Compare commits
No commits in common. "c8" and "a9" have entirely different histories.
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/tigervnc-1.15.0.tar.gz
|
||||
SOURCES/tigervnc-1.13.1.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
fec424f110bdf5032cd5eb4df2596b8251d2e1ed SOURCES/tigervnc-1.15.0.tar.gz
|
||||
6f7a23f14833f552c88523da1a5e102f3b8d35c2 SOURCES/tigervnc-1.13.1.tar.gz
|
||||
|
@ -12,7 +12,7 @@
|
||||
#EndSection
|
||||
|
||||
#Section "Screen"
|
||||
# Identifier "Screen0"
|
||||
# Identifier "Screen0
|
||||
# DefaultDepth 16
|
||||
# Option "SecurityTypes" "VncAuth"
|
||||
# Option "PasswordFile" "/root/.vnc/passwd"
|
||||
|
80
SOURCES/CVE-2023-5367.patch
Normal file
80
SOURCES/CVE-2023-5367.patch
Normal file
@ -0,0 +1,80 @@
|
||||
From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 3 Oct 2023 11:53:05 +1000
|
||||
Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
|
||||
|
||||
The handling of appending/prepending properties was incorrect, with at
|
||||
least two bugs: the property length was set to the length of the new
|
||||
part only, i.e. appending or prepending N elements to a property with P
|
||||
existing elements always resulted in the property having N elements
|
||||
instead of N + P.
|
||||
|
||||
Second, when pre-pending a value to a property, the offset for the old
|
||||
values was incorrect, leaving the new property with potentially
|
||||
uninitalized values and/or resulting in OOB memory writes.
|
||||
For example, prepending a 3 element value to a 5 element property would
|
||||
result in this 8 value array:
|
||||
[N, N, N, ?, ?, P, P, P ] P, P
|
||||
^OOB write
|
||||
|
||||
The XI2 code is a copy/paste of the RandR code, so the bug exists in
|
||||
both.
|
||||
|
||||
CVE-2023-5367, ZDI-CAN-22153
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
Xi/xiproperty.c | 4 ++--
|
||||
randr/rrproperty.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
|
||||
index 066ba21fba..d315f04d0e 100644
|
||||
--- a/Xi/xiproperty.c
|
||||
+++ b/Xi/xiproperty.c
|
||||
@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
|
||||
XIDestroyDeviceProperty(prop);
|
||||
return BadAlloc;
|
||||
}
|
||||
- new_value.size = len;
|
||||
+ new_value.size = total_len;
|
||||
new_value.type = type;
|
||||
new_value.format = format;
|
||||
|
||||
@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
|
||||
case PropModePrepend:
|
||||
new_data = new_value.data;
|
||||
old_data = (void *) (((char *) new_value.data) +
|
||||
- (prop_value->size * size_in_bytes));
|
||||
+ (len * size_in_bytes));
|
||||
break;
|
||||
}
|
||||
if (new_data)
|
||||
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
|
||||
index c2fb9585c6..25469f57b2 100644
|
||||
--- a/randr/rrproperty.c
|
||||
+++ b/randr/rrproperty.c
|
||||
@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
|
||||
RRDestroyOutputProperty(prop);
|
||||
return BadAlloc;
|
||||
}
|
||||
- new_value.size = len;
|
||||
+ new_value.size = total_len;
|
||||
new_value.type = type;
|
||||
new_value.format = format;
|
||||
|
||||
@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
|
||||
case PropModePrepend:
|
||||
new_data = new_value.data;
|
||||
old_data = (void *) (((char *) new_value.data) +
|
||||
- (prop_value->size * size_in_bytes));
|
||||
+ (len * size_in_bytes));
|
||||
break;
|
||||
}
|
||||
if (new_data)
|
||||
--
|
||||
GitLab
|
||||
|
98
SOURCES/CVE-2023-5380.patch
Normal file
98
SOURCES/CVE-2023-5380.patch
Normal file
@ -0,0 +1,98 @@
|
||||
From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Thu, 5 Oct 2023 12:19:45 +1000
|
||||
Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
|
||||
|
||||
PointerWindows[] keeps a reference to the last window our sprite
|
||||
entered - changes are usually handled by CheckMotion().
|
||||
|
||||
If we switch between screens via XWarpPointer our
|
||||
dev->spriteInfo->sprite->win is set to the new screen's root window.
|
||||
If there's another window at the cursor location CheckMotion() will
|
||||
trigger the right enter/leave events later. If there is not, it skips
|
||||
that process and we never trigger LeaveWindow() - PointerWindows[] for
|
||||
the device still refers to the previous window.
|
||||
|
||||
If that window is destroyed we have a dangling reference that will
|
||||
eventually cause a use-after-free bug when checking the window hierarchy
|
||||
later.
|
||||
|
||||
To trigger this, we require:
|
||||
- two protocol screens
|
||||
- XWarpPointer to the other screen's root window
|
||||
- XDestroyWindow before entering any other window
|
||||
|
||||
This is a niche bug so we hack around it by making sure we reset the
|
||||
PointerWindows[] entry so we cannot have a dangling pointer. This
|
||||
doesn't handle Enter/Leave events correctly but the previous code didn't
|
||||
either.
|
||||
|
||||
CVE-2023-5380, ZDI-CAN-21608
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Sri working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
||||
---
|
||||
dix/enterleave.h | 2 --
|
||||
include/eventstr.h | 3 +++
|
||||
mi/mipointer.c | 17 +++++++++++++++--
|
||||
3 files changed, 18 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/dix/enterleave.h b/dix/enterleave.h
|
||||
index 4b833d8a3b..e8af924c68 100644
|
||||
--- a/dix/enterleave.h
|
||||
+++ b/dix/enterleave.h
|
||||
@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
|
||||
|
||||
extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
|
||||
|
||||
-extern void LeaveWindow(DeviceIntPtr dev);
|
||||
-
|
||||
extern void CoreFocusEvent(DeviceIntPtr kbd,
|
||||
int type, int mode, int detail, WindowPtr pWin);
|
||||
|
||||
diff --git a/include/eventstr.h b/include/eventstr.h
|
||||
index 93308f9b24..a9926eaeef 100644
|
||||
--- a/include/eventstr.h
|
||||
+++ b/include/eventstr.h
|
||||
@@ -296,4 +296,7 @@ union _InternalEvent {
|
||||
#endif
|
||||
};
|
||||
|
||||
+extern void
|
||||
+LeaveWindow(DeviceIntPtr dev);
|
||||
+
|
||||
#endif
|
||||
diff --git a/mi/mipointer.c b/mi/mipointer.c
|
||||
index a638f25d4a..8cf0035140 100644
|
||||
--- a/mi/mipointer.c
|
||||
+++ b/mi/mipointer.c
|
||||
@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
|
||||
#ifdef PANORAMIX
|
||||
&& noPanoramiXExtension
|
||||
#endif
|
||||
- )
|
||||
- UpdateSpriteForScreen(pDev, pScreen);
|
||||
+ ) {
|
||||
+ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
|
||||
+ /* Hack for CVE-2023-5380: if we're moving
|
||||
+ * screens PointerWindows[] keeps referring to the
|
||||
+ * old window. If that gets destroyed we have a UAF
|
||||
+ * bug later. Only happens when jumping from a window
|
||||
+ * to the root window on the other screen.
|
||||
+ * Enter/Leave events are incorrect for that case but
|
||||
+ * too niche to fix.
|
||||
+ */
|
||||
+ LeaveWindow(pDev);
|
||||
+ if (master)
|
||||
+ LeaveWindow(master);
|
||||
+ UpdateSpriteForScreen(pDev, pScreen);
|
||||
+ }
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
GitLab
|
||||
|
74
SOURCES/CVE-2023-6377.patch
Normal file
74
SOURCES/CVE-2023-6377.patch
Normal file
@ -0,0 +1,74 @@
|
||||
From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 28 Nov 2023 15:19:04 +1000
|
||||
Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
|
||||
|
||||
button->xkb_acts is supposed to be an array sufficiently large for all
|
||||
our buttons, not just a single XkbActions struct. Allocating
|
||||
insufficient memory here means when we memcpy() later in
|
||||
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
|
||||
leading to the usual security ooopsiedaisies.
|
||||
|
||||
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
Xi/exevents.c | 12 ++++++------
|
||||
dix/devices.c | 10 ++++++++++
|
||||
2 files changed, 16 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/Xi/exevents.c b/Xi/exevents.c
|
||||
index dcd4efb3bc..54ea11a938 100644
|
||||
--- a/Xi/exevents.c
|
||||
+++ b/Xi/exevents.c
|
||||
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
|
||||
}
|
||||
|
||||
if (from->button->xkb_acts) {
|
||||
- if (!to->button->xkb_acts) {
|
||||
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
|
||||
- if (!to->button->xkb_acts)
|
||||
- FatalError("[Xi] not enough memory for xkb_acts.\n");
|
||||
- }
|
||||
+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
|
||||
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
|
||||
+ maxbuttons,
|
||||
+ sizeof(XkbAction));
|
||||
+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
|
||||
memcpy(to->button->xkb_acts, from->button->xkb_acts,
|
||||
- sizeof(XkbAction));
|
||||
+ from->button->numButtons * sizeof(XkbAction));
|
||||
}
|
||||
else {
|
||||
free(to->button->xkb_acts);
|
||||
diff --git a/dix/devices.c b/dix/devices.c
|
||||
index b063128df0..3f3224d626 100644
|
||||
--- a/dix/devices.c
|
||||
+++ b/dix/devices.c
|
||||
@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
||||
|
||||
if (master->button && master->button->numButtons != maxbuttons) {
|
||||
int i;
|
||||
+ int last_num_buttons = master->button->numButtons;
|
||||
+
|
||||
DeviceChangedEvent event = {
|
||||
.header = ET_Internal,
|
||||
.type = ET_DeviceChanged,
|
||||
@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
|
||||
};
|
||||
|
||||
master->button->numButtons = maxbuttons;
|
||||
+ if (last_num_buttons < maxbuttons) {
|
||||
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
|
||||
+ maxbuttons,
|
||||
+ sizeof(XkbAction));
|
||||
+ memset(&master->button->xkb_acts[last_num_buttons],
|
||||
+ 0,
|
||||
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
|
||||
+ }
|
||||
|
||||
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
|
||||
sizeof(Atom));
|
||||
--
|
||||
GitLab
|
59
SOURCES/CVE-2023-6478.patch
Normal file
59
SOURCES/CVE-2023-6478.patch
Normal file
@ -0,0 +1,59 @@
|
||||
From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Mon, 27 Nov 2023 16:27:49 +1000
|
||||
Subject: [PATCH] randr: avoid integer truncation in length check of
|
||||
ProcRRChange*Property
|
||||
|
||||
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
|
||||
See also xserver@8f454b79 where this same bug was fixed for the core
|
||||
protocol and XI.
|
||||
|
||||
This fixes an OOB read and the resulting information disclosure.
|
||||
|
||||
Length calculation for the request was clipped to a 32-bit integer. With
|
||||
the correct stuff->nUnits value the expected request size was
|
||||
truncated, passing the REQUEST_FIXED_SIZE check.
|
||||
|
||||
The server then proceeded with reading at least stuff->num_items bytes
|
||||
(depending on stuff->format) from the request and stuffing whatever it
|
||||
finds into the property. In the process it would also allocate at least
|
||||
stuff->nUnits bytes, i.e. 4GB.
|
||||
|
||||
CVE-2023-6478, ZDI-CAN-22561
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
randr/rrproperty.c | 2 +-
|
||||
randr/rrproviderproperty.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
|
||||
index 25469f57b2..c4fef8a1f6 100644
|
||||
--- a/randr/rrproperty.c
|
||||
+++ b/randr/rrproperty.c
|
||||
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
|
||||
char format, mode;
|
||||
unsigned long len;
|
||||
int sizeInBytes;
|
||||
- int totalSize;
|
||||
+ uint64_t totalSize;
|
||||
int err;
|
||||
|
||||
REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
|
||||
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
|
||||
index b79c17f9bf..90c5a9a933 100644
|
||||
--- a/randr/rrproviderproperty.c
|
||||
+++ b/randr/rrproviderproperty.c
|
||||
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
|
||||
char format, mode;
|
||||
unsigned long len;
|
||||
int sizeInBytes;
|
||||
- int totalSize;
|
||||
+ uint64_t totalSize;
|
||||
int err;
|
||||
|
||||
REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
|
||||
--
|
||||
GitLab
|
||||
|
51
SOURCES/CVE-2023-6816.patch
Normal file
51
SOURCES/CVE-2023-6816.patch
Normal file
@ -0,0 +1,51 @@
|
||||
From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Thu, 14 Dec 2023 11:29:49 +1000
|
||||
Subject: [PATCH] dix: allocate enough space for logical button maps
|
||||
|
||||
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
|
||||
each logical button currently down. Since buttons can be arbitrarily mapped
|
||||
to anything up to 255 make sure we have enough bits for the maximum mapping.
|
||||
|
||||
CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
Xi/xiquerypointer.c | 3 +--
|
||||
dix/enterleave.c | 5 +++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
|
||||
index 5b77b1a444..2b05ac5f39 100644
|
||||
--- a/Xi/xiquerypointer.c
|
||||
+++ b/Xi/xiquerypointer.c
|
||||
@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
|
||||
if (pDev->button) {
|
||||
int i;
|
||||
|
||||
- rep.buttons_len =
|
||||
- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
|
||||
+ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
|
||||
rep.length += rep.buttons_len;
|
||||
buttons = calloc(rep.buttons_len, 4);
|
||||
if (!buttons)
|
||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
||||
index 867ec74363..ded8679d76 100644
|
||||
--- a/dix/enterleave.c
|
||||
+++ b/dix/enterleave.c
|
||||
@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
|
||||
|
||||
mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
|
||||
|
||||
- /* XI 2 event */
|
||||
- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
|
||||
+ /* XI 2 event contains the logical button map - maps are CARD8
|
||||
+ * so we need 256 bits for the possibly maximum mapping */
|
||||
+ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
|
||||
btlen = bytes_to_int32(btlen);
|
||||
len = sizeof(xXIFocusInEvent) + btlen * 4;
|
||||
|
||||
--
|
||||
GitLab
|
||||
|
83
SOURCES/CVE-2024-0229-1.patch
Normal file
83
SOURCES/CVE-2024-0229-1.patch
Normal file
@ -0,0 +1,83 @@
|
||||
From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Mon, 18 Dec 2023 14:27:50 +1000
|
||||
Subject: [PATCH 2/9] dix: Allocate sufficient xEvents for our
|
||||
DeviceStateNotify
|
||||
|
||||
If a device has both a button class and a key class and numButtons is
|
||||
zero, we can get an OOB write due to event under-allocation.
|
||||
|
||||
This function seems to assume a device has either keys or buttons, not
|
||||
both. It has two virtually identical code paths, both of which assume
|
||||
they're applying to the first event in the sequence.
|
||||
|
||||
A device with both a key and button class triggered a logic bug - only
|
||||
one xEvent was allocated but the deviceStateNotify pointer was pushed on
|
||||
once per type. So effectively this logic code:
|
||||
|
||||
int count = 1;
|
||||
if (button && nbuttons > 32) count++;
|
||||
if (key && nbuttons > 0) count++;
|
||||
if (key && nkeys > 32) count++; // this is basically always true
|
||||
// count is at 2 for our keys + zero button device
|
||||
|
||||
ev = alloc(count * sizeof(xEvent));
|
||||
FixDeviceStateNotify(ev);
|
||||
if (button)
|
||||
FixDeviceStateNotify(ev++);
|
||||
if (key)
|
||||
FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here
|
||||
|
||||
If the device has more than 3 valuators, the OOB is pushed back - we're
|
||||
off by one so it will happen when the last deviceValuator event is
|
||||
written instead.
|
||||
|
||||
Fix this by allocating the maximum number of events we may allocate.
|
||||
Note that the current behavior is not protocol-correct anyway, this
|
||||
patch fixes only the allocation issue.
|
||||
|
||||
Note that this issue does not trigger if the device has at least one
|
||||
button. While the server does not prevent a button class with zero
|
||||
buttons, it is very unlikely.
|
||||
|
||||
CVE-2024-0229, ZDI-CAN-22678
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
dix/enterleave.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
||||
index ded8679d76..17964b00a4 100644
|
||||
--- a/dix/enterleave.c
|
||||
+++ b/dix/enterleave.c
|
||||
@@ -675,7 +675,8 @@ static void
|
||||
DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
{
|
||||
int evcount = 1;
|
||||
- deviceStateNotify *ev, *sev;
|
||||
+ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
|
||||
+ deviceStateNotify *ev;
|
||||
deviceKeyStateNotify *kev;
|
||||
deviceButtonStateNotify *bev;
|
||||
|
||||
@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
}
|
||||
}
|
||||
|
||||
- sev = ev = xallocarray(evcount, sizeof(xEvent));
|
||||
+ ev = sev;
|
||||
FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
|
||||
|
||||
if (b != NULL) {
|
||||
@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
|
||||
DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
|
||||
DeviceStateNotifyMask, NullGrab);
|
||||
- free(sev);
|
||||
}
|
||||
|
||||
void
|
||||
--
|
||||
GitLab
|
216
SOURCES/CVE-2024-0229-2.patch
Normal file
216
SOURCES/CVE-2024-0229-2.patch
Normal file
@ -0,0 +1,216 @@
|
||||
From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Mon, 18 Dec 2023 12:26:20 +1000
|
||||
Subject: [PATCH 3/9] dix: fix DeviceStateNotify event calculation
|
||||
|
||||
The previous code only made sense if one considers buttons and keys to
|
||||
be mutually exclusive on a device. That is not necessarily true, causing
|
||||
a number of issues.
|
||||
|
||||
This function allocates and fills in the number of xEvents we need to
|
||||
send the device state down the wire. This is split across multiple
|
||||
32-byte devices including one deviceStateNotify event and optional
|
||||
deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
|
||||
deviceValuator events.
|
||||
|
||||
The previous behavior would instead compose a sequence
|
||||
of [state, buttonstate, state, keystate, valuator...]. This is not
|
||||
protocol correct, and on top of that made the code extremely convoluted.
|
||||
|
||||
Fix this by streamlining: add both button and key into the deviceStateNotify
|
||||
and then append the key state and button state, followed by the
|
||||
valuators. Finally, the deviceValuator events contain up to 6 valuators
|
||||
per event but we only ever sent through 3 at a time. Let's double that
|
||||
troughput.
