Import from CS git

.gitignore

@@ -1 +1 @@
-SOURCES/tigervnc-1.11.0.tar.gz
+SOURCES/tigervnc-1.15.0.tar.gz

.tigervnc.metadata

@@ -1 +1 @@
-6f6b621a76b734888748de10c32c2b5b59d40b19 SOURCES/tigervnc-1.11.0.tar.gz
+fec424f110bdf5032cd5eb4df2596b8251d2e1ed SOURCES/tigervnc-1.15.0.tar.gz

SOURCES/HOWTO.md

@@ -1,116 +0,0 @@
-# What has changed
-The previous Tigervnc versions had a wrapper script called `vncserver` which 
-could be run as a user manually to start *Xvnc* process. The usage was quite 
-simple as you just run
-```
-$ vncserver :x [vncserver options] [Xvnc options]
-```
-and that was it. While this was working just fine, there were issues when users
-wanted to start a Tigervnc server using *systemd*. For these reasons things were 
-completely changed and there is now a new way how this all is supposed to work.
-
- # How to start Tigervnc server
- 
-## Add a user mapping
-With this you can map a user to a particular port. The mapping should be done in 
-`/etc/tigervnc/vncserver.users` configuration file. It should be pretty 
-straightforward once you open the file as there are some examples, but basically
-the mapping is in form
-```
-:x=user
-```
-For example you can have
-```
-:1=test
-:2=vncuser
-```
-
-## Configure Xvnc options
-To configure Xvnc parameters, you need to go to the same directory where you did
-the user mapping and open `vncserver-config-defaults` configuration file. This 
-file is for the default Xvnc configuration and will be applied to every user 
-unless any of the following applies:
-* The user has its own configuration in `$HOME/.vnc/config`
-* The same option with different value is configured in 
-  `vncserver-config-mandatory` configuration file, which replaces the default 
-  configuration and has even a higher priority than the per-user configuration.
-  This option is for system administrators when they want to force particular 
-  *Xvnc* options.
-
-Format of the configuration file is also quite simple as the configuration is
-in form of
-```
-option=value
-option
-```
-for example
-```
-session=gnome
-securitytypes=vncauth,tlsvnc
-desktop=sandbox
-geometry=2000x1200
-localhost
-alwaysshared
-```
-### Note:
-There is one important option you need to set and that option is the session you
-want to start. E.g when you want to start GNOME desktop, then you have to use
-```
-session=gnome
-```
-which should match the name of a session desktop file from `/usr/share/xsessions`
-directory.
-
-## Set VNC password
-You need to set a password for each user in order to be able to start the 
-Tigervnc server. In order to create a password, you just run
-```
-$ vncpasswd
-```
-as the user you will be starting the server for. 
-### Note:
-If you were using Tigervnc before for your user and you already created a 
-password, then you will have to make sure the `$HOME/.vnc` folder created by 
-`vncpasswd` will have the correct *SELinux* context. You either can delete this 
-folder and recreate it again by creating the password one more time, or 
-alternatively you can run
-```
-$ restorecon -RFv /home/<USER>/.vnc
-```
-
-## Start the Tigervnc server
-Finally you can start the server using systemd service. To do so just run
-```
-$ systemctl start vncserver@:x
-```
-as root or
-```
-$ sudo systemctl start vncserver@:x
-```
-as a regular user in case it has permissions to run `sudo`. Don't forget to 
-replace the `:x` by the actual number you configured in the user mapping file. 
-Following our example by running
-```
-$ systemctl start vncserver@:1
-```
-you will start a Tigervnc server for user `test` with a GNOME session.
-
-### Note:
-If you were previously using Tigervnc and you were used to start it using 
-*systemd* then you will need to remove previous *systemd* configuration files,
-those you most likely copied to `/etc/systemd/system/vncserver@.service`, 
-otherwise this service file will be preferred over the new one installed with
-latest Tigervnc.
-
-If you want to use a remote NFS server for the home directories on this machine,
-you must set the use_nfs_home_dirs boolean:
-```
-setsebool -P use_nfs_home_dirs on
-```
-
-# Limitations
-You will not be able to start a Tigervnc server for a user who is already
-logged into a graphical session. Avoid running the server as the `root` user as
-it's not a safe thing to do. While running the server as the `root` should work 
-in general, it's not recommended to do so and there might be some things which
-are not working properly.

SOURCES/tigervnc-1.3.1-CVE-2014-8240.patch

@@ -1,74 +0,0 @@
-diff --git a/unix/x0vncserver/Image.cxx b/unix/x0vncserver/Image.cxx
-index f998c6a..fb9dbd4 100644
---- a/unix/x0vncserver/Image.cxx
-+++ b/unix/x0vncserver/Image.cxx
-@@ -80,6 +80,14 @@ void Image::Init(int width, int height)
-   xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
-                      ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
-
-+  if (xim->bytes_per_line <= 0 ||
-+      xim->height <= 0 ||
-+      xim->height >= INT_MAX / xim->bytes_per_line) {
-+    vlog.error("Invalid display size");
-+    XDestroyImage(xim);
-+    exit(1);
-+  }
-+
-   xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
-   if (xim->data == NULL) {
-     vlog.error("malloc() failed");
-@@ -256,6 +264,17 @@ void ShmImage::Init(int width, int height, const XVisualInfo *vinfo)
-     return;
-   }
-
-+  if (xim->bytes_per_line <= 0 ||
-+      xim->height <= 0 ||
-+      xim->height >= INT_MAX / xim->bytes_per_line) {
-+    vlog.error("Invalid display size");
-+    XDestroyImage(xim);
-+    xim = NULL;
-+    delete shminfo;
-+    shminfo = NULL;
-+    return;
-+  }
-+
-   shminfo->shmid = shmget(IPC_PRIVATE,
-                           xim->bytes_per_line * xim->height,
-                           IPC_CREAT|0777);
-diff --git a/vncviewer/PlatformPixelBuffer.cxx b/vncviewer/PlatformPixelBuffer.cxx
-index a2b506d..9266d9f 100644
---- a/vncviewer/PlatformPixelBuffer.cxx
-+++ b/vncviewer/PlatformPixelBuffer.cxx
-@@ -49,6 +49,15 @@ PlatformPixelBuffer::PlatformPixelBuffer(int width, int height) :
-     if (!xim)
-       throw rdr::Exception("XCreateImage");
-
-+    if (xim->bytes_per_line <= 0 ||
-+       xim->height <= 0 ||
-+       xim->height >= INT_MAX / xim->bytes_per_line) {
-+      if (xim)
-+       XDestroyImage(xim);
-+      xim = NULL;
-+      throw rdr::Exception("Invalid display size");
-+    }
-+
-     xim->data = (char*)malloc(xim->bytes_per_line * xim->height);
-     if (!xim->data)
-       throw rdr::Exception("malloc");
-@@ -152,6 +161,16 @@ bool PlatformPixelBuffer::setupShm()
-   if (!xim)
-     goto free_shminfo;
-
-+  if (xim->bytes_per_line <= 0 ||
-+      xim->height <= 0 ||
-+      xim->height >= INT_MAX / xim->bytes_per_line) {
-+    XDestroyImage(xim);
-+    xim = NULL;
-+    delete shminfo;
-+    shminfo = NULL;
-+    throw rdr::Exception("Invalid display size");
-+  }
-+
-   shminfo->shmid = shmget(IPC_PRIVATE,
-                           xim->bytes_per_line * xim->height,
-                           IPC_CREAT|0600);

SOURCES/tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch

@@ -0,0 +1,27 @@
+From 313200978926cc7b7521c0d645918391b7609681 Mon Sep 17 00:00:00 2001
+From: Jan Grulich <jgrulich@redhat.com>
+Date: Thu, 27 Feb 2025 13:49:02 +0100
+Subject: [PATCH] Add SELinux policy rules allowing to access
+ /proc/sys/fs/nr_open
+
+This is needed when the nofile limit is set to unlimited, otherwise we
+will fail to start a VNC session.
+---
+ unix/vncserver/selinux/vncsession.te | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
+index d92f1bd..2ce4fc8 100644
+--- a/unix/vncserver/selinux/vncsession.te
++++ b/unix/vncserver/selinux/vncsession.te
+@@ -37,6 +37,10 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms;
+ allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+ files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+ 
++# Allow access to /proc/sys/fs/nr_open
++# Needed when the nofile limit is set to unlimited.
++kernel_read_fs_sysctls(vnc_session_t)
++
+ # Allowed to create ~/.local
+ optional_policy(`
+ 	gnome_filetrans_home_content(vnc_session_t)

SOURCES/tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch

@@ -0,0 +1,47 @@
+From e652f06940f84fd8e19d7b674ae8c6000530fb40 Mon Sep 17 00:00:00 2001
+From: Jan Grulich <jgrulich@redhat.com>
+Date: Fri, 7 Feb 2025 15:32:49 +0100
+Subject: [PATCH] Add SELinux policy rules allowing to create directories under
+ /root
+
+We have policy that allows to create ~/.local or ~/.config, but we don't
+have rule that allows the same under /root directory, where we fail in
+case any of these directories doesn't exist.
+---
+ unix/vncserver/selinux/vncsession.te | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
+index d92f1bda7d..2f49717077 100644
+--- a/unix/vncserver/selinux/vncsession.te
++++ b/unix/vncserver/selinux/vncsession.te
+@@ -48,6 +48,14 @@ optional_policy(`
+ 	create_dirs_pattern(vnc_session_t, gconf_home_t, gconf_home_t)
+ ')
+ 
++# Allowed to create /root/.local
++optional_policy(`
++	gen_require(`
++		type admin_home_t;
++	')
++	create_dirs_pattern(vnc_session_t, admin_home_t, admin_home_t)
++')
++
+ # Manage TigerVNC files (mainly ~/.local/state/*.log)
+ create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
+ manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
+@@ -88,6 +96,7 @@ optional_policy(`
+ 	gen_require(`
+ 		attribute userdomain;
+ 		type gconf_home_t;
++		type admin_home_t;
+ 	')
+ 	userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
+ 	userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
+@@ -95,5 +104,6 @@ optional_policy(`
+ 	gnome_config_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
+ 	gnome_data_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
+ 	filetrans_pattern(userdomain, gconf_home_t, vnc_home_t, dir, "tigervnc")
++	filetrans_pattern(vnc_session_t, admin_home_t, vnc_home_t, dir, "tigervnc")
+ 	filetrans_pattern(vnc_session_t, gconf_home_t, vnc_home_t, dir, "tigervnc")
+ ')

SOURCES/tigervnc-correctly-start-vncsession-as-daemon.patch

@@ -1,13 +0,0 @@
-diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
-index 2b47f5f5..f78c096f 100644
---- a/unix/vncserver/vncsession.c
-+++ b/unix/vncserver/vncsession.c
-@@ -99,7 +99,7 @@ begin_daemon(void)
-         return -1;
-     }
- 
--    if (pid == 0)
-+    if (pid != 0)
-         _exit(0);
- 
-     /* Send all stdio to /dev/null */

SOURCES/tigervnc-cursor.patch

@@ -1,12 +0,0 @@
-diff -up tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor tigervnc-1.3.0/vncviewer/Viewport.cxx
---- tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor	2013-12-17 13:28:23.170400013 +0000
-+++ tigervnc-1.3.0/vncviewer/Viewport.cxx	2013-12-17 13:29:46.095784064 +0000
-@@ -248,7 +248,7 @@ void Viewport::setCursor(int width, int height, const Point& hotspot,
-     }
-   }
-
--  if (Fl::belowmouse() == this)
-+  if (Fl::belowmouse() == this && cursor)
-     window()->cursor(cursor, cursorHotspot.x, cursorHotspot.y);
- }
-

