Compare commits
	
		
			No commits in common. "c8" and "c9s" have entirely different histories.
		
	
	
		
	
		
							
								
								
									
										38
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										38
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @ -1 +1,37 @@ | |||||||
| SOURCES/tigervnc-1.15.0.tar.gz | tigervnc-1.0.90-20100721svn4113.tar.bz2 | ||||||
|  | /tigervnc-1.0.90-20100813svn4123.tar.bz2 | ||||||
|  | /tigervnc-1.0.90-20101208svn4225.tar.bz2 | ||||||
|  | /tigervnc-1.0.90-20110117svn4237.tar.bz2 | ||||||
|  | /tigervnc-1.0.90.tar.gz | ||||||
|  | /tigervnc-1.1.0.tar.gz | ||||||
|  | /tigervnc-1.2.80-20120905svn4996.tar.bz2 | ||||||
|  | /tigervnc-1.2.80-20121126svn5015.tar.bz2 | ||||||
|  | /tigervnc-1.2.80-20130219svn5047.tar.bz2 | ||||||
|  | /tigervnc-1.2.80-20130307svn5060.tar.bz2 | ||||||
|  | /tigervnc-1.2.80-20130314svn5065.tar.bz2 | ||||||
|  | /tigervnc-1.3.0.tar.bz2 | ||||||
|  | /tigervnc-1.3.1.tar.gz | ||||||
|  | /tigervnc-1.4.2.tar.gz | ||||||
|  | /tigervnc-1.4.3.tar.gz | ||||||
|  | /tigervnc-49d0629dd87c0eb695d72dec7481e9169f55ae9e.tar.gz | ||||||
|  | /tigervnc-1.5.0.tar.gz | ||||||
|  | /tigervnc-1.5.90.tar.gz | ||||||
|  | /tigervnc-1.6.0.tar.gz | ||||||
|  | /sources | ||||||
|  | /tigervnc-1.6.90.tar.gz | ||||||
|  | /tigervnc-1.7.0.tar.gz | ||||||
|  | /tigervnc-1.7.1.tar.gz | ||||||
|  | /tigervnc-1.7.90.tar.gz | ||||||
|  | /tigervnc-1.8.0.tar.gz | ||||||
|  | /tigervnc-1.8.90.tar.gz | ||||||
|  | /tigervnc-1.9.0.tar.gz | ||||||
|  | /tigervnc-1.9.90.tar.gz | ||||||
|  | /tigervnc-1.10.0.tar.gz | ||||||
|  | /tigervnc-1.10.1.tar.gz | ||||||
|  | /tigervnc-1.10.90.tar.gz | ||||||
|  | /tigervnc-1.11.0.tar.gz | ||||||
|  | /tigervnc-1.12.0.tar.gz | ||||||
|  | /tigervnc-1.13.1.tar.gz | ||||||
|  | /tigervnc-1.14.0.tar.gz | ||||||
|  | /tigervnc-1.14.1.tar.gz | ||||||
|  | /tigervnc-1.15.0.tar.gz | ||||||
|  | |||||||
| @ -1 +0,0 @@ | |||||||
| fec424f110bdf5032cd5eb4df2596b8251d2e1ed SOURCES/tigervnc-1.15.0.tar.gz |  | ||||||
| @ -12,7 +12,7 @@ | |||||||
| #EndSection | #EndSection | ||||||
| 
 | 
 | ||||||
| #Section "Screen" | #Section "Screen" | ||||||
| #    Identifier "Screen0" | #    Identifier "Screen0 | ||||||
| #    DefaultDepth 16 | #    DefaultDepth 16 | ||||||
| #    Option "SecurityTypes" "VncAuth" | #    Option "SecurityTypes" "VncAuth" | ||||||
| #    Option "PasswordFile" "/root/.vnc/passwd" | #    Option "PasswordFile" "/root/.vnc/passwd" | ||||||
| @ -1,53 +0,0 @@ | |||||||
| diff --git a/po/CMakeLists.txt b/po/CMakeLists.txt
 |  | ||||||
| index 7d316e7..4f872d0 100644
 |  | ||||||
| --- a/po/CMakeLists.txt
 |  | ||||||
| +++ b/po/CMakeLists.txt
 |  | ||||||
| @@ -15,7 +15,6 @@ if (GETTEXT_XGETTEXT_EXECUTABLE)
 |  | ||||||
|      ${PROJECT_SOURCE_DIR}/vncviewer/*.h |  | ||||||
|      ${PROJECT_SOURCE_DIR}/vncviewer/*.cxx |  | ||||||
|      ${PROJECT_SOURCE_DIR}/vncviewer/*.desktop.in.in |  | ||||||
| -    ${PROJECT_SOURCE_DIR}/vncviewer/*.metainfo.xml.in
 |  | ||||||
|    ) |  | ||||||
|   |  | ||||||
|    add_custom_target(translations_update |  | ||||||
| diff --git a/vncviewer/CMakeLists.txt b/vncviewer/CMakeLists.txt
 |  | ||||||
| index 72904b2..6a39062 100644
 |  | ||||||
| --- a/vncviewer/CMakeLists.txt
 |  | ||||||
| +++ b/vncviewer/CMakeLists.txt
 |  | ||||||
| @@ -108,36 +108,6 @@ if(UNIX)
 |  | ||||||
|    add_custom_target(desktop ALL DEPENDS vncviewer.desktop) |  | ||||||
|    install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncviewer.desktop DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/applications) |  | ||||||
|   |  | ||||||
| -  if("${GETTEXT_VERSION_STRING}" VERSION_GREATER 0.19.6)
 |  | ||||||
| -    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
 |  | ||||||
| -      COMMAND ${GETTEXT_MSGFMT_EXECUTABLE}
 |  | ||||||
| -                --xml --template ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
 |  | ||||||
| -                -d ${CMAKE_SOURCE_DIR}/po -o org.tigervnc.vncviewer.metainfo.xml
 |  | ||||||
| -      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
 |  | ||||||
| -              ${po_FILES}
 |  | ||||||
| -    )
 |  | ||||||
| -  elseif(INTLTOOL_MERGE_EXECUTABLE)
 |  | ||||||
| -    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
 |  | ||||||
| -      COMMAND sed -e 's@<name>@<_name>@\;s@</name>@</_name>@'
 |  | ||||||
| -                  -e 's@<summary>@<_summary>@\;s@</summary>@</_summary>@'
 |  | ||||||
| -                  -e 's@<caption>@<_caption>@\;s@</caption>@</_caption>@'
 |  | ||||||
| -                  -e 's@<p>@<_p>@g\;s@</p>@</_p>@g'
 |  | ||||||
| -                ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in > org.tigervnc.vncviewer.metainfo.xml.intl
 |  | ||||||
| -      COMMAND ${INTLTOOL_MERGE_EXECUTABLE}
 |  | ||||||
| -                -x ${CMAKE_SOURCE_DIR}/po
 |  | ||||||
| -                org.tigervnc.vncviewer.metainfo.xml.intl org.tigervnc.vncviewer.metainfo.xml
 |  | ||||||
| -      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
 |  | ||||||
| -              ${po_FILES}
 |  | ||||||
| -    )
 |  | ||||||
| -  else()
 |  | ||||||
| -    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
 |  | ||||||
| -      COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in org.tigervnc.vncviewer.metainfo.xml
 |  | ||||||
| -      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
 |  | ||||||
| -    )
 |  | ||||||
| -  endif()
 |  | ||||||
| -  add_custom_target(appstream ALL DEPENDS org.tigervnc.vncviewer.metainfo.xml)
 |  | ||||||
| -  install(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.tigervnc.vncviewer.metainfo.xml DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/metainfo)
 |  | ||||||
| -
 |  | ||||||
|    foreach(res 16 22 24 32 48 64 128) |  | ||||||
|      install(FILES ../media/icons/tigervnc_${res}.png DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/icons/hicolor/${res}x${res}/apps RENAME tigervnc.png) |  | ||||||
|    endforeach() |  | ||||||
| @ -1,46 +0,0 @@ | |||||||
| From ded614e74e7175927dd2bc5ef69accaf2de29939 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| Date: Wed, 4 Dec 2024 15:49:43 +1000 |  | ||||||
| Subject: [PATCH xserver 2/2] dix: keep a ref to the rootCursor |  | ||||||
| 
 |  | ||||||
| CreateCursor returns a cursor with refcount 1 - that refcount is used by |  | ||||||
| the resource system, any caller needs to call RefCursor to get their own |  | ||||||
| reference. That happens correctly for normal cursors but for our |  | ||||||
| rootCursor we keep a variable to the cursor despite not having a ref for |  | ||||||
| ourselves. |  | ||||||
| 
 |  | ||||||
| Fix this by reffing/unreffing the rootCursor to ensure our pointer is |  | ||||||
| valid. |  | ||||||
| 
 |  | ||||||
| Related to CVE-2025-26594, ZDI-CAN-25544 |  | ||||||
| 
 |  | ||||||
| Reviewed-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| ---
 |  | ||||||
|  dix/main.c | 4 ++++ |  | ||||||
|  1 file changed, 4 insertions(+) |  | ||||||
| 
 |  | ||||||
| diff --git a/dix/main.c b/dix/main.c
 |  | ||||||
| index aa7b020b2..0c57ba605 100644
 |  | ||||||
| --- a/dix/main.c
 |  | ||||||
| +++ b/dix/main.c
 |  | ||||||
| @@ -235,6 +235,8 @@ dix_main(int argc, char *argv[], char *envp[])
 |  | ||||||
|                         defaultCursorFont); |  | ||||||
|          } |  | ||||||
|   |  | ||||||
| +        rootCursor = RefCursor(rootCursor);
 |  | ||||||
| +
 |  | ||||||
|  #ifdef PANORAMIX |  | ||||||
|          /* |  | ||||||
|           * Consolidate window and colourmap information for each screen |  | ||||||
| @@ -275,6 +277,8 @@ dix_main(int argc, char *argv[], char *envp[])
 |  | ||||||
|   |  | ||||||
|          Dispatch(); |  | ||||||
|   |  | ||||||
| +        UnrefCursor(rootCursor);
 |  | ||||||
| +
 |  | ||||||
|          UndisplayDevices(); |  | ||||||
|          DisableAllDevices(); |  | ||||||
|   |  | ||||||
| -- 
 |  | ||||||
| 2.48.1 |  | ||||||
| 
 |  | ||||||
| @ -1,52 +0,0 @@ | |||||||
| From efca605c45ff51b57f136222b966ce1d610ebc33 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Wed, 27 Nov 2024 11:27:05 +0100 |  | ||||||
| Subject: [PATCH xserver 1/2] Cursor: Refuse to free the root cursor |  | ||||||
| MIME-Version: 1.0 |  | ||||||
| Content-Type: text/plain; charset=UTF-8 |  | ||||||
| Content-Transfer-Encoding: 8bit |  | ||||||
| 
 |  | ||||||
| If a cursor reference count drops to 0, the cursor is freed. |  | ||||||
| 
 |  | ||||||
| The root cursor however is referenced with a specific global variable, |  | ||||||
| and when the root cursor is freed, the global variable may still point |  | ||||||
| to freed memory. |  | ||||||
| 
 |  | ||||||
| Make sure to prevent the rootCursor from being explicitly freed by a |  | ||||||
| client. |  | ||||||
| 
 |  | ||||||
| CVE-2025-26594, ZDI-CAN-25544 |  | ||||||
| 
 |  | ||||||
| This vulnerability was discovered by: |  | ||||||
| Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |  | ||||||
| 
 |  | ||||||
| v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer |  | ||||||
| <peter.hutterer@who-t.net>) |  | ||||||
| v3: Return BadCursor instead of BadValue (Michel Dänzer |  | ||||||
| <michel@daenzer.net>) |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Suggested-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| ---
 |  | ||||||
|  dix/dispatch.c | 4 ++++ |  | ||||||
|  1 file changed, 4 insertions(+) |  | ||||||
| 
 |  | ||||||
| diff --git a/dix/dispatch.c b/dix/dispatch.c
 |  | ||||||
| index 5f7cfe02d..d1241fa96 100644
 |  | ||||||
| --- a/dix/dispatch.c
 |  | ||||||
| +++ b/dix/dispatch.c
 |  | ||||||
| @@ -3039,6 +3039,10 @@ ProcFreeCursor(ClientPtr client)
 |  | ||||||
|      rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR, |  | ||||||
|                                   client, DixDestroyAccess); |  | ||||||
|      if (rc == Success) { |  | ||||||
| +        if (pCursor == rootCursor) {
 |  | ||||||
| +            client->errorValue = stuff->id;
 |  | ||||||
| +            return BadCursor;
 |  | ||||||
| +        }
 |  | ||||||
|          FreeResource(stuff->id, RT_NONE); |  | ||||||
|          return Success; |  | ||||||
|      } |  | ||||||
| -- 
 |  | ||||||
| 2.48.1 |  | ||||||
| 
 |  | ||||||
| @ -1,60 +0,0 @@ | |||||||
| From 98602942c143075ab7464f917e0fc5d31ce28c3f Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Wed, 27 Nov 2024 14:41:45 +0100 |  | ||||||
| Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbVModMaskText() |  | ||||||
| 
 |  | ||||||
| The code in XkbVModMaskText() allocates a fixed sized buffer on the |  | ||||||
| stack and copies the virtual mod name. |  | ||||||
| 
 |  | ||||||
| There's actually two issues in the code that can lead to a buffer |  | ||||||
| overflow. |  | ||||||
| 
 |  | ||||||
| First, the bound check mixes pointers and integers using misplaced |  | ||||||
| parenthesis, defeating the bound check. |  | ||||||
| 
 |  | ||||||
| But even though, if the check fails, the data is still copied, so the |  | ||||||
| stack overflow will occur regardless. |  | ||||||
| 
 |  | ||||||
| Change the logic to skip the copy entirely if the bound check fails. |  | ||||||
| 
 |  | ||||||
| CVE-2025-26595, ZDI-CAN-25545 |  | ||||||
| 
 |  | ||||||
| This vulnerability was discovered by: |  | ||||||
| Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| ---
 |  | ||||||
|  xkb/xkbtext.c | 16 ++++++++-------- |  | ||||||
|  1 file changed, 8 insertions(+), 8 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
 |  | ||||||
| index 018466420..93262528b 100644
 |  | ||||||
| --- a/xkb/xkbtext.c
 |  | ||||||
| +++ b/xkb/xkbtext.c
 |  | ||||||
| @@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb,
 |  | ||||||
|                  len = strlen(tmp) + 1 + (str == buf ? 0 : 1); |  | ||||||
|                  if (format == XkbCFile) |  | ||||||
|                      len += 4; |  | ||||||
| -                if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
 |  | ||||||
| -                    if (str != buf) {
 |  | ||||||
| -                        if (format == XkbCFile)
 |  | ||||||
| -                            *str++ = '|';
 |  | ||||||
| -                        else
 |  | ||||||
| -                            *str++ = '+';
 |  | ||||||
| -                        len--;
 |  | ||||||
| -                    }
 |  | ||||||
| +                if ((str - buf) + len > VMOD_BUFFER_SIZE)
 |  | ||||||
| +                    continue; /* Skip */
 |  | ||||||
| +                if (str != buf) {
 |  | ||||||
| +                    if (format == XkbCFile)
 |  | ||||||
| +                        *str++ = '|';
 |  | ||||||
| +                    else
 |  | ||||||
| +                        *str++ = '+';
 |  | ||||||
| +                    len--;
 |  | ||||||
|                  } |  | ||||||
|                  if (format == XkbCFile) |  | ||||||
|                      sprintf(str, "%sMask", tmp); |  | ||||||
| -- 
 |  | ||||||
| 2.48.1 |  | ||||||
| 
 |  | ||||||
| @ -1,44 +0,0 @@ | |||||||
| From b41f6fce201e77a174550935330e2f7772d4adf9 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Thu, 28 Nov 2024 11:49:34 +0100 |  | ||||||
| Subject: [PATCH xserver] xkb: Fix computation of XkbSizeKeySyms |  | ||||||
| 
 |  | ||||||
| The computation of the length in XkbSizeKeySyms() differs from what is |  | ||||||
| actually written in XkbWriteKeySyms(), leading to a heap overflow. |  | ||||||
| 
 |  | ||||||
| Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms() |  | ||||||
| does. |  | ||||||
| 
 |  | ||||||
| CVE-2025-26596, ZDI-CAN-25543 |  | ||||||
| 
 |  | ||||||
| This vulnerability was discovered by: |  | ||||||
| Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| ---
 |  | ||||||
|  xkb/xkb.c | 8 ++++---- |  | ||||||
|  1 file changed, 4 insertions(+), 4 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/xkb/xkb.c b/xkb/xkb.c
 |  | ||||||
| index 85659382d..744dba63d 100644
 |  | ||||||
| --- a/xkb/xkb.c
 |  | ||||||
| +++ b/xkb/xkb.c
 |  | ||||||
| @@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep)
 |  | ||||||
|      len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc); |  | ||||||
|      symMap = &xkb->map->key_sym_map[rep->firstKeySym]; |  | ||||||
|      for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) { |  | ||||||
| -        if (symMap->offset != 0) {
 |  | ||||||
| -            nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
 |  | ||||||
| -            nSyms += nSymsThisKey;
 |  | ||||||
| -        }
 |  | ||||||
| +        nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
 |  | ||||||
| +        if (nSymsThisKey == 0)
 |  | ||||||
| +            continue;
 |  | ||||||
| +        nSyms += nSymsThisKey;
 |  | ||||||
|      } |  | ||||||
|      len += nSyms * 4; |  | ||||||
|      rep->totalSyms = nSyms; |  | ||||||
| -- 
 |  | ||||||
| 2.48.1 |  | ||||||
| 
 |  | ||||||
| @ -1,41 +0,0 @@ | |||||||
| From c5114475db18f29d639537d60e135bdfc11a5d3a Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Thu, 28 Nov 2024 14:09:04 +0100 |  | ||||||
| Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbChangeTypesOfKey() |  | ||||||
| 
 |  | ||||||
| If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the |  | ||||||
| key syms to 0 but leave the key actions unchanged. |  | ||||||
| 
 |  | ||||||
| If later, the same function is called with a non-zero value for nGroups, |  | ||||||
| this will cause a buffer overflow because the key actions are of the wrong |  | ||||||
| size. |  | ||||||
| 
 |  | ||||||
| To avoid the issue, make sure to resize both the key syms and key actions |  | ||||||
| when nGroups is 0. |  | ||||||
| 
 |  | ||||||
| CVE-2025-26597, ZDI-CAN-25683 |  | ||||||
| 
 |  | ||||||
| This vulnerability was discovered by: |  | ||||||
| Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| ---
 |  | ||||||
|  xkb/XKBMisc.c | 1 + |  | ||||||
|  1 file changed, 1 insertion(+) |  | ||||||
| 
 |  | ||||||
| diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c
 |  | ||||||
| index abbfed90e..fd180fad2 100644
 |  | ||||||
| --- a/xkb/XKBMisc.c
 |  | ||||||
| +++ b/xkb/XKBMisc.c
 |  | ||||||
| @@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
 |  | ||||||
|          i = XkbSetNumGroups(i, 0); |  | ||||||
|          xkb->map->key_sym_map[key].group_info = i; |  | ||||||
