15 changed files with 1375 additions and 337 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/tigervnc-1.15.0.tar.gz
+SOURCES/tigervnc-1.14.1.tar.gz
--- a/.tigervnc.metadata
+++ b/.tigervnc.metadata
@ -1 +1 @@
-fec424f110bdf5032cd5eb4df2596b8251d2e1ed SOURCES/tigervnc-1.15.0.tar.gz
+bc3c8bc9f454eb307011cd5965251f4a28040a25 SOURCES/tigervnc-1.14.1.tar.gz
--- a/SOURCES/10-libvnc.conf
+++ b/SOURCES/10-libvnc.conf
@ -12,7 +12,7 @@
 #EndSection

 #Section "Screen"
-#    Identifier "Screen0"
+#    Identifier "Screen0
 #    DefaultDepth 16
 #    Option "SecurityTypes" "VncAuth"
 #    Option "PasswordFile" "/root/.vnc/passwd"
--- a/SOURCES/tigervnc-add-clipboard-support-to-x0vncserver.patch
+++ b/SOURCES/tigervnc-add-clipboard-support-to-x0vncserver.patch
@ -0,0 +1,543 @@
+From c23be952f50ba34c49134b6280ce503f154dc9bc Mon Sep 17 00:00:00 2001
+From: Gaurav Ujjwal <gujjwal00@gmail.com>
+Date: Wed, 25 Sep 2024 21:21:26 +0530
+Subject: [PATCH] Add clipboard support to x0vncserver
+
+---
+ unix/tx/TXWindow.cxx             |  13 ++-
+ unix/tx/TXWindow.h               |   3 +-
+ unix/x0vncserver/CMakeLists.txt  |   1 +
+ unix/x0vncserver/XDesktop.cxx    |  49 +++++++-
+ unix/x0vncserver/XDesktop.h      |  13 ++-
+ unix/x0vncserver/XSelection.cxx  | 195 +++++++++++++++++++++++++++++++
+ unix/x0vncserver/XSelection.h    |  58 +++++++++
+ unix/x0vncserver/x0vncserver.cxx |   5 -
+ unix/x0vncserver/x0vncserver.man |  21 ++++
+ 9 files changed, 344 insertions(+), 14 deletions(-)
+ create mode 100644 unix/x0vncserver/XSelection.cxx
+ create mode 100644 unix/x0vncserver/XSelection.h
+
+diff --git a/unix/tx/TXWindow.cxx b/unix/tx/TXWindow.cxx
+index ee097e4..b10ed84 100644
+--- a/unix/tx/TXWindow.cxx
+++ b/unix/tx/TXWindow.cxx
+@@ -36,7 +36,7 @@ std::list<TXWindow*> windows;
+ 
+ Atom wmProtocols, wmDeleteWindow, wmTakeFocus;
+ Atom xaTIMESTAMP, xaTARGETS, xaSELECTION_TIME, xaSELECTION_STRING;
+-Atom xaCLIPBOARD;
+Atom xaCLIPBOARD, xaUTF8_STRING, xaINCR;
+ unsigned long TXWindow::black, TXWindow::white;
+ unsigned long TXWindow::defaultFg, TXWindow::defaultBg;
+ unsigned long TXWindow::lightBg, TXWindow::darkBg;
+@@ -65,6 +65,8 @@ void TXWindow::init(Display* dpy, const char* defaultWindowClass_)
+   xaSELECTION_TIME = XInternAtom(dpy, "SELECTION_TIME", False);
+   xaSELECTION_STRING = XInternAtom(dpy, "SELECTION_STRING", False);
+   xaCLIPBOARD = XInternAtom(dpy, "CLIPBOARD", False);
+  xaUTF8_STRING = XInternAtom(dpy, "UTF8_STRING", False);
+  xaINCR = XInternAtom(dpy, "INCR", False);
+   XColor cols[6];
+   cols[0].red = cols[0].green = cols[0].blue = 0x0000;
+   cols[1].red = cols[1].green = cols[1].blue = 0xbbbb;
+@@ -462,17 +464,18 @@ void TXWindow::handleXEvent(XEvent* ev)
+       } else {
+         se.property = ev->xselectionrequest.property;
+         if (se.target == xaTARGETS) {
+-          Atom targets[2];
+          Atom targets[3];
+           targets[0] = xaTIMESTAMP;
+           targets[1] = XA_STRING;
+          targets[2] = xaUTF8_STRING;
+           XChangeProperty(dpy, se.requestor, se.property, XA_ATOM, 32,
+-                          PropModeReplace, (unsigned char*)targets, 2);
+                          PropModeReplace, (unsigned char*)targets, 3);
+         } else if (se.target == xaTIMESTAMP) {
+           Time t = selectionOwnTime[se.selection];
+           XChangeProperty(dpy, se.requestor, se.property, XA_INTEGER, 32,
+                           PropModeReplace, (unsigned char*)&t, 1);
+-        } else if (se.target == XA_STRING) {
+-          if (!selectionRequest(se.requestor, se.selection, se.property))
+        } else if (se.target == XA_STRING || se.target == xaUTF8_STRING) {
+          if (!selectionRequest(se.requestor, se.selection, se.target, se.property))
+             se.property = None;
+         } else {
+           se.property = None;
+diff --git a/unix/tx/TXWindow.h b/unix/tx/TXWindow.h
+index 223c07a..32ae9a3 100644
+--- a/unix/tx/TXWindow.h
+++ b/unix/tx/TXWindow.h
+@@ -155,6 +155,7 @@ public:
+   // returning true if successful, false otherwise.
+   virtual bool selectionRequest(Window /*requestor*/,
+                                 Atom /*selection*/,
+                                Atom /*target*/,
+                                 Atom /*property*/) { return false;}
+ 
+   // Static methods
+@@ -224,6 +225,6 @@ private:
+ 
+ extern Atom wmProtocols, wmDeleteWindow, wmTakeFocus;
+ extern Atom xaTIMESTAMP, xaTARGETS, xaSELECTION_TIME, xaSELECTION_STRING;
+-extern Atom xaCLIPBOARD;
+extern Atom xaCLIPBOARD, xaUTF8_STRING, xaINCR;
+ 
+ #endif
+diff --git a/unix/x0vncserver/CMakeLists.txt b/unix/x0vncserver/CMakeLists.txt
+index 5ce9577..9d6d213 100644
+--- a/unix/x0vncserver/CMakeLists.txt
+++ b/unix/x0vncserver/CMakeLists.txt
+@@ -11,6 +11,7 @@ add_executable(x0vncserver
+   XPixelBuffer.cxx
+   XDesktop.cxx
+   RandrGlue.c
+  XSelection.cxx
+   ../vncconfig/QueryConnectDialog.cxx
+ )
+ 
+diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx
+index 1e52987..db5b6ae 100644
+--- a/unix/x0vncserver/XDesktop.cxx
+++ b/unix/x0vncserver/XDesktop.cxx
+@@ -43,6 +43,7 @@
+ #endif
+ #ifdef HAVE_XFIXES
+ #include <X11/extensions/Xfixes.h>
+#include <X11/Xatom.h>
+ #endif
+ #ifdef HAVE_XRANDR
+ #include <X11/extensions/Xrandr.h>
+@@ -81,7 +82,7 @@ static const char * ledNames[XDESKTOP_N_LEDS] = {
+ 
+ XDesktop::XDesktop(Display* dpy_, Geometry *geometry_)
+   : dpy(dpy_), geometry(geometry_), pb(0), server(0),
+-    queryConnectDialog(0), queryConnectSock(0),
+    queryConnectDialog(0), queryConnectSock(0), selection(dpy_, this),
+     oldButtonMask(0), haveXtest(false), haveDamage(false),
+     maxButtons(0), running(false), ledMasks(), ledState(0),
+     codeMap(0), codeMapLen(0)
+@@ -179,10 +180,15 @@ XDesktop::XDesktop(Display* dpy_, Geometry *geometry_)
+   if (XFixesQueryExtension(dpy, &xfixesEventBase, &xfixesErrorBase)) {
+     XFixesSelectCursorInput(dpy, DefaultRootWindow(dpy),
+                             XFixesDisplayCursorNotifyMask);
+
+    XFixesSelectSelectionInput(dpy, DefaultRootWindow(dpy), XA_PRIMARY,
+                               XFixesSetSelectionOwnerNotifyMask);
+    XFixesSelectSelectionInput(dpy, DefaultRootWindow(dpy), xaCLIPBOARD,
+                               XFixesSetSelectionOwnerNotifyMask);
+   } else {
+ #endif
+     vlog.info("XFIXES extension not present");
+-    vlog.info("Will not be able to display cursors");
+    vlog.info("Will not be able to display cursors or monitor clipboard");
+ #ifdef HAVE_XFIXES
+   }
+ #endif
+@@ -892,6 +898,20 @@ bool XDesktop::handleGlobalEvent(XEvent* ev) {
+       return false;
+ 
+     return setCursor();
+  }
+  else if (ev->type == xfixesEventBase + XFixesSelectionNotify) {
+    XFixesSelectionNotifyEvent* sev = (XFixesSelectionNotifyEvent*)ev;
+
+    if (!running)
+      return true;
+
+    if (sev->subtype != XFixesSetSelectionOwnerNotify)
+      return false;
+
+    selection.handleSelectionOwnerChange(sev->owner, sev->selection,
+                                         sev->timestamp);
+
+    return true;
+ #endif
+ #ifdef HAVE_XRANDR
+   } else if (ev->type == Expose) {
+@@ -1039,3 +1059,28 @@ bool XDesktop::setCursor()
+   return true;
+ }
+ #endif
+
+// X selection availability changed, let VNC clients know
+void XDesktop::handleXSelectionAnnounce(bool available) {
+  server->announceClipboard(available);
+}
+
+// A VNC client wants data, send request to selection owner
+void XDesktop::handleClipboardRequest() { 
+  selection.requestSelectionData(); 
+}
+
+// Data is available, send it to clients
+void XDesktop::handleXSelectionData(const char* data) {
+  server->sendClipboardData(data);
+}
+
+// When a client says it has clipboard data, request it 
+void XDesktop::handleClipboardAnnounce(bool available) {
+   if(available) server->requestClipboard();
+}
+
+// Client has sent the data
+void XDesktop::handleClipboardData(const char* data) {
+  if (data) selection.handleClientClipboardData(data);
+}
+diff --git a/unix/x0vncserver/XDesktop.h b/unix/x0vncserver/XDesktop.h
+index 4777a65..bc8d2a9 100644
+--- a/unix/x0vncserver/XDesktop.h
+++ b/unix/x0vncserver/XDesktop.h
+@@ -32,6 +32,8 @@
+ 
+ #include <vncconfig/QueryConnectDialog.h>
+ 
+#include "XSelection.h"
+
+ class Geometry;
+ class XPixelBuffer;
+ 
+@@ -46,7 +48,8 @@ struct AddedKeySym
+ 
+ class XDesktop : public rfb::SDesktop,
+                  public TXGlobalEventHandler,
+-                 public QueryResultCallback
+                 public QueryResultCallback,
+                 public XSelectionHandler
+ {
+ public:
+   XDesktop(Display* dpy_, Geometry *geometry);
+@@ -65,6 +68,13 @@ public:
+   virtual void clientCutText(const char* str);
