Compare commits
No commits in common. "c8" and "a9" have entirely different histories.
|
@ -1 +1 @@
|
|||
SOURCES/tigervnc-1.12.0.tar.gz
|
||||
SOURCES/tigervnc-1.13.1.tar.gz
|
||||
|
|
|
@ -1 +1 @@
|
|||
44db63993d8ad04f730b0b48e8aca32933bff15a SOURCES/tigervnc-1.12.0.tar.gz
|
||||
6f7a23f14833f552c88523da1a5e102f3b8d35c2 SOURCES/tigervnc-1.13.1.tar.gz
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
#EndSection
|
||||
|
||||
#Section "Screen"
|
||||
# Identifier "Screen0"
|
||||
# Identifier "Screen0
|
||||
# DefaultDepth 16
|
||||
# Option "SecurityTypes" "VncAuth"
|
||||
# Option "PasswordFile" "/root/.vnc/passwd"
|
||||
|
|
|
@ -0,0 +1,80 @@
|
|||
From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 3 Oct 2023 11:53:05 +1000
|
||||
Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
|
||||
|
||||
The handling of appending/prepending properties was incorrect, with at
|
||||
least two bugs: the property length was set to the length of the new
|
||||
part only, i.e. appending or prepending N elements to a property with P
|
||||
existing elements always resulted in the property having N elements
|
||||
instead of N + P.
|
||||
|
||||
Second, when pre-pending a value to a property, the offset for the old
|
||||
values was incorrect, leaving the new property with potentially
|
||||
uninitalized values and/or resulting in OOB memory writes.
|
||||
For example, prepending a 3 element value to a 5 element property would
|
||||
result in this 8 value array:
|
||||
[N, N, N, ?, ?, P, P, P ] P, P
|
||||
^OOB write
|
||||
|
||||
The XI2 code is a copy/paste of the RandR code, so the bug exists in
|
||||
both.
|
||||
|
||||
CVE-2023-5367, ZDI-CAN-22153
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
Xi/xiproperty.c | 4 ++--
|
||||
randr/rrproperty.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
|
||||
index 066ba21fba..d315f04d0e 100644
|
||||
--- a/Xi/xiproperty.c
|
||||
+++ b/Xi/xiproperty.c
|
||||
@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
|
||||
XIDestroyDeviceProperty(prop);
|
||||
return BadAlloc;
|
||||
}
|
||||
- new_value.size = len;
|
||||
+ new_value.size = total_len;
|
||||
new_value.type = type;
|
||||
new_value.format = format;
|
||||
|
||||
@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
|
||||
case PropModePrepend:
|
||||
new_data = new_value.data;
|
||||
old_data = (void *) (((char *) new_value.data) +
|
||||
- (prop_value->size * size_in_bytes));
|
||||
+ (len * size_in_bytes));
|
||||
break;
|
||||
}
|
||||
if (new_data)
|
||||
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
|
||||
index c2fb9585c6..25469f57b2 100644
|
||||
--- a/randr/rrproperty.c
|
||||
+++ b/randr/rrproperty.c
|
||||
@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
|
||||
RRDestroyOutputProperty(prop);
|
||||
return BadAlloc;
|
||||
}
|
||||
- new_value.size = len;
|
||||
+ new_value.size = total_len;
|
||||
new_value.type = type;
|
||||
new_value.format = format;
|
||||
|
||||
@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
|
||||
case PropModePrepend:
|
||||
new_data = new_value.data;
|
||||
old_data = (void *) (((char *) new_value.data) +
|
||||
- (prop_value->size * size_in_bytes));
|
||||
+ (len * size_in_bytes));
|
||||
break;
|
||||
}
|
||||
if (new_data)
|
||||
--
|
||||
GitLab
|
||||
|
|
@ -0,0 +1,98 @@
|
|||
From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Thu, 5 Oct 2023 12:19:45 +1000
|
||||
Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
|
||||
|
||||
PointerWindows[] keeps a reference to the last window our sprite
|
||||
entered - changes are usually handled by CheckMotion().
|
||||
|
||||
If we switch between screens via XWarpPointer our
|
||||
dev->spriteInfo->sprite->win is set to the new screen's root window.
|
||||
If there's another window at the cursor location CheckMotion() will
|
||||
trigger the right enter/leave events later. If there is not, it skips
|
||||
that process and we never trigger LeaveWindow() - PointerWindows[] for
|
||||
the device still refers to the previous window.
|
||||
|
||||
If that window is destroyed we have a dangling reference that will
|
||||
eventually cause a use-after-free bug when checking the window hierarchy
|
||||
later.
|
||||
|
||||
To trigger this, we require:
|
||||
- two protocol screens
|
||||
- XWarpPointer to the other screen's root window
|
||||
- XDestroyWindow before entering any other window
|
||||
|
||||
This is a niche bug so we hack around it by making sure we reset the
|
||||
PointerWindows[] entry so we cannot have a dangling pointer. This
|
||||
doesn't handle Enter/Leave events correctly but the previous code didn't
|
||||
either.
|
||||
|
||||
CVE-2023-5380, ZDI-CAN-21608
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Sri working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
||||
---
|
||||
dix/enterleave.h | 2 --
|
||||
include/eventstr.h | 3 +++
|
||||
mi/mipointer.c | 17 +++++++++++++++--
|
||||
3 files changed, 18 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/dix/enterleave.h b/dix/enterleave.h
|
||||
index 4b833d8a3b..e8af924c68 100644
|
||||
--- a/dix/enterleave.h
|
||||
+++ b/dix/enterleave.h
|
||||
@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
|
||||
|
||||
extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
|
||||
|
||||
-extern void LeaveWindow(DeviceIntPtr dev);
|
||||
-
|
||||
extern void CoreFocusEvent(DeviceIntPtr kbd,
|
||||
int type, int mode, int detail, WindowPtr pWin);
|
||||
|
||||
diff --git a/include/eventstr.h b/include/eventstr.h
|
||||
index 93308f9b24..a9926eaeef 100644
|
||||
--- a/include/eventstr.h
|
||||
+++ b/include/eventstr.h
|
||||
@@ -296,4 +296,7 @@ union _InternalEvent {
|
||||
#endif
|
||||
};
|
||||
|
||||
+extern void
|
||||
+LeaveWindow(DeviceIntPtr dev);
|
||||
+
|
||||
#endif
|
||||
diff --git a/mi/mipointer.c b/mi/mipointer.c
|
||||
index a638f25d4a..8cf0035140 100644
|
||||
--- a/mi/mipointer.c
|
||||
+++ b/mi/mipointer.c
|
||||
@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
|
||||
#ifdef PANORAMIX
|
||||
&& noPanoramiXExtension
|
||||
#endif
|
||||
- )
|
||||
- UpdateSpriteForScreen(pDev, pScreen);
|
||||
+ ) {
|
||||
+ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
|
||||
+ /* Hack for CVE-2023-5380: if we're moving
|
||||
+ * screens PointerWindows[] keeps referring to the
|
||||
+ * old window. If that gets destroyed we have a UAF
|
||||
+ * bug later. Only happens when jumping from a window
|
||||
+ * to the root window on the other screen.
|
||||
+ * Enter/Leave events are incorrect for that case but
|
||||
+ * too niche to fix.
|
||||
+ */
|
||||
+ LeaveWindow(pDev);
|
||||
+ if (master)
|
||||
+ LeaveWindow(master);
|
||||
+ UpdateSpriteForScreen(pDev, pScreen);
|
||||
+ }
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
GitLab
|
||||
|
|
@ -0,0 +1,74 @@
|
|||
From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 28 Nov 2023 15:19:04 +1000
|
||||
Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
|
||||
|
||||
button->xkb_acts is supposed to be an array sufficiently large for all
|
||||
our buttons, not just a single XkbActions struct. Allocating
|
||||
insufficient memory here means when we memcpy() later in
|
||||
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
|
||||
leading to the usual security ooopsiedaisies.
|
||||
|
||||
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
Xi/exevents.c | 12 ++++++------
|
||||
dix/devices.c | 10 ++++++++++
|
||||
2 files changed, 16 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/Xi/exevents.c b/Xi/exevents.c
|
||||
index dcd4efb3bc..54ea11a938 100644
|
||||
--- a/Xi/exevents.c
|
||||
+++ b/Xi/exevents.c
|
||||
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
|
||||
}
|
||||
|
||||
if (from->button->xkb_acts) {
|
||||
- if (!to->button->xkb_acts) {
|
||||
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
|
||||
- if (!to->button->xkb_acts)
|
||||
- FatalError("[Xi] not enough memory for xkb_acts.\n");
|
||||
- }
|
||||
+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
|
||||
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
|
||||
+ maxbuttons,
|
||||
+ sizeof(XkbAction));
|
||||
+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
|
||||
memcpy(to->button->xkb_acts, from->button->xkb_acts,
|
||||
- sizeof(XkbAction));
|
||||
+ from->button->numButtons * sizeof(XkbAction));
|
||||
}
|
||||
else {
|
||||
free(to->button->xkb_acts);
|
||||
diff --git a/dix/devices.c b/dix/devices.c
|
||||
index b063128df0..3f3224d626 100644
|
||||
--- a/dix/devices.c
|
||||
+++ b/dix/devices.c
|
||||
@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
||||
|
||||
if (master->button && master->button->numButtons != maxbuttons) {
|
||||
int i;
|
||||
+ int last_num_buttons = master->button->numButtons;
|
||||
+
|
||||
DeviceChangedEvent event = {
|
||||
.header = ET_Internal,
|
||||
.type = ET_DeviceChanged,
|
||||
@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
||||
};
|
||||
|
||||
master->button->numButtons = maxbuttons;
|
||||
+ if (last_num_buttons < maxbuttons) {
|
||||
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
|
||||
+ maxbuttons,
|
||||
+ sizeof(XkbAction));
|
||||
+ memset(&master->button->xkb_acts[last_num_buttons],
|
||||
+ 0,
|
||||
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
|
||||
+ }
|
||||
|
||||
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
|
||||
sizeof(Atom));
|
||||
--
|
||||
GitLab
|
|
@ -0,0 +1,59 @@
|
|||
From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Mon, 27 Nov 2023 16:27:49 +1000
|
||||
Subject: [PATCH] randr: avoid integer truncation in length check of
|
||||
ProcRRChange*Property
|
||||
|
||||
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
|
||||
See also xserver@8f454b79 where this same bug was fixed for the core
|
||||
protocol and XI.
|
||||
|
||||
This fixes an OOB read and the resulting information disclosure.
|
||||
|
||||
Length calculation for the request was clipped to a 32-bit integer. With
|
||||
the correct stuff->nUnits value the expected request size was
|
||||
truncated, passing the REQUEST_FIXED_SIZE check.
|
||||
|
||||
The server then proceeded with reading at least stuff->num_items bytes
|
||||
(depending on stuff->format) from the request and stuffing whatever it
|
||||
finds into the property. In the process it would also allocate at least
|
||||
stuff->nUnits bytes, i.e. 4GB.
|
||||
|
||||
CVE-2023-6478, ZDI-CAN-22561
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
randr/rrproperty.c | 2 +-
|
||||
randr/rrproviderproperty.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
|
||||
index 25469f57b2..c4fef8a1f6 100644
|
||||
--- a/randr/rrproperty.c
|
||||
+++ b/randr/rrproperty.c
|
||||
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
|
||||
char format, mode;
|
||||
unsigned long len;
|
||||
int sizeInBytes;
|
||||
- int totalSize;
|
||||
+ uint64_t totalSize;
|
||||
int err;
|
||||
|
||||
REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
|
||||
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
|
||||
index b79c17f9bf..90c5a9a933 100644
|
||||
--- a/randr/rrproviderproperty.c
|
||||
+++ b/randr/rrproviderproperty.c
|
||||
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
|
||||
char format, mode;
|
||||
unsigned long len;
|
||||
int sizeInBytes;
|
||||
- int totalSize;
|
||||
+ uint64_t totalSize;
|
||||
int err;
|
||||
|
||||
REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
|
||||
--
|
||||
GitLab
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Thu, 14 Dec 2023 11:29:49 +1000
|
||||
Subject: [PATCH] dix: allocate enough space for logical button maps
|
||||
|
||||
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
|
||||
each logical button currently down. Since buttons can be arbitrarily mapped
|
||||
to anything up to 255 make sure we have enough bits for the maximum mapping.
