9 changed files with 274 additions and 309 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/tigervnc-1.14.1.tar.gz
+SOURCES/tigervnc-1.13.1.tar.gz
--- a/.tigervnc.metadata
+++ b/.tigervnc.metadata
@ -1 +1 @@
-bc3c8bc9f454eb307011cd5965251f4a28040a25 SOURCES/tigervnc-1.14.1.tar.gz
+6f7a23f14833f552c88523da1a5e102f3b8d35c2 SOURCES/tigervnc-1.13.1.tar.gz
--- a/SOURCES/tigervnc-support-username-alias-in-plainusers.patch
+++ b/SOURCES/tigervnc-support-username-alias-in-plainusers.patch
@ -0,0 +1,135 @@
 diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx
 index 6f65e87..3142ba3 100644
 --- a/common/rfb/SSecurityPlain.cxx
 +++ b/common/rfb/SSecurityPlain.cxx
@@ -27,6 +27,8 @@
 #include <rdr/InStream.h>
 #if !defined(WIN32) && !defined(__APPLE__)
 #include <rfb/UnixPasswordValidator.h>
 +#include <unistd.h>
 +#include <pwd.h>
 #endif
 #ifdef WIN32
 #include <rfb/WinPasswdValidator.h>
@@ -45,21 +47,22 @@ StringParameter PasswordValidator::plainUsers
 bool PasswordValidator::validUser(const char* username)
 {
 -  CharArray users(plainUsers.getValueStr()), user;
 +  std::vector<std::string> users;
 -  while (users.buf) {
 -    strSplit(users.buf, ',', &user.buf, &users.buf);
 -#ifdef WIN32
 -    if (0 == stricmp(user.buf, "*"))
 -	  return true;
 -    if (0 == stricmp(user.buf, username))
 -	  return true;
 -#else
 -    if (!strcmp(user.buf, "*"))
 -	  return true;
 -    if (!strcmp(user.buf, username))
 -	  return true;
 +  users = split(plainUsers, ',');
 +
 +  for (size_t i = 0; i < users.size(); i++) {
 +    if (users[i] == "*")
 +      return true;
 +#if !defined(WIN32) && !defined(__APPLE__)
 +    if (users[i] == "%u") {
 +      struct passwd *pw = getpwnam(username);
 +      if (pw && pw->pw_uid == getuid())
 +        return true;
 +    }
 #endif
 +    if (users[i] == username)
 +      return true;
   }
   return false;
 }
 diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx
 index 649eb0b..cce73a0 100644
 --- a/common/rfb/util.cxx
 +++ b/common/rfb/util.cxx
@@ -99,6 +99,26 @@ namespace rfb {
     return false;
   }
 +  std::vector<std::string> split(const char* src,
 +                                 const char delimiter)
 +  {
 +    std::vector<std::string> out;
 +    const char *start, *stop;
 +
 +    start = src;
 +    do {
 +      stop = strchr(start, delimiter);
 +      if (stop == NULL) {
 +        out.push_back(start);
 +      } else {
 +        out.push_back(std::string(start, stop-start));
 +        start = stop + 1;
 +      }
 +    } while (stop != NULL);
 +
 +    return out;
 +  }
 +
   bool strContains(const char* src, char c) {
     int l=strlen(src);
     for (int i=0; i<l; i++)
 diff --git a/common/rfb/util.h b/common/rfb/util.h
 index f0ac9ef..ed15c28 100644
 --- a/common/rfb/util.h
 +++ b/common/rfb/util.h
@@ -27,6 +27,9 @@
 #include <limits.h>
 #include <string.h>
 +#include <string>
 +#include <vector>
 +
 struct timeval;
 #ifdef __GNUC__
@@ -76,6 +79,10 @@ namespace rfb {
   // that part of the string.  Obviously, setting both to 0 is not useful...
   bool strSplit(const char* src, const char limiter, char** out1, char** out2, bool fromEnd=false);
 +  // Splits a string with the specified delimiter
 +  std::vector<std::string> split(const char* src,
 +                                 const char delimiter);
 +
   // Returns true if src contains c
   bool strContains(const char* src, char c);
 diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man
 index c36ae34..78db730 100644
 --- a/unix/x0vncserver/x0vncserver.man
 +++ b/unix/x0vncserver/x0vncserver.man
@@ -125,8 +125,8 @@ parameter instead.
