|
A comma separated list of user names that are allowed to authenticate via
|
||||||
|
any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
|
||||||
|
-to allow any user to authenticate using this security type. Default is to
|
||||||
|
-deny all users.
|
||||||
|
+to allow any user to authenticate using this security type. Specify \fB%u\fP
|
||||||
|
+to allow the user of the server process. Default is to deny all users.
|
||||||
|
.
|
||||||
|
.TP
|
||||||
|
.B \-pam_service \fIname\fP, \-PAMService \fIname\fP
|
17
SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch
Normal file
17
SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
|
||||||
|
index f8141959..c5c36539 100644
|
||||||
|
--- a/unix/xserver/hw/vnc/xvnc.c
|
||||||
|
+++ b/unix/xserver/hw/vnc/xvnc.c
|
||||||
|
@@ -366,8 +366,10 @@ ddxProcessArgument(int argc, char *argv[], int i)
|
||||||
|
if (strcmp(argv[i], "-inetd") == 0) {
|
||||||
|
int nullfd;
|
||||||
|
|
||||||
|
- dup2(0, 3);
|
||||||
|
- vncInetdSock = 3;
|
||||||
|
+ if ((vncInetdSock = dup(0)) == -1)
|
||||||
|
+ FatalError
|
||||||
|
+ ("Xvnc error: failed to allocate a new file descriptor for -inetd: %s\n", strerror(errno));
|
||||||
|
+
|
||||||
|
|
||||||
|
/* Avoid xserver >= 1.19's epoll-fd becoming fd 2 / stderr only to be
|
||||||
|
replaced by /dev/null by OsInit() because the pollfd is not
|
@ -0,0 +1,29 @@
|
|||||||
|
From 4db34f73d461b973867ddaf18bf690219229cd7a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Carlos Santos <casantos@redhat.com>
|
||||||
|
Date: Thu, 25 Jul 2024 18:39:59 -0300
|
||||||
|
Subject: [PATCH] vncsession: use /bin/sh if the user shell is not set
|
||||||
|
|
||||||
|
An empty shell field in the password file is valid, although not common.
|
||||||
|
Use /bin/sh in this case, as documented in the passwd(5) man page, since
|
||||||
|
the vncserver script requires a non-empty SHELL environment variable.
|
||||||
|
|
||||||
|
Fixes issue #1786.
|
||||||
|
|
||||||
|
Signed-off-by: Carlos Santos <casantos@redhat.com>
|
||||||
|
---
|
||||||
|
unix/vncserver/vncsession.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
|
||||||
|
index 1ee096c7c..98a0432aa 100644
|
||||||
|
--- a/unix/vncserver/vncsession.c
|
||||||
|
+++ b/unix/vncserver/vncsession.c
|
||||||
|
@@ -545,7 +545,7 @@ run_script(const char *username, const char *display, char **envp)
|
||||||
|
|
||||||
|
// Set up some basic environment for the script
|
||||||
|
setenv("HOME", pwent->pw_dir, 1);
|
||||||
|
- setenv("SHELL", pwent->pw_shell, 1);
|
||||||
|
+ setenv("SHELL", *pwent->pw_shell != '\0' ? pwent->pw_shell : "/bin/sh", 1);
|
||||||
|
setenv("LOGNAME", pwent->pw_name, 1);
|
||||||
|
setenv("USER", pwent->pw_name, 1);
|
||||||
|
setenv("USERNAME", pwent->pw_name, 1);
|
@ -32,7 +32,7 @@
|
|||||||
Description=XVNC Per-Connection Daemon
|
Description=XVNC Per-Connection Daemon
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None
|
ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None -Log *:syslog:30
|
||||||
User=nobody
|
User=nobody
|
||||||
StandardInput=socket
|
StandardInput=socket
|
||||||
StandardError=syslog
|
StandardError=syslog
|
||||||
|
@ -5,12 +5,12 @@
|
|||||||
|
|
||||||
Name: tigervnc
|
Name: tigervnc
|
||||||
Version: 1.13.1
|
Version: 1.13.1
|
||||||
Release: 3%{?dist}.6.alma.1
|
Release: 13%{?dist}
|
||||||
Summary: A TigerVNC remote display system
|
Summary: A TigerVNC remote display system
|
||||||
|
|
||||||
%global _hardened_build 1
|
%global _hardened_build 1
|
||||||
|
|
||||||
License: GPL-2.0-or-later
|
License: GPLv2+
|
||||||