|          XkbResizeKeySyms(xkb, key, 0); |  | ||||||
| +        XkbResizeKeyActions(xkb, key, 0);
 |  | ||||||
|          return Success; |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -- 
 |  | ||||||
| 2.48.1 |  | ||||||
| 
 |  | ||||||
| @ -1,115 +0,0 @@ | |||||||
| From 0f5ea9d269ac6225bcb302a1ec0f58878114da9f Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Mon, 16 Dec 2024 11:25:11 +0100 |  | ||||||
| Subject: [PATCH xserver] Xi: Fix barrier device search |  | ||||||
| 
 |  | ||||||
| The function GetBarrierDevice() would search for the pointer device |  | ||||||
| based on its device id and return the matching value, or supposedly NULL |  | ||||||
| if no match was found. |  | ||||||
| 
 |  | ||||||
| Unfortunately, as written, it would return the last element of the list |  | ||||||
| if no matching device id was found which can lead to out of bounds |  | ||||||
| memory access. |  | ||||||
| 
 |  | ||||||
| Fix the search function to return NULL if not matching device is found, |  | ||||||
| and adjust the callers to handle the case where the device cannot be |  | ||||||
| found. |  | ||||||
| 
 |  | ||||||
| CVE-2025-26598, ZDI-CAN-25740 |  | ||||||
| 
 |  | ||||||
| This vulnerability was discovered by: |  | ||||||
| Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| ---
 |  | ||||||
|  Xi/xibarriers.c | 27 +++++++++++++++++++++++---- |  | ||||||
|  1 file changed, 23 insertions(+), 4 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
 |  | ||||||
| index 80c4b5981..28bc0a24f 100644
 |  | ||||||
| --- a/Xi/xibarriers.c
 |  | ||||||
| +++ b/Xi/xibarriers.c
 |  | ||||||
| @@ -131,14 +131,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c)
 |  | ||||||
|   |  | ||||||
|  static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid) |  | ||||||
|  { |  | ||||||
| -    struct PointerBarrierDevice *pbd = NULL;
 |  | ||||||
| +    struct PointerBarrierDevice *p, *pbd = NULL;
 |  | ||||||
|   |  | ||||||
| -    xorg_list_for_each_entry(pbd, &c->per_device, entry) {
 |  | ||||||
| -        if (pbd->deviceid == deviceid)
 |  | ||||||
| +    xorg_list_for_each_entry(p, &c->per_device, entry) {
 |  | ||||||
| +        if (p->deviceid == deviceid) {
 |  | ||||||
| +            pbd = p;
 |  | ||||||
|              break; |  | ||||||
| +        }
 |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -    BUG_WARN(!pbd);
 |  | ||||||
|      return pbd; |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| @@ -339,6 +340,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev,
 |  | ||||||
|          double distance; |  | ||||||
|   |  | ||||||
|          pbd = GetBarrierDevice(c, dev->id); |  | ||||||
| +        if (!pbd)
 |  | ||||||
| +            continue;
 |  | ||||||
| +
 |  | ||||||
|          if (pbd->seen) |  | ||||||
|              continue; |  | ||||||
|   |  | ||||||
| @@ -447,6 +451,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
 |  | ||||||
|          nearest = &c->barrier; |  | ||||||
|   |  | ||||||
|          pbd = GetBarrierDevice(c, master->id); |  | ||||||
| +        if (!pbd)
 |  | ||||||
| +            continue;
 |  | ||||||
| +
 |  | ||||||
|          new_sequence = !pbd->hit; |  | ||||||
|   |  | ||||||
|          pbd->seen = TRUE; |  | ||||||
| @@ -487,6 +494,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
 |  | ||||||
|          int flags = 0; |  | ||||||
|   |  | ||||||
|          pbd = GetBarrierDevice(c, master->id); |  | ||||||
| +        if (!pbd)
 |  | ||||||
| +            continue;
 |  | ||||||
| +
 |  | ||||||
|          pbd->seen = FALSE; |  | ||||||
|          if (!pbd->hit) |  | ||||||
|              continue; |  | ||||||
| @@ -681,6 +691,9 @@ BarrierFreeBarrier(void *data, XID id)
 |  | ||||||
|              continue; |  | ||||||
|   |  | ||||||
|          pbd = GetBarrierDevice(c, dev->id); |  | ||||||
| +        if (!pbd)
 |  | ||||||
| +            continue;
 |  | ||||||
| +
 |  | ||||||
|          if (!pbd->hit) |  | ||||||
|              continue; |  | ||||||
|   |  | ||||||
| @@ -740,6 +753,8 @@ static void remove_master_func(void *res, XID id, void *devid)
 |  | ||||||
|      barrier = container_of(b, struct PointerBarrierClient, barrier); |  | ||||||
|   |  | ||||||
|      pbd = GetBarrierDevice(barrier, *deviceid); |  | ||||||
| +    if (!pbd)
 |  | ||||||
| +        return;
 |  | ||||||
|   |  | ||||||
|      if (pbd->hit) { |  | ||||||
|          BarrierEvent ev = { |  | ||||||
| @@ -904,6 +919,10 @@ ProcXIBarrierReleasePointer(ClientPtr client)
 |  | ||||||
|          barrier = container_of(b, struct PointerBarrierClient, barrier); |  | ||||||
|   |  | ||||||
|          pbd = GetBarrierDevice(barrier, dev->id); |  | ||||||
| +        if (!pbd) {
 |  | ||||||
| +            client->errorValue = dev->id;
 |  | ||||||
| +            return BadDevice;
 |  | ||||||
| +        }
 |  | ||||||
|   |  | ||||||
|          if (pbd->barrier_event_id == event_id) |  | ||||||
|              pbd->release_event_id = event_id; |  | ||||||
| -- 
 |  | ||||||
| 2.48.1 |  | ||||||
| 
 |  | ||||||
| @ -1,124 +0,0 @@ | |||||||
| From f5ce639ff9d3af05e79efce6c51e084352d28ed1 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Mon, 13 Jan 2025 16:09:43 +0100 |  | ||||||
| Subject: [PATCH xserver 2/2] composite: initialize border clip even when |  | ||||||
|  pixmap alloc fails |  | ||||||
| 
 |  | ||||||
| If it fails to allocate the pixmap, the function compAllocPixmap() would |  | ||||||
| return early and leave the borderClip region uninitialized, which may |  | ||||||
| lead to the use of uninitialized value as reported by valgrind: |  | ||||||
| 
 |  | ||||||
|  Conditional jump or move depends on uninitialised value(s) |  | ||||||
|     at 0x4F9B33: compClipNotify (compwindow.c:317) |  | ||||||
|     by 0x484FC9: miComputeClips (mivaltree.c:476) |  | ||||||
|     by 0x48559A: miValidateTree (mivaltree.c:679) |  | ||||||
|     by 0x4F0685: MapWindow (window.c:2693) |  | ||||||
|     by 0x4A344A: ProcMapWindow (dispatch.c:922) |  | ||||||
|     by 0x4A25B5: Dispatch (dispatch.c:560) |  | ||||||
|     by 0x4B082A: dix_main (main.c:282) |  | ||||||
|     by 0x429233: main (stubmain.c:34) |  | ||||||
|   Uninitialised value was created by a heap allocation |  | ||||||
|     at 0x4841866: malloc (vg_replace_malloc.c:446) |  | ||||||
|     by 0x4F47BC: compRedirectWindow (compalloc.c:171) |  | ||||||
|     by 0x4FA8AD: compCreateWindow (compwindow.c:592) |  | ||||||
|     by 0x4EBB89: CreateWindow (window.c:925) |  | ||||||
|     by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) |  | ||||||
|     by 0x4A25B5: Dispatch (dispatch.c:560) |  | ||||||
|     by 0x4B082A: dix_main (main.c:282) |  | ||||||
|     by 0x429233: main (stubmain.c:34) |  | ||||||
| 
 |  | ||||||
|  Conditional jump or move depends on uninitialised value(s) |  | ||||||
|     at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233) |  | ||||||
|     by 0x4F9255: RegionTranslate (regionstr.h:312) |  | ||||||
|     by 0x4F9B7E: compClipNotify (compwindow.c:319) |  | ||||||
|     by 0x484FC9: miComputeClips (mivaltree.c:476) |  | ||||||
|     by 0x48559A: miValidateTree (mivaltree.c:679) |  | ||||||
|     by 0x4F0685: MapWindow (window.c:2693) |  | ||||||
|     by 0x4A344A: ProcMapWindow (dispatch.c:922) |  | ||||||
|     by 0x4A25B5: Dispatch (dispatch.c:560) |  | ||||||
|     by 0x4B082A: dix_main (main.c:282) |  | ||||||
|     by 0x429233: main (stubmain.c:34) |  | ||||||
|   Uninitialised value was created by a heap allocation |  | ||||||
|     at 0x4841866: malloc (vg_replace_malloc.c:446) |  | ||||||
|     by 0x4F47BC: compRedirectWindow (compalloc.c:171) |  | ||||||
|     by 0x4FA8AD: compCreateWindow (compwindow.c:592) |  | ||||||
|     by 0x4EBB89: CreateWindow (window.c:925) |  | ||||||
|     by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) |  | ||||||
|     by 0x4A25B5: Dispatch (dispatch.c:560) |  | ||||||
|     by 0x4B082A: dix_main (main.c:282) |  | ||||||
|     by 0x429233: main (stubmain.c:34) |  | ||||||
| 
 |  | ||||||
|  Conditional jump or move depends on uninitialised value(s) |  | ||||||
|     at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241) |  | ||||||
|     by 0x48EEE33: pixman_region_translate (pixman-region.c:2225) |  | ||||||
|     by 0x4F9255: RegionTranslate (regionstr.h:312) |  | ||||||
|     by 0x4F9B7E: compClipNotify (compwindow.c:319) |  | ||||||
|     by 0x484FC9: miComputeClips (mivaltree.c:476) |  | ||||||
|     by 0x48559A: miValidateTree (mivaltree.c:679) |  | ||||||
|     by 0x4F0685: MapWindow (window.c:2693) |  | ||||||
|     by 0x4A344A: ProcMapWindow (dispatch.c:922) |  | ||||||
|     by 0x4A25B5: Dispatch (dispatch.c:560) |  | ||||||
|     by 0x4B082A: dix_main (main.c:282) |  | ||||||
|     by 0x429233: main (stubmain.c:34) |  | ||||||
|   Uninitialised value was created by a heap allocation |  | ||||||
|     at 0x4841866: malloc (vg_replace_malloc.c:446) |  | ||||||
|     by 0x4F47BC: compRedirectWindow (compalloc.c:171) |  | ||||||
|     by 0x4FA8AD: compCreateWindow (compwindow.c:592) |  | ||||||
|     by 0x4EBB89: CreateWindow (window.c:925) |  | ||||||
|     by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) |  | ||||||
|     by 0x4A25B5: Dispatch (dispatch.c:560) |  | ||||||
|     by 0x4B082A: dix_main (main.c:282) |  | ||||||
|     by 0x429233: main (stubmain.c:34) |  | ||||||
| 
 |  | ||||||
| Fix compAllocPixmap() to initialize the border clip even if the creation |  | ||||||
| of the backing pixmap has failed, to avoid depending later on |  | ||||||
| uninitialized border clip values. |  | ||||||
| 
 |  | ||||||
| Related to CVE-2025-26599, ZDI-CAN-25851 |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Acked-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| ---
 |  | ||||||
|  composite/compalloc.c | 11 ++++++++--- |  | ||||||
|  1 file changed, 8 insertions(+), 3 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/composite/compalloc.c b/composite/compalloc.c
 |  | ||||||
| index ecb1b6147..d1342799b 100644
 |  | ||||||
| --- a/composite/compalloc.c
 |  | ||||||
| +++ b/composite/compalloc.c
 |  | ||||||
| @@ -605,9 +605,12 @@ compAllocPixmap(WindowPtr pWin)
 |  | ||||||
|      int h = pWin->drawable.height + (bw << 1); |  | ||||||
|      PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h); |  | ||||||
|      CompWindowPtr cw = GetCompWindow(pWin); |  | ||||||
| +    Bool status;
 |  | ||||||
|   |  | ||||||
| -    if (!pPixmap)
 |  | ||||||
| -        return FALSE;
 |  | ||||||
| +    if (!pPixmap) {
 |  | ||||||
| +        status = FALSE;
 |  | ||||||
| +        goto out;
 |  | ||||||
| +    }
 |  | ||||||
|      if (cw->update == CompositeRedirectAutomatic) |  | ||||||
|          pWin->redirectDraw = RedirectDrawAutomatic; |  | ||||||
|      else |  | ||||||
| @@ -621,14 +624,16 @@ compAllocPixmap(WindowPtr pWin)
 |  | ||||||
|          DamageRegister(&pWin->drawable, cw->damage); |  | ||||||
|          cw->damageRegistered = TRUE; |  | ||||||
|      } |  | ||||||
| +    status = TRUE;
 |  | ||||||
|   |  | ||||||
| +out:
 |  | ||||||
|      /* Make sure our borderClip is up to date */ |  | ||||||
|      RegionUninit(&cw->borderClip); |  | ||||||
|      RegionCopy(&cw->borderClip, &pWin->borderClip); |  | ||||||
|      cw->borderClipX = pWin->drawable.x; |  | ||||||
|      cw->borderClipY = pWin->drawable.y; |  | ||||||
|   |  | ||||||
| -    return TRUE;
 |  | ||||||
| +    return status;
 |  | ||||||
|  } |  | ||||||
|   |  | ||||||
|  void |  | ||||||
| -- 
 |  | ||||||
| 2.48.1 |  | ||||||
| 
 |  | ||||||
| @ -1,62 +0,0 @@ | |||||||
| From 10a24e364ac15983051d0bb90817c88bbe107036 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Tue, 17 Dec 2024 15:19:45 +0100 |  | ||||||
| Subject: [PATCH xserver 1/2] composite: Handle failure to redirect in |  | ||||||
|  compRedirectWindow() |  | ||||||
| 
 |  | ||||||
| The function compCheckRedirect() may fail if it cannot allocate the |  | ||||||
| backing pixmap. |  | ||||||
| 
 |  | ||||||
| In that case, compRedirectWindow() will return a BadAlloc error. |  | ||||||
| 
 |  | ||||||
| However that failure code path will shortcut the validation of the |  | ||||||
| window tree marked just before, which leaves the validate data partly |  | ||||||
| initialized. |  | ||||||
| 
 |  | ||||||
| That causes a use of uninitialized pointer later. |  | ||||||
| 
 |  | ||||||
| The fix is to not shortcut the call to compHandleMarkedWindows() even in |  | ||||||
| the case of compCheckRedirect() returning an error. |  | ||||||
| 
 |  | ||||||
| CVE-2025-26599, ZDI-CAN-25851 |  | ||||||
| 
 |  | ||||||
| This vulnerability was discovered by: |  | ||||||
| Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Acked-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| ---
 |  | ||||||
|  composite/compalloc.c | 5 +++-- |  | ||||||
|  1 file changed, 3 insertions(+), 2 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/composite/compalloc.c b/composite/compalloc.c
 |  | ||||||
| index e52c009bd..ecb1b6147 100644
 |  | ||||||
| --- a/composite/compalloc.c
 |  | ||||||
| +++ b/composite/compalloc.c
 |  | ||||||
| @@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
 |  | ||||||
|      CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen); |  | ||||||
|      WindowPtr pLayerWin; |  | ||||||
|      Bool anyMarked = FALSE; |  | ||||||
| +    int status = Success;
 |  | ||||||
|   |  | ||||||
|      if (pWin == cs->pOverlayWin) { |  | ||||||
|          return Success; |  | ||||||
| @@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
 |  | ||||||
|   |  | ||||||
|      if (!compCheckRedirect(pWin)) { |  | ||||||
|          FreeResource(ccw->id, RT_NONE); |  | ||||||
| -        return BadAlloc;
 |  | ||||||
| +        status = BadAlloc;
 |  | ||||||
|      } |  | ||||||
|   |  | ||||||
|      if (anyMarked) |  | ||||||
|          compHandleMarkedWindows(pWin, pLayerWin); |  | ||||||
|   |  | ||||||
| -    return Success;
 |  | ||||||
| +    return status;
 |  | ||||||
|  } |  | ||||||
|   |  | ||||||
|  void |  | ||||||
| -- 
 |  | ||||||
| 2.48.1 |  | ||||||
| 
 |  | ||||||
| @ -1,64 +0,0 @@ | |||||||
| From 70ad5d36ae80f6e5a436eabfee642c2c013e51cc Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Mon, 16 Dec 2024 16:18:04 +0100 |  | ||||||
| Subject: [PATCH xserver] dix: Dequeue pending events on frozen device on |  | ||||||
|  removal |  | ||||||
| 
 |  | ||||||
| When a device is removed while still frozen, the events queued for that |  | ||||||
| device remain while the device itself is freed. |  | ||||||
| 
 |  | ||||||
| As a result, replaying the events will cause a use after free. |  | ||||||
| 
 |  | ||||||
| To avoid the issue, make sure to dequeue and free any pending events on |  | ||||||
| a frozen device when removed. |  | ||||||
| 
 |  | ||||||
| CVE-2025-26600, ZDI-CAN-25871 |  | ||||||
| 
 |  | ||||||
| This vulnerability was discovered by: |  | ||||||
| Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| ---
 |  | ||||||
|  dix/devices.c | 18 ++++++++++++++++++ |  | ||||||
|  1 file changed, 18 insertions(+) |  | ||||||
| 
 |  | ||||||
| diff --git a/dix/devices.c b/dix/devices.c
 |  | ||||||
| index 969819534..740390207 100644
 |  | ||||||
| --- a/dix/devices.c
 |  | ||||||
| +++ b/dix/devices.c
 |  | ||||||
| @@ -966,6 +966,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
 |  | ||||||
|   |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| +static void
 |  | ||||||
| +FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
 |  | ||||||
| +{
 |  | ||||||
| +    QdEventPtr qe, tmp;
 |  | ||||||
| +
 |  | ||||||
| +    if (!dev->deviceGrab.sync.frozen)
 |  | ||||||
| +        return;
 |  | ||||||
| +
 |  | ||||||
| +    /* Dequeue any frozen pending events */
 |  | ||||||
| +    xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
 |  | ||||||
| +        if (qe->device == dev) {
 |  | ||||||
| +            xorg_list_del(&qe->next);
 |  | ||||||
| +            free(qe);
 |  | ||||||
| +        }
 |  | ||||||
| +    }
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
|  /** |  | ||||||
|   * Close down a device and free all resources. |  | ||||||
|   * Once closed down, the driver will probably not expect you that you'll ever |  | ||||||
| @@ -1030,6 +1047,7 @@ CloseDevice(DeviceIntPtr dev)
 |  | ||||||