SOURCES/tigervnc-dont-install-appstream-metadata-file.patch

@@ -0,0 +1,53 @@
+diff --git a/po/CMakeLists.txt b/po/CMakeLists.txt
+index 7d316e7..4f872d0 100644
+--- a/po/CMakeLists.txt
++++ b/po/CMakeLists.txt
+@@ -15,7 +15,6 @@ if (GETTEXT_XGETTEXT_EXECUTABLE)
+     ${PROJECT_SOURCE_DIR}/vncviewer/*.h
+     ${PROJECT_SOURCE_DIR}/vncviewer/*.cxx
+     ${PROJECT_SOURCE_DIR}/vncviewer/*.desktop.in.in
+-    ${PROJECT_SOURCE_DIR}/vncviewer/*.metainfo.xml.in
+   )
+ 
+   add_custom_target(translations_update
+diff --git a/vncviewer/CMakeLists.txt b/vncviewer/CMakeLists.txt
+index 72904b2..6a39062 100644
+--- a/vncviewer/CMakeLists.txt
++++ b/vncviewer/CMakeLists.txt
+@@ -108,36 +108,6 @@ if(UNIX)
+   add_custom_target(desktop ALL DEPENDS vncviewer.desktop)
+   install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncviewer.desktop DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/applications)
+ 
+-  if("${GETTEXT_VERSION_STRING}" VERSION_GREATER 0.19.6)
+-    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
+-      COMMAND ${GETTEXT_MSGFMT_EXECUTABLE}
+-                --xml --template ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
+-                -d ${CMAKE_SOURCE_DIR}/po -o org.tigervnc.vncviewer.metainfo.xml
+-      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
+-              ${po_FILES}
+-    )
+-  elseif(INTLTOOL_MERGE_EXECUTABLE)
+-    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
+-      COMMAND sed -e 's@<name>@<_name>@\;s@</name>@</_name>@'
+-                  -e 's@<summary>@<_summary>@\;s@</summary>@</_summary>@'
+-                  -e 's@<caption>@<_caption>@\;s@</caption>@</_caption>@'
+-                  -e 's@<p>@<_p>@g\;s@</p>@</_p>@g'
+-                ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in > org.tigervnc.vncviewer.metainfo.xml.intl
+-      COMMAND ${INTLTOOL_MERGE_EXECUTABLE}
+-                -x ${CMAKE_SOURCE_DIR}/po
+-                org.tigervnc.vncviewer.metainfo.xml.intl org.tigervnc.vncviewer.metainfo.xml
+-      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
+-              ${po_FILES}
+-    )
+-  else()
+-    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
+-      COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in org.tigervnc.vncviewer.metainfo.xml
+-      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
+-    )
+-  endif()
+-  add_custom_target(appstream ALL DEPENDS org.tigervnc.vncviewer.metainfo.xml)
+-  install(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.tigervnc.vncviewer.metainfo.xml DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/metainfo)
+-
+   foreach(res 16 22 24 32 48 64 128)
+     install(FILES ../media/icons/tigervnc_${res}.png DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/icons/hicolor/${res}x${res}/apps RENAME tigervnc.png)
+   endforeach()

SOURCES/tigervnc-getmaster.patch

@@ -1,88 +0,0 @@
-diff --git a/unix/xserver/hw/vnc/InputXKB.c b/unix/xserver/hw/vnc/InputXKB.c
-index f84a6e4..4eac939 100644
---- a/unix/xserver/hw/vnc/InputXKB.c
-+++ b/unix/xserver/hw/vnc/InputXKB.c
-@@ -226,10 +226,7 @@ void vncPrepareInputDevices(void)
- 
- unsigned vncGetKeyboardState(void)
- {
--	DeviceIntPtr master;
--
--	master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
--	return XkbStateFieldFromRec(&master->key->xkbInfo->state);
-+	return XkbStateFieldFromRec(&vncKeyboardDev->master->key->xkbInfo->state);
- }
- 
- unsigned vncGetLevelThreeMask(void)
-@@ -250,7 +247,7 @@ unsigned vncGetLevelThreeMask(void)
- 			return 0;
- 	}
- 
--	xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
-+	xkb = vncKeyboardDev->master->key->xkbInfo->desc;
- 
- 	act = XkbKeyActionPtr(xkb, keycode, state);
- 	if (act == NULL)
-@@ -275,7 +272,7 @@ KeyCode vncPressShift(void)
- 	if (state & ShiftMask)
- 		return 0;
- 
--	xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
-+	xkb = vncKeyboardDev->master->key->xkbInfo->desc;
- 	for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
- 		XkbAction *act;
- 		unsigned char mask;
-@@ -315,7 +312,7 @@ size_t vncReleaseShift(KeyCode *keys, size_t maxKeys)
- 
- 	count = 0;
- 
--	master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
-+	master = vncKeyboardDev->master;
- 	xkb = master->key->xkbInfo->desc;
- 	for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
- 		XkbAction *act;
-@@ -371,7 +368,7 @@ KeyCode vncPressLevelThree(void)
- 			return 0;
- 	}
- 
--	xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
-+	xkb = vncKeyboardDev->master->key->xkbInfo->desc;
- 
- 	act = XkbKeyActionPtr(xkb, keycode, state);
- 	if (act == NULL)
-@@ -402,7 +399,7 @@ size_t vncReleaseLevelThree(KeyCode *keys, size_t maxKeys)
- 
- 	count = 0;
- 
--	master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
-+	master = vncKeyboardDev->master;
- 	xkb = master->key->xkbInfo->desc;
- 	for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
- 		XkbAction *act;
-@@ -447,7 +444,7 @@ KeyCode vncKeysymToKeycode(KeySym keysym, unsigned state, unsigned *new_state)
- 		*new_state = state;
- 
- 	fallback = 0;
--	xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
-+	xkb = vncKeyboardDev->master->key->xkbInfo->desc;
- 	for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
- 		unsigned int state_out;
- 		KeySym dummy;
-@@ -551,7 +548,7 @@ int vncIsAffectedByNumLock(KeyCode keycode)
- 	if (numlock_keycode == 0)
- 		return 0;
- 
--	xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
-+	xkb = vncKeyboardDev->master->key->xkbInfo->desc;
- 
- 	act = XkbKeyActionPtr(xkb, numlock_keycode, state);
- 	if (act == NULL)
-@@ -585,7 +582,7 @@ KeyCode vncAddKeysym(KeySym keysym, unsigned state)
- 	KeySym *syms;
- 	KeySym upper, lower;
- 
--	master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
-+	master = vncKeyboardDev->master;
- 	xkb = master->key->xkbInfo->desc;
- 	for (key = xkb->max_key_code; key >= xkb->min_key_code; key--) {
- 		if (XkbKeyNumGroups(xkb, key) == 0)

SOURCES/tigervnc-let-user-know-about-not-using-view-only-password.patch

@@ -1,13 +0,0 @@
-diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx
-index 16c925ee..6398121e 100644
---- a/unix/vncpasswd/vncpasswd.cxx
-+++ b/unix/vncpasswd/vncpasswd.cxx
-@@ -150,6 +150,8 @@ int main(int argc, char** argv)
-     char yesno[3];
-     if (fgets(yesno, 3, stdin) != NULL && (yesno[0] == 'y' || yesno[0] == 'Y')) {
-       obfuscatedReadOnly = readpassword();
-+    } else {
-+      fprintf(stderr, "A view-only password is not used\n");
-     }
-
-     FILE* fp = fopen(fname,"w");

SOURCES/tigervnc-passwd-crash-with-malloc-checks.patch

@@ -1,41 +0,0 @@
-diff --git a/common/rfb/Password.cxx b/common/rfb/Password.cxx
-index e4a508c..f555c57 100644
---- a/common/rfb/Password.cxx
-+++ b/common/rfb/Password.cxx
-@@ -55,7 +55,7 @@ PlainPasswd::~PlainPasswd() {
- 
- void PlainPasswd::replaceBuf(char* b) {
-   if (buf)
--    memset(buf, 0, strlen(buf));
-+    memset(buf, 0, length ? length : strlen(buf));
-   CharArray::replaceBuf(b);
- }
- 
-diff --git a/common/rfb/util.h b/common/rfb/util.h
-index 3100f90..764692a 100644
---- a/common/rfb/util.h
-+++ b/common/rfb/util.h
-@@ -51,16 +51,21 @@ namespace rfb {
-     CharArray() : buf(0) {}
-     CharArray(char* str) : buf(str) {} // note: assumes ownership
-     CharArray(size_t len) {
-+      length = len;
-       buf = new char[len]();
-     }
-     ~CharArray() {
--      delete [] buf;
-+      if (buf) {
-+        delete [] buf;
-+        buf = nullptr;
-+      }
-     }
-     void format(const char *fmt, ...) __printf_attr(2, 3);
-     // Get the buffer pointer & clear it (i.e. caller takes ownership)
-     char* takeBuf() {char* tmp = buf; buf = 0; return tmp;}
--    void replaceBuf(char* b) {delete [] buf; buf = b;}
-+    void replaceBuf(char* b) {if (buf) delete [] buf; buf = b;}
-     char* buf;
-+    size_t length = 0;
-   private:
-     CharArray(const CharArray&);
-     CharArray& operator=(const CharArray&);

SOURCES/tigervnc-selinux-missing-compression-and-correct-location.patch

@@ -1,39 +0,0 @@
-From 6125695b80f6a43002f454786115b0a6c1730831 Mon Sep 17 00:00:00 2001
-From: Jan Grulich <jgrulich@redhat.com>
-Date: Mon, 17 May 2021 13:44:32 +0200
-Subject: [PATCH] SELinux: Add missing compression and install policy to
- correct directory
-
----
- unix/vncserver/selinux/Makefile | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/unix/vncserver/selinux/Makefile b/unix/vncserver/selinux/Makefile
-index 7497bf846..b23f20f60 100644
---- a/unix/vncserver/selinux/Makefile
-+++ b/unix/vncserver/selinux/Makefile
-@@ -10,15 +10,18 @@
- PREFIX=/usr
- DATADIR=$(PREFIX)/share
- 
--all: vncsession.pp
-+all: vncsession.pp.bz2
-+
-+%.pp.bz2: %.pp
-+	bzip2 -9 $^
- 
- %.pp: %.te
- 	make -f $(DATADIR)/selinux/devel/Makefile $@
- 
- clean:
--	rm -f *.pp
-+	rm -f *.pp *.pp.bz2
- 	rm -rf tmp
- 
--install: vncsession.pp
--	mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages
--	install vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp
-+install: vncsession.pp.bz2
-+	mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages/targeted/
-+	install vncsession.pp.bz2 $(DESTDIR)$(DATADIR)/selinux/packages/targeted/vncsession.pp.bz2
-

SOURCES/tigervnc-selinux-policy-improvements.patch

@@ -1,183 +0,0 @@
-From 386542e6d50eeaa68aa91f821c0725ddd0ab9b2a Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Tue, 18 May 2021 12:23:15 +0200
-Subject: [PATCH] selinux: Fix issues reported by SELint
-
-Style guide [1] issues only. No impact on policy functionality.
-
-[1] - https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
----
- unix/vncserver/selinux/vncsession.te | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
-index a773fed39..63ad8a85f 100644
---- a/unix/vncserver/selinux/vncsession.te
-+++ b/unix/vncserver/selinux/vncsession.te
-@@ -17,7 +17,7 @@
- #  USA.
- #
-
--policy_module(vncsession, 1.0.0);
-+policy_module(vncsession, 1.0.0)
-
- gen_require(`
-     attribute userdomain;
-@@ -42,8 +42,8 @@ can_exec(vnc_session_t, vnc_session_exec_t)
- userdom_spec_domtrans_all_users(vnc_session_t)
- userdom_signal_all_users(vnc_session_t)
-
--allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };
--allow vnc_session_t self:process { getcap setsched setexec setrlimit };
-+allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
-+allow vnc_session_t self:process { getcap setexec setrlimit setsched };
- allow vnc_session_t self:fifo_file rw_fifo_file_perms;
-
- manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-@@ -65,4 +65,3 @@ logging_append_all_logs(vnc_session_t)
-
- mcs_process_set_categories(vnc_session_t)
- mcs_killall(vnc_session_t)
--
-From 23cf514ac265a02dc666e8651dcc579022f0da77 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Tue, 18 May 2021 13:31:53 +0200
-Subject: [PATCH] selinux: further style and comprehensibility improvements
-
-Sections and rules blocks reordered according to the Style guide.
-
-https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
----
- unix/vncserver/selinux/vncsession.te | 59 +++++++++++++++++-----------
- 1 file changed, 36 insertions(+), 23 deletions(-)
-
-diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
-index 63ad8a85f..86fd6e5ef 100644
---- a/unix/vncserver/selinux/vncsession.te
-+++ b/unix/vncserver/selinux/vncsession.te
-@@ -20,48 +20,61 @@
- policy_module(vncsession, 1.0.0)
-
- gen_require(`
--    attribute userdomain;
--    type xdm_home_t;
-+	attribute userdomain;
-+	type xdm_home_t;
- ')
-
--type vnc_session_exec_t;
--corecmd_executable_file(vnc_session_exec_t)
- type vnc_session_t;
-+type vnc_session_exec_t;
- init_daemon_domain(vnc_session_t, vnc_session_exec_t)
--auth_login_pgm_domain(vnc_session_t)
-+can_exec(vnc_session_t, vnc_session_exec_t)
-
- type vnc_session_var_run_t;
- files_pid_file(vnc_session_var_run_t)
--allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
--files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
--
--auth_write_login_records(vnc_session_t)
--
--can_exec(vnc_session_t, vnc_session_exec_t)
--
--userdom_spec_domtrans_all_users(vnc_session_t)
--userdom_signal_all_users(vnc_session_t)
-
- allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
- allow vnc_session_t self:process { getcap setexec setrlimit setsched };
- allow vnc_session_t self:fifo_file rw_fifo_file_perms;
-
-+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
-+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
-+
- manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
- manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
- manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
- manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
--userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
--userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
--
--# This also affects other tools, e.g. vncpasswd
--userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
--userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
--
--miscfiles_read_localization(vnc_session_t)
-
- kernel_read_kernel_sysctls(vnc_session_t)
-
--logging_append_all_logs(vnc_session_t)
-+corecmd_executable_file(vnc_session_exec_t)
-
- mcs_process_set_categories(vnc_session_t)
- mcs_killall(vnc_session_t)
-+
-+optional_policy(`
-+	auth_login_pgm_domain(vnc_session_t)
-+	auth_write_login_records(vnc_session_t)
-+')
-+
-+optional_policy(`
-+	logging_append_all_logs(vnc_session_t)
-+')
-+
-+optional_policy(`
-+	miscfiles_read_localization(vnc_session_t)
-+')
-+
-+optional_policy(`
-+	userdom_spec_domtrans_all_users(vnc_session_t)
-+	userdom_signal_all_users(vnc_session_t)
-+
-+	userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-+	userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-+
-+	# This also affects other tools, e.g. vncpasswd
-+	gen_require(`
-+		attribute userdomain;
-+	')
-+	userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-+	userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-+')
-From 3c8622691abfb377b48bf3749dd629c5a7120cf4 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Tue, 18 May 2021 13:39:11 +0200
-Subject: [PATCH] Allow vnc_session_t manage nfs dirs and files conditionally
-
-The permissions set to manage directories and files with the nfs_t type
-is allowed when the use_nfs_home_dirs boolean is turned on.
-
-Resolves: https://github.com/TigerVNC/tigervnc/issues/1189
----
- unix/vncserver/selinux/vncsession.te | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
-index 86fd6e5ef..46e699117 100644
---- a/unix/vncserver/selinux/vncsession.te
-+++ b/unix/vncserver/selinux/vncsession.te
-@@ -51,6 +51,11 @@ corecmd_executable_file(vnc_session_exec_t)
- mcs_process_set_categories(vnc_session_t)
- mcs_killall(vnc_session_t)
-
-+tunable_policy(`use_nfs_home_dirs',`
-+	fs_manage_nfs_dirs(vnc_session_t)
-+	fs_manage_nfs_files(vnc_session_t)
-+')
-+
- optional_policy(`
- 	auth_login_pgm_domain(vnc_session_t)
- 	auth_write_login_records(vnc_session_t)
-diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
-index 46e69911..f1108ec8 100644
---- a/unix/vncserver/selinux/vncsession.te
-+++ b/unix/vncserver/selinux/vncsession.te
-@@ -20,7 +20,6 @@
- policy_module(vncsession, 1.0.0)
-
- gen_require(`
--	attribute userdomain;
- 	type xdm_home_t;
- ')
-

