diff --git a/.gitignore b/.gitignore index 7192365..abe71a2 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/tigervnc-1.13.1.tar.gz +SOURCES/tigervnc-1.14.0.tar.gz diff --git a/.tigervnc.metadata b/.tigervnc.metadata index a37349f..637f775 100644 --- a/.tigervnc.metadata +++ b/.tigervnc.metadata @@ -1 +1 @@ -6f7a23f14833f552c88523da1a5e102f3b8d35c2 SOURCES/tigervnc-1.13.1.tar.gz +9e67944113159da85f42c24b43f40b842f23feb3 SOURCES/tigervnc-1.14.0.tar.gz diff --git a/SOURCES/tigervnc-add-missing-coma-in-default-security-type-list.patch b/SOURCES/tigervnc-add-missing-coma-in-default-security-type-list.patch new file mode 100644 index 0000000..cb426b6 --- /dev/null +++ b/SOURCES/tigervnc-add-missing-coma-in-default-security-type-list.patch @@ -0,0 +1,24 @@ +From 4f6a3521874da5a67fd746389cfa9b6199eb3582 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Mon, 29 Jul 2024 16:16:08 +0200 +Subject: [PATCH] Add missing comma in default security type list + +Otherwise it merges with the next entry, removing both of them from the +default list. +--- + common/rfb/SecurityClient.cxx | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common/rfb/SecurityClient.cxx b/common/rfb/SecurityClient.cxx +index 12860662f..63e0cadc0 100644 +--- a/common/rfb/SecurityClient.cxx ++++ b/common/rfb/SecurityClient.cxx +@@ -60,7 +60,7 @@ StringParameter SecurityClient::secTypes + "X509Plain,TLSPlain,X509Vnc,TLSVnc,X509None,TLSNone," + #endif + #ifdef HAVE_NETTLE +- "RA2,RA2_256,RA2ne,RA2ne_256,DH,MSLogonII" ++ "RA2,RA2_256,RA2ne,RA2ne_256,DH,MSLogonII," + #endif + "VncAuth,None", + ConfViewer); diff --git a/SOURCES/tigervnc-correctly-handle-zrle-cursors.patch b/SOURCES/tigervnc-correctly-handle-zrle-cursors.patch new file mode 100644 index 0000000..1b17302 --- /dev/null +++ b/SOURCES/tigervnc-correctly-handle-zrle-cursors.patch @@ -0,0 +1,29 @@ +From 6d9017eeb364491cf2acdf1c7e61aee8dd198527 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Fri, 30 Aug 2024 16:15:09 +0200 +Subject: [PATCH] Correctly handle ZRLE cursors + +Cursor data has a depth of 32 bits and hence cannot use CPIXELs. + +This is a regression from baca73d. +--- + common/rfb/ZRLEDecoder.cxx | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/common/rfb/ZRLEDecoder.cxx b/common/rfb/ZRLEDecoder.cxx +index 474fd6ca1..e274a697a 100644 +--- a/common/rfb/ZRLEDecoder.cxx ++++ b/common/rfb/ZRLEDecoder.cxx +@@ -125,10 +125,10 @@ void ZRLEDecoder::zrleDecode(const Rect& r, rdr::InStream* is, + Pixel maxPixel = pf.pixelFromRGB((uint16_t)-1, (uint16_t)-1, (uint16_t)-1); + bool fitsInLS3Bytes = maxPixel < (1<<24); + bool fitsInMS3Bytes = (maxPixel & 0xff) == 0; +- bool isLowCPixel = (sizeof(T) == 4) && ++ bool isLowCPixel = (sizeof(T) == 4) && (pf.depth <= 24) && + ((fitsInLS3Bytes && pf.isLittleEndian()) || + (fitsInMS3Bytes && pf.isBigEndian())); +- bool isHighCPixel = (sizeof(T) == 4) && ++ bool isHighCPixel = (sizeof(T) == 4) && (pf.depth <= 24) && + ((fitsInLS3Bytes && pf.isBigEndian()) || + (fitsInMS3Bytes && pf.isLittleEndian())); + diff --git a/SOURCES/tigervnc-handle-existing-config-directory-in-vncpasswd.patch b/SOURCES/tigervnc-handle-existing-config-directory-in-vncpasswd.patch new file mode 100644 index 0000000..ea431f8 --- /dev/null +++ b/SOURCES/tigervnc-handle-existing-config-directory-in-vncpasswd.patch @@ -0,0 +1,27 @@ +From 445e0230cf4e939dcc59caf5d5f001c2f7b04da6 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Thu, 15 Aug 2024 14:24:42 +0200 +Subject: [PATCH] Handle existing config directory in vncpasswd + +This fixes commit a79c33d. +--- + unix/vncpasswd/vncpasswd.cxx | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx +index 6666955f1..9f794e129 100644 +--- a/unix/vncpasswd/vncpasswd.cxx ++++ b/unix/vncpasswd/vncpasswd.cxx +@@ -213,8 +213,10 @@ int main(int argc, char** argv) + exit(1); + } + if (os::mkdir_p(configDir, 0777) == -1) { +- fprintf(stderr, "Could not create VNC config directory: %s\n", strerror(errno)); +- exit(1); ++ if (errno != EEXIST) { ++ fprintf(stderr, "Could not create VNC config directory: %s\n", strerror(errno)); ++ exit(1); ++ } + } + snprintf(fname, sizeof(fname), "%s/passwd", configDir); + } diff --git a/SOURCES/tigervnc-support-username-alias-in-plainusers.patch b/SOURCES/tigervnc-support-username-alias-in-plainusers.patch deleted file mode 100644 index abf4eda..0000000 --- a/SOURCES/tigervnc-support-username-alias-in-plainusers.patch +++ /dev/null @@ -1,135 +0,0 @@ -diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx -index 6f65e87..3142ba3 100644 ---- a/common/rfb/SSecurityPlain.cxx -+++ b/common/rfb/SSecurityPlain.cxx -@@ -27,6 +27,8 @@ - #include - #if !defined(WIN32) && !defined(__APPLE__) - #include -+#include -+#include - #endif - #ifdef WIN32 - #include -@@ -45,21 +47,22 @@ StringParameter PasswordValidator::plainUsers - - bool PasswordValidator::validUser(const char* username) - { -- CharArray users(plainUsers.getValueStr()), user; -+ std::vector users; - -- while (users.buf) { -- strSplit(users.buf, ',', &user.buf, &users.buf); --#ifdef WIN32 -- if (0 == stricmp(user.buf, "*")) -- return true; -- if (0 == stricmp(user.buf, username)) -- return true; --#else -- if (!strcmp(user.buf, "*")) -- return true; -- if (!strcmp(user.buf, username)) -- return true; -+ users = split(plainUsers, ','); -+ -+ for (size_t i = 0; i < users.size(); i++) { -+ if (users[i] == "*") -+ return true; -+#if !defined(WIN32) && !defined(__APPLE__) -+ if (users[i] == "%u") { -+ struct passwd *pw = getpwnam(username); -+ if (pw && pw->pw_uid == getuid()) -+ return true; -+ } - #endif -+ if (users[i] == username) -+ return true; - } - return false; - } -diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx -index 649eb0b..cce73a0 100644 ---- a/common/rfb/util.cxx -+++ b/common/rfb/util.cxx -@@ -99,6 +99,26 @@ namespace rfb { - return false; - } - -+ std::vector split(const char* src, -+ const char delimiter) -+ { -+ std::vector out; -+ const char *start, *stop; -+ -+ start = src; -+ do { -+ stop = strchr(start, delimiter); -+ if (stop == NULL) { -+ out.push_back(start); -+ } else { -+ out.push_back(std::string(start, stop-start)); -+ start = stop + 1; -+ } -+ } while (stop != NULL); -+ -+ return out; -+ } -+ - bool strContains(const char* src, char c) { - int l=strlen(src); - for (int i=0; i - #include - -+#include -+#include -+ - struct timeval; - - #ifdef __GNUC__ -@@ -76,6 +79,10 @@ namespace rfb { - // that part of the string. Obviously, setting both to 0 is not useful... - bool strSplit(const char* src, const char limiter, char** out1, char** out2, bool fromEnd=false); - -+ // Splits a string with the specified delimiter -+ std::vector split(const char* src, -+ const char delimiter); -+ - // Returns true if src contains c - bool strContains(const char* src, char c); - -diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man -index c36ae34..78db730 100644 ---- a/unix/x0vncserver/x0vncserver.man -+++ b/unix/x0vncserver/x0vncserver.man -@@ -125,8 +125,8 @@ parameter instead. - .B \-PlainUsers \fIuser-list\fP - A comma separated list of user names that are allowed to authenticate via - any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP --to allow any user to authenticate using this security type. Default is to --deny all users. -+to allow any user to authenticate using this security type. Specify \fB%u\fP -+to allow the user of the server process. Default is to deny all users. - . - .TP - .B \-pam_service \fIname\fP, \-PAMService \fIname\fP -diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man -index ea87dea..e9fb654 100644 ---- a/unix/xserver/hw/vnc/Xvnc.man -+++ b/unix/xserver/hw/vnc/Xvnc.man -@@ -200,8 +200,8 @@ parameter instead. - .B \-PlainUsers \fIuser-list\fP - A comma separated list of user names that are allowed to authenticate via - any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP --to allow any user to authenticate using this security type. Default is to --deny all users. -+to allow any user to authenticate using this security type. Specify \fB%u\fP -+to allow the user of the server process. Default is to deny all users. - . - .TP - .B \-pam_service \fIname\fP, \-PAMService \fIname\fP diff --git a/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch b/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch deleted file mode 100644 index 0e0f794..0000000 --- a/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c -index f8141959..c5c36539 100644 ---- a/unix/xserver/hw/vnc/xvnc.c -+++ b/unix/xserver/hw/vnc/xvnc.c -@@ -366,8 +366,10 @@ ddxProcessArgument(int argc, char *argv[], int i) - if (strcmp(argv[i], "-inetd") == 0) { - int nullfd; - -- dup2(0, 3); -- vncInetdSock = 3; -+ if ((vncInetdSock = dup(0)) == -1) -+ FatalError -+ ("Xvnc error: failed to allocate a new file descriptor for -inetd: %s\n", strerror(errno)); -+ - - /* Avoid xserver >= 1.19's epoll-fd becoming fd 2 / stderr only to be - replaced by /dev/null by OsInit() because the pollfd is not diff --git a/SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch b/SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch new file mode 100644 index 0000000..e69de29 diff --git a/SOURCES/tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch b/SOURCES/tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch new file mode 100644 index 0000000..3f46c73 --- /dev/null +++ b/SOURCES/tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch @@ -0,0 +1,29 @@ +From 4db34f73d461b973867ddaf18bf690219229cd7a Mon Sep 17 00:00:00 2001 +From: Carlos Santos +Date: Thu, 25 Jul 2024 18:39:59 -0300 +Subject: [PATCH] vncsession: use /bin/sh if the user shell is not set + +An empty shell field in the password file is valid, although not common. +Use /bin/sh in this case, as documented in the passwd(5) man page, since +the vncserver script requires a non-empty SHELL environment variable. + +Fixes issue #1786. + +Signed-off-by: Carlos Santos +--- + unix/vncserver/vncsession.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c +index 1ee096c7c..98a0432aa 100644 +--- a/unix/vncserver/vncsession.c ++++ b/unix/vncserver/vncsession.c +@@ -545,7 +545,7 @@ run_script(const char *username, const char *display, char **envp) + + // Set up some basic environment for the script + setenv("HOME", pwent->pw_dir, 1); +- setenv("SHELL", pwent->pw_shell, 1); ++ setenv("SHELL", *pwent->pw_shell != '\0' ? pwent->pw_shell : "/bin/sh", 1); + setenv("LOGNAME", pwent->pw_name, 1); + setenv("USER", pwent->pw_name, 1); + setenv("USERNAME", pwent->pw_name, 1); diff --git a/SOURCES/tigervnc-xserver120.patch b/SOURCES/tigervnc-xserver120.patch index e7eae3c..9bc5182 100644 --- a/SOURCES/tigervnc-xserver120.patch +++ b/SOURCES/tigervnc-xserver120.patch @@ -1,43 +1,39 @@ -diff -up xserver/configure.ac.xserver116-rebased xserver/configure.ac ---- xserver/configure.ac.xserver116-rebased 2016-09-29 13:14:45.595441590 +0200 -+++ xserver/configure.ac 2016-09-29 13:14:45.631442006 +0200 +diff --git a/configure.ac b/configure.ac +index 0909cc5b4..c01873200 100644 +--- a/configure.ac ++++ b/configure.ac @@ -74,6 +74,7 @@ dnl forcing an entire recompile.x AC_CONFIG_HEADERS(include/version-config.h) - + AM_PROG_AS +AC_PROG_CXX AC_PROG_LN_S LT_PREREQ([2.2]) LT_INIT([disable-static win32-dll]) -@@ -1863,6 +1864,10 @@ if test "x$XVFB" = xyes; then +@@ -1735,6 +1736,14 @@ if test "x$XVFB" = xyes; then AC_SUBST([XVFB_SYS_LIBS]) fi - + +dnl Xvnc DDX -+AC_SUBST([XVNC_CPPFLAGS], ["-DHAVE_DIX_CONFIG_H $XSERVER_CFLAGS"]) +AC_SUBST([XVNC_LIBS], ["$FB_LIB $FIXES_LIB $XEXT_LIB $CONFIG_LIB $DBE_LIB $RECORD_LIB $GLX_LIBS $RANDR_LIB $RENDER_LIB $DAMAGE_LIB $DRI3_LIB $PRESENT_LIB $MIEXT_SYNC_LIB $MIEXT_DAMAGE_LIB $MIEXT_SHADOW_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $COMPOSITE_LIB $MAIN_LIB"]) +AC_SUBST([XVNC_SYS_LIBS], ["$GLX_SYS_LIBS"]) - - dnl Xnest DDX - -@@ -1898,6 +1903,8 @@ if test "x$XORG" = xauto; then - fi - AC_MSG_RESULT([$XORG]) - -+AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version]) + - if test "x$XORG" = xyes; then - XORG_DDXINCS='-I$(top_srcdir)/hw/xfree86 -I$(top_srcdir)/hw/xfree86/include -I$(top_srcdir)/hw/xfree86/common' - XORG_OSINCS='-I$(top_srcdir)/hw/xfree86/os-support -I$(top_srcdir)/hw/xfree86/os-support/bus -I$(top_srcdir)/os' -@@ -2116,7 +2123,6 @@ if test "x$XORG" = xyes; then - AC_DEFINE(XORG_SERVER, 1, [Building Xorg server]) - AC_DEFINE(XORGSERVER, 1, [Building Xorg server]) - AC_DEFINE(XFree86Server, 1, [Building XFree86 server]) -- AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version]) - AC_DEFINE(NEED_XF86_TYPES, 1, [Need XFree86 typedefs]) - AC_DEFINE(NEED_XF86_PROTOTYPES, 1, [Need XFree86 helper functions]) - AC_DEFINE(__XSERVERNAME__, "Xorg", [Name of X server]) -@@ -2691,6 +2697,7 @@ hw/dmx/Makefile ++PKG_CHECK_MODULES(GBM, "$LIBGBM", [GBM=yes], [GBM=no]) ++if test "x$GBM" = xyes; then ++ AC_DEFINE(HAVE_GBM, 1, [Have GBM support]) ++fi + + dnl Xnest DDX + +@@ -2058,7 +2067,6 @@ if test "x$GLAMOR" = xyes; then + [AC_DEFINE(GLAMOR_HAS_EGL_QUERY_DRIVER, 1, [Have GLAMOR_HAS_EGL_QUERY_DRIVER])], + []) + +- PKG_CHECK_MODULES(GBM, "$LIBGBM", [GBM=yes], [GBM=no]) + if test "x$GBM" = xyes; then + AC_DEFINE(GLAMOR_HAS_GBM, 1, + [Build glamor with GBM-based EGL support]) +@@ -2523,6 +2531,7 @@ hw/dmx/Makefile hw/dmx/man/Makefile hw/vfb/Makefile hw/vfb/man/Makefile @@ -45,47 +41,98 @@ diff -up xserver/configure.ac.xserver116-rebased xserver/configure.ac hw/xnest/Makefile hw/xnest/man/Makefile hw/xwin/Makefile -diff -up xserver/hw/Makefile.am.xserver116-rebased xserver/hw/Makefile.am ---- xserver/hw/Makefile.am.xserver116-rebased 2016-09-29 13:14:45.601441659 +0200 -+++ xserver/hw/Makefile.am 2016-09-29 13:14:45.631442006 +0200 -@@ -38,7 +38,8 @@ SUBDIRS = \ - $(DMX_SUBDIRS) \ - $(KDRIVE_SUBDIRS) \ - $(XQUARTZ_SUBDIRS) \ -- $(XWAYLAND_SUBDIRS) -+ $(XWAYLAND_SUBDIRS) \ -+ vnc - - DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland +diff --git a/dri3/Makefile.am b/dri3/Makefile.am +index e47a734e0..99c3718a5 100644 +--- a/dri3/Makefile.am ++++ b/dri3/Makefile.am +@@ -1,7 +1,7 @@ + noinst_LTLIBRARIES = libdri3.la + AM_CFLAGS = \ +- -DHAVE_XORG_CONFIG_H \ +- @DIX_CFLAGS@ @XORG_CFLAGS@ ++ @DIX_CFLAGS@ \ ++ @LIBDRM_CFLAGS@ -diff --git xserver/mi/miinitext.c xserver/mi/miinitext.c -index 5596e21..003fc3c 100644 ---- xserver/mi/miinitext.c -+++ xserver/mi/miinitext.c -@@ -107,8 +107,15 @@ SOFTWARE. - #include "os.h" - #include "globals.h" - -+#ifdef TIGERVNC -+extern void vncExtensionInit(INITARGS); -+#endif + libdri3_la_SOURCES = \ + dri3.h \ +diff --git a/dri3/dri3.c b/dri3/dri3.c +index ba32facd7..191252969 100644 +--- a/dri3/dri3.c ++++ b/dri3/dri3.c +@@ -20,10 +20,6 @@ + * OF THIS SOFTWARE. + */ + +-#ifdef HAVE_XORG_CONFIG_H +-#include +-#endif +- + #include "dri3_priv.h" + + #include +diff --git a/dri3/dri3_priv.h b/dri3/dri3_priv.h +index b087a9529..f319d1770 100644 +--- a/dri3/dri3_priv.h ++++ b/dri3/dri3_priv.h +@@ -23,6 +23,7 @@ + #ifndef _DRI3PRIV_H_ + #define _DRI3PRIV_H_ + ++#include "dix-config.h" + #include + #include "scrnintstr.h" + #include "misc.h" +diff --git a/dri3/dri3_request.c b/dri3/dri3_request.c +index 958877efa..687168930 100644 +--- a/dri3/dri3_request.c ++++ b/dri3/dri3_request.c +@@ -20,10 +20,6 @@ + * OF THIS SOFTWARE. + */ + +-#ifdef HAVE_XORG_CONFIG_H +-#include +-#endif +- + #include "dri3_priv.h" + #include + #include +diff --git a/dri3/dri3_screen.c b/dri3/dri3_screen.c +index b98259753..3c7e5bf60 100644 +--- a/dri3/dri3_screen.c ++++ b/dri3/dri3_screen.c +@@ -20,10 +20,6 @@ + * OF THIS SOFTWARE. + */ + +-#ifdef HAVE_XORG_CONFIG_H +-#include +-#endif +- + #include "dri3_priv.h" + #include + #include +diff --git a/hw/Makefile.am b/hw/Makefile.am +index 19895dc77..3ecfa8b7a 100644 +--- a/hw/Makefile.am ++++ b/hw/Makefile.am +@@ -44,3 +44,5 @@ DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland + + relink: + $(AM_V_at)for i in $(SUBDIRS) ; do $(MAKE) -C $$i relink || exit 1 ; done ++ ++SUBDIRS += vnc +diff --git a/include/dix-config.h.in b/include/dix-config.h.in +index f8fc67067..d53c4e72f 100644 +--- a/include/dix-config.h.in ++++ b/include/dix-config.h.in +@@ -83,6 +83,9 @@ + /* Define to 1 if you have the header file. */ + #undef HAVE_FCNTL_H + ++/* Have GBM support */ ++#undef HAVE_GBM + - /* List of built-in (statically linked) extensions */ - static const ExtensionModule staticExtensions[] = { -+#ifdef TIGERVNC -+ {vncExtensionInit, "VNC-EXTENSION", NULL}, -+#endif - {GEExtensionInit, "Generic Event Extension", &noGEExtension}, - {ShapeExtensionInit, "SHAPE", NULL}, - #ifdef MITSHM ---- xserver/include/os.h~ 2016-10-03 09:07:29.000000000 +0200 -+++ xserver/include/os.h 2016-10-03 14:13:00.013654506 +0200 -@@ -621,7 +621,7 @@ - extern _X_EXPORT void - LogClose(enum ExitCode error); - extern _X_EXPORT Bool --LogSetParameter(LogParameter param, int value); -+LogSetParameter(enum _LogParameter param, int value); - extern _X_EXPORT void - LogVWrite(int verb, const char *f, va_list args) - _X_ATTRIBUTE_PRINTF(2, 0); + /* Define to 1 if you have the `getdtablesize' function. */ + #undef HAVE_GETDTABLESIZE + diff --git a/SOURCES/xorg-CVE-2024-0229-followup.patch b/SOURCES/xorg-CVE-2024-0229-followup.patch deleted file mode 100644 index 9ea651b..0000000 --- a/SOURCES/xorg-CVE-2024-0229-followup.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Mon, 22 Jan 2024 14:22:12 +1000 -Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify - event - -Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5 ---- - dix/enterleave.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/dix/enterleave.c b/dix/enterleave.c -index 7b7ba1098b..c1e6ac600e 100644 ---- a/dix/enterleave.c -+++ b/dix/enterleave.c -@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, - ev->first_valuator = first; - switch (ev->num_valuators) { - case 6: -- ev->valuator2 = v->axisVal[first + 5]; -+ ev->valuator5 = v->axisVal[first + 5]; - case 5: -- ev->valuator2 = v->axisVal[first + 4]; -+ ev->valuator4 = v->axisVal[first + 4]; - case 4: -- ev->valuator2 = v->axisVal[first + 3]; -+ ev->valuator3 = v->axisVal[first + 3]; - case 3: - ev->valuator2 = v->axisVal[first + 2]; - case 2: --- -GitLab diff --git a/SOURCES/xorg-CVE-2024-31080.patch b/SOURCES/xorg-CVE-2024-31080.patch deleted file mode 100644 index 5a64c75..0000000 --- a/SOURCES/xorg-CVE-2024-31080.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 22 Mar 2024 18:51:45 -0700 -Subject: [PATCH 1/4] Xi: ProcXIGetSelectedEvents needs to use unswapped length - to send reply - -CVE-2024-31080 - -Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762 -Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.") -Signed-off-by: Alan Coopersmith -Part-of: ---- - Xi/xiselectev.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c -index edcb8a0d3..ac1494987 100644 ---- a/Xi/xiselectev.c -+++ b/Xi/xiselectev.c -@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client) - InputClientsPtr others = NULL; - xXIEventMask *evmask = NULL; - DeviceIntPtr dev; -+ uint32_t length; - - REQUEST(xXIGetSelectedEventsReq); - REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq); -@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client) - } - } - -+ /* save the value before SRepXIGetSelectedEvents swaps it */ -+ length = reply.length; - WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply); - - if (reply.num_masks) -- WriteToClient(client, reply.length * 4, buffer); -+ WriteToClient(client, length * 4, buffer); - - free(buffer); - return Success; --- -2.44.0 - diff --git a/SOURCES/xorg-CVE-2024-31081.patch b/SOURCES/xorg-CVE-2024-31081.patch deleted file mode 100644 index 4e061f7..0000000 --- a/SOURCES/xorg-CVE-2024-31081.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 22 Mar 2024 18:56:27 -0700 -Subject: [PATCH 2/4] Xi: ProcXIPassiveGrabDevice needs to use unswapped length - to send reply - -CVE-2024-31081 - -Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.") -Signed-off-by: Alan Coopersmith -Part-of: ---- - Xi/xipassivegrab.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c -index c9ac2f855..896233bec 100644 ---- a/Xi/xipassivegrab.c -+++ b/Xi/xipassivegrab.c -@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client) - GrabParameters param; - void *tmp; - int mask_len; -+ uint32_t length; - - REQUEST(xXIPassiveGrabDeviceReq); - REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, -@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client) - } - } - -+ /* save the value before SRepXIPassiveGrabDevice swaps it */ -+ length = rep.length; - WriteReplyToClient(client, sizeof(rep), &rep); - if (rep.num_modifiers) -- WriteToClient(client, rep.length * 4, modifiers_failed); -+ WriteToClient(client, length * 4, modifiers_failed); - - out: - free(modifiers_failed); --- -2.44.0 - diff --git a/SOURCES/xorg-CVE-2024-31082.patch b/SOURCES/xorg-CVE-2024-31082.patch deleted file mode 100644 index df0a498..0000000 --- a/SOURCES/xorg-CVE-2024-31082.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 22 Mar 2024 19:07:34 -0700 -Subject: [PATCH 3/4] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped - length to send reply - -CVE-2024-31082 - -Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies") -Signed-off-by: Alan Coopersmith -Part-of: ---- - hw/xquartz/xpr/appledri.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c -index 77574655b..40422b61a 100644 ---- a/hw/xquartz/xpr/appledri.c -+++ b/hw/xquartz/xpr/appledri.c -@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client) - xAppleDRICreatePixmapReply rep; - int width, height, pitch, bpp; - void *ptr; -+ CARD32 stringLength; - - REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq); - -@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client) - if (sizeof(rep) != sz_xAppleDRICreatePixmapReply) - ErrorF("error sizeof(rep) is %zu\n", sizeof(rep)); - -+ stringLength = rep.stringLength; /* save unswapped value */ - if (client->swapped) { - swaps(&rep.sequenceNumber); - swapl(&rep.length); -@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client) - } - - WriteToClient(client, sizeof(rep), &rep); -- WriteToClient(client, rep.stringLength, path); -+ WriteToClient(client, stringLength, path); - - return Success; - } --- -2.44.0 - diff --git a/SOURCES/xorg-CVE-2024-31083-followup.patch b/SOURCES/xorg-CVE-2024-31083-followup.patch deleted file mode 100644 index 549f90a..0000000 --- a/SOURCES/xorg-CVE-2024-31083-followup.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 337d8d48b618d4fc0168a7b978be4c3447650b04 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Fri, 5 Apr 2024 15:24:49 +0200 -Subject: [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs() - -ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and -then frees it using FreeGlyph() to decrease the reference count, after -AddGlyph() has increased it. - -AddGlyph() however may chose to reuse an existing glyph if it's already -in the glyphSet, and free the glyph that was given, in which case the -caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an -already freed glyph, as reported by ASan: - - READ of size 4 thread T0 - #0 in FreeGlyph xserver/render/glyph.c:252 - #1 in ProcRenderAddGlyphs xserver/render/render.c:1174 - #2 in Dispatch xserver/dix/dispatch.c:546 - #3 in dix_main xserver/dix/main.c:271 - #4 in main xserver/dix/stubmain.c:34 - #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 - #6 in __libc_start_main_impl ../csu/libc-start.c:360 - #7 (/usr/bin/Xwayland+0x44fe4) - Address is located 0 bytes inside of 64-byte region - freed by thread T0 here: - #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52 - #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538 - #2 in AddGlyph xserver/render/glyph.c:295 - #3 in ProcRenderAddGlyphs xserver/render/render.c:1173 - #4 in Dispatch xserver/dix/dispatch.c:546 - #5 in dix_main xserver/dix/main.c:271 - #6 in main xserver/dix/stubmain.c:34 - #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 - previously allocated by thread T0 here: - #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69 - #1 in AllocateGlyph xserver/render/glyph.c:355 - #2 in ProcRenderAddGlyphs xserver/render/render.c:1085 - #3 in Dispatch xserver/dix/dispatch.c:546 - #4 in dix_main xserver/dix/main.c:271 - #5 in main xserver/dix/stubmain.c:34 - #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 - SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph - -To avoid that, make sure not to free the given glyph in AddGlyph(). - -v2: Simplify the test using the boolean returned from AddGlyph() (Michel) -v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter) - -Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs -Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659 -Signed-off-by: Olivier Fourdan -Part-of: ---- - render/glyph.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/render/glyph.c b/render/glyph.c -index 13991f8a1..5fa7f3b5b 100644 ---- a/render/glyph.c -+++ b/render/glyph.c -@@ -291,8 +291,6 @@ AddGlyph(GlyphSetPtr glyphSet, GlyphPtr glyph, Glyph id) - gr = FindGlyphRef(&globalGlyphs[glyphSet->fdepth], signature, - TRUE, glyph->sha1); - if (gr->glyph && gr->glyph != DeletedGlyph && gr->glyph != glyph) { -- FreeGlyphPicture(glyph); -- dixFreeObjectWithPrivates(glyph, PRIVATE_GLYPH); - glyph = gr->glyph; - } - else if (gr->glyph != glyph) { --- -2.44.0 - diff --git a/SOURCES/xorg-CVE-2024-31083.patch b/SOURCES/xorg-CVE-2024-31083.patch deleted file mode 100644 index dcbf337..0000000 --- a/SOURCES/xorg-CVE-2024-31083.patch +++ /dev/null @@ -1,112 +0,0 @@ -From bdca6c3d1f5057eeb31609b1280fc93237b00c77 Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Tue, 30 Jan 2024 13:13:35 +1000 -Subject: [PATCH 4/4] render: fix refcounting of glyphs during - ProcRenderAddGlyphs - -Previously, AllocateGlyph would return a new glyph with refcount=0 and a -re-used glyph would end up not changing the refcount at all. The -resulting glyph_new array would thus have multiple entries pointing to -the same non-refcounted glyphs. - -AddGlyph may free a glyph, resulting in a UAF when the same glyph -pointer is then later used. - -Fix this by returning a refcount of 1 for a new glyph and always -incrementing the refcount for a re-used glyph, followed by dropping that -refcount back down again when we're done with it. - -CVE-2024-31083, ZDI-CAN-22880 - -This vulnerability was discovered by: -Jan-Niklas Sohn working with Trend Micro Zero Day Initiative - -Part-of: ---- - render/glyph.c | 5 +++-- - render/glyphstr_priv.h | 1 + - render/render.c | 15 +++++++++++---- - 3 files changed, 15 insertions(+), 6 deletions(-) - -diff --git a/render/glyph.c b/render/glyph.c -index 850ea8440..13991f8a1 100644 ---- a/render/glyph.c -+++ b/render/glyph.c -@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph) - } - } - --static void -+void - FreeGlyph(GlyphPtr glyph, int format) - { - CheckDuplicates(&globalGlyphs[format], "FreeGlyph"); -+ BUG_RETURN(glyph->refcnt == 0); - if (--glyph->refcnt == 0) { - GlyphRefPtr gr; - int i; -@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth) - glyph = (GlyphPtr) malloc(size); - if (!glyph) - return 0; -- glyph->refcnt = 0; -+ glyph->refcnt = 1; - glyph->size = size + sizeof(xGlyphInfo); - glyph->info = *gi; - dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH); -diff --git a/render/glyphstr.h b/render/glyphstr.h -index 2f51bd244..3b1d806d1 100644 ---- a/render/glyphstr.h -+++ b/render/glyphstr.h -@@ -108,6 +108,7 @@ extern Bool - extern GlyphPtr FindGlyph(GlyphSetPtr glyphSet, Glyph id); - - extern GlyphPtr AllocateGlyph(xGlyphInfo * gi, int format); -+extern void FreeGlyph(GlyphPtr glyph, int format); - - extern Bool - ResizeGlyphSet(GlyphSetPtr glyphSet, CARD32 change); -diff --git a/render/render.c b/render/render.c -index 29c5055c6..fe5e37dd9 100644 ---- a/render/render.c -+++ b/render/render.c -@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client) - - if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) { - glyph_new->found = TRUE; -+ ++glyph_new->glyph->refcnt; - } - else { - GlyphPtr glyph; -@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client) - err = BadAlloc; - goto bail; - } -- for (i = 0; i < nglyphs; i++) -+ for (i = 0; i < nglyphs; i++) { - AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id); -+ FreeGlyph(glyphs[i].glyph, glyphSet->fdepth); -+ } - - if (glyphsBase != glyphsLocal) - free(glyphsBase); -@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client) - FreePicture((void *) pSrc, 0); - if (pSrcPix) - FreeScratchPixmapHeader(pSrcPix); -- for (i = 0; i < nglyphs; i++) -- if (glyphs[i].glyph && !glyphs[i].found) -- free(glyphs[i].glyph); -+ for (i = 0; i < nglyphs; i++) { -+ if (glyphs[i].glyph) { -+ --glyphs[i].glyph->refcnt; -+ if (!glyphs[i].found) -+ free(glyphs[i].glyph); -+ } -+ } - if (glyphsBase != glyphsLocal) - free(glyphsBase); - return err; --- -2.44.0 - diff --git a/SPECS/tigervnc.spec b/SPECS/tigervnc.spec index 052cb78..87565d3 100644 --- a/SPECS/tigervnc.spec +++ b/SPECS/tigervnc.spec @@ -4,8 +4,8 @@ %global modulename vncsession Name: tigervnc -Version: 1.13.1 -Release: 8%{?dist}.3 +Version: 1.14.0 +Release: 2%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1 @@ -26,8 +26,11 @@ Patch1: tigervnc-use-gnome-as-default-session.patch Patch2: tigervnc-vncsession-restore-script-systemd-service.patch # Upstream patches -Patch50: tigervnc-support-username-alias-in-plainusers.patch -Patch51: tigervnc-use-dup-to-get-available-fd-for-inetd.patch +Patch50: tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch +Patch51: tigervnc-add-missing-coma-in-default-security-type-list.patch +Patch52: tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch +Patch53: tigervnc-handle-existing-config-directory-in-vncpasswd.patch +Patch54: tigervnc-correctly-handle-zrle-cursors.patch # Upstreamable patches Patch80: tigervnc-dont-get-pointer-position-for-floating-device.patch @@ -38,14 +41,7 @@ Patch100: tigervnc-xserver120.patch Patch101: 0001-rpath-hack.patch # XServer patches -# CVE-2024-0229 -# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1251 -Patch200: xorg-CVE-2024-0229-followup.patch -Patch201: xorg-CVE-2024-31080.patch -Patch202: xorg-CVE-2024-31081.patch -Patch203: xorg-CVE-2024-31082.patch -Patch204: xorg-CVE-2024-31083.patch -Patch205: xorg-CVE-2024-31083-followup.patch + BuildRequires: make BuildRequires: gcc-c++ @@ -82,11 +78,13 @@ BuildRequires: libXinerama-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel BuildRequires: libdrm-devel +BuildRequires: mesa-libgbm-devel BuildRequires: libtool BuildRequires: libxkbfile-devel BuildRequires: libxshmfence-devel BuildRequires: mesa-libGL-devel -BuildRequires: xorg-x11-font-utils +BuildRequires: pkgconfig(fontutil) +BuildRequires: pkgconfig(xkbcomp) BuildRequires: xorg-x11-server-devel BuildRequires: xorg-x11-server-source BuildRequires: xorg-x11-util-macros @@ -193,25 +191,24 @@ pushd unix/xserver for all in `find . -type f -perm -001`; do chmod -x "$all" done -%patch100 -p1 -b .xserver120-rebased -%patch101 -p1 -b .rpath -%patch200 -p1 -b .xorg-CVE-2024-0229-followup -%patch201 -p1 -b .xorg-CVE-2024-31080.patch -%patch202 -p1 -b .xorg-CVE-2024-31081.patch -%patch203 -p1 -b .xorg-CVE-2024-31082.patch -%patch204 -p1 -b .xorg-CVE-2024-31083.patch -%patch205 -p1 -b .xorg-CVE-2024-31083-followup +# Xorg patches +%patch -P100 -p1 -b .xserver120-rebased +%patch -P101 -p1 -b .rpath popd -%patch1 -p1 -b .use-gnome-as-default-session -%patch2 -p1 -b .vncsession-restore-script-systemd-service +# Tigervnc patches +%patch -P1 -p1 -b .use-gnome-as-default-session +%patch -P2 -p1 -b .vncsession-restore-script-systemd-service # Upstream patches -%patch50 -p1 -b .support-username-alias-in-plainusers -%patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd +%patch -P50 -p1 -b .vncsession-use-bin-sh-when-shell-not-set +%patch -P51 -p1 -b .add-missing-coma-in-default-security-type-list +%patch -P52 -p1 -b .vncsession-move-existing-log-to-log-old-if-present +%patch -P53 -p1 -b .handle-existing-config-directory-in-vncpasswd +%patch -P54 -p1 -b .correctly-handle-zrle-cursors.patch # Upstreamable patches -%patch80 -p1 -b .dont-get-pointer-position-for-floating-device +%patch -P80 -p1 -b .dont-get-pointer-position-for-floating-device %build %ifarch sparcv9 sparc64 s390 s390x @@ -244,11 +241,10 @@ autoreconf -fiv --with-fontdir=%{_datadir}/X11/fonts \ --with-xkb-output=%{_localstatedir}/lib/xkb \ --enable-install-libxf86config \ - --enable-glx --disable-dri --enable-dri2 --disable-dri3 \ + --enable-glx --disable-dri --enable-dri2 --enable-dri3 \ --disable-unit-tests \ --disable-config-hal \ --disable-config-udev \ - --with-dri-driver-path=%{_libdir}/dri \ --without-dtrace \ --disable-devel-docs \ --disable-selective-werror @@ -394,20 +390,29 @@ fi %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %changelog -* Mon Apr 22 2024 Jan Grulich - 1.13.1-8.3 -- Rebuild (z-stream target) - Resolves: RHEL-30985 - Resolves: RHEL-31015 - -* Fri Apr 12 2024 Jan Grulich - 1.13.1-8.2 -- Fix crash caused by fix for CVE-2024-31083 - Resolves: RHEL-30985 - -* Thu Apr 04 2024 Jan Grulich - 1.13.1-8.1 +* Tue Jul 23 2024 Jan Grulich - 1.14.0-2 +- 1.14.0 + Resolves: RHEL-45316 +- Move old log to log.old if present + Resolves: RHEL-54294 +- Fix shared memory leak + Resolves: RHEL-55768 + +* Mon Aug 05 2024 Jan Grulich - 1.13.1-11 +- vncsession: use /bin/sh if the user shell is not set + Resolves: RHEL-50679 + +* Tue May 28 2024 Jan Grulich - 1.13.1-10 +- vncconfig: add option to force view-only remote client connections + Resolves: RHEL-12144 + +* Tue Apr 16 2024 Jan Grulich - 1.13.1-9 - Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents - Resolves: RHEL-31015 + Resolves: RHEL-30756 - Fix CVE-2024-31083 tigervnc: xorg-x11-server: User-after-free in ProcRenderAddGlyphs - Resolves: RHEL-30985 + Resolves: RHEL-30768 +- Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice + Resolves: RHEL-30762 * Wed Feb 07 2024 Jan Grulich - 1.13.1-8 - Fix copy/paste error in the DeviceStateNotify