Compare commits
No commits in common. 'c9-beta' and 'c9' have entirely different histories.
@ -1 +1 @@
|
||||
SOURCES/tigervnc-1.13.1.tar.gz
|
||||
SOURCES/tigervnc-1.14.1.tar.gz
|
||||
|
||||
@ -1 +1 @@
|
||||
6f7a23f14833f552c88523da1a5e102f3b8d35c2 SOURCES/tigervnc-1.13.1.tar.gz
|
||||
bc3c8bc9f454eb307011cd5965251f4a28040a25 SOURCES/tigervnc-1.14.1.tar.gz
|
||||
|
||||
@ -1,135 +0,0 @@
|
||||
diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx
|
||||
index 6f65e87..3142ba3 100644
|
||||
--- a/common/rfb/SSecurityPlain.cxx
|
||||
+++ b/common/rfb/SSecurityPlain.cxx
|
||||
@@ -27,6 +27,8 @@
|
||||
#include <rdr/InStream.h>
|
||||
#if !defined(WIN32) && !defined(__APPLE__)
|
||||
#include <rfb/UnixPasswordValidator.h>
|
||||
+#include <unistd.h>
|
||||
+#include <pwd.h>
|
||||
#endif
|
||||
#ifdef WIN32
|
||||
#include <rfb/WinPasswdValidator.h>
|
||||
@@ -45,21 +47,22 @@ StringParameter PasswordValidator::plainUsers
|
||||
|
||||
bool PasswordValidator::validUser(const char* username)
|
||||
{
|
||||
- CharArray users(plainUsers.getValueStr()), user;
|
||||
+ std::vector<std::string> users;
|
||||
|
||||
- while (users.buf) {
|
||||
- strSplit(users.buf, ',', &user.buf, &users.buf);
|
||||
-#ifdef WIN32
|
||||
- if (0 == stricmp(user.buf, "*"))
|
||||
- return true;
|
||||
- if (0 == stricmp(user.buf, username))
|
||||
- return true;
|
||||
-#else
|
||||
- if (!strcmp(user.buf, "*"))
|
||||
- return true;
|
||||
- if (!strcmp(user.buf, username))
|
||||
- return true;
|
||||
+ users = split(plainUsers, ',');
|
||||
+
|
||||
+ for (size_t i = 0; i < users.size(); i++) {
|
||||
+ if (users[i] == "*")
|
||||
+ return true;
|
||||
+#if !defined(WIN32) && !defined(__APPLE__)
|
||||
+ if (users[i] == "%u") {
|
||||
+ struct passwd *pw = getpwnam(username);
|
||||
+ if (pw && pw->pw_uid == getuid())
|
||||
+ return true;
|
||||
+ }
|
||||
#endif
|
||||
+ if (users[i] == username)
|
||||
+ return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx
|
||||
index 649eb0b..cce73a0 100644
|
||||
--- a/common/rfb/util.cxx
|
||||
+++ b/common/rfb/util.cxx
|
||||
@@ -99,6 +99,26 @@ namespace rfb {
|
||||
return false;
|
||||
}
|
||||
|
||||
+ std::vector<std::string> split(const char* src,
|
||||
+ const char delimiter)
|
||||
+ {
|
||||
+ std::vector<std::string> out;
|
||||
+ const char *start, *stop;
|
||||
+
|
||||
+ start = src;
|
||||
+ do {
|
||||
+ stop = strchr(start, delimiter);
|
||||
+ if (stop == NULL) {
|
||||
+ out.push_back(start);
|
||||
+ } else {
|
||||
+ out.push_back(std::string(start, stop-start));
|
||||
+ start = stop + 1;
|
||||
+ }
|
||||
+ } while (stop != NULL);
|
||||
+
|
||||
+ return out;
|
||||
+ }
|
||||
+
|
||||
bool strContains(const char* src, char c) {
|
||||
int l=strlen(src);
|
||||
for (int i=0; i<l; i++)
|
||||
diff --git a/common/rfb/util.h b/common/rfb/util.h
|
||||
index f0ac9ef..ed15c28 100644
|
||||
--- a/common/rfb/util.h
|
||||
+++ b/common/rfb/util.h
|
||||
@@ -27,6 +27,9 @@
|
||||
#include <limits.h>
|
||||
#include <string.h>
|
||||
|
||||
+#include <string>
|
||||
+#include <vector>
|
||||
+
|
||||
struct timeval;
|
||||
|
||||
#ifdef __GNUC__
|
||||
@@ -76,6 +79,10 @@ namespace rfb {
|
||||
// that part of the string. Obviously, setting both to 0 is not useful...