+   virtual unsigned int setScreenLayout(int fb_width, int fb_height,
+                                        const rfb::ScreenSet& layout);
+  void handleClipboardRequest() override;
+  void handleClipboardAnnounce(bool available) override;
+  void handleClipboardData(const char* data) override;
+
+  // -=- XSelectionHandler interface
+  void handleXSelectionAnnounce(bool available) override;
+  void handleXSelectionData(const char* data) override;
+ 
+   // -=- TXGlobalEventHandler interface
+   virtual bool handleGlobalEvent(XEvent* ev);
+@@ -80,6 +90,7 @@ protected:
+   rfb::VNCServer* server;
+   QueryConnectDialog* queryConnectDialog;
+   network::Socket* queryConnectSock;
+  XSelection selection;
+   int oldButtonMask;
+   bool haveXtest;
+   bool haveDamage;
+diff --git a/unix/x0vncserver/XSelection.cxx b/unix/x0vncserver/XSelection.cxx
+new file mode 100644
+index 0000000..72dd537
+--- /dev/null
+++ b/unix/x0vncserver/XSelection.cxx
+@@ -0,0 +1,195 @@
+/* Copyright (C) 2024 Gaurav Ujjwal.  All Rights Reserved.
+ *
+ * This is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this software; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
+ * USA.
+ */
+
+#include <X11/Xatom.h>
+#include <rfb/Configuration.h>
+#include <rfb/LogWriter.h>
+#include <rfb/util.h>
+#include <x0vncserver/XSelection.h>
+
+rfb::BoolParameter setPrimary("SetPrimary",
+                              "Set the PRIMARY as well as the CLIPBOARD selection",
+                              true);
+rfb::BoolParameter sendPrimary("SendPrimary",
+                               "Send the PRIMARY as well as the CLIPBOARD selection",
+                               true);
+
+static rfb::LogWriter vlog("XSelection");
+
+XSelection::XSelection(Display* dpy_, XSelectionHandler* handler_)
+    : TXWindow(dpy_, 1, 1, nullptr), handler(handler_), announcedSelection(None)
+{
+  probeProperty = XInternAtom(dpy, "TigerVNC_ProbeProperty", False);
+  transferProperty = XInternAtom(dpy, "TigerVNC_TransferProperty", False);
+  timestampProperty = XInternAtom(dpy, "TigerVNC_TimestampProperty", False);
+  setName("TigerVNC Clipboard (x0vncserver)");
+  addEventMask(PropertyChangeMask); // Required for PropertyNotify events
+}
+
+static Bool PropertyEventMatcher(Display* /* dpy */, XEvent* ev, XPointer prop)
+{
+  if (ev->type == PropertyNotify && ev->xproperty.atom == *((Atom*)prop))
+    return True;
+  else
+    return False;
+}
+
+Time XSelection::getXServerTime()
+{
+  XEvent ev;
+  uint8_t data = 0;
+
+  // Trigger a PropertyNotify event to extract server time
+  XChangeProperty(dpy, win(), timestampProperty, XA_STRING, 8, PropModeReplace,
+                  &data, sizeof(data));
+  XIfEvent(dpy, &ev, &PropertyEventMatcher, (XPointer)&timestampProperty);
+  return ev.xproperty.time;
+}
+
+// Takes ownership of selections, backed by given data.
+void XSelection::handleClientClipboardData(const char* data)
+{
+  vlog.debug("Received client clipboard data, taking selection ownership");
+
+  Time time = getXServerTime();
+  ownSelection(xaCLIPBOARD, time);
+  if (!selectionOwner(xaCLIPBOARD))
+    vlog.error("Unable to own CLIPBOARD selection");
+
+  if (setPrimary) {
+    ownSelection(XA_PRIMARY, time);
+    if (!selectionOwner(XA_PRIMARY))
+      vlog.error("Unable to own PRIMARY selection");
+  }
+
+  if (selectionOwner(xaCLIPBOARD) || selectionOwner(XA_PRIMARY))
+    clientData = data;
+}
+
+// We own the selection and another X app has asked for data
+bool XSelection::selectionRequest(Window requestor, Atom selection, Atom target,
+                                  Atom property)
+{
+  if (clientData.empty() || requestor == win() || !selectionOwner(selection))
+    return false;
+
+  if (target == XA_STRING) {
+    std::string latin1 = rfb::utf8ToLatin1(clientData.data(), clientData.length());
+    XChangeProperty(dpy, requestor, property, XA_STRING, 8, PropModeReplace,
+                    (unsigned char*)latin1.data(), latin1.length());
+    return true;
+  }
+
+  if (target == xaUTF8_STRING) {
+    XChangeProperty(dpy, requestor, property, xaUTF8_STRING, 8, PropModeReplace,
+                    (unsigned char*)clientData.data(), clientData.length());
+    return true;
+  }
+
+  return false;
+}
+
+// Selection-owner change implies a change in selection data.
+void XSelection::handleSelectionOwnerChange(Window owner, Atom selection, Time time)
+{
+  if (selection != XA_PRIMARY && selection != xaCLIPBOARD)
+    return;
+  if (selection == XA_PRIMARY && !sendPrimary)
+    return;
+
+  if (selection == announcedSelection)
+    announceSelection(None);
+
+  if (owner == None || owner == win())
+    return;
+
+  if (!selectionOwner(XA_PRIMARY) && !selectionOwner(xaCLIPBOARD))
+    clientData = "";
+
+  XConvertSelection(dpy, selection, xaTARGETS, probeProperty, win(), time);
+}
+
+void XSelection::announceSelection(Atom selection)
+{
+  announcedSelection = selection;
+  handler->handleXSelectionAnnounce(selection != None);
+}
+
+void XSelection::requestSelectionData()
+{
+  if (announcedSelection != None)
+    XConvertSelection(dpy, announcedSelection, xaTARGETS, transferProperty, win(),
+                      CurrentTime);
+}
+
+// Some information about selection is received from current owner
+void XSelection::selectionNotify(XSelectionEvent* ev, Atom type, int format,
+                                 int nitems, void* data)
+{
+  if (!ev || !data || type == None)
+    return;
+
+  if (ev->target == xaTARGETS) {
+    if (format != 32 || type != XA_ATOM)
+      return;
+
+    Atom* targets = (Atom*)data;
+    bool utf8Supported = false;
+    bool stringSupported = false;
+
+    for (int i = 0; i < nitems; i++) {
+      if (targets[i] == xaUTF8_STRING)
+        utf8Supported = true;
+      else if (targets[i] == XA_STRING)
+        stringSupported = true;
+    }
+
+    if (ev->property == probeProperty) {
+      // Only probing for now, will issue real request when client asks for data
+      if (stringSupported || utf8Supported)
+        announceSelection(ev->selection);
+      return;
+    }
+
+    // Prefer UTF-8 if available
+    if (utf8Supported)
+      XConvertSelection(dpy, ev->selection, xaUTF8_STRING, transferProperty, win(),
+                        ev->time);
+    else if (stringSupported)
+      XConvertSelection(dpy, ev->selection, XA_STRING, transferProperty, win(),
+                        ev->time);
+  } else if (ev->target == xaUTF8_STRING || ev->target == XA_STRING) {
+    if (type == xaINCR) {
+      // Incremental transfer is not supported
+      vlog.debug("Selected data is too big!");
+      return;
+    }
+
+    if (format != 8)
+      return;
+
+    if (type == xaUTF8_STRING) {
+      std::string result = rfb::convertLF((char*)data, nitems);
+      handler->handleXSelectionData(result.c_str());
+    } else if (type == XA_STRING) {
+      std::string result = rfb::convertLF((char*)data, nitems);
+      result = rfb::latin1ToUTF8(result.data(), result.length());
+      handler->handleXSelectionData(result.c_str());
+    }
+  }
+}
+\ No newline at end of file
+diff --git a/unix/x0vncserver/XSelection.h b/unix/x0vncserver/XSelection.h
+new file mode 100644
+index 0000000..fbe1f29
+--- /dev/null
+++ b/unix/x0vncserver/XSelection.h
+@@ -0,0 +1,58 @@
+/* Copyright (C) 2024 Gaurav Ujjwal.  All Rights Reserved.
+ *
+ * This is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this software; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
+ * USA.
+ */
+
+#ifndef __XSELECTION_H__
+#define __XSELECTION_H__
+
+#include <string>
+#include <tx/TXWindow.h>
+
+class XSelectionHandler
+{
+public:
+  virtual void handleXSelectionAnnounce(bool available) = 0;
+  virtual void handleXSelectionData(const char* data) = 0;
+};
+
+class XSelection : TXWindow
+{
+public:
+  XSelection(Display* dpy_, XSelectionHandler* handler_);
+
+  void handleSelectionOwnerChange(Window owner, Atom selection, Time time);
+  void requestSelectionData();
+  void handleClientClipboardData(const char* data);
+
+private:
+  XSelectionHandler* handler;
+  Atom probeProperty;
+  Atom transferProperty;
+  Atom timestampProperty;
+  Atom announcedSelection;
+  std::string clientData; // Always in UTF-8
+
+  Time getXServerTime();
+  void announceSelection(Atom selection);
+
+  bool selectionRequest(Window requestor, Atom selection, Atom target,
+                        Atom property) override;
+  void selectionNotify(XSelectionEvent* ev, Atom type, int format, int nitems,
+                       void* data) override;
+};
+
+#endif
+diff --git a/unix/x0vncserver/x0vncserver.cxx b/unix/x0vncserver/x0vncserver.cxx
