From 981c40973d46230477bcc1f527ad628bd4e194a4 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Thu, 28 Mar 2024 18:36:58 +0300 Subject: [PATCH] import tigervnc-1.13.1-8.el9 --- ...pointer-position-for-floating-device.patch | 13 ++ ...support-username-alias-in-plainusers.patch | 135 ++++++++++++++++++ ...se-dup-to-get-available-fd-for-inetd.patch | 17 +++ SOURCES/xorg-CVE-2024-0229-followup.patch | 32 +++++ SPECS/tigervnc.spec | 55 ++++++- 5 files changed, 250 insertions(+), 2 deletions(-) create mode 100644 SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch create mode 100644 SOURCES/tigervnc-support-username-alias-in-plainusers.patch create mode 100644 SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch create mode 100644 SOURCES/xorg-CVE-2024-0229-followup.patch diff --git a/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch b/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch new file mode 100644 index 0000000..3bf7dda --- /dev/null +++ b/SOURCES/tigervnc-dont-get-pointer-position-for-floating-device.patch @@ -0,0 +1,13 @@ +diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c +index b3d0926d..d36a096f 100644 +--- a/unix/xserver/hw/vnc/vncInput.c ++++ b/unix/xserver/hw/vnc/vncInput.c +@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y) + + void vncGetPointerPos(int *x, int *y) + { +- if (vncPointerDev != NULL) { ++ if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) { + ScreenPtr ptrScreen; + + miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY); diff --git a/SOURCES/tigervnc-support-username-alias-in-plainusers.patch b/SOURCES/tigervnc-support-username-alias-in-plainusers.patch new file mode 100644 index 0000000..abf4eda --- /dev/null +++ b/SOURCES/tigervnc-support-username-alias-in-plainusers.patch @@ -0,0 +1,135 @@ +diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx +index 6f65e87..3142ba3 100644 +--- a/common/rfb/SSecurityPlain.cxx ++++ b/common/rfb/SSecurityPlain.cxx +@@ -27,6 +27,8 @@ + #include + #if !defined(WIN32) && !defined(__APPLE__) + #include ++#include ++#include + #endif + #ifdef WIN32 + #include +@@ -45,21 +47,22 @@ StringParameter PasswordValidator::plainUsers + + bool PasswordValidator::validUser(const char* username) + { +- CharArray users(plainUsers.getValueStr()), user; ++ std::vector users; + +- while (users.buf) { +- strSplit(users.buf, ',', &user.buf, &users.buf); +-#ifdef WIN32 +- if (0 == stricmp(user.buf, "*")) +- return true; +- if (0 == stricmp(user.buf, username)) +- return true; +-#else +- if (!strcmp(user.buf, "*")) +- return true; +- if (!strcmp(user.buf, username)) +- return true; ++ users = split(plainUsers, ','); ++ ++ for (size_t i = 0; i < users.size(); i++) { ++ if (users[i] == "*") ++ return true; ++#if !defined(WIN32) && !defined(__APPLE__) ++ if (users[i] == "%u") { ++ struct passwd *pw = getpwnam(username); ++ if (pw && pw->pw_uid == getuid()) ++ return true; ++ } + #endif ++ if (users[i] == username) ++ return true; + } + return false; + } +diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx +index 649eb0b..cce73a0 100644 +--- a/common/rfb/util.cxx ++++ b/common/rfb/util.cxx +@@ -99,6 +99,26 @@ namespace rfb { + return false; + } + ++ std::vector split(const char* src, ++ const char delimiter) ++ { ++ std::vector out; ++ const char *start, *stop; ++ ++ start = src; ++ do { ++ stop = strchr(start, delimiter); ++ if (stop == NULL) { ++ out.push_back(start); ++ } else { ++ out.push_back(std::string(start, stop-start)); ++ start = stop + 1; ++ } ++ } while (stop != NULL); ++ ++ return out; ++ } ++ + bool strContains(const char* src, char c) { + int l=strlen(src); + for (int i=0; i + #include + ++#include ++#include ++ + struct timeval; + + #ifdef __GNUC__ +@@ -76,6 +79,10 @@ namespace rfb { + // that part of the string. Obviously, setting both to 0 is not useful... + bool strSplit(const char* src, const char limiter, char** out1, char** out2, bool fromEnd=false); + ++ // Splits a string with the specified delimiter ++ std::vector split(const char* src, ++ const char delimiter); ++ + // Returns true if src contains c + bool strContains(const char* src, char c); + +diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man +index c36ae34..78db730 100644 +--- a/unix/x0vncserver/x0vncserver.man ++++ b/unix/x0vncserver/x0vncserver.man +@@ -125,8 +125,8 @@ parameter instead. + .B \-PlainUsers \fIuser-list\fP + A comma separated list of user names that are allowed to authenticate via + any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP +-to allow any user to authenticate using this security type. Default is to +-deny all users. ++to allow any user to authenticate using this security type. Specify \fB%u\fP ++to allow the user of the server process. Default is to deny all users. + . + .TP + .B \-pam_service \fIname\fP, \-PAMService \fIname\fP +diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man +index ea87dea..e9fb654 100644 +--- a/unix/xserver/hw/vnc/Xvnc.man ++++ b/unix/xserver/hw/vnc/Xvnc.man +@@ -200,8 +200,8 @@ parameter instead. + .B \-PlainUsers \fIuser-list\fP + A comma separated list of user names that are allowed to authenticate via + any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP +-to allow any user to authenticate using this security type. Default is to +-deny all users. ++to allow any user to authenticate using this security type. Specify \fB%u\fP ++to allow the user of the server process. Default is to deny all users. + . + .TP + .B \-pam_service \fIname\fP, \-PAMService \fIname\fP diff --git a/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch b/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch new file mode 100644 index 0000000..0e0f794 --- /dev/null +++ b/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch @@ -0,0 +1,17 @@ +diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c +index f8141959..c5c36539 100644 +--- a/unix/xserver/hw/vnc/xvnc.c ++++ b/unix/xserver/hw/vnc/xvnc.c +@@ -366,8 +366,10 @@ ddxProcessArgument(int argc, char *argv[], int i) + if (strcmp(argv[i], "-inetd") == 0) { + int nullfd; + +- dup2(0, 3); +- vncInetdSock = 3; ++ if ((vncInetdSock = dup(0)) == -1) ++ FatalError ++ ("Xvnc error: failed to allocate a new file descriptor for -inetd: %s\n", strerror(errno)); ++ + + /* Avoid xserver >= 1.19's epoll-fd becoming fd 2 / stderr only to be + replaced by /dev/null by OsInit() because the pollfd is not diff --git a/SOURCES/xorg-CVE-2024-0229-followup.patch b/SOURCES/xorg-CVE-2024-0229-followup.patch new file mode 100644 index 0000000..9ea651b --- /dev/null +++ b/SOURCES/xorg-CVE-2024-0229-followup.patch @@ -0,0 +1,32 @@ +From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 22 Jan 2024 14:22:12 +1000 +Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify + event + +Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5 +--- + dix/enterleave.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 7b7ba1098b..c1e6ac600e 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + ev->first_valuator = first; + switch (ev->num_valuators) { + case 6: +- ev->valuator2 = v->axisVal[first + 5]; ++ ev->valuator5 = v->axisVal[first + 5]; + case 5: +- ev->valuator2 = v->axisVal[first + 4]; ++ ev->valuator4 = v->axisVal[first + 4]; + case 4: +- ev->valuator2 = v->axisVal[first + 3]; ++ ev->valuator3 = v->axisVal[first + 3]; + case 3: + ev->valuator2 = v->axisVal[first + 2]; + case 2: +-- +GitLab diff --git a/SPECS/tigervnc.spec b/SPECS/tigervnc.spec index 9ab1289..65514a4 100644 --- a/SPECS/tigervnc.spec +++ b/SPECS/tigervnc.spec @@ -5,7 +5,7 @@ Name: tigervnc Version: 1.13.1 -Release: 2%{?dist} +Release: 8%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1 @@ -26,12 +26,22 @@ Patch1: tigervnc-use-gnome-as-default-session.patch Patch2: tigervnc-vncsession-restore-script-systemd-service.patch # Upstream patches +Patch50: tigervnc-support-username-alias-in-plainusers.patch +Patch51: tigervnc-use-dup-to-get-available-fd-for-inetd.patch + +# Upstreamable patches +Patch80: tigervnc-dont-get-pointer-position-for-floating-device.patch # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg Patch100: tigervnc-xserver120.patch # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start Patch101: 0001-rpath-hack.patch +# XServer patches +# CVE-2024-0229 +# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1251 +Patch200: xorg-CVE-2024-0229-followup.patch + BuildRequires: make BuildRequires: gcc-c++ BuildRequires: gettext @@ -180,12 +190,18 @@ for all in `find . -type f -perm -001`; do done %patch100 -p1 -b .xserver120-rebased %patch101 -p1 -b .rpath +%patch200 -p1 -b .xorg-CVE-2024-0229-followup popd %patch1 -p1 -b .use-gnome-as-default-session %patch2 -p1 -b .vncsession-restore-script-systemd-service # Upstream patches +%patch50 -p1 -b .support-username-alias-in-plainusers +%patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd + +# Upstreamable patches +%patch80 -p1 -b .dont-get-pointer-position-for-floating-device %build %ifarch sparcv9 sparc64 s390 s390x @@ -365,9 +381,44 @@ fi %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* -%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %changelog +* Wed Feb 07 2024 Jan Grulich - 1.13.1-8 +- Fix copy/paste error in the DeviceStateNotify + Resolves: RHEL-20533 + +* Mon Jan 22 2024 Jan Grulich - 1.13.1-7 +- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice + Resolves: RHEL-20389 +- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent + Resolves: RHEL-20383 +- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access + Resolves: RHEL-20533 +- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer + Resolves: RHEL-21213 + +* Mon Jan 08 2024 Jan Grulich - 1.13.1-6 +- Use dup() to get available file descriptor when using -inetd option + Resolves: RHEL-19858 + +* Mon Dec 18 2023 Jan Grulich - 1.13.1-5 +- Fix CVE-2023-6377 tigervnc: xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions + Resolves: RHEL-18414 +- Fix CVE-2023-6478 tigervnc: xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty + Resolves: RHEL-18426 + +* Wed Nov 01 2023 Jan Grulich - 1.13.1-4 +- Fix CVE-2023-5380 tigervnc: xorg-x11-server: Use-after-free bug in DestroyWindow + Resolves: RHEL-15237 + +- Fix CVE-2023-5367 tigervnc: xorg-x11-server: Out-of-bounds write in XIChangeDeviceProperty/RRChangeOutputProperty + Resolves: RHEL-15249 + +* Mon Oct 09 2023 Jan Grulich - 1.13.1-3 +- Support username alias in PlainUsers + Resolves: RHEL-8430 + * Tue Apr 11 2023 Jan Grulich - 1.13.1-2 - xorg-x11-server: X.Org Server Overlay Window Use-After-Free Local Privilege Escalation Vulnerability