URL: http://www.tigervnc.com
|
URL: http://www.tigervnc.com
|
||||||
|
|
||||||
Source0: %{name}-%{version}.tar.gz
|
Source0: %{name}-%{version}.tar.gz
|
||||||
@ -24,37 +24,23 @@ Source5: vncserver
|
|||||||
# Downstream patches
|
# Downstream patches
|
||||||
Patch1: tigervnc-use-gnome-as-default-session.patch
|
Patch1: tigervnc-use-gnome-as-default-session.patch
|
||||||
Patch2: tigervnc-vncsession-restore-script-systemd-service.patch
|
Patch2: tigervnc-vncsession-restore-script-systemd-service.patch
|
||||||
|
Patch3: tigervnc-dont-install-appstream-metadata-file.patch
|
||||||
# https://gitlab.com/redhat/centos-stream/rpms/tigervnc/-/commit/75082cdb91390f66637d1dcacbb291181afbc9af
|
|
||||||
Patch3: tigervnc-dont-get-pointer-position-for-floating-device.patch
|
|
||||||
|
|
||||||
# Upstream patches
|
# Upstream patches
|
||||||
|
Patch50: tigervnc-support-username-alias-in-plainusers.patch
|
||||||
|
Patch51: tigervnc-use-dup-to-get-available-fd-for-inetd.patch
|
||||||
|
Patch52: tigervnc-add-option-to-force-view-only-remote-connections.patch
|
||||||
|
Patch53: tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch
|
||||||
|
|
||||||
|
# Upstreamable patches
|
||||||
|
Patch80: tigervnc-dont-get-pointer-position-for-floating-device.patch
|
||||||
|
|
||||||
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
|
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
|
||||||
Patch100: tigervnc-xserver120.patch
|
Patch100: tigervnc-xserver120.patch
|
||||||
# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
|
# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
|
||||||
Patch101: 0001-rpath-hack.patch
|
Patch101: 0001-rpath-hack.patch
|
||||||
|
|
||||||
|
# XServer patches
|
||||||
# Patches were taken from:
|
|
||||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
|
|
||||||
Patch102: CVE-2023-5367.patch
|
|
||||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7
|
|
||||||
Patch103: CVE-2023-5380.patch
|
|
||||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
|
|
||||||
Patch104: CVE-2023-6377.patch
|
|
||||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632
|
|
||||||
Patch105: CVE-2023-6478.patch
|
|
||||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3
|
|
||||||
Patch106: CVE-2023-6816.patch
|
|
||||||
# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1245?commit_id=ece23be888a93b741aa1209d1dbf64636109d6a5
|
|
||||||
Patch107: CVE-2024-0229-1.patch
|
|
||||||
Patch108: CVE-2024-0229-2.patch
|
|
||||||
Patch109: CVE-2024-0229-3.patch
|
|
||||||
Patch110: CVE-2024-21885.patch
|
|
||||||
Patch111: CVE-2024-21886-1.patch
|
|
||||||
Patch112: CVE-2024-21886-2.patch
|
|
||||||
Patch113: dix-fix-use-after-free-in-input-device-shutdown.patch
|
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
@ -140,12 +126,10 @@ X session.
|
|||||||
|
|
||||||
%package server-minimal
|
%package server-minimal
|
||||||
Summary: A minimal installation of TigerVNC server
|
Summary: A minimal installation of TigerVNC server
|
||||||
Requires(post): systemd
|
Requires(post): chkconfig
|
||||||
Requires(preun): systemd
|
Requires(preun):chkconfig
|
||||||
Requires(postun): systemd
|
|
||||||
Requires(post): systemd
|
|
||||||
|
|
||||||
Requires: mesa-dri-drivers, xkeyboard-config, xkbcomp
|
Requires: mesa-dri-drivers, xkeyboard-config, xorg-x11-xkb-utils
|
||||||
Requires: tigervnc-license, dbus-x11
|
Requires: tigervnc-license, dbus-x11
|
||||||
|
|
||||||
%description server-minimal
|
%description server-minimal
|
||||||
@ -181,9 +165,6 @@ This package contains icons for TigerVNC viewer
|
|||||||