 .B \-PlainUsers \fIuser-list\fP
 A comma separated list of user names that are allowed to authenticate via
 any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
 -to allow any user to authenticate using this security type. Default is to
 -deny all users.
 +to allow any user to authenticate using this security type. Specify \fB%u\fP
 +to allow the user of the server process. Default is to deny all users.
 .
 .TP
 .B \-pam_service \fIname\fP, \-PAMService \fIname\fP
 diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
 index ea87dea..e9fb654 100644
 --- a/unix/xserver/hw/vnc/Xvnc.man
 +++ b/unix/xserver/hw/vnc/Xvnc.man
@@ -200,8 +200,8 @@ parameter instead.
 .B \-PlainUsers \fIuser-list\fP
 A comma separated list of user names that are allowed to authenticate via
 any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
 -to allow any user to authenticate using this security type. Default is to
 -deny all users.
 +to allow any user to authenticate using this security type. Specify \fB%u\fP
 +to allow the user of the server process. Default is to deny all users.
 .
 .TP
 .B \-pam_service \fIname\fP, \-PAMService \fIname\fP
--- a/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch
+++ b/SOURCES/tigervnc-use-dup-to-get-available-fd-for-inetd.patch
@ -0,0 +1,17 @@
 diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
 index f8141959..c5c36539 100644
 --- a/unix/xserver/hw/vnc/xvnc.c
 +++ b/unix/xserver/hw/vnc/xvnc.c
@@ -366,8 +366,10 @@ ddxProcessArgument(int argc, char *argv[], int i)
     if (strcmp(argv[i], "-inetd") == 0) {
         int nullfd;
 -        dup2(0, 3);
 -        vncInetdSock = 3;
 +        if ((vncInetdSock = dup(0)) == -1)
 +            FatalError
 +                ("Xvnc error: failed to allocate a new file descriptor for -inetd: %s\n", strerror(errno));
 +
         /* Avoid xserver >= 1.19's epoll-fd becoming fd 2 / stderr only to be
            replaced by /dev/null by OsInit() because the pollfd is not
--- a/SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch
+++ b/SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch
@ -1,94 +0,0 @@
 From e26bc65b92d1e43570619deadf20b965e0952fef Mon Sep 17 00:00:00 2001
 From: Pat Riehecky <riehecky@fnal.gov>
 Date: Wed, 31 Jul 2024 14:43:46 -0500
 Subject: [PATCH] vncsession: Move existing log to log.old if present
 ---
 unix/vncserver/vncsession.c | 47 ++++++++++++++++++++++++++++---------
 1 file changed, 36 insertions(+), 11 deletions(-)
 diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
 index 98a0432aa..a10e0789e 100644
 --- a/unix/vncserver/vncsession.c
 +++ b/unix/vncserver/vncsession.c
@@ -393,8 +393,9 @@ redir_stdio(const char *homedir, const char *display, char **envp)
     int fd;
     long hostlen;
     char* hostname = NULL, *xdgstate;
 -    char logfile[PATH_MAX], legacy[PATH_MAX];
 +    char logdir[PATH_MAX], logfile[PATH_MAX], logfile_old[PATH_MAX], legacy[PATH_MAX];
     struct stat st;
 +    size_t fmt_len;
     fd = open("/dev/null", O_RDONLY);
     if (fd == -1) {
@@ -408,15 +409,24 @@ redir_stdio(const char *homedir, const char *display, char **envp)
     close(fd);
     xdgstate = getenvp("XDG_STATE_HOME", envp);
 -    if (xdgstate != NULL && xdgstate[0] == '/')