|
||||
bool strSplit(const char* src, const char limiter, char** out1, char** out2, bool fromEnd=false);
|
||||
|
||||
+ // Splits a string with the specified delimiter
|
||||
+ std::vector<std::string> split(const char* src,
|
||||
+ const char delimiter);
|
||||
+
|
||||
// Returns true if src contains c
|
||||
bool strContains(const char* src, char c);
|
||||
|
||||
diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man
|
||||
index c36ae34..78db730 100644
|
||||
--- a/unix/x0vncserver/x0vncserver.man
|
||||
+++ b/unix/x0vncserver/x0vncserver.man
|
||||
@@ -125,8 +125,8 @@ parameter instead.
|
||||
.B \-PlainUsers \fIuser-list\fP
|
||||
A comma separated list of user names that are allowed to authenticate via
|
||||
any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
|
||||
-to allow any user to authenticate using this security type. Default is to
|
||||
-deny all users.
|
||||
+to allow any user to authenticate using this security type. Specify \fB%u\fP
|
||||
+to allow the user of the server process. Default is to deny all users.
|
||||
.
|
||||
.TP
|
||||
.B \-pam_service \fIname\fP, \-PAMService \fIname\fP
|
||||
diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
|
||||
index ea87dea..e9fb654 100644
|
||||
--- a/unix/xserver/hw/vnc/Xvnc.man
|
||||
+++ b/unix/xserver/hw/vnc/Xvnc.man
|
||||
@@ -200,8 +200,8 @@ parameter instead.
|
||||
.B \-PlainUsers \fIuser-list\fP
|
||||
A comma separated list of user names that are allowed to authenticate via
|
||||
any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
|
||||
-to allow any user to authenticate using this security type. Default is to
|
||||
-deny all users.
|
||||
+to allow any user to authenticate using this security type. Specify \fB%u\fP
|
||||
+to allow the user of the server process. Default is to deny all users.
|
||||
.
|
||||
.TP
|
||||
.B \-pam_service \fIname\fP, \-PAMService \fIname\fP
|
||||
@ -1,17 +0,0 @@
|
||||
diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
|
||||
index f8141959..c5c36539 100644
|
||||
--- a/unix/xserver/hw/vnc/xvnc.c
|
||||
+++ b/unix/xserver/hw/vnc/xvnc.c
|
||||
@@ -366,8 +366,10 @@ ddxProcessArgument(int argc, char *argv[], int i)
|
||||
if (strcmp(argv[i], "-inetd") == 0) {
|
||||
int nullfd;
|
||||
|
||||
- dup2(0, 3);
|
||||
- vncInetdSock = 3;
|
||||
+ if ((vncInetdSock = dup(0)) == -1)
|
||||
+ FatalError
|
||||
+ ("Xvnc error: failed to allocate a new file descriptor for -inetd: %s\n", strerror(errno));
|
||||
+
|
||||
|
||||
/* Avoid xserver >= 1.19's epoll-fd becoming fd 2 / stderr only to be
|
||||
replaced by /dev/null by OsInit() because the pollfd is not
|
||||
@ -0,0 +1,94 @@
|
||||
From e26bc65b92d1e43570619deadf20b965e0952fef Mon Sep 17 00:00:00 2001
|
||||
From: Pat Riehecky <riehecky@fnal.gov>
|
||||
Date: Wed, 31 Jul 2024 14:43:46 -0500
|
||||
Subject: [PATCH] vncsession: Move existing log to log.old if present
|
||||
|
||||
---
|
||||
unix/vncserver/vncsession.c | 47 ++++++++++++++++++++++++++++---------
|
||||
1 file changed, 36 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
|
||||
index 98a0432aa..a10e0789e 100644
|
||||
--- a/unix/vncserver/vncsession.c
|
||||
+++ b/unix/vncserver/vncsession.c
|
||||
@@ -393,8 +393,9 @@ redir_stdio(const char *homedir, const char *display, char **envp)
|
||||
int fd;
|
||||
long hostlen;
|
||||
char* hostname = NULL, *xdgstate;
|
||||
- char logfile[PATH_MAX], legacy[PATH_MAX];
|
||||
+ char logdir[PATH_MAX], logfile[PATH_MAX], logfile_old[PATH_MAX], legacy[PATH_MAX];
|
||||
struct stat st;
|
||||
+ size_t fmt_len;
|
||||
|
||||
fd = open("/dev/null", O_RDONLY);
|
||||
if (fd == -1) {
|
||||
@@ -408,15 +409,24 @@ redir_stdio(const char *homedir, const char *display, char **envp)
|
||||
close(fd);
|
||||
|
||||
xdgstate = getenvp("XDG_STATE_HOME", envp);
|
||||
- if (xdgstate != NULL && xdgstate[0] == '/')
|
||||
- snprintf(logfile, sizeof(logfile), "%s/tigervnc", xdgstate);
|
||||
- else
|
||||
- snprintf(logfile, sizeof(logfile), "%s/.local/state/tigervnc", homedir);
|
||||
+ if (xdgstate != NULL && xdgstate[0] == '/') {
|
||||
+ fmt_len = snprintf(logdir, sizeof(logdir), "%s/tigervnc", xdgstate);
|
||||
+ if (fmt_len >= sizeof(logdir)) {
|
||||
+ syslog(LOG_CRIT, "Log dir path too long");
|
||||
+ _exit(EX_OSERR);
|
||||
+ }
|
||||
+ } else {
|
||||
+ fmt_len = snprintf(logdir, sizeof(logdir), "%s/.local/state/tigervnc", homedir);
|
||||
+ if (fmt_len >= sizeof(logdir)) {
|
||||
+ syslog(LOG_CRIT, "Log dir path too long");
|
||||
+ _exit(EX_OSERR);
|
||||
+ }
|
||||
+ }
|
||||
|
||||
snprintf(legacy, sizeof(legacy), "%s/.vnc", homedir);
|
||||
- if (stat(logfile, &st) != 0 && stat(legacy, &st) == 0) {
|
||||
+ if (stat(logdir, &st) != 0 && stat(legacy, &st) == 0) {
|
||||
syslog(LOG_WARNING, "~/.vnc is deprecated, please consult 'man vncsession' for paths to migrate to.");
|
||||
- strcpy(logfile, legacy);
|
||||
+ strcpy(logdir, legacy);
|
||||
|
||||
#ifdef HAVE_SELINUX
|
||||
/* this is only needed to handle historical type changes for the legacy dir */
|
||||
@@ -431,9 +441,9 @@ redir_stdio(const char *homedir, const char *display, char **envp)
|
||||
#endif
|
||||
}
|
||||
|
||||
- if (mkdir_p(logfile, 0755) == -1) {
|
||||
+ if (mkdir_p(logdir, 0755) == -1) {
|
||||
if (errno != EEXIST) {
|
||||
- syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
|
||||
+ syslog(LOG_CRIT, "Failure creating \"%s\": %s", logdir, strerror(errno));
|
||||
_exit(EX_OSERR);
|
||||
}
|
||||
}
|
||||
@@ -450,9 +460,24 @@ redir_stdio(const char *homedir, const char *display, char **envp)
|
||||
_exit(EX_OSERR);
|
||||
}
|
||||
|
||||
- snprintf(logfile + strlen(logfile), sizeof(logfile) - strlen(logfile), "/%s%s.log",
|
||||
- hostname, display);
|
||||
+ fmt_len = snprintf(logfile, sizeof(logfile), "/%s/%s%s.log", logdir, hostname, display);
|
||||
+ if (fmt_len >= sizeof(logfile)) {
|
||||
+ syslog(LOG_CRIT, "Log path too long");
|
||||
+ _exit(EX_OSERR);
|
||||
+ }
|
||||
+ fmt_len = snprintf(logfile_old, sizeof(logfile_old), "/%s/%s%s.log.old", logdir, hostname, display);
|
||||
+ if (fmt_len >= sizeof(logfile)) {
|
||||
+ syslog(LOG_CRIT, "Log.old path too long");
|
||||
+ _exit(EX_OSERR);
|
||||
+ }
|
||||
free(hostname);
|
||||
+
|
||||
+ if (stat(logfile, &st) == 0) {
|
||||