Summary: SELinux module for TigerVNC
|
Summary: SELinux module for TigerVNC
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
BuildRequires: selinux-policy-devel
|
BuildRequires: selinux-policy-devel
|
||||||
BuildRequires: pkgconfig(systemd)
|
|
||||||
BuildRequires: selinux-policy
|
|
||||||
|
|
||||||
Requires: selinux-policy-%{selinuxtype}
|
Requires: selinux-policy-%{selinuxtype}
|
||||||
Requires(post): selinux-policy-%{selinuxtype}
|
Requires(post): selinux-policy-%{selinuxtype}
|
||||||
BuildRequires: selinux-policy-devel
|
BuildRequires: selinux-policy-devel
|
||||||
@ -191,15 +172,7 @@ BuildRequires: selinux-policy-devel
|
|||||||
Requires: libselinux-utils
|
Requires: libselinux-utils
|
||||||
# Required for restorecon
|
# Required for restorecon
|
||||||
Requires: policycoreutils
|
Requires: policycoreutils
|
||||||
|
%{?selinux_requires}
|
||||||
Requires: libselinux-utils
|
|
||||||
Requires: selinux-policy
|
|
||||||
Requires: selinux-policy-%{selinuxtype}
|
|
||||||
Requires(post): selinux-policy-base
|
|
||||||
Requires(post): selinux-policy-%{selinuxtype}
|
|
||||||
Requires(post): libselinux-utils
|
|
||||||
Requires(post): policycoreutils
|
|
||||||
Requires(post): policycoreutils-python-utils
|
|
||||||
|
|
||||||
%description selinux
|
%description selinux
|
||||||
This package provides the SELinux policy module to ensure TigerVNC
|
This package provides the SELinux policy module to ensure TigerVNC
|
||||||
@ -215,26 +188,20 @@ for all in `find . -type f -perm -001`; do
|
|||||||
done
|
done
|
||||||
%patch100 -p1 -b .xserver120-rebased
|
%patch100 -p1 -b .xserver120-rebased
|
||||||
%patch101 -p1 -b .rpath
|
%patch101 -p1 -b .rpath
|
||||||
%patch102 -p1 -b .CVE-2023-5367
|
|
||||||
%patch103 -p1 -b .CVE-2023-5380
|
|
||||||
%patch104 -p1 -b .CVE-2023-6377
|
|
||||||
%patch105 -p1 -b .CVE-2023-6478
|
|
||||||
%patch106 -p1 -b .CVE-2023-6816
|
|
||||||
%patch107 -p1 -b .CVE-2024-0229-1
|
|
||||||
%patch108 -p1 -b .CVE-2024-0229-2
|
|
||||||
%patch109 -p1 -b .CVE-2024-0229-3
|
|
||||||
%patch110 -p1 -b .CVE-2024-21885
|
|
||||||
%patch111 -p1 -b .CVE-2024-21886-1
|
|
||||||
%patch112 -p1 -b .CVE-2024-21886-2
|
|
||||||
%patch113 -p1 -b .dix-fix-use-after-free-in-input-device-shutdown
|
|
||||||
|
|
||||||
popd
|
popd
|
||||||
|
|
||||||
%patch1 -p1 -b .use-gnome-as-default-session
|
%patch1 -p1 -b .use-gnome-as-default-session
|
||||||
%patch2 -p1 -b .vncsession-restore-script-systemd-service
|
%patch2 -p1 -b .vncsession-restore-script-systemd-service
|
||||||
%patch3 -p1 -b .dont-get-pointer-position-for-floating-device
|
%patch3 -p1 -b .dont-install-appstream-metadata-file.patch
|
||||||
|
|
||||||
# Upstream patches
|
# Upstream patches
|
||||||
|
%patch50 -p1 -b .support-username-alias-in-plainusers
|
||||||
|
%patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd
|
||||||
|
%patch52 -p1 -b .add-option-to-force-view-only-remote-connections
|
||||||
|
%patch53 -p1 -b .tigervnc-vncsession-use-bin-sh-when-shell-not-set
|
||||||
|
|
||||||
|
# Upstreamable patches
|
||||||
|
%patch80 -p1 -b .dont-get-pointer-position-for-floating-device
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%ifarch sparcv9 sparc64 s390 s390x
|
%ifarch sparcv9 sparc64 s390 s390x
|
||||||
@ -242,22 +209,12 @@ export CFLAGS="$RPM_OPT_FLAGS -fPIC"
|
|||||||
%else
|
%else
|
||||||
export CFLAGS="$RPM_OPT_FLAGS -fpic"
|
export CFLAGS="$RPM_OPT_FLAGS -fpic"
|
||||||
%endif
|
%endif
|
||||||
export CXXFLAGS="$CFLAGS -std=c++11"
|
export CXXFLAGS="$CFLAGS"
|
||||||
|
|
||||||
%define __cmake_builddir %{_target_platform}
|
%{cmake} .
