rpms
/
tigervnc
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9
rpms:a8
rpms:c9-beta
rpms:c8-beta
rpms:c9s
rpms:a9
rpms:c8s
rpms:imports/c8/tigervnc-1.13.1-10.el8_10
rpms:imports/c9/tigervnc-1.13.1-8.el9_4.3
rpms:changed/a8/tigervnc-1.13.1-2.el8_9.10.alma.1
rpms:changed/a8/tigervnc-1.13.1-2.el8_9.7.alma.1
rpms:changed/a9/tigervnc-1.13.1-3.el9_3.6.alma.1
rpms:changed/a8/tigervnc-1.13.1-2.el8_9.4.alma.1
rpms:changed/a9/tigervnc-1.13.1-3.el9_3.3.alma.1
rpms:imports/c8-beta/tigervnc-1.13.1-2.el8
rpms:imports/c9-beta/tigervnc-1.13.1-2.el9
rpms:imports/c8/tigervnc-1.12.0-15.el8_8
rpms:imports/c9/tigervnc-1.12.0-13.el9_2
rpms:imports/c9/tigervnc-1.12.0-5.el9_1.2
rpms:imports/c8/tigervnc-1.12.0-9.el8_7.2
rpms:imports/c8/tigervnc-1.12.0-9.el8_7.3
rpms:imports/c9-beta/tigervnc-1.12.0-12.el9
rpms:imports/c8-beta/tigervnc-1.12.0-14.el8
rpms:imports/c8/tigervnc-1.12.0-9.el8_7.1
rpms:imports/c9/tigervnc-1.12.0-5.el9_1.1
rpms:imports/c8/tigervnc-1.12.0-8.el8_7
rpms:imports/c8s/tigervnc-1.12.0-9.el8
rpms:imports/c8s/tigervnc-1.12.0-8.el8
rpms:imports/c9/tigervnc-1.12.0-4.el9
rpms:imports/c8/tigervnc-1.12.0-7.el8
rpms:imports/c9-beta/tigervnc-1.12.0-4.el9
rpms:imports/c8-beta/tigervnc-1.12.0-7.el8
rpms:imports/c8s/tigervnc-1.12.0-7.el8
rpms:imports/c8s/tigervnc-1.12.0-6.el8
rpms:imports/c8s/tigervnc-1.12.0-5.el8
rpms:imports/c9/tigervnc-1.11.0-21.el9
rpms:imports/c8/tigervnc-1.12.0-4.el8
rpms:imports/c9-beta/tigervnc-1.11.0-21.el9
rpms:imports/c8-beta/tigervnc-1.12.0-4.el8
rpms:imports/c8s/tigervnc-1.12.0-4.el8
rpms:imports/c8s/tigervnc-1.12.0-3.el8
rpms:imports/c8/tigervnc-1.11.0-10.el8_5
rpms:imports/c8s/tigervnc-1.12.0-2.el8
rpms:imports/c9-beta/tigervnc-1.11.0-20.el9
rpms:imports/c8s/tigervnc-1.11.0-10.el8_5
rpms:imports/c9-beta/tigervnc-1.11.0-18.el9
rpms:imports/c8/tigervnc-1.11.0-9.el8
rpms:imports/c8-beta/tigervnc-1.11.0-9.el8
rpms:imports/c8-beta/tigervnc-1.11.0-6.el8
rpms:imports/c8-beta/tigervnc-1.10.1-5.el8
rpms:imports/c8-beta/tigervnc-1.9.0-12.el8
rpms:imports/c8-beta/tigervnc-1.9.0-9.el8
rpms:imports/c8s/tigervnc-1.11.0-9.el8
rpms:imports/c8s/tigervnc-1.11.0-8.el8
rpms:imports/c8s/tigervnc-1.11.0-7.el8
rpms:imports/c8s/tigervnc-1.11.0-6.el8
rpms:imports/c8s/tigervnc-1.11.0-5.el8
rpms:imports/c8/tigervnc-1.11.0-6.el8
rpms:imports/c8/tigervnc-1.10.1-9.el8_3
rpms:imports/c8/tigervnc-1.10.1-7.el8
rpms:imports/c8/tigervnc-1.9.0-15.el8_1
rpms:imports/c8/tigervnc-1.9.0-14.el8_1
...
pull from: rpms:a9
Branches Tags
rpms:c8
rpms:c9
rpms:a8
rpms:c9-beta
rpms:c8-beta
rpms:c9s
rpms:a9
rpms:c8s
rpms:imports/c8/tigervnc-1.13.1-10.el8_10
rpms:imports/c9/tigervnc-1.13.1-8.el9_4.3
rpms:changed/a8/tigervnc-1.13.1-2.el8_9.10.alma.1
rpms:changed/a8/tigervnc-1.13.1-2.el8_9.7.alma.1
rpms:changed/a9/tigervnc-1.13.1-3.el9_3.6.alma.1
rpms:changed/a8/tigervnc-1.13.1-2.el8_9.4.alma.1
rpms:changed/a9/tigervnc-1.13.1-3.el9_3.3.alma.1
rpms:imports/c8-beta/tigervnc-1.13.1-2.el8
rpms:imports/c9-beta/tigervnc-1.13.1-2.el9
rpms:imports/c8/tigervnc-1.12.0-15.el8_8
rpms:imports/c9/tigervnc-1.12.0-13.el9_2
rpms:imports/c9/tigervnc-1.12.0-5.el9_1.2
rpms:imports/c8/tigervnc-1.12.0-9.el8_7.2
rpms:imports/c8/tigervnc-1.12.0-9.el8_7.3
rpms:imports/c9-beta/tigervnc-1.12.0-12.el9
rpms:imports/c8-beta/tigervnc-1.12.0-14.el8
rpms:imports/c8/tigervnc-1.12.0-9.el8_7.1
rpms:imports/c9/tigervnc-1.12.0-5.el9_1.1
rpms:imports/c8/tigervnc-1.12.0-8.el8_7
rpms:imports/c8s/tigervnc-1.12.0-9.el8
rpms:imports/c8s/tigervnc-1.12.0-8.el8
rpms:imports/c9/tigervnc-1.12.0-4.el9
rpms:imports/c8/tigervnc-1.12.0-7.el8
rpms:imports/c9-beta/tigervnc-1.12.0-4.el9
rpms:imports/c8-beta/tigervnc-1.12.0-7.el8
rpms:imports/c8s/tigervnc-1.12.0-7.el8
rpms:imports/c8s/tigervnc-1.12.0-6.el8
rpms:imports/c8s/tigervnc-1.12.0-5.el8
rpms:imports/c9/tigervnc-1.11.0-21.el9
rpms:imports/c8/tigervnc-1.12.0-4.el8
rpms:imports/c9-beta/tigervnc-1.11.0-21.el9
rpms:imports/c8-beta/tigervnc-1.12.0-4.el8
rpms:imports/c8s/tigervnc-1.12.0-4.el8
rpms:imports/c8s/tigervnc-1.12.0-3.el8
rpms:imports/c8/tigervnc-1.11.0-10.el8_5
rpms:imports/c8s/tigervnc-1.12.0-2.el8
rpms:imports/c9-beta/tigervnc-1.11.0-20.el9
rpms:imports/c8s/tigervnc-1.11.0-10.el8_5
rpms:imports/c9-beta/tigervnc-1.11.0-18.el9
rpms:imports/c8/tigervnc-1.11.0-9.el8
rpms:imports/c8-beta/tigervnc-1.11.0-9.el8
rpms:imports/c8-beta/tigervnc-1.11.0-6.el8
rpms:imports/c8-beta/tigervnc-1.10.1-5.el8
rpms:imports/c8-beta/tigervnc-1.9.0-12.el8
rpms:imports/c8-beta/tigervnc-1.9.0-9.el8
rpms:imports/c8s/tigervnc-1.11.0-9.el8
rpms:imports/c8s/tigervnc-1.11.0-8.el8
rpms:imports/c8s/tigervnc-1.11.0-7.el8
rpms:imports/c8s/tigervnc-1.11.0-6.el8
rpms:imports/c8s/tigervnc-1.11.0-5.el8
rpms:imports/c8/tigervnc-1.11.0-6.el8
rpms:imports/c8/tigervnc-1.10.1-9.el8_3
rpms:imports/c8/tigervnc-1.10.1-7.el8
rpms:imports/c8/tigervnc-1.9.0-15.el8_1
rpms:imports/c8/tigervnc-1.9.0-14.el8_1