|
||||
|
||||
CVE-2024-0229, ZDI-CAN-22678
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
dix/enterleave.c | 121 ++++++++++++++++++++---------------------------
|
||||
1 file changed, 52 insertions(+), 69 deletions(-)
|
||||
|
||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
||||
index 17964b00a4..7b7ba1098b 100644
|
||||
--- a/dix/enterleave.c
|
||||
+++ b/dix/enterleave.c
|
||||
@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
|
||||
|
||||
ev->type = DeviceValuator;
|
||||
ev->deviceid = dev->id;
|
||||
- ev->num_valuators = nval < 3 ? nval : 3;
|
||||
+ ev->num_valuators = nval < 6 ? nval : 6;
|
||||
ev->first_valuator = first;
|
||||
switch (ev->num_valuators) {
|
||||
+ case 6:
|
||||
+ ev->valuator2 = v->axisVal[first + 5];
|
||||
+ case 5:
|
||||
+ ev->valuator2 = v->axisVal[first + 4];
|
||||
+ case 4:
|
||||
+ ev->valuator2 = v->axisVal[first + 3];
|
||||
case 3:
|
||||
ev->valuator2 = v->axisVal[first + 2];
|
||||
case 2:
|
||||
@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
|
||||
ev->valuator0 = v->axisVal[first];
|
||||
break;
|
||||
}
|
||||
- first += ev->num_valuators;
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
|
||||
ev->num_buttons = b->numButtons;
|
||||
memcpy((char *) ev->buttons, (char *) b->down, 4);
|
||||
}
|
||||
- else if (k) {
|
||||
+ if (k) {
|
||||
ev->classes_reported |= (1 << KeyClass);
|
||||
ev->num_keys = k->xkbInfo->desc->max_key_code -
|
||||
k->xkbInfo->desc->min_key_code;
|
||||
@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
|
||||
}
|
||||
}
|
||||
|
||||
-
|
||||
+/**
|
||||
+ * The device state notify event is split across multiple 32-byte events.
|
||||
+ * The first one contains the first 32 button state bits, the first 32
|
||||
+ * key state bits, and the first 3 valuator values.
|
||||
+ *
|
||||
+ * If a device has more than that, the server sends out:
|
||||
+ * - one deviceButtonStateNotify for buttons 32 and above
|
||||
+ * - one deviceKeyStateNotify for keys 32 and above
|
||||
+ * - one deviceValuator event per 6 valuators above valuator 4
|
||||
+ *
|
||||
+ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
|
||||
+ */
|
||||
static void
|
||||
DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
{
|
||||
+ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
|
||||
+ * and one deviceValuator for each 6 valuators */
|
||||
+ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
|
||||
int evcount = 1;
|
||||
- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
|
||||
- deviceStateNotify *ev;
|
||||
- deviceKeyStateNotify *kev;
|
||||
- deviceButtonStateNotify *bev;
|
||||
+ deviceStateNotify *ev = sev;
|
||||
|
||||
KeyClassPtr k;
|
||||
ButtonClassPtr b;
|
||||
@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
|
||||
|
||||
if ((b = dev->button) != NULL) {
|
||||
nbuttons = b->numButtons;
|
||||
- if (nbuttons > 32)
|
||||
+ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
|
||||
evcount++;
|
||||
}
|
||||
if ((k = dev->key) != NULL) {
|
||||
nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
|
||||
- if (nkeys > 32)
|
||||
+ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
|
||||
evcount++;
|
||||
- if (nbuttons > 0) {
|
||||
- evcount++;
|
||||
- }
|
||||
}
|
||||
if ((v = dev->valuator) != NULL) {
|
||||
nval = v->numAxes;
|
||||
-
|
||||
- if (nval > 3)
|
||||
- evcount++;
|
||||
- if (nval > 6) {
|
||||
- if (!(k && b))
|
||||
- evcount++;
|
||||
- if (nval > 9)
|
||||
- evcount += ((nval - 7) / 3);
|
||||
- }
|
||||
+ /* first three are encoded in deviceStateNotify, then
|
||||
+ * it's 6 per deviceValuator event */
|
||||
+ evcount += ((nval - 3) + 6)/6;
|
||||
}
|
||||
|
||||
- ev = sev;
|
||||
- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
|
||||
-
|
||||
- if (b != NULL) {
|
||||
- FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- if (nbuttons > 32) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- bev = (deviceButtonStateNotify *) ev++;
|
||||
- bev->type = DeviceButtonStateNotify;
|
||||
- bev->deviceid = dev->id;
|
||||
- memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
|
||||
- DOWN_LENGTH - 4);
|
||||
- }
|
||||
- if (nval > 0) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- }
|
||||
+ BUG_RETURN(evcount <= ARRAY_SIZE(sev));
|
||||
+
|
||||
+ FixDeviceStateNotify(dev, ev, k, b, v, first);
|
||||
+
|
||||
+ if (b != NULL && nbuttons > 32) {
|
||||
+ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev;
|
||||
+ (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
+ bev->type = DeviceButtonStateNotify;
|
||||
+ bev->deviceid = dev->id;
|
||||
+ memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
|
||||
+ DOWN_LENGTH - 4);
|
||||
}
|
||||
|
||||
- if (k != NULL) {
|
||||
- FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- if (nkeys > 32) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- kev = (deviceKeyStateNotify *) ev++;
|
||||
- kev->type = DeviceKeyStateNotify;
|
||||
- kev->deviceid = dev->id;
|
||||
- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
|
||||
- }
|
||||
- if (nval > 0) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- }
|
||||
+ if (k != NULL && nkeys > 32) {
|
||||
+ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev;
|
||||
+ (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
+ kev->type = DeviceKeyStateNotify;
|
||||
+ kev->deviceid = dev->id;
|
||||
+ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
|
||||
}
|
||||
|
||||
+ first = 3;
|
||||
+ nval -= 3;
|
||||
while (nval > 0) {
|
||||
- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- if (nval > 0) {
|
||||
- (ev - 1)->deviceid |= MORE_EVENTS;
|
||||
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
|
||||
- first += 3;
|
||||
- nval -= 3;
|
||||
- }
|
||||
+ ev->deviceid |= MORE_EVENTS;
|
||||
+ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
|
||||
+ first += 6;
|
||||
+ nval -= 6;
|
||||
}
|
||||
|
||||
DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
|
||||
--
|
||||
GitLab
|
36
SOURCES/CVE-2024-0229-3.patch
Normal file
36
SOURCES/CVE-2024-0229-3.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Thu, 21 Dec 2023 13:48:10 +1000
|
||||
Subject: [PATCH 4/9] Xi: when creating a new ButtonClass, set the number of
|
||||
buttons
|
||||
|
||||
There's a racy sequence where a master device may copy the button class
|
||||
from the slave, without ever initializing numButtons. This leads to a
|
||||
device with zero buttons but a button class which is invalid.
|
||||
|
||||
Let's copy the numButtons value from the source - by definition if we
|
||||
don't have a button class yet we do not have any other slave devices
|
||||
with more than this number of buttons anyway.
|
||||
|
||||
CVE-2024-0229, ZDI-CAN-22678
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
Xi/exevents.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/Xi/exevents.c b/Xi/exevents.c
|
||||
index 54ea11a938..e161714682 100644
|
||||
--- a/Xi/exevents.c
|
||||
+++ b/Xi/exevents.c
|
||||
@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
|
||||
to->button = calloc(1, sizeof(ButtonClassRec));
|
||||
if (!to->button)
|
||||
FatalError("[Xi] no memory for class shift.\n");
|
||||
+ to->button->numButtons = from->button->numButtons;
|
||||
}
|
||||
else
|
||||
classes->button = NULL;
|
||||
--
|
||||
GitLab
|
108
SOURCES/CVE-2024-21885.patch
Normal file
108
SOURCES/CVE-2024-21885.patch
Normal file
@ -0,0 +1,108 @@
|
||||
From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Thu, 4 Jan 2024 10:01:24 +1000
|
||||
Subject: [PATCH 5/9] Xi: flush hierarchy events after adding/removing master
|
||||
devices
|
||||
|
||||
The `XISendDeviceHierarchyEvent()` function allocates space to store up
|
||||
to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
|
||||
|
||||
If a device with a given ID was removed and a new device with the same
|
||||
ID added both in the same operation, the single device ID will lead to
|
||||
two info structures being written to `info`.
|
||||
|
||||
Since this case can occur for every device ID at once, a total of two
|
||||
times `MAXDEVICES` info structures might be written to the allocation.
|
||||
|
||||
To avoid it, once one add/remove master is processed, send out the
|
||||
device hierarchy event for the current state and continue. That event
|
||||
thus only ever has exactly one of either added/removed in it (and
|
||||
optionally slave attached/detached).
|
||||
|
||||
CVE-2024-21885, ZDI-CAN-22744
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++-----
|
||||
1 file changed, 22 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
|
||||
index d2d985848d..72d00451e3 100644
|
||||
--- a/Xi/xichangehierarchy.c
|
||||
+++ b/Xi/xichangehierarchy.c
|
||||
@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
|
||||
size_t len; /* length of data remaining in request */
|
||||
int rc = Success;
|
||||
int flags[MAXDEVICES] = { 0 };
|
||||
+ enum {
|
||||
+ NO_CHANGE,
|
||||
+ FLUSH,
|
||||
+ CHANGED,
|
||||
+ } changes = NO_CHANGE;
|
||||
|
||||
REQUEST(xXIChangeHierarchyReq);
|
||||
REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
|
||||
@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
||||
rc = add_master(client, c, flags);
|
||||
if (rc != Success)
|
||||
goto unwind;
|
||||
- }
|
||||
+ changes = FLUSH;
|
||||
break;
|
||||
+ }
|
||||
case XIRemoveMaster:
|
||||
{
|
||||
xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
|
||||
@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
||||
rc = remove_master(client, r, flags);
|
||||
if (rc != Success)
|
||||
goto unwind;
|
||||
- }
|
||||
+ changes = FLUSH;
|
||||
break;
|
||||
+ }
|
||||
case XIDetachSlave:
|
||||
{
|
||||
xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
|
||||
@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
|
||||
rc = detach_slave(client, c, flags);
|
||||
if (rc != Success)
|
||||
goto unwind;
|
||||
- }
|
||||
+ changes = CHANGED;
|
||||
break;
|
||||
+ }
|
||||
case XIAttachSlave:
|
||||
{
|
||||
xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
|
||||
@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
|
||||
rc = attach_slave(client, c, flags);
|
||||
if (rc != Success)
|
||||
goto unwind;
|
||||
+ changes = CHANGED;
|
||||
+ break;
|
||||
}
|
||||
+ default:
|
||||
break;
|
||||
}
|
||||
|
||||
+ if (changes == FLUSH) {
|
||||
+ XISendDeviceHierarchyEvent(flags);
|
||||
+ memset(flags, 0, sizeof(flags));
|
||||
+ changes = NO_CHANGE;
|
||||
+ }
|
||||
+
|
||||
len -= any->length * 4;
|
||||
any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
|
||||
}
|
||||
|
||||
unwind:
|
||||
-
|
||||
- XISendDeviceHierarchyEvent(flags);
|
||||
+ if (changes != NO_CHANGE)
|
||||
+ XISendDeviceHierarchyEvent(flags);
|
||||
return rc;
|
||||
}
|
||||
--
|
||||
GitLab
|
69
SOURCES/CVE-2024-21886-1.patch
Normal file
69
SOURCES/CVE-2024-21886-1.patch
Normal file
@ -0,0 +1,69 @@
|
||||
From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Fri, 22 Dec 2023 18:28:31 +0100
|
||||
Subject: [PATCH 6/9] Xi: do not keep linked list pointer during recursion
|
||||
|
||||
The `DisableDevice()` function is called whenever an enabled device
|
||||
is disabled and it moves the device from the `inputInfo.devices` linked
|
||||
list to the `inputInfo.off_devices` linked list.
|
||||
|
||||
However, its link/unlink operation has an issue during the recursive
|
||||
call to `DisableDevice()` due to the `prev` pointer pointing to a
|
||||
removed device.
|
||||
|
||||
This issue leads to a length mismatch between the total number of
|
||||
devices and the number of device in the list, leading to a heap
|
||||
overflow and, possibly, to local privilege escalation.
|
||||
|
||||
Simplify the code that checked whether the device passed to
|
||||
`DisableDevice()` was in `inputInfo.devices` or not and find the
|
||||
previous device after the recursion.
|
||||
|
||||
CVE-2024-21886, ZDI-CAN-22840
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
---
|
||||
dix/devices.c | 15 ++++++++++++---
|
||||
1 file changed, 12 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/dix/devices.c b/dix/devices.c
|
||||
index dca98c8d1b..389d28a23c 100644
|
||||
--- a/dix/devices.c
|
||||
+++ b/dix/devices.c
|
||||
@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
||||
{
|
||||
DeviceIntPtr *prev, other;
|
||||
BOOL enabled;
|
||||
+ BOOL dev_in_devices_list = FALSE;
|
||||
int flags[MAXDEVICES] = { 0 };
|
||||
|
||||
if (!dev->enabled)
|
||||
return TRUE;
|
||||
|
||||
- for (prev = &inputInfo.devices;
|
||||
- *prev && (*prev != dev); prev = &(*prev)->next);
|
||||
- if (*prev != dev)
|
||||
+ for (other = inputInfo.devices; other; other = other->next) {
|
||||
+ if (other == dev) {
|
||||
+ dev_in_devices_list = TRUE;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!dev_in_devices_list)
|
||||
return FALSE;
|
||||
|
||||
TouchEndPhysicallyActiveTouches(dev);
|
||||
@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
||||
LeaveWindow(dev);
|
||||
SetFocusOut(dev);
|
||||
|
||||
+ for (prev = &inputInfo.devices;
|
||||
+ *prev && (*prev != dev); prev = &(*prev)->next);
|
||||
+
|
||||
*prev = dev->next;
|
||||
dev->next = inputInfo.off_devices;
|
||||
inputInfo.off_devices = dev;
|
||||
--
|
||||
GitLab
|
52
SOURCES/CVE-2024-21886-2.patch
Normal file
52
SOURCES/CVE-2024-21886-2.patch
Normal file
@ -0,0 +1,52 @@
|
||||
From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Fri, 5 Jan 2024 09:40:27 +1000
|
||||
Subject: [PATCH 7/9] dix: when disabling a master, float disabled slaved
|
||||
devices too
|
||||
|
||||
Disabling a master device floats all slave devices but we didn't do this
|
||||
to already-disabled slave devices. As a result those devices kept their
|
||||
reference to the master device resulting in access to already freed
|
||||
memory if the master device was removed before the corresponding slave
|
||||
device.
|
||||
|
||||
And to match this behavior, also forcibly reset that pointer during
|
||||
CloseDownDevices().
|
||||
|
||||
Related to CVE-2024-21886, ZDI-CAN-22840
|
||||
---
|
||||
dix/devices.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/dix/devices.c b/dix/devices.c
|
||||
index 389d28a23c..84a6406d13 100644
|
||||
--- a/dix/devices.c
|
||||
+++ b/dix/devices.c
|
||||
@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
||||
flags[other->id] |= XISlaveDetached;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ for (other = inputInfo.off_devices; other; other = other->next) {
|
||||
+ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
|
||||
+ AttachDevice(NULL, other, NULL);
|
||||
+ flags[other->id] |= XISlaveDetached;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
else {
|
||||
for (other = inputInfo.devices; other; other = other->next) {
|
||||
@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
|
||||
dev->master = NULL;
|
||||
}
|
||||
|
||||
+ for (dev = inputInfo.off_devices; dev; dev = dev->next) {
|
||||
+ if (!IsMaster(dev) && !IsFloating(dev))
|
||||
+ dev->master = NULL;
|
||||
+ }
|
||||
+
|
||||
CloseDeviceList(&inputInfo.devices);
|
||||
CloseDeviceList(&inputInfo.off_devices);
|
||||
|
||||
--
|
||||
GitLab
|
@ -0,0 +1,77 @@
|
||||
From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001
|
||||
From: Povilas Kanapickas <povilas@radix.lt>
|
||||
Date: Sun, 19 Dec 2021 18:11:07 +0200
|
||||
Subject: [PATCH] dix: Fix use after free in input device shutdown
|
||||
|
||||
This fixes access to freed heap memory via dev->master. E.g. when
|
||||
running BarrierNotify.ReceivesNotifyEvents/7 test from
|
||||
xorg-integration-tests:
|
||||
|
||||
==24736==ERROR: AddressSanitizer: heap-use-after-free on address
|
||||
0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
|
||||
READ of size 4 at 0x619000065020 thread T0
|
||||
#0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
|
||||
#1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
|
||||
#2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
|
||||
../../../Xi/xichangehierarchy.c:95
|
||||
#4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
|
||||
../../../hw/xfree86/common/xf86Xinput.c:1142
|
||||
#6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
|
||||
#7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
|
||||
#8 0x55c450e837ef in dix_main ../../../dix/main.c:302
|
||||
#9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
|
||||
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
|
||||
#11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)
|
||||
|
||||
0x619000065020 is located 160 bytes inside of 912-byte region
|
||||
[0x619000064f80,0x619000065310)
|
||||
freed by thread T0 here:
|
||||
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
|
||||
#1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
|
||||
#2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
|
||||
../../../hw/xfree86/common/xf86Xinput.c:1142
|
||||
#4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
|
||||
#5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
|
||||
#6 0x55c450e837ef in dix_main ../../../dix/main.c:302
|
||||
#7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
|
||||
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
|
||||
|
||||
previously allocated by thread T0 here:
|
||||
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
|
||||
#1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
|
||||
#2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
|
||||
#3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
|
||||
../../../Xi/xichangehierarchy.c:465
|
||||
#5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
|
||||
#6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
|
||||
#7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
|
||||
#8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
|
||||
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
|
||||
|
||||
The problem is caused by dev->master being not reset when disabling the
|
||||
device, which then causes dangling pointer when the master device itself
|
||||
is being deleted when exiting whole server.
|
||||
|
||||
Note that RecalculateMasterButtons() requires dev->master to be still
|
||||
valid, so we can reset it only at the end of function.
|
||||
|
||||
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
||||
---
|
||||
dix/devices.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/dix/devices.c b/dix/devices.c
|
||||
index e62c34c55e..5f9ce1678f 100644
|
||||
--- a/dix/devices.c
|
||||
+++ b/dix/devices.c
|
||||
@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
|
||||
}
|
||||
|
||||
RecalculateMasterButtons(dev);
|
||||
+ dev->master = NULL;
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
--
|
||||
GitLab
|
||||
|
@ -1,265 +0,0 @@
|
||||
From 69b0fd6d77ea5968bd815188ee2bda3d282ebc60 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Grulich <jgrulich@redhat.com>
|
||||
Date: Mon, 29 Jul 2024 14:31:14 +0200
|
||||
Subject: [PATCH] Add option allowing to connect only the user owning the
|
||||
running session
|
||||
|
||||
Checks, whether the user who is trying to authenticate is already logged
|
||||
into the running session in order to allow or reject the connection.