+index d2999e2..b31450b 100644
+--- a/unix/x0vncserver/x0vncserver.cxx
+++ b/unix/x0vncserver/x0vncserver.cxx
+@@ -281,11 +281,6 @@ int main(int argc, char** argv)
+ 
+   Configuration::enableServerParams();
+ 
+-  // FIXME: We don't support clipboard yet
+-  Configuration::removeParam("AcceptCutText");
+-  Configuration::removeParam("SendCutText");
+-  Configuration::removeParam("MaxCutText");
+-
+   // Assume different defaults when socket activated
+   if (hasSystemdListeners())
+     rfbport.setParam(-1);
+diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man
+index 347e50e..5bc8807 100644
+--- a/unix/x0vncserver/x0vncserver.man
+++ b/unix/x0vncserver/x0vncserver.man
+@@ -222,6 +222,27 @@ Accept pointer movement and button events from clients. Default is on.
+ Accept requests to resize the size of the desktop. Default is on.
+ .
+ .TP
+.B \-AcceptCutText
+Accept clipboard updates from clients. Default is on.
+.
+.TP
+.B \-SetPrimary
+Set the PRIMARY as well as the CLIPBOARD selection. Default is on.
+.
+.TP
+.B \-MaxCutText \fIbytes\fP
+The maximum permitted size of an incoming clipboard update.
+Default is \fB262144\fP.
+.
+.TP
+.B \-SendCutText
+Send clipboard changes to clients. Default is on.
+.
+.TP
+.B \-SendPrimary
+Send the PRIMARY as well as the CLIPBOARD selection to clients. Default is on.
+.
+.TP
+ .B \-RemapKeys \fImapping
+ Sets up a keyboard mapping.
+ .I mapping
--- a/SOURCES/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch
+++ b/SOURCES/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch
@ -0,0 +1,238 @@
+From 8ac9bf0c061666d89d345a3d7149e1ef9c771655 Mon Sep 17 00:00:00 2001
+From: Jan Grulich <jgrulich@redhat.com>
+Date: Mon, 29 Jul 2024 14:31:14 +0200
+Subject: [PATCH] Add option allowing to connect only the user owning the
+ running session
+
+Checks, whether the user who is trying to authenticate is already logged
+into the running session in order to allow or reject the connection.
+This is expected to be used with 'plain' security type in combination
+with 'PlainUsers=*' option allowing everyone to connect to the session.
+---
+ common/rfb/VNCServerST.cxx            |   7 --
+ unix/xserver/hw/vnc/XserverDesktop.cc | 120 +++++++++++++++++++++++++-
+ unix/xserver/hw/vnc/XserverDesktop.h  |   7 ++
+ 3 files changed, 126 insertions(+), 8 deletions(-)
+
+diff --git a/common/rfb/VNCServerST.cxx b/common/rfb/VNCServerST.cxx
+index 3831812..736a563 100644
+--- a/common/rfb/VNCServerST.cxx
+++ b/common/rfb/VNCServerST.cxx
+@@ -696,13 +696,6 @@ void VNCServerST::queryConnection(VNCSConnectionST* client,
+     return;
+   }
+ 
+-  // - Are we configured to do queries?
+-  if (!rfb::Server::queryConnect &&
+-      !client->getSock()->requiresQuery()) {
+-    approveConnection(client->getSock(), true, NULL);
+-    return;
+-  }
+-
+   // - Does the client have the right to bypass the query?
+   if (client->accessCheck(AccessNoQuery))
+   {
+diff --git a/unix/xserver/hw/vnc/XserverDesktop.cc b/unix/xserver/hw/vnc/XserverDesktop.cc
+index d4ee16b..fe86d36 100644
+--- a/unix/xserver/hw/vnc/XserverDesktop.cc
+++ b/unix/xserver/hw/vnc/XserverDesktop.cc
+@@ -52,6 +52,11 @@
+ #include "XorgGlue.h"
+ #include "vncInput.h"
+ 
+#if HAVE_SYSTEMD_DAEMON
+#  include <pwd.h>
+#  include <systemd/sd-login.h>
+#endif
+
+ extern "C" {
+ void vncSetGlueContext(int screenIndex);
+ void vncPresentMscEvent(uint64_t id, uint64_t msc);
+@@ -71,7 +76,15 @@ IntParameter queryConnectTimeout("QueryConnectTimeout",
+                                  "Accept Connection dialog before "
+                                  "rejecting the connection",
+                                  10);
+-
+#ifdef HAVE_SYSTEMD_DAEMON
+BoolParameter approveLoggedUserOnly
+("ApproveLoggedUserOnly",
+ "Approve only the user who is currently logged into the session."
+ "This is expected to be combined with 'plain' security type and with "
+ "'PlainUsers=*' option allowing everyone to connect to the session."
+ "Default is off.",
+  false);
+#endif
+ 
+ XserverDesktop::XserverDesktop(int screenIndex_,
+                                std::list<network::SocketListener*> listeners_,
+@@ -168,11 +181,134 @@ void XserverDesktop::init(rfb::VNCServer* vs)
+   // ready state
+ }
+ 
+#ifdef HAVE_SYSTEMD_DAEMON
+bool XserverDesktop::checkUserLogged(const char* userName)
+{
+  bool ret = false;
+  bool noUserSession = true;
+  int res;
+  char **sessions;
+
+  res = sd_get_sessions(&sessions);
+  if (res < 0) {
+    vlog.debug("logind: failed to get sessions");
+    return false;
+  }
+
+  if (sessions != nullptr && sessions[0] != nullptr) {
+    for (int i = 0; sessions[i]; i++) {
+      uid_t uid;
+      char *clazz;
+      char *display;
+      char *type;
+      char *state;
+
+      res = sd_session_get_type(sessions[i], &type);
+      if (res < 0) {
+        vlog.debug("logind: failed to determine session type");
+        break;
+      }
+
+      if (strcmp(type, "x11") != 0) {
+        free(type);
+        continue;
+      }
+      free(type);
+
+      res = sd_session_get_display(sessions[i], &display);
+      if (res < 0) {
+        vlog.debug("logind: failed to determine display of session");
+        break;
+      }
+
+      std::string serverDisplay = ":" + std::to_string(screenIndex);
+      std::string serverDisplayIPv4 = "127.0.0.1:" + std::to_string(screenIndex);
+      std::string serverDisplayIPv6 = "::1:" + std::to_string(screenIndex);
+      if ((strcmp(display, serverDisplay.c_str()) != 0) &&
+          (strcmp(display, serverDisplayIPv4.c_str()) != 0) &&
+          (strcmp(display, serverDisplayIPv6.c_str()) != 0)) {
+        free(display);
+        continue;
+      }
+      free(display);
+
+      res = sd_session_get_class(sessions[i], &clazz);
+      if (res < 0) {
+        vlog.debug("logind: failed to determine session class");
+        break;
+      }
+
+      res = sd_session_get_state(sessions[i], &state);
+      if (res < 0) {
+        vlog.debug("logind: failed to determine session state");
+        break;
+      }
+
+      if (strcmp(state, "closing") == 0) {
+          free(state);
+          continue;
+      }
+      free(state);
+
+      res = sd_session_get_uid(sessions[i], &uid);
+      if (res < 0) {
+        vlog.debug("logind: failed to determine user id of session");
+        break;
+      }
+
+      if (uid != 0 && strcmp(clazz, "user") == 0) {
+        noUserSession = false;
+      }
+      free(clazz);
+
+      struct passwd *pw = getpwnam(userName);
+      if (!pw) {
+        vlog.debug("logind: user not found");
+        break;
+      }
+
+      if (uid == pw->pw_uid) {
+        ret = true;
+        break;
+      }
+    }
+  }
+
+  if (sessions) {
+    for (int i = 0; sessions[i]; i ++) {
+      free(sessions[i]);
+    }
+
+    free (sessions);
+  }
+
+  // If we didn't find a matching user, we can still allow the user
+  // to log in if there is no user session yet.
+  return !ret ? noUserSession : ret;
+}
+#endif
+
+ void XserverDesktop::queryConnection(network::Socket* sock,
+                                      const char* userName)
+ {
+   int count;
+ 
+#ifdef HAVE_SYSTEMD_DAEMON
+  // - Only owner of the session can be approved
+  if (approveLoggedUserOnly && !checkUserLogged(userName)) {
+    server->approveConnection(sock, false,
+                              "The user is not owner of the running session");
+    return;
+  }
+#endif
+
+  // - Are we configured to do queries?
+  if (!rfb::Server::queryConnect &&
+      !sock->requiresQuery()) {
+    server->approveConnection(sock, true, nullptr);
+    return;
+  }
+
+   if (queryConnectTimer.isStarted()) {
+     server->approveConnection(sock, false, "Another connection is currently being queried.");
+     return;
+diff --git a/unix/xserver/hw/vnc/XserverDesktop.h b/unix/xserver/hw/vnc/XserverDesktop.h
+index e604295..aed188e 100644
+--- a/unix/xserver/hw/vnc/XserverDesktop.h
+++ b/unix/xserver/hw/vnc/XserverDesktop.h
+@@ -108,6 +108,13 @@ public:
+   virtual void grabRegion(const rfb::Region& r);
+ 
+ protected:
+#ifdef HAVE_SYSTEMD_DAEMON
+  // - Check whether user is logged into a session
+  //   Returns true if user is already logged or there is no
+  //   user session at all.
+  bool checkUserLogged(const char* userName);
+#endif
+
+   bool handleListenerEvent(int fd,
+                            std::list<network::SocketListener*>* sockets,
+                            rfb::VNCServer* sockserv);
+diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
+index b9c429f..e4822f6 100644
+--- a/unix/xserver/hw/vnc/Xvnc.man
+++ b/unix/xserver/hw/vnc/Xvnc.man
+@@ -204,6 +204,13 @@ to allow any user to authenticate using this security type. Specify \fB%u\fP