|
||||
|
||||
CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
Xi/xiquerypointer.c | 3 +--
|
||||
dix/enterleave.c | 5 +++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
|
||||
index 5b77b1a444..2b05ac5f39 100644
|
||||
--- a/Xi/xiquerypointer.c
|
||||
+++ b/Xi/xiquerypointer.c
|
||||
@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
|
||||
if (pDev->button) {
|
||||
int i;
|
||||
|
||||
- rep.buttons_len =
|
||||
- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
|
||||
+ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
|
||||
rep.length += rep.buttons_len;
|
||||
buttons = calloc(rep.buttons_len, 4);
|
||||
if (!buttons)
|
||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
||||
index 867ec74363..ded8679d76 100644
|
||||
--- a/dix/enterleave.c
|
||||
+++ b/dix/enterleave.c
|
||||
@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
|
||||
|
||||
mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
|
||||
|
||||
- /* XI 2 event */
|
||||
- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
|
||||
+ /* XI 2 event contains the logical button map - maps are CARD8
|
||||
+ * so we need 256 bits for the possibly maximum mapping */
|
||||
+ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
|
||||
btlen = bytes_to_int32(btlen);
|
||||
len = sizeof(xXIFocusInEvent) + btlen * 4;
|
||||
|
||||
--
|
||||
GitLab
|
||||
|
|
@ -0,0 +1,83 @@
|
|||
From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Mon, 18 Dec 2023 14:27:50 +1000
|
||||
Subject: [PATCH 2/9] dix: Allocate sufficient xEvents for our
|
||||
DeviceStateNotify
|
||||
|
||||
If a device has both a button class and a key class and numButtons is
|
||||
zero, we can get an OOB write due to event under-allocation.
|
||||
|
||||
This function seems to assume a device has either keys or buttons, not
|
||||
both. It has two virtually identical code paths, both of which assume
|
||||
they're applying to the first event in the sequence.
|
||||
|
||||
A device with both a key and button class triggered a logic bug - only
|
||||
one xEvent was allocated but the deviceStateNotify pointer was pushed on
|
||||
once per type. So effectively this logic code:
|
||||
|
||||
int count = 1;
|
||||
if (button && nbuttons > 32) count++;
|
||||
if (key && nbuttons > 0) count++;
|
||||
if (key && nkeys > 32) count++; // this is basically always true
|
||||
// count is at 2 for our keys + zero button device
|
||||
|
||||
ev = alloc(count * sizeof(xEvent));
|
||||
FixDeviceStateNotify(ev);
|
||||
if (button)
|
||||
FixDeviceStateNotify(ev++);
|
||||
if (key)
|
||||
FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here
|
||||
|
||||
If the device has more than 3 valuators, the OOB is pushed back - we're
|
||||
off by one so it will happen when the last deviceValuator event is
|
||||
written instead.
|
||||
|
||||
Fix this by allocating the maximum number of events we may allocate.
|
||||
Note that the current behavior is not protocol-correct anyway, this
|
||||
patch fixes only the allocation issue.
|
||||
|
||||
Note that this issue does not trigger if the device has at least one
|
||||
button. While the server does not prevent a button class with zero
|
||||
buttons, it is very unlikely.
|
||||
|
||||
CVE-2024-0229, ZDI-CAN-22678
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
dix/enterleave.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
||||
index ded8679d76..17964b00a4 100644
|
||||
--- a/dix/enterleave.c
|
||||
+++ b/dix/enterleave.c
|
||||
@@ -675,7 +675,8 @@ static void
|
||||
DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
{
|
||||
int evcount = 1;
|
||||
- deviceStateNotify *ev, *sev;
|
||||
+ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
|
||||
+ deviceStateNotify *ev;
|
||||
deviceKeyStateNotify *kev;
|
||||
deviceButtonStateNotify *bev;
|
||||
|
||||
@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
}
|
||||
}
|
||||
|
||||
- sev = ev = xallocarray(evcount, sizeof(xEvent));
|
||||
+ ev = sev;
|
||||
FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
|
||||
|
||||
if (b != NULL) {
|
||||
@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
|
||||
DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
|
||||
DeviceStateNotifyMask, NullGrab);
|
||||
- free(sev);
|
||||
}
|
||||
|
||||
void
|
||||
--
|
||||
GitLab
|
|
@ -0,0 +1,216 @@
|
|||
From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Mon, 18 Dec 2023 12:26:20 +1000
|
||||
Subject: [PATCH 3/9] dix: fix DeviceStateNotify event calculation
|
||||
|
||||
The previous code only made sense if one considers buttons and keys to
|
||||
be mutually exclusive on a device. That is not necessarily true, causing
|
||||
a number of issues.
|
||||
|
||||
This function allocates and fills in the number of xEvents we need to
|
||||
send the device state down the wire. This is split across multiple
|
||||
32-byte devices including one deviceStateNotify event and optional
|
||||
deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
|
||||
deviceValuator events.
|
||||
|
||||
The previous behavior would instead compose a sequence
|
||||
of [state, buttonstate, state, keystate, valuator...]. This is not
|
||||
protocol correct, and on top of that made the code extremely convoluted.
|
||||
|
||||
Fix this by streamlining: add both button and key into the deviceStateNotify
|
||||
and then append the key state and button state, followed by the
|
||||
valuators. Finally, the deviceValuator events contain up to 6 valuators
|
||||
per event but we only ever sent through 3 at a time. Let's double that
|
||||
troughput.
|
||||
|
||||
CVE-2024-0229, ZDI-CAN-22678
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
dix/enterleave.c | 121 ++++++++++++++++++++---------------------------
|
||||
1 file changed, 52 insertions(+), 69 deletions(-)
|
||||
|
||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
||||
index 17964b00a4..7b7ba1098b 100644
|
||||
--- a/dix/enterleave.c
|
||||
+++ b/dix/enterleave.c
|
||||
@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
|
||||
|
||||
ev->type = DeviceValuator;
|
||||
ev->deviceid = dev->id;
|
||||
- ev->num_valuators = nval < 3 ? nval : 3;
|
||||
+ ev->num_valuators = nval < 6 ? nval : 6;
|
||||
ev->first_valuator = first;
|
||||
switch (ev->num_valuators) {
|
||||
+ case 6:
|
||||
+ ev->valuator2 = v->axisVal[first + 5];
|
||||
+ case 5:
|
||||
+ ev->valuator2 = v->axisVal[first + 4];
|
||||
+ case 4:
|
||||
+ ev->valuator2 = v->axisVal[first + 3];
|
||||
case 3:
|
||||
ev->valuator2 = v->axisVal[first + 2];
|
||||
case 2:
|
||||
@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
|
||||
ev->valuator0 = v->axisVal[first];
|
||||
break;
|
||||
}
|
||||
- first += ev->num_valuators;
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
|
||||
ev->num_buttons = b->numButtons;
|
||||
memcpy((char *) ev->buttons, (char *) b->down, 4);
|
||||
}
|
||||
- else if (k) {
|
||||
+ if (k) {
|
||||
ev->classes_reported |= (1 << KeyClass);
|
||||
ev->num_keys = k->xkbInfo->desc->max_key_code -
|
||||
k->xkbInfo->desc->min_key_code;
|
||||
@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
|
||||
}
|
||||
}
|
||||
|
||||
-
|
||||
+/**
|
||||
+ * The device state notify event is split across multiple 32-byte events.
|
||||
+ * The first one contains the first 32 button state bits, the first 32
|
||||
+ * key state bits, and the first 3 valuator values.
|
||||
+ *
|
||||
+ * If a device has more than that, the server sends out:
|
||||
+ * - one deviceButtonStateNotify for buttons 32 and above
|
||||
+ * - one deviceKeyStateNotify for keys 32 and above
|
||||
+ * - one deviceValuator event per 6 valuators above valuator 4
|
||||
+ *
|
||||
+ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
|
||||
+ */
|
||||
static void
|
||||
DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
{
|
||||
+ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
|
||||
+ * and one deviceValuator for each 6 valuators */
|
||||
+ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
|
||||
int evcount = 1;
|
||||
- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
|
||||
- deviceStateNotify *ev;
|
||||
- deviceKeyStateNotify *kev;
|
||||
- deviceButtonStateNotify *bev;
|
||||
+ deviceStateNotify *ev = sev;
|
||||
|
||||
KeyClassPtr k;
|
||||
ButtonClassPtr b;
|
||||
@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
|
||||
if ((b = dev->button) != NULL) {
|
||||
nbuttons = b->numButtons;
|
||||
- if (nbuttons > 32)
|
||||
+ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
|
||||
evcount++;
|
||||
}
|
||||
if ((k = dev->key) != NULL) {
|
||||
nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
|
||||
- if (nkeys > 32)
|
||||
+ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
|
||||
evcount++;
|
||||
- if (nbuttons > 0) {
|
||||
- evcount++;
|
||||
- }
|
||||
}
|
||||
if ((v = dev->valuator) != NULL) {
|
||||
nval = v->numAxes;
|
||||
-
|
||||
- if (nval > 3)
|
||||
- evcount++;
|
||||
- if (nval > 6) {
|
||||
- if (!(k && b))
|
||||
- evcount++;
|
||||
- if (nval > 9)
|
||||
- evcount += ((nval - 7) / 3);
|
||||
- }
|
||||
+ /* first three are encoded in deviceStateNotify, then
|
||||
+ * it's 6 per deviceValuator event */
|
||||
+ evcount += ((nval - 3) + 6)/6;
|
||||
}
|
||||
|
||||
- ev = sev;
|
||||
- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
|
||||
-
|
||||
- if (b != NULL) {
|
||||
- FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- if (nbuttons > 32) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- bev = (deviceButtonStateNotify *) ev++;
|
||||
- bev->type = DeviceButtonStateNotify;
|
||||
- bev->deviceid = dev->id;
|
||||
- memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
|
||||
- DOWN_LENGTH - 4);
|
||||
- }
|
||||
- if (nval > 0) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- }
|
||||
+ BUG_RETURN(evcount <= ARRAY_SIZE(sev));
|
||||
+
|
||||
+ FixDeviceStateNotify(dev, ev, k, b, v, first);
|
||||
+
|
||||
+ if (b != NULL && nbuttons > 32) {
|
||||
+ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev;
|
||||
+ (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
+ bev->type = DeviceButtonStateNotify;
|
||||
+ bev->deviceid = dev->id;
|
||||
+ memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
|
||||
+ DOWN_LENGTH - 4);
|
||||
}
|
||||
|
||||
- if (k != NULL) {
|
||||
- FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- if (nkeys > 32) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- kev = (deviceKeyStateNotify *) ev++;
|
||||
- kev->type = DeviceKeyStateNotify;
|
||||
- kev->deviceid = dev->id;
|
||||
- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
|
||||
- }
|
||||
- if (nval > 0) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- }
|
||||
+ if (k != NULL && nkeys > 32) {
|
||||
+ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev;
|
||||
+ (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
+ kev->type = DeviceKeyStateNotify;
|
||||
+ kev->deviceid = dev->id;
|
||||
+ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
|
||||
}
|
||||
|
||||
+ first = 3;
|
||||
+ nval -= 3;
|
||||
while (nval > 0) {
|
||||
- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- if (nval > 0) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- }
|
||||
+ ev->deviceid |= MORE_EVENTS;
|
||||
+ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
|
||||
+ first += 6;
|
||||
+ nval -= 6;
|
||||
}
|
||||
|
||||
DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
|
||||
--
|
||||
GitLab
|
|
@ -0,0 +1,36 @@
|
|||
From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Thu, 21 Dec 2023 13:48:10 +1000
|
||||
Subject: [PATCH 4/9] Xi: when creating a new ButtonClass, set the number of
|
||||
buttons
|
||||
|
||||
There's a racy sequence where a master device may copy the button class
|
||||
from the slave, without ever initializing numButtons. This leads to a
|
||||
device with zero buttons but a button class which is invalid.