|          free(dev->last.touches[j].valuators); |  | ||||||
|      free(dev->last.touches); |  | ||||||
|      dev->config_info = NULL; |  | ||||||
| +    FreePendingFrozenDeviceEvents(dev);
 |  | ||||||
|      dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE); |  | ||||||
|      free(dev); |  | ||||||
|  } |  | ||||||
| -- 
 |  | ||||||
| 2.48.1 |  | ||||||
| 
 |  | ||||||
| @ -1,80 +0,0 @@ | |||||||
| From 7dc3f11abb51cad8a59ecbff5278c8c8a318df41 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Mon, 20 Jan 2025 16:54:30 +0100 |  | ||||||
| Subject: [PATCH xserver 2/4] sync: Check values before applying changes |  | ||||||
| 
 |  | ||||||
| In SyncInitTrigger(), we would set the CheckTrigger function before |  | ||||||
| validating the counter value. |  | ||||||
| 
 |  | ||||||
| As a result, if the counter value overflowed, we would leave the |  | ||||||
| function SyncInitTrigger() with the CheckTrigger applied but without |  | ||||||
| updating the trigger object. |  | ||||||
| 
 |  | ||||||
| To avoid that issue, move the portion of code checking for the trigger |  | ||||||
| check value before updating the CheckTrigger function. |  | ||||||
| 
 |  | ||||||
| Related to CVE-2025-26601, ZDI-CAN-25870 |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| ---
 |  | ||||||
|  Xext/sync.c | 36 ++++++++++++++++++------------------ |  | ||||||
|  1 file changed, 18 insertions(+), 18 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/Xext/sync.c b/Xext/sync.c
 |  | ||||||
| index 4267d3af6..4eab5a6ac 100644
 |  | ||||||
| --- a/Xext/sync.c
 |  | ||||||
| +++ b/Xext/sync.c
 |  | ||||||
| @@ -351,6 +351,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
 |  | ||||||
|          } |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| +    if (changes & (XSyncCAValueType | XSyncCAValue)) {
 |  | ||||||
| +        if (pTrigger->value_type == XSyncAbsolute)
 |  | ||||||
| +            pTrigger->test_value = pTrigger->wait_value;
 |  | ||||||
| +        else {                  /* relative */
 |  | ||||||
| +            Bool overflow;
 |  | ||||||
| +
 |  | ||||||
| +            if (pCounter == NULL)
 |  | ||||||
| +                return BadMatch;
 |  | ||||||
| +
 |  | ||||||
| +            overflow = checked_int64_add(&pTrigger->test_value,
 |  | ||||||
| +                                         pCounter->value, pTrigger->wait_value);
 |  | ||||||
| +            if (overflow) {
 |  | ||||||
| +                client->errorValue = pTrigger->wait_value >> 32;
 |  | ||||||
| +                return BadValue;
 |  | ||||||
| +            }
 |  | ||||||
| +        }
 |  | ||||||
| +    }
 |  | ||||||
| +
 |  | ||||||
|      if (changes & XSyncCATestType) { |  | ||||||
|   |  | ||||||
|          if (pSync && SYNC_FENCE == pSync->type) { |  | ||||||
| @@ -379,24 +397,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
 |  | ||||||
|          } |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -    if (changes & (XSyncCAValueType | XSyncCAValue)) {
 |  | ||||||
| -        if (pTrigger->value_type == XSyncAbsolute)
 |  | ||||||
| -            pTrigger->test_value = pTrigger->wait_value;
 |  | ||||||
| -        else {                  /* relative */
 |  | ||||||
| -            Bool overflow;
 |  | ||||||
| -
 |  | ||||||
| -            if (pCounter == NULL)
 |  | ||||||
| -                return BadMatch;
 |  | ||||||
| -
 |  | ||||||
| -            overflow = checked_int64_add(&pTrigger->test_value,
 |  | ||||||
| -                                         pCounter->value, pTrigger->wait_value);
 |  | ||||||
| -            if (overflow) {
 |  | ||||||
| -                client->errorValue = pTrigger->wait_value >> 32;
 |  | ||||||
| -                return BadValue;
 |  | ||||||
| -            }
 |  | ||||||
| -        }
 |  | ||||||
| -    }
 |  | ||||||
| -
 |  | ||||||
|      if (changes & XSyncCACounter) { |  | ||||||
|          if (pSync != pTrigger->pSync) { /* new counter for trigger */ |  | ||||||
|              SyncDeleteTriggerFromSyncObject(pTrigger); |  | ||||||
| -- 
 |  | ||||||
| 2.48.1 |  | ||||||
| 
 |  | ||||||
| @ -1,47 +0,0 @@ | |||||||
| From 4ccaa5134482b6be9c9a7f0b66cd221ef325d082 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Mon, 20 Jan 2025 17:06:07 +0100 |  | ||||||
| Subject: [PATCH xserver 3/4] sync: Do not fail SyncAddTriggerToSyncObject() |  | ||||||
| 
 |  | ||||||
| We do not want to return a failure at the very last step in |  | ||||||
| SyncInitTrigger() after having all changes applied. |  | ||||||
| 
 |  | ||||||
| SyncAddTriggerToSyncObject() must not fail on memory allocation, if the |  | ||||||
| allocation of the SyncTriggerList fails, trigger a FatalError() instead. |  | ||||||
| 
 |  | ||||||
| Related to CVE-2025-26601, ZDI-CAN-25870 |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| ---
 |  | ||||||
|  Xext/sync.c | 7 +++---- |  | ||||||
|  1 file changed, 3 insertions(+), 4 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/Xext/sync.c b/Xext/sync.c
 |  | ||||||
| index 4eab5a6ac..c36de1a2e 100644
 |  | ||||||
| --- a/Xext/sync.c
 |  | ||||||
| +++ b/Xext/sync.c
 |  | ||||||
| @@ -200,8 +200,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger)
 |  | ||||||
|              return Success; |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -    if (!(pCur = malloc(sizeof(SyncTriggerList))))
 |  | ||||||
| -        return BadAlloc;
 |  | ||||||
| +    /* Failure is not an option, it's succeed or burst! */
 |  | ||||||
| +    pCur = XNFalloc(sizeof(SyncTriggerList));
 |  | ||||||
|   |  | ||||||
|      pCur->pTrigger = pTrigger; |  | ||||||
|      pCur->next = pTrigger->pSync->pTriglist; |  | ||||||
| @@ -409,8 +409,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
 |  | ||||||
|       *  a new counter on a trigger |  | ||||||
|       */ |  | ||||||
|      if (newSyncObject) { |  | ||||||
| -        if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)
 |  | ||||||
| -            return rc;
 |  | ||||||
| +        SyncAddTriggerToSyncObject(pTrigger);
 |  | ||||||
|      } |  | ||||||
|      else if (pCounter && IsSystemCounter(pCounter)) { |  | ||||||
|          SyncComputeBracketValues(pCounter); |  | ||||||
| -- 
 |  | ||||||
| 2.48.1 |  | ||||||
| 
 |  | ||||||
| @ -1,128 +0,0 @@ | |||||||
| From f0984082067f79b45383fa1eb889c6a901667331 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Mon, 20 Jan 2025 17:10:31 +0100 |  | ||||||
| Subject: [PATCH xserver 4/4] sync: Apply changes last in |  | ||||||
|  SyncChangeAlarmAttributes() |  | ||||||
| 
 |  | ||||||
| SyncChangeAlarmAttributes() would apply the various changes while |  | ||||||
| checking for errors. |  | ||||||
| 
 |  | ||||||
| If one of the changes triggers an error, the changes for the trigger, |  | ||||||
| counter or delta value would remain, possibly leading to inconsistent |  | ||||||
| changes. |  | ||||||
| 
 |  | ||||||
| Postpone the actual changes until we're sure nothing else can go wrong. |  | ||||||
| 
 |  | ||||||
| Related to CVE-2025-26601, ZDI-CAN-25870 |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| ---
 |  | ||||||
|  Xext/sync.c | 42 +++++++++++++++++++++++++++--------------- |  | ||||||
|  1 file changed, 27 insertions(+), 15 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/Xext/sync.c b/Xext/sync.c
 |  | ||||||
| index c36de1a2e..e282e6657 100644
 |  | ||||||
| --- a/Xext/sync.c
 |  | ||||||
| +++ b/Xext/sync.c
 |  | ||||||
| @@ -800,8 +800,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
 |  | ||||||
|      int status; |  | ||||||
|      XSyncCounter counter; |  | ||||||
|      Mask origmask = mask; |  | ||||||
| +    SyncTrigger trigger;
 |  | ||||||
| +    Bool select_events_changed = FALSE;
 |  | ||||||
| +    Bool select_events_value;
 |  | ||||||
| +    int64_t delta;
 |  | ||||||
|   |  | ||||||
| -    counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None;
 |  | ||||||
| +    trigger = pAlarm->trigger;
 |  | ||||||
| +    delta = pAlarm->delta;
 |  | ||||||
| +    counter = trigger.pSync ? trigger.pSync->id : None;
 |  | ||||||
|   |  | ||||||
|      while (mask) { |  | ||||||
|          int index2 = lowbit(mask); |  | ||||||
| @@ -817,24 +823,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
 |  | ||||||
|          case XSyncCAValueType: |  | ||||||
|              mask &= ~XSyncCAValueType; |  | ||||||
|              /* sanity check in SyncInitTrigger */ |  | ||||||
| -            pAlarm->trigger.value_type = *values++;
 |  | ||||||
| +            trigger.value_type = *values++;
 |  | ||||||
|              break; |  | ||||||
|   |  | ||||||
|          case XSyncCAValue: |  | ||||||
|              mask &= ~XSyncCAValue; |  | ||||||
| -            pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
 |  | ||||||
| +            trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
 |  | ||||||
|              values += 2; |  | ||||||
|              break; |  | ||||||
|   |  | ||||||
|          case XSyncCATestType: |  | ||||||
|              mask &= ~XSyncCATestType; |  | ||||||
|              /* sanity check in SyncInitTrigger */ |  | ||||||
| -            pAlarm->trigger.test_type = *values++;
 |  | ||||||
| +            trigger.test_type = *values++;
 |  | ||||||
|              break; |  | ||||||
|   |  | ||||||
|          case XSyncCADelta: |  | ||||||
|              mask &= ~XSyncCADelta; |  | ||||||
| -            pAlarm->delta = ((int64_t)values[0] << 32) | values[1];
 |  | ||||||
| +            delta = ((int64_t)values[0] << 32) | values[1];
 |  | ||||||
|              values += 2; |  | ||||||
|              break; |  | ||||||
|   |  | ||||||
| @@ -844,10 +850,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
 |  | ||||||
|                  client->errorValue = *values; |  | ||||||
|                  return BadValue; |  | ||||||
|              } |  | ||||||
| -            status = SyncEventSelectForAlarm(pAlarm, client,
 |  | ||||||
| -                                             (Bool) (*values++));
 |  | ||||||
| -            if (status != Success)
 |  | ||||||
| -                return status;
 |  | ||||||
| +            select_events_value = (Bool) (*values++);
 |  | ||||||
| +            select_events_changed = TRUE;
 |  | ||||||
|              break; |  | ||||||
|   |  | ||||||
|          default: |  | ||||||
| @@ -856,25 +860,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
 |  | ||||||
|          } |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| +    if (select_events_changed) {
 |  | ||||||
| +        status = SyncEventSelectForAlarm(pAlarm, client, select_events_value);
 |  | ||||||
| +        if (status != Success)
 |  | ||||||
| +            return status;
 |  | ||||||
| +    }
 |  | ||||||
| +
 |  | ||||||
|      /* "If the test-type is PositiveComparison or PositiveTransition |  | ||||||
|       *  and delta is less than zero, or if the test-type is |  | ||||||
|       *  NegativeComparison or NegativeTransition and delta is |  | ||||||
|       *  greater than zero, a Match error is generated." |  | ||||||
|       */ |  | ||||||
|      if (origmask & (XSyncCADelta | XSyncCATestType)) { |  | ||||||
| -        if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) ||
 |  | ||||||
| -              (pAlarm->trigger.test_type == XSyncPositiveTransition))
 |  | ||||||
| -             && pAlarm->delta < 0)
 |  | ||||||
| +        if ((((trigger.test_type == XSyncPositiveComparison) ||
 |  | ||||||
| +              (trigger.test_type == XSyncPositiveTransition))
 |  | ||||||
| +             && delta < 0)
 |  | ||||||
|              || |  | ||||||
| -            (((pAlarm->trigger.test_type == XSyncNegativeComparison) ||
 |  | ||||||
| -              (pAlarm->trigger.test_type == XSyncNegativeTransition))
 |  | ||||||
| -             && pAlarm->delta > 0)
 |  | ||||||
| +            (((trigger.test_type == XSyncNegativeComparison) ||
 |  | ||||||
| +              (trigger.test_type == XSyncNegativeTransition))
 |  | ||||||
| +             && delta > 0)
 |  | ||||||
|              ) { |  | ||||||
|              return BadMatch; |  | ||||||
|          } |  | ||||||
|      } |  | ||||||
|   |  | ||||||
|      /* postpone this until now, when we're sure nothing else can go wrong */ |  | ||||||
| +    pAlarm->delta = delta;
 |  | ||||||
| +    pAlarm->trigger = trigger;
 |  | ||||||
|      if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter, |  | ||||||
|                                    origmask & XSyncCAAllTrigger)) != Success) |  | ||||||
|          return status; |  | ||||||
| -- 
 |  | ||||||
| 2.48.1 |  | ||||||
| 
 |  | ||||||
| @ -1,66 +0,0 @@ | |||||||
| From 573a2265aacfeaddcc1bb001905a6f7d4fa15ee6 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Mon, 20 Jan 2025 16:52:01 +0100 |  | ||||||
| Subject: [PATCH xserver 1/4] sync: Do not let sync objects uninitialized |  | ||||||
| 
 |  | ||||||
| When changing an alarm, the change mask values are evaluated one after |  | ||||||
| the other, changing the trigger values as requested and eventually, |  | ||||||
| SyncInitTrigger() is called. |  | ||||||
| 
 |  | ||||||
| SyncInitTrigger() will evaluate the XSyncCACounter first and may free |  | ||||||
| the existing sync object. |  | ||||||
| 
 |  | ||||||
| Other changes are then evaluated and may trigger an error and an early |  | ||||||
| return, not adding the new sync object. |  | ||||||
| 
 |  | ||||||
| This can be used to cause a use after free when the alarm eventually |  | ||||||
| triggers. |  | ||||||
| 
 |  | ||||||
| To avoid the issue, delete the existing sync object as late as possible |  | ||||||
| only once we are sure that no further error will cause an early exit. |  | ||||||
| 
 |  | ||||||
| CVE-2025-26601, ZDI-CAN-25870 |  | ||||||
| 
 |  | ||||||
| This vulnerability was discovered by: |  | ||||||
| Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| ---
 |  | ||||||
|  Xext/sync.c | 13 ++++++++----- |  | ||||||
|  1 file changed, 8 insertions(+), 5 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/Xext/sync.c b/Xext/sync.c
 |  | ||||||
| index b6417b3b0..4267d3af6 100644
 |  | ||||||
| --- a/Xext/sync.c
 |  | ||||||
| +++ b/Xext/sync.c
 |  | ||||||
| @@ -330,11 +330,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
 |  | ||||||
|              client->errorValue = syncObject; |  | ||||||
|              return rc; |  | ||||||
|          } |  | ||||||
| -        if (pSync != pTrigger->pSync) { /* new counter for trigger */
 |  | ||||||
| -            SyncDeleteTriggerFromSyncObject(pTrigger);
 |  | ||||||
| -            pTrigger->pSync = pSync;
 |  | ||||||
| -            newSyncObject = TRUE;
 |  | ||||||
| -        }
 |  | ||||||
|      } |  | ||||||
|   |  | ||||||
|      /* if system counter, ask it what the current value is */ |  | ||||||
| @@ -402,6 +397,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
 |  | ||||||
|          } |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| +    if (changes & XSyncCACounter) {
 |  | ||||||
| +        if (pSync != pTrigger->pSync) { /* new counter for trigger */
 |  | ||||||
| +            SyncDeleteTriggerFromSyncObject(pTrigger);
 |  | ||||||
| +            pTrigger->pSync = pSync;
 |  | ||||||
| +            newSyncObject = TRUE;
 |  | ||||||
| +        }
 |  | ||||||
| +    }
 |  | ||||||
| +
 |  | ||||||
|      /*  we wait until we're sure there are no errors before registering |  | ||||||
|       *  a new counter on a trigger |  | ||||||
|       */ |  | ||||||
| -- 
 |  | ||||||
| 2.48.1 |  | ||||||
| 
 |  | ||||||
| @ -1,87 +0,0 @@ | |||||||
| From 53e0de91e307870b6790690bd74cf30ac501de50 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Fri, 28 Mar 2025 09:43:52 +0100 |  | ||||||
| Subject: [PATCH xserver] render: Avoid 0 or less animated cursors |  | ||||||
| MIME-Version: 1.0 |  | ||||||
| Content-Type: text/plain; charset=UTF-8 |  | ||||||
| Content-Transfer-Encoding: 8bit |  | ||||||
| 
 |  | ||||||
| Animated cursors use a series of cursors that the client can set. |  | ||||||
| 
 |  | ||||||
| By default, the Xserver assumes at least one cursor is specified |  | ||||||
| while a client may actually pass no cursor at all. |  | ||||||
| 
 |  | ||||||
| That causes an out-of-bound read creating the animated cursor and a |  | ||||||
| crash of the Xserver: |  | ||||||
| 
 |  | ||||||