No commits in common. "c8" and "a9" have entirely different histories.
c8 ... a9

19 changed files with 1273 additions and 489 deletions
Show Stats Expand all files Collapse all files

2
SOURCES/10-libvnc.conf
View File

@ -12,7 +12,7 @@
#EndSection
#Section "Screen"
# Identifier "Screen0"
# Identifier "Screen0
# DefaultDepth 16
# Option "SecurityTypes" "VncAuth"
# Option "PasswordFile" "/root/.vnc/passwd"

80
SOURCES/CVE-2023-5367.patch Normal file
View File

@ -0,0 +1,80 @@
From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 3 Oct 2023 11:53:05 +1000
Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
The handling of appending/prepending properties was incorrect, with at
least two bugs: the property length was set to the length of the new
part only, i.e. appending or prepending N elements to a property with P
existing elements always resulted in the property having N elements
instead of N + P.
Second, when pre-pending a value to a property, the offset for the old
values was incorrect, leaving the new property with potentially
uninitalized values and/or resulting in OOB memory writes.
For example, prepending a 3 element value to a 5 element property would
result in this 8 value array:
[N, N, N, ?, ?, P, P, P ] P, P
^OOB write
The XI2 code is a copy/paste of the RandR code, so the bug exists in
both.
CVE-2023-5367, ZDI-CAN-22153
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
Xi/xiproperty.c | 4 ++--
randr/rrproperty.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
index 066ba21fba..d315f04d0e 100644
--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
XIDestroyDeviceProperty(prop);
return BadAlloc;
}
- new_value.size = len;
+ new_value.size = total_len;
new_value.type = type;
new_value.format = format;
@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
case PropModePrepend:
new_data = new_value.data;
old_data = (void *) (((char *) new_value.data) +
- (prop_value->size * size_in_bytes));
+ (len * size_in_bytes));
break;
}
if (new_data)
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
index c2fb9585c6..25469f57b2 100644
--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
RRDestroyOutputProperty(prop);
return BadAlloc;
}
- new_value.size = len;
+ new_value.size = total_len;
new_value.type = type;
new_value.format = format;
@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
case PropModePrepend:
new_data = new_value.data;
old_data = (void *) (((char *) new_value.data) +
- (prop_value->size * size_in_bytes));
+ (len * size_in_bytes));
break;
}
if (new_data)
--
GitLab

98
SOURCES/CVE-2023-5380.patch Normal file
View File

@ -0,0 +1,98 @@
From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 5 Oct 2023 12:19:45 +1000
Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
PointerWindows[] keeps a reference to the last window our sprite
entered - changes are usually handled by CheckMotion().
If we switch between screens via XWarpPointer our
dev->spriteInfo->sprite->win is set to the new screen's root window.
If there's another window at the cursor location CheckMotion() will
trigger the right enter/leave events later. If there is not, it skips
that process and we never trigger LeaveWindow() - PointerWindows[] for
the device still refers to the previous window.
If that window is destroyed we have a dangling reference that will
eventually cause a use-after-free bug when checking the window hierarchy
later.
To trigger this, we require:
- two protocol screens
- XWarpPointer to the other screen's root window
- XDestroyWindow before entering any other window
This is a niche bug so we hack around it by making sure we reset the
PointerWindows[] entry so we cannot have a dangling pointer. This
doesn't handle Enter/Leave events correctly but the previous code didn't
either.
CVE-2023-5380, ZDI-CAN-21608
This vulnerability was discovered by:
Sri working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Adam Jackson <ajax@redhat.com>
---
dix/enterleave.h | 2 --
include/eventstr.h | 3 +++
mi/mipointer.c | 17 +++++++++++++++--
3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/dix/enterleave.h b/dix/enterleave.h
index 4b833d8a3b..e8af924c68 100644
--- a/dix/enterleave.h
+++ b/dix/enterleave.h
@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
-extern void LeaveWindow(DeviceIntPtr dev);
-
extern void CoreFocusEvent(DeviceIntPtr kbd,
int type, int mode, int detail, WindowPtr pWin);
diff --git a/include/eventstr.h b/include/eventstr.h
index 93308f9b24..a9926eaeef 100644
--- a/include/eventstr.h
+++ b/include/eventstr.h
@@ -296,4 +296,7 @@ union _InternalEvent {
#endif
};
+extern void
+LeaveWindow(DeviceIntPtr dev);
+
#endif
diff --git a/mi/mipointer.c b/mi/mipointer.c
index a638f25d4a..8cf0035140 100644
--- a/mi/mipointer.c
+++ b/mi/mipointer.c
@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
#ifdef PANORAMIX
&& noPanoramiXExtension
#endif
- )
- UpdateSpriteForScreen(pDev, pScreen);
+ ) {
+ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
+ /* Hack for CVE-2023-5380: if we're moving
+ * screens PointerWindows[] keeps referring to the
+ * old window. If that gets destroyed we have a UAF
+ * bug later. Only happens when jumping from a window
+ * to the root window on the other screen.
+ * Enter/Leave events are incorrect for that case but
+ * too niche to fix.
+ */
+ LeaveWindow(pDev);
+ if (master)
+ LeaveWindow(master);
+ UpdateSpriteForScreen(pDev, pScreen);
+ }
}
/**
--
GitLab

74
SOURCES/CVE-2023-6377.patch Normal file
View File

@ -0,0 +1,74 @@
From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 28 Nov 2023 15:19:04 +1000
Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
button->xkb_acts is supposed to be an array sufficiently large for all
our buttons, not just a single XkbActions struct. Allocating
insufficient memory here means when we memcpy() later in
XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
leading to the usual security ooopsiedaisies.
CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
Xi/exevents.c | 12 ++++++------
dix/devices.c | 10 ++++++++++
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index dcd4efb3bc..54ea11a938 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
}
if (from->button->xkb_acts) {
- if (!to->button->xkb_acts) {
- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
- if (!to->button->xkb_acts)
- FatalError("[Xi] not enough memory for xkb_acts.\n");
- }
+ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
+ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
+ maxbuttons,
+ sizeof(XkbAction));
+ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
memcpy(to->button->xkb_acts, from->button->xkb_acts,
- sizeof(XkbAction));
+ from->button->numButtons * sizeof(XkbAction));
}
else {
free(to->button->xkb_acts);
diff --git a/dix/devices.c b/dix/devices.c
index b063128df0..3f3224d626 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
if (master->button && master->button->numButtons != maxbuttons) {
int i;
+ int last_num_buttons = master->button->numButtons;
+
DeviceChangedEvent event = {
.header = ET_Internal,
.type = ET_DeviceChanged,
@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
};
master->button->numButtons = maxbuttons;
+ if (last_num_buttons < maxbuttons) {
+ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
+ maxbuttons,
+ sizeof(XkbAction));
+ memset(&master->button->xkb_acts[last_num_buttons],
+ 0,
+ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
+ }
memcpy(&event.buttons.names, master->button->labels, maxbuttons *
sizeof(Atom));
--
GitLab

59
SOURCES/CVE-2023-6478.patch Normal file
View File

@ -0,0 +1,59 @@
From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 27 Nov 2023 16:27:49 +1000
Subject: [PATCH] randr: avoid integer truncation in length check of
ProcRRChange*Property
Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
See also xserver@8f454b79 where this same bug was fixed for the core
protocol and XI.
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
CVE-2023-6478, ZDI-CAN-22561
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
randr/rrproperty.c | 2 +-
randr/rrproviderproperty.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
index 25469f57b2..c4fef8a1f6 100644
--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
char format, mode;
unsigned long len;
int sizeInBytes;
- int totalSize;
+ uint64_t totalSize;
int err;
REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index b79c17f9bf..90c5a9a933 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
char format, mode;
unsigned long len;
int sizeInBytes;
- int totalSize;
+ uint64_t totalSize;
int err;
REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
--
GitLab