|
||||
|
||||
Let's copy the numButtons value from the source - by definition if we
|
||||
don't have a button class yet we do not have any other slave devices
|
||||
with more than this number of buttons anyway.
|
||||
|
||||
CVE-2024-0229, ZDI-CAN-22678
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
Xi/exevents.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/Xi/exevents.c b/Xi/exevents.c
|
||||
index 54ea11a938..e161714682 100644
|
||||
--- a/Xi/exevents.c
|
||||
+++ b/Xi/exevents.c
|
||||
@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
|
||||
to->button = calloc(1, sizeof(ButtonClassRec));
|
||||
if (!to->button)
|
||||
FatalError("[Xi] no memory for class shift.\n");
|
||||
+ to->button->numButtons = from->button->numButtons;
|
||||
}
|
||||
else
|
||||
classes->button = NULL;
|
||||
--
|
||||
GitLab
|
|
@ -0,0 +1,108 @@
|
|||
From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Thu, 4 Jan 2024 10:01:24 +1000
|
||||
Subject: [PATCH 5/9] Xi: flush hierarchy events after adding/removing master
|
||||
devices
|
||||
|
||||
The `XISendDeviceHierarchyEvent()` function allocates space to store up
|
||||
to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
|
||||
|
||||
If a device with a given ID was removed and a new device with the same
|
||||
ID added both in the same operation, the single device ID will lead to
|
||||
two info structures being written to `info`.
|
||||
|
||||
Since this case can occur for every device ID at once, a total of two
|
||||
times `MAXDEVICES` info structures might be written to the allocation.
|
||||
|
||||
To avoid it, once one add/remove master is processed, send out the
|
||||
device hierarchy event for the current state and continue. That event
|
||||
thus only ever has exactly one of either added/removed in it (and
|
||||
optionally slave attached/detached).
|
||||
|
||||
CVE-2024-21885, ZDI-CAN-22744
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++-----
|
||||
1 file changed, 22 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
|
||||
index d2d985848d..72d00451e3 100644
|
||||
--- a/Xi/xichangehierarchy.c
|
||||
+++ b/Xi/xichangehierarchy.c
|
||||
@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
|
||||
size_t len; /* length of data remaining in request */
|
||||
int rc = Success;
|
||||
int flags[MAXDEVICES] = { 0 };
|
||||
+ enum {
|
||||
+ NO_CHANGE,
|
||||
+ FLUSH,
|
||||
+ CHANGED,
|
||||
+ } changes = NO_CHANGE;
|
||||
|
||||
REQUEST(xXIChangeHierarchyReq);
|
||||
REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
|
||||
@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
||||
rc = add_master(client, c, flags);
|
||||
if (rc != Success)
|
||||
goto unwind;
|
||||
- }
|
||||
+ changes = FLUSH;
|
||||
break;
|
||||
+ }
|
||||
case XIRemoveMaster:
|
||||
{
|
||||
xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
|
||||
@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
||||
rc = remove_master(client, r, flags);
|
||||
if (rc != Success)
|
||||
goto unwind;
|
||||
- }
|
||||
+ changes = FLUSH;
|
||||
break;
|
||||
+ }
|
||||
case XIDetachSlave:
|
||||
{
|
||||
xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
|
||||
@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
||||
rc = detach_slave(client, c, flags);
|
||||
if (rc != Success)
|
||||
goto unwind;
|
||||
- }
|
||||
+ changes = CHANGED;
|
||||
break;
|
||||
+ }
|
||||
case XIAttachSlave:
|
||||
{
|
||||
xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
|
||||
@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
|
||||
rc = attach_slave(client, c, flags);
|
||||
if (rc != Success)
|
||||
goto unwind;
|
||||
+ changes = CHANGED;
|
||||
+ break;
|
||||
}
|
||||
+ default:
|
||||
break;
|
||||
}
|
||||
|
||||
+ if (changes == FLUSH) {
|
||||
+ XISendDeviceHierarchyEvent(flags);
|
||||
+ memset(flags, 0, sizeof(flags));
|
||||
+ changes = NO_CHANGE;
|
||||
+ }
|
||||
+
|
||||
len -= any->length * 4;
|
||||
any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
|
||||
}
|
||||
|
||||
unwind:
|
||||
-
|
||||
- XISendDeviceHierarchyEvent(flags);
|
||||
+ if (changes != NO_CHANGE)
|
||||
+ XISendDeviceHierarchyEvent(flags);
|
||||
return rc;
|
||||
}
|
||||
--
|
||||
GitLab
|
|
@ -0,0 +1,69 @@
|
|||
From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Fri, 22 Dec 2023 18:28:31 +0100
|
||||
Subject: [PATCH 6/9] Xi: do not keep linked list pointer during recursion
|
||||
|
||||
The `DisableDevice()` function is called whenever an enabled device
|
||||
is disabled and it moves the device from the `inputInfo.devices` linked
|
||||
list to the `inputInfo.off_devices` linked list.
|
||||
|
||||
However, its link/unlink operation has an issue during the recursive
|
||||
call to `DisableDevice()` due to the `prev` pointer pointing to a
|
||||
removed device.
|
||||
|
||||
This issue leads to a length mismatch between the total number of
|
||||
devices and the number of device in the list, leading to a heap
|
||||
overflow and, possibly, to local privilege escalation.
|
||||
|
||||
Simplify the code that checked whether the device passed to
|
||||
`DisableDevice()` was in `inputInfo.devices` or not and find the
|
||||
previous device after the recursion.
|
||||
|
||||
CVE-2024-21886, ZDI-CAN-22840
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
dix/devices.c | 15 ++++++++++++---
|
||||
1 file changed, 12 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/dix/devices.c b/dix/devices.c
|
||||
index dca98c8d1b..389d28a23c 100644
|
||||
--- a/dix/devices.c
|
||||
+++ b/dix/devices.c
|
||||
@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
||||
{
|
||||
DeviceIntPtr *prev, other;
|
||||
BOOL enabled;
|
||||
+ BOOL dev_in_devices_list = FALSE;
|
||||
int flags[MAXDEVICES] = { 0 };
|
||||
|
||||
if (!dev->enabled)
|
||||
return TRUE;
|
||||
|
||||
- for (prev = &inputInfo.devices;
|
||||
- *prev && (*prev != dev); prev = &(*prev)->next);
|
||||
- if (*prev != dev)
|
||||
+ for (other = inputInfo.devices; other; other = other->next) {
|
||||
+ if (other == dev) {
|
||||
+ dev_in_devices_list = TRUE;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!dev_in_devices_list)
|
||||
return FALSE;
|
||||
|
||||
TouchEndPhysicallyActiveTouches(dev);
|
||||
@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
||||
LeaveWindow(dev);
|
||||
SetFocusOut(dev);
|
||||
|
||||
+ for (prev = &inputInfo.devices;
|
||||
+ *prev && (*prev != dev); prev = &(*prev)->next);
|
||||
+
|
||||
*prev = dev->next;
|
||||
dev->next = inputInfo.off_devices;
|
||||
inputInfo.off_devices = dev;
|
||||
--
|
||||
GitLab
|
|
@ -0,0 +1,52 @@
|
|||
From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Fri, 5 Jan 2024 09:40:27 +1000
|
||||
Subject: [PATCH 7/9] dix: when disabling a master, float disabled slaved
|
||||
devices too
|
||||
|
||||
Disabling a master device floats all slave devices but we didn't do this
|
||||
to already-disabled slave devices. As a result those devices kept their
|
||||
reference to the master device resulting in access to already freed
|
||||
memory if the master device was removed before the corresponding slave
|
||||
device.
|
||||
|
||||
And to match this behavior, also forcibly reset that pointer during
|
||||
CloseDownDevices().
|
||||
|
||||
Related to CVE-2024-21886, ZDI-CAN-22840
|
||||
---
|
||||
dix/devices.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/dix/devices.c b/dix/devices.c
|
||||
index 389d28a23c..84a6406d13 100644
|
||||
--- a/dix/devices.c
|
||||
+++ b/dix/devices.c
|
||||
@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
||||
flags[other->id] |= XISlaveDetached;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ for (other = inputInfo.off_devices; other; other = other->next) {
|
||||
+ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
|
||||
+ AttachDevice(NULL, other, NULL);
|
||||
+ flags[other->id] |= XISlaveDetached;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
else {
|
||||
for (other = inputInfo.devices; other; other = other->next) {
|
||||
@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
|
||||
dev->master = NULL;
|
||||
}
|
||||
|
||||
+ for (dev = inputInfo.off_devices; dev; dev = dev->next) {
|
||||
+ if (!IsMaster(dev) && !IsFloating(dev))
|
||||
+ dev->master = NULL;
|
||||
+ }
|
||||
+
|
||||
CloseDeviceList(&inputInfo.devices);
|
||||
CloseDeviceList(&inputInfo.off_devices);
|
||||
|
||||
--
|
||||
GitLab
|
|
@ -0,0 +1,77 @@
|
|||
From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Sun, 19 Dec 2021 18:11:07 +0200
|
||||
Subject: [PATCH] dix: Fix use after free in input device shutdown
|
||||
|
||||
This fixes access to freed heap memory via dev->master. E.g. when
|
||||
running BarrierNotify.ReceivesNotifyEvents/7 test from
|
||||
xorg-integration-tests:
|
||||
|
||||
==24736==ERROR: AddressSanitizer: heap-use-after-free on address
|
||||
0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
|
||||
READ of size 4 at 0x619000065020 thread T0
|
||||
#0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
|
||||
#1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
|
||||
#2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
|
||||
../../../Xi/xichangehierarchy.c:95
|
||||
#4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
|
||||
../../../hw/xfree86/common/xf86Xinput.c:1142
|
||||
#6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
|
||||
#7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
|
||||
#8 0x55c450e837ef in dix_main ../../../dix/main.c:302
|
||||
#9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
|
||||
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
|
||||
#11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)
|
||||
|
||||
0x619000065020 is located 160 bytes inside of 912-byte region
|
||||
[0x619000064f80,0x619000065310)
|
||||
freed by thread T0 here:
|
||||
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
|
||||
#1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
|
||||
#2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
|
||||
../../../hw/xfree86/common/xf86Xinput.c:1142
|
||||
#4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
|
||||
#5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
|
||||
#6 0x55c450e837ef in dix_main ../../../dix/main.c:302
|
||||
#7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
|
||||
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
|
||||
|
||||
previously allocated by thread T0 here:
|
||||
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
|
||||
#1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
|
||||
#2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
|
||||
#3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
|
||||
../../../Xi/xichangehierarchy.c:465
|
||||
#5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
|
||||
#6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
|
||||
#7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
|
||||
#8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
|
||||
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
|
||||
|
||||
The problem is caused by dev->master being not reset when disabling the
|
||||
device, which then causes dangling pointer when the master device itself
|
||||
is being deleted when exiting whole server.
|
||||
|
||||
Note that RecalculateMasterButtons() requires dev->master to be still
|
||||
valid, so we can reset it only at the end of function.