|
||||||
|
make %{?_smp_mflags}
|
||||||
mkdir -p %{%__cmake_builddir}
|
|
||||||
|
|
||||||
%cmake
|
|
||||||
|
|
||||||
%cmake_build
|
|
||||||
|
|
||||||
pushd unix/xserver
|
pushd unix/xserver
|
||||||
|
|
||||||
%if 0%{?fedora} > 32 || 0%{?rhel} >= 9
|
|
||||||
sed -i 's@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}/%{_target_platform}@g' hw/vnc/Makefile.am
|
|
||||||
%endif
|
|
||||||
|
|
||||||
autoreconf -fiv
|
autoreconf -fiv
|
||||||
%configure \
|
%configure \
|
||||||
--disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
|
--disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
|
||||||
@ -280,11 +237,7 @@ make %{?_smp_mflags}
|
|||||||
popd
|
popd
|
||||||
|
|
||||||
# Build icons
|
# Build icons
|
||||||
%if 0%{?fedora} > 32 || 0%{?rhel} >= 9
|
|
||||||
pushd %{_target_platform}/media
|
|
||||||
%else
|
|
||||||
pushd media
|
pushd media
|
||||||
%endif
|
|
||||||
make
|
make
|
||||||
popd
|
popd
|
||||||
|
|
||||||
@ -293,19 +246,19 @@ pushd unix/vncserver/selinux
|
|||||||
make
|
make
|
||||||
popd
|
popd
|
||||||
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%cmake_install
|
%make_install
|
||||||
rm -f %{buildroot}%{_docdir}/%{name}-%{version}/{README.rst,LICENCE.TXT}
|
|
||||||
|
|
||||||
pushd unix/xserver/hw/vnc
|
pushd unix/xserver/hw/vnc
|
||||||
%make_install
|
make install DESTDIR=%{buildroot}
|
||||||
popd
|
popd
|
||||||
|
|
||||||
# Install systemd unit file
|
|
||||||
pushd unix/vncserver/selinux
|
pushd unix/vncserver/selinux
|
||||||
make install DESTDIR=%{buildroot}
|
make install DESTDIR=%{buildroot}
|
||||||
popd
|
popd
|
||||||
|
|
||||||
|
|
||||||
# Install systemd unit file
|
# Install systemd unit file
|
||||||
install -m644 %{SOURCE1} %{buildroot}%{_unitdir}/xvnc@.service
|
install -m644 %{SOURCE1} %{buildroot}%{_unitdir}/xvnc@.service
|
||||||
install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket
|
install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket
|
||||||
@ -319,21 +272,7 @@ install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps
|
|||||||
done
|
done
|
||||||
popd
|
popd
|
||||||
|
|
||||||
appstream-util validate-relax --nonet %{buildroot}%{_metainfodir}/org.tigervnc.vncviewer.metainfo.xml
|
|
||||||
desktop-file-validate %{buildroot}%{_datadir}/applications/vncviewer.desktop
|
|
||||||
|
|
||||||
%if 0%{?rhel} > 9
|
|
||||||
# Install a replacement for /usr/bin/vncserver which will tell the user to read the
|
|
||||||
# HOWTO.md file
|
|
||||||
cat <<EOF > %{buildroot}/%{_bindir}/vncserver
|
|
||||||
#!/bin/bash
|
|
||||||
echo "vncserver has been replaced by a systemd unit."
|
|
||||||
echo "Please read /usr/share/doc/tigervnc/HOWTO.md for more information."
|
|
||||||
EOF
|
|
||||||
chmod +x %{buildroot}/%{_bindir}/vncserver
|
|
||||||
%else
|
|
||||||
install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
|
install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
|
||||||
%endif
|
|
||||||
|
|
||||||
%find_lang %{name} %{name}.lang
|
%find_lang %{name} %{name}.lang
|
||||||
|
|
||||||
@ -344,14 +283,15 @@ mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/
|
|||||||
install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
|
install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
|
||||||
|
|
||||||
%post server
|
%post server
|
||||||
%systemd_post xvnc@.service
|
%systemd_post xvnc.service
|
||||||
%systemd_post xvnc.socket
|
%systemd_post xvnc.socket
|
||||||
|
|
||||||
%preun server
|
%preun server
|
||||||
|
%systemd_preun xvnc.service
|
||||||
%systemd_preun xvnc.socket
|
%systemd_preun xvnc.socket
|
||||||
|
|
||||||
%postun server
|
%postun server
|
||||||
%systemd_postun xvnc@.service
|
%systemd_postun xvnc.service
|
||||||
%systemd_postun xvnc.socket
|
%systemd_postun xvnc.socket
|
||||||
|
|
||||||
%pre selinux
|
%pre selinux
|
||||||
@ -373,7 +313,6 @@ fi
|
|||||||
%{_bindir}/vncviewer
|
%{_bindir}/vncviewer
|
||||||
%{_datadir}/applications/*
|
%{_datadir}/applications/*
|
||||||
%{_mandir}/man1/vncviewer.1*
|
%{_mandir}/man1/vncviewer.1*
|
||||||
%{_datadir}/metainfo/org.tigervnc.vncviewer.metainfo.xml
|
|
||||||
|
|
||||||
%files server
|
%files server
|
||||||
%config(noreplace) %{_sysconfdir}/pam.d/tigervnc
|
%config(noreplace) %{_sysconfdir}/pam.d/tigervnc
|
||||||
@ -383,8 +322,8 @@ fi
|
|||||||
%{_unitdir}/vncserver@.service
|
%{_unitdir}/vncserver@.service
|
||||||
%{_unitdir}/xvnc@.service
|
%{_unitdir}/xvnc@.service
|
||||||
%{_unitdir}/xvnc.socket
|
%{_unitdir}/xvnc.socket
|
||||||
%{_bindir}/vncserver
|
|
||||||
%{_bindir}/x0vncserver
|
%{_bindir}/x0vncserver
|
||||||
|
%{_bindir}/vncserver
|
||||||
%{_sbindir}/vncsession
|
%{_sbindir}/vncsession
|
||||||
%{_libexecdir}/vncserver
|
%{_libexecdir}/vncserver
|
||||||
%{_libexecdir}/vncsession-start
|
%{_libexecdir}/vncsession-start
|
||||||
@ -404,7 +343,7 @@ fi
|
|||||||
|
|
||||||
%files server-module
|
%files server-module
|
||||||
%{_libdir}/xorg/modules/extensions/libvnc.so
|
%{_libdir}/xorg/modules/extensions/libvnc.so
|
||||||
%config(noreplace) %{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