+ to allow the user of the server process. Default is to deny all users.
+ .
+ .TP
+.B \-ApproveLoggedUserOnly
+Approve only the user who is currently logged into the session.
+This is expected to be combined with "Plain" security type and with
+"PlainUsers=*" option allowing everyone to connect to the session.
+Default is off.
+.
+.TP
+ .B \-pam_service \fIname\fP, \-PAMService \fIname\fP
+ PAM service name to use when authentication users using any of the "Plain"
+ security types. Default is \fBvnc\fP.
--- a/SOURCES/tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch
+++ b/SOURCES/tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch
@ -1,27 +0,0 @@
-From 313200978926cc7b7521c0d645918391b7609681 Mon Sep 17 00:00:00 2001
-From: Jan Grulich <jgrulich@redhat.com>
-Date: Thu, 27 Feb 2025 13:49:02 +0100
-Subject: [PATCH] Add SELinux policy rules allowing to access
- /proc/sys/fs/nr_open
-
-This is needed when the nofile limit is set to unlimited, otherwise we
-will fail to start a VNC session.
---
- unix/vncserver/selinux/vncsession.te | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
-index d92f1bd..2ce4fc8 100644
--- a/unix/vncserver/selinux/vncsession.te
-+++ b/unix/vncserver/selinux/vncsession.te
-@@ -37,6 +37,10 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms;
- allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
- files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
- 
-+# Allow access to /proc/sys/fs/nr_open
-+# Needed when the nofile limit is set to unlimited.
-+kernel_read_fs_sysctls(vnc_session_t)
-+
- # Allowed to create ~/.local
- optional_policy(`
- 	gnome_filetrans_home_content(vnc_session_t)
--- a/SOURCES/tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch
+++ b/SOURCES/tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch
@ -1,47 +0,0 @@
-From e652f06940f84fd8e19d7b674ae8c6000530fb40 Mon Sep 17 00:00:00 2001
-From: Jan Grulich <jgrulich@redhat.com>
-Date: Fri, 7 Feb 2025 15:32:49 +0100
-Subject: [PATCH] Add SELinux policy rules allowing to create directories under
- /root
-
-We have policy that allows to create ~/.local or ~/.config, but we don't
-have rule that allows the same under /root directory, where we fail in
-case any of these directories doesn't exist.
---
- unix/vncserver/selinux/vncsession.te | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
-index d92f1bda7d..2f49717077 100644
--- a/unix/vncserver/selinux/vncsession.te
-+++ b/unix/vncserver/selinux/vncsession.te
-@@ -48,6 +48,14 @@ optional_policy(`
- 	create_dirs_pattern(vnc_session_t, gconf_home_t, gconf_home_t)
- ')
- 
-+# Allowed to create /root/.local
-+optional_policy(`
-+	gen_require(`
-+		type admin_home_t;
-+	')
-+	create_dirs_pattern(vnc_session_t, admin_home_t, admin_home_t)
-+')
-+
- # Manage TigerVNC files (mainly ~/.local/state/*.log)
- create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
- manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
-@@ -88,6 +96,7 @@ optional_policy(`
- 	gen_require(`
- 		attribute userdomain;
- 		type gconf_home_t;
-+		type admin_home_t;
- 	')
- 	userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
- 	userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
-@@ -95,5 +104,6 @@ optional_policy(`
- 	gnome_config_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
- 	gnome_data_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
- 	filetrans_pattern(userdomain, gconf_home_t, vnc_home_t, dir, "tigervnc")
-+	filetrans_pattern(vnc_session_t, admin_home_t, vnc_home_t, dir, "tigervnc")
- 	filetrans_pattern(vnc_session_t, gconf_home_t, vnc_home_t, dir, "tigervnc")
- ')
--- a/SOURCES/tigervnc-avoid-invalid-xfree-for-xclasshint.patch
+++ b/SOURCES/tigervnc-avoid-invalid-xfree-for-xclasshint.patch
@ -0,0 +1,24 @@
+From 6c8387018b130eb4ef69ea377e9154ba04f0fd50 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman <ossman@cendio.se>
+Date: Tue, 22 Oct 2024 09:58:27 +0200
+Subject: [PATCH] Avoid invalid XFree for XClassHint
+
+It seems XGetClassHint() doesn't set the pointers to NULL if there is no
+name, so we need to make sure it is cleared beforehand. Otherwise we can
+get an invalid pointer given to XFree().
+---
+ unix/tx/TXWindow.cxx | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/unix/tx/TXWindow.cxx b/unix/tx/TXWindow.cxx
+index b6a29d679..639c13827 100644
+--- a/unix/tx/TXWindow.cxx
+++ b/unix/tx/TXWindow.cxx
+@@ -313,6 +313,7 @@ void TXWindow::toplevel(const char* name, TXDeleteWindowCallback* dwc_,
+ void TXWindow::setName(const char* name)
+ {
+   XClassHint classHint;
+  memset(&classHint, 0, sizeof(classHint));
+   XGetClassHint(dpy, win(), &classHint);
+   XFree(classHint.res_name);
+   classHint.res_name = (char*)name;
--- a/SOURCES/tigervnc-do-proper-toplevel-window-setup-for-selection-window.patch
+++ b/SOURCES/tigervnc-do-proper-toplevel-window-setup-for-selection-window.patch
@ -0,0 +1,22 @@
+From 9e15952d02e01b8e19e7459bcabcd47dc63a1726 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman <ossman@cendio.se>
+Date: Tue, 22 Oct 2024 09:59:30 +0200
+Subject: [PATCH] Do proper top level window setup for selection window
+
+---
+ unix/x0vncserver/XSelection.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unix/x0vncserver/XSelection.cxx b/unix/x0vncserver/XSelection.cxx
+index 72dd537f4..c724d2ac4 100644
+--- a/unix/x0vncserver/XSelection.cxx
+++ b/unix/x0vncserver/XSelection.cxx
+@@ -37,7 +37,7 @@ XSelection::XSelection(Display* dpy_, XSelectionHandler* handler_)
+   probeProperty = XInternAtom(dpy, "TigerVNC_ProbeProperty", False);
+   transferProperty = XInternAtom(dpy, "TigerVNC_TransferProperty", False);
+   timestampProperty = XInternAtom(dpy, "TigerVNC_TimestampProperty", False);
+-  setName("TigerVNC Clipboard (x0vncserver)");
+  toplevel("TigerVNC Clipboard (x0vncserver)");
+   addEventMask(PropertyChangeMask); // Required for PropertyNotify events
+ }
+ 
--- a/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch
+++ b/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch
@ -0,0 +1,13 @@
+diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c
+index b3d0926d..d36a096f 100644
+--- a/unix/xserver/hw/vnc/vncInput.c
+++ b/unix/xserver/hw/vnc/vncInput.c
+@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y)
+ 
+ void vncGetPointerPos(int *x, int *y)
+ {
+-	if (vncPointerDev != NULL) {
+	if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) {
+ 		ScreenPtr ptrScreen;
+ 
+ 		miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY);
--- a/SOURCES/tigervnc-dont-install-appstream-metadata-file.patch
+++ b/SOURCES/tigervnc-dont-install-appstream-metadata-file.patch
@ -1,53 +0,0 @@
-diff --git a/po/CMakeLists.txt b/po/CMakeLists.txt
-index 7d316e7..4f872d0 100644
--- a/po/CMakeLists.txt
-+++ b/po/CMakeLists.txt
-@@ -15,7 +15,6 @@ if (GETTEXT_XGETTEXT_EXECUTABLE)
-     ${PROJECT_SOURCE_DIR}/vncviewer/*.h
-     ${PROJECT_SOURCE_DIR}/vncviewer/*.cxx
-     ${PROJECT_SOURCE_DIR}/vncviewer/*.desktop.in.in
-    ${PROJECT_SOURCE_DIR}/vncviewer/*.metainfo.xml.in
-   )
- 
-   add_custom_target(translations_update
-diff --git a/vncviewer/CMakeLists.txt b/vncviewer/CMakeLists.txt
-index 72904b2..6a39062 100644
--- a/vncviewer/CMakeLists.txt
-+++ b/vncviewer/CMakeLists.txt
-@@ -108,36 +108,6 @@ if(UNIX)
-   add_custom_target(desktop ALL DEPENDS vncviewer.desktop)
-   install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncviewer.desktop DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/applications)
- 
-  if("${GETTEXT_VERSION_STRING}" VERSION_GREATER 0.19.6)
-    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
-      COMMAND ${GETTEXT_MSGFMT_EXECUTABLE}
-                --xml --template ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
-                -d ${CMAKE_SOURCE_DIR}/po -o org.tigervnc.vncviewer.metainfo.xml
-      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
-              ${po_FILES}
-    )
-  elseif(INTLTOOL_MERGE_EXECUTABLE)
-    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
-      COMMAND sed -e 's@<name>@<_name>@\;s@</name>@</_name>@'
-                  -e 's@<summary>@<_summary>@\;s@</summary>@</_summary>@'
-                  -e 's@<caption>@<_caption>@\;s@</caption>@</_caption>@'
-                  -e 's@<p>@<_p>@g\;s@</p>@</_p>@g'
-                ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in > org.tigervnc.vncviewer.metainfo.xml.intl
-      COMMAND ${INTLTOOL_MERGE_EXECUTABLE}
-                -x ${CMAKE_SOURCE_DIR}/po
-                org.tigervnc.vncviewer.metainfo.xml.intl org.tigervnc.vncviewer.metainfo.xml
-      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
-              ${po_FILES}