 -        snprintf(logfile, sizeof(logfile), "%s/tigervnc", xdgstate);
 -    else
 -        snprintf(logfile, sizeof(logfile), "%s/.local/state/tigervnc", homedir);
 +    if (xdgstate != NULL && xdgstate[0] == '/') {
 +        fmt_len = snprintf(logdir, sizeof(logdir), "%s/tigervnc", xdgstate);
 +        if (fmt_len >= sizeof(logdir)) {
 +            syslog(LOG_CRIT, "Log dir path too long");
 +            _exit(EX_OSERR);
 +        }
 +    } else {
 +        fmt_len = snprintf(logdir, sizeof(logdir), "%s/.local/state/tigervnc", homedir);
 +        if (fmt_len >= sizeof(logdir)) {
 +            syslog(LOG_CRIT, "Log dir path too long");
 +            _exit(EX_OSERR);
 +        }
 +    }
     snprintf(legacy, sizeof(legacy), "%s/.vnc", homedir);
 -    if (stat(logfile, &st) != 0 && stat(legacy, &st) == 0) {
 +    if (stat(logdir, &st) != 0 && stat(legacy, &st) == 0) {
         syslog(LOG_WARNING, "~/.vnc is deprecated, please consult 'man vncsession' for paths to migrate to.");
 -        strcpy(logfile, legacy);
 +        strcpy(logdir, legacy);
 #ifdef HAVE_SELINUX
         /* this is only needed to handle historical type changes for the legacy dir */
@@ -431,9 +441,9 @@ redir_stdio(const char *homedir, const char *display, char **envp)
 #endif
     }
 -    if (mkdir_p(logfile, 0755) == -1) {
 +    if (mkdir_p(logdir, 0755) == -1) {
         if (errno != EEXIST) {
 -            syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
 +            syslog(LOG_CRIT, "Failure creating \"%s\": %s", logdir, strerror(errno));
             _exit(EX_OSERR);
         }
     }
@@ -450,9 +460,24 @@ redir_stdio(const char *homedir, const char *display, char **envp)
         _exit(EX_OSERR);
     }
 -    snprintf(logfile + strlen(logfile), sizeof(logfile) - strlen(logfile), "/%s%s.log",
 -             hostname, display);
 +    fmt_len = snprintf(logfile, sizeof(logfile), "/%s/%s%s.log", logdir, hostname, display);
 +    if (fmt_len >= sizeof(logfile)) {
 +        syslog(LOG_CRIT, "Log path too long");
 +        _exit(EX_OSERR);
 +    }
 +    fmt_len = snprintf(logfile_old, sizeof(logfile_old), "/%s/%s%s.log.old", logdir, hostname, display);
 +    if (fmt_len >= sizeof(logfile)) {
 +        syslog(LOG_CRIT, "Log.old path too long");
 +        _exit(EX_OSERR);
 +    }
     free(hostname);
 +
 +    if (stat(logfile, &st) == 0) {
 +        if (rename(logfile, logfile_old) != 0) {
 +            syslog(LOG_CRIT, "Failure renaming log file \"%s\" to \"%s\": %s", logfile, logfile_old, strerror(errno));
 +            _exit(EX_OSERR);
 +        }
 +    }
     fd = open(logfile, O_CREAT | O_WRONLY | O_TRUNC, 0644);
     if (fd == -1) {
         syslog(LOG_CRIT, "Failure creating log file \"%s\": %s", logfile, strerror(errno));
--- a/SOURCES/tigervnc-xserver120.patch
+++ b/SOURCES/tigervnc-xserver120.patch
@ -1,7 +1,6 @@
-diff --git a/configure.ac b/configure.ac
+diff -up xserver/configure.ac.xserver116-rebased xserver/configure.ac
-index 0909cc5b4..c01873200 100644
+--- xserver/configure.ac.xserver116-rebased	2016-09-29 13:14:45.595441590 +0200
--- a/configure.ac
+++ xserver/configure.ac	2016-09-29 13:14:45.631442006 +0200
 +++ b/configure.ac