|
%config %{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
|
||||||
|
|
||||||
%files license
|
%files license
|
||||||
%{_docdir}/tigervnc/LICENCE.TXT
|
%{_docdir}/tigervnc/LICENCE.TXT
|
||||||
@ -417,236 +356,255 @@ fi
|
|||||||
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
|
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Jan 30 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1.13.1-3.3.alma.1
|
* Mon Aug 05 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-13
|
||||||
- CVE-2023-6816, CVE-2024-0029, CVE-2024-21885, CVE-2024-21886
|
- vncsession: use /bin/sh if the user shell is not set
|
||||||
- dix: Fix use after free in input device shutdown
|
Resolves: RHEL-52827
|
||||||
|
|
||||||
* Wed Jan 03 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1.13.1-3.3.alma.1
|
* Fri Jul 12 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-12
|
||||||
- CVE-2023-5367, CVE-2023-5380, CVE-2023-6377, CVE-2023-6478
|
- Fix FTBS: drop already applied Xorg patches
|
||||||
|
Resolves: RHEL-46696
|
||||||
|
|
||||||
|
* Tue May 28 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11
|
||||||
|
- vncconfig: add option to force view-only remote client connections
|
||||||
|
Resolves: RHEL-11908
|
||||||
|
|
||||||
|
* Mon Apr 15 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10
|
||||||
|
- Drop patches that are already part of xorg-x11-server
|
||||||
|
Resolves: RHEL-30755
|
||||||
|
Resolves: RHEL-30767
|
||||||
|
Resolves: RHEL-30761
|
||||||
|
|
||||||
|
* Thu Apr 04 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-9
|
||||||
|
- Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
|
||||||
|
Resolves: RHEL-30755
|
||||||
|
- Fix CVE-2024-31083 tigervnc: xorg-x11-server: User-after-free in ProcRenderAddGlyphs
|
||||||
|
Resolves: RHEL-30767
|
||||||
|
- Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
|
||||||
|
Resolves: RHEL-30761
|
||||||
|
|
||||||
|
* Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8
|
||||||
|
- Fix copy/paste error in the DeviceStateNotify
|
||||||
|
Resolves: RHEL-20530
|
||||||
|
|
||||||
|
* Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
|
||||||
|
- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
|
||||||
|
Resolves: RHEL-20388
|
||||||
|
- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
|
||||||
|
Resolves: RHEL-20382
|
||||||
|
- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
|
||||||
|
Resolves: RHEL-20530
|
||||||
|
- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
|
||||||
|
Resolves: RHEL-21214
|
||||||
|
|
||||||
|
* Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6
|
||||||
|
- Use dup() to get available file descriptor when using -inetd option
|
||||||
|
Resolves: RHEL-21000
|
||||||
|
|
||||||
|
* Mon Dec 18 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-5
|
||||||
|
- Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions
|
||||||
|
Resolves: RHEL-18410
|
||||||
|
- Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
|
||||||
|
Resolves: RHEL-18422
|
||||||
|
|
||||||
|
* Wed Nov 01 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-4
|
||||||
|
- Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow
|
||||||
|
Resolves: RHEL-15236
|
||||||
|
|
||||||
|
- Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty
|
||||||
|
Resolves: RHEL-15230
|
||||||
|
|
||||||
|
* Mon Oct 09 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3
|
||||||
|
- Support username alias in PlainUsers
|
||||||
|
Resolves: RHEL-4258
|
||||||
|
|
||||||
* Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
|
* Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
|
||||||
- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
|
- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
|
||||||
Escalation Vulnerability
|
Escalation Vulnerability
|
||||||
Resolves: bz#2180310
|
Resolves: bz#2180306
|
||||||
|
|
||||||
* Tue Mar 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-1
|
* Tue Mar 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-1
|
||||||
- 1.13.1
|
- 1.13.1
|
||||||
Resolves: bz#2175732
|
Resolves: bz#2175748
|
||||||
|
- Restore "--fallbacktofreeport" option in the vncserver script
|
||||||
|
Resolves: bz#2174398
|
||||||
|
|
||||||
* Tue Feb 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-12
|
* Thu Dec 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-9
|
||||||
- SELinux: allow vncsession create .vnc directory
|
- Bump build version to fix upgrade path
|
||||||
Resolves: bz#2164703
|
Resolves: bz#1437569
|
||||||
|
|
||||||
* Wed Feb 15 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-11
|
* Fri Nov 18 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-8
|
||||||
- Add sanity check when cleaning up keymap changes
|
|
||||||
Resolves: bz#2169965
|
|
||||||
|
|
||||||
* Mon Feb 06 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-10
|
|
||||||
- xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation
|
|
||||||
Resolves: bz#2167061
|
|
||||||
|
|
||||||
* Tue Dec 20 2022 Tomas Popela <tpopela@redhat.com> - 1.12.0-9
|
|
||||||