-    )
-  else()
-    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
-      COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in org.tigervnc.vncviewer.metainfo.xml
-      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
-    )
-  endif()
-  add_custom_target(appstream ALL DEPENDS org.tigervnc.vncviewer.metainfo.xml)
-  install(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.tigervnc.vncviewer.metainfo.xml DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/metainfo)
-
-   foreach(res 16 22 24 32 48 64 128)
-     install(FILES ../media/icons/tigervnc_${res}.png DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/icons/hicolor/${res}x${res}/apps RENAME tigervnc.png)
-   endforeach()
--- a/SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch
+++ b/SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch
@ -0,0 +1,94 @@
+From e26bc65b92d1e43570619deadf20b965e0952fef Mon Sep 17 00:00:00 2001
+From: Pat Riehecky <riehecky@fnal.gov>
+Date: Wed, 31 Jul 2024 14:43:46 -0500
+Subject: [PATCH] vncsession: Move existing log to log.old if present
+
+---
+ unix/vncserver/vncsession.c | 47 ++++++++++++++++++++++++++++---------
+ 1 file changed, 36 insertions(+), 11 deletions(-)
+
+diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
+index 98a0432aa..a10e0789e 100644
+--- a/unix/vncserver/vncsession.c
+++ b/unix/vncserver/vncsession.c
+@@ -393,8 +393,9 @@ redir_stdio(const char *homedir, const char *display, char **envp)
+     int fd;
+     long hostlen;
+     char* hostname = NULL, *xdgstate;
+-    char logfile[PATH_MAX], legacy[PATH_MAX];
+    char logdir[PATH_MAX], logfile[PATH_MAX], logfile_old[PATH_MAX], legacy[PATH_MAX];
+     struct stat st;
+    size_t fmt_len;
+ 
+     fd = open("/dev/null", O_RDONLY);
+     if (fd == -1) {
+@@ -408,15 +409,24 @@ redir_stdio(const char *homedir, const char *display, char **envp)
+     close(fd);
+ 
+     xdgstate = getenvp("XDG_STATE_HOME", envp);
+-    if (xdgstate != NULL && xdgstate[0] == '/')
+-        snprintf(logfile, sizeof(logfile), "%s/tigervnc", xdgstate);
+-    else
+-        snprintf(logfile, sizeof(logfile), "%s/.local/state/tigervnc", homedir);
+    if (xdgstate != NULL && xdgstate[0] == '/') {
+        fmt_len = snprintf(logdir, sizeof(logdir), "%s/tigervnc", xdgstate);
+        if (fmt_len >= sizeof(logdir)) {
+            syslog(LOG_CRIT, "Log dir path too long");
+            _exit(EX_OSERR);
+        }
+    } else {
+        fmt_len = snprintf(logdir, sizeof(logdir), "%s/.local/state/tigervnc", homedir);
+        if (fmt_len >= sizeof(logdir)) {
+            syslog(LOG_CRIT, "Log dir path too long");
+            _exit(EX_OSERR);
+        }
+    }
+ 
+     snprintf(legacy, sizeof(legacy), "%s/.vnc", homedir);
+-    if (stat(logfile, &st) != 0 && stat(legacy, &st) == 0) {
+    if (stat(logdir, &st) != 0 && stat(legacy, &st) == 0) {
+         syslog(LOG_WARNING, "~/.vnc is deprecated, please consult 'man vncsession' for paths to migrate to.");
+-        strcpy(logfile, legacy);
+        strcpy(logdir, legacy);
+ 
+ #ifdef HAVE_SELINUX
+         /* this is only needed to handle historical type changes for the legacy dir */
+@@ -431,9 +441,9 @@ redir_stdio(const char *homedir, const char *display, char **envp)
+ #endif
+     }
+ 
+-    if (mkdir_p(logfile, 0755) == -1) {
+    if (mkdir_p(logdir, 0755) == -1) {
+         if (errno != EEXIST) {
+-            syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
+            syslog(LOG_CRIT, "Failure creating \"%s\": %s", logdir, strerror(errno));
+             _exit(EX_OSERR);
+         }
+     }
+@@ -450,9 +460,24 @@ redir_stdio(const char *homedir, const char *display, char **envp)
+         _exit(EX_OSERR);
+     }
+ 
+-    snprintf(logfile + strlen(logfile), sizeof(logfile) - strlen(logfile), "/%s%s.log",
+-             hostname, display);
+    fmt_len = snprintf(logfile, sizeof(logfile), "/%s/%s%s.log", logdir, hostname, display);
+    if (fmt_len >= sizeof(logfile)) {
+        syslog(LOG_CRIT, "Log path too long");
+        _exit(EX_OSERR);
+    }
+    fmt_len = snprintf(logfile_old, sizeof(logfile_old), "/%s/%s%s.log.old", logdir, hostname, display);
+    if (fmt_len >= sizeof(logfile)) {
+        syslog(LOG_CRIT, "Log.old path too long");
+        _exit(EX_OSERR);
+    }
+     free(hostname);
+
+    if (stat(logfile, &st) == 0) {
+        if (rename(logfile, logfile_old) != 0) {
+            syslog(LOG_CRIT, "Failure renaming log file \"%s\" to \"%s\": %s", logfile, logfile_old, strerror(errno));
+            _exit(EX_OSERR);
+        }
+    }
+     fd = open(logfile, O_CREAT | O_WRONLY | O_TRUNC, 0644);
+     if (fd == -1) {
+         syslog(LOG_CRIT, "Failure creating log file \"%s\": %s", logfile, strerror(errno));
--- a/SOURCES/tigervnc-xserver120.patch
+++ b/SOURCES/tigervnc-xserver120.patch
@ -0,0 +1,138 @@
+diff --git a/configure.ac b/configure.ac
+index 0909cc5b4..c01873200 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -74,6 +74,7 @@ dnl forcing an entire recompile.x
+ AC_CONFIG_HEADERS(include/version-config.h)
+ 
+ AM_PROG_AS
+AC_PROG_CXX
+ AC_PROG_LN_S
+ LT_PREREQ([2.2])
+ LT_INIT([disable-static win32-dll])
+@@ -1735,6 +1736,14 @@ if test "x$XVFB" = xyes; then
+ 	AC_SUBST([XVFB_SYS_LIBS])
+ fi
+ 
+dnl Xvnc DDX
+AC_SUBST([XVNC_LIBS], ["$FB_LIB $FIXES_LIB $XEXT_LIB $CONFIG_LIB $DBE_LIB $RECORD_LIB $GLX_LIBS $RANDR_LIB $RENDER_LIB $DAMAGE_LIB $DRI3_LIB $PRESENT_LIB $MIEXT_SYNC_LIB $MIEXT_DAMAGE_LIB $MIEXT_SHADOW_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $COMPOSITE_LIB $MAIN_LIB"])
+AC_SUBST([XVNC_SYS_LIBS], ["$GLX_SYS_LIBS"])
+
+PKG_CHECK_MODULES(GBM, "$LIBGBM", [GBM=yes], [GBM=no])
+if test "x$GBM" = xyes; then
+	AC_DEFINE(HAVE_GBM, 1, [Have GBM support])
+fi
+ 
+ dnl Xnest DDX
+ 
+@@ -2058,7 +2067,6 @@ if test "x$GLAMOR" = xyes; then
+ 			 [AC_DEFINE(GLAMOR_HAS_EGL_QUERY_DRIVER, 1, [Have GLAMOR_HAS_EGL_QUERY_DRIVER])],
+ 			 [])
+ 
+-	PKG_CHECK_MODULES(GBM, "$LIBGBM", [GBM=yes], [GBM=no])
+ 	if test "x$GBM" = xyes; then
+ 		AC_DEFINE(GLAMOR_HAS_GBM, 1,
+ 			  [Build glamor with GBM-based EGL support])
+@@ -2523,6 +2531,7 @@ hw/dmx/Makefile
+ hw/dmx/man/Makefile
+ hw/vfb/Makefile
+ hw/vfb/man/Makefile
+hw/vnc/Makefile
+ hw/xnest/Makefile
+ hw/xnest/man/Makefile
+ hw/xwin/Makefile
+diff --git a/dri3/Makefile.am b/dri3/Makefile.am
+index e47a734e0..99c3718a5 100644
+--- a/dri3/Makefile.am
+++ b/dri3/Makefile.am
+@@ -1,7 +1,7 @@
+ noinst_LTLIBRARIES = libdri3.la
+ AM_CFLAGS = \
+-	-DHAVE_XORG_CONFIG_H \
+-	@DIX_CFLAGS@ @XORG_CFLAGS@
+	@DIX_CFLAGS@ \
+	@LIBDRM_CFLAGS@
+
+ libdri3_la_SOURCES = \
+ 	dri3.h \
+diff --git a/dri3/dri3.c b/dri3/dri3.c
+index ba32facd7..191252969 100644
+--- a/dri3/dri3.c
+++ b/dri3/dri3.c
+@@ -20,10 +20,6 @@
+  * OF THIS SOFTWARE.
+  */
+ 
+-#ifdef HAVE_XORG_CONFIG_H
+-#include <xorg-config.h>
+-#endif
+-
+ #include "dri3_priv.h"
+ 
+ #include <drm_fourcc.h>
+diff --git a/dri3/dri3_priv.h b/dri3/dri3_priv.h
+index b087a9529..f319d1770 100644
+--- a/dri3/dri3_priv.h
+++ b/dri3/dri3_priv.h
+@@ -23,6 +23,7 @@
+ #ifndef _DRI3PRIV_H_
+ #define _DRI3PRIV_H_
+ 
+#include "dix-config.h"
+ #include <X11/X.h>
+ #include "scrnintstr.h"
+ #include "misc.h"
+diff --git a/dri3/dri3_request.c b/dri3/dri3_request.c
+index 958877efa..687168930 100644
+--- a/dri3/dri3_request.c
+++ b/dri3/dri3_request.c
+@@ -20,10 +20,6 @@
+  * OF THIS SOFTWARE.
+  */
+ 
+-#ifdef HAVE_XORG_CONFIG_H
+-#include <xorg-config.h>
+-#endif
+-
+ #include "dri3_priv.h"
+ #include <syncsrv.h>
+ #include <unistd.h>
+diff --git a/dri3/dri3_screen.c b/dri3/dri3_screen.c
+index b98259753..3c7e5bf60 100644
+--- a/dri3/dri3_screen.c
+++ b/dri3/dri3_screen.c
+@@ -20,10 +20,6 @@
+  * OF THIS SOFTWARE.
+  */
+ 
+-#ifdef HAVE_XORG_CONFIG_H
+-#include <xorg-config.h>
+-#endif
+-
+ #include "dri3_priv.h"
+ #include <syncsdk.h>
+ #include <misync.h>
+diff --git a/hw/Makefile.am b/hw/Makefile.am
+index 19895dc77..3ecfa8b7a 100644
+--- a/hw/Makefile.am
+++ b/hw/Makefile.am
+@@ -44,3 +44,5 @@ DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland
+ 
+ relink:
+ 	$(AM_V_at)for i in $(SUBDIRS) ; do $(MAKE) -C $$i relink || exit 1 ; done
+
+SUBDIRS += vnc
+diff --git a/include/dix-config.h.in b/include/dix-config.h.in
+index f8fc67067..d53c4e72f 100644
+--- a/include/dix-config.h.in
+++ b/include/dix-config.h.in
+@@ -83,6 +83,9 @@
+ /* Define to 1 if you have the <fcntl.h> header file. */
+ #undef HAVE_FCNTL_H
+ 
+/* Have GBM support */
+#undef HAVE_GBM
+
+ /* Define to 1 if you have the `getdtablesize' function. */
+ #undef HAVE_GETDTABLESIZE
+ 
--- a/SOURCES/xvnc.service
+++ b/SOURCES/xvnc.service
@ -32,7 +32,7 @@
 Description=XVNC Per-Connection Daemon