@@ -74,6 +74,7 @@ dnl forcing an entire recompile.x
 AC_CONFIG_HEADERS(include/version-config.h)
@ -10,30 +9,35 @@ index 0909cc5b4..c01873200 100644
 AC_PROG_LN_S
 LT_PREREQ([2.2])
 LT_INIT([disable-static win32-dll])
-@@ -1735,6 +1736,14 @@ if test "x$XVFB" = xyes; then
+@@ -1863,6 +1864,10 @@ if test "x$XVFB" = xyes; then
 	AC_SUBST([XVFB_SYS_LIBS])
 fi
 +dnl Xvnc DDX
 +AC_SUBST([XVNC_CPPFLAGS], ["-DHAVE_DIX_CONFIG_H $XSERVER_CFLAGS"])
 +AC_SUBST([XVNC_LIBS], ["$FB_LIB $FIXES_LIB $XEXT_LIB $CONFIG_LIB $DBE_LIB $RECORD_LIB $GLX_LIBS $RANDR_LIB $RENDER_LIB $DAMAGE_LIB $DRI3_LIB $PRESENT_LIB $MIEXT_SYNC_LIB $MIEXT_DAMAGE_LIB $MIEXT_SHADOW_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $COMPOSITE_LIB $MAIN_LIB"])
 +AC_SUBST([XVNC_SYS_LIBS], ["$GLX_SYS_LIBS"])
 +
 +PKG_CHECK_MODULES(GBM, "$LIBGBM", [GBM=yes], [GBM=no])
 +if test "x$GBM" = xyes; then
 +	AC_DEFINE(HAVE_GBM, 1, [Have GBM support])
 +fi
 dnl Xnest DDX
-@@ -2058,7 +2067,6 @@ if test "x$GLAMOR" = xyes; then
+@@ -1898,6 +1903,8 @@ if test "x$XORG" = xauto; then
- 			 [AC_DEFINE(GLAMOR_HAS_EGL_QUERY_DRIVER, 1, [Have GLAMOR_HAS_EGL_QUERY_DRIVER])],
+ fi
- 			 [])
+ AC_MSG_RESULT([$XORG])
-	PKG_CHECK_MODULES(GBM, "$LIBGBM", [GBM=yes], [GBM=no])
+AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version])
- 	if test "x$GBM" = xyes; then
+
- 		AC_DEFINE(GLAMOR_HAS_GBM, 1,
+ if test "x$XORG" = xyes; then
- 			  [Build glamor with GBM-based EGL support])
+ 	XORG_DDXINCS='-I$(top_srcdir)/hw/xfree86 -I$(top_srcdir)/hw/xfree86/include -I$(top_srcdir)/hw/xfree86/common'
-@@ -2523,6 +2531,7 @@ hw/dmx/Makefile
+ 	XORG_OSINCS='-I$(top_srcdir)/hw/xfree86/os-support -I$(top_srcdir)/hw/xfree86/os-support/bus -I$(top_srcdir)/os'
@@ -2116,7 +2123,6 @@ if test "x$XORG" = xyes; then
 	AC_DEFINE(XORG_SERVER, 1, [Building Xorg server])
 	AC_DEFINE(XORGSERVER, 1, [Building Xorg server])
 	AC_DEFINE(XFree86Server, 1, [Building XFree86 server])
 -	AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version])
 	AC_DEFINE(NEED_XF86_TYPES, 1, [Need XFree86 typedefs])
 	AC_DEFINE(NEED_XF86_PROTOTYPES, 1, [Need XFree86 helper functions])
 	AC_DEFINE(__XSERVERNAME__, "Xorg", [Name of X server])
@@ -2691,6 +2697,7 @@ hw/dmx/Makefile
 hw/dmx/man/Makefile
 hw/vfb/Makefile
 hw/vfb/man/Makefile
@ -41,98 +45,47 @@ index 0909cc5b4..c01873200 100644
 hw/xnest/Makefile
 hw/xnest/man/Makefile
 hw/xwin/Makefile
-diff --git a/dri3/Makefile.am b/dri3/Makefile.am
+diff -up xserver/hw/Makefile.am.xserver116-rebased xserver/hw/Makefile.am
-index e47a734e0..99c3718a5 100644
+--- xserver/hw/Makefile.am.xserver116-rebased	2016-09-29 13:14:45.601441659 +0200
--- a/dri3/Makefile.am
+++ xserver/hw/Makefile.am	2016-09-29 13:14:45.631442006 +0200
-+++ b/dri3/Makefile.am
+@@ -38,7 +38,8 @@ SUBDIRS =			\
-@@ -1,7 +1,7 @@
+ 	$(DMX_SUBDIRS)		\
- noinst_LTLIBRARIES = libdri3.la
+ 	$(KDRIVE_SUBDIRS)	\
- AM_CFLAGS = \
+ 	$(XQUARTZ_SUBDIRS)	\
-	-DHAVE_XORG_CONFIG_H \
+-	$(XWAYLAND_SUBDIRS)
-	@DIX_CFLAGS@ @XORG_CFLAGS@
+	$(XWAYLAND_SUBDIRS)	\
-+	@DIX_CFLAGS@ \
+	vnc
 +	@LIBDRM_CFLAGS@
 libdri3_la_SOURCES = \
 	dri3.h \
 diff --git a/dri3/dri3.c b/dri3/dri3.c
 index ba32facd7..191252969 100644
 --- a/dri3/dri3.c
 +++ b/dri3/dri3.c
@@ -20,10 +20,6 @@
  * OF THIS SOFTWARE.