51
SOURCES/CVE-2023-6816.patch Normal file
View File

@ -0,0 +1,51 @@
From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 14 Dec 2023 11:29:49 +1000
Subject: [PATCH] dix: allocate enough space for logical button maps
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
each logical button currently down. Since buttons can be arbitrarily mapped
to anything up to 255 make sure we have enough bits for the maximum mapping.
CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
Xi/xiquerypointer.c | 3 +--
dix/enterleave.c | 5 +++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
index 5b77b1a444..2b05ac5f39 100644
--- a/Xi/xiquerypointer.c
+++ b/Xi/xiquerypointer.c
@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
if (pDev->button) {
int i;
- rep.buttons_len =
- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
+ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
rep.length += rep.buttons_len;
buttons = calloc(rep.buttons_len, 4);
if (!buttons)
diff --git a/dix/enterleave.c b/dix/enterleave.c
index 867ec74363..ded8679d76 100644
--- a/dix/enterleave.c
+++ b/dix/enterleave.c
@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
- /* XI 2 event */
- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
+ /* XI 2 event contains the logical button map - maps are CARD8
+ * so we need 256 bits for the possibly maximum mapping */
+ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
btlen = bytes_to_int32(btlen);
len = sizeof(xXIFocusInEvent) + btlen * 4;
--
GitLab

83
SOURCES/CVE-2024-0229-1.patch Normal file
View File

@ -0,0 +1,83 @@
From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 18 Dec 2023 14:27:50 +1000
Subject: [PATCH 2/9] dix: Allocate sufficient xEvents for our
DeviceStateNotify
If a device has both a button class and a key class and numButtons is
zero, we can get an OOB write due to event under-allocation.
This function seems to assume a device has either keys or buttons, not
both. It has two virtually identical code paths, both of which assume
they're applying to the first event in the sequence.
A device with both a key and button class triggered a logic bug - only
one xEvent was allocated but the deviceStateNotify pointer was pushed on
once per type. So effectively this logic code:
int count = 1;
if (button && nbuttons > 32) count++;
if (key && nbuttons > 0) count++;
if (key && nkeys > 32) count++; // this is basically always true
// count is at 2 for our keys + zero button device
ev = alloc(count * sizeof(xEvent));
FixDeviceStateNotify(ev);
if (button)
FixDeviceStateNotify(ev++);
if (key)
FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here
If the device has more than 3 valuators, the OOB is pushed back - we're
off by one so it will happen when the last deviceValuator event is
written instead.
Fix this by allocating the maximum number of events we may allocate.
Note that the current behavior is not protocol-correct anyway, this
patch fixes only the allocation issue.
Note that this issue does not trigger if the device has at least one
button. While the server does not prevent a button class with zero
buttons, it is very unlikely.
CVE-2024-0229, ZDI-CAN-22678
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
dix/enterleave.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dix/enterleave.c b/dix/enterleave.c
index ded8679d76..17964b00a4 100644
--- a/dix/enterleave.c
+++ b/dix/enterleave.c
@@ -675,7 +675,8 @@ static void
DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
{
int evcount = 1;
- deviceStateNotify *ev, *sev;
+ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
+ deviceStateNotify *ev;
deviceKeyStateNotify *kev;
deviceButtonStateNotify *bev;
@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
}
}
- sev = ev = xallocarray(evcount, sizeof(xEvent));
+ ev = sev;
FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
if (b != NULL) {
@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
DeviceStateNotifyMask, NullGrab);
- free(sev);
}
void
--
GitLab

216
SOURCES/CVE-2024-0229-2.patch Normal file
View File

@ -0,0 +1,216 @@
From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 18 Dec 2023 12:26:20 +1000
Subject: [PATCH 3/9] dix: fix DeviceStateNotify event calculation
The previous code only made sense if one considers buttons and keys to
be mutually exclusive on a device. That is not necessarily true, causing
a number of issues.
This function allocates and fills in the number of xEvents we need to
send the device state down the wire. This is split across multiple
32-byte devices including one deviceStateNotify event and optional
deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
deviceValuator events.
The previous behavior would instead compose a sequence
of [state, buttonstate, state, keystate, valuator...]. This is not
protocol correct, and on top of that made the code extremely convoluted.
Fix this by streamlining: add both button and key into the deviceStateNotify
and then append the key state and button state, followed by the
valuators. Finally, the deviceValuator events contain up to 6 valuators
per event but we only ever sent through 3 at a time. Let's double that
troughput.
CVE-2024-0229, ZDI-CAN-22678
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
dix/enterleave.c | 121 ++++++++++++++++++++---------------------------
1 file changed, 52 insertions(+), 69 deletions(-)
diff --git a/dix/enterleave.c b/dix/enterleave.c
index 17964b00a4..7b7ba1098b 100644
--- a/dix/enterleave.c
+++ b/dix/enterleave.c
@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
ev->type = DeviceValuator;
ev->deviceid = dev->id;
- ev->num_valuators = nval < 3 ? nval : 3;
+ ev->num_valuators = nval < 6 ? nval : 6;
ev->first_valuator = first;
switch (ev->num_valuators) {
+ case 6:
+ ev->valuator2 = v->axisVal[first + 5];
+ case 5:
+ ev->valuator2 = v->axisVal[first + 4];
+ case 4:
+ ev->valuator2 = v->axisVal[first + 3];
case 3:
ev->valuator2 = v->axisVal[first + 2];
case 2:
@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
ev->valuator0 = v->axisVal[first];
break;
}
- first += ev->num_valuators;
}
static void
@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
ev->num_buttons = b->numButtons;
memcpy((char *) ev->buttons, (char *) b->down, 4);
}
- else if (k) {
+ if (k) {
ev->classes_reported |= (1 << KeyClass);
ev->num_keys = k->xkbInfo->desc->max_key_code -
k->xkbInfo->desc->min_key_code;
@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
}
}
-
+/**
+ * The device state notify event is split across multiple 32-byte events.
+ * The first one contains the first 32 button state bits, the first 32
+ * key state bits, and the first 3 valuator values.
+ *
+ * If a device has more than that, the server sends out:
+ * - one deviceButtonStateNotify for buttons 32 and above
+ * - one deviceKeyStateNotify for keys 32 and above
+ * - one deviceValuator event per 6 valuators above valuator 4
+ *
+ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
+ */
static void
DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
{
+ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
+ * and one deviceValuator for each 6 valuators */
+ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
int evcount = 1;
- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
- deviceStateNotify *ev;
- deviceKeyStateNotify *kev;
- deviceButtonStateNotify *bev;
+ deviceStateNotify *ev = sev;
KeyClassPtr k;
ButtonClassPtr b;
@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
if ((b = dev->button) != NULL) {
nbuttons = b->numButtons;
- if (nbuttons > 32)
+ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
evcount++;
}
if ((k = dev->key) != NULL) {
nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
- if (nkeys > 32)
+ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
evcount++;
- if (nbuttons > 0) {
- evcount++;
- }
}
if ((v = dev->valuator) != NULL) {
nval = v->numAxes;
-
- if (nval > 3)
- evcount++;
- if (nval > 6) {
- if (!(k && b))
- evcount++;
- if (nval > 9)
- evcount += ((nval - 7) / 3);
- }
+ /* first three are encoded in deviceStateNotify, then
+ * it's 6 per deviceValuator event */
+ evcount += ((nval - 3) + 6)/6;
}
- ev = sev;
- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
-
- if (b != NULL) {
- FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
- first += 3;
- nval -= 3;
- if (nbuttons > 32) {
- (ev - 1)->deviceid |= MORE_EVENTS;
- bev = (deviceButtonStateNotify *) ev++;
- bev->type = DeviceButtonStateNotify;
- bev->deviceid = dev->id;
- memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
- DOWN_LENGTH - 4);
- }
- if (nval > 0) {
- (ev - 1)->deviceid |= MORE_EVENTS;
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
- first += 3;
- nval -= 3;
- }
+ BUG_RETURN(evcount <= ARRAY_SIZE(sev));
+
+ FixDeviceStateNotify(dev, ev, k, b, v, first);
+
+ if (b != NULL && nbuttons > 32) {
+ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev;
+ (ev - 1)->deviceid |= MORE_EVENTS;
+ bev->type = DeviceButtonStateNotify;
+ bev->deviceid = dev->id;
+ memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
+ DOWN_LENGTH - 4);
}
- if (k != NULL) {
- FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
- first += 3;
- nval -= 3;
- if (nkeys > 32) {
- (ev - 1)->deviceid |= MORE_EVENTS;
- kev = (deviceKeyStateNotify *) ev++;
- kev->type = DeviceKeyStateNotify;
- kev->deviceid = dev->id;
- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
- }
- if (nval > 0) {
- (ev - 1)->deviceid |= MORE_EVENTS;
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
- first += 3;
- nval -= 3;
- }
+ if (k != NULL && nkeys > 32) {
+ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev;
+ (ev - 1)->deviceid |= MORE_EVENTS;
+ kev->type = DeviceKeyStateNotify;
+ kev->deviceid = dev->id;
+ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
}
+ first = 3;
+ nval -= 3;
while (nval > 0) {
- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
- first += 3;
- nval -= 3;
- if (nval > 0) {
- (ev - 1)->deviceid |= MORE_EVENTS;
- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
- first += 3;
- nval -= 3;
- }
+ ev->deviceid |= MORE_EVENTS;
+ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
+ first += 6;
+ nval -= 6;
}
DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
--
GitLab