+ if (rename(logfile, logfile_old) != 0) {
|
||||
+ syslog(LOG_CRIT, "Failure renaming log file \"%s\" to \"%s\": %s", logfile, logfile_old, strerror(errno));
|
||||
+ _exit(EX_OSERR);
|
||||
+ }
|
||||
+ }
|
||||
fd = open(logfile, O_CREAT | O_WRONLY | O_TRUNC, 0644);
|
||||
if (fd == -1) {
|
||||
syslog(LOG_CRIT, "Failure creating log file \"%s\": %s", logfile, strerror(errno));
|
||||
@ -1,32 +0,0 @@
|
||||
From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Mon, 22 Jan 2024 14:22:12 +1000
|
||||
Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
|
||||
event
|
||||
|
||||
Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
|
||||
---
|
||||
dix/enterleave.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
||||
index 7b7ba1098b..c1e6ac600e 100644
|
||||
--- a/dix/enterleave.c
|
||||
+++ b/dix/enterleave.c
|
||||
@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
|
||||
ev->first_valuator = first;
|
||||
switch (ev->num_valuators) {
|
||||
case 6:
|
||||
- ev->valuator2 = v->axisVal[first + 5];
|
||||
+ ev->valuator5 = v->axisVal[first + 5];
|
||||
case 5:
|
||||
- ev->valuator2 = v->axisVal[first + 4];
|
||||
+ ev->valuator4 = v->axisVal[first + 4];
|
||||
case 4:
|
||||
- ev->valuator2 = v->axisVal[first + 3];
|
||||
+ ev->valuator3 = v->axisVal[first + 3];
|
||||
case 3:
|
||||
ev->valuator2 = v->axisVal[first + 2];
|
||||
case 2:
|
||||
--
|
||||
GitLab
|
||||
@ -0,0 +1,54 @@
|
||||
From 56351307017e2501f7cd6e31efcfb55c19aba75a Mon Sep 17 00:00:00 2001
|
||||
From: Matthieu Herrb <matthieu@herrb.eu>
|
||||
Date: Thu, 10 Oct 2024 10:37:28 +0200
|
||||
Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
|
||||
buffer.
|
||||
|
||||
However, It didn't update its size properly. It updated `num_si` only,
|
||||
without updating `size_si`.
|
||||
|
||||
This may lead to local privilege escalation if the server is run as root
|
||||
or remote code execution (e.g. x11 over ssh).
|
||||
|
||||
CVE-2024-9632, ZDI-CAN-24756
|
||||
|
||||
This vulnerability was discovered by:
|
||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
||||
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Reviewed-by: José Expósito <jexposit@redhat.com>
|
||||
---
|
||||
xkb/xkb.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
||||
index f203270d5..70e8279aa 100644
|
||||
--- a/xkb/xkb.c
|
||||
+++ b/xkb/xkb.c
|
||||
@@ -2991,13 +2991,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
|
||||
XkbSymInterpretPtr sym;
|
||||
unsigned int skipped = 0;
|
||||
|
||||
- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
|
||||
- compat->num_si = req->firstSI + req->nSI;
|
||||
+ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
|
||||
+ compat->num_si = compat->size_si = req->firstSI + req->nSI;
|
||||
compat->sym_interpret = reallocarray(compat->sym_interpret,
|
||||
- compat->num_si,
|
||||
+ compat->size_si,
|
||||
sizeof(XkbSymInterpretRec));
|
||||
if (!compat->sym_interpret) {
|
||||
- compat->num_si = 0;
|
||||
+ compat->num_si = compat->size_si = 0;
|
||||
return BadAlloc;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.46.2
|
||||
|
||||
Loading…
Reference in new issue