- Rebuild for xorg-x11-server CVE-2022-46340 follow up fix
|
|
||||||
|
|
||||||
* Fri Dec 16 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-8
|
|
||||||
- Rebuild for xorg-x11-server CVEs
|
|
||||||
Resolves: CVE-2022-4283 (bz#2154234)
|
|
||||||
Resolves: CVE-2022-46340 (bz#2154221)
|
|
||||||
Resolves: CVE-2022-46341 (bz#2154224)
|
|
||||||
Resolves: CVE-2022-46342 (bz#2154226)
|
|
||||||
Resolves: CVE-2022-46343 (bz#2154228)
|
|
||||||
Resolves: CVE-2022-46344 (bz#2154230)
|
|
||||||
|
|
||||||
* Thu Dec 01 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-7
|
|
||||||
- x0vncserver: add new keysym in case we don't find matching keycode
|
- x0vncserver: add new keysym in case we don't find matching keycode
|
||||||
+ actually apply the patch
|
Resolves: bz#1437569
|
||||||
Resolves: bz#2119017
|
|
||||||
|
|
||||||
* Thu Dec 01 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-6
|
* Wed Aug 24 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-7
|
||||||
- x0vncserver: add new keysym in case we don't find matching keycode
|
|
||||||
Resolves: bz#2119017
|
|
||||||
|
|
||||||
* Mon Oct 24 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-5
|
|
||||||
- x0vncserver: fix ghost cursor in zaphod mode (better version)
|
- x0vncserver: fix ghost cursor in zaphod mode (better version)
|
||||||
Resolves: bz#2119016
|
Resolves: bz#2109679
|
||||||
|
|
||||||
* Tue May 31 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4
|
* Wed Aug 17 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-6
|
||||||
- Add BR: libXdamage, libXfixes, libXrandr
|
- x0vncserver: fix ghost cursor in zaphod mode
|
||||||
Resolves: bz#2091833
|
Resolves: bz#2109679
|
||||||
|
|
||||||
* Tue Apr 05 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3
|
* Tue May 31 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-5
|
||||||
- Do not run systemd_preun on Xvnc service file
|
- BR: libXdamage, libXfixes, libXrandr
|
||||||
Resolves: bz#2048011
|
Resolves: bz#2088733
|
||||||
|
|
||||||
* Mon Apr 04 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2
|
* Tue Feb 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4
|
||||||
- Drop unexisting option from the old vncserver script
|
|
||||||
Resolves: bz#2021893
|
|
||||||
|
|
||||||
* Wed Mar 23 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
|
|
||||||
- 1.12.0 + sync with Fedora
|
|
||||||
Resolves: bz#2048011
|
|
||||||
Resolves: bz#2021893
|
|
||||||
|
|
||||||
* Mon Feb 07 2022 Jan Grulich <jgrulich@redhat.com> - 1.11.0-21
|
|
||||||
- Added vncsession-restore script for SELinux policy migration
|
- Added vncsession-restore script for SELinux policy migration
|
||||||
Fix SELinux context for root user
|
Fix SELinux context for root user
|
||||||
Resolves: bz#2049506
|
Resolves: bz#2021892
|
||||||
|
|
||||||
* Fri Nov 26 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-20
|
* Fri Jan 21 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3
|
||||||
- Rebuild for absence in RHEL 9.0
|
- Fix crash in vncviewer
|
||||||
Resolves: bz#1985858
|
Resolves: bz#2021892
|
||||||
|
|
||||||
* Mon Aug 16 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-19
|
* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2
|
||||||
- Sync upstream patches + drop unused patches
|
- Remove unavailable option from vncserver script
|
||||||
Resolves: bz#1985858
|
Resolves: bz#2021892
|
||||||
|
|
||||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.11.0-18
|
* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
- 1.12.0
|
||||||
Related: rhbz#1991688
|
Resolves: bz#2021892
|
||||||
|
|
||||||
* Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-17
|
* Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9
|
||||||
- Fix logout from VNC session using vncserver
|
- Fix logout from VNC session using vncserver
|
||||||
Resolves: bz#1983704
|
Resolves: bz#1983706
|
||||||
|
|
||||||
* Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-16
|
* Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-8
|
||||||
- Bump version for rebuild (binutils)
|
- Run all SELinux RPM macros on correct package
|
||||||
Resolves: bz#1961488
|
Resolves: bz#1907963
|
||||||
|
|
||||||
* Mon May 17 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-14
|
* Mon May 17 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-7
|
||||||
- SELinux improvements
|
- SELinux improvements
|
||||||
Resolves: bz#1961488
|
Resolves: bz#1907963
|
||||||
|
|
||||||
- Fix endianness issue on s390x
|
* Tue Dec 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6
|
||||||
Resolves: bz#1963029
|
- Use GNOME as default session
|
||||||
|
Resolves: bz#1853608
|
||||||
|
|
||||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.11.0-13
|
* Thu Dec 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-5
|
||||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
- Make sure we log properly output to journal (actually log to syslog)
|
||||||
|
Resolves: bz#1841537
|
||||||
|
|
||||||
* Mon Mar 08 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-12
|
* Thu Dec 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-4