36
SOURCES/CVE-2024-0229-3.patch Normal file
View File

@ -0,0 +1,36 @@
From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 21 Dec 2023 13:48:10 +1000
Subject: [PATCH 4/9] Xi: when creating a new ButtonClass, set the number of
buttons
There's a racy sequence where a master device may copy the button class
from the slave, without ever initializing numButtons. This leads to a
device with zero buttons but a button class which is invalid.
Let's copy the numButtons value from the source - by definition if we
don't have a button class yet we do not have any other slave devices
with more than this number of buttons anyway.
CVE-2024-0229, ZDI-CAN-22678
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
Xi/exevents.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/Xi/exevents.c b/Xi/exevents.c
index 54ea11a938..e161714682 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
to->button = calloc(1, sizeof(ButtonClassRec));
if (!to->button)
FatalError("[Xi] no memory for class shift.\n");
+ to->button->numButtons = from->button->numButtons;
}
else
classes->button = NULL;
--
GitLab

108
SOURCES/CVE-2024-21885.patch Normal file
View File

@ -0,0 +1,108 @@
From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu, 4 Jan 2024 10:01:24 +1000
Subject: [PATCH 5/9] Xi: flush hierarchy events after adding/removing master
devices
The `XISendDeviceHierarchyEvent()` function allocates space to store up
to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
If a device with a given ID was removed and a new device with the same
ID added both in the same operation, the single device ID will lead to
two info structures being written to `info`.
Since this case can occur for every device ID at once, a total of two
times `MAXDEVICES` info structures might be written to the allocation.
To avoid it, once one add/remove master is processed, send out the
device hierarchy event for the current state and continue. That event
thus only ever has exactly one of either added/removed in it (and
optionally slave attached/detached).
CVE-2024-21885, ZDI-CAN-22744
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index d2d985848d..72d00451e3 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
size_t len; /* length of data remaining in request */
int rc = Success;
int flags[MAXDEVICES] = { 0 };
+ enum {
+ NO_CHANGE,
+ FLUSH,
+ CHANGED,
+ } changes = NO_CHANGE;
REQUEST(xXIChangeHierarchyReq);
REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
rc = add_master(client, c, flags);
if (rc != Success)
goto unwind;
- }
+ changes = FLUSH;
break;
+ }
case XIRemoveMaster:
{
xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
rc = remove_master(client, r, flags);
if (rc != Success)
goto unwind;
- }
+ changes = FLUSH;
break;
+ }
case XIDetachSlave:
{
xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
rc = detach_slave(client, c, flags);
if (rc != Success)
goto unwind;
- }
+ changes = CHANGED;
break;
+ }
case XIAttachSlave:
{
xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
rc = attach_slave(client, c, flags);
if (rc != Success)
goto unwind;
+ changes = CHANGED;
+ break;
}
+ default:
break;
}
+ if (changes == FLUSH) {
+ XISendDeviceHierarchyEvent(flags);
+ memset(flags, 0, sizeof(flags));
+ changes = NO_CHANGE;
+ }
+
len -= any->length * 4;
any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
}
unwind:
-
- XISendDeviceHierarchyEvent(flags);
+ if (changes != NO_CHANGE)
+ XISendDeviceHierarchyEvent(flags);
return rc;
}
--
GitLab

69
SOURCES/CVE-2024-21886-1.patch Normal file
View File

@ -0,0 +1,69 @@
From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Fri, 22 Dec 2023 18:28:31 +0100
Subject: [PATCH 6/9] Xi: do not keep linked list pointer during recursion
The `DisableDevice()` function is called whenever an enabled device
is disabled and it moves the device from the `inputInfo.devices` linked
list to the `inputInfo.off_devices` linked list.
However, its link/unlink operation has an issue during the recursive
call to `DisableDevice()` due to the `prev` pointer pointing to a
removed device.
This issue leads to a length mismatch between the total number of
devices and the number of device in the list, leading to a heap
overflow and, possibly, to local privilege escalation.
Simplify the code that checked whether the device passed to
`DisableDevice()` was in `inputInfo.devices` or not and find the
previous device after the recursion.
CVE-2024-21886, ZDI-CAN-22840
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
---
dix/devices.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/dix/devices.c b/dix/devices.c
index dca98c8d1b..389d28a23c 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
{
DeviceIntPtr *prev, other;
BOOL enabled;
+ BOOL dev_in_devices_list = FALSE;
int flags[MAXDEVICES] = { 0 };
if (!dev->enabled)
return TRUE;
- for (prev = &inputInfo.devices;
- *prev && (*prev != dev); prev = &(*prev)->next);
- if (*prev != dev)
+ for (other = inputInfo.devices; other; other = other->next) {
+ if (other == dev) {
+ dev_in_devices_list = TRUE;
+ break;
+ }
+ }
+
+ if (!dev_in_devices_list)
return FALSE;
TouchEndPhysicallyActiveTouches(dev);
@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
LeaveWindow(dev);
SetFocusOut(dev);
+ for (prev = &inputInfo.devices;
+ *prev && (*prev != dev); prev = &(*prev)->next);
+
*prev = dev->next;
dev->next = inputInfo.off_devices;
inputInfo.off_devices = dev;
--
GitLab

52
SOURCES/CVE-2024-21886-2.patch Normal file
View File

@ -0,0 +1,52 @@
From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Fri, 5 Jan 2024 09:40:27 +1000
Subject: [PATCH 7/9] dix: when disabling a master, float disabled slaved
devices too
Disabling a master device floats all slave devices but we didn't do this
to already-disabled slave devices. As a result those devices kept their
reference to the master device resulting in access to already freed
memory if the master device was removed before the corresponding slave
device.
And to match this behavior, also forcibly reset that pointer during
CloseDownDevices().
Related to CVE-2024-21886, ZDI-CAN-22840
---
dix/devices.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/dix/devices.c b/dix/devices.c
index 389d28a23c..84a6406d13 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
flags[other->id] |= XISlaveDetached;
}
}
+
+ for (other = inputInfo.off_devices; other; other = other->next) {
+ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
+ AttachDevice(NULL, other, NULL);
+ flags[other->id] |= XISlaveDetached;
+ }
+ }
}
else {
for (other = inputInfo.devices; other; other = other->next) {
@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
dev->master = NULL;
}
+ for (dev = inputInfo.off_devices; dev; dev = dev->next) {
+ if (!IsMaster(dev) && !IsFloating(dev))
+ dev->master = NULL;
+ }
+
CloseDeviceList(&inputInfo.devices);
CloseDeviceList(&inputInfo.off_devices);
--
GitLab