  */
 -#ifdef HAVE_XORG_CONFIG_H
 -#include <xorg-config.h>
 -#endif
 -
 #include "dri3_priv.h"
- #include <drm_fourcc.h>
+ DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland
 diff --git a/dri3/dri3_priv.h b/dri3/dri3_priv.h
 index b087a9529..f319d1770 100644
 --- a/dri3/dri3_priv.h
 +++ b/dri3/dri3_priv.h
@@ -23,6 +23,7 @@
 #ifndef _DRI3PRIV_H_
 #define _DRI3PRIV_H_
-+#include "dix-config.h"
+diff --git xserver/mi/miinitext.c xserver/mi/miinitext.c
- #include <X11/X.h>
+index 5596e21..003fc3c 100644
- #include "scrnintstr.h"
+--- xserver/mi/miinitext.c
- #include "misc.h"
+++ xserver/mi/miinitext.c
-diff --git a/dri3/dri3_request.c b/dri3/dri3_request.c
+@@ -107,8 +107,15 @@ SOFTWARE.
-index 958877efa..687168930 100644
+ #include "os.h"
--- a/dri3/dri3_request.c
+ #include "globals.h"
 +++ b/dri3/dri3_request.c
@@ -20,10 +20,6 @@
  * OF THIS SOFTWARE.
  */
-#ifdef HAVE_XORG_CONFIG_H
+#ifdef TIGERVNC
-#include <xorg-config.h>
+extern void vncExtensionInit(INITARGS);
-#endif
+#endif
 -
 #include "dri3_priv.h"
 #include <syncsrv.h>
 #include <unistd.h>
 diff --git a/dri3/dri3_screen.c b/dri3/dri3_screen.c
 index b98259753..3c7e5bf60 100644
 --- a/dri3/dri3_screen.c
 +++ b/dri3/dri3_screen.c
@@ -20,10 +20,6 @@
  * OF THIS SOFTWARE.
  */
 -#ifdef HAVE_XORG_CONFIG_H
 -#include <xorg-config.h>
 -#endif
 -
 #include "dri3_priv.h"
 #include <syncsdk.h>
 #include <misync.h>
 diff --git a/hw/Makefile.am b/hw/Makefile.am
 index 19895dc77..3ecfa8b7a 100644
 --- a/hw/Makefile.am
 +++ b/hw/Makefile.am
@@ -44,3 +44,5 @@ DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland
 relink:
 	$(AM_V_at)for i in $(SUBDIRS) ; do $(MAKE) -C $$i relink || exit 1 ; done
 +
-+SUBDIRS += vnc
+ /* List of built-in (statically linked) extensions */
-diff --git a/include/dix-config.h.in b/include/dix-config.h.in
+ static const ExtensionModule staticExtensions[] = {
-index f8fc67067..d53c4e72f 100644
+#ifdef TIGERVNC
--- a/include/dix-config.h.in
+    {vncExtensionInit, "VNC-EXTENSION", NULL},
-+++ b/include/dix-config.h.in
+#endif
-@@ -83,6 +83,9 @@
+     {GEExtensionInit, "Generic Event Extension", &noGEExtension},
- /* Define to 1 if you have the <fcntl.h> header file. */
+     {ShapeExtensionInit, "SHAPE", NULL},
- #undef HAVE_FCNTL_H
+ #ifdef MITSHM
- 
+--- xserver/include/os.h~	2016-10-03 09:07:29.000000000 +0200
-+/* Have GBM support */
+++ xserver/include/os.h	2016-10-03 14:13:00.013654506 +0200
-+#undef HAVE_GBM
+@@ -621,7 +621,7 @@
-+
+ extern _X_EXPORT void
- /* Define to 1 if you have the `getdtablesize' function. */
+ LogClose(enum ExitCode error);
- #undef HAVE_GETDTABLESIZE
+ extern _X_EXPORT Bool
- 
+-LogSetParameter(LogParameter param, int value);
 +LogSetParameter(enum _LogParameter param, int value);
 extern _X_EXPORT void
 LogVWrite(int verb, const char *f, va_list args)
 _X_ATTRIBUTE_PRINTF(2, 0);
--- a/SOURCES/xorg-CVE-2024-0229-followup.patch
+++ b/SOURCES/xorg-CVE-2024-0229-followup.patch
@ -0,0 +1,32 @@
 From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Mon, 22 Jan 2024 14:22:12 +1000
 Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
 event
 Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
 ---
 dix/enterleave.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/dix/enterleave.c b/dix/enterleave.c
 index 7b7ba1098b..c1e6ac600e 100644
 --- a/dix/enterleave.c
 +++ b/dix/enterleave.c
@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
     ev->first_valuator = first;
     switch (ev->num_valuators) {
     case 6:
 -        ev->valuator2 = v->axisVal[first + 5];
 +        ev->valuator5 = v->axisVal[first + 5];