|
||||||
- Include RHEL8 patches
|
- Make sure we log properly output to journal
|
||||||
|
Resolves: bz#1841537
|
||||||
|
|
||||||
* Fri Mar 05 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-11
|
* Wed Nov 18 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-3
|
||||||
- Enable old vncserver script for RHEL 9
|
- vncserver: ignore new "session" parameter from the new systemd support
|
||||||
|
Resolves: bz#1897504
|
||||||
|
|
||||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.11.0-10
|
* Wed Nov 18 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-2
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
- Revert removal of vncserver
|
||||||
|
Resolves: bz#1897504
|
||||||
|
- Correctly start vncsession as a daemon
|
||||||
|
Resolves: bz#1897498
|
||||||
|
|
||||||
* Thu Dec 10 07:45:46 CET 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9
|
* Tue Oct 20 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-1
|
||||||
- vncserver: ignore new session parameter from the new systemd support
|
- Update to 1.11.0
|
||||||
|
Resolves: bz#1880985
|
||||||
|
- Backport fix to allow Tigervnc use boolean values in config files
|
||||||
|
Resolves: bz#1883415
|
||||||
|
|
||||||
* Fri Nov 13 14:08:29 CET 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-8
|
* Wed Sep 30 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-8
|
||||||
- Use /run instead of /var/run which is just a symlink
|
- Tolerate specifying -BoolParam 0 and similar
|
||||||
|
Resolves: bz#1883415
|
||||||
|
|
||||||
* Thu Nov 05 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.11.0-7
|
* Wed Jul 08 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-7
|
||||||
- Require xkbcomp directly, not xorg-x11-xkb-utils. The latter has had
|
- Enable server module on s390x
|
||||||
Provides xkbcomp for years.
|
Resolves: bz#1854925
|
||||||
|
|
||||||
* Tue Sep 29 13:12:22 CEST 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6
|
* Fri Jul 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-6
|
||||||
- Backport upstream fix allowing Tigervnc to specify boolean valus in configuration
|
- Remove trailing spaces in user name
|
||||||
- Revert removal of vncserver for F32 and F33
|
Resolves: bz#1852432
|
||||||
|
|
||||||
* Thu Sep 24 07:14:06 CEST 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-5
|
* Thu Jun 25 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-5
|
||||||
- Actually install the HOWTO.md file
|
- Install the HOWTO file to correct location
|
||||||
|
|
||||||
* Wed Sep 23 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-4
|
|
||||||
- Call systemd macros on correct service file
|
|
||||||
|
|
||||||
* Tue Sep 22 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-3
|
|
||||||
- Do not overwrite libvnc.conf config file
|
|
||||||
|
|
||||||
* Thu Sep 17 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-2
|
|
||||||
- Add /usr/bin/vncserver file informing users to read the HOWTO.md file
|
- Add /usr/bin/vncserver file informing users to read the HOWTO.md file
|
||||||
|
Resolves: bz#1790443
|
||||||
|
|
||||||
* Wed Sep 09 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-1
|
* Mon Jun 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-4
|
||||||
- 1.11.0
|
- Improve SELinux policy
|
||||||
|
Resolves: bz#1790443
|
||||||
|
|
||||||
* Mon Aug 24 2020 Jan Grulich <jgrulich@redhat.com. - 1.10.90-1
|
* Mon Jun 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-3
|
||||||
- Update to 1.10.90 (1.11.0 beta)
|
- Add a HOWTO.md file with instructions how to start VNC server
|
||||||
|
Resolves: bz#1790443
|
||||||
|
|
||||||
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-9
|
* Tue May 26 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-2
|
||||||
- Second attempt - Rebuilt for
|
- Make the systemd service run also for root user
|
||||||
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
Resolves: bz#1790443
|
||||||
|
|
||||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-8
|
* Mon Apr 27 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-1
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.10.1-7
|
|
||||||
- Use make macros
|
|
||||||
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
|
||||||
|
|
||||||
* Sat Jul 11 2020 Jiri Vanek <jvanek@redhat.com> - 1.10.1-6
|
|
||||||
- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
|
|
||||||
|
|
||||||
* Sun Apr 19 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-5
|
|
||||||
- Requires: dbus-x11
|
|
||||||
Resolves: bz#1825331
|
|
||||||
|
|
||||||
* Fri Mar 13 2020 Olivier Fourdan <ofourdan@redhat.com> - 1.10.1-4
|
|
||||||
- Fix build with xserver 1.20.7
|
|
||||||
|
|
||||||
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Jan 13 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-2
|
|
||||||
- Build with -std=c++11
|
|
||||||
|
|
||||||
* Fri Dec 20 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.1-1
|
|
||||||
- Update to 1.10.1
|
- Update to 1.10.1
|
||||||
|
Resolves: bz#1806992
|
||||||
|
|
||||||
* Tue Dec 10 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.0-2