|  | Invalid read of size 8 |  | ||||||
|  |    at 0x5323F4: AnimCursorCreate (animcur.c:325) |  | ||||||
|  |    by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) |  | ||||||
|  |    by 0x52DC80: ProcRenderDispatch (render.c:1999) |  | ||||||
|  |    by 0x4A1E9D: Dispatch (dispatch.c:560) |  | ||||||
|  |    by 0x4B0169: dix_main (main.c:284) |  | ||||||
|  |    by 0x4287F5: main (stubmain.c:34) |  | ||||||
|  |  Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd |  | ||||||
|  |    at 0x48468D3: reallocarray (vg_replace_malloc.c:1803) |  | ||||||
|  |    by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802) |  | ||||||
|  |    by 0x52DC80: ProcRenderDispatch (render.c:1999) |  | ||||||
|  |    by 0x4A1E9D: Dispatch (dispatch.c:560) |  | ||||||
|  |    by 0x4B0169: dix_main (main.c:284) |  | ||||||
|  |    by 0x4287F5: main (stubmain.c:34) |  | ||||||
|  | |  | ||||||
|  | Invalid read of size 2 |  | ||||||
|  |    at 0x5323F7: AnimCursorCreate (animcur.c:325) |  | ||||||
|  |    by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) |  | ||||||
|  |    by 0x52DC80: ProcRenderDispatch (render.c:1999) |  | ||||||
|  |    by 0x4A1E9D: Dispatch (dispatch.c:560) |  | ||||||
|  |    by 0x4B0169: dix_main (main.c:284) |  | ||||||
|  |    by 0x4287F5: main (stubmain.c:34) |  | ||||||
|  |  Address 0x8 is not stack'd, malloc'd or (recently) free'd |  | ||||||
| 
 |  | ||||||
| To avoid the issue, check the number of cursors specified and return a |  | ||||||
| BadValue error in both the proc handler (early) and the animated cursor |  | ||||||
| creation (as this is a public function) if there is 0 or less cursor. |  | ||||||
| 
 |  | ||||||
| CVE-2025-49175 |  | ||||||
| 
 |  | ||||||
| This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and |  | ||||||
| reported by Julian Suleder via ERNW Vulnerability Disclosure. |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: José Expósito <jexposit@redhat.com> |  | ||||||
| (cherry picked from commit 9304e31035f97ddbfcc1d5f3c178da1d04a472ad) |  | ||||||
| ---
 |  | ||||||
|  render/animcur.c | 3 +++ |  | ||||||
|  render/render.c  | 2 ++ |  | ||||||
|  2 files changed, 5 insertions(+) |  | ||||||
| 
 |  | ||||||
| diff --git a/render/animcur.c b/render/animcur.c
 |  | ||||||
| index ef27bda27..77942d846 100644
 |  | ||||||
| --- a/render/animcur.c
 |  | ||||||
| +++ b/render/animcur.c
 |  | ||||||
| @@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
 |  | ||||||
|      int rc = BadAlloc, i; |  | ||||||
|      AnimCurPtr ac; |  | ||||||
|   |  | ||||||
| +    if (ncursor <= 0)
 |  | ||||||
| +        return BadValue;
 |  | ||||||
| +
 |  | ||||||
|      for (i = 0; i < screenInfo.numScreens; i++) |  | ||||||
|          if (!GetAnimCurScreen(screenInfo.screens[i])) |  | ||||||
|              return BadImplementation; |  | ||||||
| diff --git a/render/render.c b/render/render.c
 |  | ||||||
| index 5bc2a204b..a8c2da056 100644
 |  | ||||||
| --- a/render/render.c
 |  | ||||||
| +++ b/render/render.c
 |  | ||||||
| @@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
 |  | ||||||
|      ncursor = |  | ||||||
|          (client->req_len - |  | ||||||
|           (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1; |  | ||||||
| +    if (ncursor <= 0)
 |  | ||||||
| +        return BadValue;
 |  | ||||||
|      cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32)); |  | ||||||
|      if (!cursors) |  | ||||||
|          return BadAlloc; |  | ||||||
| -- 
 |  | ||||||
| 2.49.0 |  | ||||||
| 
 |  | ||||||
| @ -1,88 +0,0 @@ | |||||||
| From 57248c57e971bb7cc0ccae6de4c49a49ff13b45c Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Mon, 7 Apr 2025 16:13:34 +0200 |  | ||||||
| Subject: [PATCH xserver] os: Do not overflow the integer size with BigRequest |  | ||||||
| MIME-Version: 1.0 |  | ||||||
| Content-Type: text/plain; charset=UTF-8 |  | ||||||
| Content-Transfer-Encoding: 8bit |  | ||||||
| 
 |  | ||||||
| The BigRequest extension allows request larger than the 16-bit length |  | ||||||
| limit. |  | ||||||
| 
 |  | ||||||
| It uses integers for the request length and checks for the size not to |  | ||||||
| exceed the maxBigRequestSize limit, but does so after translating the |  | ||||||
| length to integer by multiplying the given size in bytes by 4. |  | ||||||
| 
 |  | ||||||
| In doing so, it might overflow the integer size limit before actually |  | ||||||
| checking for the overflow, defeating the purpose of the test. |  | ||||||
| 
 |  | ||||||
| To avoid the issue, make sure to check that the request size does not |  | ||||||
| overflow the maxBigRequestSize limit prior to any conversion. |  | ||||||
| 
 |  | ||||||
| The caller Dispatch() function however expects the return value to be in |  | ||||||
| bytes, so we cannot just return the converted value in case of error, as |  | ||||||
| that would also overflow the integer size. |  | ||||||
| 
 |  | ||||||
| To preserve the existing API, we use a negative value for the X11 error |  | ||||||
| code BadLength as the function only return positive values, 0 or -1 and |  | ||||||
| update the caller Dispatch() function to take that case into account to |  | ||||||
| return the error code to the offending client. |  | ||||||
| 
 |  | ||||||
| CVE-2025-49176 |  | ||||||
| 
 |  | ||||||
| This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and |  | ||||||
| reported by Julian Suleder via ERNW Vulnerability Disclosure. |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: Michel Dänzer <mdaenzer@redhat.com> |  | ||||||
| (cherry picked from commit b380b0a6c2022fbd3115552b1cd88251b5268daa) |  | ||||||
| ---
 |  | ||||||
|  dix/dispatch.c | 9 +++++---- |  | ||||||
|  os/io.c        | 4 ++++ |  | ||||||
|  2 files changed, 9 insertions(+), 4 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/dix/dispatch.c b/dix/dispatch.c
 |  | ||||||
| index 6f4e349e0..15e63e22a 100644
 |  | ||||||
| --- a/dix/dispatch.c
 |  | ||||||
| +++ b/dix/dispatch.c
 |  | ||||||
| @@ -518,9 +518,10 @@ Dispatch(void)
 |  | ||||||
|   |  | ||||||
|                  /* now, finally, deal with client requests */ |  | ||||||
|                  result = ReadRequestFromClient(client); |  | ||||||
| -                if (result <= 0) {
 |  | ||||||
| -                    if (result < 0)
 |  | ||||||
| -                        CloseDownClient(client);
 |  | ||||||
| +                if (result == 0)
 |  | ||||||
| +                    break;
 |  | ||||||
| +                else if (result == -1) {
 |  | ||||||
| +                    CloseDownClient(client);
 |  | ||||||
|                      break; |  | ||||||
|                  } |  | ||||||
|   |  | ||||||
| @@ -541,7 +542,7 @@ Dispatch(void)
 |  | ||||||
|                                            client->index, |  | ||||||
|                                            client->requestBuffer); |  | ||||||
|  #endif |  | ||||||
| -                if (result > (maxBigRequestSize << 2))
 |  | ||||||
| +                if (result < 0 || result > (maxBigRequestSize << 2))
 |  | ||||||
|                      result = BadLength; |  | ||||||
|                  else { |  | ||||||
|                      result = XaceHookDispatch(client, client->majorOp); |  | ||||||
| diff --git a/os/io.c b/os/io.c
 |  | ||||||
| index 5b7fac349..5fc05821c 100644
 |  | ||||||
| --- a/os/io.c
 |  | ||||||
| +++ b/os/io.c
 |  | ||||||
| @@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client)
 |  | ||||||
|                  needed = get_big_req_len(request, client); |  | ||||||
|          } |  | ||||||
|          client->req_len = needed; |  | ||||||
| +        if (needed > MAXINT >> 2) {
 |  | ||||||
| +            /* Check for potential integer overflow */
 |  | ||||||
| +            return -(BadLength);
 |  | ||||||
| +        }
 |  | ||||||
|          needed <<= 2;           /* needed is in bytes now */ |  | ||||||
|      } |  | ||||||
|      if (gotnow < needed) { |  | ||||||
| -- 
 |  | ||||||
| 2.49.0 |  | ||||||
| 
 |  | ||||||
| @ -1,32 +0,0 @@ | |||||||
| From 6794bf46b1c76c0a424940c97be3576dc2e7e9b1 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Wed, 18 Jun 2025 08:39:02 +0200 |  | ||||||
| Subject: [PATCH] os: Check for integer overflow on BigRequest length |  | ||||||
| 
 |  | ||||||
| Check for another possible integer overflow once we get a complete xReq |  | ||||||
| with BigRequest. |  | ||||||
| 
 |  | ||||||
| Related to CVE-2025-49176 |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Suggested-by: Peter Harris <pharris2@rocketsoftware.com> |  | ||||||
| ---
 |  | ||||||
|  os/io.c | 2 ++ |  | ||||||
|  1 file changed, 2 insertions(+) |  | ||||||
| 
 |  | ||||||
| diff --git a/os/io.c b/os/io.c
 |  | ||||||
| index e7b76b9cea..167b40a720 100644
 |  | ||||||
| --- a/os/io.c
 |  | ||||||
| +++ b/os/io.c
 |  | ||||||
| @@ -394,6 +394,8 @@ ReadRequestFromClient(ClientPtr client)
 |  | ||||||
|                      needed = get_big_req_len(request, client); |  | ||||||
|              } |  | ||||||
|              client->req_len = needed; |  | ||||||
| +            if (needed > MAXINT >> 2)
 |  | ||||||
| +                return -(BadLength);
 |  | ||||||
|              needed <<= 2; |  | ||||||
|          } |  | ||||||
|          if (gotnow < needed) { |  | ||||||
| -- 
 |  | ||||||
| GitLab |  | ||||||
| 
 |  | ||||||
| @ -1,46 +0,0 @@ | |||||||
| From 90a13c564e7b9ba5c0d8d92acac80689cd051898 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Mon, 28 Apr 2025 10:46:03 +0200 |  | ||||||
| Subject: [PATCH xserver] os: Account for bytes to ignore when sharing input |  | ||||||
|  buffer |  | ||||||
| 
 |  | ||||||
| When reading requests from the clients, the input buffer might be shared |  | ||||||
| and used between different clients. |  | ||||||
| 
 |  | ||||||
| If a given client sends a full request with non-zero bytes to ignore, |  | ||||||
| the bytes to ignore may still be non-zero even though the request is |  | ||||||
| full, in which case the buffer could be shared with another client who's |  | ||||||
| request will not be processed because of those bytes to ignore, leading |  | ||||||
| to a possible hang of the other client request. |  | ||||||
| 
 |  | ||||||
| To avoid the issue, make sure we have zero bytes to ignore left in the |  | ||||||
| input request when sharing the input buffer with another client. |  | ||||||
| 
 |  | ||||||
| CVE-2025-49178 |  | ||||||
| 
 |  | ||||||
| This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and |  | ||||||
| reported by Julian Suleder via ERNW Vulnerability Disclosure. |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| (cherry picked from commit b0c1cbf4f8e6baa372b1676d2f30512de8ab4ed3) |  | ||||||
| ---
 |  | ||||||
|  os/io.c | 2 +- |  | ||||||
|  1 file changed, 1 insertion(+), 1 deletion(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/os/io.c b/os/io.c
 |  | ||||||
| index 5fc05821c..26f9161ef 100644
 |  | ||||||
| --- a/os/io.c
 |  | ||||||
| +++ b/os/io.c
 |  | ||||||
| @@ -442,7 +442,7 @@ ReadRequestFromClient(ClientPtr client)
 |  | ||||||
|       */ |  | ||||||
|   |  | ||||||
|      gotnow -= needed; |  | ||||||
| -    if (!gotnow)
 |  | ||||||
| +    if (!gotnow && !oci->ignoreBytes)
 |  | ||||||
|          AvailableInput = oc; |  | ||||||
|      if (move_header) { |  | ||||||
|          if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) { |  | ||||||
| -- 
 |  | ||||||
| 2.49.0 |  | ||||||
| 
 |  | ||||||
| @ -1,62 +0,0 @@ | |||||||
| From 9a4f3012ba5752be1634455a3f0c7c125eabb328 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Mon, 28 Apr 2025 11:47:15 +0200 |  | ||||||
| Subject: [PATCH xserver] record: Check for overflow in |  | ||||||
|  RecordSanityCheckRegisterClients() |  | ||||||
| 
 |  | ||||||
| The RecordSanityCheckRegisterClients() checks for the request length, |  | ||||||
| but does not check for integer overflow. |  | ||||||
| 
 |  | ||||||
| A client might send a very large value for either the number of clients |  | ||||||
| or the number of protocol ranges that will cause an integer overflow in |  | ||||||
| the request length computation, defeating the check for request length. |  | ||||||
| 
 |  | ||||||
| To avoid the issue, explicitly check the number of clients against the |  | ||||||
| limit of clients (which is much lower than an maximum integer value) and |  | ||||||
| the number of protocol ranges (multiplied by the record length) do not |  | ||||||
| exceed the maximum integer value. |  | ||||||
| 
 |  | ||||||
| This way, we ensure that the final computation for the request length |  | ||||||
| will not overflow the maximum integer limit. |  | ||||||
| 
 |  | ||||||
| CVE-2025-49179 |  | ||||||
| 
 |  | ||||||
| This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and |  | ||||||
| reported by Julian Suleder via ERNW Vulnerability Disclosure. |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| (cherry picked from commit ea52403bf222f8bd6ee4c509bed5e34f0c789b00) |  | ||||||
| ---
 |  | ||||||
|  record/record.c | 8 ++++++++ |  | ||||||
|  1 file changed, 8 insertions(+) |  | ||||||
| 
 |  | ||||||
| diff --git a/record/record.c b/record/record.c
 |  | ||||||
| index e123867a7..018e53f81 100644
 |  | ||||||
| --- a/record/record.c
 |  | ||||||
| +++ b/record/record.c
 |  | ||||||
| @@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
 |  | ||||||
|  #include "inputstr.h" |  | ||||||
|  #include "eventconvert.h" |  | ||||||
|  #include "scrnintstr.h" |  | ||||||
| +#include "opaque.h"
 |  | ||||||
|   |  | ||||||
|  #include <stdio.h> |  | ||||||
|  #include <assert.h> |  | ||||||
| @@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
 |  | ||||||
|      int i; |  | ||||||
|      XID recordingClient; |  | ||||||
|   |  | ||||||
| +    /* LimitClients is 2048 at max, way less that MAXINT */
 |  | ||||||
| +    if (stuff->nClients > LimitClients)
 |  | ||||||
| +        return BadValue;
 |  | ||||||
| +
 |  | ||||||
| +    if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
 |  | ||||||
| +        return BadValue;
 |  | ||||||
| +
 |  | ||||||
|      if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) != |  | ||||||
|          4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges) |  | ||||||
|          return BadLength; |  | ||||||
| -- 
 |  | ||||||
| 2.49.0 |  | ||||||
| 
 |  | ||||||
| @ -1,41 +0,0 @@ | |||||||
| From 5e7a3a955853218536ba4a7e696360aab0064206 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Date: Tue, 20 May 2025 15:18:19 +0200 |  | ||||||
| Subject: [PATCH xserver 1/2] randr: Check for overflow in |  | ||||||
|  RRChangeProviderProperty() |  | ||||||
| 
 |  | ||||||
| A client might send a request causing an integer overflow when computing |  | ||||||
| the total size to allocate in RRChangeProviderProperty(). |  | ||||||
| 
 |  | ||||||
| To avoid the issue, check that total length in bytes won't exceed the |  | ||||||
| maximum integer value. |  | ||||||
| 
 |  | ||||||
| CVE-2025-49180 |  | ||||||
| 
 |  | ||||||
| This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and |  | ||||||
| reported by Julian Suleder via ERNW Vulnerability Disclosure. |  | ||||||
| 
 |  | ||||||
| Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> |  | ||||||
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |  | ||||||
| (cherry picked from commit 1b0bf563a3a76b06ddcd6fc4d8e72d81f6773699) |  | ||||||
| ---
 |  | ||||||
|  randr/rrproviderproperty.c | 3 ++- |  | ||||||
|  1 file changed, 2 insertions(+), 1 deletion(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
 |  | ||||||
| index 90c5a9a93..0aa35ad87 100644
 |  | ||||||
| --- a/randr/rrproviderproperty.c
 |  | ||||||
| +++ b/randr/rrproviderproperty.c
 |  | ||||||
| @@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
 |  | ||||||
|   |  | ||||||
|      if (mode == PropModeReplace || len > 0) { |  | ||||||
|          void *new_data = NULL, *old_data = NULL; |  | ||||||
| -
 |  | ||||||
| +        if (total_len > MAXINT / size_in_bytes)
 |  | ||||||
| +            return BadValue;
 |  | ||||||
|          total_size = total_len * size_in_bytes; |  | ||||||
|          new_value.data = (void *) malloc(total_size); |  | ||||||
|          if (!new_value.data && total_size) { |  | ||||||
| -- 
 |  | ||||||
| 2.49.0 |  | ||||||
| 
 |  | ||||||
							