|
||||
This is expected to be used with 'plain' security type in combination
|
||||
with 'PlainUsers=*' option allowing everyone to connect to the session.
|
||||
---
|
||||
common/rfb/VNCServerST.cxx | 7 --
|
||||
unix/x0vncserver/XDesktop.cxx | 8 ++
|
||||
unix/xserver/hw/vnc/XserverDesktop.cc | 137 ++++++++++++++++++++++++++
|
||||
unix/xserver/hw/vnc/XserverDesktop.h | 7 ++
|
||||
unix/xserver/hw/vnc/Xvnc.man | 7 ++
|
||||
5 files changed, 159 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/common/rfb/VNCServerST.cxx b/common/rfb/VNCServerST.cxx
|
||||
index b99d33b..aa8d53e 100644
|
||||
--- a/common/rfb/VNCServerST.cxx
|
||||
+++ b/common/rfb/VNCServerST.cxx
|
||||
@@ -682,13 +682,6 @@ void VNCServerST::queryConnection(VNCSConnectionST* client,
|
||||
return;
|
||||
}
|
||||
|
||||
- // - Are we configured to do queries?
|
||||
- if (!rfb::Server::queryConnect &&
|
||||
- !client->getSock()->requiresQuery()) {
|
||||
- approveConnection(client->getSock(), true, nullptr);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
// - Does the client have the right to bypass the query?
|
||||
if (client->accessCheck(AccessNoQuery))
|
||||
{
|
||||
diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx
|
||||
index b43e3f7..3d00e23 100644
|
||||
--- a/unix/x0vncserver/XDesktop.cxx
|
||||
+++ b/unix/x0vncserver/XDesktop.cxx
|
||||
@@ -31,6 +31,7 @@
|
||||
#include <network/Socket.h>
|
||||
|
||||
#include <rfb/LogWriter.h>
|
||||
+#include <rfb/ServerCore.h>
|
||||
|
||||
#include <x0vncserver/XDesktop.h>
|
||||
|
||||
@@ -320,6 +321,13 @@ void XDesktop::queryConnection(network::Socket* sock,
|
||||
{
|
||||
assert(isRunning());
|
||||
|
||||
+ // - Are we configured to do queries?
|
||||
+ if (!rfb::Server::queryConnect &&
|
||||
+ !sock->requiresQuery()) {
|
||||
+ server->approveConnection(sock, true, nullptr);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
// Someone already querying?
|
||||
if (queryConnectSock) {
|
||||
std::list<network::Socket*> sockets;
|
||||
diff --git a/unix/xserver/hw/vnc/XserverDesktop.cc b/unix/xserver/hw/vnc/XserverDesktop.cc
|
||||
index 260ed3a..c8741f6 100644
|
||||
--- a/unix/xserver/hw/vnc/XserverDesktop.cc
|
||||
+++ b/unix/xserver/hw/vnc/XserverDesktop.cc
|
||||
@@ -51,6 +51,11 @@
|
||||
#include "XorgGlue.h"
|
||||
#include "vncInput.h"
|
||||
|
||||
+#if HAVE_SYSTEMD_DAEMON
|
||||
+# include <pwd.h>
|
||||
+# include <systemd/sd-login.h>
|
||||
+#endif
|
||||
+
|
||||
extern "C" {
|
||||
void vncSetGlueContext(int screenIndex);
|
||||
void vncPresentMscEvent(uint64_t id, uint64_t msc);
|
||||
@@ -71,6 +76,15 @@ IntParameter queryConnectTimeout("QueryConnectTimeout",
|
||||
"rejecting the connection",
|
||||
10);
|
||||
|
||||
+#ifdef HAVE_SYSTEMD_DAEMON
|
||||
+BoolParameter approveLoggedUserOnly
|
||||
+("ApproveLoggedUserOnly",
|
||||
+ "Approve only the user who is currently logged into the session."
|
||||
+ "This is expected to be combined with 'plain' security type and with "
|
||||
+ "'PlainUsers=*' option allowing everyone to connect to the session."
|
||||
+ "Default is off.",
|
||||
+ false);
|
||||
+#endif
|
||||
|
||||
XserverDesktop::XserverDesktop(int screenIndex_,
|
||||
std::list<network::SocketListener*> listeners_,
|
||||
@@ -164,11 +178,134 @@ void XserverDesktop::init(rfb::VNCServer* vs)
|
||||
// ready state
|
||||
}
|
||||
|
||||
+#ifdef HAVE_SYSTEMD_DAEMON
|
||||
+bool XserverDesktop::checkUserLogged(const char* userName)
|
||||
+{
|
||||
+ bool ret = false;
|
||||
+ bool noUserSession = true;
|
||||
+ int res;
|
||||
+ char **sessions;
|
||||
+
|
||||
+ res = sd_get_sessions(&sessions);
|
||||
+ if (res < 0) {
|
||||
+ vlog.debug("logind: failed to get sessions");
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ if (sessions != nullptr && sessions[0] != nullptr) {
|
||||
+ for (int i = 0; sessions[i]; i++) {
|
||||
+ uid_t uid;
|
||||
+ char *clazz;
|
||||
+ char *display;
|
||||
+ char *type;
|
||||
+ char *state;
|
||||
+
|
||||
+ res = sd_session_get_type(sessions[i], &type);
|
||||
+ if (res < 0) {
|
||||
+ vlog.debug("logind: failed to determine session type");
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (strcmp(type, "x11") != 0) {
|
||||
+ free(type);
|
||||
+ continue;
|
||||
+ }
|
||||
+ free(type);
|
||||
+
|
||||
+ res = sd_session_get_display(sessions[i], &display);
|
||||
+ if (res < 0) {
|
||||
+ vlog.debug("logind: failed to determine display of session");
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ std::string serverDisplay = ":" + std::to_string(screenIndex);
|
||||
+ std::string serverDisplayIPv4 = "127.0.0.1:" + std::to_string(screenIndex);
|
||||
+ std::string serverDisplayIPv6 = "::1:" + std::to_string(screenIndex);
|
||||
+ if ((strcmp(display, serverDisplay.c_str()) != 0) &&
|
||||
+ (strcmp(display, serverDisplayIPv4.c_str()) != 0) &&
|
||||
+ (strcmp(display, serverDisplayIPv6.c_str()) != 0)) {
|
||||
+ free(display);
|
||||
+ continue;
|
||||
+ }
|
||||
+ free(display);
|
||||
+
|
||||
+ res = sd_session_get_class(sessions[i], &clazz);
|
||||
+ if (res < 0) {
|
||||
+ vlog.debug("logind: failed to determine session class");
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ res = sd_session_get_state(sessions[i], &state);
|
||||
+ if (res < 0) {
|
||||
+ vlog.debug("logind: failed to determine session state");
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (strcmp(state, "closing") == 0) {
|
||||
+ free(state);
|
||||
+ continue;
|
||||
+ }
|
||||
+ free(state);
|
||||
+
|
||||
+ res = sd_session_get_uid(sessions[i], &uid);
|
||||
+ if (res < 0) {
|
||||
+ vlog.debug("logind: failed to determine user id of session");
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (uid != 0 && strcmp(clazz, "user") == 0) {
|
||||
+ noUserSession = false;
|
||||
+ }
|
||||
+ free(clazz);
|
||||
+
|
||||
+ struct passwd *pw = getpwnam(userName);
|
||||
+ if (!pw) {
|
||||
+ vlog.debug("logind: user not found");
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (uid == pw->pw_uid) {
|
||||
+ ret = true;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (sessions) {
|
||||
+ for (int i = 0; sessions[i]; i ++) {
|
||||
+ free(sessions[i]);
|
||||
+ }
|
||||
+
|
||||
+ free (sessions);
|
||||
+ }
|
||||
+
|
||||
+ // If we didn't find a matching user, we can still allow the user
|
||||
+ // to log in if there is no user session yet.
|
||||
+ return !ret ? noUserSession : ret;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
void XserverDesktop::queryConnection(network::Socket* sock,
|
||||
const char* userName)
|
||||
{
|
||||
int count;
|
||||
|
||||
+#ifdef HAVE_SYSTEMD_DAEMON
|
||||
+ // - Only owner of the session can be approved
|
||||
+ if (approveLoggedUserOnly && !checkUserLogged(userName)) {
|
||||
+ server->approveConnection(sock, false,
|
||||
+ "The user is not owner of the running session");
|
||||
+ return;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ // - Are we configured to do queries?
|
||||
+ if (!rfb::Server::queryConnect &&
|
||||
+ !sock->requiresQuery()) {
|
||||
+ server->approveConnection(sock, true, nullptr);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (queryConnectTimer.isStarted()) {
|
||||
server->approveConnection(sock, false, "Another connection is currently being queried.");
|
||||
return;
|
||||
diff --git a/unix/xserver/hw/vnc/XserverDesktop.h b/unix/xserver/hw/vnc/XserverDesktop.h
|
||||
index 8c543db..8d6bde4 100644
|
||||
--- a/unix/xserver/hw/vnc/XserverDesktop.h
|
||||
+++ b/unix/xserver/hw/vnc/XserverDesktop.h
|
||||
@@ -108,6 +108,13 @@ public:
|
||||
void grabRegion(const rfb::Region& r) override;
|
||||
|
||||
protected:
|
||||
+#ifdef HAVE_SYSTEMD_DAEMON
|
||||
+ // - Check whether user is logged into a session
|
||||
+ // Returns true if user is already logged or there is no
|
||||
+ // user session at all.
|
||||
+ bool checkUserLogged(const char* userName);
|
||||
+#endif
|
||||
+
|
||||
bool handleListenerEvent(int fd,
|
||||
std::list<network::SocketListener*>* sockets,
|
||||
rfb::VNCServer* sockserv);
|
||||
diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
|
||||
index d6b1664..24384df 100644
|
||||
--- a/unix/xserver/hw/vnc/Xvnc.man
|
||||
+++ b/unix/xserver/hw/vnc/Xvnc.man
|
||||
@@ -200,6 +200,13 @@ Never treat incoming connections as shared, regardless of the client-specified
|
||||
setting. Default is off.
|
||||
.
|
||||
.TP
|
||||
+.B \-ApproveLoggedUserOnly
|
||||
+Approve only the user who is currently logged into the session.
|
||||
+This is expected to be combined with "Plain" security type and with
|
||||
+"PlainUsers=*" option allowing everyone to connect to the session.
|
||||
+Default is off.
|
||||
+.
|
||||
+.TP
|
||||
.B \-pam_service \fIname\fP, \-PAMService \fIname\fP
|
||||
PAM service name to use when authentication users using any of the "Plain"
|
||||
security types. Default is \fBvnc\fP.
|
@ -1,27 +0,0 @@
|
||||
From 313200978926cc7b7521c0d645918391b7609681 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Grulich <jgrulich@redhat.com>
|
||||
Date: Thu, 27 Feb 2025 13:49:02 +0100
|
||||
Subject: [PATCH] Add SELinux policy rules allowing to access
|
||||
/proc/sys/fs/nr_open
|
||||
|
||||
This is needed when the nofile limit is set to unlimited, otherwise we
|
||||
will fail to start a VNC session.
|
||||
---
|
||||
unix/vncserver/selinux/vncsession.te | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
|
||||
index d92f1bd..2ce4fc8 100644
|
||||
--- a/unix/vncserver/selinux/vncsession.te
|
||||
+++ b/unix/vncserver/selinux/vncsession.te
|
||||
@@ -37,6 +37,10 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms;
|
||||
allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
|
||||
|
||||
+# Allow access to /proc/sys/fs/nr_open
|
||||
+# Needed when the nofile limit is set to unlimited.
|
||||
+kernel_read_fs_sysctls(vnc_session_t)
|
||||
+
|
||||
# Allowed to create ~/.local
|
||||
optional_policy(`
|
||||
gnome_filetrans_home_content(vnc_session_t)
|
@ -1,47 +0,0 @@
|
||||
From e652f06940f84fd8e19d7b674ae8c6000530fb40 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Grulich <jgrulich@redhat.com>
|
||||
Date: Fri, 7 Feb 2025 15:32:49 +0100
|
||||
Subject: [PATCH] Add SELinux policy rules allowing to create directories under
|
||||
/root
|
||||
|
||||
We have policy that allows to create ~/.local or ~/.config, but we don't
|
||||
have rule that allows the same under /root directory, where we fail in
|
||||
case any of these directories doesn't exist.
|
||||
---
|
||||
unix/vncserver/selinux/vncsession.te | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
|
||||
index d92f1bda7d..2f49717077 100644
|
||||
--- a/unix/vncserver/selinux/vncsession.te
|
||||
+++ b/unix/vncserver/selinux/vncsession.te
|
||||
@@ -48,6 +48,14 @@ optional_policy(`
|
||||
create_dirs_pattern(vnc_session_t, gconf_home_t, gconf_home_t)
|
||||
')
|
||||
|
||||
+# Allowed to create /root/.local
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type admin_home_t;
|
||||
+ ')
|
||||
+ create_dirs_pattern(vnc_session_t, admin_home_t, admin_home_t)
|
||||
+')
|
||||
+
|
||||
# Manage TigerVNC files (mainly ~/.local/state/*.log)
|
||||
create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
|
||||
manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
|
||||
@@ -88,6 +96,7 @@ optional_policy(`
|
||||
gen_require(`
|
||||
attribute userdomain;
|
||||
type gconf_home_t;
|
||||
+ type admin_home_t;
|
||||
')
|
||||
userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
|
||||
userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
|
||||
@@ -95,5 +104,6 @@ optional_policy(`
|
||||
gnome_config_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
|
||||
gnome_data_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
|
||||
filetrans_pattern(userdomain, gconf_home_t, vnc_home_t, dir, "tigervnc")
|
||||
+ filetrans_pattern(vnc_session_t, admin_home_t, vnc_home_t, dir, "tigervnc")
|
||||
filetrans_pattern(vnc_session_t, gconf_home_t, vnc_home_t, dir, "tigervnc")
|
||||
')
|
@ -1,14 +0,0 @@
|
||||
diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx
|
||||
index 466aa1a2..197d60dc 100644
|
||||
--- a/unix/vncpasswd/vncpasswd.cxx
|
||||
+++ b/unix/vncpasswd/vncpasswd.cxx
|
||||
@@ -147,8 +147,7 @@ static std::vector<uint8_t> readpassword() {
|
||||
}
|
||||
|
||||
if (first.size() > 8) {
|
||||
- fprintf(stderr,"Password should not be greater than 8 characters\nBecause only 8 valid characters are used - try again\n");
|
||||
- continue;
|
||||
+ fprintf(stderr,"Password should not be greater than 8 characters\nBecause only 8 valid characters are used\n");
|
||||
}
|
||||
|
||||
#ifdef HAVE_PWQUALITY
|
@ -0,0 +1,13 @@
|
||||
diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c
|
||||
index b3d0926d..d36a096f 100644
|
||||
--- a/unix/xserver/hw/vnc/vncInput.c
|
||||
+++ b/unix/xserver/hw/vnc/vncInput.c
|
||||
@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y)
|
||||
|
||||
void vncGetPointerPos(int *x, int *y)
|
||||
{
|
||||
- if (vncPointerDev != NULL) {
|
||||
+ if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) {
|
||||
ScreenPtr ptrScreen;
|
||||
|
||||
miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY);
|
@ -1,53 +0,0 @@
|
||||
diff --git a/po/CMakeLists.txt b/po/CMakeLists.txt
|
||||
index 7d316e7..4f872d0 100644
|
||||
--- a/po/CMakeLists.txt
|
||||
+++ b/po/CMakeLists.txt
|
||||
@@ -15,7 +15,6 @@ if (GETTEXT_XGETTEXT_EXECUTABLE)
|
||||
${PROJECT_SOURCE_DIR}/vncviewer/*.h
|
||||
${PROJECT_SOURCE_DIR}/vncviewer/*.cxx
|
||||
${PROJECT_SOURCE_DIR}/vncviewer/*.desktop.in.in
|
||||
- ${PROJECT_SOURCE_DIR}/vncviewer/*.metainfo.xml.in
|
||||
)
|
||||
|
||||
add_custom_target(translations_update
|
||||
diff --git a/vncviewer/CMakeLists.txt b/vncviewer/CMakeLists.txt
|
||||
index 72904b2..6a39062 100644
|
||||
--- a/vncviewer/CMakeLists.txt
|
||||
+++ b/vncviewer/CMakeLists.txt
|
||||
@@ -108,36 +108,6 @@ if(UNIX)
|
||||
add_custom_target(desktop ALL DEPENDS vncviewer.desktop)
|
||||
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncviewer.desktop DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/applications)
|
||||
|
||||
- if("${GETTEXT_VERSION_STRING}" VERSION_GREATER 0.19.6)
|
||||
- add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
|
||||
- COMMAND ${GETTEXT_MSGFMT_EXECUTABLE}
|
||||
- --xml --template ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
|
||||
- -d ${CMAKE_SOURCE_DIR}/po -o org.tigervnc.vncviewer.metainfo.xml
|
||||
- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
|
||||
- ${po_FILES}
|
||||
- )
|
||||
- elseif(INTLTOOL_MERGE_EXECUTABLE)
|
||||
- add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
|
||||
- COMMAND sed -e 's@<name>@<_name>@\;s@</name>@</_name>@'
|
||||
- -e 's@<summary>@<_summary>@\;s@</summary>@</_summary>@'
|
||||
- -e 's@<caption>@<_caption>@\;s@</caption>@</_caption>@'
|
||||
- -e 's@<p>@<_p>@g\;s@</p>@</_p>@g'
|
||||
- ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in > org.tigervnc.vncviewer.metainfo.xml.intl
|
||||
- COMMAND ${INTLTOOL_MERGE_EXECUTABLE}
|
||||
- -x ${CMAKE_SOURCE_DIR}/po
|
||||
- org.tigervnc.vncviewer.metainfo.xml.intl org.tigervnc.vncviewer.metainfo.xml
|
||||
- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
|
||||
- ${po_FILES}
|
||||
- )
|
||||
- else()
|
||||
- add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
|
||||
- COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in org.tigervnc.vncviewer.metainfo.xml
|
||||
- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
|
||||
- )
|
||||
- endif()
|
||||
- add_custom_target(appstream ALL DEPENDS org.tigervnc.vncviewer.metainfo.xml)
|
||||
- install(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.tigervnc.vncviewer.metainfo.xml DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/metainfo)
|
||||
-
|
||||
foreach(res 16 22 24 32 48 64 128)
|
||||
install(FILES ../media/icons/tigervnc_${res}.png DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/icons/hicolor/${res}x${res}/apps RENAME tigervnc.png)
|
||||
endforeach()
|
@ -1,47 +0,0 @@
|
||||
From 1f1aaca09a1f9919f5169caea9c396b14c2af765 Mon Sep 17 00:00:00 2001
|
||||
From: Pierre Ossman <ossman@cendio.se>
|
||||
Date: Tue, 8 Apr 2025 14:41:04 +0200
|
||||
Subject: [PATCH] Don't print Xvnc banner before parsing args
|
||||
|
||||
If we'll be running in inetd mode, then stdout and stderr will be a
|
||||
client socket and not an appropriate place for logging.
