parent
ff462b9188
commit
dce9fec684
@ -1 +1 @@
|
||||
SOURCES/tigervnc-1.14.0.tar.gz
|
||||
SOURCES/tigervnc-1.14.1.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
9e67944113159da85f42c24b43f40b842f23feb3 SOURCES/tigervnc-1.14.0.tar.gz
|
||||
bc3c8bc9f454eb307011cd5965251f4a28040a25 SOURCES/tigervnc-1.14.1.tar.gz
|
||||
|
@ -1,24 +0,0 @@
|
||||
From 4f6a3521874da5a67fd746389cfa9b6199eb3582 Mon Sep 17 00:00:00 2001
|
||||
From: Pierre Ossman <ossman@cendio.se>
|
||||
Date: Mon, 29 Jul 2024 16:16:08 +0200
|
||||
Subject: [PATCH] Add missing comma in default security type list
|
||||
|
||||
Otherwise it merges with the next entry, removing both of them from the
|
||||
default list.
|
||||
---
|
||||
common/rfb/SecurityClient.cxx | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/common/rfb/SecurityClient.cxx b/common/rfb/SecurityClient.cxx
|
||||
index 12860662f..63e0cadc0 100644
|
||||
--- a/common/rfb/SecurityClient.cxx
|
||||
+++ b/common/rfb/SecurityClient.cxx
|
||||
@@ -60,7 +60,7 @@ StringParameter SecurityClient::secTypes
|
||||
"X509Plain,TLSPlain,X509Vnc,TLSVnc,X509None,TLSNone,"
|
||||
#endif
|
||||
#ifdef HAVE_NETTLE
|
||||
- "RA2,RA2_256,RA2ne,RA2ne_256,DH,MSLogonII"
|
||||
+ "RA2,RA2_256,RA2ne,RA2ne_256,DH,MSLogonII,"
|
||||
#endif
|
||||
"VncAuth,None",
|
||||
ConfViewer);
|
@ -1,29 +0,0 @@
|
||||
From 6d9017eeb364491cf2acdf1c7e61aee8dd198527 Mon Sep 17 00:00:00 2001
|
||||
From: Pierre Ossman <ossman@cendio.se>
|
||||
Date: Fri, 30 Aug 2024 16:15:09 +0200
|
||||
Subject: [PATCH] Correctly handle ZRLE cursors
|
||||
|
||||
Cursor data has a depth of 32 bits and hence cannot use CPIXELs.
|
||||
|
||||
This is a regression from baca73d.
|
||||
---
|
||||
common/rfb/ZRLEDecoder.cxx | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/common/rfb/ZRLEDecoder.cxx b/common/rfb/ZRLEDecoder.cxx
|
||||
index 474fd6ca1..e274a697a 100644
|
||||
--- a/common/rfb/ZRLEDecoder.cxx
|
||||
+++ b/common/rfb/ZRLEDecoder.cxx
|
||||
@@ -125,10 +125,10 @@ void ZRLEDecoder::zrleDecode(const Rect& r, rdr::InStream* is,
|
||||
Pixel maxPixel = pf.pixelFromRGB((uint16_t)-1, (uint16_t)-1, (uint16_t)-1);
|
||||
bool fitsInLS3Bytes = maxPixel < (1<<24);
|
||||
bool fitsInMS3Bytes = (maxPixel & 0xff) == 0;
|
||||
- bool isLowCPixel = (sizeof(T) == 4) &&
|
||||
+ bool isLowCPixel = (sizeof(T) == 4) && (pf.depth <= 24) &&
|
||||
((fitsInLS3Bytes && pf.isLittleEndian()) ||
|
||||
(fitsInMS3Bytes && pf.isBigEndian()));
|
||||
- bool isHighCPixel = (sizeof(T) == 4) &&
|
||||
+ bool isHighCPixel = (sizeof(T) == 4) && (pf.depth <= 24) &&
|
||||
((fitsInLS3Bytes && pf.isBigEndian()) ||
|
||||
(fitsInMS3Bytes && pf.isLittleEndian()));
|
||||
|
@ -1,27 +0,0 @@
|
||||
From 445e0230cf4e939dcc59caf5d5f001c2f7b04da6 Mon Sep 17 00:00:00 2001
|
||||
From: Pierre Ossman <ossman@cendio.se>
|
||||
Date: Thu, 15 Aug 2024 14:24:42 +0200
|
||||
Subject: [PATCH] Handle existing config directory in vncpasswd
|
||||
|
||||
This fixes commit a79c33d.