     case 5:
 -        ev->valuator2 = v->axisVal[first + 4];
 +        ev->valuator4 = v->axisVal[first + 4];
     case 4:
 -        ev->valuator2 = v->axisVal[first + 3];
 +        ev->valuator3 = v->axisVal[first + 3];
     case 3:
         ev->valuator2 = v->axisVal[first + 2];
     case 2:
 --
 GitLab
--- a/SOURCES/xorg-CVE-2024-9632.patch
+++ b/SOURCES/xorg-CVE-2024-9632.patch
@ -1,54 +0,0 @@
 From 56351307017e2501f7cd6e31efcfb55c19aba75a Mon Sep 17 00:00:00 2001
 From: Matthieu Herrb <matthieu@herrb.eu>
 Date: Thu, 10 Oct 2024 10:37:28 +0200
 Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap()
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
 buffer.
 However, It didn't update its size properly. It updated `num_si` only,
 without updating `size_si`.
 This may lead to local privilege escalation if the server is run as root
 or remote code execution (e.g. x11 over ssh).
 CVE-2024-9632, ZDI-CAN-24756
 This vulnerability was discovered by:
 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
 Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
 Reviewed-by: José Expósito <jexposit@redhat.com>
 ---
 xkb/xkb.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/xkb/xkb.c b/xkb/xkb.c
 index f203270d5..70e8279aa 100644
 --- a/xkb/xkb.c
 +++ b/xkb/xkb.c
@@ -2991,13 +2991,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
         XkbSymInterpretPtr sym;
         unsigned int skipped = 0;
 -        if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
 -            compat->num_si = req->firstSI + req->nSI;
 +        if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
 +            compat->num_si = compat->size_si = req->firstSI + req->nSI;
             compat->sym_interpret = reallocarray(compat->sym_interpret,
 -                                                 compat->num_si,
 +                                                 compat->size_si,
                                                  sizeof(XkbSymInterpretRec));
             if (!compat->sym_interpret) {
 -                compat->num_si = 0;
 +                compat->num_si = compat->size_si = 0;
                 return BadAlloc;
             }
         }
 -- 
 2.46.2
--- a/SPECS/tigervnc.spec
+++ b/SPECS/tigervnc.spec
@ -4,8 +4,8 @@
 %global modulename vncsession
 Name:           tigervnc
-Version:        1.14.1
+Version:        1.13.1
-Release:        1%{?dist}
+Release:        8%{?dist}
 Summary:        A TigerVNC remote display system
 %global _hardened_build 1
@ -23,11 +23,11 @@ Source5:        vncserver
 # Downstream patches
 Patch1:         tigervnc-use-gnome-as-default-session.patch
 # https://github.com/TigerVNC/tigervnc/pull/1425
 Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch
 # Upstream patches
-Patch50:        tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch
+Patch50:        tigervnc-support-username-alias-in-plainusers.patch
 Patch51:        tigervnc-use-dup-to-get-available-fd-for-inetd.patch
 # Upstreamable patches
 Patch80:        tigervnc-dont-get-pointer-position-for-floating-device.patch
@ -38,7 +38,9 @@ Patch100:       tigervnc-xserver120.patch
 Patch101:       0001-rpath-hack.patch
 # XServer patches
-Patch200:       xorg-CVE-2024-9632.patch
+# CVE-2024-0229
 # https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1251
 Patch200:       xorg-CVE-2024-0229-followup.patch
 BuildRequires:  make
 BuildRequires:  gcc-c++
@ -75,22 +77,18 @@ BuildRequires:  libXinerama-devel
 BuildRequires:  libXt-devel
 BuildRequires:  libXtst-devel
 BuildRequires:  libdrm-devel
 BuildRequires:  mesa-libgbm-devel