|
||||
|
||||
Mimic what Xorg does instead.
|
||||
---
|
||||
unix/xserver/hw/vnc/xvnc.c | 9 +++++----
|
||||
1 file changed, 5 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
|
||||
index ddb249937..a13168c47 100644
|
||||
--- a/unix/xserver/hw/vnc/xvnc.c
|
||||
+++ b/unix/xserver/hw/vnc/xvnc.c
|
||||
@@ -446,7 +446,7 @@ ddxProcessArgument(int argc, char *argv[], int i)
|
||||
}
|
||||
|
||||
if (!strcmp(argv[i], "-showconfig") || !strcmp(argv[i], "-version")) {
|
||||
- /* Already shown at start */
|
||||
+ vncPrintBanner();
|
||||
exit(0);
|
||||
}
|
||||
|
||||
@@ -1171,8 +1171,11 @@ InitOutput(ScreenInfo * scrInfo, int argc, char **argv)
|
||||
int i;
|
||||
int NumFormats = 0;
|
||||
|
||||
- if (serverGeneration == 1)
|
||||
+ if (serverGeneration == 1) {
|
||||
+ vncPrintBanner();
|
||||
+
|
||||
LoadExtensionList(vncExtensions, ARRAY_SIZE(vncExtensions), TRUE);
|
||||
+ }
|
||||
|
||||
#if XORG_AT_LEAST(1, 20, 0)
|
||||
xorgGlxCreateVendor();
|
||||
@@ -1266,7 +1269,5 @@ vncClientGone(int fd)
|
||||
int
|
||||
main(int argc, char *argv[], char *envp[])
|
||||
{
|
||||
- vncPrintBanner();
|
||||
-
|
||||
return dix_main(argc, argv, envp);
|
||||
}
|
91
SOURCES/tigervnc-xserver120.patch
Normal file
91
SOURCES/tigervnc-xserver120.patch
Normal file
@ -0,0 +1,91 @@
|
||||
diff -up xserver/configure.ac.xserver116-rebased xserver/configure.ac
|
||||
--- xserver/configure.ac.xserver116-rebased 2016-09-29 13:14:45.595441590 +0200
|
||||
+++ xserver/configure.ac 2016-09-29 13:14:45.631442006 +0200
|
||||
@@ -74,6 +74,7 @@ dnl forcing an entire recompile.x
|
||||
AC_CONFIG_HEADERS(include/version-config.h)
|
||||
|
||||
AM_PROG_AS
|
||||
+AC_PROG_CXX
|
||||
AC_PROG_LN_S
|
||||
LT_PREREQ([2.2])
|
||||
LT_INIT([disable-static win32-dll])
|
||||
@@ -1863,6 +1864,10 @@ if test "x$XVFB" = xyes; then
|
||||
AC_SUBST([XVFB_SYS_LIBS])
|
||||
fi
|
||||
|
||||
+dnl Xvnc DDX
|
||||
+AC_SUBST([XVNC_CPPFLAGS], ["-DHAVE_DIX_CONFIG_H $XSERVER_CFLAGS"])
|
||||
+AC_SUBST([XVNC_LIBS], ["$FB_LIB $FIXES_LIB $XEXT_LIB $CONFIG_LIB $DBE_LIB $RECORD_LIB $GLX_LIBS $RANDR_LIB $RENDER_LIB $DAMAGE_LIB $DRI3_LIB $PRESENT_LIB $MIEXT_SYNC_LIB $MIEXT_DAMAGE_LIB $MIEXT_SHADOW_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $COMPOSITE_LIB $MAIN_LIB"])
|
||||
+AC_SUBST([XVNC_SYS_LIBS], ["$GLX_SYS_LIBS"])
|
||||
|
||||
dnl Xnest DDX
|
||||
|
||||
@@ -1898,6 +1903,8 @@ if test "x$XORG" = xauto; then
|
||||
fi
|
||||
AC_MSG_RESULT([$XORG])
|
||||
|
||||
+AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version])
|
||||
+
|
||||
if test "x$XORG" = xyes; then
|
||||
XORG_DDXINCS='-I$(top_srcdir)/hw/xfree86 -I$(top_srcdir)/hw/xfree86/include -I$(top_srcdir)/hw/xfree86/common'
|
||||
XORG_OSINCS='-I$(top_srcdir)/hw/xfree86/os-support -I$(top_srcdir)/hw/xfree86/os-support/bus -I$(top_srcdir)/os'
|
||||
@@ -2116,7 +2123,6 @@ if test "x$XORG" = xyes; then
|
||||
AC_DEFINE(XORG_SERVER, 1, [Building Xorg server])
|
||||
AC_DEFINE(XORGSERVER, 1, [Building Xorg server])
|
||||
AC_DEFINE(XFree86Server, 1, [Building XFree86 server])
|
||||
- AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version])
|
||||
AC_DEFINE(NEED_XF86_TYPES, 1, [Need XFree86 typedefs])
|
||||
AC_DEFINE(NEED_XF86_PROTOTYPES, 1, [Need XFree86 helper functions])
|
||||
AC_DEFINE(__XSERVERNAME__, "Xorg", [Name of X server])
|
||||
@@ -2691,6 +2697,7 @@ hw/dmx/Makefile
|
||||
hw/dmx/man/Makefile
|
||||
hw/vfb/Makefile
|
||||
hw/vfb/man/Makefile
|
||||
+hw/vnc/Makefile
|
||||
hw/xnest/Makefile
|
||||
hw/xnest/man/Makefile
|
||||
hw/xwin/Makefile
|
||||
diff -up xserver/hw/Makefile.am.xserver116-rebased xserver/hw/Makefile.am
|
||||
--- xserver/hw/Makefile.am.xserver116-rebased 2016-09-29 13:14:45.601441659 +0200
|
||||
+++ xserver/hw/Makefile.am 2016-09-29 13:14:45.631442006 +0200
|
||||
@@ -38,7 +38,8 @@ SUBDIRS = \
|
||||
$(DMX_SUBDIRS) \
|
||||
$(KDRIVE_SUBDIRS) \
|
||||
$(XQUARTZ_SUBDIRS) \
|
||||
- $(XWAYLAND_SUBDIRS)
|
||||
+ $(XWAYLAND_SUBDIRS) \
|
||||
+ vnc
|
||||
|
||||
DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland
|
||||
|
||||
diff --git xserver/mi/miinitext.c xserver/mi/miinitext.c
|
||||
index 5596e21..003fc3c 100644
|
||||
--- xserver/mi/miinitext.c
|
||||
+++ xserver/mi/miinitext.c
|
||||
@@ -107,8 +107,15 @@ SOFTWARE.
|
||||
#include "os.h"
|
||||
#include "globals.h"
|
||||
|
||||
+#ifdef TIGERVNC
|
||||
+extern void vncExtensionInit(INITARGS);
|
||||
+#endif
|
||||
+
|
||||
/* List of built-in (statically linked) extensions */
|
||||
static const ExtensionModule staticExtensions[] = {
|
||||
+#ifdef TIGERVNC
|
||||
+ {vncExtensionInit, "VNC-EXTENSION", NULL},
|
||||
+#endif
|
||||
{GEExtensionInit, "Generic Event Extension", &noGEExtension},
|
||||
{ShapeExtensionInit, "SHAPE", NULL},
|
||||
#ifdef MITSHM
|
||||
--- xserver/include/os.h~ 2016-10-03 09:07:29.000000000 +0200
|
||||
+++ xserver/include/os.h 2016-10-03 14:13:00.013654506 +0200
|
||||
@@ -621,7 +621,7 @@
|
||||
extern _X_EXPORT void
|
||||
LogClose(enum ExitCode error);
|
||||
extern _X_EXPORT Bool
|
||||
-LogSetParameter(LogParameter param, int value);
|
||||
+LogSetParameter(enum _LogParameter param, int value);
|
||||
extern _X_EXPORT void
|
||||
LogVWrite(int verb, const char *f, va_list args)
|
||||
_X_ATTRIBUTE_PRINTF(2, 0);
|
@ -1,46 +0,0 @@
|
||||
From ded614e74e7175927dd2bc5ef69accaf2de29939 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Wed, 4 Dec 2024 15:49:43 +1000
|
||||
Subject: [PATCH xserver 2/2] dix: keep a ref to the rootCursor
|
||||
|
||||
CreateCursor returns a cursor with refcount 1 - that refcount is used by
|
||||
the resource system, any caller needs to call RefCursor to get their own
|
||||
reference. That happens correctly for normal cursors but for our
|
||||
rootCursor we keep a variable to the cursor despite not having a ref for
|
||||
ourselves.
|
||||
|
||||
Fix this by reffing/unreffing the rootCursor to ensure our pointer is
|
||||
valid.
|
||||
|
||||
Related to CVE-2025-26594, ZDI-CAN-25544
|
||||
|
||||
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
---
|
||||
dix/main.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/dix/main.c b/dix/main.c
|
||||
index aa7b020b2..0c57ba605 100644
|
||||
--- a/dix/main.c
|
||||
+++ b/dix/main.c
|
||||
@@ -235,6 +235,8 @@ dix_main(int argc, char *argv[], char *envp[])
|
||||
defaultCursorFont);
|
||||
}
|
||||
|
||||
+ rootCursor = RefCursor(rootCursor);
|
||||
+
|
||||
#ifdef PANORAMIX
|
||||
/*
|
||||
* Consolidate window and colourmap information for each screen
|
||||
@@ -275,6 +277,8 @@ dix_main(int argc, char *argv[], char *envp[])
|
||||
|
||||
Dispatch();
|
||||
|
||||
+ UnrefCursor(rootCursor);
|
||||
+
|
||||
UndisplayDevices();
|
||||
DisableAllDevices();
|
||||
|
||||
--
|
||||
2.48.1
|
||||
|
@ -1,52 +0,0 @@
|
||||
From efca605c45ff51b57f136222b966ce1d610ebc33 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Wed, 27 Nov 2024 11:27:05 +0100
|
||||
Subject: [PATCH xserver 1/2] Cursor: Refuse to free the root cursor
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If a cursor reference count drops to 0, the cursor is freed.
|
||||
|
||||
The root cursor however is referenced with a specific global variable,
|
||||
and when the root cursor is freed, the global variable may still point
|
||||
to freed memory.
|
||||
|
||||
Make sure to prevent the rootCursor from being explicitly freed by a
|
||||
client.
|
||||
|
||||
CVE-2025-26594, ZDI-CAN-25544
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
|
||||
<peter.hutterer@who-t.net>)
|
||||
v3: Return BadCursor instead of BadValue (Michel Dänzer
|
||||
<michel@daenzer.net>)
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
dix/dispatch.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/dix/dispatch.c b/dix/dispatch.c
|
||||
index 5f7cfe02d..d1241fa96 100644
|
||||
--- a/dix/dispatch.c
|
||||
+++ b/dix/dispatch.c
|
||||
@@ -3039,6 +3039,10 @@ ProcFreeCursor(ClientPtr client)
|
||||
rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR,
|
||||
client, DixDestroyAccess);
|
||||
if (rc == Success) {
|
||||
+ if (pCursor == rootCursor) {
|
||||
+ client->errorValue = stuff->id;
|
||||
+ return BadCursor;
|
||||
+ }
|
||||
FreeResource(stuff->id, RT_NONE);
|
||||
return Success;
|
||||
}
|
||||
--
|
||||
2.48.1
|
||||
|
@ -1,60 +0,0 @@
|
||||
From 98602942c143075ab7464f917e0fc5d31ce28c3f Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Wed, 27 Nov 2024 14:41:45 +0100
|
||||
Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbVModMaskText()
|
||||
|
||||
The code in XkbVModMaskText() allocates a fixed sized buffer on the
|
||||
stack and copies the virtual mod name.
|
||||
|
||||
There's actually two issues in the code that can lead to a buffer
|
||||
overflow.
|
||||
|
||||
First, the bound check mixes pointers and integers using misplaced
|
||||
parenthesis, defeating the bound check.
|
||||
|
||||
But even though, if the check fails, the data is still copied, so the
|
||||
stack overflow will occur regardless.
|
||||
|
||||
Change the logic to skip the copy entirely if the bound check fails.
|
||||
|
||||
CVE-2025-26595, ZDI-CAN-25545
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
xkb/xkbtext.c | 16 ++++++++--------
|
||||
1 file changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
|
||||
index 018466420..93262528b 100644
|
||||
--- a/xkb/xkbtext.c
|
||||
+++ b/xkb/xkbtext.c
|
||||
@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb,
|
||||
len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
|
||||
if (format == XkbCFile)
|
||||
len += 4;
|
||||
- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
|
||||
- if (str != buf) {
|
||||
- if (format == XkbCFile)
|
||||
- *str++ = '|';
|
||||
- else
|
||||
- *str++ = '+';
|
||||
- len--;
|
||||
- }
|
||||
+ if ((str - buf) + len > VMOD_BUFFER_SIZE)
|
||||
+ continue; /* Skip */
|
||||
+ if (str != buf) {
|
||||
+ if (format == XkbCFile)
|
||||
+ *str++ = '|';
|
||||
+ else
|
||||
+ *str++ = '+';
|
||||
+ len--;
|
||||
}
|
||||
if (format == XkbCFile)
|
||||
sprintf(str, "%sMask", tmp);
|
||||
--
|
||||
2.48.1
|
||||
|
@ -1,44 +0,0 @@
|
||||
From b41f6fce201e77a174550935330e2f7772d4adf9 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Thu, 28 Nov 2024 11:49:34 +0100
|
||||
Subject: [PATCH xserver] xkb: Fix computation of XkbSizeKeySyms
|
||||
|
||||
The computation of the length in XkbSizeKeySyms() differs from what is
|
||||
actually written in XkbWriteKeySyms(), leading to a heap overflow.
|
||||
|
||||
Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms()
|
||||
does.
|
||||
|
||||
CVE-2025-26596, ZDI-CAN-25543
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
xkb/xkb.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
||||
index 85659382d..744dba63d 100644
|
||||
--- a/xkb/xkb.c
|
||||
+++ b/xkb/xkb.c
|
||||
@@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep)
|
||||
len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc);
|
||||
symMap = &xkb->map->key_sym_map[rep->firstKeySym];
|
||||
for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) {
|
||||
- if (symMap->offset != 0) {
|
||||
- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
|
||||
- nSyms += nSymsThisKey;
|
||||
- }
|
||||
+ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
|
||||
+ if (nSymsThisKey == 0)
|
||||
+ continue;
|
||||
+ nSyms += nSymsThisKey;
|
||||
}
|
||||
len += nSyms * 4;
|
||||
rep->totalSyms = nSyms;
|
||||
--
|
||||
2.48.1
|
||||
|
@ -1,41 +0,0 @@
|
||||
From c5114475db18f29d639537d60e135bdfc11a5d3a Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Thu, 28 Nov 2024 14:09:04 +0100
|
||||
Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbChangeTypesOfKey()
|
||||
|
||||
If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
|
||||
key syms to 0 but leave the key actions unchanged.
|
||||
|
||||
If later, the same function is called with a non-zero value for nGroups,
|
||||
this will cause a buffer overflow because the key actions are of the wrong
|
||||
size.
|
||||
|
||||
To avoid the issue, make sure to resize both the key syms and key actions
|
||||
when nGroups is 0.
|
||||
|
||||
CVE-2025-26597, ZDI-CAN-25683
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
xkb/XKBMisc.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c
|
||||
index abbfed90e..fd180fad2 100644
|
||||
--- a/xkb/XKBMisc.c
|
||||
+++ b/xkb/XKBMisc.c
|
||||
@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
|
||||
i = XkbSetNumGroups(i, 0);
|
||||
xkb->map->key_sym_map[key].group_info = i;
|
||||
XkbResizeKeySyms(xkb, key, 0);
|
||||
+ XkbResizeKeyActions(xkb, key, 0);
|
||||
return Success;
|
||||
}
|
||||
|
||||
--
|
||||
2.48.1
|
||||
|
@ -1,115 +0,0 @@
|
||||
From 0f5ea9d269ac6225bcb302a1ec0f58878114da9f Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 16 Dec 2024 11:25:11 +0100
|
||||
Subject: [PATCH xserver] Xi: Fix barrier device search
|
||||
|
||||
The function GetBarrierDevice() would search for the pointer device
|
||||
based on its device id and return the matching value, or supposedly NULL
|
||||
if no match was found.
|
||||
|
||||
Unfortunately, as written, it would return the last element of the list
|
||||
if no matching device id was found which can lead to out of bounds
|
||||
memory access.
|
||||
|
||||
Fix the search function to return NULL if not matching device is found,
|
||||
and adjust the callers to handle the case where the device cannot be
|
||||
found.