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
---
|
||||
dix/devices.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/dix/devices.c b/dix/devices.c
|
||||
index e62c34c55e..5f9ce1678f 100644
|
||||
--- a/dix/devices.c
|
||||
+++ b/dix/devices.c
|
||||
@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
||||
}
|
||||
|
||||
RecalculateMasterButtons(dev);
|
||||
+ dev->master = NULL;
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
--
|
||||
GitLab
|
||||
|
|
@ -1,199 +0,0 @@
|
|||
From ccbd491fa48f1c43daeb1a6c5ee91a1a8fa3db88 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Grulich <jgrulich@redhat.com>
|
||||
Date: Tue, 9 Aug 2022 14:31:07 +0200
|
||||
Subject: [PATCH] x0vncserver: add new keysym in case we don't find a matching
|
||||
keycode
|
||||
|
||||
We might often fail to find a matching X11 keycode when the client has
|
||||
a different keyboard layout and end up with no key event. To avoid a
|
||||
failure we add it as a new keysym/keycode pair so the next time a keysym
|
||||
from the client that is unknown to the server is send, we will find a
|
||||
match and proceed with key event. This is same behavior used in Xvnc or
|
||||
x11vnc, although Xvnc has more advanced mapping from keysym to keycode.
|
||||
---
|
||||
unix/x0vncserver/XDesktop.cxx | 121 +++++++++++++++++++++++++++++++++-
|
||||
unix/x0vncserver/XDesktop.h | 4 ++
|
||||
2 files changed, 122 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx
|
||||
index f2046e43e..933998f05 100644
|
||||
--- a/unix/x0vncserver/XDesktop.cxx
|
||||
+++ b/unix/x0vncserver/XDesktop.cxx
|
||||
@@ -31,6 +31,7 @@
|
||||
#include <x0vncserver/XDesktop.h>
|
||||
|
||||
#include <X11/XKBlib.h>
|
||||
+#include <X11/Xutil.h>
|
||||
#ifdef HAVE_XTEST
|
||||
#include <X11/extensions/XTest.h>
|
||||
#endif
|
||||
@@ -50,6 +51,7 @@ void vncSetGlueContext(Display *dpy, void *res);
|
||||
#include <x0vncserver/Geometry.h>
|
||||
#include <x0vncserver/XPixelBuffer.h>
|
||||
|
||||
+using namespace std;
|
||||
using namespace rfb;
|
||||
|
||||
extern const unsigned short code_map_qnum_to_xorgevdev[];
|
||||
@@ -264,6 +266,9 @@ void XDesktop::start(VNCServer* vs) {
|
||||
void XDesktop::stop() {
|
||||
running = false;
|
||||
|
||||
+ // Delete added keycodes
|
||||
+ deleteAddedKeysyms(dpy);
|
||||
+
|
||||
#ifdef HAVE_XDAMAGE
|
||||
if (haveDamage)
|
||||
XDamageDestroy(dpy, damage);
|
||||
@@ -383,6 +388,118 @@ KeyCode XDesktop::XkbKeysymToKeycode(Display* dpy, KeySym keysym) {
|
||||
}
|
||||
#endif
|
||||
|
||||
+KeyCode XDesktop::addKeysym(Display* dpy, KeySym keysym)
|
||||
+{
|
||||
+ int types[1];
|
||||
+ unsigned int key;
|
||||
+ XkbDescPtr xkb;
|
||||
+ XkbMapChangesRec changes;
|
||||
+ KeySym *syms;
|
||||
+ KeySym upper, lower;
|
||||
+
|
||||
+ xkb = XkbGetMap(dpy, XkbAllComponentsMask, XkbUseCoreKbd);
|
||||
+
|
||||
+ if (!xkb)
|
||||
+ return 0;
|
||||
+
|
||||
+ for (key = xkb->max_key_code; key >= xkb->min_key_code; key--) {
|
||||
+ if (XkbKeyNumGroups(xkb, key) == 0)
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (key < xkb->min_key_code)
|
||||
+ return 0;
|
||||
+
|
||||
+ memset(&changes, 0, sizeof(changes));
|
||||
+
|
||||
+ XConvertCase(keysym, &lower, &upper);
|
||||
+
|
||||
+ if (upper == lower)
|
||||
+ types[XkbGroup1Index] = XkbOneLevelIndex;
|
||||
+ else
|
||||
+ types[XkbGroup1Index] = XkbAlphabeticIndex;
|
||||
+
|
||||
+ XkbChangeTypesOfKey(xkb, key, 1, XkbGroup1Mask, types, &changes);
|
||||
+
|
||||
+ syms = XkbKeySymsPtr(xkb,key);
|
||||
+ if (upper == lower)
|
||||
+ syms[0] = keysym;
|
||||
+ else {
|
||||
+ syms[0] = lower;
|
||||
+ syms[1] = upper;
|
||||
+ }
|
||||
+
|
||||
+ changes.changed |= XkbKeySymsMask;
|
||||
+ changes.first_key_sym = key;
|
||||
+ changes.num_key_syms = 1;
|
||||
+
|
||||
+ if (XkbChangeMap(dpy, xkb, &changes)) {
|
||||
+ vlog.info("Added unknown keysym %s to keycode %d", XKeysymToString(keysym), key);
|
||||
+ addedKeysyms[keysym] = key;
|
||||
+ return key;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+void XDesktop::deleteAddedKeysyms(Display* dpy) {
|
||||
+ XkbDescPtr xkb;
|
||||
+ xkb = XkbGetMap(dpy, XkbAllComponentsMask, XkbUseCoreKbd);
|
||||
+
|
||||
+ if (!xkb)
|
||||
+ return;
|
||||
+
|
||||
+ XkbMapChangesRec changes;
|
||||
+ memset(&changes, 0, sizeof(changes));
|
||||
+
|
||||
+ KeyCode lowestKeyCode = xkb->max_key_code;
|
||||
+ KeyCode highestKeyCode = xkb->min_key_code;
|
||||
+ std::map<KeySym, KeyCode>::iterator it;
|
||||
+ for (it = addedKeysyms.begin(); it != addedKeysyms.end(); it++) {
|
||||
+ if (XkbKeyNumGroups(xkb, it->second) != 0) {
|
||||
+ // Check if we are removing keysym we added ourself
|
||||
+ if (XkbKeysymToKeycode(dpy, it->first) != it->second)
|
||||
+ continue;
|
||||
+
|
||||
+ XkbChangeTypesOfKey(xkb, it->second, 0, XkbGroup1Mask, NULL, &changes);
|
||||
+
|
||||
+ if (it->second < lowestKeyCode)
|
||||
+ lowestKeyCode = it->second;
|
||||
+
|
||||
+ if (it->second > highestKeyCode)
|
||||
+ highestKeyCode = it->second;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ changes.changed |= XkbKeySymsMask;
|
||||
+ changes.first_key_sym = lowestKeyCode;
|
||||
+ changes.num_key_syms = highestKeyCode - lowestKeyCode + 1;
|
||||
+ XkbChangeMap(dpy, xkb, &changes);
|
||||
+
|
||||
+ addedKeysyms.clear();
|
||||
+}
|
||||
+
|
||||
+KeyCode XDesktop::keysymToKeycode(Display* dpy, KeySym keysym) {
|
||||
+ int keycode = 0;
|
||||
+
|
||||
+ // XKeysymToKeycode() doesn't respect state, so we have to use
|
||||
+ // something slightly more complex
|
||||
+ keycode = XkbKeysymToKeycode(dpy, keysym);
|
||||
+
|
||||
+ if (keycode != 0)
|
||||
+ return keycode;
|
||||
+
|
||||
+ // TODO: try to further guess keycode with all possible mods as Xvnc does
|
||||
+
|
||||
+ keycode = addKeysym(dpy, keysym);
|
||||
+
|
||||
+ if (keycode == 0)
|
||||
+ vlog.error("Failure adding new keysym 0x%lx", keysym);
|
||||
+
|
||||
+ return keycode;
|
||||
+}
|
||||
+
|
||||
+
|
||||
void XDesktop::keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down) {
|
||||
#ifdef HAVE_XTEST
|
||||
int keycode = 0;
|
||||
@@ -398,9 +515,7 @@ void XDesktop::keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down) {
|
||||
if (pressedKeys.find(keysym) != pressedKeys.end())
|
||||
keycode = pressedKeys[keysym];
|
||||
else {
|
||||
- // XKeysymToKeycode() doesn't respect state, so we have to use
|
||||
- // something slightly more complex
|
||||
- keycode = XkbKeysymToKeycode(dpy, keysym);
|
||||
+ keycode = keysymToKeycode(dpy, keysym);
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/unix/x0vncserver/XDesktop.h b/unix/x0vncserver/XDesktop.h
|
||||
index 840d43316..6ebcd9f8a 100644
|
||||
--- a/unix/x0vncserver/XDesktop.h
|
||||
+++ b/unix/x0vncserver/XDesktop.h
|
||||
@@ -55,6 +55,9 @@ class XDesktop : public rfb::SDesktop,
|
||||
const char* userName);
|
||||
virtual void pointerEvent(const rfb::Point& pos, int buttonMask);
|
||||
KeyCode XkbKeysymToKeycode(Display* dpy, KeySym keysym);
|
||||
+ KeyCode addKeysym(Display* dpy, KeySym keysym);
|
||||
+ void deleteAddedKeysyms(Display* dpy);
|
||||
+ KeyCode keysymToKeycode(Display* dpy, KeySym keysym);
|
||||
virtual void keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down);
|
||||
virtual void clientCutText(const char* str);
|
||||
virtual unsigned int setScreenLayout(int fb_width, int fb_height,
|
||||
@@ -78,6 +81,7 @@ class XDesktop : public rfb::SDesktop,
|
||||
bool haveXtest;
|
||||
bool haveDamage;
|
||||
int maxButtons;
|
||||
+ std::map<KeySym, KeyCode> addedKeysyms;
|
||||
std::map<KeySym, KeyCode> pressedKeys;
|
||||
bool running;
|
||||
#ifdef HAVE_XDAMAGE
|
|
@ -0,0 +1,13 @@
|
|||
diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c
|
||||
index b3d0926d..d36a096f 100644
|
||||
--- a/unix/xserver/hw/vnc/vncInput.c
|
||||
+++ b/unix/xserver/hw/vnc/vncInput.c
|
||||
@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y)
|
||||
|
||||
void vncGetPointerPos(int *x, int *y)
|
||||
{
|
||||
- if (vncPointerDev != NULL) {
|
||||
+ if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) {
|
||||
ScreenPtr ptrScreen;
|
||||
|
||||
miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY);
|
|
@ -1,117 +0,0 @@
|
|||
From f783d5c8b567199178b6690f347e060a69d2aa36 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Grulich <jgrulich@redhat.com>
|
||||
Date: Thu, 11 Aug 2022 13:15:29 +0200
|
||||
Subject: [PATCH] x0vncserver: update/display cursor only on correct screen in
|
||||
zaphod mode
|
||||
|
||||
We have to check whether we update cursor position/shape only in case
|
||||
the cursor is on our display, otherwise in zaphod mode, ie. when having
|
||||
two instances of x0vncserver on screens :0.0 and :0.1 we would be having
|
||||
the cursor duplicated and actually not funcional (aka ghost cursor) as
|
||||
it would be actually not present. We also additionally watch EnterNotify
|
||||
and LeaveNotify events in order to show/hide cursor accordingly.