 BuildRequires:  libtool
 BuildRequires:  libxkbfile-devel
 BuildRequires:  libxshmfence-devel
 BuildRequires:  mesa-libGL-devel
-BuildRequires:  pkgconfig(fontutil)
+BuildRequires:  xorg-x11-font-utils
 BuildRequires:  pkgconfig(xkbcomp)
 BuildRequires:  xorg-x11-server-devel
 BuildRequires:  xorg-x11-server-source
 BuildRequires:  xorg-x11-util-macros
 BuildRequires:  xorg-x11-xtrans-devel
 # SELinux
-BuildRequires:  libselinux-devel
+BuildRequires:  libselinux-devel, selinux-policy-devel, systemd
 BuildRequires:  selinux-policy-devel
 BuildRequires:  systemd
 Requires(post): coreutils
 Requires(postun):coreutils
@ -190,21 +188,20 @@ pushd unix/xserver
 for all in `find . -type f -perm -001`; do
        chmod -x "$all"
 done
-# Xorg patches
+%patch100 -p1 -b .xserver120-rebased
-%patch -P100 -p1 -b .xserver120-rebased
+%patch101 -p1 -b .rpath
-%patch -P101 -p1 -b .rpath
+%patch200 -p1 -b .xorg-CVE-2024-0229-followup
 %patch -P200 -p1 -b .xorg-CVE-2024-9632
 popd
-# Tigervnc patches
+%patch1 -p1 -b .use-gnome-as-default-session
-%patch -P1 -p1 -b .use-gnome-as-default-session
+%patch2 -p1 -b .vncsession-restore-script-systemd-service
 %patch -P2 -p1 -b .vncsession-restore-script-systemd-service
 # Upstream patches
-%patch -P50 -p1 -b .vncsession-move-existing-log-to-log-old-if-present
+%patch50 -p1 -b .support-username-alias-in-plainusers
 %patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd
 # Upstreamable patches
-%patch -P80 -p1 -b .dont-get-pointer-position-for-floating-device
+%patch80 -p1 -b .dont-get-pointer-position-for-floating-device
 %build
 %ifarch sparcv9 sparc64 s390 s390x
@ -237,10 +234,11 @@ autoreconf -fiv
        --with-fontdir=%{_datadir}/X11/fonts \
        --with-xkb-output=%{_localstatedir}/lib/xkb \
        --enable-install-libxf86config \
-        --enable-glx --disable-dri --enable-dri2 --enable-dri3 \
+        --enable-glx --disable-dri --enable-dri2 --disable-dri3 \
        --disable-unit-tests \
        --disable-config-hal \
        --disable-config-udev \
        --with-dri-driver-path=%{_libdir}/dri \
        --without-dtrace \
        --disable-devel-docs \
        --disable-selective-werror
@ -386,28 +384,6 @@ fi
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 %changelog
 * Fri Nov 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.1-1
 - 1.14.1
  Resolves: RHEL-66600
 - Fix CVE-2024-9632: xorg-x11-server: heap-based buffer overflow privilege escalation vulnerability
  Resolves: RHEL-62000
 * Mon Aug 05 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11
 - vncsession: use /bin/sh if the user shell is not set
  Resolves: RHEL-50679
 * Tue May 28 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-10
 - vncconfig: add option to force view-only remote client connections
  Resolves: RHEL-12144
 * Tue Apr 16 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-9
 - Fix CVE-2024-31080 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
  Resolves: RHEL-30756
 - Fix CVE-2024-31083 tigervnc: xorg-x11-server: User-after-free in ProcRenderAddGlyphs
  Resolves: RHEL-30768
 - Fix CVE-2024-31081 tigervnc: xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
  Resolves: RHEL-30762
 * Wed Feb 07 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-8
 - Fix copy/paste error in the DeviceStateNotify
  Resolves: RHEL-20533
`@ -1 +1 @@`
	`SOURCES/tigervnc-1.14.1.tar.gz`	`SOURCES/tigervnc-1.13.1.tar.gz`
`@ -1 +1 @@`
	`bc3c8bc9f454eb307011cd5965251f4a28040a25 SOURCES/tigervnc-1.14.1.tar.gz`	`6f7a23f14833f552c88523da1a5e102f3b8d35c2 SOURCES/tigervnc-1.13.1.tar.gz`