|
||||
|
||||
CVE-2025-26598, ZDI-CAN-25740
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
Xi/xibarriers.c | 27 +++++++++++++++++++++++----
|
||||
1 file changed, 23 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
|
||||
index 80c4b5981..28bc0a24f 100644
|
||||
--- a/Xi/xibarriers.c
|
||||
+++ b/Xi/xibarriers.c
|
||||
@@ -131,14 +131,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c)
|
||||
|
||||
static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid)
|
||||
{
|
||||
- struct PointerBarrierDevice *pbd = NULL;
|
||||
+ struct PointerBarrierDevice *p, *pbd = NULL;
|
||||
|
||||
- xorg_list_for_each_entry(pbd, &c->per_device, entry) {
|
||||
- if (pbd->deviceid == deviceid)
|
||||
+ xorg_list_for_each_entry(p, &c->per_device, entry) {
|
||||
+ if (p->deviceid == deviceid) {
|
||||
+ pbd = p;
|
||||
break;
|
||||
+ }
|
||||
}
|
||||
|
||||
- BUG_WARN(!pbd);
|
||||
return pbd;
|
||||
}
|
||||
|
||||
@@ -339,6 +340,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev,
|
||||
double distance;
|
||||
|
||||
pbd = GetBarrierDevice(c, dev->id);
|
||||
+ if (!pbd)
|
||||
+ continue;
|
||||
+
|
||||
if (pbd->seen)
|
||||
continue;
|
||||
|
||||
@@ -447,6 +451,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
|
||||
nearest = &c->barrier;
|
||||
|
||||
pbd = GetBarrierDevice(c, master->id);
|
||||
+ if (!pbd)
|
||||
+ continue;
|
||||
+
|
||||
new_sequence = !pbd->hit;
|
||||
|
||||
pbd->seen = TRUE;
|
||||
@@ -487,6 +494,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
|
||||
int flags = 0;
|
||||
|
||||
pbd = GetBarrierDevice(c, master->id);
|
||||
+ if (!pbd)
|
||||
+ continue;
|
||||
+
|
||||
pbd->seen = FALSE;
|
||||
if (!pbd->hit)
|
||||
continue;
|
||||
@@ -681,6 +691,9 @@ BarrierFreeBarrier(void *data, XID id)
|
||||
continue;
|
||||
|
||||
pbd = GetBarrierDevice(c, dev->id);
|
||||
+ if (!pbd)
|
||||
+ continue;
|
||||
+
|
||||
if (!pbd->hit)
|
||||
continue;
|
||||
|
||||
@@ -740,6 +753,8 @@ static void remove_master_func(void *res, XID id, void *devid)
|
||||
barrier = container_of(b, struct PointerBarrierClient, barrier);
|
||||
|
||||
pbd = GetBarrierDevice(barrier, *deviceid);
|
||||
+ if (!pbd)
|
||||
+ return;
|
||||
|
||||
if (pbd->hit) {
|
||||
BarrierEvent ev = {
|
||||
@@ -904,6 +919,10 @@ ProcXIBarrierReleasePointer(ClientPtr client)
|
||||
barrier = container_of(b, struct PointerBarrierClient, barrier);
|
||||
|
||||
pbd = GetBarrierDevice(barrier, dev->id);
|
||||
+ if (!pbd) {
|
||||
+ client->errorValue = dev->id;
|
||||
+ return BadDevice;
|
||||
+ }
|
||||
|
||||
if (pbd->barrier_event_id == event_id)
|
||||
pbd->release_event_id = event_id;
|
||||
--
|
||||
2.48.1
|
||||
|
@ -1,124 +0,0 @@
|
||||
From f5ce639ff9d3af05e79efce6c51e084352d28ed1 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 13 Jan 2025 16:09:43 +0100
|
||||
Subject: [PATCH xserver 2/2] composite: initialize border clip even when
|
||||
pixmap alloc fails
|
||||
|
||||
If it fails to allocate the pixmap, the function compAllocPixmap() would
|
||||
return early and leave the borderClip region uninitialized, which may
|
||||
lead to the use of uninitialized value as reported by valgrind:
|
||||
|
||||
Conditional jump or move depends on uninitialised value(s)
|
||||
at 0x4F9B33: compClipNotify (compwindow.c:317)
|
||||
by 0x484FC9: miComputeClips (mivaltree.c:476)
|
||||
by 0x48559A: miValidateTree (mivaltree.c:679)
|
||||
by 0x4F0685: MapWindow (window.c:2693)
|
||||
by 0x4A344A: ProcMapWindow (dispatch.c:922)
|
||||
by 0x4A25B5: Dispatch (dispatch.c:560)
|
||||
by 0x4B082A: dix_main (main.c:282)
|
||||
by 0x429233: main (stubmain.c:34)
|
||||
Uninitialised value was created by a heap allocation
|
||||
at 0x4841866: malloc (vg_replace_malloc.c:446)
|
||||
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
|
||||
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
|
||||
by 0x4EBB89: CreateWindow (window.c:925)
|
||||
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
|
||||
by 0x4A25B5: Dispatch (dispatch.c:560)
|
||||
by 0x4B082A: dix_main (main.c:282)
|
||||
by 0x429233: main (stubmain.c:34)
|
||||
|
||||
Conditional jump or move depends on uninitialised value(s)
|
||||
at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
|
||||
by 0x4F9255: RegionTranslate (regionstr.h:312)
|
||||
by 0x4F9B7E: compClipNotify (compwindow.c:319)
|
||||
by 0x484FC9: miComputeClips (mivaltree.c:476)
|
||||
by 0x48559A: miValidateTree (mivaltree.c:679)
|
||||
by 0x4F0685: MapWindow (window.c:2693)
|
||||
by 0x4A344A: ProcMapWindow (dispatch.c:922)
|
||||
by 0x4A25B5: Dispatch (dispatch.c:560)
|
||||
by 0x4B082A: dix_main (main.c:282)
|
||||
by 0x429233: main (stubmain.c:34)
|
||||
Uninitialised value was created by a heap allocation
|
||||
at 0x4841866: malloc (vg_replace_malloc.c:446)
|
||||
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
|
||||
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
|
||||
by 0x4EBB89: CreateWindow (window.c:925)
|
||||
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
|
||||
by 0x4A25B5: Dispatch (dispatch.c:560)
|
||||
by 0x4B082A: dix_main (main.c:282)
|
||||
by 0x429233: main (stubmain.c:34)
|
||||
|
||||
Conditional jump or move depends on uninitialised value(s)
|
||||
at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
|
||||
by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
|
||||
by 0x4F9255: RegionTranslate (regionstr.h:312)
|
||||
by 0x4F9B7E: compClipNotify (compwindow.c:319)
|
||||
by 0x484FC9: miComputeClips (mivaltree.c:476)
|
||||
by 0x48559A: miValidateTree (mivaltree.c:679)
|
||||
by 0x4F0685: MapWindow (window.c:2693)
|
||||
by 0x4A344A: ProcMapWindow (dispatch.c:922)
|
||||
by 0x4A25B5: Dispatch (dispatch.c:560)
|
||||
by 0x4B082A: dix_main (main.c:282)
|
||||
by 0x429233: main (stubmain.c:34)
|
||||
Uninitialised value was created by a heap allocation
|
||||
at 0x4841866: malloc (vg_replace_malloc.c:446)
|
||||
by 0x4F47BC: compRedirectWindow (compalloc.c:171)
|
||||
by 0x4FA8AD: compCreateWindow (compwindow.c:592)
|
||||
by 0x4EBB89: CreateWindow (window.c:925)
|
||||
by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
|
||||
by 0x4A25B5: Dispatch (dispatch.c:560)
|
||||
by 0x4B082A: dix_main (main.c:282)
|
||||
by 0x429233: main (stubmain.c:34)
|
||||
|
||||
Fix compAllocPixmap() to initialize the border clip even if the creation
|
||||
of the backing pixmap has failed, to avoid depending later on
|
||||
uninitialized border clip values.
|
||||
|
||||
Related to CVE-2025-26599, ZDI-CAN-25851
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
composite/compalloc.c | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/composite/compalloc.c b/composite/compalloc.c
|
||||
index ecb1b6147..d1342799b 100644
|
||||
--- a/composite/compalloc.c
|
||||
+++ b/composite/compalloc.c
|
||||
@@ -605,9 +605,12 @@ compAllocPixmap(WindowPtr pWin)
|
||||
int h = pWin->drawable.height + (bw << 1);
|
||||
PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h);
|
||||
CompWindowPtr cw = GetCompWindow(pWin);
|
||||
+ Bool status;
|
||||
|
||||
- if (!pPixmap)
|
||||
- return FALSE;
|
||||
+ if (!pPixmap) {
|
||||
+ status = FALSE;
|
||||
+ goto out;
|
||||
+ }
|
||||
if (cw->update == CompositeRedirectAutomatic)
|
||||
pWin->redirectDraw = RedirectDrawAutomatic;
|
||||
else
|
||||
@@ -621,14 +624,16 @@ compAllocPixmap(WindowPtr pWin)
|
||||
DamageRegister(&pWin->drawable, cw->damage);
|
||||
cw->damageRegistered = TRUE;
|
||||
}
|
||||
+ status = TRUE;
|
||||
|
||||
+out:
|
||||
/* Make sure our borderClip is up to date */
|
||||
RegionUninit(&cw->borderClip);
|
||||
RegionCopy(&cw->borderClip, &pWin->borderClip);
|
||||
cw->borderClipX = pWin->drawable.x;
|
||||
cw->borderClipY = pWin->drawable.y;
|
||||
|
||||
- return TRUE;
|
||||
+ return status;
|
||||
}
|
||||
|
||||
void
|
||||
--
|
||||
2.48.1
|
||||
|
@ -1,62 +0,0 @@
|
||||
From 10a24e364ac15983051d0bb90817c88bbe107036 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Tue, 17 Dec 2024 15:19:45 +0100
|
||||
Subject: [PATCH xserver 1/2] composite: Handle failure to redirect in
|
||||
compRedirectWindow()
|
||||
|
||||
The function compCheckRedirect() may fail if it cannot allocate the
|
||||
backing pixmap.
|
||||
|
||||
In that case, compRedirectWindow() will return a BadAlloc error.
|
||||
|
||||
However that failure code path will shortcut the validation of the
|
||||
window tree marked just before, which leaves the validate data partly
|
||||
initialized.
|
||||
|
||||
That causes a use of uninitialized pointer later.
|
||||
|
||||
The fix is to not shortcut the call to compHandleMarkedWindows() even in
|
||||
the case of compCheckRedirect() returning an error.
|
||||
|
||||
CVE-2025-26599, ZDI-CAN-25851
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
composite/compalloc.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/composite/compalloc.c b/composite/compalloc.c
|
||||
index e52c009bd..ecb1b6147 100644
|
||||
--- a/composite/compalloc.c
|
||||
+++ b/composite/compalloc.c
|
||||
@@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
|
||||
CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
|
||||
WindowPtr pLayerWin;
|
||||
Bool anyMarked = FALSE;
|
||||
+ int status = Success;
|
||||
|
||||
if (pWin == cs->pOverlayWin) {
|
||||
return Success;
|
||||
@@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
|
||||
|
||||
if (!compCheckRedirect(pWin)) {
|
||||
FreeResource(ccw->id, RT_NONE);
|
||||
- return BadAlloc;
|
||||
+ status = BadAlloc;
|
||||
}
|
||||
|
||||
if (anyMarked)
|
||||
compHandleMarkedWindows(pWin, pLayerWin);
|
||||
|
||||
- return Success;
|
||||
+ return status;
|
||||
}
|
||||
|
||||
void
|
||||
--
|
||||
2.48.1
|
||||
|
@ -1,64 +0,0 @@
|
||||
From 70ad5d36ae80f6e5a436eabfee642c2c013e51cc Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 16 Dec 2024 16:18:04 +0100
|
||||
Subject: [PATCH xserver] dix: Dequeue pending events on frozen device on
|
||||
removal
|
||||
|
||||
When a device is removed while still frozen, the events queued for that
|
||||
device remain while the device itself is freed.
|
||||
|
||||
As a result, replaying the events will cause a use after free.
|
||||
|
||||
To avoid the issue, make sure to dequeue and free any pending events on
|
||||
a frozen device when removed.
|
||||
|
||||
CVE-2025-26600, ZDI-CAN-25871
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
dix/devices.c | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
|
||||
diff --git a/dix/devices.c b/dix/devices.c
|
||||
index 969819534..740390207 100644
|
||||
--- a/dix/devices.c
|
||||
+++ b/dix/devices.c
|
||||
@@ -966,6 +966,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
|
||||
|
||||
}
|
||||
|
||||
+static void
|
||||
+FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
|
||||
+{
|
||||
+ QdEventPtr qe, tmp;
|
||||
+
|
||||
+ if (!dev->deviceGrab.sync.frozen)
|
||||
+ return;
|
||||
+
|
||||
+ /* Dequeue any frozen pending events */
|
||||
+ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
|
||||
+ if (qe->device == dev) {
|
||||
+ xorg_list_del(&qe->next);
|
||||
+ free(qe);
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* Close down a device and free all resources.
|
||||
* Once closed down, the driver will probably not expect you that you'll ever
|
||||
@@ -1030,6 +1047,7 @@ CloseDevice(DeviceIntPtr dev)
|
||||
free(dev->last.touches[j].valuators);
|
||||
free(dev->last.touches);
|
||||
dev->config_info = NULL;
|
||||
+ FreePendingFrozenDeviceEvents(dev);
|
||||
dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE);
|
||||
free(dev);
|
||||
}
|
||||
--
|
||||
2.48.1
|
||||
|
@ -1,80 +0,0 @@
|
||||
From 7dc3f11abb51cad8a59ecbff5278c8c8a318df41 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 20 Jan 2025 16:54:30 +0100
|
||||
Subject: [PATCH xserver 2/4] sync: Check values before applying changes
|
||||
|
||||
In SyncInitTrigger(), we would set the CheckTrigger function before
|
||||
validating the counter value.
|
||||
|
||||
As a result, if the counter value overflowed, we would leave the
|
||||
function SyncInitTrigger() with the CheckTrigger applied but without
|
||||
updating the trigger object.
|
||||
|
||||
To avoid that issue, move the portion of code checking for the trigger
|
||||
check value before updating the CheckTrigger function.
|
||||
|
||||
Related to CVE-2025-26601, ZDI-CAN-25870
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
Xext/sync.c | 36 ++++++++++++++++++------------------
|
||||
1 file changed, 18 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/Xext/sync.c b/Xext/sync.c
|
||||
index 4267d3af6..4eab5a6ac 100644
|
||||
--- a/Xext/sync.c
|
||||
+++ b/Xext/sync.c
|
||||
@@ -351,6 +351,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (changes & (XSyncCAValueType | XSyncCAValue)) {
|
||||
+ if (pTrigger->value_type == XSyncAbsolute)
|
||||
+ pTrigger->test_value = pTrigger->wait_value;
|
||||
+ else { /* relative */
|
||||
+ Bool overflow;
|
||||
+
|
||||
+ if (pCounter == NULL)
|
||||
+ return BadMatch;
|
||||
+
|
||||
+ overflow = checked_int64_add(&pTrigger->test_value,
|
||||
+ pCounter->value, pTrigger->wait_value);
|
||||
+ if (overflow) {
|
||||
+ client->errorValue = pTrigger->wait_value >> 32;
|
||||
+ return BadValue;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (changes & XSyncCATestType) {
|
||||
|
||||
if (pSync && SYNC_FENCE == pSync->type) {
|
||||
@@ -379,24 +397,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
|
||||
}
|
||||
}
|
||||
|
||||
- if (changes & (XSyncCAValueType | XSyncCAValue)) {
|
||||
- if (pTrigger->value_type == XSyncAbsolute)
|
||||
- pTrigger->test_value = pTrigger->wait_value;
|
||||
- else { /* relative */
|
||||
- Bool overflow;
|
||||
-
|
||||
- if (pCounter == NULL)
|
||||
- return BadMatch;
|
||||
-
|
||||
- overflow = checked_int64_add(&pTrigger->test_value,
|
||||
- pCounter->value, pTrigger->wait_value);
|
||||
- if (overflow) {
|
||||
- client->errorValue = pTrigger->wait_value >> 32;
|
||||
- return BadValue;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-
|
||||
if (changes & XSyncCACounter) {
|
||||
if (pSync != pTrigger->pSync) { /* new counter for trigger */
|
||||
SyncDeleteTriggerFromSyncObject(pTrigger);
|
||||
--
|
||||
2.48.1
|
||||
|
@ -1,47 +0,0 @@
|
||||
From 4ccaa5134482b6be9c9a7f0b66cd221ef325d082 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 20 Jan 2025 17:06:07 +0100
|
||||
Subject: [PATCH xserver 3/4] sync: Do not fail SyncAddTriggerToSyncObject()
|
||||
|
||||
We do not want to return a failure at the very last step in
|
||||
SyncInitTrigger() after having all changes applied.
|
||||
|
||||
SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
|
||||
allocation of the SyncTriggerList fails, trigger a FatalError() instead.
|
||||
|
||||
Related to CVE-2025-26601, ZDI-CAN-25870
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
Xext/sync.c | 7 +++----
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Xext/sync.c b/Xext/sync.c
|
||||
index 4eab5a6ac..c36de1a2e 100644
|
||||
--- a/Xext/sync.c
|
||||
+++ b/Xext/sync.c
|
||||
@@ -200,8 +200,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger)
|
||||
return Success;
|
||||
}
|
||||
|
||||
- if (!(pCur = malloc(sizeof(SyncTriggerList))))
|
||||
- return BadAlloc;
|
||||
+ /* Failure is not an option, it's succeed or burst! */
|
||||
+ pCur = XNFalloc(sizeof(SyncTriggerList));
|
||||
|
||||
pCur->pTrigger = pTrigger;
|
||||
pCur->next = pTrigger->pSync->pTriglist;
|
||||
@@ -409,8 +409,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
|
||||
* a new counter on a trigger
|
||||
*/
|
||||
if (newSyncObject) {
|
||||
- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)
|
||||
- return rc;
|
||||
+ SyncAddTriggerToSyncObject(pTrigger);
|
||||
}
|
||||
else if (pCounter && IsSystemCounter(pCounter)) {
|
||||
SyncComputeBracketValues(pCounter);
|
||||
--
|
||||
2.48.1
|
||||
|
@ -1,128 +0,0 @@
|
||||
From f0984082067f79b45383fa1eb889c6a901667331 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 20 Jan 2025 17:10:31 +0100
|
||||
Subject: [PATCH xserver 4/4] sync: Apply changes last in
|
||||
SyncChangeAlarmAttributes()
|
||||
|
||||
SyncChangeAlarmAttributes() would apply the various changes while
|
||||
checking for errors.
|
||||
|
||||
If one of the changes triggers an error, the changes for the trigger,
|
||||
counter or delta value would remain, possibly leading to inconsistent
|
||||
changes.
|
||||
|
||||
Postpone the actual changes until we're sure nothing else can go wrong.