 [Service]
-ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None -Log *:syslog:30
+ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None
 User=nobody
 StandardInput=socket
 StandardError=syslog
--- a/SPECS/tigervnc.spec
+++ b/SPECS/tigervnc.spec
@ -4,16 +4,16 @@
 %global modulename vncsession

 Name:           tigervnc
-Version:        1.15.0
-Release:        1%{?dist}
+Version:        1.14.1
+Release:        5%{?dist}
 Summary:        A TigerVNC remote display system

 %global _hardened_build 1

-License:        GPLv2+
+License:        GPL-2.0-or-later
 URL:            http://www.tigervnc.com

-Source0:        https://github.com/TigerVNC/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source0:        %{name}-%{version}.tar.gz
 Source1:        xvnc.service
 Source2:        xvnc.socket
 Source3:        10-libvnc.conf
@ -25,16 +25,22 @@ Source5:        vncserver
 Patch1:         tigervnc-use-gnome-as-default-session.patch
 # https://github.com/TigerVNC/tigervnc/pull/1425
 Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch
-Patch3:         tigervnc-dont-install-appstream-metadata-file.patch
+# https://github.com/TigerVNC/tigervnc/pull/1792
+Patch3:         tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch

 # Upstream patches
-Patch50:        tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch
-Patch51:        tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch
+Patch50:        tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch
+Patch51:        tigervnc-add-clipboard-support-to-x0vncserver.patch
+Patch52:        tigervnc-do-proper-toplevel-window-setup-for-selection-window.patch
+Patch53:        tigervnc-avoid-invalid-xfree-for-xclasshint.patch

 # Upstreamable patches
+Patch80:        tigervnc-dont-get-pointer-position-for-floating-device.patch

+# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
+Patch100:       tigervnc-xserver120.patch
 # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
-Patch100:       0001-rpath-hack.patch
+Patch101:       0001-rpath-hack.patch

 # XServer patches
 Patch200:       xorg-CVE-2025-26594.patch
@ -102,13 +108,17 @@ BuildRequires:  xorg-x11-xtrans-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  selinux-policy-devel

+# For RHEL-34880
+BuildRequires:  pkgconfig(dbus-1) >= 1.0
+BuildRequires:  pkgconfig(libsystemd) >= 209
+BuildRequires:  pkgconfig(libudev) >= 143
+
 Requires(post): coreutils
 Requires(postun):coreutils

 Requires:       hicolor-icon-theme
 Requires:       tigervnc-license
 Requires:       tigervnc-icons
-Requires:       which

 %description
 Virtual Network Computing (VNC) is a remote display system which
@ -144,11 +154,8 @@ Requires(preun): systemd
 Requires(postun): systemd
 Requires(post): systemd

-Requires:       dbus-x11
-Requires:       mesa-dri-drivers
-Requires:       tigervnc-license
-Requires:       xkbcomp
-Requires:       xkeyboard-config
+Requires:       mesa-dri-drivers, xkeyboard-config, xkbcomp
+Requires:       tigervnc-license, dbus-x11

 %description server-minimal
 The VNC system allows you to access the same desktop from a wide
@ -204,8 +211,9 @@ pushd unix/xserver
 for all in `find . -type f -perm -001`; do
        chmod -x "$all"
 done
-%patch -P100 -p1 -b .rpath
-cat ../xserver120.patch | patch -p1
+# Xorg patches
+%patch -P100 -p1 -b .xserver120-rebased
+%patch -P101 -p1 -b .rpath

 %patch -P200 -p1 -b .xorg-CVE-2025-26594
 %patch -P201 -p1 -b .xorg-CVE-2025-26594-2
@ -222,15 +230,19 @@ cat ../xserver120.patch | patch -p1
 %patch -P212 -p1 -b .xorg-CVE-2025-26601-4
 popd

+# Tigervnc patches
 %patch -P1 -p1 -b .use-gnome-as-default-session
 %patch -P2 -p1 -b .vncsession-restore-script-systemd-service
-%patch -P3 -p1 -b .dont-install-appstream-metadata-file.patch
+%patch -P3 -p1 -b .add-option-allowing-to-connect-only-user-owning-session

 # Upstream patches
-%patch -P50 -p1 -b .add-selinux-policy-rules-allowing-create-dirs-under-root-dir
-%patch -P51 -p1 -b .add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open
+%patch -P50 -p1 -b .vncsession-move-existing-log-to-log-old-if-present
+%patch -P51 -p1 -b .add-clipboard-support-to-x0vncserver
+%patch -P52 -p1 -b .do-proper-toplevel-window-setup-for-selection-window
+%patch -P53 -p1 -b .avoid-invalid-xfree-for-xclasshint

 # Upstreamable patches
+%patch -P80 -p1 -b .dont-get-pointer-position-for-floating-device

 %build
 %ifarch sparcv9 sparc64 s390 s390x
@ -240,30 +252,48 @@ export CFLAGS="$RPM_OPT_FLAGS -fpic"
 %endif
 export CXXFLAGS="$CFLAGS -std=c++11"

-%{cmake} .
-make %{?_smp_mflags}
+%define __cmake_builddir %{_target_platform}
+
+mkdir -p %{%__cmake_builddir}
+
+%cmake
+
+%cmake_build

 pushd unix/xserver
+
+%if 0%{?fedora} > 32 || 0%{?rhel} >= 9
+sed -i 's@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}/%{_target_platform}@g' hw/vnc/Makefile.am
+%endif
+
 autoreconf -fiv
 %configure \
        --disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
        --disable-xwin --disable-xephyr --disable-kdrive --disable-xwayland \
        --with-pic --disable-static \
-        --with-default-font-path="catalogue:/etc/X11/fontpath.d,built-ins" \
+        --with-default-font-path="catalogue:%{_sysconfdir}/X11/fontpath.d,built-ins" \
+        --with-fontdir=%{_datadir}/X11/fonts \
        --with-xkb-output=%{_localstatedir}/lib/xkb \
+        --enable-install-libxf86config \
        --enable-glx --disable-dri --enable-dri2 --enable-dri3 \
        --disable-unit-tests \
        --disable-config-hal \
        --disable-config-udev \
        --without-dtrace \
        --disable-devel-docs \
-        --disable-selective-werror
+        --disable-selective-werror \
+        --enable-systemd-logind \
+        --enable-config-udev

 make %{?_smp_mflags}
 popd

 # Build icons
+%if 0%{?fedora} > 32 || 0%{?rhel} >= 9
+pushd %{_target_platform}/media
+%else
 pushd media
+%endif
 make
 popd