|
||||
---
|
||||
unix/vncpasswd/vncpasswd.cxx | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx
|
||||
index 6666955f1..9f794e129 100644
|
||||
--- a/unix/vncpasswd/vncpasswd.cxx
|
||||
+++ b/unix/vncpasswd/vncpasswd.cxx
|
||||
@@ -213,8 +213,10 @@ int main(int argc, char** argv)
|
||||
exit(1);
|
||||
}
|
||||
if (os::mkdir_p(configDir, 0777) == -1) {
|
||||
- fprintf(stderr, "Could not create VNC config directory: %s\n", strerror(errno));
|
||||
- exit(1);
|
||||
+ if (errno != EEXIST) {
|
||||
+ fprintf(stderr, "Could not create VNC config directory: %s\n", strerror(errno));
|
||||
+ exit(1);
|
||||
+ }
|
||||
}
|
||||
snprintf(fname, sizeof(fname), "%s/passwd", configDir);
|
||||
}
|
@ -0,0 +1,94 @@
|
||||
From e26bc65b92d1e43570619deadf20b965e0952fef Mon Sep 17 00:00:00 2001
|
||||
From: Pat Riehecky <riehecky@fnal.gov>
|
||||
Date: Wed, 31 Jul 2024 14:43:46 -0500
|
||||
Subject: [PATCH] vncsession: Move existing log to log.old if present
|
||||
|
||||
---
|
||||
unix/vncserver/vncsession.c | 47 ++++++++++++++++++++++++++++---------
|
||||
1 file changed, 36 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
|
||||
index 98a0432aa..a10e0789e 100644
|
||||
--- a/unix/vncserver/vncsession.c
|
||||
+++ b/unix/vncserver/vncsession.c
|
||||
@@ -393,8 +393,9 @@ redir_stdio(const char *homedir, const char *display, char **envp)
|
||||
int fd;
|
||||
long hostlen;
|
||||
char* hostname = NULL, *xdgstate;
|
||||
- char logfile[PATH_MAX], legacy[PATH_MAX];
|
||||
+ char logdir[PATH_MAX], logfile[PATH_MAX], logfile_old[PATH_MAX], legacy[PATH_MAX];
|
||||
struct stat st;
|
||||
+ size_t fmt_len;
|
||||
|
||||
fd = open("/dev/null", O_RDONLY);
|
||||
if (fd == -1) {
|
||||
@@ -408,15 +409,24 @@ redir_stdio(const char *homedir, const char *display, char **envp)
|
||||
close(fd);
|
||||
|
||||
xdgstate = getenvp("XDG_STATE_HOME", envp);
|
||||
- if (xdgstate != NULL && xdgstate[0] == '/')
|
||||
- snprintf(logfile, sizeof(logfile), "%s/tigervnc", xdgstate);
|
||||
- else
|
||||
- snprintf(logfile, sizeof(logfile), "%s/.local/state/tigervnc", homedir);
|
||||
+ if (xdgstate != NULL && xdgstate[0] == '/') {
|
||||
+ fmt_len = snprintf(logdir, sizeof(logdir), "%s/tigervnc", xdgstate);
|
||||
+ if (fmt_len >= sizeof(logdir)) {
|
||||
+ syslog(LOG_CRIT, "Log dir path too long");
|
||||
+ _exit(EX_OSERR);
|
||||
+ }
|
||||
+ } else {
|
||||
+ fmt_len = snprintf(logdir, sizeof(logdir), "%s/.local/state/tigervnc", homedir);
|
||||
+ if (fmt_len >= sizeof(logdir)) {
|
||||
+ syslog(LOG_CRIT, "Log dir path too long");
|
||||
+ _exit(EX_OSERR);
|
||||
+ }
|
||||
+ }
|
||||
|
||||
snprintf(legacy, sizeof(legacy), "%s/.vnc", homedir);
|
||||
- if (stat(logfile, &st) != 0 && stat(legacy, &st) == 0) {
|
||||
+ if (stat(logdir, &st) != 0 && stat(legacy, &st) == 0) {
|
||||
syslog(LOG_WARNING, "~/.vnc is deprecated, please consult 'man vncsession' for paths to migrate to.");
|
||||
- strcpy(logfile, legacy);
|
||||
+ strcpy(logdir, legacy);
|
||||
|
||||
#ifdef HAVE_SELINUX
|
||||
/* this is only needed to handle historical type changes for the legacy dir */
|
||||
@@ -431,9 +441,9 @@ redir_stdio(const char *homedir, const char *display, char **envp)
|
||||
#endif
|
||||
}
|
||||
|
||||
- if (mkdir_p(logfile, 0755) == -1) {
|
||||
+ if (mkdir_p(logdir, 0755) == -1) {
|
||||
if (errno != EEXIST) {
|
||||
- syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
|
||||
+ syslog(LOG_CRIT, "Failure creating \"%s\": %s", logdir, strerror(errno));
|
||||
_exit(EX_OSERR);
|
||||
}
|
||||
}
|
||||
@@ -450,9 +460,24 @@ redir_stdio(const char *homedir, const char *display, char **envp)
|
||||
_exit(EX_OSERR);
|
||||
}
|
||||
|
||||
- snprintf(logfile + strlen(logfile), sizeof(logfile) - strlen(logfile), "/%s%s.log",
|
||||
- hostname, display);
|
||||
+ fmt_len = snprintf(logfile, sizeof(logfile), "/%s/%s%s.log", logdir, hostname, display);
|
||||
+ if (fmt_len >= sizeof(logfile)) {
|
||||
+ syslog(LOG_CRIT, "Log path too long");
|
||||
+ _exit(EX_OSERR);
|
||||
+ }
|
||||
+ fmt_len = snprintf(logfile_old, sizeof(logfile_old), "/%s/%s%s.log.old", logdir, hostname, display);
|
||||
+ if (fmt_len >= sizeof(logfile)) {
|
||||
+ syslog(LOG_CRIT, "Log.old path too long");
|
||||
+ _exit(EX_OSERR);
|
||||
+ }
|
||||
free(hostname);
|
||||
+
|
||||
+ if (stat(logfile, &st) == 0) {
|
||||
+ if (rename(logfile, logfile_old) != 0) {
|
||||
+ syslog(LOG_CRIT, "Failure renaming log file \"%s\" to \"%s\": %s", logfile, logfile_old, strerror(errno));
|
||||
+ _exit(EX_OSERR);
|
||||
+ }
|
||||
+ }
|
||||
fd = open(logfile, O_CREAT | O_WRONLY | O_TRUNC, 0644);
|
||||
if (fd == -1) {
|
||||
syslog(LOG_CRIT, "Failure creating log file \"%s\": %s", logfile, strerror(errno));
|
@ -1,29 +0,0 @@
|
||||
From 4db34f73d461b973867ddaf18bf690219229cd7a Mon Sep 17 00:00:00 2001
|
||||
From: Carlos Santos <casantos@redhat.com>
|
||||
Date: Thu, 25 Jul 2024 18:39:59 -0300
|
||||
Subject: [PATCH] vncsession: use /bin/sh if the user shell is not set
|
||||
|
||||
An empty shell field in the password file is valid, although not common.
|
||||
Use /bin/sh in this case, as documented in the passwd(5) man page, since
|
||||
the vncserver script requires a non-empty SHELL environment variable.
|
||||
|
||||
Fixes issue #1786.
|
||||
|
||||
Signed-off-by: Carlos Santos <casantos@redhat.com>
|
||||
---
|
||||
unix/vncserver/vncsession.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
|
||||
index 1ee096c7c..98a0432aa 100644
|
||||
--- a/unix/vncserver/vncsession.c
|
||||
+++ b/unix/vncserver/vncsession.c
|
||||
@@ -545,7 +545,7 @@ run_script(const char *username, const char *display, char **envp)
|
||||
|
||||
// Set up some basic environment for the script
|
||||
setenv("HOME", pwent->pw_dir, 1);
|
||||
- setenv("SHELL", pwent->pw_shell, 1);
|
||||
+ setenv("SHELL", *pwent->pw_shell != '\0' ? pwent->pw_shell : "/bin/sh", 1);
|
||||
setenv("LOGNAME", pwent->pw_name, 1);
|
||||
setenv("USER", pwent->pw_name, 1);
|
||||
setenv("USERNAME", pwent->pw_name, 1);
|
@ -0,0 +1,54 @@
|
||||
From 56351307017e2501f7cd6e31efcfb55c19aba75a Mon Sep 17 00:00:00 2001
|
||||
From: Matthieu Herrb <matthieu@herrb.eu>
|
||||
Date: Thu, 10 Oct 2024 10:37:28 +0200
|
||||
Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
|
||||
buffer.
|
||||
|
||||
However, It didn't update its size properly. It updated `num_si` only,
|
||||
without updating `size_si`.
|
||||
|
||||
This may lead to local privilege escalation if the server is run as root
|
||||
or remote code execution (e.g. x11 over ssh).
|
||||
|
||||
CVE-2024-9632, ZDI-CAN-24756
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Reviewed-by: José Expósito <jexposit@redhat.com>
|
||||
---
|
||||
xkb/xkb.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
||||
index f203270d5..70e8279aa 100644
|
||||
--- a/xkb/xkb.c
|
||||
+++ b/xkb/xkb.c
|
||||
@@ -2991,13 +2991,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
|
||||
XkbSymInterpretPtr sym;
|
||||
unsigned int skipped = 0;
|
||||
|
||||
- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
|
||||
- compat->num_si = req->firstSI + req->nSI;
|
||||
+ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
|
||||
+ compat->num_si = compat->size_si = req->firstSI + req->nSI;
|
||||
compat->sym_interpret = reallocarray(compat->sym_interpret,
|
||||
- compat->num_si,
|
||||
+ compat->size_si,
|
||||
sizeof(XkbSymInterpretRec));
|
||||
if (!compat->sym_interpret) {
|
||||
- compat->num_si = 0;
|
||||
+ compat->num_si = compat->size_si = 0;
|
||||
return BadAlloc;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.46.2
|
||||
|
Loading…
Reference in new issue