|
||||
|
||||
Change made with help from Olivier Fourdan <ofourdan@redhat.com>
|
||||
---
|
||||
unix/x0vncserver/XDesktop.cxx | 60 +++++++++++++++++++++++++++++++----
|
||||
1 file changed, 53 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx
|
||||
index f2046e43e..f07fd78bf 100644
|
||||
--- a/unix/x0vncserver/XDesktop.cxx
|
||||
+++ b/unix/x0vncserver/XDesktop.cxx
|
||||
@@ -192,7 +192,8 @@ XDesktop::XDesktop(Display* dpy_, Geometry *geometry_)
|
||||
RRScreenChangeNotifyMask | RRCrtcChangeNotifyMask);
|
||||
/* Override TXWindow::init input mask */
|
||||
XSelectInput(dpy, DefaultRootWindow(dpy),
|
||||
- PropertyChangeMask | StructureNotifyMask | ExposureMask);
|
||||
+ PropertyChangeMask | StructureNotifyMask |
|
||||
+ ExposureMask | EnterWindowMask | LeaveWindowMask);
|
||||
} else {
|
||||
#endif
|
||||
vlog.info("RANDR extension not present");
|
||||
@@ -217,11 +218,13 @@ void XDesktop::poll() {
|
||||
Window root, child;
|
||||
int x, y, wx, wy;
|
||||
unsigned int mask;
|
||||
- XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child,
|
||||
- &x, &y, &wx, &wy, &mask);
|
||||
- x -= geometry->offsetLeft();
|
||||
- y -= geometry->offsetTop();
|
||||
- server->setCursorPos(rfb::Point(x, y), false);
|
||||
+
|
||||
+ if (XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child,
|
||||
+ &x, &y, &wx, &wy, &mask)) {
|
||||
+ x -= geometry->offsetLeft();
|
||||
+ y -= geometry->offsetTop();
|
||||
+ server->setCursorPos(rfb::Point(x, y), false);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -253,7 +256,14 @@ void XDesktop::start(VNCServer* vs) {
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_XFIXES
|
||||
- setCursor();
|
||||
+ Window root, child;
|
||||
+ int x, y, wx, wy;
|
||||
+ unsigned int mask;
|
||||
+ // Check whether the cursor is initially on our screen
|
||||
+ if (XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child,
|
||||
+ &x, &y, &wx, &wy, &mask))
|
||||
+ setCursor();
|
||||
+
|
||||
#endif
|
||||
|
||||
server->setLEDState(ledState);
|
||||
@@ -701,6 +711,15 @@ bool XDesktop::handleGlobalEvent(XEvent* ev) {
|
||||
if (cev->subtype != XFixesDisplayCursorNotify)
|
||||
return false;
|
||||
|
||||
+ Window root, child;
|
||||
+ int x, y, wx, wy;
|
||||
+ unsigned int mask;
|
||||
+
|
||||
+ // Check whether the cursor is initially on our screen
|
||||
+ if (!XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child,
|
||||
+ &x, &y, &wx, &wy, &mask))
|
||||
+ return false;
|
||||
+
|
||||
return setCursor();
|
||||
#endif
|
||||
#ifdef HAVE_XRANDR
|
||||
@@ -753,6 +772,33 @@ bool XDesktop::handleGlobalEvent(XEvent* ev) {
|
||||
|
||||
return true;
|
||||
#endif
|
||||
+#ifdef HAVE_XFIXES
|
||||
+ } else if (ev->type == EnterNotify) {
|
||||
+ XCrossingEvent* cev;
|
||||
+
|
||||
+ if (!running)
|
||||
+ return true;
|
||||
+
|
||||
+ cev = (XCrossingEvent*)ev;
|
||||
+
|
||||
+ if (cev->window != cev->root)
|
||||
+ return false;
|
||||
+
|
||||
+ return setCursor();
|
||||
+ } else if (ev->type == LeaveNotify) {
|
||||
+ XCrossingEvent* cev;
|
||||
+
|
||||
+ if (!running)
|
||||
+ return true;
|
||||
+
|
||||
+ cev = (XCrossingEvent*)ev;
|
||||
+
|
||||
+ if (cev->window == cev->root)
|
||||
+ return false;
|
||||
+
|
||||
+ server->setCursor(0, 0, Point(), NULL);
|
||||
+ return true;
|
||||
+#endif
|
||||
}
|
||||
|
||||
return false;
|
|
@ -1,34 +0,0 @@
|
|||
From 2daf4126882f82b6e392dfbae87205dbdc559c3d Mon Sep 17 00:00:00 2001
|
||||
From: Pierre Ossman <ossman@cendio.se>
|
||||
Date: Thu, 23 Dec 2021 15:58:00 +0100
|
||||
Subject: [PATCH] Fix typo in mirror monitor detection
|
||||
|
||||
Bug introduced in fb561eb but still somehow passed manual testing.
|
||||
Resulted in some stray reads off the end of the stack, which were
|
||||
hopefully harmless.
|
||||
---
|
||||
vncviewer/MonitorIndicesParameter.cxx | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/vncviewer/MonitorIndicesParameter.cxx b/vncviewer/MonitorIndicesParameter.cxx
|
||||
index 5130831cb..4ac74dd1a 100644
|
||||
--- a/vncviewer/MonitorIndicesParameter.cxx
|
||||
+++ b/vncviewer/MonitorIndicesParameter.cxx
|
||||
@@ -211,13 +211,13 @@ std::vector<MonitorIndicesParameter::Monitor> MonitorIndicesParameter::fetchMoni
|
||||
// Only keep a single entry for mirrored screens
|
||||
match = false;
|
||||
for (int j = 0; j < ((int) monitors.size()); j++) {
|
||||
- if (monitors[i].x != monitor.x)
|
||||
+ if (monitors[j].x != monitor.x)
|
||||
continue;
|
||||
- if (monitors[i].y != monitor.y)
|
||||
+ if (monitors[j].y != monitor.y)
|
||||
continue;
|
||||
- if (monitors[i].w != monitor.w)
|
||||
+ if (monitors[j].w != monitor.w)
|
||||
continue;
|
||||
- if (monitors[i].h != monitor.h)
|
||||
+ if (monitors[j].h != monitor.h)
|
||||
continue;
|
||||
|
||||
match = true;
|
|
@ -1,25 +0,0 @@
|
|||
From faf81b4b238e24fe29eb53f885a25367e212dd7b Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Mon, 7 Feb 2022 10:45:41 +0100
|
||||
Subject: [PATCH] SELinux: use /root/.vnc in file context specification
|
||||
|
||||
Instead of HOME_ROOT/.vnc, /root/.vnc should be used
|
||||
for user root's home to specify default file context
|
||||
as HOME_ROOT actually means base for home dirs (usually /home).
|
||||
---
|
||||
unix/vncserver/selinux/vncsession.fc | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
|
||||
index 6aaf4b1f4..bc81f8f25 100644
|
||||
--- a/unix/vncserver/selinux/vncsession.fc
|
||||
+++ b/unix/vncserver/selinux/vncsession.fc
|
||||
@@ -18,7 +18,7 @@
|
||||
#
|
||||
|
||||
HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
|
||||
-HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
|
||||
+/root/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
|
||||
|
||||
/usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
|
||||
/usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
|
|
@ -1,28 +0,0 @@
|
|||
From 774c6bcf33b5c9b94c1ff12895775e77c555decc Mon Sep 17 00:00:00 2001
|
||||
From: Pierre Ossman <ossman@cendio.se>
|
||||
Date: Thu, 9 Feb 2023 11:30:37 +0100
|
||||
Subject: [PATCH] Sanity check when cleaning up keymap changes
|
||||
|
||||
Make sure we don't send a bogus request to the X server in the (common)
|
||||
case that we don't actually have anything to restore.
|
||||
|
||||
(cherry picked from commit 1e3484f2017f038dd5149cd50741feaf39a680e4)
|
||||
---
|
||||
unix/x0vncserver/XDesktop.cxx | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx
|
||||
index d5c6b2db9..f9c810968 100644
|
||||
--- a/unix/x0vncserver/XDesktop.cxx
|
||||
+++ b/unix/x0vncserver/XDesktop.cxx
|
||||
@@ -481,6 +481,10 @@ void XDesktop::deleteAddedKeysyms(Display* dpy) {
|
||||
}
|
||||
}
|
||||
|
||||
+ // Did we actually find something to remove?
|
||||
+ if (highestKeyCode < lowestKeyCode)
|
||||
+ return;
|
||||
+
|
||||
changes.changed |= XkbKeySymsMask;
|
||||
changes.first_key_sym = lowestKeyCode;
|
||||
changes.num_key_syms = highestKeyCode - lowestKeyCode + 1;
|
|
@ -1,31 +0,0 @@
|
|||
From 717d787de8f913070446444e37d552b51f05515e Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Mon, 16 Jan 2023 12:35:40 +0100
|
||||
Subject: [PATCH] SELinux: Allow vncsession create ~/.vnc directory
|
||||
|
||||
Addresses the following AVC denial:
|
||||
|
||||
type=PROCTITLE msg=audit(01/12/2023 02:58:12.648:696) : proctitle=/usr/sbin/vncsession fedora :1
|
||||
type=PATH msg=audit(01/12/2023 02:58:12.648:696) : item=1 name=/home/fedora/.vnc nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
|
||||
type=PATH msg=audit(01/12/2023 02:58:12.648:696) : item=0 name=/home/fedora/ inode=262145 dev=fc:02 mode=dir,700 ouid=fedora ogid=fedora rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
|
||||
type=CWD msg=audit(01/12/2023 02:58:12.648:696) : cwd=/home/fedora
|
||||
type=SYSCALL msg=audit(01/12/2023 02:58:12.648:696) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x7fff47d52540 a1=0755 a2=0x0 a3=0x0 items=2 ppid=2869 pid=2880 auid=fedora uid=fedora gid=fedora euid=fedora suid=fedora fsuid=fedora egid=fedora sgid=fedora fsgid=fedora tty=(none) ses=8 comm=vncsession exe=/usr/sbin/vncsession subj=system_u:system_r:vnc_session_t:s0 key=(null)
|
||||
type=AVC msg=audit(01/12/2023 02:58:12.648:696) : avc: denied { create } for pid=2880 comm=vncsession name=.vnc scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:vnc_home_t:s0 tclass=dir permissive=0
|
||||
|
||||
Resolves: rhbz#2143704
|
||||
---
|
||||
unix/vncserver/selinux/vncsession.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
|
||||
index fb966c14b..680be8ea1 100644
|
||||
--- a/unix/vncserver/selinux/vncsession.te
|
||||
+++ b/unix/vncserver/selinux/vncsession.te
|
||||
@@ -37,6 +37,7 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms;
|
||||
allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
|
||||
|
||||
+create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
|
||||
manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
|
||||
manage_fifo_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
|
||||
manage_sock_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
|
|
@ -1,81 +0,0 @@
|
|||
From d2d52704624ce841f4a392fccd82079d87ff13b6 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Grulich <jgrulich@redhat.com>
|
||||
Date: Thu, 11 Nov 2021 13:52:41 +0100
|
||||
Subject: [PATCH] SELinux: restore SELinux context in case of different
|
||||
policies
|
||||
|
||||
---
|
||||
CMakeLists.txt | 13 +++++++++++++
|
||||
unix/vncserver/CMakeLists.txt | 2 +-
|
||||
unix/vncserver/vncsession.c | 16 ++++++++++++++++
|
||||
3 files changed, 30 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
||||
index 50247c7da..1708eb3d8 100644
|
||||
--- a/CMakeLists.txt
|
||||
+++ b/CMakeLists.txt
|
||||
@@ -268,6 +268,19 @@ if(UNIX AND NOT APPLE)
|
||||
endif()
|
||||
endif()
|
||||
|
||||
+# Check for SELinux library
|
||||
+if(UNIX AND NOT APPLE)
|
||||
+ check_include_files(selinux/selinux.h HAVE_SELINUX_H)
|
||||
+ if(HAVE_SELINUX_H)
|
||||
+ set(CMAKE_REQUIRED_LIBRARIES -lselinux)
|
||||
+ set(CMAKE_REQUIRED_LIBRARIES)
|
||||
+ set(SELINUX_LIBS selinux)
|
||||
+ add_definitions("-DHAVE_SELINUX")
|
||||
+ else()
|
||||
+ message(WARNING "Could not find SELinux development files")
|
||||
+ endif()
|
||||
+endif()
|
||||
+
|
||||
# Generate config.h and make sure the source finds it
|
||||
configure_file(config.h.in config.h)
|
||||
add_definitions(-DHAVE_CONFIG_H)
|
||||
diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
|
||||
index f65ccc7db..ae69dc098 100644
|
||||
--- a/unix/vncserver/CMakeLists.txt
|
||||
+++ b/unix/vncserver/CMakeLists.txt
|
||||
@@ -1,5 +1,5 @@
|
||||
add_executable(vncsession vncsession.c)
|
||||
-target_link_libraries(vncsession ${PAM_LIBS})
|
||||
+target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
|
||||
|
||||
configure_file(vncserver@.service.in vncserver@.service @ONLY)
|
||||
configure_file(vncsession-start.in vncsession-start @ONLY)
|
||||
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
|
||||
index 3573e5e9b..f6d2fd59e 100644
|
||||
--- a/unix/vncserver/vncsession.c
|
||||
+++ b/unix/vncserver/vncsession.c
|
||||
@@ -37,6 +37,11 @@
|
||||
#include <sys/types.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
+#ifdef HAVE_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/restorecon.h>
|
||||
+#endif
|
||||
+
|
||||
extern char **environ;
|
||||
|
||||
// PAM service name
|
||||
@@ -360,6 +365,17 @@ redir_stdio(const char *homedir, const char *display)
|
||||
syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
|
||||
_exit(EX_OSERR);
|
||||
}
|
||||
+
|
||||
+#ifdef HAVE_SELINUX
|
||||
+ int result;
|
||||
+ if (selinux_file_context_verify(logfile, 0) == 0) {
|
||||
+ result = selinux_restorecon(logfile, SELINUX_RESTORECON_RECURSE);
|
||||
+
|
||||
+ if (result < 0) {
|
||||
+ syslog(LOG_WARNING, "Failure restoring SELinux context for \"%s\": %s", logfile, strerror(errno));
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
|
||||
hostlen = sysconf(_SC_HOST_NAME_MAX);
|
|
@ -121,7 +121,7 @@ if ($fontPath eq "") {
|
|||
# Check command line options
|
||||
|
||||
&ParseOptions("-geometry",1,"-depth",1,"-pixelformat",1,"-name",1,"-kill",1,
|
||||
"-help",0,"-h",0,"--help",0,"-fp",1,"-list",0,"-fg",0,"-autokill",0,"-noxstartup",0,"-xstartup",1);
|
||||
"-help",0,"-h",0,"--help",0,"-fp",1,"-list",0,"-fg",0,"-autokill",0,"-noxstartup",0,"-xstartup",1,"-fallbacktofreeport",0);
|
||||
|
||||
&Usage() if ($opt{'-help'} || $opt{'-h'} || $opt{'--help'});
|
||||
|
||||
|
@ -168,8 +168,13 @@ if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) {
|
|||
$displayNumber = $1;
|
||||
shift(@ARGV);
|
||||
if (!&CheckDisplayNumber($displayNumber)) {
|
||||
warn "A VNC server is already running as :$displayNumber\n";
|
||||
$displayNumber = &GetDisplayNumber();
|
||||
if ($opt{'-fallbacktofreeport'}) {
|
||||
warn "A VNC server is already running as :$displayNumber\n";
|
||||
$displayNumber = &GetDisplayNumber();
|
||||
warn "Using port :$displayNumber as fallback\n";
|
||||
} else {
|
||||
die "A VNC server is already running as :$displayNumber\n";
|
||||
}
|
||||
}
|
||||
} elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) {
|
||||
&Usage();
|
||||
|
@ -675,6 +680,7 @@ sub Usage
|
|||
" [-autokill]\n".