|
- Add proper systemd support
|
||||||
- Properly install systemd files
|
Resolves: bz#1790443
|
||||||
|
|
||||||
* Mon Nov 18 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.0-1
|
* Tue Jan 28 2020 Jan Grulich <jgrulich@redhat.com> - 1.9.0-13
|
||||||
- Update to 1.10.0
|
- Bump build because of z-stream
|
||||||
|
Resolves: bz#1671714
|
||||||
|
|
||||||
* Fri Oct 18 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.90-1
|
* Wed Dec 11 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-12
|
||||||
- Update to 1.9.90 (1.10 beta)
|
- Fix installation of systemd files
|
||||||
- Add systemd user service file
|
Resolves: bz#1671714
|
||||||
- Use a wrapper for systemd system service file to workaround systemd limitations
|
|
||||||
|
|
||||||
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-7
|
* Wed Nov 20 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-11
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
- Use wrapper script to workaround systemd issues
|
||||||
|
Resolves: bz#1671714
|
||||||
|
|
||||||
* Fri Jul 19 2019 Dan Horák <dan[at]danny.cz> - 1.9.0-6
|
* Fri Jul 12 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-10
|
||||||
- drop the s390x special handling (related #1727029)
|
- Do not return returncode indicating error when running "vncserver -list"
|
||||||
|
Resolves: bz#1727860
|
||||||
|
|
||||||
* Wed Jun 12 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-5
|
* Fri Feb 08 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-9
|
||||||
- Add missing arguments to systemd_postun scriptlets
|
- Make tigervnc systemd service a user service
|
||||||
Resolves: bz#1716411
|
Resolves: bz#1639846
|
||||||
|
|
||||||
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-4
|
* Mon Jan 21 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-8
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
- Kill the session automatically only when Gnome is installed
|
||||||
|
Resolves: bz#1665876
|
||||||
|
|
||||||
* Tue Sep 25 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-3
|
* Tue Nov 20 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-7
|
||||||
|
- Improve coverity scan fixes
|
||||||
|
Resolves: bz#1602714
|
||||||
|
|
||||||
|
Inform whether view-only password is used or not
|
||||||
|
Resolves: bz#1639169
|
||||||
|
|
||||||
|
Backport fixes from RHEL 7
|
||||||
|
Resolves: bz#1651254
|
||||||
|
|
||||||
|
* Tue Oct 09 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-6
|
||||||
- Do not crash passwd when using malloc perturb checks
|
- Do not crash passwd when using malloc perturb checks
|
||||||
Resolves: bz#1631483
|
Resolves: bz#1637086
|
||||||
|
|
||||||
|
* Mon Oct 08 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-5
|
||||||
|
- Improve coverity scan fixes
|
||||||
|
Resolves: bz#1602714
|
||||||
|
|
||||||
|
* Wed Oct 03 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-4
|
||||||
|
- Improve coverity scan fixes
|
||||||
|
Resolves: bz#1602714
|
||||||
|
|
||||||
|
* Wed Oct 03 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-3
|
||||||
|
- Fix some coverity scan issues
|
||||||
|
Resolves: bz#1602714
|
||||||
|
|
||||||
* Wed Aug 01 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-2
|
* Wed Aug 01 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-2
|
||||||
- Ignore buttons in mouse leave events
|
- Remove dependency on initscripts
|
||||||
Resolves: bz#1609516
|
|
||||||
|
|
||||||
* Tue Jul 17 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-1
|
* Tue Jul 17 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-1
|
||||||
- Update to 1.9.0
|
- Update to 1.9.0 + sync with Fedora
|
||||||
|
|
||||||
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.90-3
|
* Tue Jun 12 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-10
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
- Fix GLX initialization with Xorg 1.20
|
||||||
|
|
||||||
* Wed Jul 4 2018 Peter Robinson <pbrobinson@fedoraproject.org> 1.8.90-2
|
* Tue May 29 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-9
|
||||||
- Clean up spec: use macros consistenly, drop old sys-v migrations
|
- Build against Xorg 1.20
|
||||||
- Drop ancient obsolete/provides
|
|
||||||
|
|
||||||
* Thu Jun 14 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.90-1
|
* Mon May 14 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-8
|
||||||
- Update to 1.8.90
|
- Drop BR: ImageMagick
|
||||||
|
|
||||||
* Wed Jun 13 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-10
|
|
||||||
- Fix tigervnc systemd unit file
|
|
||||||
Resolves: bz#1583159
|
|
||||||
|
|
||||||
* Wed Jun 06 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-9
|
|
||||||
- Fix GLX initialization with 1.20
|
|
||||||
|
|
||||||
* Wed Apr 04 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-8
|
|
||||||
- Rebuild for xserver 1.20
|
|
||||||
|
|
||||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.0-7
|
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.0-7
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
Loading…
Reference in New Issue
Block a user