77
SOURCES/dix-fix-use-after-free-in-input-device-shutdown.patch Normal file
View File

@ -0,0 +1,77 @@
From 1801fe0ac3926882d47d7e1ad6c0518a2cdffd41 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas <povilas@radix.lt>
Date: Sun, 19 Dec 2021 18:11:07 +0200
Subject: [PATCH] dix: Fix use after free in input device shutdown
This fixes access to freed heap memory via dev->master. E.g. when
running BarrierNotify.ReceivesNotifyEvents/7 test from
xorg-integration-tests:
==24736==ERROR: AddressSanitizer: heap-use-after-free on address
0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
READ of size 4 at 0x619000065020 thread T0
#0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
#1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
#2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
../../../Xi/xichangehierarchy.c:95
#4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
../../../hw/xfree86/common/xf86Xinput.c:1142
#6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
#7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
#8 0x55c450e837ef in dix_main ../../../dix/main.c:302
#9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
#11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)
0x619000065020 is located 160 bytes inside of 912-byte region
[0x619000064f80,0x619000065310)
freed by thread T0 here:
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
#2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
../../../hw/xfree86/common/xf86Xinput.c:1142
#4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
#5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
#6 0x55c450e837ef in dix_main ../../../dix/main.c:302
#7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
previously allocated by thread T0 here:
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
#1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
#2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
#3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
../../../Xi/xichangehierarchy.c:465
#5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
#6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
#7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
#8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
(/lib/x86_64-linux-gnu/libc.so.6+0x28564)
The problem is caused by dev->master being not reset when disabling the
device, which then causes dangling pointer when the master device itself
is being deleted when exiting whole server.
Note that RecalculateMasterButtons() requires dev->master to be still
valid, so we can reset it only at the end of function.
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
---
dix/devices.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/dix/devices.c b/dix/devices.c
index e62c34c55e..5f9ce1678f 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -520,6 +520,7 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
}
RecalculateMasterButtons(dev);
+ dev->master = NULL;
return TRUE;
}
--
GitLab

51
SOURCES/tigervnc-dont-install-appstream-metadata-file.patch
View File

@ -1,51 +0,0 @@
diff --git a/po/CMakeLists.txt b/po/CMakeLists.txt
index 052cfb3..c84fb0e 100644
--- a/po/CMakeLists.txt
+++ b/po/CMakeLists.txt
@@ -14,7 +14,6 @@ if (GETTEXT_XGETTEXT_EXECUTABLE)
${PROJECT_SOURCE_DIR}/vncviewer/*.h
${PROJECT_SOURCE_DIR}/vncviewer/*.cxx
${PROJECT_SOURCE_DIR}/vncviewer/*.desktop.in.in
- ${PROJECT_SOURCE_DIR}/vncviewer/*.metainfo.xml.in
)
add_custom_target(translations_update
diff --git a/vncviewer/CMakeLists.txt b/vncviewer/CMakeLists.txt
index 15eac66..450b732 100644
--- a/vncviewer/CMakeLists.txt
+++ b/vncviewer/CMakeLists.txt
@@ -100,34 +100,6 @@ if(UNIX)
add_custom_target(desktop ALL DEPENDS vncviewer.desktop)
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncviewer.desktop DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/applications)
- if("${GETTEXT_VERSION_STRING}" VERSION_GREATER 0.19.6)
- add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
- COMMAND ${GETTEXT_MSGFMT_EXECUTABLE}
- --xml --template ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
- -d ${CMAKE_SOURCE_DIR}/po -o org.tigervnc.vncviewer.metainfo.xml
- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
- )
- elseif(INTLTOOL_MERGE_EXECUTABLE)
- add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
- COMMAND sed -e 's@<name>@<_name>@\;s@</name>@</_name>@'
- -e 's@<summary>@<_summary>@\;s@</summary>@</_summary>@'
- -e 's@<caption>@<_caption>@\;s@</caption>@</_caption>@'
- -e 's@<p>@<_p>@g\;s@</p>@</_p>@g'
- ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in > org.tigervnc.vncviewer.metainfo.xml.intl
- COMMAND ${INTLTOOL_MERGE_EXECUTABLE}
- -x ${CMAKE_SOURCE_DIR}/po
- org.tigervnc.vncviewer.metainfo.xml.intl org.tigervnc.vncviewer.metainfo.xml
- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
- )
- else()
- add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
- COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in org.tigervnc.vncviewer.metainfo.xml
- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
- )
- endif()
- add_custom_target(appstream ALL DEPENDS org.tigervnc.vncviewer.metainfo.xml)
- install(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.tigervnc.vncviewer.metainfo.xml DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/metainfo)
-
foreach(res 16 22 24 32 48 64 128)
install(FILES ../media/icons/tigervnc_${res}.png DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/icons/hicolor/${res}x${res}/apps RENAME tigervnc.png)
endforeach()

135
SOURCES/tigervnc-support-username-alias-in-plainusers.patch
View File

@ -1,135 +0,0 @@
diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx
index 6f65e87..3142ba3 100644
--- a/common/rfb/SSecurityPlain.cxx
+++ b/common/rfb/SSecurityPlain.cxx
@@ -27,6 +27,8 @@
#include <rdr/InStream.h>
#if !defined(WIN32) && !defined(__APPLE__)
#include <rfb/UnixPasswordValidator.h>
+#include <unistd.h>
+#include <pwd.h>
#endif
#ifdef WIN32
#include <rfb/WinPasswdValidator.h>
@@ -45,21 +47,22 @@ StringParameter PasswordValidator::plainUsers
bool PasswordValidator::validUser(const char* username)
{
- CharArray users(plainUsers.getValueStr()), user;
+ std::vector<std::string> users;
- while (users.buf) {
- strSplit(users.buf, ',', &user.buf, &users.buf);
-#ifdef WIN32
- if (0 == stricmp(user.buf, "*"))
- return true;
- if (0 == stricmp(user.buf, username))
- return true;
-#else
- if (!strcmp(user.buf, "*"))
- return true;
- if (!strcmp(user.buf, username))
- return true;
+ users = split(plainUsers, ',');
+
+ for (size_t i = 0; i < users.size(); i++) {
+ if (users[i] == "*")
+ return true;
+#if !defined(WIN32) && !defined(__APPLE__)
+ if (users[i] == "%u") {
+ struct passwd *pw = getpwnam(username);
+ if (pw && pw->pw_uid == getuid())
+ return true;
+ }
#endif
+ if (users[i] == username)
+ return true;
}
return false;
}
diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx
index 649eb0b..cce73a0 100644
--- a/common/rfb/util.cxx
+++ b/common/rfb/util.cxx
@@ -99,6 +99,26 @@ namespace rfb {
return false;
}
+ std::vector<std::string> split(const char* src,
+ const char delimiter)
+ {
+ std::vector<std::string> out;
+ const char *start, *stop;
+
+ start = src;
+ do {
+ stop = strchr(start, delimiter);
+ if (stop == NULL) {
+ out.push_back(start);
+ } else {
+ out.push_back(std::string(start, stop-start));
+ start = stop + 1;
+ }
+ } while (stop != NULL);
+
+ return out;
+ }
+
bool strContains(const char* src, char c) {
int l=strlen(src);
for (int i=0; i<l; i++)
diff --git a/common/rfb/util.h b/common/rfb/util.h
index f0ac9ef..ed15c28 100644
--- a/common/rfb/util.h
+++ b/common/rfb/util.h
@@ -27,6 +27,9 @@
#include <limits.h>
#include <string.h>
+#include <string>
+#include <vector>
+
struct timeval;
#ifdef __GNUC__
@@ -76,6 +79,10 @@ namespace rfb {
// that part of the string. Obviously, setting both to 0 is not useful...
bool strSplit(const char* src, const char limiter, char** out1, char** out2, bool fromEnd=false);
+ // Splits a string with the specified delimiter
+ std::vector<std::string> split(const char* src,
+ const char delimiter);
+
// Returns true if src contains c
bool strContains(const char* src, char c);
diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man
index c36ae34..78db730 100644
--- a/unix/x0vncserver/x0vncserver.man
+++ b/unix/x0vncserver/x0vncserver.man
@@ -125,8 +125,8 @@ parameter instead.
.B \-PlainUsers \fIuser-list\fP
A comma separated list of user names that are allowed to authenticate via
any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
-to allow any user to authenticate using this security type. Default is to
-deny all users.
+to allow any user to authenticate using this security type. Specify \fB%u\fP
+to allow the user of the server process. Default is to deny all users.
.
.TP
.B \-pam_service \fIname\fP, \-PAMService \fIname\fP
diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
index ea87dea..e9fb654 100644
--- a/unix/xserver/hw/vnc/Xvnc.man
+++ b/unix/xserver/hw/vnc/Xvnc.man
@@ -200,8 +200,8 @@ parameter instead.
.B \-PlainUsers \fIuser-list\fP
A comma separated list of user names that are allowed to authenticate via
any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
-to allow any user to authenticate using this security type. Default is to
-deny all users.
+to allow any user to authenticate using this security type. Specify \fB%u\fP
+to allow the user of the server process. Default is to deny all users.
.
.TP
.B \-pam_service \fIname\fP, \-PAMService \fIname\fP

