SOURCES/xorg-CVE-2024-0229-followup.patch

@@ -0,0 +1,32 @@
+From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 22 Jan 2024 14:22:12 +1000
+Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
+ event
+
+Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
+---
+ dix/enterleave.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 7b7ba1098b..c1e6ac600e 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+     ev->first_valuator = first;
+     switch (ev->num_valuators) {
+     case 6:
+-        ev->valuator2 = v->axisVal[first + 5];
++        ev->valuator5 = v->axisVal[first + 5];
+     case 5:
+-        ev->valuator2 = v->axisVal[first + 4];
++        ev->valuator4 = v->axisVal[first + 4];
+     case 4:
+-        ev->valuator2 = v->axisVal[first + 3];
++        ev->valuator3 = v->axisVal[first + 3];
+     case 3:
+         ev->valuator2 = v->axisVal[first + 2];
+     case 2:
+--
+GitLab

SOURCES/xorg-CVE-2024-31083-followup.patch

@@ -1,72 +0,0 @@
-From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Fri, 5 Apr 2024 15:24:49 +0200
-Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
-
-ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
-then frees it using FreeGlyph() to decrease the reference count, after
-AddGlyph() has increased it.
-
-AddGlyph() however may chose to reuse an existing glyph if it's already
-in the glyphSet, and free the glyph that was given, in which case the
-caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
-already freed glyph, as reported by ASan:
-
-  READ of size 4 thread T0
-    #0 in FreeGlyph xserver/render/glyph.c:252
-    #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
-    #2 in Dispatch xserver/dix/dispatch.c:546
-    #3 in dix_main xserver/dix/main.c:271
-    #4 in main xserver/dix/stubmain.c:34
-    #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-    #6 in __libc_start_main_impl ../csu/libc-start.c:360
-    #7  (/usr/bin/Xwayland+0x44fe4)
-  Address is located 0 bytes inside of 64-byte region
-  freed by thread T0 here:
-    #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
-    #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
-    #2 in AddGlyph xserver/render/glyph.c:295
-    #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
-    #4 in Dispatch xserver/dix/dispatch.c:546
-    #5 in dix_main xserver/dix/main.c:271
-    #6 in main xserver/dix/stubmain.c:34
-    #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-  previously allocated by thread T0 here:
-    #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
-    #1 in AllocateGlyph xserver/render/glyph.c:355
-    #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
-    #3 in Dispatch xserver/dix/dispatch.c:546
-    #4 in dix_main xserver/dix/main.c:271
-    #5 in main xserver/dix/stubmain.c:34
-    #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
-  SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
-
-To avoid that, make sure not to free the given glyph in AddGlyph().
-
-v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
-v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
-
-Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
-Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
----
- render/glyph.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/render/glyph.c b/render/glyph.c
-index 13991f8a1..5fa7f3b5b 100644
---- a/render/glyph.c
-+++ b/render/glyph.c
-@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id)
-     gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature,
-                       TRUE, glyph->sha1);
-     if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) {
--        FreeGlyphPicture(glyph);
--        dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH);
-         glyph = gr->glyph;
-     }
-     else if (gr->glyph != glyph) {
--- 
-2.44.0
-

SPECS/tigervnc.spec

@@ -5,7 +5,7 @@
 
 Name:           tigervnc
 Version:        1.13.1
-Release:        10%{?dist}
+Release:        8%{?dist}
 Summary:        A TigerVNC remote display system
 
 %global _hardened_build 1
@@ -39,7 +39,9 @@ Patch100:       tigervnc-xserver120.patch
 Patch101:       0001-rpath-hack.patch
 
 # XServer patches
-Patch200:       xorg-CVE-2024-31083-followup.patch
+# CVE-2024-0229
+# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1251
+Patch200:       xorg-CVE-2024-0229-followup.patch
 
 BuildRequires:  make
 BuildRequires:  gcc-c++
@@ -187,7 +189,7 @@ for all in `find . -type f -perm -001`; do
 done
 %patch100 -p1 -b .xserver120-rebased
 %patch101 -p1 -b .rpath
-%patch200 -p1 -b .xorg-CVE-2024-31083-followup
+%patch200 -p1 -b .xorg-CVE-2024-0229-followup
 popd
 
 %patch1 -p1 -b .use-gnome-as-default-session
@@ -354,20 +356,6 @@ fi
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 
 %changelog
-* Mon Apr 15 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10
-- Drop patches that are already part of xorg-x11-server
-  Resolves: RHEL-30755
-  Resolves: RHEL-30767
-  Resolves: RHEL-30761
-
-* Thu Apr 04 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-9
-- Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
-  Resolves: RHEL-30755
-- Fix CVE-2024-31083 tigervnc: xorg-x11-server: User-after-free in ProcRenderAddGlyphs
-  Resolves: RHEL-30767
-- Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
-  Resolves: RHEL-30761
-
 * Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8
 - Fix copy/paste error in the DeviceStateNotify
   Resolves: RHEL-20530