								
								
									
										6
									
								
								gating.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										6
									
								
								gating.yaml
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,6 @@ | |||||||
|  | --- !Policy | ||||||
|  | product_versions: | ||||||
|  |   - rhel-9 | ||||||
|  | decision_context: osci_compose_gate | ||||||
|  | rules: | ||||||
|  |   - !PassingTestCaseRule {test_case_name: desktop-qe.desktop-ci.tier1-gating.functional} | ||||||
							
								
								
									
										14
									
								
								rpminspect.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										14
									
								
								rpminspect.yaml
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,14 @@ | |||||||
|  | --- | ||||||
|  | badfuncs: | ||||||
|  |   ignore: | ||||||
|  |     - /usr/lib*/xorg/modules/extensions/libvnc.so | ||||||
|  |     - /usr/bin/vncviewer | ||||||
|  |     - /usr/bin/Xvnc | ||||||
|  |     - /usr/bin/x0vncserver | ||||||
|  | runpath: | ||||||
|  |   # This is intentional, we know where we need Mesa's libGL, which will always | ||||||
|  |   # be in ${libdir} and not any third-party libGL that may be configured using | ||||||
|  |   # ld.so.conf. | ||||||
|  |   allowed_paths: | ||||||
|  |     - /usr/lib64 | ||||||
|  |     - /usr/lib | ||||||
							
								
								
									
										1
									
								
								sources
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								sources
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1 @@ | |||||||
|  | SHA512 (tigervnc-1.15.0.tar.gz) = 0b550296b5bd06ac9d63ce10861ff54d24e79b6ac1551d80e9b81845fa873d85bfd684112c66d86188c9c61fdffb9421ea8696c1c7fd15a24fb1bf6bfe6a5e05 | ||||||
							
								
								
									
										138
									
								
								tigervnc-xserver120.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										138
									