SOURCES/tigervnc-systemd-service.patch

@@ -1,47 +0,0 @@
-From 40f104ffe1e36df9613f8d316f616fb2b089cc86 Mon Sep 17 00:00:00 2001
-From: Jan Grulich <jgrulich@redhat.com>
-Date: Tue, 29 Sep 2020 13:37:16 +0200
-Subject: [PATCH] Use /run instead of /var/run which is just a symlink
-
----
- unix/vncserver/selinux/vncsession.fc | 2 +-
- unix/vncserver/vncserver@.service.in | 2 +-
- unix/vncserver/vncsession.c          | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
-index 121cdd237..ae768baa4 100644
---- a/unix/vncserver/selinux/vncsession.fc
-+++ b/unix/vncserver/selinux/vncsession.fc
-@@ -23,4 +23,4 @@ HOME_ROOT/\.vnc(/.*)?      gen_context(system_u:object_r:xdm_home_t,s0)
- /usr/sbin/vncsession			--	gen_context(system_u:object_r:vnc_session_exec_t,s0)
- /usr/libexec/vncsession-start		--	gen_context(system_u:object_r:vnc_session_exec_t,s0)
- 
--/var/run/vncsession-:[0-9]*\.pid	--      gen_context(system_u:object_r:vnc_session_var_run_t,s0)
-+/run/vncsession-:[0-9]*\.pid	--      gen_context(system_u:object_r:vnc_session_var_run_t,s0)
-diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
-index 584ecf4b1..5624dff76 100644
---- a/unix/vncserver/vncserver@.service.in
-+++ b/unix/vncserver/vncserver@.service.in
-@@ -36,7 +36,7 @@ After=syslog.target network.target
- [Service]
- Type=forking
- ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i
--PIDFile=/var/run/vncsession-%i.pid
-+PIDFile=/run/vncsession-%i.pid
- SELinuxContext=system_u:system_r:vnc_session_t:s0
- 
- [Install]
-diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
-index 3e0c98f0f..2b47f5f55 100644
---- a/unix/vncserver/vncsession.c
-+++ b/unix/vncserver/vncsession.c
-@@ -543,7 +543,7 @@ main(int argc, char **argv)
-     }
- 
-     snprintf(pid_file, sizeof(pid_file),
--             "/var/run/vncsession-%s.pid", display);
-+             "/run/vncsession-%s.pid", display);
-     f = fopen(pid_file, "w");
-     if (f == NULL) {
-         syslog(LOG_ERR, "Failure creating pid file \"%s\": %s",

SOURCES/tigervnc-tolerate-specifying-boolparam.patch

@@ -1,149 +0,0 @@
-From 38c6848b30cb1908171f2b4628e345fbf6727b39 Mon Sep 17 00:00:00 2001
-From: Pierre Ossman <ossman@cendio.se>
-Date: Fri, 18 Sep 2020 10:44:32 +0200
-Subject: [PATCH] Tolerate specifying -BoolParam 0 and similar
-
-This is needed by vncserver which doesn't know which parameters are
-boolean, and it cannot use the -Param=Value form as that isn't tolerated
-by the Xorg code.
----
- unix/vncserver/vncserver.in    |  8 ++++----
- unix/xserver/hw/vnc/RFBGlue.cc | 16 ++++++++++++++++
- unix/xserver/hw/vnc/RFBGlue.h  |  1 +
- unix/xserver/hw/vnc/xvnc.c     | 14 ++++++++++++++
- vncviewer/vncviewer.cxx        | 20 ++++++++++++++++++++
- 5 files changed, 55 insertions(+), 4 deletions(-)
-
-diff --git a/unix/vncserver/vncserver.in b/unix/vncserver/vncserver.in
-index 25fbbd315..261b258f1 100755
---- a/unix/vncserver/vncserver.in
-+++ b/unix/vncserver/vncserver.in
-@@ -107,7 +107,7 @@ $default_opts{rfbwait} = 30000;
- $default_opts{rfbauth} = "$vncUserDir/passwd";
- $default_opts{rfbport} = $vncPort;
- $default_opts{fp} = $fontPath if ($fontPath);
--$default_opts{pn} = "";
-+$default_opts{pn} = undef;
- 
- # Load user-overrideable system defaults
- LoadConfig($vncSystemConfigDefaultsFile);
-@@ -242,13 +242,13 @@ push(@cmd, "@CMAKE_INSTALL_FULL_BINDIR@/Xvnc", ":$displayNumber");
- 
- foreach my $k (sort keys %config) {
-   push(@cmd, "-$k");
--  push(@cmd, $config{$k}) if $config{$k};
-+  push(@cmd, $config{$k}) if defined($config{$k});
-   delete $default_opts{$k}; # file options take precedence
- }
- 
- foreach my $k (sort keys %default_opts) {
-   push(@cmd, "-$k");
--  push(@cmd, $default_opts{$k}) if $default_opts{$k};
-+  push(@cmd, $default_opts{$k}) if defined($default_opts{$k});
- }
- 
- warn "\nNew '$desktopName' desktop is $host:$displayNumber\n\n";
-@@ -291,7 +291,7 @@ sub LoadConfig {
-           # current config file being loaded defined the logical opposite setting
-           # (NeverShared vs. AlwaysShared, etc etc).
-           $toggle = lc($1); # must normalize key case
--          $config{$toggle} = $k;
-+          $config{$toggle} = undef;
-         }
-       }
-       close(IN);
-diff --git a/unix/xserver/hw/vnc/RFBGlue.cc b/unix/xserver/hw/vnc/RFBGlue.cc
-index f108fae43..7c32bea8f 100644
---- a/unix/xserver/hw/vnc/RFBGlue.cc
-+++ b/unix/xserver/hw/vnc/RFBGlue.cc
-@@ -143,6 +143,22 @@ const char* vncGetParamDesc(const char *name)
-   return param->getDescription();
- }
- 
-+int vncIsParamBool(const char *name)
-+{
-+  VoidParameter *param;
-+  BoolParameter *bparam;
-+
-+  param = rfb::Configuration::getParam(name);
-+  if (param == NULL)
-+    return false;
-+
-+  bparam = dynamic_cast<BoolParameter*>(param);
-+  if (bparam == NULL)
-+    return false;
-+
-+  return true;
-+}
-+
- int vncGetParamCount(void)
- {
-   int count;
-diff --git a/unix/xserver/hw/vnc/RFBGlue.h b/unix/xserver/hw/vnc/RFBGlue.h
-index 112405b84..695cea105 100644
---- a/unix/xserver/hw/vnc/RFBGlue.h
-+++ b/unix/xserver/hw/vnc/RFBGlue.h
-@@ -41,6 +41,7 @@ int vncSetParam(const char *name, const char *value);
- int vncSetParamSimple(const char *nameAndValue);
- char* vncGetParam(const char *name);
- const char* vncGetParamDesc(const char *name);
-+int vncIsParamBool(const char *name);
- 
- int vncGetParamCount(void);
- char *vncGetParamList(void);
-diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
-index 4eb0b0b13..5744acac8 100644
---- a/unix/xserver/hw/vnc/xvnc.c
-+++ b/unix/xserver/hw/vnc/xvnc.c
-@@ -618,6 +618,20 @@ ddxProcessArgument(int argc, char *argv[], int i)
-         exit(0);
-     }
- 
-+    /* We need to resolve an ambiguity for booleans */
-+    if (argv[i][0] == '-' && i+1 < argc &&
-+        vncIsParamBool(&argv[i][1])) {
-+        if ((strcasecmp(argv[i+1], "0") == 0) ||
-+            (strcasecmp(argv[i+1], "1") == 0) ||
-+            (strcasecmp(argv[i+1], "true") == 0) ||
-+            (strcasecmp(argv[i+1], "false") == 0) ||
-+            (strcasecmp(argv[i+1], "yes") == 0) ||
-+            (strcasecmp(argv[i+1], "no") == 0)) {
-+            vncSetParam(&argv[i][1], argv[i+1]);
-+            return 2;
-+        }
-+    }
-+
-     if (vncSetParamSimple(argv[i]))
- 	return 1;
-     
-diff --git a/vncviewer/vncviewer.cxx b/vncviewer/vncviewer.cxx
-index d4dd3063c..77ba3d3f4 100644
---- a/vncviewer/vncviewer.cxx
-+++ b/vncviewer/vncviewer.cxx
-@@ -556,6 +556,26 @@ int main(int argc, char** argv)
-   }
- 
-   for (int i = 1; i < argc;) {
-+    /* We need to resolve an ambiguity for booleans */
-+    if (argv[i][0] == '-' && i+1 < argc) {
-+        VoidParameter *param;
-+
-+        param = Configuration::getParam(&argv[i][1]);
-+        if ((param != NULL) &&
-+            (dynamic_cast<BoolParameter*>(param) != NULL)) {
-+          if ((strcasecmp(argv[i+1], "0") == 0) ||
-+              (strcasecmp(argv[i+1], "1") == 0) ||
-+              (strcasecmp(argv[i+1], "true") == 0) ||
-+              (strcasecmp(argv[i+1], "false") == 0) ||
-+              (strcasecmp(argv[i+1], "yes") == 0) ||
-+              (strcasecmp(argv[i+1], "no") == 0)) {
-+              param->setParam(argv[i+1]);
-+              i += 2;
-+              continue;
-+          }
-+      }
-+    }
-+
-     if (Configuration::setParam(argv[i])) {
-       i++;
-       continue;

SOURCES/tigervnc-utilize-system-crypto-policies.patch

@@ -1,13 +0,0 @@
-diff --git a/common/rfb/Security.cxx b/common/rfb/Security.cxx
-index e623ab5..4987b29 100644
---- a/common/rfb/Security.cxx
-+++ b/common/rfb/Security.cxx
-@@ -52,7 +52,7 @@ static LogWriter vlog("Security");
- #ifdef HAVE_GNUTLS
- StringParameter Security::GnuTLSPriority("GnuTLSPriority",
-   "GnuTLS priority string that controls the TLS session’s handshake algorithms",
--  "NORMAL");
-+  "@SYSTEM");
- #endif
-
- Security::Security()

SOURCES/tigervnc-vncsession-restore-script-systemd-service.patch

@@ -0,0 +1,113 @@
+From 1919a8ab86c99b47ba86dc697abcdf3343b0aafa Mon Sep 17 00:00:00 2001
+From: Jan Grulich <jgrulich@redhat.com>
+Date: Tue, 1 Feb 2022 14:31:05 +0100
+Subject: Add vncsession-restore script to restore SELinux context
+
+The vncsession-restore script is used in the ExecStartPre option
+for systemd service file in order to properly start the session
+in case the policy is updated (e.g. after Tigervnc update).
+
+diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
+index ae69dc09..04eb6fc4 100644
+--- a/unix/vncserver/CMakeLists.txt
++++ b/unix/vncserver/CMakeLists.txt
+@@ -2,6 +2,7 @@ add_executable(vncsession vncsession.c)
+ target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
+ 
+ configure_file(vncserver@.service.in vncserver@.service @ONLY)
++configure_file(vncsession-restore.in vncsession-restore @ONLY)
+ configure_file(vncsession-start.in vncsession-start @ONLY)
+ configure_file(vncserver.in vncserver @ONLY)
+ configure_file(vncsession.man.in vncsession.man @ONLY)
+@@ -20,4 +21,5 @@ install(FILES HOWTO.md DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR})
+ if(INSTALL_SYSTEMD_UNITS)
+   install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncserver@.service DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR})
+   install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
++  install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-restore DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
+ endif()
+diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
+index 39f81b73..a83e05a3 100644
+--- a/unix/vncserver/vncserver@.service.in
++++ b/unix/vncserver/vncserver@.service.in
+@@ -35,6 +35,7 @@ After=syslog.target network.target
+ 
+ [Service]
+ Type=forking
++ExecStartPre=+@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-restore %i
+ ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i
+ PIDFile=/run/vncsession-%i.pid
+ SELinuxContext=system_u:system_r:vnc_session_t:s0
+diff --git a/unix/vncserver/vncsession-restore.in b/unix/vncserver/vncsession-restore.in
+new file mode 100644
+index 00000000..d3abc57d
+--- /dev/null
++++ b/unix/vncserver/vncsession-restore.in
+@@ -0,0 +1,68 @@
++#!/bin/bash
++#
++#  Copyright 2022 Jan Grulich <jgrulich@redhat.com>
++#
++#  This is free software; you can redistribute it and/or modify
++#  it under the terms of the GNU General Public License as published by
++#  the Free Software Foundation; either version 2 of the License, or
++#  (at your option) any later version.
++#
++#  This software is distributed in the hope that it will be useful,
++#  but WITHOUT ANY WARRANTY; without even the implied warranty of
++#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++#  GNU General Public License for more details.
++#
++#  You should have received a copy of the GNU General Public License
++#  along with this software; if not, write to the Free Software
++#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
++#  USA.
++#
++
++USERSFILE="@CMAKE_INSTALL_FULL_SYSCONFDIR@/tigervnc/vncserver.users"
++
++if [ $# -ne 1 ]; then
++	echo "Syntax:" >&2
++	echo "    $0 <display>" >&2
++	exit 1
++fi
++
++if [ ! -f "${USERSFILE}" ]; then
++	echo "Users file ${USERSFILE} missing" >&2
++	exit 1
++fi
++
++DISPLAY="$1"
++
++USER=`grep "^ *${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2- | sed 's/ *$//g'`
++
++if [ -z "${USER}" ]; then
++	echo "No user configured for display ${DISPLAY}" >&2
++	exit 1
++fi
++
++USER_HOMEDIR=`getent passwd ${USER} | cut -f6 -d:`
++
++if [ -z "${USER_HOMEDIR}" ]; then
++	echo "Failed to get home directory for ${USER}" >&2
++	exit 1
++fi
++
++if [ ! -d "${USER_HOMEDIR}/.vnc" ]; then
++	exit 0
++fi
++
++MATCHPATHCON=`which matchpathcon`
++
++if [ $? -eq 0 ]; then
++	${MATCHPATHCON} -V "${USER_HOMEDIR}/.vnc" &>/dev/null
++	if [ $? -eq 0 ]; then
++		exit 0
++	fi
++fi
++
++RESTORECON=`which restorecon`
++
++if [ $? -eq 0 ]; then
++	exec "${RESTORECON}" -R "${USER_HOMEDIR}/.vnc" >&2
++	return $?
++fi

SOURCES/tigervnc-working-tls-on-fips-systems.patch

@@ -1,13 +0,0 @@
-diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
-index b946022..2daefa2 100644
---- a/common/rfb/SSecurityTLS.cxx
-+++ b/common/rfb/SSecurityTLS.cxx
-@@ -186,7 +186,7 @@ void SSecurityTLS::setParams(gnutls_session_t session)
-   if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
-     throw AuthFailureException("gnutls_dh_params_init failed");
-
--  if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
-+  if (gnutls_dh_params_generate2(dh_params, gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM)) != GNUTLS_E_SUCCESS)
-     throw AuthFailureException("gnutls_dh_params_generate2 failed");
-
-   if (anon) {

SOURCES/tigervnc-xserver120.patch

@@ -1,91 +0,0 @@
-diff -up xserver/configure.ac.xserver116-rebased xserver/configure.ac
---- xserver/configure.ac.xserver116-rebased	2016-09-29 13:14:45.595441590 +0200
-+++ xserver/configure.ac	2016-09-29 13:14:45.631442006 +0200
-@@ -74,6 +74,7 @@ dnl forcing an entire recompile.x
- AC_CONFIG_HEADERS(include/version-config.h)
-
- AM_PROG_AS
-+AC_PROG_CXX
- AC_PROG_LN_S
- LT_PREREQ([2.2])
- LT_INIT([disable-static win32-dll])
-@@ -1863,6 +1864,10 @@ if test "x$XVFB" = xyes; then
- 	AC_SUBST([XVFB_SYS_LIBS])
- fi
-
-+dnl Xvnc DDX
-+AC_SUBST([XVNC_CPPFLAGS], ["-DHAVE_DIX_CONFIG_H $XSERVER_CFLAGS"])
-+AC_SUBST([XVNC_LIBS], ["$FB_LIB $FIXES_LIB $XEXT_LIB $CONFIG_LIB $DBE_LIB $RECORD_LIB $GLX_LIBS $RANDR_LIB $RENDER_LIB $DAMAGE_LIB $DRI3_LIB $PRESENT_LIB $MIEXT_SYNC_LIB $MIEXT_DAMAGE_LIB $MIEXT_SHADOW_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $COMPOSITE_LIB $MAIN_LIB"])
-+AC_SUBST([XVNC_SYS_LIBS], ["$GLX_SYS_LIBS"])
-
- dnl Xnest DDX
-
-@@ -1898,6 +1903,8 @@ if test "x$XORG" = xauto; then
- fi
- AC_MSG_RESULT([$XORG])
-
-+AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version])
-+
- if test "x$XORG" = xyes; then
- 	XORG_DDXINCS='-I$(top_srcdir)/hw/xfree86 -I$(top_srcdir)/hw/xfree86/include -I$(top_srcdir)/hw/xfree86/common'
- 	XORG_OSINCS='-I$(top_srcdir)/hw/xfree86/os-support -I$(top_srcdir)/hw/xfree86/os-support/bus -I$(top_srcdir)/os'
-@@ -2116,7 +2123,6 @@ if test "x$XORG" = xyes; then
- 	AC_DEFINE(XORG_SERVER, 1, [Building Xorg server])
- 	AC_DEFINE(XORGSERVER, 1, [Building Xorg server])
- 	AC_DEFINE(XFree86Server, 1, [Building XFree86 server])
--	AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version])
- 	AC_DEFINE(NEED_XF86_TYPES, 1, [Need XFree86 typedefs])
- 	AC_DEFINE(NEED_XF86_PROTOTYPES, 1, [Need XFree86 helper functions])
- 	AC_DEFINE(__XSERVERNAME__, "Xorg", [Name of X server])
-@@ -2691,6 +2697,7 @@ hw/dmx/Makefile
- hw/dmx/man/Makefile
- hw/vfb/Makefile
- hw/vfb/man/Makefile
-+hw/vnc/Makefile
- hw/xnest/Makefile
- hw/xnest/man/Makefile
- hw/xwin/Makefile
-diff -up xserver/hw/Makefile.am.xserver116-rebased xserver/hw/Makefile.am
---- xserver/hw/Makefile.am.xserver116-rebased	2016-09-29 13:14:45.601441659 +0200
-+++ xserver/hw/Makefile.am	2016-09-29 13:14:45.631442006 +0200
-@@ -38,7 +38,8 @@ SUBDIRS =			\
- 	$(DMX_SUBDIRS)		\
- 	$(KDRIVE_SUBDIRS)	\
- 	$(XQUARTZ_SUBDIRS)	\
--	$(XWAYLAND_SUBDIRS)
-+	$(XWAYLAND_SUBDIRS)	\
-+	vnc
-
- DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland
-
-diff --git xserver/mi/miinitext.c xserver/mi/miinitext.c
-index 5596e21..003fc3c 100644
---- xserver/mi/miinitext.c
-+++ xserver/mi/miinitext.c
-@@ -107,8 +107,15 @@ SOFTWARE.
- #include "os.h"
- #include "globals.h"
-
-+#ifdef TIGERVNC
-+extern void vncExtensionInit(INITARGS);
-+#endif
-+
- /* List of built-in (statically linked) extensions */
- static const ExtensionModule staticExtensions[] = {
-+#ifdef TIGERVNC
-+    {vncExtensionInit, "VNC-EXTENSION", NULL},
-+#endif
-     {GEExtensionInit, "Generic Event Extension", &noGEExtension},
-     {ShapeExtensionInit, "SHAPE", NULL},
- #ifdef MITSHM
---- xserver/include/os.h~	2016-10-03 09:07:29.000000000 +0200
-+++ xserver/include/os.h	2016-10-03 14:13:00.013654506 +0200
-@@ -621,7 +621,7 @@
- extern _X_EXPORT void
- LogClose(enum ExitCode error);
- extern _X_EXPORT Bool
--LogSetParameter(LogParameter param, int value);
-+LogSetParameter(enum _LogParameter param, int value);
- extern _X_EXPORT void
- LogVWrite(int verb, const char *f, va_list args)
- _X_ATTRIBUTE_PRINTF(2, 0);

SOURCES/vncserver

@@ -121,7 +121,7 @@ if ($fontPath eq "") {
 # Check command line options
 
 &ParseOptions("-geometry",1,"-depth",1,"-pixelformat",1,"-name",1,"-kill",1,
-	      "-help",0,"-h",0,"--help",0,"-fp",1,"-list",0,"-fg",0,"-autokill",0,"-noxstartup",0,"-xstartup",1);
+	      "-help",0,"-h",0,"--help",0,"-fp",1,"-list",0,"-fg",0,"-autokill",0,"-noxstartup",0,"-xstartup",1,"-fallbacktofreeport",0);
 
 &Usage() if ($opt{'-help'} || $opt{'-h'} || $opt{'--help'});
 
@@ -168,7 +168,13 @@ if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) {
     $displayNumber = $1;
     shift(@ARGV);
     if (!&CheckDisplayNumber($displayNumber)) {
-	die "A VNC server is already running as :$displayNumber\n";
+        if ($opt{'-fallbacktofreeport'}) {
+            warn "A VNC server is already running as :$displayNumber\n";
+            $displayNumber = &GetDisplayNumber();
+            warn "Using port :$displayNumber as fallback\n";
+        } else {
+            die "A VNC server is already running as :$displayNumber\n";
+        }
     }
 } elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) {
     &Usage();
@@ -194,7 +200,6 @@ $default_opts{auth} = &quotedString($xauthorityFile);
 $default_opts{geometry} = $geometry if ($geometry);
 $default_opts{depth} = $depth if ($depth);
 $default_opts{pixelformat} = $pixelformat if ($pixelformat);
-$default_opts{rfbwait} = 30000;
 $default_opts{rfbauth} = "$vncUserDir/passwd";
 $default_opts{rfbport} = $vncPort;
 $default_opts{fp} = $fontPath if ($fontPath);
@@ -675,6 +680,7 @@ sub Usage
 	"                 [-autokill]\n".
 	"                 [-noxstartup]\n".
 	"                 [-xstartup <file>]\n".
+	"                 [-fallbacktofreeport]\n".
 	"                 <Xvnc-options>...\n\n".
 	"       $prog -kill <X-display>\n\n".
 	"       $prog -list\n\n");
@@ -892,6 +898,6 @@ sub SanityCheck
 
 sub NotifyAboutDeprecation
 {
-    warn "\nWARNING: vncserver has been replaced by a systemd unit and is about to be removed in future releases.\n";
+    warn "\nWARNING: vncserver has been replaced by a systemd unit and is now considered deprecated and removed in upstream.\n";
     warn "Please read /usr/share/doc/tigervnc/HOWTO.md for more information.\n";
 }

SOURCES/vncserver.man

@@ -1,204 +0,0 @@
-.TH vncserver 1 "" "TigerVNC" "Virtual Network Computing"
-.SH NAME
-vncserver \- start or stop a VNC server
-.SH SYNOPSIS
-.B vncserver
-.RI [: display# ]
-.RB [ \-name
-.IR desktop-name ]
-.RB [ \-geometry
-.IR width x height ]
-.RB [ \-depth
-.IR depth ]
-.RB [ \-pixelformat
-.IR format ]
-.RB [ \-fp
-.IR font-path ]
-.RB [ \-fg ]
-.RB [ \-autokill ]
-.RB [ \-noxstartup ]
-.RB [ \-xstartup
-.IR script ]
-.RI [ Xvnc-options... ]
-.br
-.BI "vncserver \-kill :" display#
-.br
-.BI "vncserver \-list"
-.SH DESCRIPTION
-.B vncserver
-is used to start a VNC (Virtual Network Computing) desktop.
-.B vncserver
-is a Perl script which simplifies the process of starting an Xvnc server.  It
-runs Xvnc with appropriate options and starts a window manager on the VNC
-desktop.
-
-.B vncserver
-can be run with no options at all. In this case it will choose the first
-available display number (usually :1), start Xvnc with that display number,
-and start the default window manager in the Xvnc session.  You can also
-specify the display number, in which case vncserver will attempt to start
-Xvnc with that display number and exit if the display number is not
-available.  For example:
-
-.RS
-vncserver :13
-.RE
-
-Editing the file $HOME/.vnc/xstartup allows you to change the applications run
-at startup (but note that this will not affect an existing VNC session.)
-
-.SH OPTIONS
-You can get a list of options by passing \fB\-h\fP as an option to vncserver.
-In addition to the options listed below, any unrecognised options will be
-passed to Xvnc - see the Xvnc man page, or "Xvnc \-help", for details.
-
-.TP
-.B \-name \fIdesktop-name\fP
-Each VNC desktop has a name which may be displayed by the viewer. The desktop
-name defaults to "\fIhost\fP:\fIdisplay#\fP (\fIusername\fP)", but you can
-change it with this option.  The desktop name option is passed to the xstartup
-script via the $VNCDESKTOP environment variable, which allows you to run a
-different set of applications depending on the name of the desktop.
-.
-.TP
-.B \-geometry \fIwidth\fPx\fIheight\fP
-Specify the size of the VNC desktop to be created. Default is 1024x768.
-.
-.TP
-.B \-depth \fIdepth\fP
-Specify the pixel depth (in bits) of the VNC desktop to be created. Default is
-24.  Other possible values are 8, 15 and 16 - anything else is likely to cause
-strange behaviour by applications.
-.
-.TP
-.B \-pixelformat \fIformat\fP
-Specify pixel format for Xvnc to use (BGRnnn or RGBnnn).  The default for
-depth 8 is BGR233 (meaning the most significant two bits represent blue, the
-next three green, and the least significant three represent red), the default
-for depth 16 is RGB565, and the default for depth 24 is RGB888.
-.
-.TP
-.B \-cc 3
-As an alternative to the default TrueColor visual, this allows you to run an
-Xvnc server with a PseudoColor visual (i.e. one which uses a color map or
-palette), which can be useful for running some old X applications which only
-work on such a display.  Values other than 3 (PseudoColor) and 4 (TrueColor)
-for the \-cc option may result in strange behaviour, and PseudoColor desktops
-must have an 8-bit depth.
-.
-.TP
-.B \-kill :\fIdisplay#\fP
-This kills a VNC desktop previously started with vncserver.  It does this by
-killing the Xvnc process, whose process ID is stored in the file
-"$HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.pid".  The
-.B \-kill
-option ignores anything preceding the first colon (":") in the display
-argument.  Thus, you can invoke "vncserver \-kill $DISPLAY", for example at the
-end of your xstartup file after a particular application exits.
-.
-.TP
-.B \-fp \fIfont-path\fP
-If the vncserver script detects that the X Font Server (XFS) is running, it
-will attempt to start Xvnc and configure Xvnc to use XFS for font handling.
-Otherwise, if XFS is not running, the vncserver script will attempt to start
-Xvnc and allow Xvnc to use its own preferred method of font handling (which may
-be a hard-coded font path or, on more recent systems, a font catalog.)  In
-any case, if Xvnc fails to start, the vncserver script will then attempt to
-determine an appropriate X font path for this system and start Xvnc using
-that font path.
-
-The
-.B \-fp
-argument allows you to override the above fallback logic and specify a font
-path for Xvnc to use.
-.
-.TP
-.B \-fg
-Runs Xvnc as a foreground process.  This has two effects: (1) The VNC server
-can be aborted with CTRL-C, and (2) the VNC server will exit as soon as the
-user logs out of the window manager in the VNC session.  This may be necessary
-when launching TigerVNC from within certain grid computing environments.
-.
-.TP
-.B \-autokill
-Automatically kill Xvnc whenever the xstartup script exits.  In most cases,
-this has the effect of terminating Xvnc when the user logs out of the window
-manager.
-.
-.TP
-.B \-noxstartup
-Do not run the %HOME/.vnc/xstartup script after launching Xvnc.  This
-option allows you to manually start a window manager in your TigerVNC session.
-.
-.TP
-.B \-xstartup \fIscript\fP
-Run a custom startup script, instead of %HOME/.vnc/xstartup, after launching
-Xvnc. This is useful to run full-screen applications.
-.
-.TP
-.B \-list
-Lists all VNC desktops started by vncserver.
-
-.SH FILES
-Several VNC-related files are found in the directory $HOME/.vnc:
-.TP
-$HOME/.vnc/xstartup
-A shell script specifying X applications to be run when a VNC desktop is
-started.  If this file does not exist, then vncserver will create a default
-xstartup script which attempts to launch your chosen window manager.
-.TP
-/etc/tigervnc/vncserver-config-defaults
-The optional system-wide equivalent of $HOME/.vnc/config. If this file exists
-and defines options to be passed to Xvnc, they will be used as defaults for
-users. The user's $HOME/.vnc/config overrides settings configured in this file.
-The overall configuration file load order is: this file, $HOME/.vnc/config,
-and then /etc/tigervnc/vncserver-config-mandatory. None are required to exist.
-.TP
-/etc/tigervnc/vncserver-config-mandatory
-The optional system-wide equivalent of $HOME/.vnc/config. If this file exists
-and defines options to be passed to Xvnc, they will override any of the same
-options defined in a user's $HOME/.vnc/config. This file offers a mechanism
-to establish some basic form of system-wide policy. WARNING! There is
-nothing stopping users from constructing their own vncserver-like script
-that calls Xvnc directly to bypass any options defined in
-/etc/tigervnc/vncserver-config-mandatory.  Likewise, any CLI arguments passed
-to vncserver will override ANY config file setting of the same name. The
-overall configuration file load order is:
-/etc/tigervnc/vncserver-config-defaults, $HOME/.vnc/config, and then this file.
-None are required to exist.
-.TP
-$HOME/.vnc/config
-An optional server config file wherein options to be passed to Xvnc are listed
-to avoid hard-coding them to the physical invocation. List options in this file
-one per line. For those requiring an argument, simply separate the option from
-the argument with an equal sign, for example: "geometry=2000x1200" or
-"securitytypes=vncauth,tlsvnc". Options without an argument are simply listed
-as a single word, for example: "localhost" or "alwaysshared".
-.TP
-$HOME/.vnc/passwd
-The VNC password file.
-.TP
-$HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.log
-The log file for Xvnc and applications started in xstartup.
-.TP
-$HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.pid
-Identifies the Xvnc process ID, used by the
-.B \-kill
-option.
-
-.SH SEE ALSO
-.BR vncviewer (1),
-.BR vncpasswd (1),
-.BR vncconfig (1),
-.BR Xvnc (1)
-.br
-https://www.tigervnc.org
-
-.SH AUTHOR
-Tristan Richardson, RealVNC Ltd., D. R. Commander and others.
-
-VNC was originally developed by the RealVNC team while at Olivetti
-Research Ltd / AT&T Laboratories Cambridge.  TightVNC additions were
-implemented by Constantin Kaplinsky. Many other people have since
-participated in development, testing and support. This manual is part
-of the TigerVNC software suite.

SOURCES/xorg-CVE-2025-26594-2.patch

@@ -0,0 +1,46 @@
+From ded614e74e7175927dd2bc5ef69accaf2de29939 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 4 Dec 2024 15:49:43 +1000
+Subject: [PATCH xserver 2/2] dix: keep a ref to the rootCursor
+
+CreateCursor returns a cursor with refcount 1 - that refcount is used by
+the resource system, any caller needs to call RefCursor to get their own
+reference. That happens correctly for normal cursors but for our
+rootCursor we keep a variable to the cursor despite not having a ref for
+ourselves.
+
+Fix this by reffing/unreffing the rootCursor to ensure our pointer is
+valid.
+
+Related to CVE-2025-26594, ZDI-CAN-25544
+
+Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
+---
+ dix/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/dix/main.c b/dix/main.c
+index aa7b020b2..0c57ba605 100644
+--- a/dix/main.c
++++ b/dix/main.c
+@@ -235,6 +235,8 @@ dix_main(int argc, char *argv[], char *envp[])
+                        defaultCursorFont);
+         }
+ 
++        rootCursor = RefCursor(rootCursor);
++
+ #ifdef PANORAMIX
+         /*
+          * Consolidate window and colourmap information for each screen
+@@ -275,6 +277,8 @@ dix_main(int argc, char *argv[], char *envp[])
+ 
+         Dispatch();
+ 
++        UnrefCursor(rootCursor);
++
+         UndisplayDevices();
+         DisableAllDevices();
+ 
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26594.patch

@@ -0,0 +1,52 @@
+From efca605c45ff51b57f136222b966ce1d610ebc33 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 27 Nov 2024 11:27:05 +0100
+Subject: [PATCH xserver 1/2] Cursor: Refuse to free the root cursor
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a cursor reference count drops to 0, the cursor is freed.
+
+The root cursor however is referenced with a specific global variable,
+and when the root cursor is freed, the global variable may still point
+to freed memory.
+
+Make sure to prevent the rootCursor from being explicitly freed by a
+client.
+
+CVE-2025-26594, ZDI-CAN-25544
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
+<peter.hutterer@who-t.net>)
+v3: Return BadCursor instead of BadValue (Michel Dänzer
+<michel@daenzer.net>)
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ dix/dispatch.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 5f7cfe02d..d1241fa96 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -3039,6 +3039,10 @@ ProcFreeCursor(ClientPtr client)
+     rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR,
+                                  client, DixDestroyAccess);
+     if (rc == Success) {
++        if (pCursor == rootCursor) {
++            client->errorValue = stuff->id;
++            return BadCursor;
++        }
+         FreeResource(stuff->id, RT_NONE);
+         return Success;
+     }
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26595.patch

@@ -0,0 +1,60 @@
+From 98602942c143075ab7464f917e0fc5d31ce28c3f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 27 Nov 2024 14:41:45 +0100
+Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbVModMaskText()
+
+The code in XkbVModMaskText() allocates a fixed sized buffer on the
+stack and copies the virtual mod name.
+
+There's actually two issues in the code that can lead to a buffer
+overflow.
+
+First, the bound check mixes pointers and integers using misplaced
+parenthesis, defeating the bound check.
+
+But even though, if the check fails, the data is still copied, so the
+stack overflow will occur regardless.
+
+Change the logic to skip the copy entirely if the bound check fails.
+
+CVE-2025-26595, ZDI-CAN-25545
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkbtext.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
+index 018466420..93262528b 100644
+--- a/xkb/xkbtext.c
++++ b/xkb/xkbtext.c
+@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb,
+                 len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+                 if (format == XkbCFile)
+                     len += 4;
+-                if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
+-                    if (str != buf) {
+-                        if (format == XkbCFile)
+-                            *str++ = '|';
+-                        else
+-                            *str++ = '+';
+-                        len--;
+-                    }
++                if ((str - buf) + len > VMOD_BUFFER_SIZE)
++                    continue; /* Skip */
++                if (str != buf) {
++                    if (format == XkbCFile)
++                        *str++ = '|';
++                    else
++                        *str++ = '+';
++                    len--;
+                 }
+                 if (format == XkbCFile)
+                     sprintf(str, "%sMask", tmp);
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26596.patch

@@ -0,0 +1,44 @@
+From b41f6fce201e77a174550935330e2f7772d4adf9 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Thu, 28 Nov 2024 11:49:34 +0100
+Subject: [PATCH xserver] xkb: Fix computation of XkbSizeKeySyms
+
+The computation of the length in XkbSizeKeySyms() differs from what is
+actually written in XkbWriteKeySyms(), leading to a heap overflow.
+
+Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms()
+does.
+
+CVE-2025-26596, ZDI-CAN-25543
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 85659382d..744dba63d 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep)
+     len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc);
+     symMap = &xkb->map->key_sym_map[rep->firstKeySym];
+     for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) {
+-        if (symMap->offset != 0) {
+-            nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
+-            nSyms += nSymsThisKey;
+-        }
++        nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
++        if (nSymsThisKey == 0)
++            continue;
++        nSyms += nSymsThisKey;
+     }
+     len += nSyms * 4;
+     rep->totalSyms = nSyms;
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26597.patch

@@ -0,0 +1,41 @@
+From c5114475db18f29d639537d60e135bdfc11a5d3a Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Thu, 28 Nov 2024 14:09:04 +0100
+Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbChangeTypesOfKey()
+
+If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
+key syms to 0 but leave the key actions unchanged.
+
+If later, the same function is called with a non-zero value for nGroups,
+this will cause a buffer overflow because the key actions are of the wrong
+size.
+
+To avoid the issue, make sure to resize both the key syms and key actions
+when nGroups is 0.
+
+CVE-2025-26597, ZDI-CAN-25683
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/XKBMisc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c
+index abbfed90e..fd180fad2 100644
+--- a/xkb/XKBMisc.c
++++ b/xkb/XKBMisc.c
+@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
+         i = XkbSetNumGroups(i, 0);
+         xkb->map->key_sym_map[key].group_info = i;
+         XkbResizeKeySyms(xkb, key, 0);
++        XkbResizeKeyActions(xkb, key, 0);
+         return Success;
+     }
+ 
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26598.patch

@@ -0,0 +1,115 @@
+From 0f5ea9d269ac6225bcb302a1ec0f58878114da9f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 16 Dec 2024 11:25:11 +0100
+Subject: [PATCH xserver] Xi: Fix barrier device search
+
+The function GetBarrierDevice() would search for the pointer device
+based on its device id and return the matching value, or supposedly NULL
+if no match was found.
+
+Unfortunately, as written, it would return the last element of the list
+if no matching device id was found which can lead to out of bounds
+memory access.
+
+Fix the search function to return NULL if not matching device is found,
+and adjust the callers to handle the case where the device cannot be
+found.
+
+CVE-2025-26598, ZDI-CAN-25740
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xi/xibarriers.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
+index 80c4b5981..28bc0a24f 100644
+--- a/Xi/xibarriers.c
++++ b/Xi/xibarriers.c
+@@ -131,14 +131,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c)
+ 
+ static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid)
+ {
+-    struct PointerBarrierDevice *pbd = NULL;
++    struct PointerBarrierDevice *p, *pbd = NULL;
+ 
+-    xorg_list_for_each_entry(pbd, &c->per_device, entry) {
+-        if (pbd->deviceid == deviceid)
++    xorg_list_for_each_entry(p, &c->per_device, entry) {
++        if (p->deviceid == deviceid) {
++            pbd = p;
+             break;
++        }
+     }
+ 
+-    BUG_WARN(!pbd);
+     return pbd;
+ }
+ 
+@@ -339,6 +340,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev,
+         double distance;
+ 
+         pbd = GetBarrierDevice(c, dev->id);
++        if (!pbd)
++            continue;
++
+         if (pbd->seen)
+             continue;
+ 
+@@ -447,6 +451,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
+         nearest = &c->barrier;
+ 
+         pbd = GetBarrierDevice(c, master->id);
++        if (!pbd)
++            continue;
++
+         new_sequence = !pbd->hit;
+ 
+         pbd->seen = TRUE;
+@@ -487,6 +494,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
+         int flags = 0;
+ 
+         pbd = GetBarrierDevice(c, master->id);
++        if (!pbd)
++            continue;
++
+         pbd->seen = FALSE;
+         if (!pbd->hit)
+             continue;
+@@ -681,6 +691,9 @@ BarrierFreeBarrier(void *data, XID id)
+             continue;
+ 
+         pbd = GetBarrierDevice(c, dev->id);
++        if (!pbd)
++            continue;
++
+         if (!pbd->hit)
+             continue;
+ 
+@@ -740,6 +753,8 @@ static void remove_master_func(void *res, XID id, void *devid)
+     barrier = container_of(b, struct PointerBarrierClient, barrier);
+ 
+     pbd = GetBarrierDevice(barrier, *deviceid);
++    if (!pbd)
++        return;
+ 
+     if (pbd->hit) {
+         BarrierEvent ev = {
+@@ -904,6 +919,10 @@ ProcXIBarrierReleasePointer(ClientPtr client)
+         barrier = container_of(b, struct PointerBarrierClient, barrier);
+ 
+         pbd = GetBarrierDevice(barrier, dev->id);
++        if (!pbd) {
++            client->errorValue = dev->id;
++            return BadDevice;
++        }
+ 
+         if (pbd->barrier_event_id == event_id)
+             pbd->release_event_id = event_id;
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26599-2.patch

@@ -0,0 +1,124 @@
+From f5ce639ff9d3af05e79efce6c51e084352d28ed1 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Jan 2025 16:09:43 +0100
+Subject: [PATCH xserver 2/2] composite: initialize border clip even when
+ pixmap alloc fails
+
+If it fails to allocate the pixmap, the function compAllocPixmap() would
+return early and leave the borderClip region uninitialized, which may
+lead to the use of uninitialized value as reported by valgrind:
+
+ Conditional jump or move depends on uninitialised value(s)
+    at 0x4F9B33: compClipNotify (compwindow.c:317)
+    by 0x484FC9: miComputeClips (mivaltree.c:476)
+    by 0x48559A: miValidateTree (mivaltree.c:679)
+    by 0x4F0685: MapWindow (window.c:2693)
+    by 0x4A344A: ProcMapWindow (dispatch.c:922)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+  Uninitialised value was created by a heap allocation
+    at 0x4841866: malloc (vg_replace_malloc.c:446)
+    by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+    by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+    by 0x4EBB89: CreateWindow (window.c:925)
+    by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+
+ Conditional jump or move depends on uninitialised value(s)
+    at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
+    by 0x4F9255: RegionTranslate (regionstr.h:312)
+    by 0x4F9B7E: compClipNotify (compwindow.c:319)
+    by 0x484FC9: miComputeClips (mivaltree.c:476)
+    by 0x48559A: miValidateTree (mivaltree.c:679)
+    by 0x4F0685: MapWindow (window.c:2693)
+    by 0x4A344A: ProcMapWindow (dispatch.c:922)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+  Uninitialised value was created by a heap allocation
+    at 0x4841866: malloc (vg_replace_malloc.c:446)
+    by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+    by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+    by 0x4EBB89: CreateWindow (window.c:925)
+    by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+
+ Conditional jump or move depends on uninitialised value(s)
+    at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
+    by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
+    by 0x4F9255: RegionTranslate (regionstr.h:312)
+    by 0x4F9B7E: compClipNotify (compwindow.c:319)
+    by 0x484FC9: miComputeClips (mivaltree.c:476)
+    by 0x48559A: miValidateTree (mivaltree.c:679)
+    by 0x4F0685: MapWindow (window.c:2693)
+    by 0x4A344A: ProcMapWindow (dispatch.c:922)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+  Uninitialised value was created by a heap allocation
+    at 0x4841866: malloc (vg_replace_malloc.c:446)
+    by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+    by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+    by 0x4EBB89: CreateWindow (window.c:925)
+    by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+
+Fix compAllocPixmap() to initialize the border clip even if the creation
+of the backing pixmap has failed, to avoid depending later on
+uninitialized border clip values.
+
+Related to CVE-2025-26599, ZDI-CAN-25851
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ composite/compalloc.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/composite/compalloc.c b/composite/compalloc.c
+index ecb1b6147..d1342799b 100644
+--- a/composite/compalloc.c
++++ b/composite/compalloc.c
+@@ -605,9 +605,12 @@ compAllocPixmap(WindowPtr pWin)
+     int h = pWin->drawable.height + (bw << 1);
+     PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h);
+     CompWindowPtr cw = GetCompWindow(pWin);
++    Bool status;
+ 
+-    if (!pPixmap)
+-        return FALSE;
++    if (!pPixmap) {
++        status = FALSE;
++        goto out;
++    }
+     if (cw->update == CompositeRedirectAutomatic)
+         pWin->redirectDraw = RedirectDrawAutomatic;
+     else
+@@ -621,14 +624,16 @@ compAllocPixmap(WindowPtr pWin)
+         DamageRegister(&pWin->drawable, cw->damage);
+         cw->damageRegistered = TRUE;
+     }
++    status = TRUE;
+ 
++out:
+     /* Make sure our borderClip is up to date */
+     RegionUninit(&cw->borderClip);
+     RegionCopy(&cw->borderClip, &pWin->borderClip);
+     cw->borderClipX = pWin->drawable.x;
+     cw->borderClipY = pWin->drawable.y;
+ 
+-    return TRUE;
++    return status;
+ }
+ 
+ void
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26599.patch

@@ -0,0 +1,62 @@
+From 10a24e364ac15983051d0bb90817c88bbe107036 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Tue, 17 Dec 2024 15:19:45 +0100
+Subject: [PATCH xserver 1/2] composite: Handle failure to redirect in
+ compRedirectWindow()
+
+The function compCheckRedirect() may fail if it cannot allocate the
+backing pixmap.
+
+In that case, compRedirectWindow() will return a BadAlloc error.
+
+However that failure code path will shortcut the validation of the
+window tree marked just before, which leaves the validate data partly
+initialized.
+
+That causes a use of uninitialized pointer later.
+
+The fix is to not shortcut the call to compHandleMarkedWindows() even in
+the case of compCheckRedirect() returning an error.
+
+CVE-2025-26599, ZDI-CAN-25851
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ composite/compalloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/composite/compalloc.c b/composite/compalloc.c
+index e52c009bd..ecb1b6147 100644
+--- a/composite/compalloc.c
++++ b/composite/compalloc.c
+@@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
+     CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
+     WindowPtr pLayerWin;
+     Bool anyMarked = FALSE;
++    int status = Success;
+ 
+     if (pWin == cs->pOverlayWin) {
+         return Success;
+@@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
+ 
+     if (!compCheckRedirect(pWin)) {
+         FreeResource(ccw->id, RT_NONE);
+-        return BadAlloc;
++        status = BadAlloc;
+     }
+ 
+     if (anyMarked)
+         compHandleMarkedWindows(pWin, pLayerWin);
+ 
+-    return Success;
++    return status;
+ }
+ 
+ void
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26600.patch

@@ -0,0 +1,64 @@
+From 70ad5d36ae80f6e5a436eabfee642c2c013e51cc Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 16 Dec 2024 16:18:04 +0100
+Subject: [PATCH xserver] dix: Dequeue pending events on frozen device on
+ removal
+
+When a device is removed while still frozen, the events queued for that
+device remain while the device itself is freed.
+
+As a result, replaying the events will cause a use after free.
+
+To avoid the issue, make sure to dequeue and free any pending events on
+a frozen device when removed.
+
+CVE-2025-26600, ZDI-CAN-25871
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ dix/devices.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 969819534..740390207 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -966,6 +966,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
+ 
+ }
+ 
++static void
++FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
++{
++    QdEventPtr qe, tmp;
++
++    if (!dev->deviceGrab.sync.frozen)
++        return;
++
++    /* Dequeue any frozen pending events */
++    xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
++        if (qe->device == dev) {
++            xorg_list_del(&qe->next);
++            free(qe);
++        }
++    }
++}
++
+ /**
+  * Close down a device and free all resources.
+  * Once closed down, the driver will probably not expect you that you'll ever
+@@ -1030,6 +1047,7 @@ CloseDevice(DeviceIntPtr dev)
+         free(dev->last.touches[j].valuators);
+     free(dev->last.touches);
+     dev->config_info = NULL;
++    FreePendingFrozenDeviceEvents(dev);
+     dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE);
+     free(dev);
+ }
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26601-2.patch

@@ -0,0 +1,80 @@
+From 7dc3f11abb51cad8a59ecbff5278c8c8a318df41 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 16:54:30 +0100
+Subject: [PATCH xserver 2/4] sync: Check values before applying changes
+
+In SyncInitTrigger(), we would set the CheckTrigger function before
+validating the counter value.
+
+As a result, if the counter value overflowed, we would leave the
+function SyncInitTrigger() with the CheckTrigger applied but without
+updating the trigger object.
+
+To avoid that issue, move the portion of code checking for the trigger
+check value before updating the CheckTrigger function.
+
+Related to CVE-2025-26601, ZDI-CAN-25870
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xext/sync.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index 4267d3af6..4eab5a6ac 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -351,6 +351,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+         }
+     }
+ 
++    if (changes & (XSyncCAValueType | XSyncCAValue)) {
++        if (pTrigger->value_type == XSyncAbsolute)
++            pTrigger->test_value = pTrigger->wait_value;
++        else {                  /* relative */
++            Bool overflow;
++
++            if (pCounter == NULL)
++                return BadMatch;
++
++            overflow = checked_int64_add(&pTrigger->test_value,
++                                         pCounter->value, pTrigger->wait_value);
++            if (overflow) {
++                client->errorValue = pTrigger->wait_value >> 32;
++                return BadValue;
++            }
++        }
++    }
++
+     if (changes & XSyncCATestType) {
+ 
+         if (pSync && SYNC_FENCE == pSync->type) {
+@@ -379,24 +397,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+         }
+     }
+ 
+-    if (changes & (XSyncCAValueType | XSyncCAValue)) {
+-        if (pTrigger->value_type == XSyncAbsolute)
+-            pTrigger->test_value = pTrigger->wait_value;
+-        else {                  /* relative */
+-            Bool overflow;
+-
+-            if (pCounter == NULL)
+-                return BadMatch;
+-
+-            overflow = checked_int64_add(&pTrigger->test_value,
+-                                         pCounter->value, pTrigger->wait_value);
+-            if (overflow) {
+-                client->errorValue = pTrigger->wait_value >> 32;
+-                return BadValue;
+-            }
+-        }
+-    }
+-
+     if (changes & XSyncCACounter) {
+         if (pSync != pTrigger->pSync) { /* new counter for trigger */
+             SyncDeleteTriggerFromSyncObject(pTrigger);
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26601-3.patch

@@ -0,0 +1,47 @@
+From 4ccaa5134482b6be9c9a7f0b66cd221ef325d082 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 17:06:07 +0100
+Subject: [PATCH xserver 3/4] sync: Do not fail SyncAddTriggerToSyncObject()
+
+We do not want to return a failure at the very last step in
+SyncInitTrigger() after having all changes applied.
+
+SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
+allocation of the SyncTriggerList fails, trigger a FatalError() instead.
+
+Related to CVE-2025-26601, ZDI-CAN-25870
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xext/sync.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index 4eab5a6ac..c36de1a2e 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -200,8 +200,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger)
+             return Success;
+     }
+ 
+-    if (!(pCur = malloc(sizeof(SyncTriggerList))))
+-        return BadAlloc;
++    /* Failure is not an option, it's succeed or burst! */
++    pCur = XNFalloc(sizeof(SyncTriggerList));
+ 
+     pCur->pTrigger = pTrigger;
+     pCur->next = pTrigger->pSync->pTriglist;
+@@ -409,8 +409,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+      *  a new counter on a trigger
+      */
+     if (newSyncObject) {
+-        if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)
+-            return rc;
++        SyncAddTriggerToSyncObject(pTrigger);
+     }
+     else if (pCounter && IsSystemCounter(pCounter)) {
+         SyncComputeBracketValues(pCounter);
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26601-4.patch

@@ -0,0 +1,128 @@
+From f0984082067f79b45383fa1eb889c6a901667331 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 17:10:31 +0100
+Subject: [PATCH xserver 4/4] sync: Apply changes last in
+ SyncChangeAlarmAttributes()
+
+SyncChangeAlarmAttributes() would apply the various changes while
+checking for errors.
+
+If one of the changes triggers an error, the changes for the trigger,
+counter or delta value would remain, possibly leading to inconsistent
+changes.
+
+Postpone the actual changes until we're sure nothing else can go wrong.
+
+Related to CVE-2025-26601, ZDI-CAN-25870
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xext/sync.c | 42 +++++++++++++++++++++++++++---------------
+ 1 file changed, 27 insertions(+), 15 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index c36de1a2e..e282e6657 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -800,8 +800,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+     int status;
+     XSyncCounter counter;
+     Mask origmask = mask;
++    SyncTrigger trigger;
++    Bool select_events_changed = FALSE;
++    Bool select_events_value;
++    int64_t delta;
+ 
+-    counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None;
++    trigger = pAlarm->trigger;
++    delta = pAlarm->delta;
++    counter = trigger.pSync ? trigger.pSync->id : None;
+ 
+     while (mask) {
+         int index2 = lowbit(mask);
+@@ -817,24 +823,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+         case XSyncCAValueType:
+             mask &= ~XSyncCAValueType;
+             /* sanity check in SyncInitTrigger */
+-            pAlarm->trigger.value_type = *values++;
++            trigger.value_type = *values++;
+             break;
+ 
+         case XSyncCAValue:
+             mask &= ~XSyncCAValue;
+-            pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
++            trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
+             values += 2;
+             break;
+ 
+         case XSyncCATestType:
+             mask &= ~XSyncCATestType;
+             /* sanity check in SyncInitTrigger */
+-            pAlarm->trigger.test_type = *values++;
++            trigger.test_type = *values++;
+             break;
+ 
+         case XSyncCADelta:
+             mask &= ~XSyncCADelta;
+-            pAlarm->delta = ((int64_t)values[0] << 32) | values[1];
++            delta = ((int64_t)values[0] << 32) | values[1];
+             values += 2;
+             break;
+ 
+@@ -844,10 +850,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+                 client->errorValue = *values;
+                 return BadValue;
+             }
+-            status = SyncEventSelectForAlarm(pAlarm, client,
+-                                             (Bool) (*values++));
+-            if (status != Success)
+-                return status;
++            select_events_value = (Bool) (*values++);
++            select_events_changed = TRUE;
+             break;
+ 
+         default:
+@@ -856,25 +860,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+         }
+     }
+ 
++    if (select_events_changed) {
++        status = SyncEventSelectForAlarm(pAlarm, client, select_events_value);
++        if (status != Success)
++            return status;
++    }
++
+     /* "If the test-type is PositiveComparison or PositiveTransition
+      *  and delta is less than zero, or if the test-type is
+      *  NegativeComparison or NegativeTransition and delta is
+      *  greater than zero, a Match error is generated."
+      */
+     if (origmask & (XSyncCADelta | XSyncCATestType)) {
+-        if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) ||
+-              (pAlarm->trigger.test_type == XSyncPositiveTransition))
+-             && pAlarm->delta < 0)
++        if ((((trigger.test_type == XSyncPositiveComparison) ||
++              (trigger.test_type == XSyncPositiveTransition))
++             && delta < 0)
+             ||
+-            (((pAlarm->trigger.test_type == XSyncNegativeComparison) ||
+-              (pAlarm->trigger.test_type == XSyncNegativeTransition))
+-             && pAlarm->delta > 0)
++            (((trigger.test_type == XSyncNegativeComparison) ||
++              (trigger.test_type == XSyncNegativeTransition))
++             && delta > 0)
+             ) {
+             return BadMatch;
+         }
+     }
+ 
+     /* postpone this until now, when we're sure nothing else can go wrong */
++    pAlarm->delta = delta;
++    pAlarm->trigger = trigger;
+     if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter,
+                                   origmask & XSyncCAAllTrigger)) != Success)
+         return status;
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26601.patch

@@ -0,0 +1,66 @@
+From 573a2265aacfeaddcc1bb001905a6f7d4fa15ee6 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 16:52:01 +0100
+Subject: [PATCH xserver 1/4] sync: Do not let sync objects uninitialized
+
+When changing an alarm, the change mask values are evaluated one after
+the other, changing the trigger values as requested and eventually,
+SyncInitTrigger() is called.
+
+SyncInitTrigger() will evaluate the XSyncCACounter first and may free
+the existing sync object.
+
+Other changes are then evaluated and may trigger an error and an early
+return, not adding the new sync object.
+
+This can be used to cause a use after free when the alarm eventually
+triggers.
+
+To avoid the issue, delete the existing sync object as late as possible
+only once we are sure that no further error will cause an early exit.
+
+CVE-2025-26601, ZDI-CAN-25870
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xext/sync.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index b6417b3b0..4267d3af6 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -330,11 +330,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+             client->errorValue = syncObject;
+             return rc;
+         }
+-        if (pSync != pTrigger->pSync) { /* new counter for trigger */
+-            SyncDeleteTriggerFromSyncObject(pTrigger);
+-            pTrigger->pSync = pSync;
+-            newSyncObject = TRUE;
+-        }
+     }
+ 
+     /* if system counter, ask it what the current value is */
+@@ -402,6 +397,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+         }
+     }
+ 
++    if (changes & XSyncCACounter) {
++        if (pSync != pTrigger->pSync) { /* new counter for trigger */
++            SyncDeleteTriggerFromSyncObject(pTrigger);
++            pTrigger->pSync = pSync;
++            newSyncObject = TRUE;
++        }
++    }
++
+     /*  we wait until we're sure there are no errors before registering
+      *  a new counter on a trigger
+      */
+-- 
+2.48.1
+

SPECS/tigervnc.spec

@@ -4,8 +4,8 @@
 %global modulename vncsession
 
 Name:           tigervnc
-Version:        1.11.0
-Release:        9%{?dist}
+Version:        1.15.0
+Release:        1%{?dist}
 Summary:        A TigerVNC remote display system
 
 %global _hardened_build 1
@@ -13,57 +13,94 @@ Summary:        A TigerVNC remote display system
 License:        GPLv2+
 URL:            http://www.tigervnc.com
 
-Source0:        %{name}-%{version}.tar.gz
+Source0:        https://github.com/TigerVNC/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        xvnc.service
 Source2:        xvnc.socket
 Source3:        10-libvnc.conf
-Source4:        HOWTO.md
 
 # Backwards compatibility
 Source5:        vncserver
-Source6:        vncserver.man
 
-Patch2:         tigervnc-getmaster.patch
-Patch5:         tigervnc-cursor.patch
-Patch6:         tigervnc-1.3.1-CVE-2014-8240.patch
-Patch8:         tigervnc-let-user-know-about-not-using-view-only-password.patch
-Patch9:         tigervnc-working-tls-on-fips-systems.patch
-Patch11:        tigervnc-utilize-system-crypto-policies.patch
-Patch12:        tigervnc-passwd-crash-with-malloc-checks.patch
-Patch13:        tigervnc-use-gnome-as-default-session.patch
+# Downstream patches
+Patch1:         tigervnc-use-gnome-as-default-session.patch
+# https://github.com/TigerVNC/tigervnc/pull/1425
+Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch
+Patch3:         tigervnc-dont-install-appstream-metadata-file.patch
 
 # Upstream patches
-Patch50:        tigervnc-tolerate-specifying-boolparam.patch
-Patch51:        tigervnc-systemd-service.patch
-Patch52:        tigervnc-correctly-start-vncsession-as-daemon.patch
-Patch53:        tigervnc-selinux-missing-compression-and-correct-location.patch
-Patch54:        tigervnc-selinux-policy-improvements.patch
+Patch50:        tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch
+Patch51:        tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch
+
+# Upstreamable patches
 
-# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
-Patch100:       tigervnc-xserver120.patch
 # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
-Patch101:       0001-rpath-hack.patch
+Patch100:       0001-rpath-hack.patch
 
+# XServer patches
+Patch200:       xorg-CVE-2025-26594.patch
+Patch201:       xorg-CVE-2025-26594-2.patch
+Patch202:       xorg-CVE-2025-26595.patch
+Patch203:       xorg-CVE-2025-26596.patch
+Patch204:       xorg-CVE-2025-26597.patch
+Patch205:       xorg-CVE-2025-26598.patch
+Patch206:       xorg-CVE-2025-26599.patch
+Patch207:       xorg-CVE-2025-26599-2.patch
+Patch208:       xorg-CVE-2025-26600.patch
+Patch209:       xorg-CVE-2025-26601.patch
+Patch210:       xorg-CVE-2025-26601-2.patch
+Patch211:       xorg-CVE-2025-26601-3.patch
+Patch212:       xorg-CVE-2025-26601-4.patch
+
+BuildRequires:  make
 BuildRequires:  gcc-c++
-BuildRequires:  libX11-devel, automake, autoconf, libtool, gettext, gettext-autopoint
-BuildRequires:  libXext-devel, xorg-x11-server-source, libXi-devel
-BuildRequires:  xorg-x11-xtrans-devel, xorg-x11-util-macros, libXtst-devel
-BuildRequires:  libxkbfile-devel, openssl-devel, libpciaccess-devel
-BuildRequires:  mesa-libGL-devel, libXinerama-devel, xorg-x11-font-utils
-BuildRequires:  freetype-devel, libXdmcp-devel, libxshmfence-devel
-BuildRequires:  libjpeg-turbo-devel, gnutls-devel, pam-devel
-BuildRequires:  libdrm-devel, libXt-devel, pixman-devel
-BuildRequires:  systemd, cmake, desktop-file-utils, selinux-policy-devel
-%if 0%{?fedora} > 24 || 0%{?rhel} >= 7
-BuildRequires:  libXfont2-devel
-%else
-BuildRequires:  libXfont-devel
-%endif
+BuildRequires:  gettext
+BuildRequires:  cmake
+
+BuildRequires:  gnutls-devel
+BuildRequires:  desktop-file-utils
+BuildRequires:  libappstream-glib
+BuildRequires:  libjpeg-turbo-devel
+BuildRequires:  openssl-devel
+BuildRequires:  pam-devel
+BuildRequires:  zlib-devel
 
 # TigerVNC 1.4.x requires fltk 1.3.3 for keyboard handling support
 # See https://github.com/TigerVNC/tigervnc/issues/8, also bug #1208814
 BuildRequires:  fltk-devel >= 1.3.3
+BuildRequires:  libX11-devel
+BuildRequires:  libXext-devel
+BuildRequires:  libXi-devel
+BuildRequires:  libXrandr-devel
+BuildRequires:  libXrender-devel
+BuildRequires:  pixman-devel
+
+# X11/graphics dependencies
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  gettext-autopoint
+BuildRequires:  libXdamage-devel
+BuildRequires:  libXdmcp-devel
+BuildRequires:  libXfixes-devel
+BuildRequires:  libXfont2-devel
+BuildRequires:  libXinerama-devel
+BuildRequires:  libXt-devel
+BuildRequires:  libXtst-devel
+BuildRequires:  libdrm-devel
+BuildRequires:  mesa-libgbm-devel
+BuildRequires:  libtool
+BuildRequires:  libxkbfile-devel
+BuildRequires:  libxshmfence-devel
+BuildRequires:  mesa-libGL-devel
+BuildRequires:  pkgconfig(fontutil)
+BuildRequires:  pkgconfig(xkbcomp)
 BuildRequires:  xorg-x11-server-devel
+BuildRequires:  xorg-x11-server-source
+BuildRequires:  xorg-x11-util-macros
+BuildRequires:  xorg-x11-xtrans-devel
+
+# SELinux
+BuildRequires:  libselinux-devel
+BuildRequires:  selinux-policy-devel
 
 Requires(post): coreutils
 Requires(postun):coreutils
@@ -71,6 +108,7 @@ Requires(postun):coreutils
 Requires:       hicolor-icon-theme
 Requires:       tigervnc-license
 Requires:       tigervnc-icons
+Requires:       which
 
 %description
 Virtual Network Computing (VNC) is a remote display system which
@@ -101,11 +139,16 @@ X session.
 
 %package server-minimal
 Summary:        A minimal installation of TigerVNC server
-Requires(post): chkconfig
-Requires(preun):chkconfig
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+Requires(post): systemd
 
-Requires:       mesa-dri-drivers, xkeyboard-config, xorg-x11-xkb-utils
-Requires:       tigervnc-license, dbus-x11
+Requires:       dbus-x11
+Requires:       mesa-dri-drivers
+Requires:       tigervnc-license
+Requires:       xkbcomp
+Requires:       xkeyboard-config
 
 %description server-minimal
 The VNC system allows you to access the same desktop from a wide
@@ -143,6 +186,10 @@ BuildRequires:  selinux-policy-devel
 Requires:       selinux-policy-%{selinuxtype}
 Requires(post): selinux-policy-%{selinuxtype}
 BuildRequires:  selinux-policy-devel
+# Required for matchpathcon
+Requires:       libselinux-utils
+# Required for restorecon
+Requires:       policycoreutils
 %{?selinux_requires}
 
 %description selinux
@@ -157,38 +204,33 @@ pushd unix/xserver
 for all in `find . -type f -perm -001`; do
         chmod -x "$all"
 done
-%patch100 -p1 -b .xserver120-rebased
-%patch101 -p1 -b .rpath
+%patch -P100 -p1 -b .rpath
+cat ../xserver120.patch | patch -p1
+
+%patch -P200 -p1 -b .xorg-CVE-2025-26594
+%patch -P201 -p1 -b .xorg-CVE-2025-26594-2
+%patch -P202 -p1 -b .xorg-CVE-2025-26595
+%patch -P203 -p1 -b .xorg-CVE-2025-26596
+%patch -P204 -p1 -b .xorg-CVE-2025-26597
+%patch -P205 -p1 -b .xorg-CVE-2025-26598
+%patch -P206 -p1 -b .xorg-CVE-2025-26599
+%patch -P207 -p1 -b .xorg-CVE-2025-26599-2
+%patch -P208 -p1 -b .xorg-CVE-2025-26600
+%patch -P209 -p1 -b .xorg-CVE-2025-26601
+%patch -P210 -p1 -b .xorg-CVE-2025-26601-2
+%patch -P211 -p1 -b .xorg-CVE-2025-26601-3
+%patch -P212 -p1 -b .xorg-CVE-2025-26601-4
 popd
 
-# libvnc.so: don't use unexported GetMaster function (bug #744881 again).
-%patch2 -p1 -b .getmaster
-
-# Fixed viewer crash when cursor has not been set (bug #1051333).
-%patch5 -p1 -b .cursor
-
-# CVE-2014-8240 tigervnc: integer overflow flaw, leading to a heap-based
-# buffer overflow in screen size handling
-%patch6 -p1 -b .tigervnc-1.3.1-CVE-2014-8240
-
-# Bug 1447555 - view-only accepts enter, unclear whether default password is generated or not
-%patch8 -p1 -b .let-user-know-about-not-using-view-only-password
-
-# Bug 1492107 - VNC cannot be used when FIPS is enabled because DH_BITS is too low
-%patch9 -p1 -b .working-tls-on-fips-systems
-
-# Utilize system-wide crypto policies
-%patch11 -p1 -b .utilize-system-crypto-policies.patch
-
-%patch12 -p1 -b .passwd-crash-with-malloc-checks
-%patch13 -p1 -b .use-gnome-as-default-session
+%patch -P1 -p1 -b .use-gnome-as-default-session
+%patch -P2 -p1 -b .vncsession-restore-script-systemd-service
+%patch -P3 -p1 -b .dont-install-appstream-metadata-file.patch
 
 # Upstream patches
-%patch50 -p1 -b .tolerate-specifying-boolparam
-%patch51 -p1 -b .systemd-service
-%patch52 -p1 -b .correctly-start-vncsession-as-daemon
-%patch53 -p1 -b .selinux-missing-compression-and-correct-location
-%patch54 -p1 -b .selinux-policy-improvements
+%patch -P50 -p1 -b .add-selinux-policy-rules-allowing-create-dirs-under-root-dir
+%patch -P51 -p1 -b .add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open
+
+# Upstreamable patches
 
 %build
 %ifarch sparcv9 sparc64 s390 s390x
@@ -196,7 +238,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fPIC"
 %else
 export CFLAGS="$RPM_OPT_FLAGS -fpic"
 %endif
-export CXXFLAGS="$CFLAGS"
+export CXXFLAGS="$CFLAGS -std=c++11"
 
 %{cmake} .
 make %{?_smp_mflags}
@@ -207,15 +249,12 @@ autoreconf -fiv
         --disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
         --disable-xwin --disable-xephyr --disable-kdrive --disable-xwayland \
         --with-pic --disable-static \
-        --with-default-font-path="catalogue:%{_sysconfdir}/X11/fontpath.d,built-ins" \
-        --with-fontdir=%{_datadir}/X11/fonts \
+        --with-default-font-path="catalogue:/etc/X11/fontpath.d,built-ins" \
         --with-xkb-output=%{_localstatedir}/lib/xkb \
-        --enable-install-libxf86config \
-        --enable-glx --disable-dri --enable-dri2 --disable-dri3 \
+        --enable-glx --disable-dri --enable-dri2 --enable-dri3 \
         --disable-unit-tests \
         --disable-config-hal \
         --disable-config-udev \
-        --with-dri-driver-path=%{_libdir}/dri \
         --without-dtrace \
         --disable-devel-docs \
         --disable-selective-werror
@@ -249,20 +288,18 @@ popd
 # Install systemd unit file
 install -m644 %{SOURCE1} %{buildroot}%{_unitdir}/xvnc@.service
 install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket
+# Install old vncserver script
+install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
 
 # Install desktop stuff
 mkdir -p %{buildroot}%{_datadir}/icons/hicolor/{16x16,24x24,48x48}/apps
 
 pushd media/icons
-for s in 16 24 48; do
+for s in 16 22 24 32 48 64 128; do
 install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps/tigervnc.png
 done
 popd
 
-rm -f %{buildroot}/%{_mandir}/man8/vncserver.8
-
-install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
-install -m 644 %{SOURCE6} %{buildroot}/%{_mandir}/man8/vncserver.8
 
 %find_lang %{name} %{name}.lang
 
@@ -272,18 +309,15 @@ rm -f  %{buildroot}%{_libdir}/xorg/modules/extensions/libvnc.la
 mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/
 install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
 
-install -m 644 %{SOURCE4} %{buildroot}/%{_docdir}/tigervnc/HOWTO.md
-
 %post server
-%systemd_post xvnc.service
+%systemd_post xvnc@.service
 %systemd_post xvnc.socket
 
 %preun server
-%systemd_preun xvnc.service
 %systemd_preun xvnc.socket
 
 %postun server
-%systemd_postun xvnc.service
+%systemd_postun xvnc@.service
 %systemd_postun xvnc.socket
 
 %pre selinux
@@ -314,11 +348,12 @@ fi
 %{_unitdir}/vncserver@.service
 %{_unitdir}/xvnc@.service
 %{_unitdir}/xvnc.socket
-%{_bindir}/x0vncserver
 %{_bindir}/vncserver
+%{_bindir}/x0vncserver
 %{_sbindir}/vncsession
 %{_libexecdir}/vncserver
 %{_libexecdir}/vncsession-start
+%{_libexecdir}/vncsession-restore
 %{_mandir}/man1/x0vncserver.1*
 %{_mandir}/man8/vncserver.8*
 %{_mandir}/man8/vncsession.8*
@@ -334,7 +369,7 @@ fi
 
 %files server-module
 %{_libdir}/xorg/modules/extensions/libvnc.so
-%config %{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
+%config(noreplace) %{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
 
 %files license
 %{_docdir}/tigervnc/LICENCE.TXT
@@ -344,9 +379,145 @@ fi
 
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
-%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 
 %changelog
+* Wed Feb 26 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-1
+- 1.15.0
+  Resolves: RHEL-79161
+  Resolves: RHEL-79982
+
+* Wed Feb 26 2025 Jan Grulich <jgrulich@redhat.com> - 1.13.1-15
+- Fix CVE-2025-26594 xorg-x11-server Use-after-free of the root cursor
+  Resolves: RHEL-79397
+- Fix CVE-2025-26595 xorg-x11-server Buffer overflow in XkbVModMaskText()
+  Resolves: RHEL-79401
+- Fix CVE-2025-26596 xorg-x11-server Heap overflow in XkbWriteKeySyms()
+  Resolves: RHEL-79386
+- Fix CVE-2025-26597 xorg-x11-server Buffer overflow in XkbChangeTypesOfKey()
+  Resolves: RHEL-79380
+- Fix CVE-2025-26598 xorg-x11-server Out-of-bounds write in CreatePointerBarrierClient()
+  Resolves: RHEL-79369
+- Fix CVE-2025-26599 xorg-x11-server Use of uninitialized pointer in compRedirectWindow()
+  Resolves: RHEL-79364
+- Fix CVE-2025-26600 xorg-x11-server Use-after-free in PlayReleasedEvents()
+  Resolves: RHEL-79360
+- Fix CVE-2025-26601 xorg-x11-server Use-after-free in SyncInitTrigger()
+  Resolves: RHEL-79348
+
+* Thu Oct 31 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-14
+- Fix CVE-2024-9632: xorg-x11-server: heap-based buffer overflow privilege escalation vulnerability
+  Resolves: RHEL-61999
+
+* Mon Aug 05 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-13
+- vncsession: use /bin/sh if the user shell is not set
+  Resolves: RHEL-52827
+
+* Fri Jul 12 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-12
+- Fix FTBS: drop already applied Xorg patches
+  Resolves: RHEL-46696
+
+* Tue May 28 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11
+- vncconfig: add option to force view-only remote client connections
+  Resolves: RHEL-11908
+
+* Mon Apr 15 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10
+- Drop patches that are already part of xorg-x11-server
+  Resolves: RHEL-30755
+  Resolves: RHEL-30767
+  Resolves: RHEL-30761
+
+* Thu Apr 04 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-9
+- Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
+  Resolves: RHEL-30755
+- Fix CVE-2024-31083 tigervnc: xorg-x11-server: User-after-free in ProcRenderAddGlyphs
+  Resolves: RHEL-30767
+- Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
+  Resolves: RHEL-30761
+
+* Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8
+- Fix copy/paste error in the DeviceStateNotify
+  Resolves: RHEL-20530
+
+* Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
+- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
+  Resolves: RHEL-20388
+- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
+  Resolves: RHEL-20382
+- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
+  Resolves: RHEL-20530
+- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
+  Resolves: RHEL-21214
+
+* Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6
+- Use dup() to get available file descriptor when using -inetd option
+  Resolves: RHEL-21000
+
+* Mon Dec 18 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-5
+- Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions
+  Resolves: RHEL-18410
+- Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
+  Resolves: RHEL-18422
+
+* Wed Nov 01 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-4
+- Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow
+  Resolves: RHEL-15236
+
+- Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty
+  Resolves: RHEL-15230
+
+* Mon Oct 09 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3
+- Support username alias in PlainUsers
+  Resolves: RHEL-4258
+
+* Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
+- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
+  Escalation Vulnerability
+  Resolves: bz#2180306
+
+* Tue Mar 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-1
+- 1.13.1
+  Resolves: bz#2175748
+- Restore "--fallbacktofreeport" option in the vncserver script
+  Resolves: bz#2174398
+
+* Thu Dec 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-9
+- Bump build version to fix upgrade path
+  Resolves: bz#1437569
+
+* Fri Nov 18 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-8
+- x0vncserver: add new keysym in case we don't find matching keycode
+  Resolves: bz#1437569
+
+* Wed Aug 24 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-7
+- x0vncserver: fix ghost cursor in zaphod mode (better version)
+  Resolves: bz#2109679
+
+* Wed Aug 17 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-6
+- x0vncserver: fix ghost cursor in zaphod mode
+  Resolves: bz#2109679
+
+* Tue May 31 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-5
+- BR: libXdamage, libXfixes, libXrandr
+  Resolves: bz#2088733
+
+* Tue Feb 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4
+- Added vncsession-restore script for SELinux policy migration
+  Fix SELinux context for root user
+  Resolves: bz#2021892
+
+* Fri Jan 21 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3
+- Fix crash in vncviewer
+  Resolves: bz#2021892
+
+* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2
+- Remove unavailable option from vncserver script
+  Resolves: bz#2021892
+
+* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
+- 1.12.0
+  Resolves: bz#2021892
+
 * Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9
 - Fix logout from VNC session using vncserver
   Resolves: bz#1983706