|
||||
" [-noxstartup]\n".
|
||||
" [-xstartup <file>]\n".
|
||||
" [-fallbacktofreeport]\n".
|
||||
" <Xvnc-options>...\n\n".
|
||||
" $prog -kill <X-display>\n\n".
|
||||
" $prog -list\n\n");
|
||||
|
|
|
@ -1,42 +0,0 @@
|
|||
From 947bd1b3f4a23565bf10879ec41ba06ebe1e1c76 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 13 Mar 2023 11:08:47 +0100
|
||||
Subject: [PATCH xserver] composite: Fix use-after-free of the COW
|
||||
|
||||
ZDI-CAN-19866/CVE-2023-1393
|
||||
|
||||
If a client explicitly destroys the compositor overlay window (aka COW),
|
||||
we would leave a dangling pointer to that window in the CompScreen
|
||||
structure, which will trigger a use-after-free later.
|
||||
|
||||
Make sure to clear the CompScreen pointer to the COW when the latter gets
|
||||
destroyed explicitly by the client.
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
||||
---
|
||||
composite/compwindow.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/composite/compwindow.c b/composite/compwindow.c
|
||||
index 4e2494b86..b30da589e 100644
|
||||
--- a/composite/compwindow.c
|
||||
+++ b/composite/compwindow.c
|
||||
@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
|
||||
ret = (*pScreen->DestroyWindow) (pWin);
|
||||
cs->DestroyWindow = pScreen->DestroyWindow;
|
||||
pScreen->DestroyWindow = compDestroyWindow;
|
||||
+
|
||||
+ /* Did we just destroy the overlay window? */
|
||||
+ if (pWin == cs->pOverlayWin)
|
||||
+ cs->pOverlayWin = NULL;
|
||||
+
|
||||
/* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
|
||||
return ret;
|
||||
}
|
||||
--
|
||||
2.40.0
|
||||
|
|
@ -32,7 +32,7 @@
|
|||
Description=XVNC Per-Connection Daemon
|
||||
|
||||
[Service]
|
||||
ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None -Log *:syslog:30
|
||||
ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None
|
||||
User=nobody
|
||||
StandardInput=socket
|
||||
StandardError=syslog
|
||||
|
|
|
@ -4,13 +4,13 @@
|
|||
%global modulename vncsession
|
||||
|
||||
Name: tigervnc
|
||||
Version: 1.12.0
|
||||
Release: 15%{?dist}
|
||||
Version: 1.13.1
|
||||
Release: 3%{?dist}.6.alma.1
|
||||
Summary: A TigerVNC remote display system
|
||||
|
||||
%global _hardened_build 1
|
||||
|
||||
License: GPLv2+
|
||||
License: GPL-2.0-or-later
|
||||
URL: http://www.tigervnc.com
|
||||
|
||||
Source0: %{name}-%{version}.tar.gz
|
||||
|
@ -21,50 +21,88 @@ Source3: 10-libvnc.conf
|
|||
# Backwards compatibility
|
||||
Source5: vncserver
|
||||
|
||||
# Downstream patches
|
||||
Patch1: tigervnc-use-gnome-as-default-session.patch
|
||||
Patch2: tigervnc-vncsession-restore-script-systemd-service.patch
|
||||
|
||||
# https://gitlab.com/redhat/centos-stream/rpms/tigervnc/-/commit/75082cdb91390f66637d1dcacbb291181afbc9af
|
||||
Patch3: tigervnc-dont-get-pointer-position-for-floating-device.patch
|
||||
|
||||
# Upstream patches
|
||||
Patch50: tigervnc-selinux-restore-context-in-case-of-different-policies.patch
|
||||
Patch51: tigervnc-fix-typo-in-mirror-monitor-detection.patch
|
||||
Patch52: tigervnc-root-user-selinux-context.patch
|
||||
Patch53: tigervnc-vncsession-restore-script-systemd-service.patch
|
||||
# https://github.com/TigerVNC/tigervnc/pull/1513
|
||||
Patch54: tigervnc-fix-ghost-cursor-in-zaphod-mode.patch
|
||||
# https://github.com/TigerVNC/tigervnc/pull/1510
|
||||
Patch55: tigervnc-add-new-keycodes-for-unknown-keysyms.patch
|
||||
Patch56: tigervnc-sanity-check-when-cleaning-up-keymap-changes.patch
|
||||
Patch57: tigervnc-selinux-allow-vncsession-create-vnc-directory.patch
|
||||
|
||||
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
|
||||
Patch100: tigervnc-xserver120.patch
|
||||
# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
|
||||
Patch101: 0001-rpath-hack.patch
|
||||
|
||||
# CVE-2023-1393 tigervnc: xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability
|
||||
Patch110: xorg-x11-server-composite-Fix-use-after-free-of-the-COW.patch
|
||||
|
||||
# Patches were taken from:
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
|
||||
Patch102: CVE-2023-5367.patch
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7
|
||||
Patch103: CVE-2023-5380.patch
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
|
||||
Patch104: CVE-2023-6377.patch
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632
|
||||
Patch105: CVE-2023-6478.patch
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3
|
||||
Patch106: CVE-2023-6816.patch
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1245?commit_id=ece23be888a93b741aa1209d1dbf64636109d6a5
|
||||
Patch107: CVE-2024-0229-1.patch
|
||||
Patch108: CVE-2024-0229-2.patch
|
||||
Patch109: CVE-2024-0229-3.patch
|
||||
Patch110: CVE-2024-21885.patch
|
||||
Patch111: CVE-2024-21886-1.patch
|
||||
Patch112: CVE-2024-21886-2.patch
|
||||
Patch113: dix-fix-use-after-free-in-input-device-shutdown.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libX11-devel, automake, autoconf, libtool, gettext, gettext-autopoint
|
||||
BuildRequires: libXext-devel, xorg-x11-server-source, libXi-devel
|
||||
BuildRequires: xorg-x11-xtrans-devel, xorg-x11-util-macros, libXtst-devel
|
||||
BuildRequires: libxkbfile-devel, openssl-devel, libpciaccess-devel
|
||||
BuildRequires: mesa-libGL-devel, libXinerama-devel, xorg-x11-font-utils
|
||||
BuildRequires: freetype-devel, libXdmcp-devel, libxshmfence-devel
|
||||
BuildRequires: libjpeg-turbo-devel, gnutls-devel, pam-devel
|
||||
BuildRequires: libdrm-devel, libXt-devel, pixman-devel
|
||||
BuildRequires: systemd, cmake, desktop-file-utils
|
||||
BuildRequires: libselinux-devel, selinux-policy-devel
|
||||
BuildRequires: libXfixes-devel, libXdamage-devel, libXrandr-devel
|
||||
%if 0%{?fedora} > 24 || 0%{?rhel} >= 7
|
||||
BuildRequires: libXfont2-devel
|
||||
%else
|
||||
BuildRequires: libXfont-devel
|
||||
%endif
|
||||
BuildRequires: gettext
|
||||
BuildRequires: cmake
|
||||
|
||||
BuildRequires: gnutls-devel
|
||||
BuildRequires: desktop-file-utils
|
||||
BuildRequires: libappstream-glib
|
||||
BuildRequires: libjpeg-turbo-devel
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: zlib-devel
|
||||
|
||||
# TigerVNC 1.4.x requires fltk 1.3.3 for keyboard handling support
|
||||
# See https://github.com/TigerVNC/tigervnc/issues/8, also bug #1208814
|
||||
BuildRequires: fltk-devel >= 1.3.3
|
||||
BuildRequires: libX11-devel
|
||||
BuildRequires: libXext-devel
|
||||
BuildRequires: libXi-devel
|
||||
BuildRequires: libXrandr-devel
|
||||
BuildRequires: libXrender-devel
|
||||
BuildRequires: pixman-devel
|
||||
|
||||
# X11/graphics dependencies
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: gettext-autopoint
|
||||
BuildRequires: libXdamage-devel
|
||||
BuildRequires: libXdmcp-devel
|
||||
BuildRequires: libXfixes-devel
|
||||
BuildRequires: libXfont2-devel
|
||||
BuildRequires: libXinerama-devel
|
||||
BuildRequires: libXt-devel
|
||||
BuildRequires: libXtst-devel
|
||||
BuildRequires: libdrm-devel
|
||||
BuildRequires: libtool
|
||||
BuildRequires: libxkbfile-devel
|
||||
BuildRequires: libxshmfence-devel
|
||||
BuildRequires: mesa-libGL-devel
|
||||
BuildRequires: xorg-x11-font-utils
|
||||
BuildRequires: xorg-x11-server-devel
|
||||
BuildRequires: xorg-x11-server-source
|
||||
BuildRequires: xorg-x11-util-macros
|
||||
BuildRequires: xorg-x11-xtrans-devel
|
||||
|
||||
# SELinux
|
||||
BuildRequires: libselinux-devel, selinux-policy-devel, systemd
|
||||
|
||||
Requires(post): coreutils
|
||||
Requires(postun):coreutils
|
||||
|
@ -102,10 +140,12 @@ X session.