								
								tigervnc-xserver120.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,138 @@ | |||||||
|  | diff --git a/configure.ac b/configure.ac
 | ||||||
|  | index 0909cc5b4..c01873200 100644
 | ||||||
|  | --- a/configure.ac
 | ||||||
|  | +++ b/configure.ac
 | ||||||
|  | @@ -74,6 +74,7 @@ dnl forcing an entire recompile.x
 | ||||||
|  |  AC_CONFIG_HEADERS(include/version-config.h) | ||||||
|  |   | ||||||
|  |  AM_PROG_AS | ||||||
|  | +AC_PROG_CXX
 | ||||||
|  |  AC_PROG_LN_S | ||||||
|  |  LT_PREREQ([2.2]) | ||||||
|  |  LT_INIT([disable-static win32-dll]) | ||||||
|  | @@ -1735,6 +1736,14 @@ if test "x$XVFB" = xyes; then
 | ||||||
|  |  	AC_SUBST([XVFB_SYS_LIBS]) | ||||||
|  |  fi | ||||||
|  |   | ||||||
|  | +dnl Xvnc DDX
 | ||||||
|  | +AC_SUBST([XVNC_LIBS], ["$FB_LIB $FIXES_LIB $XEXT_LIB $CONFIG_LIB $DBE_LIB $RECORD_LIB $GLX_LIBS $RANDR_LIB $RENDER_LIB $DAMAGE_LIB $DRI3_LIB $PRESENT_LIB $MIEXT_SYNC_LIB $MIEXT_DAMAGE_LIB $MIEXT_SHADOW_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $COMPOSITE_LIB $MAIN_LIB"])
 | ||||||
|  | +AC_SUBST([XVNC_SYS_LIBS], ["$GLX_SYS_LIBS"])
 | ||||||
|  | +
 | ||||||
|  | +PKG_CHECK_MODULES(GBM, "$LIBGBM", [GBM=yes], [GBM=no])
 | ||||||
|  | +if test "x$GBM" = xyes; then
 | ||||||
|  | +	AC_DEFINE(HAVE_GBM, 1, [Have GBM support])
 | ||||||
|  | +fi
 | ||||||
|  |   | ||||||
|  |  dnl Xnest DDX | ||||||
|  |   | ||||||
|  | @@ -2058,7 +2067,6 @@ if test "x$GLAMOR" = xyes; then
 | ||||||
|  |  			 [AC_DEFINE(GLAMOR_HAS_EGL_QUERY_DRIVER, 1, [Have GLAMOR_HAS_EGL_QUERY_DRIVER])], | ||||||
|  |  			 []) | ||||||
|  |   | ||||||
|  | -	PKG_CHECK_MODULES(GBM, "$LIBGBM", [GBM=yes], [GBM=no])
 | ||||||
|  |  	if test "x$GBM" = xyes; then | ||||||
|  |  		AC_DEFINE(GLAMOR_HAS_GBM, 1, | ||||||
|  |  			  [Build glamor with GBM-based EGL support]) | ||||||
|  | @@ -2523,6 +2531,7 @@ hw/dmx/Makefile
 | ||||||
|  |  hw/dmx/man/Makefile | ||||||
|  |  hw/vfb/Makefile | ||||||
|  |  hw/vfb/man/Makefile | ||||||
|  | +hw/vnc/Makefile
 | ||||||
|  |  hw/xnest/Makefile | ||||||
|  |  hw/xnest/man/Makefile | ||||||
|  |  hw/xwin/Makefile | ||||||
|  | diff --git a/dri3/Makefile.am b/dri3/Makefile.am
 | ||||||
|  | index e47a734e0..99c3718a5 100644
 | ||||||
|  | --- a/dri3/Makefile.am
 | ||||||
|  | +++ b/dri3/Makefile.am
 | ||||||
|  | @@ -1,7 +1,7 @@
 | ||||||
|  |  noinst_LTLIBRARIES = libdri3.la | ||||||
|  |  AM_CFLAGS = \ | ||||||
|  | -	-DHAVE_XORG_CONFIG_H \
 | ||||||
|  | -	@DIX_CFLAGS@ @XORG_CFLAGS@
 | ||||||
|  | +	@DIX_CFLAGS@ \
 | ||||||
|  | +	@LIBDRM_CFLAGS@
 | ||||||
|  | 
 | ||||||
|  |  libdri3_la_SOURCES = \ | ||||||
|  |  	dri3.h \ | ||||||
|  | diff --git a/dri3/dri3.c b/dri3/dri3.c
 | ||||||
|  | index ba32facd7..191252969 100644
 | ||||||
|  | --- a/dri3/dri3.c
 | ||||||
|  | +++ b/dri3/dri3.c
 | ||||||
|  | @@ -20,10 +20,6 @@
 | ||||||
|  |   * OF THIS SOFTWARE. | ||||||
|  |   */ | ||||||
|  |   | ||||||
|  | -#ifdef HAVE_XORG_CONFIG_H
 | ||||||
|  | -#include <xorg-config.h>
 | ||||||
|  | -#endif
 | ||||||
|  | -
 | ||||||
|  |  #include "dri3_priv.h" | ||||||
|  |   | ||||||
|  |  #include <drm_fourcc.h> | ||||||
|  | diff --git a/dri3/dri3_priv.h b/dri3/dri3_priv.h
 | ||||||
|  | index b087a9529..f319d1770 100644
 | ||||||
|  | --- a/dri3/dri3_priv.h
 | ||||||
|  | +++ b/dri3/dri3_priv.h
 | ||||||
|  | @@ -23,6 +23,7 @@
 | ||||||
|  |  #ifndef _DRI3PRIV_H_ | ||||||
|  |  #define _DRI3PRIV_H_ | ||||||
|  |   | ||||||
|  | +#include "dix-config.h"
 | ||||||
|  |  #include <X11/X.h> | ||||||
|  |  #include "scrnintstr.h" | ||||||
|  |  #include "misc.h" | ||||||
|  | diff --git a/dri3/dri3_request.c b/dri3/dri3_request.c
 | ||||||
|  | index 958877efa..687168930 100644
 | ||||||
|  | --- a/dri3/dri3_request.c
 | ||||||
|  | +++ b/dri3/dri3_request.c
 | ||||||
|  | @@ -20,10 +20,6 @@
 | ||||||
|  |   * OF THIS SOFTWARE. | ||||||
|  |   */ | ||||||
|  |   | ||||||
|  | -#ifdef HAVE_XORG_CONFIG_H
 | ||||||
|  | -#include <xorg-config.h>
 | ||||||
|  | -#endif
 | ||||||
|  | -
 | ||||||
|  |  #include "dri3_priv.h" | ||||||
|  |  #include <syncsrv.h> | ||||||
|  |  #include <unistd.h> | ||||||
|  | diff --git a/dri3/dri3_screen.c b/dri3/dri3_screen.c
 | ||||||
|  | index b98259753..3c7e5bf60 100644
 | ||||||
|  | --- a/dri3/dri3_screen.c
 | ||||||
|  | +++ b/dri3/dri3_screen.c
 | ||||||
|  | @@ -20,10 +20,6 @@
 | ||||||
|  |   * OF THIS SOFTWARE. | ||||||
|  |   */ | ||||||
|  |   | ||||||
|  | -#ifdef HAVE_XORG_CONFIG_H
 | ||||||
|  | -#include <xorg-config.h>
 | ||||||
|  | -#endif
 | ||||||
|  | -
 | ||||||
|  |  #include "dri3_priv.h" | ||||||
|  |  #include <syncsdk.h> | ||||||
|  |  #include <misync.h> | ||||||
|  | diff --git a/hw/Makefile.am b/hw/Makefile.am
 | ||||||
|  | index 19895dc77..3ecfa8b7a 100644
 | ||||||
|  | --- a/hw/Makefile.am
 | ||||||
|  | +++ b/hw/Makefile.am
 | ||||||
|  | @@ -44,3 +44,5 @@ DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland
 | ||||||
|  |   | ||||||
|  |  relink: | ||||||
|  |  	$(AM_V_at)for i in $(SUBDIRS) ; do $(MAKE) -C $$i relink || exit 1 ; done | ||||||
|  | +
 | ||||||
|  | +SUBDIRS += vnc
 | ||||||
|  | diff --git a/include/dix-config.h.in b/include/dix-config.h.in
 | ||||||
|  | index f8fc67067..d53c4e72f 100644
 | ||||||
|  | --- a/include/dix-config.h.in
 | ||||||
|  | +++ b/include/dix-config.h.in
 | ||||||
|  | @@ -83,6 +83,9 @@
 | ||||||
|  |  /* Define to 1 if you have the <fcntl.h> header file. */ | ||||||
|  |  #undef HAVE_FCNTL_H | ||||||
|  |   | ||||||
|  | +/* Have GBM support */
 | ||||||
|  | +#undef HAVE_GBM
 | ||||||
|  | +
 | ||||||
|  |  /* Define to 1 if you have the `getdtablesize' function. */ | ||||||
|  |  #undef HAVE_GETDTABLESIZE | ||||||
|  |   | ||||||
| @ -5,12 +5,12 @@ | |||||||
| 
 | 
 | ||||||
| Name:           tigervnc | Name:           tigervnc | ||||||
| Version:        1.15.0 | Version:        1.15.0 | ||||||
| Release:        7%{?dist} | Release:        5%{?dist} | ||||||
| Summary:        A TigerVNC remote display system | Summary:        A TigerVNC remote display system | ||||||
| 
 | 
 | ||||||
| %global _hardened_build 1 | %global _hardened_build 1 | ||||||
| 
 | 
 | ||||||
| License:        GPLv2+ | License:        GPL-2.0-or-later | ||||||
| URL:            http://www.tigervnc.com | URL:            http://www.tigervnc.com | ||||||
| 
 | 
 | ||||||
| Source0:        https://github.com/TigerVNC/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz | Source0:        https://github.com/TigerVNC/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz | ||||||
| @ -25,11 +25,10 @@ Source5:        vncserver | |||||||
| Patch1:         tigervnc-use-gnome-as-default-session.patch | Patch1:         tigervnc-use-gnome-as-default-session.patch | ||||||
| # https://github.com/TigerVNC/tigervnc/pull/1425 | # https://github.com/TigerVNC/tigervnc/pull/1425 | ||||||
| Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch | Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch | ||||||
| Patch3:         tigervnc-dont-install-appstream-metadata-file.patch | # https://github.com/TigerVNC/tigervnc/pull/1792 | ||||||
|  | Patch3:         tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch | ||||||
| # Only warn about passwords longer than 8 characters, but allow them to be used as in the past | # Only warn about passwords longer than 8 characters, but allow them to be used as in the past | ||||||
| Patch4:         tigervnc-allow-use-of-passwords-longer-than-eight-characters.patch | Patch4:         tigervnc-allow-use-of-passwords-longer-than-eight-characters.patch | ||||||
| # https://github.com/TigerVNC/tigervnc/pull/1792 |  | ||||||
| Patch5:         tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch |  | ||||||
| 
 | 
 | ||||||
| # Upstream patches | # Upstream patches | ||||||
| Patch50:        tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch | Patch50:        tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch | ||||||
| @ -42,25 +41,7 @@ Patch52:        tigervnc-dont-print-xvnc-banner-before-parsing-args.patch | |||||||
| Patch100:       0001-rpath-hack.patch | Patch100:       0001-rpath-hack.patch | ||||||
| 
 | 
 | ||||||
| # XServer patches | # XServer patches | ||||||
| Patch200:       xorg-CVE-2025-26594.patch | 
 | ||||||
| Patch201:       xorg-CVE-2025-26594-2.patch |  | ||||||
| Patch202:       xorg-CVE-2025-26595.patch |  | ||||||
| Patch203:       xorg-CVE-2025-26596.patch |  | ||||||
| Patch204:       xorg-CVE-2025-26597.patch |  | ||||||
| Patch205:       xorg-CVE-2025-26598.patch |  | ||||||
| Patch206:       xorg-CVE-2025-26599.patch |  | ||||||
| Patch207:       xorg-CVE-2025-26599-2.patch |  | ||||||
| Patch208:       xorg-CVE-2025-26600.patch |  | ||||||
| Patch209:       xorg-CVE-2025-26601.patch |  | ||||||
| Patch210:       xorg-CVE-2025-26601-2.patch |  | ||||||
| Patch211:       xorg-CVE-2025-26601-3.patch |  | ||||||
| Patch212:       xorg-CVE-2025-26601-4.patch |  | ||||||
| Patch213:       xorg-CVE-2025-49175.patch |  | ||||||
| Patch214:       xorg-CVE-2025-49176-1.patch |  | ||||||
| Patch215:       xorg-CVE-2025-49176-2.patch |  | ||||||
| Patch216:       xorg-CVE-2025-49178.patch |  | ||||||
| Patch217:       xorg-CVE-2025-49179.patch |  | ||||||
| Patch218:       xorg-CVE-2025-49180.patch |  | ||||||
| 
 | 
 | ||||||
| BuildRequires:  make | BuildRequires:  make | ||||||
| BuildRequires:  gcc-c++ | BuildRequires:  gcc-c++ | ||||||
| @ -113,7 +94,7 @@ BuildRequires:  xorg-x11-xtrans-devel | |||||||
| BuildRequires:  libselinux-devel | BuildRequires:  libselinux-devel | ||||||
| BuildRequires:  selinux-policy-devel | BuildRequires:  selinux-policy-devel | ||||||
| 
 | 
 | ||||||
| # For RHEL-91104 | # For RHEL-34880 | ||||||
| BuildRequires:  pkgconfig(dbus-1) >= 1.0 | BuildRequires:  pkgconfig(dbus-1) >= 1.0 | ||||||
| BuildRequires:  pkgconfig(libsystemd) >= 209 | BuildRequires:  pkgconfig(libsystemd) >= 209 | ||||||
| BuildRequires:  pkgconfig(libudev) >= 143 | BuildRequires:  pkgconfig(libudev) >= 143 | ||||||
| @ -222,33 +203,13 @@ for all in `find . -type f -perm -001`; do | |||||||
| done | done | ||||||
| %patch -P100 -p1 -b .rpath | %patch -P100 -p1 -b .rpath | ||||||
| cat ../xserver120.patch | patch -p1 | cat ../xserver120.patch | patch -p1 | ||||||
| 
 |  | ||||||
| %patch -P200 -p1 -b .xorg-CVE-2025-26594 |  | ||||||
| %patch -P201 -p1 -b .xorg-CVE-2025-26594-2 |  | ||||||
| %patch -P202 -p1 -b .xorg-CVE-2025-26595 |  | ||||||
| %patch -P203 -p1 -b .xorg-CVE-2025-26596 |  | ||||||
| %patch -P204 -p1 -b .xorg-CVE-2025-26597 |  | ||||||
| %patch -P205 -p1 -b .xorg-CVE-2025-26598 |  | ||||||
| %patch -P206 -p1 -b .xorg-CVE-2025-26599 |  | ||||||
| %patch -P207 -p1 -b .xorg-CVE-2025-26599-2 |  | ||||||
| %patch -P208 -p1 -b .xorg-CVE-2025-26600 |  | ||||||
| %patch -P209 -p1 -b .xorg-CVE-2025-26601 |  | ||||||
| %patch -P210 -p1 -b .xorg-CVE-2025-26601-2 |  | ||||||
| %patch -P211 -p1 -b .xorg-CVE-2025-26601-3 |  | ||||||
| %patch -P212 -p1 -b .xorg-CVE-2025-26601-4 |  | ||||||
| %patch -P213 -p1 -b .xorg-CVE-2025-49175 |  | ||||||
| %patch -P214 -p1 -b .xorg-CVE-2025-49176-1 |  | ||||||
| %patch -P215 -p1 -b .xorg-CVE-2025-49176-2 |  | ||||||
| %patch -P216 -p1 -b .xorg-CVE-2025-49178 |  | ||||||
| %patch -P217 -p1 -b .xorg-CVE-2025-49179 |  | ||||||
| %patch -P218 -p1 -b .xorg-CVE-2025-49180 |  | ||||||
| popd | popd | ||||||
| 
 | 
 | ||||||
|  | # Tigervnc patches | ||||||
| %patch -P1 -p1 -b .use-gnome-as-default-session | %patch -P1 -p1 -b .use-gnome-as-default-session | ||||||
| %patch -P2 -p1 -b .vncsession-restore-script-systemd-service | %patch -P2 -p1 -b .vncsession-restore-script-systemd-service | ||||||
| %patch -P3 -p1 -b .dont-install-appstream-metadata-file.patch | %patch -P3 -p1 -b .add-option-allowing-to-connect-only-user-owning-session | ||||||
| %patch -P4 -p1 -b .allow-use-of-passwords-longer-than-eight-characters | %patch -P4 -p1 -b .allow-use-of-passwords-longer-than-eight-characters | ||||||
| %patch -P5 -p1 -b .add-option-allowing-to-connect-only-user-owning-session |  | ||||||
| 
 | 
 | ||||||
| # Upstream patches | # Upstream patches | ||||||
| %patch -P50 -p1 -b .add-selinux-policy-rules-allowing-create-dirs-under-root-dir | %patch -P50 -p1 -b .add-selinux-policy-rules-allowing-create-dirs-under-root-dir | ||||||
| @ -265,10 +226,20 @@ export CFLAGS="$RPM_OPT_FLAGS -fpic" | |||||||
| %endif | %endif | ||||||
| export CXXFLAGS="$CFLAGS -std=c++11" | export CXXFLAGS="$CFLAGS -std=c++11" | ||||||
| 
 | 
 | ||||||
| %{cmake} . | %define __cmake_builddir %{_target_platform} | ||||||
| make %{?_smp_mflags} | 
 | ||||||
|  | mkdir -p %{%__cmake_builddir} | ||||||
|  | 
 | ||||||
|  | %cmake | ||||||
|  | 
 | ||||||
|  | %cmake_build | ||||||
| 
 | 
 | ||||||
| pushd unix/xserver | pushd unix/xserver | ||||||
|  | 
 | ||||||
|  | %if 0%{?fedora} > 32 || 0%{?rhel} >= 9 | ||||||
|  | sed -i 's@TIGERVNC_BUILDDIR=${top_builddir}/\.\./\.\.@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}/%{_target_platform}@g' hw/vnc/Makefile.am | ||||||
|  | %endif | ||||||
|  | 
 | ||||||
| autoreconf -fiv | autoreconf -fiv | ||||||
| %configure \ | %configure \ | ||||||
|         --disable-xorg --disable-xnest --disable-xvfb --disable-dmx \ |         --disable-xorg --disable-xnest --disable-xvfb --disable-dmx \ | ||||||
| @ -290,7 +261,11 @@ make %{?_smp_mflags} | |||||||
| popd | popd | ||||||
| 
 | 
 | ||||||
| # Build icons | # Build icons | ||||||
|  | %if 0%{?fedora} > 32 || 0%{?rhel} >= 9 | ||||||
|  | pushd %{_target_platform}/media | ||||||
|  | %else | ||||||
| pushd media | pushd media | ||||||
|  | %endif | ||||||
| make | make | ||||||
| popd | popd | ||||||
| 
 | 
 | ||||||
| @ -299,24 +274,22 @@ pushd unix/vncserver/selinux | |||||||
| make | make | ||||||
| popd | popd | ||||||
| 
 | 
 | ||||||
| 
 |  | ||||||
| %install | %install | ||||||
| %make_install | %cmake_install | ||||||
|  | rm -f %{buildroot}%{_docdir}/%{name}-%{version}/{README.rst,LICENCE.TXT} | ||||||
| 
 | 
 | ||||||
| pushd unix/xserver/hw/vnc | pushd unix/xserver/hw/vnc | ||||||
| make install DESTDIR=%{buildroot} | %make_install | ||||||
| popd | popd | ||||||
| 
 | 
 | ||||||
|  | # Install systemd unit file | ||||||
| pushd unix/vncserver/selinux | pushd unix/vncserver/selinux | ||||||
| make install DESTDIR=%{buildroot} | make install DESTDIR=%{buildroot} | ||||||
| popd | popd | ||||||
| 
 | 
 | ||||||
| 
 |  | ||||||
| # Install systemd unit file | # Install systemd unit file | ||||||
| install -m644 %{SOURCE1} %{buildroot}%{_unitdir}/xvnc@.service | install -m644 %{SOURCE1} %{buildroot}%{_unitdir}/xvnc@.service | ||||||
| install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket | install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket | ||||||
| # Install old vncserver script |  | ||||||
| install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver |  | ||||||
| 
 | 
 | ||||||
| # Install desktop stuff | # Install desktop stuff | ||||||
| mkdir -p %{buildroot}%{_datadir}/icons/hicolor/{16x16,24x24,48x48}/apps | mkdir -p %{buildroot}%{_datadir}/icons/hicolor/{16x16,24x24,48x48}/apps | ||||||
| @ -327,6 +300,21 @@ install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps | |||||||
| done | done | ||||||
| popd | popd | ||||||
| 
 | 
 | ||||||
|  | appstream-util validate-relax --nonet %{buildroot}%{_metainfodir}/org.tigervnc.vncviewer.metainfo.xml | ||||||
|  | desktop-file-validate %{buildroot}%{_datadir}/applications/vncviewer.desktop | ||||||
|  | 
 | ||||||
|  | %if 0%{?rhel} > 9 | ||||||
|  | # Install a replacement for /usr/bin/vncserver which will tell the user to read the | ||||||
|  | # HOWTO.md file | ||||||
|  | cat <<EOF > %{buildroot}/%{_bindir}/vncserver | ||||||
|  | #!/bin/bash | ||||||
|  | echo "vncserver has been replaced by a systemd unit." | ||||||
|  | echo "Please read /usr/share/doc/tigervnc/HOWTO.md for more information." | ||||||
|  | EOF | ||||||
|  | chmod +x %{buildroot}/%{_bindir}/vncserver | ||||||
|  | %else | ||||||
|  | install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver | ||||||
|  | %endif | ||||||
| 
 | 
 | ||||||
| %find_lang %{name} %{name}.lang | %find_lang %{name} %{name}.lang | ||||||
| 
 | 
 | ||||||
| @ -366,6 +354,7 @@ fi | |||||||
| %{_bindir}/vncviewer | %{_bindir}/vncviewer | ||||||
| %{_datadir}/applications/* | %{_datadir}/applications/* | ||||||
| %{_mandir}/man1/vncviewer.1* | %{_mandir}/man1/vncviewer.1* | ||||||
|  | %{_datadir}/metainfo/org.tigervnc.vncviewer.metainfo.xml | ||||||
| 
 | 
 | ||||||
| %files server | %files server | ||||||
| %config(noreplace) %{_sysconfdir}/pam.d/tigervnc | %config(noreplace) %{_sysconfdir}/pam.d/tigervnc | ||||||
| @ -409,315 +398,373 @@ fi | |||||||
| %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} | %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
| * Wed Jun 18 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-7 | * Mon Jun 23 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-5 | ||||||
| - Additional fix to CVE-2025-49176: xorg-x11-server: Integer Overflow in Big Requests Extension |  | ||||||
|   Resolves: RHEL-97294 |  | ||||||
| 
 |  | ||||||
| * Tue Jun 17 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-6 |  | ||||||
| - Fix CVE-2025-49175: xorg-x11-server: Out-of-Bounds Read in X Rendering Extension Animated Cursors | - Fix CVE-2025-49175: xorg-x11-server: Out-of-Bounds Read in X Rendering Extension Animated Cursors | ||||||
|   Resolves: RHEL-97268 |   Resolves: RHEL-97284 | ||||||
|  | 
 | ||||||
| - Fix CVE-2025-49176: xorg-x11-server: Integer Overflow in Big Requests Extension | - Fix CVE-2025-49176: xorg-x11-server: Integer Overflow in Big Requests Extension | ||||||
|   Resolves: RHEL-97294 |   Resolves: RHEL-97303 | ||||||
|  | 
 | ||||||
| - Fix CVE-2025-49178: xorg-x11-server: Unprocessed Client Request Due to Bytes to Ignore | - Fix CVE-2025-49178: xorg-x11-server: Unprocessed Client Request Due to Bytes to Ignore | ||||||
|   Resolves: RHEL-97364 |   Resolves: RHEL-97379 | ||||||
|  | 
 | ||||||
| - Fix CVE-2025-49179: xorg-x11-server: Integer overflow in X Record extension | - Fix CVE-2025-49179: xorg-x11-server: Integer overflow in X Record extension | ||||||
|   Resolves: RHEL-97397 |   Resolves: RHEL-97414 | ||||||
|  | 
 | ||||||
| - Fix CVE-2025-49180: xorg-x11-server: Integer Overflow in X Resize, Rotate and Reflect (RandR) Extension | - Fix CVE-2025-49180: xorg-x11-server: Integer Overflow in X Resize, Rotate and Reflect (RandR) Extension | ||||||
|   Resolves: RHEL-97232 |   Resolves: RHEL-97429 | ||||||
| 
 | 
 | ||||||
| * Tue May 27 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-5 | * Tue May 27 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-4 | ||||||
| - Fix broken authentication with x0vncserver | - Fix broken authentication with x0vncserver | ||||||
|   Resolves: RHEL-93729 |   Resolves: RHEL-93573 | ||||||
| 
 |  | ||||||
| * Thu May 15 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-4 |  | ||||||
| - Add option "ApproveLoggedUserOnly" allowing to connect only the user |  | ||||||
|   owning the running session |  | ||||||
|   Resolves: RHEL-91104 |  | ||||||
| 
 | 
 | ||||||
| * Wed Apr 30 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-3 | * Wed Apr 30 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-3 | ||||||
| - Only warn about 8 characters limit, but let it proceed | - Only warn about 8 characters limit, but let it proceed | ||||||
|   Resolves: RHEL-89430 |   Resolves: RHEL-89432 | ||||||
| 
 | 
 | ||||||
| * Wed Apr 16 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-2 | * Wed Apr 16 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-2 | ||||||
| - Fix inetd mode not working | - Fix inetd mode not working | ||||||
|   Resolves: RHEL-86513 |   Resolves: RHEL-86511 | ||||||
| 
 | 
 | ||||||
| * Wed Feb 26 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-1 | * Fri Mar 07 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-1 | ||||||
| - 1.15.0 | - 1.15.0 | ||||||
|   Resolves: RHEL-79161 |   Resolves: RHEL-78617 | ||||||
|   Resolves: RHEL-79982 | - Add SELinux policy rules allowing to access /proc/sys/fs/nr_open | ||||||
| 
 |   Resolves: RHEL-77973 | ||||||
| * Wed Feb 26 2025 Jan Grulich <jgrulich@redhat.com> - 1.13.1-15 | - Add SELinux policy rules allowing to create directories under /root | ||||||
|  |   Resolves: RHEL-77975 | ||||||
| - Fix CVE-2025-26594 xorg-x11-server Use-after-free of the root cursor | - Fix CVE-2025-26594 xorg-x11-server Use-after-free of the root cursor | ||||||
|   Resolves: RHEL-79397 |   Resolves: RHEL-80208 | ||||||
| - Fix CVE-2025-26595 xorg-x11-server Buffer overflow in XkbVModMaskText() | - Fix CVE-2025-26595 xorg-x11-server Buffer overflow in XkbVModMaskText() | ||||||
|   Resolves: RHEL-79401 |   Resolves: RHEL-80189 | ||||||
| - Fix CVE-2025-26596 xorg-x11-server Heap overflow in XkbWriteKeySyms() | - Fix CVE-2025-26596 xorg-x11-server Heap overflow in XkbWriteKeySyms() | ||||||
|   Resolves: RHEL-79386 |   Resolves: RHEL-80194 | ||||||
| - Fix CVE-2025-26597 xorg-x11-server Buffer overflow in XkbChangeTypesOfKey() | - Fix CVE-2025-26597 xorg-x11-server Buffer overflow in XkbChangeTypesOfKey() | ||||||
|   Resolves: RHEL-79380 |   Resolves: RHEL-80196 | ||||||
| - Fix CVE-2025-26598 xorg-x11-server Out-of-bounds write in CreatePointerBarrierClient() | - Fix CVE-2025-26598 xorg-x11-server Out-of-bounds write in CreatePointerBarrierClient() | ||||||
|   Resolves: RHEL-79369 |   Resolves: RHEL-80197 | ||||||
| - Fix CVE-2025-26599 xorg-x11-server Use of uninitialized pointer in compRedirectWindow() | - Fix CVE-2025-26599 xorg-x11-server Use of uninitialized pointer in compRedirectWindow() | ||||||
|   Resolves: RHEL-79364 |   Resolves: RHEL-80206 | ||||||
| - Fix CVE-2025-26600 xorg-x11-server Use-after-free in PlayReleasedEvents() | - Fix CVE-2025-26600 xorg-x11-server Use-after-free in PlayReleasedEvents() | ||||||
|   Resolves: RHEL-79360 |   Resolves: RHEL-80205 | ||||||
| - Fix CVE-2025-26601 xorg-x11-server Use-after-free in SyncInitTrigger() | - Fix CVE-2025-26601 xorg-x11-server Use-after-free in SyncInitTrigger() | ||||||
|   Resolves: RHEL-79348 |   Resolves: RHEL-80209 | ||||||
| 
 | 
 | ||||||
| * Thu Oct 31 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-14 | * Tue Jan 21 2025 Jan Grulich <jgrulich@redhat.com> - 1.14.1-4 | ||||||
|  | - Fix crash in clipboard support in x0vncserver | ||||||
|  |   Resolves: RHEL-74216 | ||||||
|  | 
 | ||||||
|  | * Thu Jan 16 2025 Jan Grulich <jgrulich@redhat.com> - 1.14.1-3 | ||||||
|  | - Add clipboard support to x0vncserver | ||||||
|  |   Resolves: RHEL-74216 | ||||||
|  | 
 | ||||||
|  | * Thu Oct 31 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.1-2 | ||||||
| - Fix CVE-2024-9632: xorg-x11-server: heap-based buffer overflow privilege escalation vulnerability | - Fix CVE-2024-9632: xorg-x11-server: heap-based buffer overflow privilege escalation vulnerability | ||||||
|   Resolves: RHEL-61999 |   Resolves: RHEL-62001 | ||||||
| 
 | 
 | ||||||
| * Mon Aug 05 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-13 | * Wed Oct 23 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.1-1 | ||||||
|  | - 1.14.1 | ||||||
|  |   Resolves: RHEL-45316 | ||||||
|  | 
 | ||||||
|  | * Mon Oct 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.0-6 | ||||||
|  | - Make "ApproveLoggedUserOnly" to ignore "closing" sessions | ||||||
|  |   Resolves: RHEL-34880 | ||||||
|  | 
 | ||||||
|  | * Fri Oct 04 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.0-5 | ||||||
|  | - Fix "ApproveLoggedUserOnly" option not working in some setups | ||||||
|  |   Resolves: RHEL-34880 | ||||||
|  | 
 | ||||||
|  | * Fri Sep 27 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.0-4 | ||||||
|  | - Add option "ApproveLoggedUserOnly" allowing to connect only the user | ||||||
|  |   owning the running session | ||||||
|  |   Resolves: RHEL-34880 | ||||||
|  | 
 | ||||||
|  | * Wed Sep 04 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.0-3 | ||||||
|  | - Move old log to log.old if present (fix patch) | ||||||
|  |   Resolves: RHEL-54294 | ||||||
|  | 
 | ||||||
|  | * Tue Aug 20 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.0-2 | ||||||
|  | - 1.14.0 | ||||||
|  |   Resolves: RHEL-45316 | ||||||
|  | - Move old log to log.old if present | ||||||
|  |   Resolves: RHEL-54294 | ||||||
|  | - Fix shared memory leak | ||||||
|  |   Resolves: RHEL-55768 | ||||||
|  | 
 | ||||||
|  | * Mon Aug 05 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11 | ||||||
| - vncsession: use /bin/sh if the user shell is not set | - vncsession: use /bin/sh if the user shell is not set | ||||||
|   Resolves: RHEL-52827 |   Resolves: RHEL-50679 | ||||||
| 
 | 
 | ||||||
| * Fri Jul 12 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-12 | * Tue May 28 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10 | ||||||
| - Fix FTBS: drop already applied Xorg patches |  | ||||||
|   Resolves: RHEL-46696 |  | ||||||
| 
 |  | ||||||
| * Tue May 28 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11 |  | ||||||
| - vncconfig: add option to force view-only remote client connections | - vncconfig: add option to force view-only remote client connections | ||||||
|   Resolves: RHEL-11908 |   Resolves: RHEL-12144 | ||||||
| 
 | 
 | ||||||
| * Mon Apr 15 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10 | * Tue Apr 16 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-9 | ||||||
| - Drop patches that are already part of xorg-x11-server |  | ||||||
|   Resolves: RHEL-30755 |  | ||||||
|   Resolves: RHEL-30767 |  | ||||||
|   Resolves: RHEL-30761 |  | ||||||
| 
 |  | ||||||
| * Thu Apr 04 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-9 |  | ||||||
| - Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents | - Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents | ||||||
|   Resolves: RHEL-30755 |   Resolves: RHEL-30756 | ||||||
| - Fix CVE-2024-31083 tigervnc: xorg-x11-server: User-after-free in ProcRenderAddGlyphs | - Fix CVE-2024-31083 tigervnc: xorg-x11-server: User-after-free in ProcRenderAddGlyphs | ||||||
|   Resolves: RHEL-30767 |   Resolves: RHEL-30768 | ||||||
| - Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice | - Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice | ||||||
|   Resolves: RHEL-30761 |   Resolves: RHEL-30762 | ||||||
| 
 | 
 | ||||||
| * Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8 | * Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8 | ||||||
| - Fix copy/paste error in the DeviceStateNotify | - Fix copy/paste error in the DeviceStateNotify | ||||||
|   Resolves: RHEL-20530 |   Resolves: RHEL-20533 | ||||||
| 
 | 
 | ||||||
| * Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7 | * Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7 | ||||||
| - Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice | - Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice | ||||||
|   Resolves: RHEL-20388 |   Resolves: RHEL-20389 | ||||||
| - Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent | - Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent | ||||||
|   Resolves: RHEL-20382 |   Resolves: RHEL-20383 | ||||||
| - Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access | - Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access | ||||||
|   Resolves: RHEL-20530 |   Resolves: RHEL-20533 | ||||||
| - Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer | - Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer | ||||||
|   Resolves: RHEL-21214 |   Resolves: RHEL-21213 | ||||||
| 
 | 
 | ||||||
| * Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6 | * Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6 | ||||||
| - Use dup() to get available file descriptor when using -inetd option | - Use dup() to get available file descriptor when using -inetd option | ||||||
|   Resolves: RHEL-21000 |   Resolves: RHEL-19858 | ||||||
| 
 | 
 | ||||||
| * Mon Dec 18 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-5 | * Mon Dec 18 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-5 | ||||||
| - Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions | - Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions | ||||||
|   Resolves: RHEL-18410 |   Resolves: RHEL-18414 | ||||||
| - Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty | - Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty | ||||||
|   Resolves: RHEL-18422 |   Resolves: RHEL-18426 | ||||||
| 
 | 
 | ||||||
| * Wed Nov 01 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-4 | * Wed Nov 01 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-4 | ||||||
| - Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow | - Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow | ||||||
|   Resolves: RHEL-15236 |   Resolves: RHEL-15237 | ||||||
| 
 | 
 | ||||||
| - Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty | - Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty | ||||||
|   Resolves: RHEL-15230 |   Resolves: RHEL-15249 | ||||||
| 
 | 
 | ||||||
| * Mon Oct 09 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3 | * Mon Oct 09 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3 | ||||||
| - Support username alias in PlainUsers | - Support username alias in PlainUsers | ||||||
|   Resolves: RHEL-4258 |   Resolves: RHEL-8430 | ||||||
| 
 | 
 | ||||||
| * Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2 | * Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2 | ||||||
| - xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege | - xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege | ||||||
|   Escalation Vulnerability |   Escalation Vulnerability | ||||||
|   Resolves: bz#2180306 |   Resolves: bz#2180310 | ||||||
| 
 | 
 | ||||||
| * Tue Mar 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-1 | * Tue Mar 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-1 | ||||||
| - 1.13.1 | - 1.13.1 | ||||||
|   Resolves: bz#2175748 |   Resolves: bz#2175732 | ||||||
| - Restore "--fallbacktofreeport" option in the vncserver script |  | ||||||
|   Resolves: bz#2174398 |  | ||||||
| 
 | 
 | ||||||
| * Thu Dec 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-9 | * Tue Feb 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-12 | ||||||
| - Bump build version to fix upgrade path | - SELinux: allow vncsession create .vnc directory | ||||||
|   Resolves: bz#1437569 |   Resolves: bz#2164703 | ||||||
| 
 | 
 | ||||||
| * Fri Nov 18 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-8 | * Wed Feb 15 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-11 | ||||||
|  | - Add sanity check when cleaning up keymap changes | ||||||
|  |   Resolves: bz#2169965 | ||||||
|  | 
 | ||||||
|  | * Mon Feb 06 2023 Jan Grulich <jgrulich@redhat.com> - 1.12.0-10 | ||||||
|  | - xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation | ||||||
|  |   Resolves: bz#2167061 | ||||||
|  | 
 | ||||||
|  | * Tue Dec 20 2022 Tomas Popela <tpopela@redhat.com> - 1.12.0-9 | ||||||
|  | - Rebuild for xorg-x11-server CVE-2022-46340 follow up fix | ||||||
|  | 
 | ||||||
|  | * Fri Dec 16 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-8 | ||||||
|  | - Rebuild for xorg-x11-server CVEs | ||||||
|  |   Resolves: CVE-2022-4283 (bz#2154234) | ||||||
|  |   Resolves: CVE-2022-46340 (bz#2154221) | ||||||
|  |   Resolves: CVE-2022-46341 (bz#2154224) | ||||||
|  |   Resolves: CVE-2022-46342 (bz#2154226) | ||||||
|  |   Resolves: CVE-2022-46343 (bz#2154228) | ||||||
|  |   Resolves: CVE-2022-46344 (bz#2154230) | ||||||
|  | 
 | ||||||
|  | * Thu Dec 01 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-7 | ||||||
| - x0vncserver: add new keysym in case we don't find matching keycode | - x0vncserver: add new keysym in case we don't find matching keycode | ||||||
|   Resolves: bz#1437569 |   + actually apply the patch | ||||||
|  |   Resolves: bz#2119017 | ||||||
| 
 | 
 | ||||||
| * Wed Aug 24 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-7 | * Thu Dec 01 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-6 | ||||||
|  | - x0vncserver: add new keysym in case we don't find matching keycode | ||||||
|  |   Resolves: bz#2119017 | ||||||
|  | 
 | ||||||
|  | * Mon Oct 24 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-5 | ||||||
| - x0vncserver: fix ghost cursor in zaphod mode (better version) | - x0vncserver: fix ghost cursor in zaphod mode (better version) | ||||||
|   Resolves: bz#2109679 |   Resolves: bz#2119016 | ||||||
| 
 | 
 | ||||||
| * Wed Aug 17 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-6 | * Tue May 31 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4 | ||||||
| - x0vncserver: fix ghost cursor in zaphod mode | - Add BR: libXdamage, libXfixes, libXrandr | ||||||
|   Resolves: bz#2109679 |   Resolves: bz#2091833 | ||||||
| 
 | 
 | ||||||
| * Tue May 31 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-5 | * Tue Apr 05 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3 | ||||||
| - BR: libXdamage, libXfixes, libXrandr | - Do not run systemd_preun on Xvnc service file | ||||||
|   Resolves: bz#2088733 |   Resolves: bz#2048011 | ||||||
| 
 | 
 | ||||||
| * Tue Feb 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4 | * Mon Apr 04 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2 | ||||||
|  | - Drop unexisting option from the old vncserver script | ||||||
|  |   Resolves: bz#2021893 | ||||||
|  | 
 | ||||||
|  | * Wed Mar 23 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1 | ||||||
|  | - 1.12.0 + sync with Fedora | ||||||
|  |   Resolves: bz#2048011 | ||||||
|  |   Resolves: bz#2021893 | ||||||
|  | 
 | ||||||
|  | * Mon Feb 07 2022 Jan Grulich <jgrulich@redhat.com> - 1.11.0-21 | ||||||
| - Added vncsession-restore script for SELinux policy migration | - Added vncsession-restore script for SELinux policy migration | ||||||
|   Fix SELinux context for root user |   Fix SELinux context for root user | ||||||
|   Resolves: bz#2021892 |   Resolves: bz#2049506 | ||||||
| 
 | 
 | ||||||
| * Fri Jan 21 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3 | * Fri Nov 26 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-20 | ||||||
| - Fix crash in vncviewer | - Rebuild for absence in RHEL 9.0 | ||||||
|   Resolves: bz#2021892 |   Resolves: bz#1985858 | ||||||
| 
 | 
 | ||||||
| * Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2 | * Mon Aug 16 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-19 | ||||||
| - Remove unavailable option from vncserver script | - Sync upstream patches + drop unused patches | ||||||
|   Resolves: bz#2021892 |   Resolves: bz#1985858 | ||||||
| 
 | 
 | ||||||
| * Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1 | * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.11.0-18 | ||||||
| - 1.12.0 | - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags | ||||||
|   Resolves: bz#2021892 |   Related: rhbz#1991688 | ||||||
| 
 | 
 | ||||||
| * Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9 | * Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-17 | ||||||
| - Fix logout from VNC session using vncserver | - Fix logout from VNC session using vncserver | ||||||
|   Resolves: bz#1983706 |   Resolves: bz#1983704 | ||||||
| 
 | 
 | ||||||
| * Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-8 | * Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-16 | ||||||
| - Run all SELinux RPM macros on correct package | - Bump version for rebuild (binutils) | ||||||
|   Resolves: bz#1907963 |   Resolves: bz#1961488 | ||||||
| 
 | 
 | ||||||
| * Mon May 17 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-7 | * Mon May 17 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-14 | ||||||
| - SELinux improvements | - SELinux improvements | ||||||
|   Resolves: bz#1907963 |   Resolves: bz#1961488 | ||||||
| 
 | 
 | ||||||
| * Tue Dec 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6 | - Fix endianness issue on s390x | ||||||
| - Use GNOME as default session |   Resolves: bz#1963029 | ||||||
|   Resolves: bz#1853608 |  | ||||||
| 
 | 
 | ||||||
| * Thu Dec 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-5 | * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.11.0-13 | ||||||
| - Make sure we log properly output to journal (actually log to syslog) | - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 | ||||||
|   Resolves: bz#1841537 |  | ||||||
| 
 | 
 | ||||||
| * Thu Dec 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-4 | * Mon Mar 08 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-12 | ||||||
| - Make sure we log properly output to journal | - Include RHEL8 patches | ||||||
|   Resolves: bz#1841537 |  | ||||||
| 
 | 
 | ||||||
| * Wed Nov 18 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-3 | * Fri Mar 05 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-11 | ||||||
| - vncserver: ignore new "session" parameter from the new systemd support | - Enable old vncserver script for RHEL 9 | ||||||
|   Resolves: bz#1897504 |  | ||||||
| 
 | 
 | ||||||
| * Wed Nov 18 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-2 | * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.11.0-10 | ||||||
| - Revert removal of vncserver | - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild | ||||||
|   Resolves: bz#1897504 |  | ||||||
| - Correctly start vncsession as a daemon |  | ||||||
|   Resolves: bz#1897498 |  | ||||||
| 
 | 
 | ||||||
| * Tue Oct 20 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-1 | * Thu Dec 10 07:45:46 CET 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9 | ||||||
| - Update to 1.11.0 | - vncserver: ignore new session parameter from the new systemd support | ||||||
|   Resolves: bz#1880985 |  | ||||||
| - Backport fix to allow Tigervnc use boolean values in config files |  | ||||||
|   Resolves: bz#1883415 |  | ||||||
| 
 | 
 | ||||||
| * Wed Sep 30 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-8 | * Fri Nov 13 14:08:29 CET 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-8 | ||||||
| - Tolerate specifying -BoolParam 0 and similar | - Use /run instead of /var/run which is just a symlink | ||||||
|   Resolves: bz#1883415 |  | ||||||
| 
 | 
 | ||||||
| * Wed Jul 08 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-7 | * Thu Nov 05 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.11.0-7 | ||||||
| - Enable server module on s390x | - Require xkbcomp directly, not xorg-x11-xkb-utils. The latter has had | ||||||
|   Resolves: bz#1854925 |   Provides xkbcomp for years. | ||||||
| 
 | 
 | ||||||
| * Fri Jul 03 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-6 | * Tue Sep 29 13:12:22 CEST 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6 | ||||||
| - Remove trailing spaces in user name | - Backport upstream fix allowing Tigervnc to specify boolean valus in configuration | ||||||
|   Resolves: bz#1852432 | - Revert removal of vncserver for F32 and F33 | ||||||
| 
 | 
 | ||||||
| * Thu Jun 25 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-5 | * Thu Sep 24 07:14:06 CEST 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-5 | ||||||
| - Install the HOWTO file to correct location | - Actually install the HOWTO.md file | ||||||
|  | 
 | ||||||
|  | * Wed Sep 23 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-4 | ||||||
|  | - Call systemd macros on correct service file | ||||||
|  | 
 | ||||||
|  | * Tue Sep 22 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-3 | ||||||
|  | - Do not overwrite libvnc.conf config file | ||||||
|  | 
 | ||||||
|  | * Thu Sep 17 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-2 | ||||||
| - Add /usr/bin/vncserver file informing users to read the HOWTO.md file | - Add /usr/bin/vncserver file informing users to read the HOWTO.md file | ||||||
|   Resolves: bz#1790443 |  | ||||||
| 
 | 
 | ||||||
| * Mon Jun 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-4 | * Wed Sep 09 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-1 | ||||||
| - Improve SELinux policy | - 1.11.0 | ||||||
|   Resolves: bz#1790443 |  | ||||||
| 
 | 
 | ||||||
| * Mon Jun 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-3 | * Mon Aug 24 2020 Jan Grulich <jgrulich@redhat.com. - 1.10.90-1 | ||||||
| - Add a HOWTO.md file with instructions how to start VNC server | - Update to 1.10.90 (1.11.0 beta) | ||||||
|   Resolves: bz#1790443 |  | ||||||
| 
 | 
 | ||||||
| * Tue May 26 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-2 | * Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-9 | ||||||
| - Make the systemd service run also for root user | - Second attempt - Rebuilt for | ||||||
|   Resolves: bz#1790443 |   https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild | ||||||
| 
 | 
 | ||||||
| * Mon Apr 27 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-1 | * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-8 | ||||||
|  | - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild | ||||||
|  | 
 | ||||||
|  | * Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.10.1-7 | ||||||
|  | - Use make macros | ||||||
|  | - https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro | ||||||
|  | 
 | ||||||
|  | * Sat Jul 11 2020 Jiri Vanek <jvanek@redhat.com> - 1.10.1-6 | ||||||
|  | - Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11 | ||||||
|  | 
 | ||||||
|  | * Sun Apr 19 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-5 | ||||||
|  | - Requires: dbus-x11 | ||||||
|  |   Resolves: bz#1825331 | ||||||
|  | 
 | ||||||
|  | * Fri Mar 13 2020 Olivier Fourdan <ofourdan@redhat.com> - 1.10.1-4 | ||||||
|  | - Fix build with xserver 1.20.7 | ||||||
|  | 
 | ||||||
|  | * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-3 | ||||||
|  | - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild | ||||||
|  | 
 | ||||||
|  | * Mon Jan 13 2020 Jan Grulich <jgrulich@redhat.com> - 1.10.1-2 | ||||||
|  | - Build with -std=c++11 | ||||||
|  | 
 | ||||||
|  | * Fri Dec 20 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.1-1 | ||||||
| - Update to 1.10.1 | - Update to 1.10.1 | ||||||
|   Resolves: bz#1806992 |  | ||||||
| 
 | 
 | ||||||
| - Add proper systemd support | * Tue Dec 10 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.0-2 | ||||||
|   Resolves: bz#1790443 | - Properly install systemd files | ||||||
| 
 | 
 | ||||||
| * Tue Jan 28 2020 Jan Grulich <jgrulich@redhat.com> - 1.9.0-13 | * Mon Nov 18 2019 Jan Grulich <jgrulich@redhat.com> - 1.10.0-1 | ||||||
| - Bump build because of z-stream | - Update to 1.10.0 | ||||||
|   Resolves: bz#1671714 |  | ||||||
| 
 | 
 | ||||||
| * Wed Dec 11 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-12 | * Fri Oct 18 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.90-1 | ||||||
| - Fix installation of systemd files | - Update to 1.9.90 (1.10 beta) | ||||||
|   Resolves: bz#1671714 | - Add systemd user service file | ||||||
|  | - Use a wrapper for systemd system service file to workaround systemd limitations | ||||||
| 
 | 
 | ||||||
| * Wed Nov 20 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-11 | * Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-7 | ||||||
| - Use wrapper script to workaround systemd issues | - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild | ||||||
|   Resolves: bz#1671714 |  | ||||||
| 
 | 
 | ||||||
| * Fri Jul 12 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-10 | * Fri Jul 19 2019 Dan Horák <dan[at]danny.cz> - 1.9.0-6 | ||||||
| - Do not return returncode indicating error when running "vncserver -list" | - drop the s390x special handling (related #1727029) | ||||||
|   Resolves: bz#1727860 |  | ||||||
| 
 | 
 | ||||||
| * Fri Feb 08 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-9 | * Wed Jun 12 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-5 | ||||||
| - Make tigervnc systemd service a user service | - Add missing arguments to systemd_postun scriptlets | ||||||
|   Resolves: bz#1639846 |   Resolves: bz#1716411 | ||||||
| 
 | 
 | ||||||
| * Mon Jan 21 2019 Jan Grulich <jgrulich@redhat.com> - 1.9.0-8 | * Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-4 | ||||||
| - Kill the session automatically only when Gnome is installed | - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild | ||||||
|   Resolves: bz#1665876 |  | ||||||
| 
 | 
 | ||||||
| * Tue Nov 20 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-7 | * Tue Sep 25 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-3 | ||||||
| - Improve coverity scan fixes |  | ||||||
|   Resolves: bz#1602714 |  | ||||||
| 
 |  | ||||||
|   Inform whether view-only password is used or not |  | ||||||
|   Resolves: bz#1639169 |  | ||||||
| 
 |  | ||||||
|   Backport fixes from RHEL 7 |  | ||||||
|   Resolves: bz#1651254 |  | ||||||
| 
 |  | ||||||
| * Tue Oct 09 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-6 |  | ||||||
| - Do not crash passwd when using malloc perturb checks | - Do not crash passwd when using malloc perturb checks | ||||||
|   Resolves: bz#1637086 |   Resolves: bz#1631483 | ||||||
| 
 |  | ||||||
| * Mon Oct 08 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-5 |  | ||||||
| - Improve coverity scan fixes |  | ||||||
|   Resolves: bz#1602714 |  | ||||||
| 
 |  | ||||||
| * Wed Oct 03 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-4 |  | ||||||
| - Improve coverity scan fixes |  | ||||||
|   Resolves: bz#1602714 |  | ||||||
| 
 |  | ||||||
| * Wed Oct 03 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-3 |  | ||||||
| - Fix some coverity scan issues |  | ||||||
|   Resolves: bz#1602714 |  | ||||||
| 
 | 
 | ||||||
| * Wed Aug 01 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-2 | * Wed Aug 01 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-2 | ||||||
| - Remove dependency on initscripts | - Ignore buttons in mouse leave events | ||||||
|  |   Resolves: bz#1609516 | ||||||
| 
 | 
 | ||||||
| * Tue Jul 17 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-1 | * Tue Jul 17 2018 Jan Grulich <jgrulich@redhat.com> - 1.9.0-1 | ||||||
| - Update to 1.9.0 + sync with Fedora | - Update to 1.9.0 | ||||||
| 
 | 
 | ||||||
| * Tue Jun 12 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-10 | * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.90-3 | ||||||
| - Fix GLX initialization with Xorg 1.20 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild | ||||||
| 
 | 
 | ||||||
| * Tue May 29 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-9 | * Wed Jul  4 2018 Peter Robinson <pbrobinson@fedoraproject.org> 1.8.90-2 | ||||||
| - Build against Xorg 1.20 | - Clean up spec: use macros consistenly, drop old sys-v migrations | ||||||
|  | - Drop ancient obsolete/provides | ||||||
| 
 | 
 | ||||||
| * Mon May 14 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-8 | * Thu Jun 14 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.90-1 | ||||||
| - Drop BR: ImageMagick | - Update to 1.8.90 | ||||||
|  | 
 | ||||||
|  | * Wed Jun 13 2018 Jan Grulich <jgrulich@redhat.com> - 1.8.0-10 | ||||||
|  | - Fix tigervnc systemd unit file | ||||||
|  |   Resolves: bz#1583159 | ||||||
|  | 
 | ||||||
|  | * Wed Jun 06 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-9 | ||||||
|  | - Fix GLX initialization with 1.20 | ||||||
|  | 
 | ||||||
|  | * Wed Apr 04 2018 Adam Jackson <ajax@redhat.com> - 1.8.0-8 | ||||||
|  | - Rebuild for xserver 1.20 | ||||||
| 
 | 
 | ||||||
| * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.0-7 | * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.0-7 | ||||||
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild | ||||||
							