|
||||
|
||||
Related to CVE-2025-26601, ZDI-CAN-25870
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
Xext/sync.c | 42 +++++++++++++++++++++++++++---------------
|
||||
1 file changed, 27 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/Xext/sync.c b/Xext/sync.c
|
||||
index c36de1a2e..e282e6657 100644
|
||||
--- a/Xext/sync.c
|
||||
+++ b/Xext/sync.c
|
||||
@@ -800,8 +800,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
|
||||
int status;
|
||||
XSyncCounter counter;
|
||||
Mask origmask = mask;
|
||||
+ SyncTrigger trigger;
|
||||
+ Bool select_events_changed = FALSE;
|
||||
+ Bool select_events_value;
|
||||
+ int64_t delta;
|
||||
|
||||
- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None;
|
||||
+ trigger = pAlarm->trigger;
|
||||
+ delta = pAlarm->delta;
|
||||
+ counter = trigger.pSync ? trigger.pSync->id : None;
|
||||
|
||||
while (mask) {
|
||||
int index2 = lowbit(mask);
|
||||
@@ -817,24 +823,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
|
||||
case XSyncCAValueType:
|
||||
mask &= ~XSyncCAValueType;
|
||||
/* sanity check in SyncInitTrigger */
|
||||
- pAlarm->trigger.value_type = *values++;
|
||||
+ trigger.value_type = *values++;
|
||||
break;
|
||||
|
||||
case XSyncCAValue:
|
||||
mask &= ~XSyncCAValue;
|
||||
- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
|
||||
+ trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
|
||||
values += 2;
|
||||
break;
|
||||
|
||||
case XSyncCATestType:
|
||||
mask &= ~XSyncCATestType;
|
||||
/* sanity check in SyncInitTrigger */
|
||||
- pAlarm->trigger.test_type = *values++;
|
||||
+ trigger.test_type = *values++;
|
||||
break;
|
||||
|
||||
case XSyncCADelta:
|
||||
mask &= ~XSyncCADelta;
|
||||
- pAlarm->delta = ((int64_t)values[0] << 32) | values[1];
|
||||
+ delta = ((int64_t)values[0] << 32) | values[1];
|
||||
values += 2;
|
||||
break;
|
||||
|
||||
@@ -844,10 +850,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
|
||||
client->errorValue = *values;
|
||||
return BadValue;
|
||||
}
|
||||
- status = SyncEventSelectForAlarm(pAlarm, client,
|
||||
- (Bool) (*values++));
|
||||
- if (status != Success)
|
||||
- return status;
|
||||
+ select_events_value = (Bool) (*values++);
|
||||
+ select_events_changed = TRUE;
|
||||
break;
|
||||
|
||||
default:
|
||||
@@ -856,25 +860,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (select_events_changed) {
|
||||
+ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value);
|
||||
+ if (status != Success)
|
||||
+ return status;
|
||||
+ }
|
||||
+
|
||||
/* "If the test-type is PositiveComparison or PositiveTransition
|
||||
* and delta is less than zero, or if the test-type is
|
||||
* NegativeComparison or NegativeTransition and delta is
|
||||
* greater than zero, a Match error is generated."
|
||||
*/
|
||||
if (origmask & (XSyncCADelta | XSyncCATestType)) {
|
||||
- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) ||
|
||||
- (pAlarm->trigger.test_type == XSyncPositiveTransition))
|
||||
- && pAlarm->delta < 0)
|
||||
+ if ((((trigger.test_type == XSyncPositiveComparison) ||
|
||||
+ (trigger.test_type == XSyncPositiveTransition))
|
||||
+ && delta < 0)
|
||||
||
|
||||
- (((pAlarm->trigger.test_type == XSyncNegativeComparison) ||
|
||||
- (pAlarm->trigger.test_type == XSyncNegativeTransition))
|
||||
- && pAlarm->delta > 0)
|
||||
+ (((trigger.test_type == XSyncNegativeComparison) ||
|
||||
+ (trigger.test_type == XSyncNegativeTransition))
|
||||
+ && delta > 0)
|
||||
) {
|
||||
return BadMatch;
|
||||
}
|
||||
}
|
||||
|
||||
/* postpone this until now, when we're sure nothing else can go wrong */
|
||||
+ pAlarm->delta = delta;
|
||||
+ pAlarm->trigger = trigger;
|
||||
if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter,
|
||||
origmask & XSyncCAAllTrigger)) != Success)
|
||||
return status;
|
||||
--
|
||||
2.48.1
|
||||
|
@ -1,66 +0,0 @@
|
||||
From 573a2265aacfeaddcc1bb001905a6f7d4fa15ee6 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 20 Jan 2025 16:52:01 +0100
|
||||
Subject: [PATCH xserver 1/4] sync: Do not let sync objects uninitialized
|
||||
|
||||
When changing an alarm, the change mask values are evaluated one after
|
||||
the other, changing the trigger values as requested and eventually,
|
||||
SyncInitTrigger() is called.
|
||||
|
||||
SyncInitTrigger() will evaluate the XSyncCACounter first and may free
|
||||
the existing sync object.
|
||||
|
||||
Other changes are then evaluated and may trigger an error and an early
|
||||
return, not adding the new sync object.
|
||||
|
||||
This can be used to cause a use after free when the alarm eventually
|
||||
triggers.
|
||||
|
||||
To avoid the issue, delete the existing sync object as late as possible
|
||||
only once we are sure that no further error will cause an early exit.
|
||||
|
||||
CVE-2025-26601, ZDI-CAN-25870
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
Xext/sync.c | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/Xext/sync.c b/Xext/sync.c
|
||||
index b6417b3b0..4267d3af6 100644
|
||||
--- a/Xext/sync.c
|
||||
+++ b/Xext/sync.c
|
||||
@@ -330,11 +330,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
|
||||
client->errorValue = syncObject;
|
||||
return rc;
|
||||
}
|
||||
- if (pSync != pTrigger->pSync) { /* new counter for trigger */
|
||||
- SyncDeleteTriggerFromSyncObject(pTrigger);
|
||||
- pTrigger->pSync = pSync;
|
||||
- newSyncObject = TRUE;
|
||||
- }
|
||||
}
|
||||
|
||||
/* if system counter, ask it what the current value is */
|
||||
@@ -402,6 +397,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (changes & XSyncCACounter) {
|
||||
+ if (pSync != pTrigger->pSync) { /* new counter for trigger */
|
||||
+ SyncDeleteTriggerFromSyncObject(pTrigger);
|
||||
+ pTrigger->pSync = pSync;
|
||||
+ newSyncObject = TRUE;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/* we wait until we're sure there are no errors before registering
|
||||
* a new counter on a trigger
|
||||
*/
|
||||
--
|
||||
2.48.1
|
||||
|
@ -1,87 +0,0 @@
|
||||
From 53e0de91e307870b6790690bd74cf30ac501de50 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Fri, 28 Mar 2025 09:43:52 +0100
|
||||
Subject: [PATCH xserver] render: Avoid 0 or less animated cursors
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Animated cursors use a series of cursors that the client can set.
|
||||
|
||||
By default, the Xserver assumes at least one cursor is specified
|
||||
while a client may actually pass no cursor at all.
|
||||
|
||||
That causes an out-of-bound read creating the animated cursor and a
|
||||
crash of the Xserver:
|
||||
|
||||
| Invalid read of size 8
|
||||
| at 0x5323F4: AnimCursorCreate (animcur.c:325)
|
||||
| by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
|
||||
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
|
||||
| by 0x4A1E9D: Dispatch (dispatch.c:560)
|
||||
| by 0x4B0169: dix_main (main.c:284)
|
||||
| by 0x4287F5: main (stubmain.c:34)
|
||||
| Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
|
||||
| at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
|
||||
| by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
|
||||
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
|
||||
| by 0x4A1E9D: Dispatch (dispatch.c:560)
|
||||
| by 0x4B0169: dix_main (main.c:284)
|
||||
| by 0x4287F5: main (stubmain.c:34)
|
||||
|
|
||||
| Invalid read of size 2
|
||||
| at 0x5323F7: AnimCursorCreate (animcur.c:325)
|
||||
| by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
|
||||
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
|
||||
| by 0x4A1E9D: Dispatch (dispatch.c:560)
|
||||
| by 0x4B0169: dix_main (main.c:284)
|
||||
| by 0x4287F5: main (stubmain.c:34)
|
||||
| Address 0x8 is not stack'd, malloc'd or (recently) free'd
|
||||
|
||||
To avoid the issue, check the number of cursors specified and return a
|
||||
BadValue error in both the proc handler (early) and the animated cursor
|
||||
creation (as this is a public function) if there is 0 or less cursor.
|
||||
|
||||
CVE-2025-49175
|
||||
|
||||
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||||
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: José Expósito <jexposit@redhat.com>
|
||||
(cherry picked from commit 9304e31035f97ddbfcc1d5f3c178da1d04a472ad)
|
||||
---
|
||||
render/animcur.c | 3 +++
|
||||
render/render.c | 2 ++
|
||||
2 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/render/animcur.c b/render/animcur.c
|
||||
index ef27bda27..77942d846 100644
|
||||
--- a/render/animcur.c
|
||||
+++ b/render/animcur.c
|
||||
@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
|
||||
int rc = BadAlloc, i;
|
||||
AnimCurPtr ac;
|
||||
|
||||
+ if (ncursor <= 0)
|
||||
+ return BadValue;
|
||||
+
|
||||
for (i = 0; i < screenInfo.numScreens; i++)
|
||||
if (!GetAnimCurScreen(screenInfo.screens[i]))
|
||||
return BadImplementation;
|
||||
diff --git a/render/render.c b/render/render.c
|
||||
index 5bc2a204b..a8c2da056 100644
|
||||
--- a/render/render.c
|
||||
+++ b/render/render.c
|
||||
@@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
|
||||
ncursor =
|
||||
(client->req_len -
|
||||
(bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
|
||||
+ if (ncursor <= 0)
|
||||
+ return BadValue;
|
||||
cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
|
||||
if (!cursors)
|
||||
return BadAlloc;
|
||||
--
|
||||
2.49.0
|
||||
|
@ -1,88 +0,0 @@
|
||||
From 57248c57e971bb7cc0ccae6de4c49a49ff13b45c Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 7 Apr 2025 16:13:34 +0200
|
||||
Subject: [PATCH xserver] os: Do not overflow the integer size with BigRequest
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The BigRequest extension allows request larger than the 16-bit length
|
||||
limit.
|
||||
|
||||
It uses integers for the request length and checks for the size not to
|
||||
exceed the maxBigRequestSize limit, but does so after translating the
|
||||
length to integer by multiplying the given size in bytes by 4.
|
||||
|
||||
In doing so, it might overflow the integer size limit before actually
|
||||
checking for the overflow, defeating the purpose of the test.
|
||||
|
||||
To avoid the issue, make sure to check that the request size does not
|
||||
overflow the maxBigRequestSize limit prior to any conversion.
|
||||
|
||||
The caller Dispatch() function however expects the return value to be in
|
||||
bytes, so we cannot just return the converted value in case of error, as
|
||||
that would also overflow the integer size.
|
||||
|
||||
To preserve the existing API, we use a negative value for the X11 error
|
||||
code BadLength as the function only return positive values, 0 or -1 and
|
||||
update the caller Dispatch() function to take that case into account to
|
||||
return the error code to the offending client.
|
||||
|
||||
CVE-2025-49176
|
||||
|
||||
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||||
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
|
||||
(cherry picked from commit b380b0a6c2022fbd3115552b1cd88251b5268daa)
|
||||
---
|
||||
dix/dispatch.c | 9 +++++----
|
||||
os/io.c | 4 ++++
|
||||
2 files changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/dix/dispatch.c b/dix/dispatch.c
|
||||
index 6f4e349e0..15e63e22a 100644
|
||||
--- a/dix/dispatch.c
|
||||
+++ b/dix/dispatch.c
|
||||
@@ -518,9 +518,10 @@ Dispatch(void)
|
||||
|
||||
/* now, finally, deal with client requests */
|
||||
result = ReadRequestFromClient(client);
|
||||
- if (result <= 0) {
|
||||
- if (result < 0)
|
||||
- CloseDownClient(client);
|
||||
+ if (result == 0)
|
||||
+ break;
|
||||
+ else if (result == -1) {
|
||||
+ CloseDownClient(client);
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -541,7 +542,7 @@ Dispatch(void)
|
||||
client->index,
|
||||
client->requestBuffer);
|
||||
#endif
|
||||
- if (result > (maxBigRequestSize << 2))
|
||||
+ if (result < 0 || result > (maxBigRequestSize << 2))
|
||||
result = BadLength;
|
||||
else {
|
||||
result = XaceHookDispatch(client, client->majorOp);
|
||||
diff --git a/os/io.c b/os/io.c
|
||||
index 5b7fac349..5fc05821c 100644
|
||||
--- a/os/io.c
|
||||
+++ b/os/io.c
|
||||
@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client)
|
||||
needed = get_big_req_len(request, client);
|
||||
}
|
||||
client->req_len = needed;
|
||||
+ if (needed > MAXINT >> 2) {
|
||||
+ /* Check for potential integer overflow */
|
||||
+ return -(BadLength);
|
||||
+ }
|
||||
needed <<= 2; /* needed is in bytes now */
|
||||
}
|
||||
if (gotnow < needed) {
|
||||
--
|
||||
2.49.0
|
||||
|
@ -1,32 +0,0 @@
|
||||
From 6794bf46b1c76c0a424940c97be3576dc2e7e9b1 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Wed, 18 Jun 2025 08:39:02 +0200
|
||||
Subject: [PATCH] os: Check for integer overflow on BigRequest length
|
||||
|
||||
Check for another possible integer overflow once we get a complete xReq
|
||||
with BigRequest.
|
||||
|
||||
Related to CVE-2025-49176
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
|
||||
---
|
||||
os/io.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/os/io.c b/os/io.c
|
||||
index e7b76b9cea..167b40a720 100644
|
||||
--- a/os/io.c
|
||||
+++ b/os/io.c
|
||||
@@ -394,6 +394,8 @@ ReadRequestFromClient(ClientPtr client)
|
||||
needed = get_big_req_len(request, client);
|
||||
}
|
||||
client->req_len = needed;
|
||||
+ if (needed > MAXINT >> 2)
|
||||
+ return -(BadLength);
|
||||
needed <<= 2;
|
||||
}
|
||||
if (gotnow < needed) {
|
||||
--
|
||||
GitLab
|
||||
|
@ -1,46 +0,0 @@
|
||||
From 90a13c564e7b9ba5c0d8d92acac80689cd051898 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 28 Apr 2025 10:46:03 +0200
|
||||
Subject: [PATCH xserver] os: Account for bytes to ignore when sharing input
|
||||
buffer
|
||||
|
||||
When reading requests from the clients, the input buffer might be shared
|
||||
and used between different clients.
|
||||
|
||||
If a given client sends a full request with non-zero bytes to ignore,
|
||||
the bytes to ignore may still be non-zero even though the request is
|
||||
full, in which case the buffer could be shared with another client who's
|
||||
request will not be processed because of those bytes to ignore, leading
|
||||
to a possible hang of the other client request.
|
||||
|
||||
To avoid the issue, make sure we have zero bytes to ignore left in the
|
||||
input request when sharing the input buffer with another client.
|
||||
|
||||
CVE-2025-49178
|
||||
|
||||
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||||
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
(cherry picked from commit b0c1cbf4f8e6baa372b1676d2f30512de8ab4ed3)
|
||||
---
|
||||
os/io.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/os/io.c b/os/io.c
|
||||
index 5fc05821c..26f9161ef 100644
|
||||
--- a/os/io.c
|
||||
+++ b/os/io.c
|
||||
@@ -442,7 +442,7 @@ ReadRequestFromClient(ClientPtr client)
|
||||
*/
|
||||
|
||||
gotnow -= needed;
|
||||
- if (!gotnow)
|
||||
+ if (!gotnow && !oci->ignoreBytes)
|
||||
AvailableInput = oc;
|
||||
if (move_header) {
|
||||
if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
|
||||
--
|
||||
2.49.0
|
||||
|
@ -1,62 +0,0 @@
|
||||
From 9a4f3012ba5752be1634455a3f0c7c125eabb328 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Mon, 28 Apr 2025 11:47:15 +0200
|
||||
Subject: [PATCH xserver] record: Check for overflow in
|
||||
RecordSanityCheckRegisterClients()
|
||||
|
||||
The RecordSanityCheckRegisterClients() checks for the request length,
|
||||
but does not check for integer overflow.
|
||||
|
||||
A client might send a very large value for either the number of clients
|
||||
or the number of protocol ranges that will cause an integer overflow in
|
||||
the request length computation, defeating the check for request length.
|
||||
|
||||
To avoid the issue, explicitly check the number of clients against the
|
||||
limit of clients (which is much lower than an maximum integer value) and
|
||||
the number of protocol ranges (multiplied by the record length) do not
|
||||
exceed the maximum integer value.
|
||||
|
||||
This way, we ensure that the final computation for the request length
|
||||
will not overflow the maximum integer limit.
|
||||
|
||||
CVE-2025-49179
|
||||
|
||||
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||||
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
(cherry picked from commit ea52403bf222f8bd6ee4c509bed5e34f0c789b00)
|
||||
---
|
||||
record/record.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/record/record.c b/record/record.c
|
||||
index e123867a7..018e53f81 100644
|
||||
--- a/record/record.c
|
||||
+++ b/record/record.c
|
||||
@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
|
||||
#include "inputstr.h"
|
||||
#include "eventconvert.h"
|
||||
#include "scrnintstr.h"
|
||||
+#include "opaque.h"
|
||||
|
||||
#include <stdio.h>
|
||||
#include <assert.h>
|
||||
@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
|
||||
int i;
|
||||
XID recordingClient;
|
||||
|
||||
+ /* LimitClients is 2048 at max, way less that MAXINT */
|
||||
+ if (stuff->nClients > LimitClients)
|
||||
+ return BadValue;
|
||||
+
|
||||
+ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
|
||||
+ return BadValue;
|
||||
+
|
||||
if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
|
||||
4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
|
||||
return BadLength;
|
||||
--
|
||||
2.49.0
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 5e7a3a955853218536ba4a7e696360aab0064206 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Tue, 20 May 2025 15:18:19 +0200
|
||||
Subject: [PATCH xserver 1/2] randr: Check for overflow in
|
||||
RRChangeProviderProperty()
|
||||
|
||||
A client might send a request causing an integer overflow when computing
|
||||
the total size to allocate in RRChangeProviderProperty().
|
||||
|
||||
To avoid the issue, check that total length in bytes won't exceed the
|
||||
maximum integer value.