|
|||
|
||||
%package server-minimal
|
||||
Summary: A minimal installation of TigerVNC server
|
||||
Requires(post): chkconfig
|
||||
Requires(preun):chkconfig
|
||||
Requires(post): systemd
|
||||
Requires(preun): systemd
|
||||
Requires(postun): systemd
|
||||
Requires(post): systemd
|
||||
|
||||
Requires: mesa-dri-drivers, xkeyboard-config, xorg-x11-xkb-utils
|
||||
Requires: mesa-dri-drivers, xkeyboard-config, xkbcomp
|
||||
Requires: tigervnc-license, dbus-x11
|
||||
|
||||
%description server-minimal
|
||||
|
@ -141,6 +181,9 @@ This package contains icons for TigerVNC viewer
|
|||
Summary: SELinux module for TigerVNC
|
||||
BuildArch: noarch
|
||||
BuildRequires: selinux-policy-devel
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
BuildRequires: selinux-policy
|
||||
|
||||
Requires: selinux-policy-%{selinuxtype}
|
||||
Requires(post): selinux-policy-%{selinuxtype}
|
||||
BuildRequires: selinux-policy-devel
|
||||
|
@ -148,7 +191,15 @@ BuildRequires: selinux-policy-devel
|
|||
Requires: libselinux-utils
|
||||
# Required for restorecon
|
||||
Requires: policycoreutils
|
||||
%{?selinux_requires}
|
||||
|
||||
Requires: libselinux-utils
|
||||
Requires: selinux-policy
|
||||
Requires: selinux-policy-%{selinuxtype}
|
||||
Requires(post): selinux-policy-base
|
||||
Requires(post): selinux-policy-%{selinuxtype}
|
||||
Requires(post): libselinux-utils
|
||||
Requires(post): policycoreutils
|
||||
Requires(post): policycoreutils-python-utils
|
||||
|
||||
%description selinux
|
||||
This package provides the SELinux policy module to ensure TigerVNC
|
||||
|
@ -164,20 +215,26 @@ for all in `find . -type f -perm -001`; do
|
|||
done
|
||||
%patch100 -p1 -b .xserver120-rebased
|
||||
%patch101 -p1 -b .rpath
|
||||
%patch110 -p1 -b .composite-Fix-use-after-free-of-the-COW
|
||||
%patch102 -p1 -b .CVE-2023-5367
|
||||
%patch103 -p1 -b .CVE-2023-5380
|
||||
%patch104 -p1 -b .CVE-2023-6377
|
||||
%patch105 -p1 -b .CVE-2023-6478
|
||||
%patch106 -p1 -b .CVE-2023-6816
|
||||
%patch107 -p1 -b .CVE-2024-0229-1
|
||||
%patch108 -p1 -b .CVE-2024-0229-2
|
||||
%patch109 -p1 -b .CVE-2024-0229-3
|
||||
%patch110 -p1 -b .CVE-2024-21885
|
||||
%patch111 -p1 -b .CVE-2024-21886-1
|
||||
%patch112 -p1 -b .CVE-2024-21886-2
|
||||
%patch113 -p1 -b .dix-fix-use-after-free-in-input-device-shutdown
|
||||
|
||||
popd
|
||||
|
||||
%patch1 -p1 -b .use-gnome-as-default-session
|
||||
%patch2 -p1 -b .vncsession-restore-script-systemd-service
|
||||
%patch3 -p1 -b .dont-get-pointer-position-for-floating-device
|
||||
|
||||
# Upstream patches
|
||||
%patch50 -p1 -b .selinux-restore-context-in-case-of-different-policies
|
||||
%patch51 -p1 -b .fix-typo-in-mirror-monitor-detection
|
||||
%patch52 -p1 -b .root-user-selinux-context
|
||||
%patch53 -p1 -b .vncsession-restore-script-systemd-service
|
||||
%patch54 -p1 -b .fix-ghost-cursor-in-zaphod-mode
|
||||
%patch55 -p1 -b .add-new-keycodes-for-unknown-keysyms
|
||||
%patch56 -p1 -b .sanity-check-when-cleaning-up-keymap-changes
|
||||
%patch57 -p1 -b .selinux-allow-vncsession-create-vnc-directory
|
||||
|
||||
%build
|
||||
%ifarch sparcv9 sparc64 s390 s390x
|
||||
|
@ -185,12 +242,22 @@ export CFLAGS="$RPM_OPT_FLAGS -fPIC"
|
|||
%else
|
||||
export CFLAGS="$RPM_OPT_FLAGS -fpic"
|
||||
%endif
|
||||
export CXXFLAGS="$CFLAGS"
|
||||
export CXXFLAGS="$CFLAGS -std=c++11"
|
||||
|
||||
%{cmake} .
|
||||
make %{?_smp_mflags}
|
||||
%define __cmake_builddir %{_target_platform}
|
||||
|
||||
mkdir -p %{%__cmake_builddir}
|
||||
|
||||
%cmake
|
||||
|
||||
%cmake_build
|
||||
|
||||
pushd unix/xserver
|
||||
|
||||
%if 0%{?fedora} > 32 || 0%{?rhel} >= 9
|
||||
sed -i 's@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}/%{_target_platform}@g' hw/vnc/Makefile.am
|
||||
%endif
|
||||
|
||||
autoreconf -fiv
|
||||
%configure \
|
||||
--disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
|
||||
|
@ -213,7 +280,11 @@ make %{?_smp_mflags}
|
|||
popd
|
||||
|
||||
# Build icons
|
||||
%if 0%{?fedora} > 32 || 0%{?rhel} >= 9
|
||||
pushd %{_target_platform}/media
|
||||
%else
|
||||
pushd media
|
||||
%endif
|
||||
make
|
||||
popd
|
||||
|
||||
|
@ -222,19 +293,19 @@ pushd unix/vncserver/selinux
|
|||
make
|
||||
popd
|
||||
|
||||
|
||||
%install
|
||||
%make_install
|
||||
%cmake_install
|
||||
rm -f %{buildroot}%{_docdir}/%{name}-%{version}/{README.rst,LICENCE.TXT}
|
||||
|
||||
pushd unix/xserver/hw/vnc
|
||||
make install DESTDIR=%{buildroot}
|
||||
%make_install
|
||||
popd
|
||||
|
||||
# Install systemd unit file
|
||||
pushd unix/vncserver/selinux
|
||||
make install DESTDIR=%{buildroot}
|
||||
popd
|
||||
|
||||
|
||||
# Install systemd unit file
|
||||
install -m644 %{SOURCE1} %{buildroot}%{_unitdir}/xvnc@.service
|
||||
install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket
|
||||
|
@ -243,12 +314,26 @@ install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket
|
|||
mkdir -p %{buildroot}%{_datadir}/icons/hicolor/{16x16,24x24,48x48}/apps
|
||||
|
||||
pushd media/icons
|
||||
for s in 16 24 48; do
|
||||
for s in 16 22 24 32 48 64 128; do
|
||||
install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps/tigervnc.png
|
||||
done
|
||||
popd
|
||||
|
||||
appstream-util validate-relax --nonet %{buildroot}%{_metainfodir}/org.tigervnc.vncviewer.metainfo.xml
|
||||
desktop-file-validate %{buildroot}%{_datadir}/applications/vncviewer.desktop
|
||||
|
||||
%if 0%{?rhel} > 9
|
||||
# Install a replacement for /usr/bin/vncserver which will tell the user to read the
|
||||
# HOWTO.md file
|
||||
cat <<EOF > %{buildroot}/%{_bindir}/vncserver
|
||||
#!/bin/bash
|
||||
echo "vncserver has been replaced by a systemd unit."
|
||||
echo "Please read /usr/share/doc/tigervnc/HOWTO.md for more information."
|
||||
EOF
|
||||
chmod +x %{buildroot}/%{_bindir}/vncserver
|
||||
%else
|
||||
install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
|
||||
%endif
|
||||
|
||||
%find_lang %{name} %{name}.lang
|
||||
|
||||
|
@ -259,15 +344,14 @@ mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/
|
|||
install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
|
||||
|
||||
%post server
|
||||
%systemd_post xvnc.service
|
||||
%systemd_post xvnc@.service
|
||||
%systemd_post xvnc.socket
|
||||
|
||||
%preun server
|
||||
%systemd_preun xvnc.service
|
||||
%systemd_preun xvnc.socket
|
||||
|
||||
%postun server
|
||||
%systemd_postun xvnc.service
|
||||
%systemd_postun xvnc@.service
|
||||
%systemd_postun xvnc.socket
|
||||
|
||||
%pre selinux
|
||||
|
@ -289,6 +373,7 @@ fi
|
|||
%{_bindir}/vncviewer
|
||||
%{_datadir}/applications/*
|
||||
%{_mandir}/man1/vncviewer.1*
|
||||
%{_datadir}/metainfo/org.tigervnc.vncviewer.metainfo.xml
|
||||
|
||||
%files server
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/tigervnc
|
||||
|
@ -298,8 +383,8 @@ fi
|
|||
%{_unitdir}/vncserver@.service
|
||||
%{_unitdir}/xvnc@.service
|
||||
%{_unitdir}/xvnc.socket
|
||||
%{_bindir}/x0vncserver
|
||||
%{_bindir}/vncserver
|
||||
%{_bindir}/x0vncserver
|
||||
%{_sbindir}/vncsession
|
||||
%{_libexecdir}/vncserver
|
||||
%{_libexecdir}/vncsession-start
|
||||
|
@ -319,7 +404,7 @@ fi
|
|||
|
||||
%files server-module
|
||||
%{_libdir}/xorg/modules/extensions/libvnc.so
|
||||
%config %{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
|
||||
%config(noreplace) %{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
|
||||
|
||||
%files license
|
||||
%{_docdir}/tigervnc/LICENCE.TXT
|
||||
|
@ -329,214 +414,239 @@ fi
|
|||
|
||||
%files selinux
|
||||
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
|
||||
%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
|
||||
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
|
||||
|
||||
%changelog
|
||||
*Mon Mar 27 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-15
|
||||
- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability
|
||||
Resolves: bz#2180305
|
||||
* Tue Jan 30 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1.13.1-3.3.alma.1
|
||||
- CVE-2023-6816, CVE-2024-0029, CVE-2024-21885, CVE-2024-21886
|
||||
- dix: Fix use after free in input device shutdown
|
||||
|
||||
* Tue Feb 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-14
|
||||
* Wed Jan 03 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1.13.1-3.3.alma.1
|
||||
- CVE-2023-5367, CVE-2023-5380, CVE-2023-6377, CVE-2023-6478
|
||||
|
||||
* Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
|
||||
- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
|
||||
Escalation Vulnerability
|
||||
Resolves: bz#2180310
|
||||
|
||||
* Tue Mar 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-1
|
||||
- 1.13.1
|
||||
Resolves: bz#2175732
|
||||
|
||||
* Tue Feb 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-12
|
||||
- SELinux: allow vncsession create .vnc directory
|
||||
Resolves: bz#2164704
|
||||
Resolves: bz#2164703
|
||||
|
||||
* Wed Feb 15 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-13
|
||||
* Wed Feb 15 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-11
|
||||
- Add sanity check when cleaning up keymap changes
|
||||
Resolves: bz#2169960
|
||||
Resolves: bz#2169965
|
||||
|
||||
* Mon Feb 06 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-12
|
||||
* Mon Feb 06 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-10
|
||||
- xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation
|
||||
Resolves: bz#2167058
|
||||
Resolves: bz#2167061
|
||||
|
||||
* Tue Dec 20 2022 Tomas Popela <tpopela@redhat.com> - 1.12.0-11
|
||||
* Tue Dec 20 2022 Tomas Popela <tpopela@redhat.com> - 1.12.0-9
|
||||
- Rebuild for xorg-x11-server CVE-2022-46340 follow up fix
|
||||
|
||||
* Fri Dec 16 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-10
|
||||
* Fri Dec 16 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-8
|
||||
- Rebuild for xorg-x11-server CVEs
|
||||
Resolves: CVE-2022-4283 (bz#2154233)
|
||||
Resolves: CVE-2022-46340 (bz#2154220)
|
||||
Resolves: CVE-2022-46341 (bz#2154223)
|
||||
Resolves: CVE-2022-46342 (bz#2154225)
|
||||
Resolves: CVE-2022-46343 (bz#2154227)
|
||||
Resolves: CVE-2022-46344 (bz#2154229)
|
||||
Resolves: CVE-2022-4283 (bz#2154234)
|
||||
Resolves: CVE-2022-46340 (bz#2154221)
|
||||
Resolves: CVE-2022-46341 (bz#2154224)
|
||||
Resolves: CVE-2022-46342 (bz#2154226)
|
||||
Resolves: CVE-2022-46343 (bz#2154228)
|
||||
Resolves: CVE-2022-46344 (bz#2154230)
|
||||
|
||||
* Thu Dec 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-9
|
||||
- Bump build version to fix upgrade path
|
||||
Resolves: bz#1437569
|
||||
|
||||
* Fri Nov 18 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-8
|
||||
* Thu Dec 01 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-7
|
||||
- x0vncserver: add new keysym in case we don't find matching keycode
|
||||
Resolves: bz#1437569
|
||||
+ actually apply the patch
|
||||
Resolves: bz#2119017
|
||||
|
||||
* Wed Aug 24 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-7
|
||||
* Thu Dec 01 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-6
|
||||
- x0vncserver: add new keysym in case we don't find matching keycode
|
||||
Resolves: bz#2119017
|
||||
|
||||
* Mon Oct 24 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-5
|
||||
- x0vncserver: fix ghost cursor in zaphod mode (better version)
|
||||
Resolves: bz#2109679
|
||||
Resolves: bz#2119016
|
||||
|
||||
* Wed Aug 17 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-6
|
||||
- x0vncserver: fix ghost cursor in zaphod mode
|
||||
Resolves: bz#2109679
|
||||
* Tue May 31 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4
|
||||
- Add BR: libXdamage, libXfixes, libXrandr
|
||||
Resolves: bz#2091833
|
||||
|
||||
* Tue May 31 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-5
|
||||
- BR: libXdamage, libXfixes, libXrandr
|
||||
Resolves: bz#2088733
|
||||
* Tue Apr 05 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3
|
||||
- Do not run systemd_preun on Xvnc service file
|
||||
Resolves: bz#2048011
|
||||
|
||||
* Tue Feb 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4
|
||||