17
SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch
View File

@ -1,17 +0,0 @@
diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
index f8141959..c5c36539 100644
--- a/unix/xserver/hw/vnc/xvnc.c
+++ b/unix/xserver/hw/vnc/xvnc.c
@@ -366,8 +366,10 @@ ddxProcessArgument(int argc, char *argv[], int i)
if (strcmp(argv[i], "-inetd") == 0) {
int nullfd;
- dup2(0, 3);
- vncInetdSock = 3;
+ if ((vncInetdSock = dup(0)) == -1)
+ FatalError
+ ("Xvnc error: failed to allocate a new file descriptor for -inetd: %s\n", strerror(errno));
+
/* Avoid xserver >= 1.19's epoll-fd becoming fd 2 / stderr only to be
replaced by /dev/null by OsInit() because the pollfd is not

72
SOURCES/xorg-CVE-2024-31083-followup.patch
View File

@ -1,72 +0,0 @@
From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 5 Apr 2024 15:24:49 +0200
Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
then frees it using FreeGlyph() to decrease the reference count, after
AddGlyph() has increased it.
AddGlyph() however may chose to reuse an existing glyph if it's already
in the glyphSet, and free the glyph that was given, in which case the
caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
already freed glyph, as reported by ASan:
READ of size 4 thread T0
#0 in FreeGlyph xserver/render/glyph.c:252
#1 in ProcRenderAddGlyphs xserver/render/render.c:1174
#2 in Dispatch xserver/dix/dispatch.c:546
#3 in dix_main xserver/dix/main.c:271
#4 in main xserver/dix/stubmain.c:34
#5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 in __libc_start_main_impl ../csu/libc-start.c:360
#7 (/usr/bin/Xwayland+0x44fe4)
Address is located 0 bytes inside of 64-byte region
freed by thread T0 here:
#0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
#1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
#2 in AddGlyph xserver/render/glyph.c:295
#3 in ProcRenderAddGlyphs xserver/render/render.c:1173
#4 in Dispatch xserver/dix/dispatch.c:546
#5 in dix_main xserver/dix/main.c:271
#6 in main xserver/dix/stubmain.c:34
#7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
#0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
#1 in AllocateGlyph xserver/render/glyph.c:355
#2 in ProcRenderAddGlyphs xserver/render/render.c:1085
#3 in Dispatch xserver/dix/dispatch.c:546
#4 in dix_main xserver/dix/main.c:271
#5 in main xserver/dix/stubmain.c:34
#6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
To avoid that, make sure not to free the given glyph in AddGlyph().
v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
---
render/glyph.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/render/glyph.c b/render/glyph.c
index 13991f8a1..5fa7f3b5b 100644
--- a/render/glyph.c
+++ b/render/glyph.c
@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
TRUE, glyph->sha1);
if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
- FreeGlyphPicture(glyph);
- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
glyph = gr->glyph;
}
else if (gr->glyph != glyph) {
--
2.44.0

2
SOURCES/xvnc.service
View File

@ -32,7 +32,7 @@
Description=XVNC Per-Connection Daemon
[Service]
ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None -Log *:syslog:30
ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None
User=nobody
StandardInput=socket
StandardError=syslog