|
||||
|
||||
CVE-2025-49180
|
||||
|
||||
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||||
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
(cherry picked from commit 1b0bf563a3a76b06ddcd6fc4d8e72d81f6773699)
|
||||
---
|
||||
randr/rrproviderproperty.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
|
||||
index 90c5a9a93..0aa35ad87 100644
|
||||
--- a/randr/rrproviderproperty.c
|
||||
+++ b/randr/rrproviderproperty.c
|
||||
@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
|
||||
|
||||
if (mode == PropModeReplace || len > 0) {
|
||||
void *new_data = NULL, *old_data = NULL;
|
||||
-
|
||||
+ if (total_len > MAXINT / size_in_bytes)
|
||||
+ return BadValue;
|
||||
total_size = total_len * size_in_bytes;
|
||||
new_value.data = (void *) malloc(total_size);
|
||||
if (!new_value.data && total_size) {
|
||||
--
|
||||
2.49.0
|
||||
|
@ -32,7 +32,7 @@
|
||||
Description=XVNC Per-Connection Daemon
|
||||
|
||||
[Service]
|
||||
ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None -Log *:syslog:30
|
||||
ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None
|
||||
User=nobody
|
||||
StandardInput=socket
|
||||
StandardError=syslog
|
||||
|
@ -4,16 +4,16 @@
|
||||
%global modulename vncsession
|
||||
|
||||
Name: tigervnc
|
||||
Version: 1.15.0
|
||||
Release: 7%{?dist}
|
||||
Version: 1.13.1
|
||||
Release: 3%{?dist}.6.alma.1
|
||||
Summary: A TigerVNC remote display system
|
||||
|
||||
%global _hardened_build 1
|
||||
|
||||
License: GPLv2+
|
||||
License: GPL-2.0-or-later
|
||||
URL: http://www.tigervnc.com
|
||||
|
||||
Source0: https://github.com/TigerVNC/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
||||
Source0: %{name}-%{version}.tar.gz
|
||||
Source1: xvnc.service
|
||||
Source2: xvnc.socket
|
||||
Source3: 10-libvnc.conf
|
||||
@ -23,44 +23,38 @@ Source5: vncserver
|
||||
|
||||
# Downstream patches
|
||||
Patch1: tigervnc-use-gnome-as-default-session.patch
|
||||
# https://github.com/TigerVNC/tigervnc/pull/1425
|
||||
Patch2: tigervnc-vncsession-restore-script-systemd-service.patch
|
||||
Patch3: tigervnc-dont-install-appstream-metadata-file.patch
|
||||
# Only warn about passwords longer than 8 characters, but allow them to be used as in the past
|
||||
Patch4: tigervnc-allow-use-of-passwords-longer-than-eight-characters.patch
|
||||
# https://github.com/TigerVNC/tigervnc/pull/1792
|
||||
Patch5: tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch
|
||||
|
||||
# https://gitlab.com/redhat/centos-stream/rpms/tigervnc/-/commit/75082cdb91390f66637d1dcacbb291181afbc9af
|
||||
Patch3: tigervnc-dont-get-pointer-position-for-floating-device.patch
|
||||
|
||||
# Upstream patches
|
||||
Patch50: tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch
|
||||
Patch51: tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch
|
||||
Patch52: tigervnc-dont-print-xvnc-banner-before-parsing-args.patch
|
||||
|
||||
# Upstreamable patches
|
||||
|
||||
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
|
||||
Patch100: tigervnc-xserver120.patch
|
||||
# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
|
||||
Patch100: 0001-rpath-hack.patch
|
||||
Patch101: 0001-rpath-hack.patch
|
||||
|
||||
# XServer patches
|
||||
Patch200: xorg-CVE-2025-26594.patch
|
||||
Patch201: xorg-CVE-2025-26594-2.patch
|
||||
Patch202: xorg-CVE-2025-26595.patch
|
||||
Patch203: xorg-CVE-2025-26596.patch
|
||||
Patch204: xorg-CVE-2025-26597.patch
|
||||
Patch205: xorg-CVE-2025-26598.patch
|
||||
Patch206: xorg-CVE-2025-26599.patch
|
||||
Patch207: xorg-CVE-2025-26599-2.patch
|
||||
Patch208: xorg-CVE-2025-26600.patch
|
||||
Patch209: xorg-CVE-2025-26601.patch
|
||||
Patch210: xorg-CVE-2025-26601-2.patch
|
||||
Patch211: xorg-CVE-2025-26601-3.patch
|
||||
Patch212: xorg-CVE-2025-26601-4.patch
|
||||
Patch213: xorg-CVE-2025-49175.patch
|
||||
Patch214: xorg-CVE-2025-49176-1.patch
|
||||
Patch215: xorg-CVE-2025-49176-2.patch
|
||||
Patch216: xorg-CVE-2025-49178.patch
|
||||
Patch217: xorg-CVE-2025-49179.patch
|
||||
Patch218: xorg-CVE-2025-49180.patch
|
||||
|
||||
# Patches were taken from:
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
|
||||
Patch102: CVE-2023-5367.patch
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7
|
||||
Patch103: CVE-2023-5380.patch
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
|
||||
Patch104: CVE-2023-6377.patch
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632
|
||||
Patch105: CVE-2023-6478.patch
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3
|
||||
Patch106: CVE-2023-6816.patch
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1245?commit_id=ece23be888a93b741aa1209d1dbf64636109d6a5
|
||||
Patch107: CVE-2024-0229-1.patch
|
||||
Patch108: CVE-2024-0229-2.patch
|
||||
Patch109: CVE-2024-0229-3.patch
|
||||
Patch110: CVE-2024-21885.patch
|
||||
Patch111: CVE-2024-21886-1.patch
|
||||
Patch112: CVE-2024-21886-2.patch
|
||||
Patch113: dix-fix-use-after-free-in-input-device-shutdown.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc-c++
|
||||
@ -97,26 +91,18 @@ BuildRequires: libXinerama-devel
|
||||
BuildRequires: libXt-devel
|
||||
BuildRequires: libXtst-devel
|
||||
BuildRequires: libdrm-devel
|
||||
BuildRequires: mesa-libgbm-devel
|
||||
BuildRequires: libtool
|
||||
BuildRequires: libxkbfile-devel
|
||||
BuildRequires: libxshmfence-devel
|
||||
BuildRequires: mesa-libGL-devel
|
||||
BuildRequires: pkgconfig(fontutil)
|
||||
BuildRequires: pkgconfig(xkbcomp)
|
||||
BuildRequires: xorg-x11-font-utils
|
||||
BuildRequires: xorg-x11-server-devel
|
||||
BuildRequires: xorg-x11-server-source
|
||||
BuildRequires: xorg-x11-util-macros
|
||||
BuildRequires: xorg-x11-xtrans-devel
|
||||
|
||||
# SELinux
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: selinux-policy-devel
|
||||
|
||||
# For RHEL-91104
|
||||
BuildRequires: pkgconfig(dbus-1) >= 1.0
|
||||
BuildRequires: pkgconfig(libsystemd) >= 209
|
||||
BuildRequires: pkgconfig(libudev) >= 143
|
||||
BuildRequires: libselinux-devel, selinux-policy-devel, systemd
|
||||
|
||||
Requires(post): coreutils
|
||||
Requires(postun):coreutils
|
||||
@ -124,7 +110,6 @@ Requires(postun):coreutils
|
||||
Requires: hicolor-icon-theme
|
||||
Requires: tigervnc-license
|
||||
Requires: tigervnc-icons
|
||||
Requires: which
|
||||
|
||||
%description
|
||||
Virtual Network Computing (VNC) is a remote display system which
|
||||
@ -160,11 +145,8 @@ Requires(preun): systemd
|
||||
Requires(postun): systemd
|
||||
Requires(post): systemd
|
||||
|
||||
Requires: dbus-x11
|
||||
Requires: mesa-dri-drivers
|
||||
Requires: tigervnc-license
|
||||
Requires: xkbcomp
|
||||
Requires: xkeyboard-config
|
||||
Requires: mesa-dri-drivers, xkeyboard-config, xkbcomp
|
||||
Requires: tigervnc-license, dbus-x11
|
||||
|
||||
%description server-minimal
|
||||
The VNC system allows you to access the same desktop from a wide
|
||||
@ -199,6 +181,9 @@ This package contains icons for TigerVNC viewer
|
||||
Summary: SELinux module for TigerVNC
|
||||
BuildArch: noarch
|
||||
BuildRequires: selinux-policy-devel
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
BuildRequires: selinux-policy
|
||||
|
||||
Requires: selinux-policy-%{selinuxtype}
|
||||
Requires(post): selinux-policy-%{selinuxtype}
|
||||
BuildRequires: selinux-policy-devel
|
||||
@ -206,7 +191,15 @@ BuildRequires: selinux-policy-devel
|
||||
Requires: libselinux-utils
|
||||
# Required for restorecon
|
||||
Requires: policycoreutils
|
||||
%{?selinux_requires}
|
||||
|
||||
Requires: libselinux-utils
|
||||
Requires: selinux-policy
|
||||
Requires: selinux-policy-%{selinuxtype}
|
||||
Requires(post): selinux-policy-base
|
||||
Requires(post): selinux-policy-%{selinuxtype}
|
||||
Requires(post): libselinux-utils
|
||||
Requires(post): policycoreutils
|
||||
Requires(post): policycoreutils-python-utils
|
||||
|
||||
%description selinux
|
||||
This package provides the SELinux policy module to ensure TigerVNC
|
||||
@ -220,42 +213,28 @@ pushd unix/xserver
|
||||
for all in `find . -type f -perm -001`; do
|
||||
chmod -x "$all"
|
||||
done
|
||||
%patch -P100 -p1 -b .rpath
|
||||
cat ../xserver120.patch | patch -p1
|
||||
%patch100 -p1 -b .xserver120-rebased
|
||||
%patch101 -p1 -b .rpath
|
||||
%patch102 -p1 -b .CVE-2023-5367
|
||||
%patch103 -p1 -b .CVE-2023-5380
|
||||
%patch104 -p1 -b .CVE-2023-6377
|
||||
%patch105 -p1 -b .CVE-2023-6478
|
||||
%patch106 -p1 -b .CVE-2023-6816
|
||||
%patch107 -p1 -b .CVE-2024-0229-1
|
||||
%patch108 -p1 -b .CVE-2024-0229-2
|
||||
%patch109 -p1 -b .CVE-2024-0229-3
|
||||
%patch110 -p1 -b .CVE-2024-21885
|
||||
%patch111 -p1 -b .CVE-2024-21886-1
|
||||
%patch112 -p1 -b .CVE-2024-21886-2
|
||||
%patch113 -p1 -b .dix-fix-use-after-free-in-input-device-shutdown
|
||||
|
||||
%patch -P200 -p1 -b .xorg-CVE-2025-26594
|
||||
%patch -P201 -p1 -b .xorg-CVE-2025-26594-2
|
||||
%patch -P202 -p1 -b .xorg-CVE-2025-26595
|
||||
%patch -P203 -p1 -b .xorg-CVE-2025-26596
|
||||
%patch -P204 -p1 -b .xorg-CVE-2025-26597
|
||||
%patch -P205 -p1 -b .xorg-CVE-2025-26598
|
||||
%patch -P206 -p1 -b .xorg-CVE-2025-26599
|
||||
%patch -P207 -p1 -b .xorg-CVE-2025-26599-2
|
||||
%patch -P208 -p1 -b .xorg-CVE-2025-26600
|
||||
%patch -P209 -p1 -b .xorg-CVE-2025-26601
|
||||
%patch -P210 -p1 -b .xorg-CVE-2025-26601-2
|
||||
%patch -P211 -p1 -b .xorg-CVE-2025-26601-3
|
||||
%patch -P212 -p1 -b .xorg-CVE-2025-26601-4
|
||||
%patch -P213 -p1 -b .xorg-CVE-2025-49175
|
||||
%patch -P214 -p1 -b .xorg-CVE-2025-49176-1
|
||||
%patch -P215 -p1 -b .xorg-CVE-2025-49176-2
|
||||
%patch -P216 -p1 -b .xorg-CVE-2025-49178
|
||||
%patch -P217 -p1 -b .xorg-CVE-2025-49179
|
||||
%patch -P218 -p1 -b .xorg-CVE-2025-49180
|
||||
popd
|
||||
|
||||
%patch -P1 -p1 -b .use-gnome-as-default-session
|
||||
%patch -P2 -p1 -b .vncsession-restore-script-systemd-service
|
||||
%patch -P3 -p1 -b .dont-install-appstream-metadata-file.patch
|
||||
%patch -P4 -p1 -b .allow-use-of-passwords-longer-than-eight-characters
|
||||
%patch -P5 -p1 -b .add-option-allowing-to-connect-only-user-owning-session
|
||||
%patch1 -p1 -b .use-gnome-as-default-session
|
||||
%patch2 -p1 -b .vncsession-restore-script-systemd-service
|
||||
%patch3 -p1 -b .dont-get-pointer-position-for-floating-device
|
||||
|
||||
# Upstream patches
|
||||
%patch -P50 -p1 -b .add-selinux-policy-rules-allowing-create-dirs-under-root-dir
|
||||
%patch -P51 -p1 -b .add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open
|
||||
%patch -P52 -p1 -b .dont-print-xvnc-banner-before-parsing-args
|
||||
|
||||
# Upstreamable patches
|
||||
|
||||
%build
|
||||
%ifarch sparcv9 sparc64 s390 s390x
|
||||
@ -265,32 +244,47 @@ export CFLAGS="$RPM_OPT_FLAGS -fpic"
|
||||
%endif
|
||||
export CXXFLAGS="$CFLAGS -std=c++11"
|
||||
|
||||
%{cmake} .
|
||||
make %{?_smp_mflags}
|
||||
%define __cmake_builddir %{_target_platform}
|
||||
|
||||
mkdir -p %{%__cmake_builddir}
|
||||
|
||||
%cmake
|
||||
|
||||
%cmake_build
|
||||
|
||||
pushd unix/xserver
|
||||
|
||||
%if 0%{?fedora} > 32 || 0%{?rhel} >= 9
|
||||
sed -i 's@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}/%{_target_platform}@g' hw/vnc/Makefile.am
|
||||
%endif
|
||||
|
||||
autoreconf -fiv
|
||||
%configure \
|
||||
--disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
|
||||
--disable-xwin --disable-xephyr --disable-kdrive --disable-xwayland \
|
||||
--with-pic --disable-static \
|
||||
--with-default-font-path="catalogue:/etc/X11/fontpath.d,built-ins" \
|
||||
--with-default-font-path="catalogue:%{_sysconfdir}/X11/fontpath.d,built-ins" \
|
||||
--with-fontdir=%{_datadir}/X11/fonts \
|
||||
--with-xkb-output=%{_localstatedir}/lib/xkb \
|
||||
--enable-glx --disable-dri --enable-dri2 --enable-dri3 \
|
||||
--enable-install-libxf86config \
|
||||
--enable-glx --disable-dri --enable-dri2 --disable-dri3 \
|
||||
--disable-unit-tests \
|
||||
--disable-config-hal \
|
||||
--disable-config-udev \
|
||||
--with-dri-driver-path=%{_libdir}/dri \
|
||||
--without-dtrace \
|
||||
--disable-devel-docs \
|
||||
--disable-selective-werror \
|
||||
--enable-systemd-logind \
|
||||
--enable-config-udev
|
||||
--disable-selective-werror
|
||||
|
||||
make %{?_smp_mflags}
|
||||
popd
|
||||
|
||||
# Build icons
|
||||
%if 0%{?fedora} > 32 || 0%{?rhel} >= 9
|
||||
pushd %{_target_platform}/media
|
||||
%else
|
||||
pushd media
|
||||
%endif
|
||||
make
|
||||
popd
|
||||
|
||||
@ -299,24 +293,22 @@ pushd unix/vncserver/selinux
|
||||
make
|
||||
popd
|
||||
|
||||
|
||||
%install
|
||||
%make_install
|
||||
%cmake_install
|
||||
rm -f %{buildroot}%{_docdir}/%{name}-%{version}/{README.rst,LICENCE.TXT}
|
||||
|
||||
pushd unix/xserver/hw/vnc
|
||||
make install DESTDIR=%{buildroot}
|
||||
%make_install
|
||||
popd
|
||||
|
||||
# Install systemd unit file
|
||||
pushd unix/vncserver/selinux
|
||||
make install DESTDIR=%{buildroot}
|
||||
popd
|
||||
|
||||
|
||||
# Install systemd unit file
|
||||
install -m644 %{SOURCE1} %{buildroot}%{_unitdir}/xvnc@.service
|
||||
install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket
|
||||
# Install old vncserver script
|
||||
install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
|
||||
|
||||
# Install desktop stuff
|
||||
mkdir -p %{buildroot}%{_datadir}/icons/hicolor/{16x16,24x24,48x48}/apps
|
||||
@ -327,6 +319,21 @@ install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps
|
||||
done
|
||||
popd
|
||||
|
||||
appstream-util validate-relax --nonet %{buildroot}%{_metainfodir}/org.tigervnc.vncviewer.metainfo.xml
|
||||
desktop-file-validate %{buildroot}%{_datadir}/applications/vncviewer.desktop
|
||||
|
||||
%if 0%{?rhel} > 9
|
||||
# Install a replacement for /usr/bin/vncserver which will tell the user to read the
|
||||
# HOWTO.md file
|
||||
cat <<EOF > %{buildroot}/%{_bindir}/vncserver
|
||||
#!/bin/bash
|
||||
echo "vncserver has been replaced by a systemd unit."
|
||||
echo "Please read /usr/share/doc/tigervnc/HOWTO.md for more information."