@ -272,24 +302,22 @@ pushd unix/vncserver/selinux
 make
 popd

-
 %install
-%make_install
+%cmake_install
+rm -f %{buildroot}%{_docdir}/%{name}-%{version}/{README.rst,LICENCE.TXT}

 pushd unix/xserver/hw/vnc
-make install DESTDIR=%{buildroot}
+%make_install
 popd

+# Install systemd unit file
 pushd unix/vncserver/selinux
 make install DESTDIR=%{buildroot}
 popd

-
 # Install systemd unit file
 install -m644 %{SOURCE1} %{buildroot}%{_unitdir}/xvnc@.service
 install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket
-# Install old vncserver script
-install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver

 # Install desktop stuff
 mkdir -p %{buildroot}%{_datadir}/icons/hicolor/{16x16,24x24,48x48}/apps
@ -300,6 +328,21 @@ install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps
 done
 popd

+appstream-util validate-relax --nonet %{buildroot}%{_metainfodir}/org.tigervnc.vncviewer.metainfo.xml
+desktop-file-validate %{buildroot}%{_datadir}/applications/vncviewer.desktop
+
+%if 0%{?rhel} > 9
+# Install a replacement for /usr/bin/vncserver which will tell the user to read the
+# HOWTO.md file
+cat <<EOF > %{buildroot}/%{_bindir}/vncserver
+#!/bin/bash
+echo "vncserver has been replaced by a systemd unit."
+echo "Please read /usr/share/doc/tigervnc/HOWTO.md for more information."
+EOF
+chmod +x %{buildroot}/%{_bindir}/vncserver
+%else
+install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
+%endif

 %find_lang %{name} %{name}.lang

@ -339,6 +382,7 @@ fi
 %{_bindir}/vncviewer
 %{_datadir}/applications/*
 %{_mandir}/man1/vncviewer.1*
+%{_datadir}/metainfo/org.tigervnc.vncviewer.metainfo.xml

 %files server
 %config(noreplace) %{_sysconfdir}/pam.d/tigervnc
@ -382,282 +426,331 @@ fi
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}

 %changelog
-* Wed Feb 26 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-1
- 1.15.0
-  Resolves: RHEL-79161
-  Resolves: RHEL-79982
-
-* Wed Feb 26 2025 Jan Grulich <jgrulich@redhat.com> - 1.13.1-15
+* Tue Apr 01 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1.14.1-5
 - Fix CVE-2025-26594 xorg-x11-server Use-after-free of the root cursor
-  Resolves: RHEL-79397
 - Fix CVE-2025-26595 xorg-x11-server Buffer overflow in XkbVModMaskText()
-  Resolves: RHEL-79401
 - Fix CVE-2025-26596 xorg-x11-server Heap overflow in XkbWriteKeySyms()
-  Resolves: RHEL-79386
 - Fix CVE-2025-26597 xorg-x11-server Buffer overflow in XkbChangeTypesOfKey()
-  Resolves: RHEL-79380
 - Fix CVE-2025-26598 xorg-x11-server Out-of-bounds write in CreatePointerBarrierClient()
-  Resolves: RHEL-79369
 - Fix CVE-2025-26599 xorg-x11-server Use of uninitialized pointer in compRedirectWindow()
-  Resolves: RHEL-79364
 - Fix CVE-2025-26600 xorg-x11-server Use-after-free in PlayReleasedEvents()
-  Resolves: RHEL-79360
 - Fix CVE-2025-26601 xorg-x11-server Use-after-free in SyncInitTrigger()
-  Resolves: RHEL-79348

-* Thu Oct 31 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-14
+* Tue Jan 21 2025 Jan Grulich <jgrulich@redhat.com> - 1.14.1-4
+- Fix crash in clipboard support in x0vncserver
+  Resolves: RHEL-74216
+
+* Thu Jan 16 2025 Jan Grulich <jgrulich@redhat.com> - 1.14.1-3
+- Add clipboard support to x0vncserver
+  Resolves: RHEL-74216
+
+* Thu Oct 31 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.1-2
 - Fix CVE-2024-9632: xorg-x11-server: heap-based buffer overflow privilege escalation vulnerability
-  Resolves: RHEL-61999
+  Resolves: RHEL-62001

-* Mon Aug 05 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-13
+* Wed Oct 23 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.1-1
+- 1.14.1
+  Resolves: RHEL-45316
+
+* Mon Oct 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.0-6
+- Make "ApproveLoggedUserOnly" to ignore "closing" sessions
+  Resolves: RHEL-34880
+
+* Fri Oct 04 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.0-5
+- Fix "ApproveLoggedUserOnly" option not working in some setups
+  Resolves: RHEL-34880
+
+* Fri Sep 27 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.0-4
+- Add option "ApproveLoggedUserOnly" allowing to connect only the user
+  owning the running session
+  Resolves: RHEL-34880
+
+* Wed Sep 04 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.0-3
+- Move old log to log.old if present (fix patch)
+  Resolves: RHEL-54294
+
+* Tue Aug 20 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.0-2
+- 1.14.0
+  Resolves: RHEL-45316
+- Move old log to log.old if present
+  Resolves: RHEL-54294
+- Fix shared memory leak
+  Resolves: RHEL-55768
+
+* Mon Aug 05 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11
 - vncsession: use /bin/sh if the user shell is not set
-  Resolves: RHEL-52827
+  Resolves: RHEL-50679

-* Fri Jul 12 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-12
- Fix FTBS: drop already applied Xorg patches
-  Resolves: RHEL-46696
-
-* Tue May 28 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11
+* Tue May 28 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10
 - vncconfig: add option to force view-only remote client connections
-  Resolves: RHEL-11908
+  Resolves: RHEL-12144

-* Mon Apr 15 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10
- Drop patches that are already part of xorg-x11-server
-  Resolves: RHEL-30755
-  Resolves: RHEL-30767
-  Resolves: RHEL-30761
-
-* Thu Apr 04 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-9
+* Tue Apr 16 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-9
 - Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
-  Resolves: RHEL-30755
+  Resolves: RHEL-30756
 - Fix CVE-2024-31083 tigervnc: xorg-x11-server: User-after-free in ProcRenderAddGlyphs
-  Resolves: RHEL-30767
+  Resolves: RHEL-30768
 - Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
-  Resolves: RHEL-30761
+  Resolves: RHEL-30762

 * Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8
 - Fix copy/paste error in the DeviceStateNotify
-  Resolves: RHEL-20530
+  Resolves: RHEL-20533

 * Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
 - Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
-  Resolves: RHEL-20388
+  Resolves: RHEL-20389
 - Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
-  Resolves: RHEL-20382
+  Resolves: RHEL-20383
 - Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
-  Resolves: RHEL-20530
+  Resolves: RHEL-20533
 - Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
-  Resolves: RHEL-21214
+  Resolves: RHEL-21213

 * Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6
 - Use dup() to get available file descriptor when using -inetd option
-  Resolves: RHEL-21000
+  Resolves: RHEL-19858

 * Mon Dec 18 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-5
 - Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions
-  Resolves: RHEL-18410
+  Resolves: RHEL-18414
 - Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
-  Resolves: RHEL-18422
+  Resolves: RHEL-18426

 * Wed Nov 01 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-4
 - Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow
-  Resolves: RHEL-15236
+  Resolves: RHEL-15237

 - Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty
-  Resolves: RHEL-15230
+  Resolves: RHEL-15249

 * Mon Oct 09 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3
 - Support username alias in PlainUsers
-  Resolves: RHEL-4258
+  Resolves: RHEL-8430

 * Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
 - xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
  Escalation Vulnerability
-  Resolves: bz#2180306
+  Resolves: bz#2180310

 * Tue Mar 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-1
 - 1.13.1
-  Resolves: bz#2175748
- Restore "--fallbacktofreeport" option in the vncserver script
-  Resolves: bz#2174398
+  Resolves: bz#2175732

-* Thu Dec 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-9
- Bump build version to fix upgrade path
-  Resolves: bz#1437569
+* Tue Feb 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-12
+- SELinux: allow vncsession create .vnc directory
+  Resolves: bz#2164703

-* Fri Nov 18 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-8
+* Wed Feb 15 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-11
+- Add sanity check when cleaning up keymap changes
+  Resolves: bz#2169965
+
+* Mon Feb 06 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-10
+- xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation
+  Resolves: bz#2167061
+
+* Tue Dec 20 2022 Tomas Popela <tpopela@redhat.com> - 1.12.0-9
+- Rebuild for xorg-x11-server CVE-2022-46340 follow up fix
+
+* Fri Dec 16 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-8
+- Rebuild for xorg-x11-server CVEs
+  Resolves: CVE-2022-4283 (bz#2154234)
+  Resolves: CVE-2022-46340 (bz#2154221)
+  Resolves: CVE-2022-46341 (bz#2154224)
+  Resolves: CVE-2022-46342 (bz#2154226)
+  Resolves: CVE-2022-46343 (bz#2154228)
+  Resolves: CVE-2022-46344 (bz#2154230)
+
+* Thu Dec 01 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-7
 - x0vncserver: add new keysym in case we don't find matching keycode
-  Resolves: bz#1437569
+  + actually apply the patch
+  Resolves: bz#2119017