* Mon Apr 04 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2
|
||||
- Drop unexisting option from the old vncserver script
|
||||
Resolves: bz#2021893
|
||||
|
||||
* Wed Mar 23 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
|
||||
- 1.12.0 + sync with Fedora
|
||||
Resolves: bz#2048011
|
||||
Resolves: bz#2021893
|
||||
|
||||
* Mon Feb 07 2022 Jan Grulich <jgrulich@redhat.com> - 1.11.0-21
|
||||
- Added vncsession-restore script for SELinux policy migration
|
||||
Fix SELinux context for root user
|
||||
Resolves: bz#2021892
|
||||
Resolves: bz#2049506
|
||||
|
||||
* Fri Jan 21 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3
|
||||
- Fix crash in vncviewer
|
||||
Resolves: bz#2021892
|
||||
* Fri Nov 26 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-20
|
||||
- Rebuild for absence in RHEL 9.0
|
||||
Resolves: bz#1985858
|
||||
|
||||
* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2
|
||||
- Remove unavailable option from vncserver script
|
||||
Resolves: bz#2021892
|
||||
* Mon Aug 16 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-19
|
||||
- Sync upstream patches + drop unused patches
|
||||
Resolves: bz#1985858
|
||||
|
||||
* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
|
||||
- 1.12.0
|
||||
Resolves: bz#2021892
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.11.0-18
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9
|
||||
* Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-17
|
||||
- Fix logout from VNC session using vncserver
|
||||
Resolves: bz#1983706
|
||||
Resolves: bz#1983704
|
||||
|
||||
* Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-8
|
||||
- Run all SELinux RPM macros on correct package
|
||||
Resolves: bz#1907963
|
||||
* Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-16
|
||||
- Bump version for rebuild (binutils)
|
||||
Resolves: bz#1961488
|
||||
|
||||
* Mon May 17 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-7
|
||||
* Mon May 17 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-14
|
||||
- SELinux improvements
|
||||
Resolves: bz#1907963
|
||||
Resolves: bz#1961488
|
||||
|
||||
* Tue Dec 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6
|
||||
- Use GNOME as default session
|
||||
Resolves: bz#1853608
|
||||
- Fix endianness issue on s390x
|
||||
Resolves: bz#1963029
|
||||
|
||||
* Thu Dec 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-5
|
||||
- Make sure we log properly output to journal (actually log to syslog)
|
||||
Resolves: bz#1841537
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.11.0-13
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Thu Dec 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-4
|
||||
- Make sure we log properly output to journal
|
||||
Resolves: bz#1841537
|
||||
* Mon Mar 08 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-12
|
||||
- Include RHEL8 patches
|
||||
|
||||
* Wed Nov 18 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-3
|
||||
- vncserver: ignore new "session" parameter from the new systemd support
|
||||
Resolves: bz#1897504
|
||||
* Fri Mar 05 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-11
|
||||
- Enable old vncserver script for RHEL 9
|
||||
|
||||
* Wed Nov 18 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-2
|
||||
- Revert removal of vncserver
|
||||
Resolves: bz#1897504
|
||||
- Correctly start vncsession as a daemon
|
||||
Resolves: bz#1897498
|
||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.11.0-10
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Tue Oct 20 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-1
|
||||
- Update to 1.11.0
|
||||
Resolves: bz#1880985
|
||||
- Backport fix to allow Tigervnc use boolean values in config files
|
||||
Resolves: bz#1883415
|
||||
* Thu Dec 10 07:45:46 CET 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9
|
||||
- vncserver: ignore new session parameter from the new systemd support
|
||||
|
||||
* Wed Sep 30 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-8
|
||||
- Tolerate specifying -BoolParam 0 and similar
|
||||
Resolves: bz#1883415
|
||||
* Fri Nov 13 14:08:29 CET 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-8
|
||||
- Use /run instead of /var/run which is just a symlink
|
||||
|
||||
* Wed Jul 08 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-7
|
||||
- Enable server module on s390x
|
||||
Resolves: bz#1854925
|
||||
* Thu Nov 05 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.11.0-7
|
||||
- Require xkbcomp directly, not xorg-x11-xkb-utils. The latter has had
|
||||
Provides xkbcomp for years.
|
||||
|
||||
* Fri Jul 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-6
|
||||
- Remove trailing spaces in user name
|
||||
Resolves: bz#1852432
|
||||
* Tue Sep 29 13:12:22 CEST 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6
|
||||
- Backport upstream fix allowing Tigervnc to specify boolean valus in configuration
|
||||
- Revert removal of vncserver for F32 and F33
|
||||
|
||||
* Thu Jun 25 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-5
|
||||
- Install the HOWTO file to correct location
|
||||
* Thu Sep 24 07:14:06 CEST 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-5
|
||||
- Actually install the HOWTO.md file
|
||||
|
||||
* Wed Sep 23 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-4
|
||||
- Call systemd macros on correct service file
|
||||
|
||||
* Tue Sep 22 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-3
|
||||
- Do not overwrite libvnc.conf config file
|
||||
|
||||
* Thu Sep 17 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-2
|
||||
- Add /usr/bin/vncserver file informing users to read the HOWTO.md file
|
||||
Resolves: bz#1790443
|
||||
|
||||
* Mon Jun 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-4
|
||||
- Improve SELinux policy
|
||||
Resolves: bz#1790443
|
||||
* Wed Sep 09 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-1
|
||||
- 1.11.0
|
||||
|
||||
* Mon Jun 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-3
|
||||
- Add a HOWTO.md file with instructions how to start VNC server
|
||||
Resolves: bz#1790443
|
||||
* Mon Aug 24 2020 Jan Grulich <jgrulich@redhat.com. - 1.10.90-1
|
||||
- Update to 1.10.90 (1.11.0 beta)
|
||||
|
||||
* Tue May 26 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-2
|
||||
- Make the systemd service run also for root user
|
||||
Resolves: bz#1790443
|
||||
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-9
|
||||
- Second attempt - Rebuilt for
|
||||
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Mon Apr 27 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-1
|
||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.10.1-7
|
||||
- Use make macros
|
||||
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||
|
||||
* Sat Jul 11 2020 Jiri Vanek <jvanek@redhat.com> - 1.10.1-6
|
||||
- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
|
||||
|
||||
* Sun Apr 19 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-5
|
||||
- Requires: dbus-x11
|
||||
Resolves: bz#1825331
|
||||
|
||||
* Fri Mar 13 2020 Olivier Fourdan <ofourdan@redhat.com> - 1.10.1-4
|
||||
- Fix build with xserver 1.20.7
|
||||
|
||||
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Mon Jan 13 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-2
|
||||
- Build with -std=c++11
|
||||
|
||||
* Fri Dec 20 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.1-1
|
||||
- Update to 1.10.1
|
||||
Resolves: bz#1806992
|
||||
|
||||
- Add proper systemd support
|
||||
Resolves: bz#1790443
|
||||
* Tue Dec 10 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.0-2
|
||||
- Properly install systemd files
|
||||
|
||||
* Tue Jan 28 2020 Jan Grulich <jgrulich@redhat.com> - 1.9.0-13
|
||||
- Bump build because of z-stream
|
||||
Resolves: bz#1671714
|
||||
* Mon Nov 18 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.0-1
|
||||
- Update to 1.10.0
|
||||
|
||||
* Wed Dec 11 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-12
|
||||
- Fix installation of systemd files
|
||||
Resolves: bz#1671714
|
||||
* Fri Oct 18 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.90-1
|
||||
- Update to 1.9.90 (1.10 beta)
|
||||
- Add systemd user service file
|
||||
- Use a wrapper for systemd system service file to workaround systemd limitations
|
||||
|
||||
* Wed Nov 20 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-11
|
||||
- Use wrapper script to workaround systemd issues
|
||||
Resolves: bz#1671714
|
||||
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri Jul 12 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-10
|
||||
- Do not return returncode indicating error when running "vncserver -list"
|
||||
Resolves: bz#1727860
|
||||
* Fri Jul 19 2019 Dan Horák <dan[at]danny.cz> - 1.9.0-6
|
||||
- drop the s390x special handling (related #1727029)
|
||||
|
||||
* Fri Feb 08 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-9
|
||||
- Make tigervnc systemd service a user service
|
||||
Resolves: bz#1639846
|
||||
* Wed Jun 12 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-5
|
||||
- Add missing arguments to systemd_postun scriptlets
|
||||
Resolves: bz#1716411
|
||||
|
||||
* Mon Jan 21 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-8
|
||||
- Kill the session automatically only when Gnome is installed
|
||||
Resolves: bz#1665876
|
||||
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Tue Nov 20 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-7
|
||||
- Improve coverity scan fixes
|
||||
Resolves: bz#1602714
|
||||
|
||||
Inform whether view-only password is used or not
|
||||
Resolves: bz#1639169
|
||||
|
||||
Backport fixes from RHEL 7
|
||||
Resolves: bz#1651254
|
||||
|
||||
* Tue Oct 09 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-6
|
||||
* Tue Sep 25 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-3
|
||||
- Do not crash passwd when using malloc perturb checks
|
||||
Resolves: bz#1637086
|
||||
|
||||
* Mon Oct 08 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-5
|
||||
- Improve coverity scan fixes
|
||||
Resolves: bz#1602714
|
||||
|
||||
* Wed Oct 03 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-4
|
||||
- Improve coverity scan fixes
|
||||
Resolves: bz#1602714
|
||||
|
||||
* Wed Oct 03 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-3
|
||||
- Fix some coverity scan issues
|
||||
Resolves: bz#1602714
|
||||
Resolves: bz#1631483
|
||||
|
||||
* Wed Aug 01 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-2
|
||||
- Remove dependency on initscripts
|
||||
- Ignore buttons in mouse leave events
|
||||
Resolves: bz#1609516
|
||||
|
||||
* Tue Jul 17 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-1
|
||||
- Update to 1.9.0 + sync with Fedora
|
||||
- Update to 1.9.0
|
||||
|
||||
* Tue Jun 12 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-10
|
||||
- Fix GLX initialization with Xorg 1.20
|
||||
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.90-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Tue May 29 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-9
|
||||
- Build against Xorg 1.20
|
||||
* Wed Jul 4 2018 Peter Robinson <pbrobinson@fedoraproject.org> 1.8.90-2
|
||||
- Clean up spec: use macros consistenly, drop old sys-v migrations
|
||||
- Drop ancient obsolete/provides
|
||||
|
||||
* Mon May 14 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-8
|
||||
- Drop BR: ImageMagick
|
||||
* Thu Jun 14 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.90-1
|
||||
- Update to 1.8.90
|
||||
|
||||
* Wed Jun 13 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-10
|
||||
- Fix tigervnc systemd unit file
|
||||
Resolves: bz#1583159
|
||||
|
||||
* Wed Jun 06 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-9
|
||||
- Fix GLX initialization with 1.20
|
||||
|
||||
* Wed Apr 04 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-8
|
||||
- Rebuild for xserver 1.20
|
||||
|
||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.0-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
|
Loading…
Reference in New Issue