|
||||
EOF
|
||||
chmod +x %{buildroot}/%{_bindir}/vncserver
|
||||
%else
|
||||
install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
|
||||
%endif
|
||||
|
||||
%find_lang %{name} %{name}.lang
|
||||
|
||||
@ -366,6 +373,7 @@ fi
|
||||
%{_bindir}/vncviewer
|
||||
%{_datadir}/applications/*
|
||||
%{_mandir}/man1/vncviewer.1*
|
||||
%{_datadir}/metainfo/org.tigervnc.vncviewer.metainfo.xml
|
||||
|
||||
%files server
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/tigervnc
|
||||
@ -409,315 +417,236 @@ fi
|
||||
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
|
||||
|
||||
%changelog
|
||||
* Wed Jun 18 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-7
|
||||
- Additional fix to CVE-2025-49176: xorg-x11-server: Integer Overflow in Big Requests Extension
|
||||
Resolves: RHEL-97294
|
||||
* Tue Jan 30 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1.13.1-3.3.alma.1
|
||||
- CVE-2023-6816, CVE-2024-0029, CVE-2024-21885, CVE-2024-21886
|
||||
- dix: Fix use after free in input device shutdown
|
||||
|
||||
* Tue Jun 17 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-6
|
||||
- Fix CVE-2025-49175: xorg-x11-server: Out-of-Bounds Read in X Rendering Extension Animated Cursors
|
||||
Resolves: RHEL-97268
|
||||
- Fix CVE-2025-49176: xorg-x11-server: Integer Overflow in Big Requests Extension
|
||||
Resolves: RHEL-97294
|
||||
- Fix CVE-2025-49178: xorg-x11-server: Unprocessed Client Request Due to Bytes to Ignore
|
||||
Resolves: RHEL-97364
|
||||
- Fix CVE-2025-49179: xorg-x11-server: Integer overflow in X Record extension
|
||||
Resolves: RHEL-97397
|
||||
- Fix CVE-2025-49180: xorg-x11-server: Integer Overflow in X Resize, Rotate and Reflect (RandR) Extension
|
||||
Resolves: RHEL-97232
|
||||
|
||||
* Tue May 27 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-5
|
||||
- Fix broken authentication with x0vncserver
|
||||
Resolves: RHEL-93729
|
||||
|
||||
* Thu May 15 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-4
|
||||
- Add option "ApproveLoggedUserOnly" allowing to connect only the user
|
||||
owning the running session
|
||||
Resolves: RHEL-91104
|
||||
|
||||
* Wed Apr 30 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-3
|
||||
- Only warn about 8 characters limit, but let it proceed
|
||||
Resolves: RHEL-89430
|
||||
|
||||
* Wed Apr 16 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-2
|
||||
- Fix inetd mode not working
|
||||
Resolves: RHEL-86513
|
||||
|
||||
* Wed Feb 26 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-1
|
||||
- 1.15.0
|
||||
Resolves: RHEL-79161
|
||||
Resolves: RHEL-79982
|
||||
|
||||
* Wed Feb 26 2025 Jan Grulich <jgrulich@redhat.com> - 1.13.1-15
|
||||
- Fix CVE-2025-26594 xorg-x11-server Use-after-free of the root cursor
|
||||
Resolves: RHEL-79397
|
||||
- Fix CVE-2025-26595 xorg-x11-server Buffer overflow in XkbVModMaskText()
|
||||
Resolves: RHEL-79401
|
||||
- Fix CVE-2025-26596 xorg-x11-server Heap overflow in XkbWriteKeySyms()
|
||||
Resolves: RHEL-79386
|
||||
- Fix CVE-2025-26597 xorg-x11-server Buffer overflow in XkbChangeTypesOfKey()
|
||||
Resolves: RHEL-79380
|
||||
- Fix CVE-2025-26598 xorg-x11-server Out-of-bounds write in CreatePointerBarrierClient()
|
||||
Resolves: RHEL-79369
|
||||
- Fix CVE-2025-26599 xorg-x11-server Use of uninitialized pointer in compRedirectWindow()
|
||||
Resolves: RHEL-79364
|
||||
- Fix CVE-2025-26600 xorg-x11-server Use-after-free in PlayReleasedEvents()
|
||||
Resolves: RHEL-79360
|
||||
- Fix CVE-2025-26601 xorg-x11-server Use-after-free in SyncInitTrigger()
|
||||
Resolves: RHEL-79348
|
||||
|
||||
* Thu Oct 31 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-14
|
||||
- Fix CVE-2024-9632: xorg-x11-server: heap-based buffer overflow privilege escalation vulnerability
|
||||
Resolves: RHEL-61999
|
||||
|
||||
* Mon Aug 05 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-13
|
||||
- vncsession: use /bin/sh if the user shell is not set
|
||||
Resolves: RHEL-52827
|
||||
|
||||
* Fri Jul 12 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-12
|
||||
- Fix FTBS: drop already applied Xorg patches
|
||||
Resolves: RHEL-46696
|
||||
|
||||
* Tue May 28 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11
|
||||
- vncconfig: add option to force view-only remote client connections
|
||||
Resolves: RHEL-11908
|
||||
|
||||
* Mon Apr 15 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10
|
||||
- Drop patches that are already part of xorg-x11-server
|
||||
Resolves: RHEL-30755
|
||||
Resolves: RHEL-30767
|
||||
Resolves: RHEL-30761
|
||||
|
||||
* Thu Apr 04 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-9
|
||||
- Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
|
||||
Resolves: RHEL-30755
|
||||
- Fix CVE-2024-31083 tigervnc: xorg-x11-server: User-after-free in ProcRenderAddGlyphs
|
||||
Resolves: RHEL-30767
|
||||
- Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
|
||||
Resolves: RHEL-30761
|
||||
|
||||
* Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8
|
||||
- Fix copy/paste error in the DeviceStateNotify
|
||||
Resolves: RHEL-20530
|
||||
|
||||
* Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
|
||||
- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
|
||||
Resolves: RHEL-20388
|
||||
- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
|
||||
Resolves: RHEL-20382
|
||||
- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
|
||||
Resolves: RHEL-20530
|
||||
- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
|
||||
Resolves: RHEL-21214
|
||||
|
||||
* Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6
|
||||
- Use dup() to get available file descriptor when using -inetd option
|
||||
Resolves: RHEL-21000
|
||||
|
||||
* Mon Dec 18 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-5
|
||||
- Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions
|
||||
Resolves: RHEL-18410
|
||||
- Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
|
||||
Resolves: RHEL-18422
|
||||
|
||||
* Wed Nov 01 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-4
|
||||
- Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow
|
||||
Resolves: RHEL-15236
|
||||
|
||||
- Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty
|
||||
Resolves: RHEL-15230
|
||||
|
||||
* Mon Oct 09 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3
|
||||
- Support username alias in PlainUsers
|
||||
Resolves: RHEL-4258
|
||||
* Wed Jan 03 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1.13.1-3.3.alma.1
|
||||
- CVE-2023-5367, CVE-2023-5380, CVE-2023-6377, CVE-2023-6478
|
||||
|
||||
* Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
|
||||
- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
|
||||
Escalation Vulnerability
|
||||
Resolves: bz#2180306
|
||||
Resolves: bz#2180310
|
||||
|
||||
* Tue Mar 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-1
|
||||
- 1.13.1
|
||||
Resolves: bz#2175748
|
||||
- Restore "--fallbacktofreeport" option in the vncserver script
|
||||
Resolves: bz#2174398
|
||||
Resolves: bz#2175732
|
||||
|
||||
* Thu Dec 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-9
|
||||
- Bump build version to fix upgrade path
|
||||
Resolves: bz#1437569
|
||||
* Tue Feb 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-12
|
||||
- SELinux: allow vncsession create .vnc directory
|
||||
Resolves: bz#2164703
|
||||
|
||||
* Fri Nov 18 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-8
|
||||
* Wed Feb 15 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-11
|
||||
- Add sanity check when cleaning up keymap changes
|
||||
Resolves: bz#2169965
|
||||
|
||||
* Mon Feb 06 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-10
|
||||
- xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation
|
||||
Resolves: bz#2167061
|
||||
|
||||
* Tue Dec 20 2022 Tomas Popela <tpopela@redhat.com> - 1.12.0-9
|
||||
- Rebuild for xorg-x11-server CVE-2022-46340 follow up fix
|
||||
|
||||
* Fri Dec 16 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-8
|
||||
- Rebuild for xorg-x11-server CVEs
|
||||
Resolves: CVE-2022-4283 (bz#2154234)
|
||||
Resolves: CVE-2022-46340 (bz#2154221)
|
||||
Resolves: CVE-2022-46341 (bz#2154224)
|
||||
Resolves: CVE-2022-46342 (bz#2154226)
|
||||
Resolves: CVE-2022-46343 (bz#2154228)
|
||||
Resolves: CVE-2022-46344 (bz#2154230)
|
||||
|
||||
* Thu Dec 01 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-7
|
||||
- x0vncserver: add new keysym in case we don't find matching keycode
|
||||
Resolves: bz#1437569
|
||||
+ actually apply the patch
|
||||
Resolves: bz#2119017
|
||||
|
||||
* Wed Aug 24 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-7
|
||||
* Thu Dec 01 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-6
|
||||
- x0vncserver: add new keysym in case we don't find matching keycode
|
||||
Resolves: bz#2119017
|
||||
|
||||
* Mon Oct 24 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-5
|
||||
- x0vncserver: fix ghost cursor in zaphod mode (better version)
|
||||
Resolves: bz#2109679
|
||||
Resolves: bz#2119016
|
||||
|
||||
* Wed Aug 17 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-6
|
||||
- x0vncserver: fix ghost cursor in zaphod mode
|
||||
Resolves: bz#2109679
|
||||
* Tue May 31 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4
|
||||
- Add BR: libXdamage, libXfixes, libXrandr
|
||||
Resolves: bz#2091833
|
||||
|
||||
* Tue May 31 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-5
|
||||
- BR: libXdamage, libXfixes, libXrandr
|
||||
Resolves: bz#2088733
|
||||
* Tue Apr 05 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3
|
||||
- Do not run systemd_preun on Xvnc service file
|
||||
Resolves: bz#2048011
|
||||
|
||||
* Tue Feb 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4
|
||||
* Mon Apr 04 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2
|
||||
- Drop unexisting option from the old vncserver script
|
||||
Resolves: bz#2021893
|
||||
|
||||
* Wed Mar 23 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
|
||||
- 1.12.0 + sync with Fedora
|
||||
Resolves: bz#2048011
|
||||
Resolves: bz#2021893
|
||||
|
||||
* Mon Feb 07 2022 Jan Grulich <jgrulich@redhat.com> - 1.11.0-21
|
||||
- Added vncsession-restore script for SELinux policy migration
|
||||
Fix SELinux context for root user
|
||||
Resolves: bz#2021892
|
||||
Resolves: bz#2049506
|
||||
|
||||
* Fri Jan 21 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3
|
||||
- Fix crash in vncviewer
|
||||
Resolves: bz#2021892
|
||||
* Fri Nov 26 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-20
|
||||
- Rebuild for absence in RHEL 9.0
|
||||
Resolves: bz#1985858
|
||||
|
||||
* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2
|
||||
- Remove unavailable option from vncserver script
|
||||
Resolves: bz#2021892
|
||||
* Mon Aug 16 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-19
|
||||
- Sync upstream patches + drop unused patches
|
||||
Resolves: bz#1985858
|
||||
|
||||
* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
|
||||
- 1.12.0
|
||||
Resolves: bz#2021892
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.11.0-18
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9
|
||||
* Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-17
|
||||
- Fix logout from VNC session using vncserver
|
||||
Resolves: bz#1983706
|
||||
Resolves: bz#1983704
|
||||
|
||||
* Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-8
|
||||
- Run all SELinux RPM macros on correct package
|
||||
Resolves: bz#1907963
|
||||
* Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-16
|
||||
- Bump version for rebuild (binutils)
|
||||
Resolves: bz#1961488
|
||||
|
||||
* Mon May 17 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-7
|
||||
* Mon May 17 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-14
|
||||
- SELinux improvements
|
||||
Resolves: bz#1907963
|
||||
Resolves: bz#1961488
|
||||
|
||||
* Tue Dec 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6
|
||||
- Use GNOME as default session
|
||||
Resolves: bz#1853608
|
||||
- Fix endianness issue on s390x
|
||||
Resolves: bz#1963029
|
||||
|
||||
* Thu Dec 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-5
|
||||
- Make sure we log properly output to journal (actually log to syslog)
|
||||
Resolves: bz#1841537
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.11.0-13
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Thu Dec 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-4
|
||||
- Make sure we log properly output to journal
|
||||
Resolves: bz#1841537
|
||||
* Mon Mar 08 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-12
|
||||
- Include RHEL8 patches
|
||||
|
||||
* Wed Nov 18 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-3
|
||||
- vncserver: ignore new "session" parameter from the new systemd support
|
||||
Resolves: bz#1897504
|
||||
* Fri Mar 05 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-11
|
||||
- Enable old vncserver script for RHEL 9
|
||||
|
||||
* Wed Nov 18 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-2
|
||||
- Revert removal of vncserver
|
||||
Resolves: bz#1897504
|
||||
- Correctly start vncsession as a daemon
|
||||
Resolves: bz#1897498
|
||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.11.0-10
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Tue Oct 20 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-1
|
||||
- Update to 1.11.0
|
||||
Resolves: bz#1880985
|
||||
- Backport fix to allow Tigervnc use boolean values in config files
|
||||
Resolves: bz#1883415
|
||||
* Thu Dec 10 07:45:46 CET 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9
|
||||
- vncserver: ignore new session parameter from the new systemd support
|
||||
|
||||
* Wed Sep 30 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-8
|
||||
- Tolerate specifying -BoolParam 0 and similar
|
||||
Resolves: bz#1883415
|
||||
* Fri Nov 13 14:08:29 CET 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-8
|
||||
- Use /run instead of /var/run which is just a symlink
|
||||
|
||||
* Wed Jul 08 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-7
|
||||
- Enable server module on s390x
|
||||
Resolves: bz#1854925
|
||||
* Thu Nov 05 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.11.0-7
|
||||
- Require xkbcomp directly, not xorg-x11-xkb-utils. The latter has had
|
||||
Provides xkbcomp for years.
|
||||
|
||||
* Fri Jul 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-6
|
||||
- Remove trailing spaces in user name
|
||||
Resolves: bz#1852432
|
||||
* Tue Sep 29 13:12:22 CEST 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6
|
||||
- Backport upstream fix allowing Tigervnc to specify boolean valus in configuration
|
||||
- Revert removal of vncserver for F32 and F33
|
||||
|
||||
* Thu Jun 25 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-5
|
||||
- Install the HOWTO file to correct location
|
||||
* Thu Sep 24 07:14:06 CEST 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-5
|
||||
- Actually install the HOWTO.md file
|
||||
|
||||
* Wed Sep 23 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-4
|
||||
- Call systemd macros on correct service file
|
||||
|
||||
* Tue Sep 22 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-3
|
||||
- Do not overwrite libvnc.conf config file
|
||||
|
||||
* Thu Sep 17 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-2
|
||||
- Add /usr/bin/vncserver file informing users to read the HOWTO.md file
|
||||
Resolves: bz#1790443
|
||||
|
||||
* Mon Jun 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-4
|
||||
- Improve SELinux policy
|
||||
Resolves: bz#1790443
|
||||
* Wed Sep 09 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-1
|
||||
- 1.11.0
|
||||
|
||||
* Mon Jun 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-3
|
||||
- Add a HOWTO.md file with instructions how to start VNC server
|
||||
Resolves: bz#1790443
|
||||
* Mon Aug 24 2020 Jan Grulich <jgrulich@redhat.com. - 1.10.90-1
|
||||
- Update to 1.10.90 (1.11.0 beta)
|
||||
|
||||
* Tue May 26 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-2
|
||||
- Make the systemd service run also for root user
|
||||
Resolves: bz#1790443
|
||||
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-9
|
||||
- Second attempt - Rebuilt for
|
||||
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Mon Apr 27 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-1
|
||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.10.1-7
|
||||
- Use make macros
|
||||
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||
|
||||
* Sat Jul 11 2020 Jiri Vanek <jvanek@redhat.com> - 1.10.1-6
|
||||
- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
|
||||
|
||||
* Sun Apr 19 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-5
|
||||
- Requires: dbus-x11
|
||||
Resolves: bz#1825331
|
||||
|
||||
* Fri Mar 13 2020 Olivier Fourdan <ofourdan@redhat.com> - 1.10.1-4
|
||||
- Fix build with xserver 1.20.7
|
||||
|
||||
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Mon Jan 13 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-2
|
||||
- Build with -std=c++11
|
||||
|
||||
* Fri Dec 20 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.1-1
|
||||
- Update to 1.10.1
|
||||
Resolves: bz#1806992
|
||||
|
||||
- Add proper systemd support
|
||||
Resolves: bz#1790443
|
||||
* Tue Dec 10 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.0-2
|
||||
- Properly install systemd files
|
||||
|
||||
* Tue Jan 28 2020 Jan Grulich <jgrulich@redhat.com> - 1.9.0-13
|
||||
- Bump build because of z-stream
|
||||
Resolves: bz#1671714
|
||||
* Mon Nov 18 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.0-1
|
||||
- Update to 1.10.0
|
||||
|
||||
* Wed Dec 11 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-12
|
||||
- Fix installation of systemd files
|
||||
Resolves: bz#1671714
|
||||
* Fri Oct 18 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.90-1
|
||||
- Update to 1.9.90 (1.10 beta)
|
||||
- Add systemd user service file
|
||||
- Use a wrapper for systemd system service file to workaround systemd limitations
|
||||
|
||||
* Wed Nov 20 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-11
|
||||
- Use wrapper script to workaround systemd issues
|
||||
Resolves: bz#1671714
|
||||
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri Jul 12 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-10
|
||||
- Do not return returncode indicating error when running "vncserver -list"
|
||||
Resolves: bz#1727860
|
||||
* Fri Jul 19 2019 Dan Horák <dan[at]danny.cz> - 1.9.0-6
|
||||
- drop the s390x special handling (related #1727029)
|
||||
|
||||
* Fri Feb 08 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-9
|
||||
- Make tigervnc systemd service a user service
|
||||
Resolves: bz#1639846
|
||||
* Wed Jun 12 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-5
|
||||
- Add missing arguments to systemd_postun scriptlets
|
||||
Resolves: bz#1716411
|
||||
|
||||
* Mon Jan 21 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-8
|
||||
- Kill the session automatically only when Gnome is installed
|
||||
Resolves: bz#1665876
|
||||
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Tue Nov 20 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-7
|
||||
- Improve coverity scan fixes
|
||||
Resolves: bz#1602714
|
||||
|
||||
Inform whether view-only password is used or not
|
||||
Resolves: bz#1639169
|
||||
|
||||
Backport fixes from RHEL 7
|
||||
Resolves: bz#1651254
|
||||
|
||||
* Tue Oct 09 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-6
|
||||
* Tue Sep 25 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-3
|
||||
- Do not crash passwd when using malloc perturb checks
|
||||
Resolves: bz#1637086
|
||||
|
||||
* Mon Oct 08 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-5
|
||||
- Improve coverity scan fixes
|
||||
Resolves: bz#1602714
|
||||
|
||||
* Wed Oct 03 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-4
|
||||
- Improve coverity scan fixes
|
||||
Resolves: bz#1602714
|
||||
|
||||
* Wed Oct 03 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-3
|
||||
- Fix some coverity scan issues
|
||||
Resolves: bz#1602714
|
||||
Resolves: bz#1631483
|
||||
|
||||
* Wed Aug 01 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-2
|
||||
- Remove dependency on initscripts
|
||||
- Ignore buttons in mouse leave events
|
||||
Resolves: bz#1609516
|
||||
|
||||
* Tue Jul 17 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-1
|
||||
- Update to 1.9.0 + sync with Fedora
|
||||
- Update to 1.9.0
|
||||
|
||||
* Tue Jun 12 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-10
|
||||
- Fix GLX initialization with Xorg 1.20
|
||||
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.90-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Tue May 29 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-9
|
||||
- Build against Xorg 1.20
|
||||
* Wed Jul 4 2018 Peter Robinson <pbrobinson@fedoraproject.org> 1.8.90-2
|
||||
- Clean up spec: use macros consistenly, drop old sys-v migrations
|
||||
- Drop ancient obsolete/provides
|
||||
|
||||
* Mon May 14 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-8
|
||||
- Drop BR: ImageMagick
|
||||
* Thu Jun 14 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.90-1
|
||||
- Update to 1.8.90
|
||||
|
||||
* Wed Jun 13 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-10
|
||||
- Fix tigervnc systemd unit file
|
||||
Resolves: bz#1583159
|
||||
|
||||
* Wed Jun 06 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-9
|
||||
- Fix GLX initialization with 1.20
|
||||
|
||||
* Wed Apr 04 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-8
|
||||
- Rebuild for xserver 1.20
|
||||
|
||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.0-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
Loading…
Reference in New Issue
Block a user