-* Wed Aug 24 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-7
+* Thu Dec 01 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-6
+- x0vncserver: add new keysym in case we don't find matching keycode
+  Resolves: bz#2119017
+
+* Mon Oct 24 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-5
 - x0vncserver: fix ghost cursor in zaphod mode (better version)
-  Resolves: bz#2109679
+  Resolves: bz#2119016

-* Wed Aug 17 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-6
- x0vncserver: fix ghost cursor in zaphod mode
-  Resolves: bz#2109679
+* Tue May 31 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4
+- Add BR: libXdamage, libXfixes, libXrandr
+  Resolves: bz#2091833

-* Tue May 31 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-5
- BR: libXdamage, libXfixes, libXrandr
-  Resolves: bz#2088733
+* Tue Apr 05 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3
+- Do not run systemd_preun on Xvnc service file
+  Resolves: bz#2048011

-* Tue Feb 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4
+* Mon Apr 04 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2
+- Drop unexisting option from the old vncserver script
+  Resolves: bz#2021893
+
+* Wed Mar 23 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
+- 1.12.0 + sync with Fedora
+  Resolves: bz#2048011
+  Resolves: bz#2021893
+
+* Mon Feb 07 2022 Jan Grulich <jgrulich@redhat.com> - 1.11.0-21
 - Added vncsession-restore script for SELinux policy migration
  Fix SELinux context for root user
-  Resolves: bz#2021892
+  Resolves: bz#2049506

-* Fri Jan 21 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3
- Fix crash in vncviewer
-  Resolves: bz#2021892
+* Fri Nov 26 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-20
+- Rebuild for absence in RHEL 9.0
+  Resolves: bz#1985858

-* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2
- Remove unavailable option from vncserver script
-  Resolves: bz#2021892
+* Mon Aug 16 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-19
+- Sync upstream patches + drop unused patches
+  Resolves: bz#1985858

-* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
- 1.12.0
-  Resolves: bz#2021892
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.11.0-18
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688

-* Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9
+* Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-17
 - Fix logout from VNC session using vncserver
-  Resolves: bz#1983706
+  Resolves: bz#1983704

-* Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-8
- Run all SELinux RPM macros on correct package
-  Resolves: bz#1907963
+* Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-16
+- Bump version for rebuild (binutils)
+  Resolves: bz#1961488

-* Mon May 17 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-7
+* Mon May 17 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-14
 - SELinux improvements
-  Resolves: bz#1907963
+  Resolves: bz#1961488

-* Tue Dec 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6
- Use GNOME as default session
-  Resolves: bz#1853608
+- Fix endianness issue on s390x
+  Resolves: bz#1963029

-* Thu Dec 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-5
- Make sure we log properly output to journal (actually log to syslog)
-  Resolves: bz#1841537
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.11.0-13
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

-* Thu Dec 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-4
- Make sure we log properly output to journal
-  Resolves: bz#1841537
+* Mon Mar 08 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-12
+- Include RHEL8 patches

-* Wed Nov 18 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-3
- vncserver: ignore new "session" parameter from the new systemd support
-  Resolves: bz#1897504
+* Fri Mar 05 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-11
+- Enable old vncserver script for RHEL 9

-* Wed Nov 18 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-2
- Revert removal of vncserver
-  Resolves: bz#1897504
- Correctly start vncsession as a daemon
-  Resolves: bz#1897498
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.11.0-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

-* Tue Oct 20 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-1
- Update to 1.11.0
-  Resolves: bz#1880985
- Backport fix to allow Tigervnc use boolean values in config files
-  Resolves: bz#1883415
+* Thu Dec 10 07:45:46 CET 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9
+- vncserver: ignore new session parameter from the new systemd support

-* Wed Sep 30 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-8
- Tolerate specifying -BoolParam 0 and similar
-  Resolves: bz#1883415
+* Fri Nov 13 14:08:29 CET 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-8
+- Use /run instead of /var/run which is just a symlink

-* Wed Jul 08 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-7
- Enable server module on s390x
-  Resolves: bz#1854925
+* Thu Nov 05 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.11.0-7
+- Require xkbcomp directly, not xorg-x11-xkb-utils. The latter has had
+  Provides xkbcomp for years.

-* Fri Jul 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-6
- Remove trailing spaces in user name
-  Resolves: bz#1852432
+* Tue Sep 29 13:12:22 CEST 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6
+- Backport upstream fix allowing Tigervnc to specify boolean valus in configuration
+- Revert removal of vncserver for F32 and F33

-* Thu Jun 25 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-5
- Install the HOWTO file to correct location
+* Thu Sep 24 07:14:06 CEST 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-5
+- Actually install the HOWTO.md file
+
+* Wed Sep 23 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-4
+- Call systemd macros on correct service file
+
+* Tue Sep 22 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-3
+- Do not overwrite libvnc.conf config file
+
+* Thu Sep 17 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-2
 - Add /usr/bin/vncserver file informing users to read the HOWTO.md file
-  Resolves: bz#1790443

-* Mon Jun 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-4
- Improve SELinux policy
-  Resolves: bz#1790443
+* Wed Sep 09 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-1
+- 1.11.0

-* Mon Jun 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-3
- Add a HOWTO.md file with instructions how to start VNC server
-  Resolves: bz#1790443
+* Mon Aug 24 2020 Jan Grulich <jgrulich@redhat.com. - 1.10.90-1
+- Update to 1.10.90 (1.11.0 beta)

-* Tue May 26 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-2
- Make the systemd service run also for root user
-  Resolves: bz#1790443
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-9
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

-* Mon Apr 27 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-1
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.10.1-7
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Sat Jul 11 2020 Jiri Vanek <jvanek@redhat.com> - 1.10.1-6
+- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
+
+* Sun Apr 19 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-5
+- Requires: dbus-x11
+  Resolves: bz#1825331
+
+* Fri Mar 13 2020 Olivier Fourdan <ofourdan@redhat.com> - 1.10.1-4
+- Fix build with xserver 1.20.7
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Jan 13 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-2
+- Build with -std=c++11
+
+* Fri Dec 20 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.1-1
 - Update to 1.10.1
-  Resolves: bz#1806992

- Add proper systemd support
-  Resolves: bz#1790443
+* Tue Dec 10 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.0-2
+- Properly install systemd files

-* Tue Jan 28 2020 Jan Grulich <jgrulich@redhat.com> - 1.9.0-13
- Bump build because of z-stream
-  Resolves: bz#1671714
+* Mon Nov 18 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.0-1
+- Update to 1.10.0

-* Wed Dec 11 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-12
- Fix installation of systemd files
-  Resolves: bz#1671714
+* Fri Oct 18 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.90-1
+- Update to 1.9.90 (1.10 beta)
+- Add systemd user service file
+- Use a wrapper for systemd system service file to workaround systemd limitations

-* Wed Nov 20 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-11
- Use wrapper script to workaround systemd issues
-  Resolves: bz#1671714
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

-* Fri Jul 12 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-10
- Do not return returncode indicating error when running "vncserver -list"
-  Resolves: bz#1727860
+* Fri Jul 19 2019 Dan Horák <dan[at]danny.cz> - 1.9.0-6
+- drop the s390x special handling (related #1727029)

-* Fri Feb 08 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-9
- Make tigervnc systemd service a user service
-  Resolves: bz#1639846
+* Wed Jun 12 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-5
+- Add missing arguments to systemd_postun scriptlets
+  Resolves: bz#1716411

-* Mon Jan 21 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-8
- Kill the session automatically only when Gnome is installed
-  Resolves: bz#1665876
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

-* Tue Nov 20 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-7
- Improve coverity scan fixes
-  Resolves: bz#1602714
-
-  Inform whether view-only password is used or not
-  Resolves: bz#1639169
-
-  Backport fixes from RHEL 7
-  Resolves: bz#1651254
-
-* Tue Oct 09 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-6
+* Tue Sep 25 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-3
 - Do not crash passwd when using malloc perturb checks
-  Resolves: bz#1637086
-
-* Mon Oct 08 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-5
- Improve coverity scan fixes
-  Resolves: bz#1602714
-
-* Wed Oct 03 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-4
- Improve coverity scan fixes
-  Resolves: bz#1602714
-
-* Wed Oct 03 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-3
- Fix some coverity scan issues
-  Resolves: bz#1602714
+  Resolves: bz#1631483

 * Wed Aug 01 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-2
- Remove dependency on initscripts
+- Ignore buttons in mouse leave events
+  Resolves: bz#1609516

 * Tue Jul 17 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-1
- Update to 1.9.0 + sync with Fedora
+- Update to 1.9.0

-* Tue Jun 12 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-10
- Fix GLX initialization with Xorg 1.20
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.90-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

-* Tue May 29 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-9
- Build against Xorg 1.20
+* Wed Jul  4 2018 Peter Robinson <pbrobinson@fedoraproject.org> 1.8.90-2
+- Clean up spec: use macros consistenly, drop old sys-v migrations
+- Drop ancient obsolete/provides

-* Mon May 14 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-8
- Drop BR: ImageMagick
+* Thu Jun 14 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.90-1
+- Update to 1.8.90
+
+* Wed Jun 13 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-10
+- Fix tigervnc systemd unit file
+  Resolves: bz#1583159
+
+* Wed Jun 06 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-9
+- Fix GLX initialization with 1.20
+
+* Wed Apr 04 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-8
+- Rebuild for xserver 1.20

 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.0-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild