.gitignore

@@ -1 +1 @@
-SOURCES/tigervnc-1.12.0.tar.gz
+SOURCES/tigervnc-1.15.0.tar.gz

.tigervnc.metadata

@@ -1 +1 @@
-44db63993d8ad04f730b0b48e8aca32933bff15a SOURCES/tigervnc-1.12.0.tar.gz
+fec424f110bdf5032cd5eb4df2596b8251d2e1ed SOURCES/tigervnc-1.15.0.tar.gz

SOURCES/tigervnc-add-new-keycodes-for-unknown-keysyms.patch

@@ -1,199 +0,0 @@
-From ccbd491fa48f1c43daeb1a6c5ee91a1a8fa3db88 Mon Sep 17 00:00:00 2001
-From: Jan Grulich <jgrulich@redhat.com>
-Date: Tue, 9 Aug 2022 14:31:07 +0200
-Subject: [PATCH] x0vncserver: add new keysym in case we don't find a matching
- keycode
-
-We might often fail to find a matching X11 keycode when the client has
-a different keyboard layout and end up with no key event. To avoid a
-failure we add it as a new keysym/keycode pair so the next time a keysym
-from the client that is unknown to the server is send, we will find a
-match and proceed with key event. This is same behavior used in Xvnc or
-x11vnc, although Xvnc has more advanced mapping from keysym to keycode.
----
- unix/x0vncserver/XDesktop.cxx | 121 +++++++++++++++++++++++++++++++++-
- unix/x0vncserver/XDesktop.h   |   4 ++
- 2 files changed, 122 insertions(+), 3 deletions(-)
-
-diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx
-index f2046e43e..933998f05 100644
---- a/unix/x0vncserver/XDesktop.cxx
-+++ b/unix/x0vncserver/XDesktop.cxx
-@@ -31,6 +31,7 @@
- #include <x0vncserver/XDesktop.h>
-
- #include <X11/XKBlib.h>
-+#include <X11/Xutil.h>
- #ifdef HAVE_XTEST
- #include <X11/extensions/XTest.h>
- #endif
-@@ -50,6 +51,7 @@ void vncSetGlueContext(Display *dpy, void *res);
- #include <x0vncserver/Geometry.h>
- #include <x0vncserver/XPixelBuffer.h>
-
-+using namespace std;
- using namespace rfb;
-
- extern const unsigned short code_map_qnum_to_xorgevdev[];
-@@ -264,6 +266,9 @@ void XDesktop::start(VNCServer* vs) {
- void XDesktop::stop() {
-   running = false;
-
-+  // Delete added keycodes
-+  deleteAddedKeysyms(dpy);
-+
- #ifdef HAVE_XDAMAGE
-   if (haveDamage)
-     XDamageDestroy(dpy, damage);
-@@ -383,6 +388,118 @@ KeyCode XDesktop::XkbKeysymToKeycode(Display* dpy, KeySym keysym) {
- }
- #endif
-
-+KeyCode XDesktop::addKeysym(Display* dpy, KeySym keysym)
-+{
-+  int types[1];
-+  unsigned int key;
-+  XkbDescPtr xkb;
-+  XkbMapChangesRec changes;
-+  KeySym *syms;
-+  KeySym upper, lower;
-+
-+  xkb = XkbGetMap(dpy, XkbAllComponentsMask, XkbUseCoreKbd);
-+
-+  if (!xkb)
-+    return 0;
-+
-+  for (key = xkb->max_key_code; key >= xkb->min_key_code; key--) {
-+    if (XkbKeyNumGroups(xkb, key) == 0)
-+      break;
-+  }
-+
-+  if (key < xkb->min_key_code)
-+    return 0;
-+
-+  memset(&changes, 0, sizeof(changes));
-+
-+  XConvertCase(keysym, &lower, &upper);
-+
-+  if (upper == lower)
-+    types[XkbGroup1Index] = XkbOneLevelIndex;
-+  else
-+    types[XkbGroup1Index] = XkbAlphabeticIndex;
-+
-+  XkbChangeTypesOfKey(xkb, key, 1, XkbGroup1Mask, types, &changes);
-+
-+  syms = XkbKeySymsPtr(xkb,key);
-+  if (upper == lower)
-+    syms[0] = keysym;
-+  else {
-+    syms[0] = lower;
-+    syms[1] = upper;
-+  }
-+
-+  changes.changed |= XkbKeySymsMask;
-+  changes.first_key_sym = key;
-+  changes.num_key_syms = 1;
-+
-+  if (XkbChangeMap(dpy, xkb, &changes)) {
-+    vlog.info("Added unknown keysym %s to keycode %d", XKeysymToString(keysym), key);
-+    addedKeysyms[keysym] = key;
-+    return key;
-+  }
-+
-+  return 0;
-+}
-+
-+void XDesktop::deleteAddedKeysyms(Display* dpy) {
-+  XkbDescPtr xkb;
-+  xkb = XkbGetMap(dpy, XkbAllComponentsMask, XkbUseCoreKbd);
-+
-+  if (!xkb)
-+    return;
-+
-+  XkbMapChangesRec changes;
-+  memset(&changes, 0, sizeof(changes));
-+
-+  KeyCode lowestKeyCode = xkb->max_key_code;
-+  KeyCode highestKeyCode = xkb->min_key_code;
-+  std::map<KeySym, KeyCode>::iterator it;
-+  for (it = addedKeysyms.begin(); it != addedKeysyms.end(); it++) {
-+    if (XkbKeyNumGroups(xkb, it->second) != 0) {
-+      // Check if we are removing keysym we added ourself
-+      if (XkbKeysymToKeycode(dpy, it->first) != it->second)
-+        continue;
-+
-+      XkbChangeTypesOfKey(xkb, it->second, 0, XkbGroup1Mask, NULL, &changes);
-+
-+      if (it->second < lowestKeyCode)
-+        lowestKeyCode = it->second;
-+
-+      if (it->second > highestKeyCode)
-+        highestKeyCode = it->second;
-+    }
-+  }
-+
-+  changes.changed |= XkbKeySymsMask;
-+  changes.first_key_sym = lowestKeyCode;
-+  changes.num_key_syms = highestKeyCode - lowestKeyCode + 1;
-+  XkbChangeMap(dpy, xkb, &changes);
-+
-+  addedKeysyms.clear();
-+}
-+
-+KeyCode XDesktop::keysymToKeycode(Display* dpy, KeySym keysym) {
-+  int keycode = 0;
-+
-+  // XKeysymToKeycode() doesn't respect state, so we have to use
-+  // something slightly more complex
-+  keycode = XkbKeysymToKeycode(dpy, keysym);
-+
-+  if (keycode != 0)
-+    return keycode;
-+
-+  // TODO: try to further guess keycode with all possible mods as Xvnc does
-+
-+  keycode = addKeysym(dpy, keysym);
-+
-+  if (keycode == 0)
-+    vlog.error("Failure adding new keysym 0x%lx", keysym);
-+
-+  return keycode;
-+}
-+
-+
- void XDesktop::keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down) {
- #ifdef HAVE_XTEST
-   int keycode = 0;
-@@ -398,9 +515,7 @@ void XDesktop::keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down) {
-     if (pressedKeys.find(keysym) != pressedKeys.end())
-       keycode = pressedKeys[keysym];
-     else {
--      // XKeysymToKeycode() doesn't respect state, so we have to use
--      // something slightly more complex
--      keycode = XkbKeysymToKeycode(dpy, keysym);
-+      keycode = keysymToKeycode(dpy, keysym);
-     }
-   }
-
-diff --git a/unix/x0vncserver/XDesktop.h b/unix/x0vncserver/XDesktop.h
-index 840d43316..6ebcd9f8a 100644
---- a/unix/x0vncserver/XDesktop.h
-+++ b/unix/x0vncserver/XDesktop.h
-@@ -55,6 +55,9 @@ class XDesktop : public rfb::SDesktop,
-                                const char* userName);
-   virtual void pointerEvent(const rfb::Point& pos, int buttonMask);
-   KeyCode XkbKeysymToKeycode(Display* dpy, KeySym keysym);
-+  KeyCode addKeysym(Display* dpy, KeySym keysym);
-+  void deleteAddedKeysyms(Display* dpy);
-+  KeyCode keysymToKeycode(Display* dpy, KeySym keysym);
-   virtual void keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down);
-   virtual void clientCutText(const char* str);
-   virtual unsigned int setScreenLayout(int fb_width, int fb_height,
-@@ -78,6 +81,7 @@ class XDesktop : public rfb::SDesktop,
-   bool haveXtest;
-   bool haveDamage;
-   int maxButtons;
-+  std::map<KeySym, KeyCode> addedKeysyms;
-   std::map<KeySym, KeyCode> pressedKeys;
-   bool running;
- #ifdef HAVE_XDAMAGE

SOURCES/tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch

@@ -0,0 +1,27 @@
+From 313200978926cc7b7521c0d645918391b7609681 Mon Sep 17 00:00:00 2001
+From: Jan Grulich <jgrulich@redhat.com>
+Date: Thu, 27 Feb 2025 13:49:02 +0100
+Subject: [PATCH] Add SELinux policy rules allowing to access
+ /proc/sys/fs/nr_open
+
+This is needed when the nofile limit is set to unlimited, otherwise we
+will fail to start a VNC session.
+---
+ unix/vncserver/selinux/vncsession.te | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
+index d92f1bd..2ce4fc8 100644
+--- a/unix/vncserver/selinux/vncsession.te
++++ b/unix/vncserver/selinux/vncsession.te
+@@ -37,6 +37,10 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms;
+ allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+ files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+ 
++# Allow access to /proc/sys/fs/nr_open
++# Needed when the nofile limit is set to unlimited.
++kernel_read_fs_sysctls(vnc_session_t)
++
+ # Allowed to create ~/.local
+ optional_policy(`
+ 	gnome_filetrans_home_content(vnc_session_t)

SOURCES/tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch

@@ -0,0 +1,47 @@
+From e652f06940f84fd8e19d7b674ae8c6000530fb40 Mon Sep 17 00:00:00 2001
+From: Jan Grulich <jgrulich@redhat.com>
+Date: Fri, 7 Feb 2025 15:32:49 +0100
+Subject: [PATCH] Add SELinux policy rules allowing to create directories under
+ /root
+
+We have policy that allows to create ~/.local or ~/.config, but we don't
+have rule that allows the same under /root directory, where we fail in
+case any of these directories doesn't exist.
+---
+ unix/vncserver/selinux/vncsession.te | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
+index d92f1bda7d..2f49717077 100644
+--- a/unix/vncserver/selinux/vncsession.te
++++ b/unix/vncserver/selinux/vncsession.te
+@@ -48,6 +48,14 @@ optional_policy(`
+ 	create_dirs_pattern(vnc_session_t, gconf_home_t, gconf_home_t)
+ ')
+ 
++# Allowed to create /root/.local
++optional_policy(`
++	gen_require(`
++		type admin_home_t;
++	')
++	create_dirs_pattern(vnc_session_t, admin_home_t, admin_home_t)
++')
++
+ # Manage TigerVNC files (mainly ~/.local/state/*.log)
+ create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
+ manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
+@@ -88,6 +96,7 @@ optional_policy(`
+ 	gen_require(`
+ 		attribute userdomain;
+ 		type gconf_home_t;
++		type admin_home_t;
+ 	')
+ 	userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
+ 	userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
+@@ -95,5 +104,6 @@ optional_policy(`
+ 	gnome_config_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
+ 	gnome_data_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
+ 	filetrans_pattern(userdomain, gconf_home_t, vnc_home_t, dir, "tigervnc")
++	filetrans_pattern(vnc_session_t, admin_home_t, vnc_home_t, dir, "tigervnc")
+ 	filetrans_pattern(vnc_session_t, gconf_home_t, vnc_home_t, dir, "tigervnc")
+ ')

SOURCES/tigervnc-dont-install-appstream-metadata-file.patch

@@ -0,0 +1,53 @@
+diff --git a/po/CMakeLists.txt b/po/CMakeLists.txt
+index 7d316e7..4f872d0 100644
+--- a/po/CMakeLists.txt
++++ b/po/CMakeLists.txt
+@@ -15,7 +15,6 @@ if (GETTEXT_XGETTEXT_EXECUTABLE)
+     ${PROJECT_SOURCE_DIR}/vncviewer/*.h
+     ${PROJECT_SOURCE_DIR}/vncviewer/*.cxx
+     ${PROJECT_SOURCE_DIR}/vncviewer/*.desktop.in.in
+-    ${PROJECT_SOURCE_DIR}/vncviewer/*.metainfo.xml.in
+   )
+ 
+   add_custom_target(translations_update
+diff --git a/vncviewer/CMakeLists.txt b/vncviewer/CMakeLists.txt
+index 72904b2..6a39062 100644
+--- a/vncviewer/CMakeLists.txt
++++ b/vncviewer/CMakeLists.txt
+@@ -108,36 +108,6 @@ if(UNIX)
+   add_custom_target(desktop ALL DEPENDS vncviewer.desktop)
+   install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncviewer.desktop DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/applications)
+ 
+-  if("${GETTEXT_VERSION_STRING}" VERSION_GREATER 0.19.6)
+-    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
+-      COMMAND ${GETTEXT_MSGFMT_EXECUTABLE}
+-                --xml --template ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
+-                -d ${CMAKE_SOURCE_DIR}/po -o org.tigervnc.vncviewer.metainfo.xml
+-      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
+-              ${po_FILES}
+-    )
+-  elseif(INTLTOOL_MERGE_EXECUTABLE)
+-    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
+-      COMMAND sed -e 's@<name>@<_name>@\;s@</name>@</_name>@'
+-                  -e 's@<summary>@<_summary>@\;s@</summary>@</_summary>@'
+-                  -e 's@<caption>@<_caption>@\;s@</caption>@</_caption>@'
+-                  -e 's@<p>@<_p>@g\;s@</p>@</_p>@g'
+-                ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in > org.tigervnc.vncviewer.metainfo.xml.intl
+-      COMMAND ${INTLTOOL_MERGE_EXECUTABLE}
+-                -x ${CMAKE_SOURCE_DIR}/po
+-                org.tigervnc.vncviewer.metainfo.xml.intl org.tigervnc.vncviewer.metainfo.xml
+-      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
+-              ${po_FILES}
+-    )
+-  else()
+-    add_custom_command(OUTPUT org.tigervnc.vncviewer.metainfo.xml
+-      COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in org.tigervnc.vncviewer.metainfo.xml
+-      DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/org.tigervnc.vncviewer.metainfo.xml.in
+-    )
+-  endif()
+-  add_custom_target(appstream ALL DEPENDS org.tigervnc.vncviewer.metainfo.xml)
+-  install(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.tigervnc.vncviewer.metainfo.xml DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/metainfo)
+-
+   foreach(res 16 22 24 32 48 64 128)
+     install(FILES ../media/icons/tigervnc_${res}.png DESTINATION ${CMAKE_INSTALL_FULL_DATADIR}/icons/hicolor/${res}x${res}/apps RENAME tigervnc.png)
+   endforeach()

SOURCES/tigervnc-fix-ghost-cursor-in-zaphod-mode.patch

@@ -1,117 +0,0 @@
-From f783d5c8b567199178b6690f347e060a69d2aa36 Mon Sep 17 00:00:00 2001
-From: Jan Grulich <jgrulich@redhat.com>
-Date: Thu, 11 Aug 2022 13:15:29 +0200
-Subject: [PATCH] x0vncserver: update/display cursor only on correct screen in
- zaphod mode
-
-We have to check whether we update cursor position/shape only in case
-the cursor is on our display, otherwise in zaphod mode, ie. when having
-two instances of x0vncserver on screens :0.0 and :0.1 we would be having
-the cursor duplicated and actually not funcional (aka ghost cursor) as
-it would be actually not present. We also additionally watch EnterNotify
-and LeaveNotify events in order to show/hide cursor accordingly.
-
-Change made with help from Olivier Fourdan <ofourdan@redhat.com>
----
- unix/x0vncserver/XDesktop.cxx | 60 +++++++++++++++++++++++++++++++----
- 1 file changed, 53 insertions(+), 7 deletions(-)
-
-diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx
-index f2046e43e..f07fd78bf 100644
---- a/unix/x0vncserver/XDesktop.cxx
-+++ b/unix/x0vncserver/XDesktop.cxx
-@@ -192,7 +192,8 @@ XDesktop::XDesktop(Display* dpy_, Geometry *geometry_)
-                    RRScreenChangeNotifyMask | RRCrtcChangeNotifyMask);
-     /* Override TXWindow::init input mask */
-     XSelectInput(dpy, DefaultRootWindow(dpy),
--                 PropertyChangeMask | StructureNotifyMask | ExposureMask);
-+                 PropertyChangeMask | StructureNotifyMask |
-+                 ExposureMask | EnterWindowMask | LeaveWindowMask);
-   } else {
- #endif
-     vlog.info("RANDR extension not present");
-@@ -217,11 +218,13 @@ void XDesktop::poll() {
-     Window root, child;
-     int x, y, wx, wy;
-     unsigned int mask;
--    XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child,
--                  &x, &y, &wx, &wy, &mask);
--    x -= geometry->offsetLeft();
--    y -= geometry->offsetTop();
--    server->setCursorPos(rfb::Point(x, y), false);
-+
-+    if (XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child,
-+                      &x, &y, &wx, &wy, &mask)) {
-+      x -= geometry->offsetLeft();
-+      y -= geometry->offsetTop();
-+      server->setCursorPos(rfb::Point(x, y), false);
-+    }
-   }
- }
-
-@@ -253,7 +256,14 @@ void XDesktop::start(VNCServer* vs) {
- #endif
-
- #ifdef HAVE_XFIXES
--  setCursor();
-+  Window root, child;
-+  int x, y, wx, wy;
-+  unsigned int mask;
-+  // Check whether the cursor is initially on our screen
-+  if (XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child,
-+                    &x, &y, &wx, &wy, &mask))
-+    setCursor();
-+
- #endif
-
-   server->setLEDState(ledState);
-@@ -701,6 +711,15 @@ bool XDesktop::handleGlobalEvent(XEvent* ev) {
-     if (cev->subtype != XFixesDisplayCursorNotify)
-       return false;
-
-+    Window root, child;
-+    int x, y, wx, wy;
-+    unsigned int mask;
-+
-+    // Check whether the cursor is initially on our screen
-+    if (!XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child,
-+                      &x, &y, &wx, &wy, &mask))
-+      return false;
-+
-     return setCursor();
- #endif
- #ifdef HAVE_XRANDR
-@@ -753,6 +772,33 @@ bool XDesktop::handleGlobalEvent(XEvent* ev) {
-
-     return true;
- #endif
-+#ifdef HAVE_XFIXES
-+  } else if (ev->type == EnterNotify) {
-+    XCrossingEvent* cev;
-+
-+    if (!running)
-+      return true;
-+
-+    cev = (XCrossingEvent*)ev;
-+
-+    if (cev->window != cev->root)
-+      return false;
-+
-+    return setCursor();
-+  } else if (ev->type == LeaveNotify) {
-+    XCrossingEvent* cev;
-+
-+    if (!running)
-+      return true;
-+
-+    cev = (XCrossingEvent*)ev;
-+
-+    if (cev->window == cev->root)
-+      return false;
-+
-+    server->setCursor(0, 0, Point(), NULL);
-+    return true;
-+#endif
-   }
-
-   return false;

SOURCES/tigervnc-fix-typo-in-mirror-monitor-detection.patch

@@ -1,34 +0,0 @@
-From 2daf4126882f82b6e392dfbae87205dbdc559c3d Mon Sep 17 00:00:00 2001
-From: Pierre Ossman <ossman@cendio.se>
-Date: Thu, 23 Dec 2021 15:58:00 +0100
-Subject: [PATCH] Fix typo in mirror monitor detection
-
-Bug introduced in fb561eb but still somehow passed manual testing.
-Resulted in some stray reads off the end of the stack, which were
-hopefully harmless.
----
- vncviewer/MonitorIndicesParameter.cxx | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/vncviewer/MonitorIndicesParameter.cxx b/vncviewer/MonitorIndicesParameter.cxx
-index 5130831cb..4ac74dd1a 100644
---- a/vncviewer/MonitorIndicesParameter.cxx
-+++ b/vncviewer/MonitorIndicesParameter.cxx
-@@ -211,13 +211,13 @@ std::vector<MonitorIndicesParameter::Monitor> MonitorIndicesParameter::fetchMoni
-         // Only keep a single entry for mirrored screens
-         match = false;
-         for (int j = 0; j < ((int) monitors.size()); j++) {
--            if (monitors[i].x != monitor.x)
-+            if (monitors[j].x != monitor.x)
-                 continue;
--            if (monitors[i].y != monitor.y)
-+            if (monitors[j].y != monitor.y)
-                 continue;
--            if (monitors[i].w != monitor.w)
-+            if (monitors[j].w != monitor.w)
-                 continue;
--            if (monitors[i].h != monitor.h)
-+            if (monitors[j].h != monitor.h)
-                 continue;
-
-             match = true;

SOURCES/tigervnc-root-user-selinux-context.patch

@@ -1,25 +0,0 @@
-From faf81b4b238e24fe29eb53f885a25367e212dd7b Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Mon, 7 Feb 2022 10:45:41 +0100
-Subject: [PATCH] SELinux: use /root/.vnc in file context specification
-
-Instead of HOME_ROOT/.vnc, /root/.vnc should be used
-for user root's home to specify default file context
-as HOME_ROOT actually means base for home dirs (usually /home).
----
- unix/vncserver/selinux/vncsession.fc | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
-index 6aaf4b1f4..bc81f8f25 100644
---- a/unix/vncserver/selinux/vncsession.fc
-+++ b/unix/vncserver/selinux/vncsession.fc
-@@ -18,7 +18,7 @@
- #
-
- HOME_DIR/\.vnc(/.*)?      gen_context(system_u:object_r:vnc_home_t,s0)
--HOME_ROOT/\.vnc(/.*)?      gen_context(system_u:object_r:vnc_home_t,s0)
-+/root/\.vnc(/.*)?      gen_context(system_u:object_r:vnc_home_t,s0)
-
- /usr/sbin/vncsession			--	gen_context(system_u:object_r:vnc_session_exec_t,s0)
- /usr/libexec/vncsession-start		--	gen_context(system_u:object_r:vnc_session_exec_t,s0)

SOURCES/tigervnc-selinux-restore-context-in-case-of-different-policies.patch

@@ -1,81 +0,0 @@
-From d2d52704624ce841f4a392fccd82079d87ff13b6 Mon Sep 17 00:00:00 2001
-From: Jan Grulich <jgrulich@redhat.com>
-Date: Thu, 11 Nov 2021 13:52:41 +0100
-Subject: [PATCH] SELinux: restore SELinux context in case of different
- policies
-
----
- CMakeLists.txt                | 13 +++++++++++++
- unix/vncserver/CMakeLists.txt |  2 +-
- unix/vncserver/vncsession.c   | 16 ++++++++++++++++
- 3 files changed, 30 insertions(+), 1 deletion(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 50247c7da..1708eb3d8 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -268,6 +268,19 @@ if(UNIX AND NOT APPLE)
-   endif()
- endif()
-
-+# Check for SELinux library
-+if(UNIX AND NOT APPLE)
-+  check_include_files(selinux/selinux.h HAVE_SELINUX_H)
-+  if(HAVE_SELINUX_H)
-+    set(CMAKE_REQUIRED_LIBRARIES -lselinux)
-+    set(CMAKE_REQUIRED_LIBRARIES)
-+    set(SELINUX_LIBS selinux)
-+    add_definitions("-DHAVE_SELINUX")
-+  else()
-+    message(WARNING "Could not find SELinux development files")
-+  endif()
-+endif()
-+
- # Generate config.h and make sure the source finds it
- configure_file(config.h.in config.h)
- add_definitions(-DHAVE_CONFIG_H)
-diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
-index f65ccc7db..ae69dc098 100644
---- a/unix/vncserver/CMakeLists.txt
-+++ b/unix/vncserver/CMakeLists.txt
-@@ -1,5 +1,5 @@
- add_executable(vncsession vncsession.c)
--target_link_libraries(vncsession ${PAM_LIBS})
-+target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
-
- configure_file(vncserver@.service.in vncserver@.service @ONLY)
- configure_file(vncsession-start.in vncsession-start @ONLY)
-diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
-index 3573e5e9b..f6d2fd59e 100644
---- a/unix/vncserver/vncsession.c
-+++ b/unix/vncserver/vncsession.c
-@@ -37,6 +37,11 @@
- #include <sys/types.h>
- #include <sys/wait.h>
-
-+#ifdef HAVE_SELINUX
-+#include <selinux/selinux.h>
-+#include <selinux/restorecon.h>
-+#endif
-+
- extern char **environ;
-
- // PAM service name
-@@ -360,6 +365,17 @@ redir_stdio(const char *homedir, const char *display)
-             syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
-             _exit(EX_OSERR);
-         }
-+
-+#ifdef HAVE_SELINUX
-+        int result;
-+        if (selinux_file_context_verify(logfile, 0) == 0) {
-+            result = selinux_restorecon(logfile, SELINUX_RESTORECON_RECURSE);
-+
-+            if (result < 0) {
-+                syslog(LOG_WARNING, "Failure restoring SELinux context for \"%s\": %s", logfile, strerror(errno));
-+            }
-+        }
-+#endif
-     }
-
-     hostlen = sysconf(_SC_HOST_NAME_MAX);

SOURCES/tigervnc-xserver120.patch

@@ -1,91 +0,0 @@
-diff -up xserver/configure.ac.xserver116-rebased xserver/configure.ac
---- xserver/configure.ac.xserver116-rebased	2016-09-29 13:14:45.595441590 +0200
-+++ xserver/configure.ac	2016-09-29 13:14:45.631442006 +0200
-@@ -74,6 +74,7 @@ dnl forcing an entire recompile.x
- AC_CONFIG_HEADERS(include/version-config.h)
-
- AM_PROG_AS
-+AC_PROG_CXX
- AC_PROG_LN_S
- LT_PREREQ([2.2])
- LT_INIT([disable-static win32-dll])
-@@ -1863,6 +1864,10 @@ if test "x$XVFB" = xyes; then
- 	AC_SUBST([XVFB_SYS_LIBS])
- fi
-
-+dnl Xvnc DDX
-+AC_SUBST([XVNC_CPPFLAGS], ["-DHAVE_DIX_CONFIG_H $XSERVER_CFLAGS"])
-+AC_SUBST([XVNC_LIBS], ["$FB_LIB $FIXES_LIB $XEXT_LIB $CONFIG_LIB $DBE_LIB $RECORD_LIB $GLX_LIBS $RANDR_LIB $RENDER_LIB $DAMAGE_LIB $DRI3_LIB $PRESENT_LIB $MIEXT_SYNC_LIB $MIEXT_DAMAGE_LIB $MIEXT_SHADOW_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $COMPOSITE_LIB $MAIN_LIB"])
-+AC_SUBST([XVNC_SYS_LIBS], ["$GLX_SYS_LIBS"])
-
- dnl Xnest DDX
-
-@@ -1898,6 +1903,8 @@ if test "x$XORG" = xauto; then
- fi
- AC_MSG_RESULT([$XORG])
-
-+AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version])
-+
- if test "x$XORG" = xyes; then
- 	XORG_DDXINCS='-I$(top_srcdir)/hw/xfree86 -I$(top_srcdir)/hw/xfree86/include -I$(top_srcdir)/hw/xfree86/common'
- 	XORG_OSINCS='-I$(top_srcdir)/hw/xfree86/os-support -I$(top_srcdir)/hw/xfree86/os-support/bus -I$(top_srcdir)/os'
-@@ -2116,7 +2123,6 @@ if test "x$XORG" = xyes; then
- 	AC_DEFINE(XORG_SERVER, 1, [Building Xorg server])
- 	AC_DEFINE(XORGSERVER, 1, [Building Xorg server])
- 	AC_DEFINE(XFree86Server, 1, [Building XFree86 server])
--	AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version])
- 	AC_DEFINE(NEED_XF86_TYPES, 1, [Need XFree86 typedefs])
- 	AC_DEFINE(NEED_XF86_PROTOTYPES, 1, [Need XFree86 helper functions])
- 	AC_DEFINE(__XSERVERNAME__, "Xorg", [Name of X server])
-@@ -2691,6 +2697,7 @@ hw/dmx/Makefile
- hw/dmx/man/Makefile
- hw/vfb/Makefile
- hw/vfb/man/Makefile
-+hw/vnc/Makefile
- hw/xnest/Makefile
- hw/xnest/man/Makefile
- hw/xwin/Makefile
-diff -up xserver/hw/Makefile.am.xserver116-rebased xserver/hw/Makefile.am
---- xserver/hw/Makefile.am.xserver116-rebased	2016-09-29 13:14:45.601441659 +0200
-+++ xserver/hw/Makefile.am	2016-09-29 13:14:45.631442006 +0200
-@@ -38,7 +38,8 @@ SUBDIRS =			\
- 	$(DMX_SUBDIRS)		\
- 	$(KDRIVE_SUBDIRS)	\
- 	$(XQUARTZ_SUBDIRS)	\
--	$(XWAYLAND_SUBDIRS)
-+	$(XWAYLAND_SUBDIRS)	\
-+	vnc
-
- DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland
-
-diff --git xserver/mi/miinitext.c xserver/mi/miinitext.c
-index 5596e21..003fc3c 100644
---- xserver/mi/miinitext.c
-+++ xserver/mi/miinitext.c
-@@ -107,8 +107,15 @@ SOFTWARE.
- #include "os.h"
- #include "globals.h"
-
-+#ifdef TIGERVNC
-+extern void vncExtensionInit(INITARGS);
-+#endif
-+
- /* List of built-in (statically linked) extensions */
- static const ExtensionModule staticExtensions[] = {
-+#ifdef TIGERVNC
-+    {vncExtensionInit, "VNC-EXTENSION", NULL},
-+#endif
-     {GEExtensionInit, "Generic Event Extension", &noGEExtension},
-     {ShapeExtensionInit, "SHAPE", NULL},
- #ifdef MITSHM
---- xserver/include/os.h~	2016-10-03 09:07:29.000000000 +0200
-+++ xserver/include/os.h	2016-10-03 14:13:00.013654506 +0200
-@@ -621,7 +621,7 @@
- extern _X_EXPORT void
- LogClose(enum ExitCode error);
- extern _X_EXPORT Bool
--LogSetParameter(LogParameter param, int value);
-+LogSetParameter(enum _LogParameter param, int value);
- extern _X_EXPORT void
- LogVWrite(int verb, const char *f, va_list args)
- _X_ATTRIBUTE_PRINTF(2, 0);

SOURCES/vncserver

@@ -121,7 +121,7 @@ if ($fontPath eq "") {
 # Check command line options
 
 &ParseOptions("-geometry",1,"-depth",1,"-pixelformat",1,"-name",1,"-kill",1,
-	      "-help",0,"-h",0,"--help",0,"-fp",1,"-list",0,"-fg",0,"-autokill",0,"-noxstartup",0,"-xstartup",1);
+	      "-help",0,"-h",0,"--help",0,"-fp",1,"-list",0,"-fg",0,"-autokill",0,"-noxstartup",0,"-xstartup",1,"-fallbacktofreeport",0);
 
 &Usage() if ($opt{'-help'} || $opt{'-h'} || $opt{'--help'});
 
@@ -168,8 +168,13 @@ if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) {
     $displayNumber = $1;
     shift(@ARGV);
     if (!&CheckDisplayNumber($displayNumber)) {
-        warn "A VNC server is already running as :$displayNumber\n";
-        $displayNumber = &GetDisplayNumber();
+        if ($opt{'-fallbacktofreeport'}) {
+            warn "A VNC server is already running as :$displayNumber\n";
+            $displayNumber = &GetDisplayNumber();
+            warn "Using port :$displayNumber as fallback\n";
+        } else {
+            die "A VNC server is already running as :$displayNumber\n";
+        }
     }
 } elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) {
     &Usage();
@@ -675,6 +680,7 @@ sub Usage
 	"                 [-autokill]\n".
 	"                 [-noxstartup]\n".
 	"                 [-xstartup <file>]\n".
+	"                 [-fallbacktofreeport]\n".
 	"                 <Xvnc-options>...\n\n".
 	"       $prog -kill <X-display>\n\n".
 	"       $prog -list\n\n");

SOURCES/xorg-CVE-2025-26594-2.patch

@@ -0,0 +1,46 @@
+From ded614e74e7175927dd2bc5ef69accaf2de29939 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 4 Dec 2024 15:49:43 +1000
+Subject: [PATCH xserver 2/2] dix: keep a ref to the rootCursor
+
+CreateCursor returns a cursor with refcount 1 - that refcount is used by
+the resource system, any caller needs to call RefCursor to get their own
+reference. That happens correctly for normal cursors but for our
+rootCursor we keep a variable to the cursor despite not having a ref for
+ourselves.
+
+Fix this by reffing/unreffing the rootCursor to ensure our pointer is
+valid.
+
+Related to CVE-2025-26594, ZDI-CAN-25544
+
+Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
+---
+ dix/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/dix/main.c b/dix/main.c
+index aa7b020b2..0c57ba605 100644
+--- a/dix/main.c
++++ b/dix/main.c
+@@ -235,6 +235,8 @@ dix_main(int argc, char *argv[], char *envp[])
+                        defaultCursorFont);
+         }
+ 
++        rootCursor = RefCursor(rootCursor);
++
+ #ifdef PANORAMIX
+         /*
+          * Consolidate window and colourmap information for each screen
+@@ -275,6 +277,8 @@ dix_main(int argc, char *argv[], char *envp[])
+ 
+         Dispatch();
+ 
++        UnrefCursor(rootCursor);
++
+         UndisplayDevices();
+         DisableAllDevices();
+ 
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26594.patch

@@ -0,0 +1,52 @@
+From efca605c45ff51b57f136222b966ce1d610ebc33 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 27 Nov 2024 11:27:05 +0100
+Subject: [PATCH xserver 1/2] Cursor: Refuse to free the root cursor
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a cursor reference count drops to 0, the cursor is freed.
+
+The root cursor however is referenced with a specific global variable,
+and when the root cursor is freed, the global variable may still point
+to freed memory.
+
+Make sure to prevent the rootCursor from being explicitly freed by a
+client.
+
+CVE-2025-26594, ZDI-CAN-25544
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
+<peter.hutterer@who-t.net>)
+v3: Return BadCursor instead of BadValue (Michel Dänzer
+<michel@daenzer.net>)
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ dix/dispatch.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 5f7cfe02d..d1241fa96 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -3039,6 +3039,10 @@ ProcFreeCursor(ClientPtr client)
+     rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR,
+                                  client, DixDestroyAccess);
+     if (rc == Success) {
++        if (pCursor == rootCursor) {
++            client->errorValue = stuff->id;
++            return BadCursor;
++        }
+         FreeResource(stuff->id, RT_NONE);
+         return Success;
+     }
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26595.patch

@@ -0,0 +1,60 @@
+From 98602942c143075ab7464f917e0fc5d31ce28c3f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 27 Nov 2024 14:41:45 +0100
+Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbVModMaskText()
+
+The code in XkbVModMaskText() allocates a fixed sized buffer on the
+stack and copies the virtual mod name.
+
+There's actually two issues in the code that can lead to a buffer
+overflow.
+
+First, the bound check mixes pointers and integers using misplaced
+parenthesis, defeating the bound check.
+
+But even though, if the check fails, the data is still copied, so the
+stack overflow will occur regardless.
+
+Change the logic to skip the copy entirely if the bound check fails.
+
+CVE-2025-26595, ZDI-CAN-25545
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkbtext.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
+index 018466420..93262528b 100644
+--- a/xkb/xkbtext.c
++++ b/xkb/xkbtext.c
+@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb,
+                 len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+                 if (format == XkbCFile)
+                     len += 4;
+-                if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
+-                    if (str != buf) {
+-                        if (format == XkbCFile)
+-                            *str++ = '|';
+-                        else
+-                            *str++ = '+';
+-                        len--;
+-                    }
++                if ((str - buf) + len > VMOD_BUFFER_SIZE)
++                    continue; /* Skip */
++                if (str != buf) {
++                    if (format == XkbCFile)
++                        *str++ = '|';
++                    else
++                        *str++ = '+';
++                    len--;
+                 }
+                 if (format == XkbCFile)
+                     sprintf(str, "%sMask", tmp);
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26596.patch

@@ -0,0 +1,44 @@
+From b41f6fce201e77a174550935330e2f7772d4adf9 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Thu, 28 Nov 2024 11:49:34 +0100
+Subject: [PATCH xserver] xkb: Fix computation of XkbSizeKeySyms
+
+The computation of the length in XkbSizeKeySyms() differs from what is
+actually written in XkbWriteKeySyms(), leading to a heap overflow.
+
+Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms()
+does.
+
+CVE-2025-26596, ZDI-CAN-25543
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/xkb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 85659382d..744dba63d 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep)
+     len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc);
+     symMap = &xkb->map->key_sym_map[rep->firstKeySym];
+     for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) {
+-        if (symMap->offset != 0) {
+-            nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
+-            nSyms += nSymsThisKey;
+-        }
++        nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width;
++        if (nSymsThisKey == 0)
++            continue;
++        nSyms += nSymsThisKey;
+     }
+     len += nSyms * 4;
+     rep->totalSyms = nSyms;
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26597.patch

@@ -0,0 +1,41 @@
+From c5114475db18f29d639537d60e135bdfc11a5d3a Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Thu, 28 Nov 2024 14:09:04 +0100
+Subject: [PATCH xserver] xkb: Fix buffer overflow in XkbChangeTypesOfKey()
+
+If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the
+key syms to 0 but leave the key actions unchanged.
+
+If later, the same function is called with a non-zero value for nGroups,
+this will cause a buffer overflow because the key actions are of the wrong
+size.
+
+To avoid the issue, make sure to resize both the key syms and key actions
+when nGroups is 0.
+
+CVE-2025-26597, ZDI-CAN-25683
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xkb/XKBMisc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c
+index abbfed90e..fd180fad2 100644
+--- a/xkb/XKBMisc.c
++++ b/xkb/XKBMisc.c
+@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb,
+         i = XkbSetNumGroups(i, 0);
+         xkb->map->key_sym_map[key].group_info = i;
+         XkbResizeKeySyms(xkb, key, 0);
++        XkbResizeKeyActions(xkb, key, 0);
+         return Success;
+     }
+ 
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26598.patch

@@ -0,0 +1,115 @@
+From 0f5ea9d269ac6225bcb302a1ec0f58878114da9f Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 16 Dec 2024 11:25:11 +0100
+Subject: [PATCH xserver] Xi: Fix barrier device search
+
+The function GetBarrierDevice() would search for the pointer device
+based on its device id and return the matching value, or supposedly NULL
+if no match was found.
+
+Unfortunately, as written, it would return the last element of the list
+if no matching device id was found which can lead to out of bounds
+memory access.
+
+Fix the search function to return NULL if not matching device is found,
+and adjust the callers to handle the case where the device cannot be
+found.
+
+CVE-2025-26598, ZDI-CAN-25740
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xi/xibarriers.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
+index 80c4b5981..28bc0a24f 100644
+--- a/Xi/xibarriers.c
++++ b/Xi/xibarriers.c
+@@ -131,14 +131,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c)
+ 
+ static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid)
+ {
+-    struct PointerBarrierDevice *pbd = NULL;
++    struct PointerBarrierDevice *p, *pbd = NULL;
+ 
+-    xorg_list_for_each_entry(pbd, &c->per_device, entry) {
+-        if (pbd->deviceid == deviceid)
++    xorg_list_for_each_entry(p, &c->per_device, entry) {
++        if (p->deviceid == deviceid) {
++            pbd = p;
+             break;
++        }
+     }
+ 
+-    BUG_WARN(!pbd);
+     return pbd;
+ }
+ 
+@@ -339,6 +340,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev,
+         double distance;
+ 
+         pbd = GetBarrierDevice(c, dev->id);
++        if (!pbd)
++            continue;
++
+         if (pbd->seen)
+             continue;
+ 
+@@ -447,6 +451,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
+         nearest = &c->barrier;
+ 
+         pbd = GetBarrierDevice(c, master->id);
++        if (!pbd)
++            continue;
++
+         new_sequence = !pbd->hit;
+ 
+         pbd->seen = TRUE;
+@@ -487,6 +494,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen,
+         int flags = 0;
+ 
+         pbd = GetBarrierDevice(c, master->id);
++        if (!pbd)
++            continue;
++
+         pbd->seen = FALSE;
+         if (!pbd->hit)
+             continue;
+@@ -681,6 +691,9 @@ BarrierFreeBarrier(void *data, XID id)
+             continue;
+ 
+         pbd = GetBarrierDevice(c, dev->id);
++        if (!pbd)
++            continue;
++
+         if (!pbd->hit)
+             continue;
+ 
+@@ -740,6 +753,8 @@ static void remove_master_func(void *res, XID id, void *devid)
+     barrier = container_of(b, struct PointerBarrierClient, barrier);
+ 
+     pbd = GetBarrierDevice(barrier, *deviceid);
++    if (!pbd)
++        return;
+ 
+     if (pbd->hit) {
+         BarrierEvent ev = {
+@@ -904,6 +919,10 @@ ProcXIBarrierReleasePointer(ClientPtr client)
+         barrier = container_of(b, struct PointerBarrierClient, barrier);
+ 
+         pbd = GetBarrierDevice(barrier, dev->id);
++        if (!pbd) {
++            client->errorValue = dev->id;
++            return BadDevice;
++        }
+ 
+         if (pbd->barrier_event_id == event_id)
+             pbd->release_event_id = event_id;
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26599-2.patch

@@ -0,0 +1,124 @@
+From f5ce639ff9d3af05e79efce6c51e084352d28ed1 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Jan 2025 16:09:43 +0100
+Subject: [PATCH xserver 2/2] composite: initialize border clip even when
+ pixmap alloc fails
+
+If it fails to allocate the pixmap, the function compAllocPixmap() would
+return early and leave the borderClip region uninitialized, which may
+lead to the use of uninitialized value as reported by valgrind:
+
+ Conditional jump or move depends on uninitialised value(s)
+    at 0x4F9B33: compClipNotify (compwindow.c:317)
+    by 0x484FC9: miComputeClips (mivaltree.c:476)
+    by 0x48559A: miValidateTree (mivaltree.c:679)
+    by 0x4F0685: MapWindow (window.c:2693)
+    by 0x4A344A: ProcMapWindow (dispatch.c:922)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+  Uninitialised value was created by a heap allocation
+    at 0x4841866: malloc (vg_replace_malloc.c:446)
+    by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+    by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+    by 0x4EBB89: CreateWindow (window.c:925)
+    by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+
+ Conditional jump or move depends on uninitialised value(s)
+    at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233)
+    by 0x4F9255: RegionTranslate (regionstr.h:312)
+    by 0x4F9B7E: compClipNotify (compwindow.c:319)
+    by 0x484FC9: miComputeClips (mivaltree.c:476)
+    by 0x48559A: miValidateTree (mivaltree.c:679)
+    by 0x4F0685: MapWindow (window.c:2693)
+    by 0x4A344A: ProcMapWindow (dispatch.c:922)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+  Uninitialised value was created by a heap allocation
+    at 0x4841866: malloc (vg_replace_malloc.c:446)
+    by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+    by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+    by 0x4EBB89: CreateWindow (window.c:925)
+    by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+
+ Conditional jump or move depends on uninitialised value(s)
+    at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241)
+    by 0x48EEE33: pixman_region_translate (pixman-region.c:2225)
+    by 0x4F9255: RegionTranslate (regionstr.h:312)
+    by 0x4F9B7E: compClipNotify (compwindow.c:319)
+    by 0x484FC9: miComputeClips (mivaltree.c:476)
+    by 0x48559A: miValidateTree (mivaltree.c:679)
+    by 0x4F0685: MapWindow (window.c:2693)
+    by 0x4A344A: ProcMapWindow (dispatch.c:922)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+  Uninitialised value was created by a heap allocation
+    at 0x4841866: malloc (vg_replace_malloc.c:446)
+    by 0x4F47BC: compRedirectWindow (compalloc.c:171)
+    by 0x4FA8AD: compCreateWindow (compwindow.c:592)
+    by 0x4EBB89: CreateWindow (window.c:925)
+    by 0x4A2E6E: ProcCreateWindow (dispatch.c:768)
+    by 0x4A25B5: Dispatch (dispatch.c:560)
+    by 0x4B082A: dix_main (main.c:282)
+    by 0x429233: main (stubmain.c:34)
+
+Fix compAllocPixmap() to initialize the border clip even if the creation
+of the backing pixmap has failed, to avoid depending later on
+uninitialized border clip values.
+
+Related to CVE-2025-26599, ZDI-CAN-25851
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ composite/compalloc.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/composite/compalloc.c b/composite/compalloc.c
+index ecb1b6147..d1342799b 100644
+--- a/composite/compalloc.c
++++ b/composite/compalloc.c
+@@ -605,9 +605,12 @@ compAllocPixmap(WindowPtr pWin)
+     int h = pWin->drawable.height + (bw << 1);
+     PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h);
+     CompWindowPtr cw = GetCompWindow(pWin);
++    Bool status;
+ 
+-    if (!pPixmap)
+-        return FALSE;
++    if (!pPixmap) {
++        status = FALSE;
++        goto out;
++    }
+     if (cw->update == CompositeRedirectAutomatic)
+         pWin->redirectDraw = RedirectDrawAutomatic;
+     else
+@@ -621,14 +624,16 @@ compAllocPixmap(WindowPtr pWin)
+         DamageRegister(&pWin->drawable, cw->damage);
+         cw->damageRegistered = TRUE;
+     }
++    status = TRUE;
+ 
++out:
+     /* Make sure our borderClip is up to date */
+     RegionUninit(&cw->borderClip);
+     RegionCopy(&cw->borderClip, &pWin->borderClip);
+     cw->borderClipX = pWin->drawable.x;
+     cw->borderClipY = pWin->drawable.y;
+ 
+-    return TRUE;
++    return status;
+ }
+ 
+ void
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26599.patch

@@ -0,0 +1,62 @@
+From 10a24e364ac15983051d0bb90817c88bbe107036 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Tue, 17 Dec 2024 15:19:45 +0100
+Subject: [PATCH xserver 1/2] composite: Handle failure to redirect in
+ compRedirectWindow()
+
+The function compCheckRedirect() may fail if it cannot allocate the
+backing pixmap.
+
+In that case, compRedirectWindow() will return a BadAlloc error.
+
+However that failure code path will shortcut the validation of the
+window tree marked just before, which leaves the validate data partly
+initialized.
+
+That causes a use of uninitialized pointer later.
+
+The fix is to not shortcut the call to compHandleMarkedWindows() even in
+the case of compCheckRedirect() returning an error.
+
+CVE-2025-26599, ZDI-CAN-25851
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ composite/compalloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/composite/compalloc.c b/composite/compalloc.c
+index e52c009bd..ecb1b6147 100644
+--- a/composite/compalloc.c
++++ b/composite/compalloc.c
+@@ -138,6 +138,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
+     CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen);
+     WindowPtr pLayerWin;
+     Bool anyMarked = FALSE;
++    int status = Success;
+ 
+     if (pWin == cs->pOverlayWin) {
+         return Success;
+@@ -216,13 +217,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update)
+ 
+     if (!compCheckRedirect(pWin)) {
+         FreeResource(ccw->id, RT_NONE);
+-        return BadAlloc;
++        status = BadAlloc;
+     }
+ 
+     if (anyMarked)
+         compHandleMarkedWindows(pWin, pLayerWin);
+ 
+-    return Success;
++    return status;
+ }
+ 
+ void
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26600.patch

@@ -0,0 +1,64 @@
+From 70ad5d36ae80f6e5a436eabfee642c2c013e51cc Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 16 Dec 2024 16:18:04 +0100
+Subject: [PATCH xserver] dix: Dequeue pending events on frozen device on
+ removal
+
+When a device is removed while still frozen, the events queued for that
+device remain while the device itself is freed.
+
+As a result, replaying the events will cause a use after free.
+
+To avoid the issue, make sure to dequeue and free any pending events on
+a frozen device when removed.
+
+CVE-2025-26600, ZDI-CAN-25871
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ dix/devices.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 969819534..740390207 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -966,6 +966,23 @@ FreeAllDeviceClasses(ClassesPtr classes)
+ 
+ }
+ 
++static void
++FreePendingFrozenDeviceEvents(DeviceIntPtr dev)
++{
++    QdEventPtr qe, tmp;
++
++    if (!dev->deviceGrab.sync.frozen)
++        return;
++
++    /* Dequeue any frozen pending events */
++    xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) {
++        if (qe->device == dev) {
++            xorg_list_del(&qe->next);
++            free(qe);
++        }
++    }
++}
++
+ /**
+  * Close down a device and free all resources.
+  * Once closed down, the driver will probably not expect you that you'll ever
+@@ -1030,6 +1047,7 @@ CloseDevice(DeviceIntPtr dev)
+         free(dev->last.touches[j].valuators);
+     free(dev->last.touches);
+     dev->config_info = NULL;
++    FreePendingFrozenDeviceEvents(dev);
+     dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE);
+     free(dev);
+ }
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26601-2.patch

@@ -0,0 +1,80 @@
+From 7dc3f11abb51cad8a59ecbff5278c8c8a318df41 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 16:54:30 +0100
+Subject: [PATCH xserver 2/4] sync: Check values before applying changes
+
+In SyncInitTrigger(), we would set the CheckTrigger function before
+validating the counter value.
+
+As a result, if the counter value overflowed, we would leave the
+function SyncInitTrigger() with the CheckTrigger applied but without
+updating the trigger object.
+
+To avoid that issue, move the portion of code checking for the trigger
+check value before updating the CheckTrigger function.
+
+Related to CVE-2025-26601, ZDI-CAN-25870
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xext/sync.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index 4267d3af6..4eab5a6ac 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -351,6 +351,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+         }
+     }
+ 
++    if (changes & (XSyncCAValueType | XSyncCAValue)) {
++        if (pTrigger->value_type == XSyncAbsolute)
++            pTrigger->test_value = pTrigger->wait_value;
++        else {                  /* relative */
++            Bool overflow;
++
++            if (pCounter == NULL)
++                return BadMatch;
++
++            overflow = checked_int64_add(&pTrigger->test_value,
++                                         pCounter->value, pTrigger->wait_value);
++            if (overflow) {
++                client->errorValue = pTrigger->wait_value >> 32;
++                return BadValue;
++            }
++        }
++    }
++
+     if (changes & XSyncCATestType) {
+ 
+         if (pSync && SYNC_FENCE == pSync->type) {
+@@ -379,24 +397,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+         }
+     }
+ 
+-    if (changes & (XSyncCAValueType | XSyncCAValue)) {
+-        if (pTrigger->value_type == XSyncAbsolute)
+-            pTrigger->test_value = pTrigger->wait_value;
+-        else {                  /* relative */
+-            Bool overflow;
+-
+-            if (pCounter == NULL)
+-                return BadMatch;
+-
+-            overflow = checked_int64_add(&pTrigger->test_value,
+-                                         pCounter->value, pTrigger->wait_value);
+-            if (overflow) {
+-                client->errorValue = pTrigger->wait_value >> 32;
+-                return BadValue;
+-            }
+-        }
+-    }
+-
+     if (changes & XSyncCACounter) {
+         if (pSync != pTrigger->pSync) { /* new counter for trigger */
+             SyncDeleteTriggerFromSyncObject(pTrigger);
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26601-3.patch

@@ -0,0 +1,47 @@
+From 4ccaa5134482b6be9c9a7f0b66cd221ef325d082 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 17:06:07 +0100
+Subject: [PATCH xserver 3/4] sync: Do not fail SyncAddTriggerToSyncObject()
+
+We do not want to return a failure at the very last step in
+SyncInitTrigger() after having all changes applied.
+
+SyncAddTriggerToSyncObject() must not fail on memory allocation, if the
+allocation of the SyncTriggerList fails, trigger a FatalError() instead.
+
+Related to CVE-2025-26601, ZDI-CAN-25870
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xext/sync.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index 4eab5a6ac..c36de1a2e 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -200,8 +200,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger)
+             return Success;
+     }
+ 
+-    if (!(pCur = malloc(sizeof(SyncTriggerList))))
+-        return BadAlloc;
++    /* Failure is not an option, it's succeed or burst! */
++    pCur = XNFalloc(sizeof(SyncTriggerList));
+ 
+     pCur->pTrigger = pTrigger;
+     pCur->next = pTrigger->pSync->pTriglist;
+@@ -409,8 +409,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+      *  a new counter on a trigger
+      */
+     if (newSyncObject) {
+-        if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success)
+-            return rc;
++        SyncAddTriggerToSyncObject(pTrigger);
+     }
+     else if (pCounter && IsSystemCounter(pCounter)) {
+         SyncComputeBracketValues(pCounter);
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26601-4.patch

@@ -0,0 +1,128 @@
+From f0984082067f79b45383fa1eb889c6a901667331 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 17:10:31 +0100
+Subject: [PATCH xserver 4/4] sync: Apply changes last in
+ SyncChangeAlarmAttributes()
+
+SyncChangeAlarmAttributes() would apply the various changes while
+checking for errors.
+
+If one of the changes triggers an error, the changes for the trigger,
+counter or delta value would remain, possibly leading to inconsistent
+changes.
+
+Postpone the actual changes until we're sure nothing else can go wrong.
+
+Related to CVE-2025-26601, ZDI-CAN-25870
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xext/sync.c | 42 +++++++++++++++++++++++++++---------------
+ 1 file changed, 27 insertions(+), 15 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index c36de1a2e..e282e6657 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -800,8 +800,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+     int status;
+     XSyncCounter counter;
+     Mask origmask = mask;
++    SyncTrigger trigger;
++    Bool select_events_changed = FALSE;
++    Bool select_events_value;
++    int64_t delta;
+ 
+-    counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None;
++    trigger = pAlarm->trigger;
++    delta = pAlarm->delta;
++    counter = trigger.pSync ? trigger.pSync->id : None;
+ 
+     while (mask) {
+         int index2 = lowbit(mask);
+@@ -817,24 +823,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+         case XSyncCAValueType:
+             mask &= ~XSyncCAValueType;
+             /* sanity check in SyncInitTrigger */
+-            pAlarm->trigger.value_type = *values++;
++            trigger.value_type = *values++;
+             break;
+ 
+         case XSyncCAValue:
+             mask &= ~XSyncCAValue;
+-            pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
++            trigger.wait_value = ((int64_t)values[0] << 32) | values[1];
+             values += 2;
+             break;
+ 
+         case XSyncCATestType:
+             mask &= ~XSyncCATestType;
+             /* sanity check in SyncInitTrigger */
+-            pAlarm->trigger.test_type = *values++;
++            trigger.test_type = *values++;
+             break;
+ 
+         case XSyncCADelta:
+             mask &= ~XSyncCADelta;
+-            pAlarm->delta = ((int64_t)values[0] << 32) | values[1];
++            delta = ((int64_t)values[0] << 32) | values[1];
+             values += 2;
+             break;
+ 
+@@ -844,10 +850,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+                 client->errorValue = *values;
+                 return BadValue;
+             }
+-            status = SyncEventSelectForAlarm(pAlarm, client,
+-                                             (Bool) (*values++));
+-            if (status != Success)
+-                return status;
++            select_events_value = (Bool) (*values++);
++            select_events_changed = TRUE;
+             break;
+ 
+         default:
+@@ -856,25 +860,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask,
+         }
+     }
+ 
++    if (select_events_changed) {
++        status = SyncEventSelectForAlarm(pAlarm, client, select_events_value);
++        if (status != Success)
++            return status;
++    }
++
+     /* "If the test-type is PositiveComparison or PositiveTransition
+      *  and delta is less than zero, or if the test-type is
+      *  NegativeComparison or NegativeTransition and delta is
+      *  greater than zero, a Match error is generated."
+      */
+     if (origmask & (XSyncCADelta | XSyncCATestType)) {
+-        if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) ||
+-              (pAlarm->trigger.test_type == XSyncPositiveTransition))
+-             && pAlarm->delta < 0)
++        if ((((trigger.test_type == XSyncPositiveComparison) ||
++              (trigger.test_type == XSyncPositiveTransition))
++             && delta < 0)
+             ||
+-            (((pAlarm->trigger.test_type == XSyncNegativeComparison) ||
+-              (pAlarm->trigger.test_type == XSyncNegativeTransition))
+-             && pAlarm->delta > 0)
++            (((trigger.test_type == XSyncNegativeComparison) ||
++              (trigger.test_type == XSyncNegativeTransition))
++             && delta > 0)
+             ) {
+             return BadMatch;
+         }
+     }
+ 
+     /* postpone this until now, when we're sure nothing else can go wrong */
++    pAlarm->delta = delta;
++    pAlarm->trigger = trigger;
+     if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter,
+                                   origmask & XSyncCAAllTrigger)) != Success)
+         return status;
+-- 
+2.48.1
+

SOURCES/xorg-CVE-2025-26601.patch

@@ -0,0 +1,66 @@
+From 573a2265aacfeaddcc1bb001905a6f7d4fa15ee6 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 20 Jan 2025 16:52:01 +0100
+Subject: [PATCH xserver 1/4] sync: Do not let sync objects uninitialized
+
+When changing an alarm, the change mask values are evaluated one after
+the other, changing the trigger values as requested and eventually,
+SyncInitTrigger() is called.
+
+SyncInitTrigger() will evaluate the XSyncCACounter first and may free
+the existing sync object.
+
+Other changes are then evaluated and may trigger an error and an early
+return, not adding the new sync object.
+
+This can be used to cause a use after free when the alarm eventually
+triggers.
+
+To avoid the issue, delete the existing sync object as late as possible
+only once we are sure that no further error will cause an early exit.
+
+CVE-2025-26601, ZDI-CAN-25870
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xext/sync.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/Xext/sync.c b/Xext/sync.c
+index b6417b3b0..4267d3af6 100644
+--- a/Xext/sync.c
++++ b/Xext/sync.c
+@@ -330,11 +330,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+             client->errorValue = syncObject;
+             return rc;
+         }
+-        if (pSync != pTrigger->pSync) { /* new counter for trigger */
+-            SyncDeleteTriggerFromSyncObject(pTrigger);
+-            pTrigger->pSync = pSync;
+-            newSyncObject = TRUE;
+-        }
+     }
+ 
+     /* if system counter, ask it what the current value is */
+@@ -402,6 +397,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject,
+         }
+     }
+ 
++    if (changes & XSyncCACounter) {
++        if (pSync != pTrigger->pSync) { /* new counter for trigger */
++            SyncDeleteTriggerFromSyncObject(pTrigger);
++            pTrigger->pSync = pSync;
++            newSyncObject = TRUE;
++        }
++    }
++
+     /*  we wait until we're sure there are no errors before registering
+      *  a new counter on a trigger
+      */
+-- 
+2.48.1
+

SPECS/tigervnc.spec

@@ -4,8 +4,8 @@
 %global modulename vncsession
 
 Name:           tigervnc
-Version:        1.12.0
-Release:        9%{?dist}
+Version:        1.15.0
+Release:        1%{?dist}
 Summary:        A TigerVNC remote display system
 
 %global _hardened_build 1
@@ -13,7 +13,7 @@ Summary:        A TigerVNC remote display system
 License:        GPLv2+
 URL:            http://www.tigervnc.com
 
-Source0:        %{name}-%{version}.tar.gz
+Source0:        https://github.com/TigerVNC/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        xvnc.service
 Source2:        xvnc.socket
 Source3:        10-libvnc.conf
@@ -21,47 +21,86 @@ Source3:        10-libvnc.conf
 # Backwards compatibility
 Source5:        vncserver
 
+# Downstream patches
 Patch1:         tigervnc-use-gnome-as-default-session.patch
+# https://github.com/TigerVNC/tigervnc/pull/1425
+Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch
+Patch3:         tigervnc-dont-install-appstream-metadata-file.patch
 
 # Upstream patches
-Patch50:        tigervnc-selinux-restore-context-in-case-of-different-policies.patch
-Patch51:        tigervnc-fix-typo-in-mirror-monitor-detection.patch
-Patch52:        tigervnc-root-user-selinux-context.patch
-Patch53:        tigervnc-vncsession-restore-script-systemd-service.patch
-# https://github.com/TigerVNC/tigervnc/pull/1513
-Patch54:        tigervnc-fix-ghost-cursor-in-zaphod-mode.patch
-# https://github.com/TigerVNC/tigervnc/pull/1510
-Patch55:       tigervnc-add-new-keycodes-for-unknown-keysyms.patch
-
-# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
-Patch100:       tigervnc-xserver120.patch
-# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
-Patch101:       0001-rpath-hack.patch
+Patch50:        tigervnc-add-selinux-policy-rules-allowing-create-dirs-under-root-dir.patch
+Patch51:        tigervnc-add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open.patch
 
 # Upstreamable patches
 
+# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
+Patch100:       0001-rpath-hack.patch
+
+# XServer patches
+Patch200:       xorg-CVE-2025-26594.patch
+Patch201:       xorg-CVE-2025-26594-2.patch
+Patch202:       xorg-CVE-2025-26595.patch
+Patch203:       xorg-CVE-2025-26596.patch
+Patch204:       xorg-CVE-2025-26597.patch
+Patch205:       xorg-CVE-2025-26598.patch
+Patch206:       xorg-CVE-2025-26599.patch
+Patch207:       xorg-CVE-2025-26599-2.patch
+Patch208:       xorg-CVE-2025-26600.patch
+Patch209:       xorg-CVE-2025-26601.patch
+Patch210:       xorg-CVE-2025-26601-2.patch
+Patch211:       xorg-CVE-2025-26601-3.patch
+Patch212:       xorg-CVE-2025-26601-4.patch
+
+BuildRequires:  make
 BuildRequires:  gcc-c++
-BuildRequires:  libX11-devel, automake, autoconf, libtool, gettext, gettext-autopoint
-BuildRequires:  libXext-devel, xorg-x11-server-source, libXi-devel
-BuildRequires:  xorg-x11-xtrans-devel, xorg-x11-util-macros, libXtst-devel
-BuildRequires:  libxkbfile-devel, openssl-devel, libpciaccess-devel
-BuildRequires:  mesa-libGL-devel, libXinerama-devel, xorg-x11-font-utils
-BuildRequires:  freetype-devel, libXdmcp-devel, libxshmfence-devel
-BuildRequires:  libjpeg-turbo-devel, gnutls-devel, pam-devel
-BuildRequires:  libdrm-devel, libXt-devel, pixman-devel
-BuildRequires:  systemd, cmake, desktop-file-utils
-BuildRequires:  libselinux-devel, selinux-policy-devel
-BuildRequires:  libXfixes-devel, libXdamage-devel, libXrandr-devel
-%if 0%{?fedora} > 24 || 0%{?rhel} >= 7
-BuildRequires:  libXfont2-devel
-%else
-BuildRequires:  libXfont-devel
-%endif
+BuildRequires:  gettext
+BuildRequires:  cmake
+
+BuildRequires:  gnutls-devel
+BuildRequires:  desktop-file-utils
+BuildRequires:  libappstream-glib
+BuildRequires:  libjpeg-turbo-devel
+BuildRequires:  openssl-devel
+BuildRequires:  pam-devel
+BuildRequires:  zlib-devel
 
 # TigerVNC 1.4.x requires fltk 1.3.3 for keyboard handling support
 # See https://github.com/TigerVNC/tigervnc/issues/8, also bug #1208814
 BuildRequires:  fltk-devel >= 1.3.3
+BuildRequires:  libX11-devel
+BuildRequires:  libXext-devel
+BuildRequires:  libXi-devel
+BuildRequires:  libXrandr-devel
+BuildRequires:  libXrender-devel
+BuildRequires:  pixman-devel
+
+# X11/graphics dependencies
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  gettext-autopoint
+BuildRequires:  libXdamage-devel
+BuildRequires:  libXdmcp-devel
+BuildRequires:  libXfixes-devel
+BuildRequires:  libXfont2-devel
+BuildRequires:  libXinerama-devel
+BuildRequires:  libXt-devel
+BuildRequires:  libXtst-devel
+BuildRequires:  libdrm-devel
+BuildRequires:  mesa-libgbm-devel
+BuildRequires:  libtool
+BuildRequires:  libxkbfile-devel
+BuildRequires:  libxshmfence-devel
+BuildRequires:  mesa-libGL-devel
+BuildRequires:  pkgconfig(fontutil)
+BuildRequires:  pkgconfig(xkbcomp)
 BuildRequires:  xorg-x11-server-devel
+BuildRequires:  xorg-x11-server-source
+BuildRequires:  xorg-x11-util-macros
+BuildRequires:  xorg-x11-xtrans-devel
+
+# SELinux
+BuildRequires:  libselinux-devel
+BuildRequires:  selinux-policy-devel
 
 Requires(post): coreutils
 Requires(postun):coreutils
@@ -69,6 +108,7 @@ Requires(postun):coreutils
 Requires:       hicolor-icon-theme
 Requires:       tigervnc-license
 Requires:       tigervnc-icons
+Requires:       which
 
 %description
 Virtual Network Computing (VNC) is a remote display system which
@@ -99,11 +139,16 @@ X session.
 
 %package server-minimal
 Summary:        A minimal installation of TigerVNC server
-Requires(post): chkconfig
-Requires(preun):chkconfig
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+Requires(post): systemd
 
-Requires:       mesa-dri-drivers, xkeyboard-config, xorg-x11-xkb-utils
-Requires:       tigervnc-license, dbus-x11
+Requires:       dbus-x11
+Requires:       mesa-dri-drivers
+Requires:       tigervnc-license
+Requires:       xkbcomp
+Requires:       xkeyboard-config
 
 %description server-minimal
 The VNC system allows you to access the same desktop from a wide
@@ -159,20 +204,33 @@ pushd unix/xserver
 for all in `find . -type f -perm -001`; do
         chmod -x "$all"
 done
-%patch100 -p1 -b .xserver120-rebased
-%patch101 -p1 -b .rpath
+%patch -P100 -p1 -b .rpath
+cat ../xserver120.patch | patch -p1
+
+%patch -P200 -p1 -b .xorg-CVE-2025-26594
+%patch -P201 -p1 -b .xorg-CVE-2025-26594-2
+%patch -P202 -p1 -b .xorg-CVE-2025-26595
+%patch -P203 -p1 -b .xorg-CVE-2025-26596
+%patch -P204 -p1 -b .xorg-CVE-2025-26597
+%patch -P205 -p1 -b .xorg-CVE-2025-26598
+%patch -P206 -p1 -b .xorg-CVE-2025-26599
+%patch -P207 -p1 -b .xorg-CVE-2025-26599-2
+%patch -P208 -p1 -b .xorg-CVE-2025-26600
+%patch -P209 -p1 -b .xorg-CVE-2025-26601
+%patch -P210 -p1 -b .xorg-CVE-2025-26601-2
+%patch -P211 -p1 -b .xorg-CVE-2025-26601-3
+%patch -P212 -p1 -b .xorg-CVE-2025-26601-4
 popd
 
-%patch1 -p1 -b .use-gnome-as-default-session
+%patch -P1 -p1 -b .use-gnome-as-default-session
+%patch -P2 -p1 -b .vncsession-restore-script-systemd-service
+%patch -P3 -p1 -b .dont-install-appstream-metadata-file.patch
 
 # Upstream patches
-%patch50 -p1 -b .selinux-restore-context-in-case-of-different-policies
-%patch51 -p1 -b .fix-typo-in-mirror-monitor-detection
-%patch52 -p1 -b .root-user-selinux-context
-%patch53 -p1 -b .vncsession-restore-script-systemd-service
-%patch54 -p1 -b .fix-ghost-cursor-in-zaphod-mode
-%patch55 -p1 -b .add-new-keycodes-for-unknown-keysyms
+%patch -P50 -p1 -b .add-selinux-policy-rules-allowing-create-dirs-under-root-dir
+%patch -P51 -p1 -b .add-selinux-policy-rules-allowing-access-to-proc-sys-fs-nr-open
 
+# Upstreamable patches
 
 %build
 %ifarch sparcv9 sparc64 s390 s390x
@@ -180,7 +238,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fPIC"
 %else
 export CFLAGS="$RPM_OPT_FLAGS -fpic"
 %endif
-export CXXFLAGS="$CFLAGS"
+export CXXFLAGS="$CFLAGS -std=c++11"
 
 %{cmake} .
 make %{?_smp_mflags}
@@ -191,15 +249,12 @@ autoreconf -fiv
         --disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
         --disable-xwin --disable-xephyr --disable-kdrive --disable-xwayland \
         --with-pic --disable-static \
-        --with-default-font-path="catalogue:%{_sysconfdir}/X11/fontpath.d,built-ins" \
-        --with-fontdir=%{_datadir}/X11/fonts \
+        --with-default-font-path="catalogue:/etc/X11/fontpath.d,built-ins" \
         --with-xkb-output=%{_localstatedir}/lib/xkb \
-        --enable-install-libxf86config \
-        --enable-glx --disable-dri --enable-dri2 --disable-dri3 \
+        --enable-glx --disable-dri --enable-dri2 --enable-dri3 \
         --disable-unit-tests \
         --disable-config-hal \
         --disable-config-udev \
-        --with-dri-driver-path=%{_libdir}/dri \
         --without-dtrace \
         --disable-devel-docs \
         --disable-selective-werror
@@ -233,17 +288,18 @@ popd
 # Install systemd unit file
 install -m644 %{SOURCE1} %{buildroot}%{_unitdir}/xvnc@.service
 install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket
+# Install old vncserver script
+install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
 
 # Install desktop stuff
 mkdir -p %{buildroot}%{_datadir}/icons/hicolor/{16x16,24x24,48x48}/apps
 
 pushd media/icons
-for s in 16 24 48; do
+for s in 16 22 24 32 48 64 128; do
 install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps/tigervnc.png
 done
 popd
 
-install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
 
 %find_lang %{name} %{name}.lang
 
@@ -254,15 +310,14 @@ mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/
 install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
 
 %post server
-%systemd_post xvnc.service
+%systemd_post xvnc@.service
 %systemd_post xvnc.socket
 
 %preun server
-%systemd_preun xvnc.service
 %systemd_preun xvnc.socket
 
 %postun server
-%systemd_postun xvnc.service
+%systemd_postun xvnc@.service
 %systemd_postun xvnc.socket
 
 %pre selinux
@@ -293,8 +348,8 @@ fi
 %{_unitdir}/vncserver@.service
 %{_unitdir}/xvnc@.service
 %{_unitdir}/xvnc.socket
-%{_bindir}/x0vncserver
 %{_bindir}/vncserver
+%{_bindir}/x0vncserver
 %{_sbindir}/vncsession
 %{_libexecdir}/vncserver
 %{_libexecdir}/vncsession-start
@@ -314,7 +369,7 @@ fi
 
 %files server-module
 %{_libdir}/xorg/modules/extensions/libvnc.so
-%config %{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
+%config(noreplace) %{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
 
 %files license
 %{_docdir}/tigervnc/LICENCE.TXT
@@ -324,9 +379,108 @@ fi
 
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
-%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 
 %changelog
+* Wed Feb 26 2025 Jan Grulich <jgrulich@redhat.com> - 1.15.0-1
+- 1.15.0
+  Resolves: RHEL-79161
+  Resolves: RHEL-79982
+
+* Wed Feb 26 2025 Jan Grulich <jgrulich@redhat.com> - 1.13.1-15
+- Fix CVE-2025-26594 xorg-x11-server Use-after-free of the root cursor
+  Resolves: RHEL-79397
+- Fix CVE-2025-26595 xorg-x11-server Buffer overflow in XkbVModMaskText()
+  Resolves: RHEL-79401
+- Fix CVE-2025-26596 xorg-x11-server Heap overflow in XkbWriteKeySyms()
+  Resolves: RHEL-79386
+- Fix CVE-2025-26597 xorg-x11-server Buffer overflow in XkbChangeTypesOfKey()
+  Resolves: RHEL-79380
+- Fix CVE-2025-26598 xorg-x11-server Out-of-bounds write in CreatePointerBarrierClient()
+  Resolves: RHEL-79369
+- Fix CVE-2025-26599 xorg-x11-server Use of uninitialized pointer in compRedirectWindow()
+  Resolves: RHEL-79364
+- Fix CVE-2025-26600 xorg-x11-server Use-after-free in PlayReleasedEvents()
+  Resolves: RHEL-79360
+- Fix CVE-2025-26601 xorg-x11-server Use-after-free in SyncInitTrigger()
+  Resolves: RHEL-79348
+
+* Thu Oct 31 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-14
+- Fix CVE-2024-9632: xorg-x11-server: heap-based buffer overflow privilege escalation vulnerability
+  Resolves: RHEL-61999
+
+* Mon Aug 05 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-13
+- vncsession: use /bin/sh if the user shell is not set
+  Resolves: RHEL-52827
+
+* Fri Jul 12 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-12
+- Fix FTBS: drop already applied Xorg patches
+  Resolves: RHEL-46696
+
+* Tue May 28 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11
+- vncconfig: add option to force view-only remote client connections
+  Resolves: RHEL-11908
+
+* Mon Apr 15 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10
+- Drop patches that are already part of xorg-x11-server
+  Resolves: RHEL-30755
+  Resolves: RHEL-30767
+  Resolves: RHEL-30761
+
+* Thu Apr 04 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-9
+- Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
+  Resolves: RHEL-30755
+- Fix CVE-2024-31083 tigervnc: xorg-x11-server: User-after-free in ProcRenderAddGlyphs
+  Resolves: RHEL-30767
+- Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
+  Resolves: RHEL-30761
+
+* Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8
+- Fix copy/paste error in the DeviceStateNotify
+  Resolves: RHEL-20530
+
+* Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
+- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
+  Resolves: RHEL-20388
+- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
+  Resolves: RHEL-20382
+- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
+  Resolves: RHEL-20530
+- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
+  Resolves: RHEL-21214
+
+* Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6
+- Use dup() to get available file descriptor when using -inetd option
+  Resolves: RHEL-21000
+
+* Mon Dec 18 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-5
+- Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions
+  Resolves: RHEL-18410
+- Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
+  Resolves: RHEL-18422
+
+* Wed Nov 01 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-4
+- Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow
+  Resolves: RHEL-15236
+
+- Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty
+  Resolves: RHEL-15230
+
+* Mon Oct 09 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-3
+- Support username alias in PlainUsers
+  Resolves: RHEL-4258
+
+* Tue Apr 11 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-2
+- xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege
+  Escalation Vulnerability
+  Resolves: bz#2180306
+
+* Tue Mar 21 2023 Jan Grulich <jgrulich@redhat.com> - 1.13.1-1
+- 1.13.1
+  Resolves: bz#2175748
+- Restore "--fallbacktofreeport" option in the vncserver script
+  Resolves: bz#2174398
+
 * Thu Dec 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-9
 - Bump build version to fix upgrade path
   Resolves: bz#1437569