								
								
									
										204
									
								
								vncserver.man
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										204
									
								
								vncserver.man
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,204 @@ | |||||||
|  | .TH vncserver 1 "" "TigerVNC" "Virtual Network Computing" | ||||||
|  | .SH NAME | ||||||
|  | vncserver \- start or stop a VNC server | ||||||
|  | .SH SYNOPSIS | ||||||
|  | .B vncserver | ||||||
|  | .RI [: display# ] | ||||||
|  | .RB [ \-name | ||||||
|  | .IR desktop-name ] | ||||||
|  | .RB [ \-geometry | ||||||
|  | .IR width x height ] | ||||||
|  | .RB [ \-depth | ||||||
|  | .IR depth ] | ||||||
|  | .RB [ \-pixelformat | ||||||
|  | .IR format ] | ||||||
|  | .RB [ \-fp | ||||||
|  | .IR font-path ] | ||||||
|  | .RB [ \-fg ] | ||||||
|  | .RB [ \-autokill ] | ||||||
|  | .RB [ \-noxstartup ] | ||||||
|  | .RB [ \-xstartup | ||||||
|  | .IR script ] | ||||||
|  | .RI [ Xvnc-options... ] | ||||||
|  | .br | ||||||
|  | .BI "vncserver \-kill :" display# | ||||||
|  | .br | ||||||
|  | .BI "vncserver \-list" | ||||||
|  | .SH DESCRIPTION | ||||||
|  | .B vncserver | ||||||
|  | is used to start a VNC (Virtual Network Computing) desktop. | ||||||
|  | .B vncserver | ||||||
|  | is a Perl script which simplifies the process of starting an Xvnc server.  It | ||||||
|  | runs Xvnc with appropriate options and starts a window manager on the VNC | ||||||
|  | desktop. | ||||||
|  | 
 | ||||||
|  | .B vncserver | ||||||
|  | can be run with no options at all. In this case it will choose the first | ||||||
|  | available display number (usually :1), start Xvnc with that display number, | ||||||
|  | and start the default window manager in the Xvnc session.  You can also | ||||||
|  | specify the display number, in which case vncserver will attempt to start | ||||||
|  | Xvnc with that display number and exit if the display number is not | ||||||
|  | available.  For example: | ||||||
|  | 
 | ||||||
|  | .RS | ||||||
|  | vncserver :13 | ||||||
|  | .RE | ||||||
|  | 
 | ||||||
|  | Editing the file $HOME/.vnc/xstartup allows you to change the applications run | ||||||
|  | at startup (but note that this will not affect an existing VNC session.) | ||||||
|  | 
 | ||||||
|  | .SH OPTIONS | ||||||
|  | You can get a list of options by passing \fB\-h\fP as an option to vncserver. | ||||||
|  | In addition to the options listed below, any unrecognised options will be | ||||||
|  | passed to Xvnc - see the Xvnc man page, or "Xvnc \-help", for details. | ||||||
|  | 
 | ||||||
|  | .TP | ||||||
|  | .B \-name \fIdesktop-name\fP | ||||||
|  | Each VNC desktop has a name which may be displayed by the viewer. The desktop | ||||||
|  | name defaults to "\fIhost\fP:\fIdisplay#\fP (\fIusername\fP)", but you can | ||||||
|  | change it with this option.  The desktop name option is passed to the xstartup | ||||||
|  | script via the $VNCDESKTOP environment variable, which allows you to run a | ||||||
|  | different set of applications depending on the name of the desktop. | ||||||
|  | . | ||||||
|  | .TP | ||||||
|  | .B \-geometry \fIwidth\fPx\fIheight\fP | ||||||
|  | Specify the size of the VNC desktop to be created. Default is 1024x768. | ||||||
|  | . | ||||||
|  | .TP | ||||||
|  | .B \-depth \fIdepth\fP | ||||||
|  | Specify the pixel depth (in bits) of the VNC desktop to be created. Default is | ||||||
|  | 24.  Other possible values are 8, 15 and 16 - anything else is likely to cause | ||||||
|  | strange behaviour by applications. | ||||||
|  | . | ||||||
|  | .TP | ||||||
|  | .B \-pixelformat \fIformat\fP | ||||||
|  | Specify pixel format for Xvnc to use (BGRnnn or RGBnnn).  The default for | ||||||
|  | depth 8 is BGR233 (meaning the most significant two bits represent blue, the | ||||||
|  | next three green, and the least significant three represent red), the default | ||||||
|  | for depth 16 is RGB565, and the default for depth 24 is RGB888. | ||||||
|  | . | ||||||
|  | .TP | ||||||
|  | .B \-cc 3 | ||||||
|  | As an alternative to the default TrueColor visual, this allows you to run an | ||||||
|  | Xvnc server with a PseudoColor visual (i.e. one which uses a color map or | ||||||
|  | palette), which can be useful for running some old X applications which only | ||||||
|  | work on such a display.  Values other than 3 (PseudoColor) and 4 (TrueColor) | ||||||
|  | for the \-cc option may result in strange behaviour, and PseudoColor desktops | ||||||
|  | must have an 8-bit depth. | ||||||
|  | . | ||||||
|  | .TP | ||||||
|  | .B \-kill :\fIdisplay#\fP | ||||||
|  | This kills a VNC desktop previously started with vncserver.  It does this by | ||||||
|  | killing the Xvnc process, whose process ID is stored in the file | ||||||
|  | "$HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.pid".  The | ||||||
|  | .B \-kill | ||||||
|  | option ignores anything preceding the first colon (":") in the display | ||||||
|  | argument.  Thus, you can invoke "vncserver \-kill $DISPLAY", for example at the | ||||||
|  | end of your xstartup file after a particular application exits. | ||||||
|  | . | ||||||
|  | .TP | ||||||
|  | .B \-fp \fIfont-path\fP | ||||||
|  | If the vncserver script detects that the X Font Server (XFS) is running, it | ||||||
|  | will attempt to start Xvnc and configure Xvnc to use XFS for font handling. | ||||||
|  | Otherwise, if XFS is not running, the vncserver script will attempt to start | ||||||
|  | Xvnc and allow Xvnc to use its own preferred method of font handling (which may | ||||||
|  | be a hard-coded font path or, on more recent systems, a font catalog.)  In | ||||||
|  | any case, if Xvnc fails to start, the vncserver script will then attempt to | ||||||
|  | determine an appropriate X font path for this system and start Xvnc using | ||||||
|  | that font path. | ||||||
|  | 
 | ||||||
|  | The | ||||||
|  | .B \-fp | ||||||
|  | argument allows you to override the above fallback logic and specify a font | ||||||
|  | path for Xvnc to use. | ||||||
|  | . | ||||||
|  | .TP | ||||||
|  | .B \-fg | ||||||
|  | Runs Xvnc as a foreground process.  This has two effects: (1) The VNC server | ||||||
|  | can be aborted with CTRL-C, and (2) the VNC server will exit as soon as the | ||||||
|  | user logs out of the window manager in the VNC session.  This may be necessary | ||||||
|  | when launching TigerVNC from within certain grid computing environments. | ||||||
|  | . | ||||||
|  | .TP | ||||||
|  | .B \-autokill | ||||||
|  | Automatically kill Xvnc whenever the xstartup script exits.  In most cases, | ||||||
|  | this has the effect of terminating Xvnc when the user logs out of the window | ||||||
|  | manager. | ||||||
|  | . | ||||||
|  | .TP | ||||||
|  | .B \-noxstartup | ||||||
|  | Do not run the %HOME/.vnc/xstartup script after launching Xvnc.  This | ||||||
|  | option allows you to manually start a window manager in your TigerVNC session. | ||||||
|  | . | ||||||
|  | .TP | ||||||
|  | .B \-xstartup \fIscript\fP | ||||||
|  | Run a custom startup script, instead of %HOME/.vnc/xstartup, after launching | ||||||
|  | Xvnc. This is useful to run full-screen applications. | ||||||
|  | . | ||||||
|  | .TP | ||||||
|  | .B \-list | ||||||
|  | Lists all VNC desktops started by vncserver. | ||||||
|  | 
 | ||||||
|  | .SH FILES | ||||||
|  | Several VNC-related files are found in the directory $HOME/.vnc: | ||||||
|  | .TP | ||||||
|  | $HOME/.vnc/xstartup | ||||||
|  | A shell script specifying X applications to be run when a VNC desktop is | ||||||
|  | started.  If this file does not exist, then vncserver will create a default | ||||||
|  | xstartup script which attempts to launch your chosen window manager. | ||||||
|  | .TP | ||||||
|  | /etc/tigervnc/vncserver-config-defaults | ||||||
|  | The optional system-wide equivalent of $HOME/.vnc/config. If this file exists | ||||||
|  | and defines options to be passed to Xvnc, they will be used as defaults for | ||||||
|  | users. The user's $HOME/.vnc/config overrides settings configured in this file. | ||||||
|  | The overall configuration file load order is: this file, $HOME/.vnc/config, | ||||||
|  | and then /etc/tigervnc/vncserver-config-mandatory. None are required to exist. | ||||||
|  | .TP | ||||||
|  | /etc/tigervnc/vncserver-config-mandatory | ||||||
|  | The optional system-wide equivalent of $HOME/.vnc/config. If this file exists | ||||||
|  | and defines options to be passed to Xvnc, they will override any of the same | ||||||
|  | options defined in a user's $HOME/.vnc/config. This file offers a mechanism | ||||||
|  | to establish some basic form of system-wide policy. WARNING! There is | ||||||
|  | nothing stopping users from constructing their own vncserver-like script | ||||||
|  | that calls Xvnc directly to bypass any options defined in | ||||||
|  | /etc/tigervnc/vncserver-config-mandatory.  Likewise, any CLI arguments passed | ||||||
|  | to vncserver will override ANY config file setting of the same name. The | ||||||
|  | overall configuration file load order is: | ||||||
|  | /etc/tigervnc/vncserver-config-defaults, $HOME/.vnc/config, and then this file. | ||||||
|  | None are required to exist. | ||||||
|  | .TP | ||||||
|  | $HOME/.vnc/config | ||||||
|  | An optional server config file wherein options to be passed to Xvnc are listed | ||||||
|  | to avoid hard-coding them to the physical invocation. List options in this file | ||||||
|  | one per line. For those requiring an argument, simply separate the option from | ||||||
|  | the argument with an equal sign, for example: "geometry=2000x1200" or | ||||||
|  | "securitytypes=vncauth,tlsvnc". Options without an argument are simply listed | ||||||
|  | as a single word, for example: "localhost" or "alwaysshared". | ||||||
|  | .TP | ||||||
|  | $HOME/.vnc/passwd | ||||||
|  | The VNC password file. | ||||||
|  | .TP | ||||||
|  | $HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.log | ||||||
|  | The log file for Xvnc and applications started in xstartup. | ||||||
|  | .TP | ||||||
|  | $HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.pid | ||||||
|  | Identifies the Xvnc process ID, used by the | ||||||
|  | .B \-kill | ||||||
|  | option. | ||||||
|  | 
 | ||||||
|  | .SH SEE ALSO | ||||||
|  | .BR vncviewer (1), | ||||||
|  | .BR vncpasswd (1), | ||||||
|  | .BR vncconfig (1), | ||||||
|  | .BR Xvnc (1) | ||||||
|  | .br | ||||||
|  | https://www.tigervnc.org | ||||||
|  | 
 | ||||||
|  | .SH AUTHOR | ||||||
|  | Tristan Richardson, RealVNC Ltd., D. R. Commander and others. | ||||||
|  | 
 | ||||||
|  | VNC was originally developed by the RealVNC team while at Olivetti | ||||||
|  | Research Ltd / AT&T Laboratories Cambridge.  TightVNC additions were | ||||||
|  | implemented by Constantin Kaplinsky. Many other people have since | ||||||
|  | participated in development, testing and support. This manual is part | ||||||
|  | of the TigerVNC software suite. | ||||||
| @ -32,7 +32,7 @@ | |||||||
| Description=XVNC Per-Connection Daemon | Description=XVNC Per-Connection Daemon | ||||||
| 
 | 
 | ||||||
| [Service] | [Service] | ||||||
| ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None -Log *:syslog:30 | ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None | ||||||
| User=nobody | User=nobody | ||||||
| StandardInput=socket | StandardInput=socket | ||||||
| StandardError=syslog | StandardError=syslog | ||||||
		Loading…
	
		Reference in New Issue
	
	Block a user