480
SPECS/tigervnc.spec
View File

@ -5,12 +5,12 @@
Name: tigervnc
Version: 1.13.1
Release: 10%{?dist}
Release: 3%{?dist}.6.alma.1
Summary: A TigerVNC remote display system
%global _hardened_build 1
License: GPLv2+
License: GPL-2.0-or-later
URL: http://www.tigervnc.com
Source0: %{name}-%{version}.tar.gz
@ -24,22 +24,37 @@ Source5: vncserver
# Downstream patches
Patch1: tigervnc-use-gnome-as-default-session.patch
Patch2: tigervnc-vncsession-restore-script-systemd-service.patch
Patch3: tigervnc-dont-install-appstream-metadata-file.patch
# https://gitlab.com/redhat/centos-stream/rpms/tigervnc/-/commit/75082cdb91390f66637d1dcacbb291181afbc9af
Patch3: tigervnc-dont-get-pointer-position-for-floating-device.patch
# Upstream patches
Patch50: tigervnc-support-username-alias-in-plainusers.patch
Patch51: tigervnc-use-dup-to-get-available-fd-for-inetd.patch
# Upstreamable patches
Patch80: tigervnc-dont-get-pointer-position-for-floating-device.patch
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
Patch100: tigervnc-xserver120.patch
# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
Patch101: 0001-rpath-hack.patch
# XServer patches
Patch200: xorg-CVE-2024-31083-followup.patch
# Patches were taken from:
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
Patch102: CVE-2023-5367.patch
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7
Patch103: CVE-2023-5380.patch
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
Patch104: CVE-2023-6377.patch
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632
Patch105: CVE-2023-6478.patch
# https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3
Patch106: CVE-2023-6816.patch
# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1245?commit_id=ece23be888a93b741aa1209d1dbf64636109d6a5
Patch107: CVE-2024-0229-1.patch
Patch108: CVE-2024-0229-2.patch
Patch109: CVE-2024-0229-3.patch
Patch110: CVE-2024-21885.patch
Patch111: CVE-2024-21886-1.patch
Patch112: CVE-2024-21886-2.patch
Patch113: dix-fix-use-after-free-in-input-device-shutdown.patch
BuildRequires: make
BuildRequires: gcc-c++
@ -125,10 +140,12 @@ X session.
%package server-minimal
Summary: A minimal installation of TigerVNC server
Requires(post): chkconfig
Requires(preun):chkconfig
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
Requires(post): systemd
Requires: mesa-dri-drivers, xkeyboard-config, xorg-x11-xkb-utils
Requires: mesa-dri-drivers, xkeyboard-config, xkbcomp
Requires: tigervnc-license, dbus-x11
%description server-minimal
@ -164,6 +181,9 @@ This package contains icons for TigerVNC viewer
Summary: SELinux module for TigerVNC
BuildArch: noarch
BuildRequires: selinux-policy-devel
BuildRequires: pkgconfig(systemd)
BuildRequires: selinux-policy
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
@ -171,7 +191,15 @@ BuildRequires: selinux-policy-devel
Requires: libselinux-utils
# Required for restorecon
Requires: policycoreutils
%{?selinux_requires}
Requires: libselinux-utils
Requires: selinux-policy
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-base
Requires(post): selinux-policy-%{selinuxtype}
Requires(post): libselinux-utils
Requires(post): policycoreutils
Requires(post): policycoreutils-python-utils
%description selinux
This package provides the SELinux policy module to ensure TigerVNC
@ -187,19 +215,26 @@ for all in `find . -type f -perm -001`; do
done
%patch100 -p1 -b .xserver120-rebased
%patch101 -p1 -b .rpath
%patch200 -p1 -b .xorg-CVE-2024-31083-followup
%patch102 -p1 -b .CVE-2023-5367
%patch103 -p1 -b .CVE-2023-5380
%patch104 -p1 -b .CVE-2023-6377
%patch105 -p1 -b .CVE-2023-6478
%patch106 -p1 -b .CVE-2023-6816
%patch107 -p1 -b .CVE-2024-0229-1
%patch108 -p1 -b .CVE-2024-0229-2
%patch109 -p1 -b .CVE-2024-0229-3
%patch110 -p1 -b .CVE-2024-21885
%patch111 -p1 -b .CVE-2024-21886-1
%patch112 -p1 -b .CVE-2024-21886-2
%patch113 -p1 -b .dix-fix-use-after-free-in-input-device-shutdown
popd
%patch1 -p1 -b .use-gnome-as-default-session
%patch2 -p1 -b .vncsession-restore-script-systemd-service
%patch3 -p1 -b .dont-install-appstream-metadata-file.patch
%patch3 -p1 -b .dont-get-pointer-position-for-floating-device
# Upstream patches
%patch50 -p1 -b .support-username-alias-in-plainusers
%patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd
# Upstreamable patches
%patch80 -p1 -b .dont-get-pointer-position-for-floating-device
%build
%ifarch sparcv9 sparc64 s390 s390x
@ -207,12 +242,22 @@ export CFLAGS="$RPM_OPT_FLAGS -fPIC"
%else
export CFLAGS="$RPM_OPT_FLAGS -fpic"
%endif
export CXXFLAGS="$CFLAGS"
export CXXFLAGS="$CFLAGS -std=c++11"
%{cmake} .
make %{?_smp_mflags}
%define __cmake_builddir %{_target_platform}
mkdir -p %{%__cmake_builddir}
%cmake
%cmake_build
pushd unix/xserver
%if 0%{?fedora} > 32 || 0%{?rhel} >= 9
sed -i 's@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}/%{_target_platform}@g' hw/vnc/Makefile.am
%endif
autoreconf -fiv
%configure \
--disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
@ -235,7 +280,11 @@ make %{?_smp_mflags}
popd
# Build icons
%if 0%{?fedora} > 32 || 0%{?rhel} >= 9
pushd %{_target_platform}/media
%else
pushd media
%endif
make
popd
@ -244,19 +293,19 @@ pushd unix/vncserver/selinux
make
popd
%install
%make_install
%cmake_install
rm -f %{buildroot}%{_docdir}/%{name}-%{version}/{README.rst,LICENCE.TXT}
pushd unix/xserver/hw/vnc
make install DESTDIR=%{buildroot}
%make_install
popd
# Install systemd unit file
pushd unix/vncserver/selinux
make install DESTDIR=%{buildroot}
popd
# Install systemd unit file
install -m644 %{SOURCE1} %{buildroot}%{_unitdir}/xvnc@.service
install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket
@ -270,7 +319,21 @@ install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps
done
popd
appstream-util validate-relax --nonet %{buildroot}%{_metainfodir}/org.tigervnc.vncviewer.metainfo.xml
desktop-file-validate %{buildroot}%{_datadir}/applications/vncviewer.desktop
%if 0%{?rhel} > 9
# Install a replacement for /usr/bin/vncserver which will tell the user to read the
# HOWTO.md file
cat <<EOF > %{buildroot}/%{_bindir}/vncserver
#!/bin/bash
echo "vncserver has been replaced by a systemd unit."
echo "Please read /usr/share/doc/tigervnc/HOWTO.md for more information."
EOF
chmod +x %{buildroot}/%{_bindir}/vncserver
%else
install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
%endif
%find_lang %{name} %{name}.lang
@ -281,15 +344,14 @@ mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/
install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
%post server
%systemd_post xvnc.service
%systemd_post xvnc@.service
%systemd_post xvnc.socket
%preun server
%systemd_preun xvnc.service
%systemd_preun xvnc.socket
%postun server
%systemd_postun xvnc.service
%systemd_postun xvnc@.service
%systemd_postun xvnc.socket
%pre selinux
@ -311,6 +373,7 @@ fi
%{_bindir}/vncviewer
%{_datadir}/applications/*
%{_mandir}/man1/vncviewer.1*
%{_datadir}/metainfo/org.tigervnc.vncviewer.metainfo.xml
%files server
%config(noreplace) %{_sysconfdir}/pam.d/tigervnc
@ -320,8 +383,8 @@ fi
%{_unitdir}/vncserver@.service
%{_unitdir}/xvnc@.service
%{_unitdir}/xvnc.socket
%{_bindir}/x0vncserver
%{_bindir}/vncserver
%{_bindir}/x0vncserver
%{_sbindir}/vncsession
%{_libexecdir}/vncserver
%{_libexecdir}/vncsession-start
@ -341,7 +404,7 @@ fi
%files server-module
%{_libdir}/xorg/modules/extensions/libvnc.so
%config %{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
%config(noreplace) %{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
%files license
%{_docdir}/tigervnc/LICENCE.TXT
@ -354,243 +417,236 @@ fi
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%changelog
* Mon Apr 15 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10
- Drop patches that are already part of xorg-x11-server
Resolves: RHEL-30755
Resolves: RHEL-30767
Resolves: RHEL-30761
* Tue Jan 30 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1.13.1-3.3.alma.1
- CVE-2023-6816, CVE-2024-0029, CVE-2024-21885, CVE-2024-21886
- dix: Fix use after free in input device shutdown
* Thu Apr 04 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-9
- Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
Resolves: RHEL-30755
- Fix CVE-2024-31083 tigervnc: xorg-x11-server: User-after-free in ProcRenderAddGlyphs
Resolves: RHEL-30767
- Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
Resolves: RHEL-30761
* Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8
- Fix copy/paste error in the DeviceStateNotify
Resolves: RHEL-20530
* Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
Resolves: RHEL-20388
- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
Resolves: RHEL-20382
- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
Resolves: RHEL-20530
- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
Resolves: RHEL-21214
* Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6
- Use dup() to get available file descriptor when using -inetd option
Resolves: RHEL-21000
* Mon Dec 18 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-5
- Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions
Resolves: RHEL-18410
- Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
Resolves: RHEL-18422
* Wed Nov 01 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-4
- Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow
Resolves: RHEL-15236
- Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty
Resolves: RHEL-15230
* Mon Oct 09 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3
- Support username alias in PlainUsers
Resolves: RHEL-4258
* Wed Jan 03 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1.13.1-3.3.alma.1
- CVE-2023-5367, CVE-2023-5380, CVE-2023-6377, CVE-2023-6478
* Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
Escalation Vulnerability
Resolves: bz#2180306
Resolves: bz#2180310
* Tue Mar 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-1
- 1.13.1
Resolves: bz#2175748
- Restore "--fallbacktofreeport" option in the vncserver script
Resolves: bz#2174398
Resolves: bz#2175732
* Thu Dec 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-9
- Bump build version to fix upgrade path
Resolves: bz#1437569
* Tue Feb 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-12
- SELinux: allow vncsession create .vnc directory
Resolves: bz#2164703
* Fri Nov 18 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-8
* Wed Feb 15 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-11
- Add sanity check when cleaning up keymap changes
Resolves: bz#2169965
* Mon Feb 06 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-10
- xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation
Resolves: bz#2167061
* Tue Dec 20 2022 Tomas Popela <tpopela@redhat.com> - 1.12.0-9
- Rebuild for xorg-x11-server CVE-2022-46340 follow up fix
* Fri Dec 16 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-8
- Rebuild for xorg-x11-server CVEs
Resolves: CVE-2022-4283 (bz#2154234)
Resolves: CVE-2022-46340 (bz#2154221)
Resolves: CVE-2022-46341 (bz#2154224)
Resolves: CVE-2022-46342 (bz#2154226)
Resolves: CVE-2022-46343 (bz#2154228)
Resolves: CVE-2022-46344 (bz#2154230)
* Thu Dec 01 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-7
- x0vncserver: add new keysym in case we don't find matching keycode
Resolves: bz#1437569
+ actually apply the patch
Resolves: bz#2119017
* Wed Aug 24 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-7
* Thu Dec 01 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-6
- x0vncserver: add new keysym in case we don't find matching keycode
Resolves: bz#2119017
* Mon Oct 24 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-5
- x0vncserver: fix ghost cursor in zaphod mode (better version)
Resolves: bz#2109679
Resolves: bz#2119016
* Wed Aug 17 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-6
- x0vncserver: fix ghost cursor in zaphod mode
Resolves: bz#2109679
* Tue May 31 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4
- Add BR: libXdamage, libXfixes, libXrandr
Resolves: bz#2091833
* Tue May 31 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-5
- BR: libXdamage, libXfixes, libXrandr
Resolves: bz#2088733
* Tue Apr 05 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3
- Do not run systemd_preun on Xvnc service file
Resolves: bz#2048011
* Tue Feb 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4
* Mon Apr 04 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2
- Drop unexisting option from the old vncserver script
Resolves: bz#2021893
* Wed Mar 23 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
- 1.12.0 + sync with Fedora
Resolves: bz#2048011
Resolves: bz#2021893
* Mon Feb 07 2022 Jan Grulich <jgrulich@redhat.com> - 1.11.0-21
- Added vncsession-restore script for SELinux policy migration
Fix SELinux context for root user
Resolves: bz#2021892
Resolves: bz#2049506
* Fri Jan 21 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3
- Fix crash in vncviewer
Resolves: bz#2021892
* Fri Nov 26 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-20
- Rebuild for absence in RHEL 9.0
Resolves: bz#1985858
* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2
- Remove unavailable option from vncserver script
Resolves: bz#2021892
* Mon Aug 16 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-19
- Sync upstream patches + drop unused patches
Resolves: bz#1985858
* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
- 1.12.0
Resolves: bz#2021892
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.11.0-18
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9
* Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-17
- Fix logout from VNC session using vncserver
Resolves: bz#1983706
Resolves: bz#1983704
* Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-8
- Run all SELinux RPM macros on correct package
Resolves: bz#1907963
* Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-16
- Bump version for rebuild (binutils)
Resolves: bz#1961488
* Mon May 17 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-7
* Mon May 17 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-14
- SELinux improvements
Resolves: bz#1907963
Resolves: bz#1961488
* Tue Dec 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6
- Use GNOME as default session
Resolves: bz#1853608
- Fix endianness issue on s390x
Resolves: bz#1963029
* Thu Dec 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-5
- Make sure we log properly output to journal (actually log to syslog)
Resolves: bz#1841537
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.11.0-13
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Dec 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-4
- Make sure we log properly output to journal
Resolves: bz#1841537
* Mon Mar 08 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-12
- Include RHEL8 patches
* Wed Nov 18 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-3
- vncserver: ignore new "session" parameter from the new systemd support
Resolves: bz#1897504
* Fri Mar 05 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-11
- Enable old vncserver script for RHEL 9
* Wed Nov 18 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-2
- Revert removal of vncserver
Resolves: bz#1897504
- Correctly start vncsession as a daemon
Resolves: bz#1897498
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.11.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Oct 20 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-1
- Update to 1.11.0
Resolves: bz#1880985
- Backport fix to allow Tigervnc use boolean values in config files
Resolves: bz#1883415
* Thu Dec 10 07:45:46 CET 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9
- vncserver: ignore new session parameter from the new systemd support
* Wed Sep 30 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-8
- Tolerate specifying -BoolParam 0 and similar
Resolves: bz#1883415
* Fri Nov 13 14:08:29 CET 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-8
- Use /run instead of /var/run which is just a symlink
* Wed Jul 08 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-7
- Enable server module on s390x
Resolves: bz#1854925
* Thu Nov 05 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.11.0-7
- Require xkbcomp directly, not xorg-x11-xkb-utils. The latter has had
Provides xkbcomp for years.
* Fri Jul 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-6
- Remove trailing spaces in user name
Resolves: bz#1852432
* Tue Sep 29 13:12:22 CEST 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6
- Backport upstream fix allowing Tigervnc to specify boolean valus in configuration
- Revert removal of vncserver for F32 and F33
* Thu Jun 25 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-5
- Install the HOWTO file to correct location
* Thu Sep 24 07:14:06 CEST 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-5
- Actually install the HOWTO.md file
* Wed Sep 23 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-4
- Call systemd macros on correct service file
* Tue Sep 22 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-3
- Do not overwrite libvnc.conf config file
* Thu Sep 17 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-2
- Add /usr/bin/vncserver file informing users to read the HOWTO.md file
Resolves: bz#1790443
* Mon Jun 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-4
- Improve SELinux policy
Resolves: bz#1790443
* Wed Sep 09 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-1
- 1.11.0
* Mon Jun 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-3
- Add a HOWTO.md file with instructions how to start VNC server
Resolves: bz#1790443
* Mon Aug 24 2020 Jan Grulich <jgrulich@redhat.com. - 1.10.90-1
- Update to 1.10.90 (1.11.0 beta)
* Tue May 26 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-2
- Make the systemd service run also for root user
Resolves: bz#1790443
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-9
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Apr 27 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-1
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.10.1-7
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Sat Jul 11 2020 Jiri Vanek <jvanek@redhat.com> - 1.10.1-6
- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
* Sun Apr 19 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-5
- Requires: dbus-x11
Resolves: bz#1825331
* Fri Mar 13 2020 Olivier Fourdan <ofourdan@redhat.com> - 1.10.1-4
- Fix build with xserver 1.20.7
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Jan 13 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-2
- Build with -std=c++11
* Fri Dec 20 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.1-1
- Update to 1.10.1
Resolves: bz#1806992
- Add proper systemd support
Resolves: bz#1790443
* Tue Dec 10 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.0-2
- Properly install systemd files
* Tue Jan 28 2020 Jan Grulich <jgrulich@redhat.com> - 1.9.0-13
- Bump build because of z-stream
Resolves: bz#1671714
* Mon Nov 18 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.0-1
- Update to 1.10.0
* Wed Dec 11 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-12
- Fix installation of systemd files
Resolves: bz#1671714
* Fri Oct 18 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.90-1
- Update to 1.9.90 (1.10 beta)
- Add systemd user service file
- Use a wrapper for systemd system service file to workaround systemd limitations
* Wed Nov 20 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-11
- Use wrapper script to workaround systemd issues
Resolves: bz#1671714
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Jul 12 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-10
- Do not return returncode indicating error when running "vncserver -list"
Resolves: bz#1727860
* Fri Jul 19 2019 Dan Horák <dan[at]danny.cz> - 1.9.0-6
- drop the s390x special handling (related #1727029)
* Fri Feb 08 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-9
- Make tigervnc systemd service a user service
Resolves: bz#1639846
* Wed Jun 12 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-5
- Add missing arguments to systemd_postun scriptlets
Resolves: bz#1716411
* Mon Jan 21 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-8
- Kill the session automatically only when Gnome is installed
Resolves: bz#1665876
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Nov 20 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-7
- Improve coverity scan fixes
Resolves: bz#1602714
Inform whether view-only password is used or not
Resolves: bz#1639169
Backport fixes from RHEL 7
Resolves: bz#1651254
* Tue Oct 09 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-6
* Tue Sep 25 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-3
- Do not crash passwd when using malloc perturb checks
Resolves: bz#1637086
* Mon Oct 08 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-5
- Improve coverity scan fixes
Resolves: bz#1602714
* Wed Oct 03 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-4
- Improve coverity scan fixes
Resolves: bz#1602714
* Wed Oct 03 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-3
- Fix some coverity scan issues
Resolves: bz#1602714
Resolves: bz#1631483
* Wed Aug 01 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-2
- Remove dependency on initscripts
- Ignore buttons in mouse leave events
Resolves: bz#1609516
* Tue Jul 17 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-1
- Update to 1.9.0 + sync with Fedora
- Update to 1.9.0
* Tue Jun 12 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-10
- Fix GLX initialization with Xorg 1.20
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.90-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue May 29 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-9
- Build against Xorg 1.20
* Wed Jul 4 2018 Peter Robinson <pbrobinson@fedoraproject.org> 1.8.90-2
- Clean up spec: use macros consistenly, drop old sys-v migrations
- Drop ancient obsolete/provides
* Mon May 14 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-8
- Drop BR: ImageMagick
* Thu Jun 14 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.90-1
- Update to 1.8.90
* Wed Jun 13 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-10
- Fix tigervnc systemd unit file
Resolves: bz#1583159
* Wed Jun 06 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-9
- Fix GLX initialization with 1.20
* Wed Apr 04 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-8
- Rebuild for xserver 1.20
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild