diff --git a/.gitignore b/.gitignore index abe71a2..909656d 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/tigervnc-1.14.0.tar.gz +SOURCES/tigervnc-1.14.1.tar.gz diff --git a/.tigervnc.metadata b/.tigervnc.metadata index 637f775..6633de2 100644 --- a/.tigervnc.metadata +++ b/.tigervnc.metadata @@ -1 +1 @@ -9e67944113159da85f42c24b43f40b842f23feb3 SOURCES/tigervnc-1.14.0.tar.gz +bc3c8bc9f454eb307011cd5965251f4a28040a25 SOURCES/tigervnc-1.14.1.tar.gz diff --git a/SOURCES/tigervnc-add-missing-coma-in-default-security-type-list.patch b/SOURCES/tigervnc-add-missing-coma-in-default-security-type-list.patch deleted file mode 100644 index cb426b6..0000000 --- a/SOURCES/tigervnc-add-missing-coma-in-default-security-type-list.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 4f6a3521874da5a67fd746389cfa9b6199eb3582 Mon Sep 17 00:00:00 2001 -From: Pierre Ossman -Date: Mon, 29 Jul 2024 16:16:08 +0200 -Subject: [PATCH] Add missing comma in default security type list - -Otherwise it merges with the next entry, removing both of them from the -default list. ---- - common/rfb/SecurityClient.cxx | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/common/rfb/SecurityClient.cxx b/common/rfb/SecurityClient.cxx -index 12860662f..63e0cadc0 100644 ---- a/common/rfb/SecurityClient.cxx -+++ b/common/rfb/SecurityClient.cxx -@@ -60,7 +60,7 @@ StringParameter SecurityClient::secTypes - "X509Plain,TLSPlain,X509Vnc,TLSVnc,X509None,TLSNone," - #endif - #ifdef HAVE_NETTLE -- "RA2,RA2_256,RA2ne,RA2ne_256,DH,MSLogonII" -+ "RA2,RA2_256,RA2ne,RA2ne_256,DH,MSLogonII," - #endif - "VncAuth,None", - ConfViewer); diff --git a/SOURCES/tigervnc-correctly-handle-zrle-cursors.patch b/SOURCES/tigervnc-correctly-handle-zrle-cursors.patch deleted file mode 100644 index 1b17302..0000000 --- a/SOURCES/tigervnc-correctly-handle-zrle-cursors.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 6d9017eeb364491cf2acdf1c7e61aee8dd198527 Mon Sep 17 00:00:00 2001 -From: Pierre Ossman -Date: Fri, 30 Aug 2024 16:15:09 +0200 -Subject: [PATCH] Correctly handle ZRLE cursors - -Cursor data has a depth of 32 bits and hence cannot use CPIXELs. - -This is a regression from baca73d. ---- - common/rfb/ZRLEDecoder.cxx | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/common/rfb/ZRLEDecoder.cxx b/common/rfb/ZRLEDecoder.cxx -index 474fd6ca1..e274a697a 100644 ---- a/common/rfb/ZRLEDecoder.cxx -+++ b/common/rfb/ZRLEDecoder.cxx -@@ -125,10 +125,10 @@ void ZRLEDecoder::zrleDecode(const Rect& r, rdr::InStream* is, - Pixel maxPixel = pf.pixelFromRGB((uint16_t)-1, (uint16_t)-1, (uint16_t)-1); - bool fitsInLS3Bytes = maxPixel < (1<<24); - bool fitsInMS3Bytes = (maxPixel & 0xff) == 0; -- bool isLowCPixel = (sizeof(T) == 4) && -+ bool isLowCPixel = (sizeof(T) == 4) && (pf.depth <= 24) && - ((fitsInLS3Bytes && pf.isLittleEndian()) || - (fitsInMS3Bytes && pf.isBigEndian())); -- bool isHighCPixel = (sizeof(T) == 4) && -+ bool isHighCPixel = (sizeof(T) == 4) && (pf.depth <= 24) && - ((fitsInLS3Bytes && pf.isBigEndian()) || - (fitsInMS3Bytes && pf.isLittleEndian())); - diff --git a/SOURCES/tigervnc-handle-existing-config-directory-in-vncpasswd.patch b/SOURCES/tigervnc-handle-existing-config-directory-in-vncpasswd.patch deleted file mode 100644 index ea431f8..0000000 --- a/SOURCES/tigervnc-handle-existing-config-directory-in-vncpasswd.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 445e0230cf4e939dcc59caf5d5f001c2f7b04da6 Mon Sep 17 00:00:00 2001 -From: Pierre Ossman -Date: Thu, 15 Aug 2024 14:24:42 +0200 -Subject: [PATCH] Handle existing config directory in vncpasswd - -This fixes commit a79c33d. ---- - unix/vncpasswd/vncpasswd.cxx | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx -index 6666955f1..9f794e129 100644 ---- a/unix/vncpasswd/vncpasswd.cxx -+++ b/unix/vncpasswd/vncpasswd.cxx -@@ -213,8 +213,10 @@ int main(int argc, char** argv) - exit(1); - } - if (os::mkdir_p(configDir, 0777) == -1) { -- fprintf(stderr, "Could not create VNC config directory: %s\n", strerror(errno)); -- exit(1); -+ if (errno != EEXIST) { -+ fprintf(stderr, "Could not create VNC config directory: %s\n", strerror(errno)); -+ exit(1); -+ } - } - snprintf(fname, sizeof(fname), "%s/passwd", configDir); - } diff --git a/SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch b/SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch index e69de29..9a1ae26 100644 --- a/SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch +++ b/SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch @@ -0,0 +1,94 @@ +From e26bc65b92d1e43570619deadf20b965e0952fef Mon Sep 17 00:00:00 2001 +From: Pat Riehecky +Date: Wed, 31 Jul 2024 14:43:46 -0500 +Subject: [PATCH] vncsession: Move existing log to log.old if present + +--- + unix/vncserver/vncsession.c | 47 ++++++++++++++++++++++++++++--------- + 1 file changed, 36 insertions(+), 11 deletions(-) + +diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c +index 98a0432aa..a10e0789e 100644 +--- a/unix/vncserver/vncsession.c ++++ b/unix/vncserver/vncsession.c +@@ -393,8 +393,9 @@ redir_stdio(const char *homedir, const char *display, char **envp) + int fd; + long hostlen; + char* hostname = NULL, *xdgstate; +- char logfile[PATH_MAX], legacy[PATH_MAX]; ++ char logdir[PATH_MAX], logfile[PATH_MAX], logfile_old[PATH_MAX], legacy[PATH_MAX]; + struct stat st; ++ size_t fmt_len; + + fd = open("/dev/null", O_RDONLY); + if (fd == -1) { +@@ -408,15 +409,24 @@ redir_stdio(const char *homedir, const char *display, char **envp) + close(fd); + + xdgstate = getenvp("XDG_STATE_HOME", envp); +- if (xdgstate != NULL && xdgstate[0] == '/') +- snprintf(logfile, sizeof(logfile), "%s/tigervnc", xdgstate); +- else +- snprintf(logfile, sizeof(logfile), "%s/.local/state/tigervnc", homedir); ++ if (xdgstate != NULL && xdgstate[0] == '/') { ++ fmt_len = snprintf(logdir, sizeof(logdir), "%s/tigervnc", xdgstate); ++ if (fmt_len >= sizeof(logdir)) { ++ syslog(LOG_CRIT, "Log dir path too long"); ++ _exit(EX_OSERR); ++ } ++ } else { ++ fmt_len = snprintf(logdir, sizeof(logdir), "%s/.local/state/tigervnc", homedir); ++ if (fmt_len >= sizeof(logdir)) { ++ syslog(LOG_CRIT, "Log dir path too long"); ++ _exit(EX_OSERR); ++ } ++ } + + snprintf(legacy, sizeof(legacy), "%s/.vnc", homedir); +- if (stat(logfile, &st) != 0 && stat(legacy, &st) == 0) { ++ if (stat(logdir, &st) != 0 && stat(legacy, &st) == 0) { + syslog(LOG_WARNING, "~/.vnc is deprecated, please consult 'man vncsession' for paths to migrate to."); +- strcpy(logfile, legacy); ++ strcpy(logdir, legacy); + + #ifdef HAVE_SELINUX + /* this is only needed to handle historical type changes for the legacy dir */ +@@ -431,9 +441,9 @@ redir_stdio(const char *homedir, const char *display, char **envp) + #endif + } + +- if (mkdir_p(logfile, 0755) == -1) { ++ if (mkdir_p(logdir, 0755) == -1) { + if (errno != EEXIST) { +- syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno)); ++ syslog(LOG_CRIT, "Failure creating \"%s\": %s", logdir, strerror(errno)); + _exit(EX_OSERR); + } + } +@@ -450,9 +460,24 @@ redir_stdio(const char *homedir, const char *display, char **envp) + _exit(EX_OSERR); + } + +- snprintf(logfile + strlen(logfile), sizeof(logfile) - strlen(logfile), "/%s%s.log", +- hostname, display); ++ fmt_len = snprintf(logfile, sizeof(logfile), "/%s/%s%s.log", logdir, hostname, display); ++ if (fmt_len >= sizeof(logfile)) { ++ syslog(LOG_CRIT, "Log path too long"); ++ _exit(EX_OSERR); ++ } ++ fmt_len = snprintf(logfile_old, sizeof(logfile_old), "/%s/%s%s.log.old", logdir, hostname, display); ++ if (fmt_len >= sizeof(logfile)) { ++ syslog(LOG_CRIT, "Log.old path too long"); ++ _exit(EX_OSERR); ++ } + free(hostname); ++ ++ if (stat(logfile, &st) == 0) { ++ if (rename(logfile, logfile_old) != 0) { ++ syslog(LOG_CRIT, "Failure renaming log file \"%s\" to \"%s\": %s", logfile, logfile_old, strerror(errno)); ++ _exit(EX_OSERR); ++ } ++ } + fd = open(logfile, O_CREAT | O_WRONLY | O_TRUNC, 0644); + if (fd == -1) { + syslog(LOG_CRIT, "Failure creating log file \"%s\": %s", logfile, strerror(errno)); diff --git a/SOURCES/tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch b/SOURCES/tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch deleted file mode 100644 index 3f46c73..0000000 --- a/SOURCES/tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 4db34f73d461b973867ddaf18bf690219229cd7a Mon Sep 17 00:00:00 2001 -From: Carlos Santos -Date: Thu, 25 Jul 2024 18:39:59 -0300 -Subject: [PATCH] vncsession: use /bin/sh if the user shell is not set - -An empty shell field in the password file is valid, although not common. -Use /bin/sh in this case, as documented in the passwd(5) man page, since -the vncserver script requires a non-empty SHELL environment variable. - -Fixes issue #1786. - -Signed-off-by: Carlos Santos ---- - unix/vncserver/vncsession.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c -index 1ee096c7c..98a0432aa 100644 ---- a/unix/vncserver/vncsession.c -+++ b/unix/vncserver/vncsession.c -@@ -545,7 +545,7 @@ run_script(const char *username, const char *display, char **envp) - - // Set up some basic environment for the script - setenv("HOME", pwent->pw_dir, 1); -- setenv("SHELL", pwent->pw_shell, 1); -+ setenv("SHELL", *pwent->pw_shell != '\0' ? pwent->pw_shell : "/bin/sh", 1); - setenv("LOGNAME", pwent->pw_name, 1); - setenv("USER", pwent->pw_name, 1); - setenv("USERNAME", pwent->pw_name, 1); diff --git a/SOURCES/xorg-CVE-2024-9632.patch b/SOURCES/xorg-CVE-2024-9632.patch new file mode 100644 index 0000000..2db1508 --- /dev/null +++ b/SOURCES/xorg-CVE-2024-9632.patch @@ -0,0 +1,54 @@ +From 56351307017e2501f7cd6e31efcfb55c19aba75a Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 10 Oct 2024 10:37:28 +0200 +Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The _XkbSetCompatMap() function attempts to resize the `sym_interpret` +buffer. + +However, It didn't update its size properly. It updated `num_si` only, +without updating `size_si`. + +This may lead to local privilege escalation if the server is run as root +or remote code execution (e.g. x11 over ssh). + +CVE-2024-9632, ZDI-CAN-24756 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Reviewed-by: Peter Hutterer +Tested-by: Peter Hutterer +Reviewed-by: José Expósito +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index f203270d5..70e8279aa 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2991,13 +2991,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + +- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { +- compat->num_si = req->firstSI + req->nSI; ++ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { ++ compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +- compat->num_si, ++ compat->size_si, + sizeof(XkbSymInterpretRec)); + if (!compat->sym_interpret) { +- compat->num_si = 0; ++ compat->num_si = compat->size_si = 0; + return BadAlloc; + } + } +-- +2.46.2 + diff --git a/SPECS/tigervnc.spec b/SPECS/tigervnc.spec index 87565d3..c11e210 100644 --- a/SPECS/tigervnc.spec +++ b/SPECS/tigervnc.spec @@ -4,8 +4,8 @@ %global modulename vncsession Name: tigervnc -Version: 1.14.0 -Release: 2%{?dist} +Version: 1.14.1 +Release: 1%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1 @@ -23,14 +23,11 @@ Source5: vncserver # Downstream patches Patch1: tigervnc-use-gnome-as-default-session.patch +# https://github.com/TigerVNC/tigervnc/pull/1425 Patch2: tigervnc-vncsession-restore-script-systemd-service.patch # Upstream patches -Patch50: tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch -Patch51: tigervnc-add-missing-coma-in-default-security-type-list.patch -Patch52: tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch -Patch53: tigervnc-handle-existing-config-directory-in-vncpasswd.patch -Patch54: tigervnc-correctly-handle-zrle-cursors.patch +Patch50: tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch # Upstreamable patches Patch80: tigervnc-dont-get-pointer-position-for-floating-device.patch @@ -41,7 +38,7 @@ Patch100: tigervnc-xserver120.patch Patch101: 0001-rpath-hack.patch # XServer patches - +Patch200: xorg-CVE-2024-9632.patch BuildRequires: make BuildRequires: gcc-c++ @@ -91,7 +88,9 @@ BuildRequires: xorg-x11-util-macros BuildRequires: xorg-x11-xtrans-devel # SELinux -BuildRequires: libselinux-devel, selinux-policy-devel, systemd +BuildRequires: libselinux-devel +BuildRequires: selinux-policy-devel +BuildRequires: systemd Requires(post): coreutils Requires(postun):coreutils @@ -194,6 +193,7 @@ done # Xorg patches %patch -P100 -p1 -b .xserver120-rebased %patch -P101 -p1 -b .rpath +%patch -P200 -p1 -b .xorg-CVE-2024-9632 popd # Tigervnc patches @@ -201,11 +201,7 @@ popd %patch -P2 -p1 -b .vncsession-restore-script-systemd-service # Upstream patches -%patch -P50 -p1 -b .vncsession-use-bin-sh-when-shell-not-set -%patch -P51 -p1 -b .add-missing-coma-in-default-security-type-list -%patch -P52 -p1 -b .vncsession-move-existing-log-to-log-old-if-present -%patch -P53 -p1 -b .handle-existing-config-directory-in-vncpasswd -%patch -P54 -p1 -b .correctly-handle-zrle-cursors.patch +%patch -P50 -p1 -b .vncsession-move-existing-log-to-log-old-if-present # Upstreamable patches %patch -P80 -p1 -b .dont-get-pointer-position-for-floating-device @@ -390,13 +386,11 @@ fi %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %changelog -* Tue Jul 23 2024 Jan Grulich - 1.14.0-2 -- 1.14.0 - Resolves: RHEL-45316 -- Move old log to log.old if present - Resolves: RHEL-54294 -- Fix shared memory leak - Resolves: RHEL-55768 +* Fri Nov 08 2024 Jan Grulich - 1.14.1-1 +- 1.14.1 + Resolves: RHEL-66600 +- Fix CVE-2024-9632: xorg-x11-server: heap-based buffer overflow privilege escalation vulnerability + Resolves: RHEL-62000 * Mon Aug 05 2024 Jan Grulich - 1.13.1-11 - vncsession: use /bin/sh if the user shell is not set