.gitignore

@@ -1 +1 @@
-SOURCES/tigervnc-1.14.1.tar.gz
+SOURCES/tigervnc-1.14.0.tar.gz

.tigervnc.metadata

@@ -1 +1 @@
-bc3c8bc9f454eb307011cd5965251f4a28040a25 SOURCES/tigervnc-1.14.1.tar.gz
+9e67944113159da85f42c24b43f40b842f23feb3  SOURCES/tigervnc-1.14.0.tar.gz

SOURCES/0001-Update-Russian-translation-for-menu.patch

@@ -0,0 +1,25 @@
+From c15a1085ae4885c1874e393adee3d069dbc6f716 Mon Sep 17 00:00:00 2001
+From: tigro <tigro@msvsphere-os.ru>
+Date: Mon, 5 Feb 2024 17:22:59 +0300
+Subject: [PATCH] Update Russian translation for menu
+
+---
+ po/ru.po | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/po/ru.po b/po/ru.po
+index cc457ec..05791ab 100644
+--- a/po/ru.po
++++ b/po/ru.po
+@@ -702,7 +702,7 @@ msgstr "Не удалось перехватить устройство %i"
+ #: vncviewer/org.tigervnc.vncviewer.metainfo.xml.in:13
+ #: vncviewer/vncviewer.cxx:406 vncviewer/vncviewer.desktop.in.in:3
+ msgid "TigerVNC Viewer"
+-msgstr "TigerVNC Viewer"
++msgstr "Клиент VNC TigerVNC"
+ 
+ #: vncviewer/org.tigervnc.vncviewer.metainfo.xml.in:14
+ #: vncviewer/vncviewer.desktop.in.in:5
+-- 
+2.43.0
+

SOURCES/tigervnc-add-missing-coma-in-default-security-type-list.patch

@@ -0,0 +1,24 @@
+From 4f6a3521874da5a67fd746389cfa9b6199eb3582 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman <ossman@cendio.se>
+Date: Mon, 29 Jul 2024 16:16:08 +0200
+Subject: [PATCH] Add missing comma in default security type list
+
+Otherwise it merges with the next entry, removing both of them from the
+default list.
+---
+ common/rfb/SecurityClient.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/rfb/SecurityClient.cxx b/common/rfb/SecurityClient.cxx
+index 12860662f..63e0cadc0 100644
+--- a/common/rfb/SecurityClient.cxx
++++ b/common/rfb/SecurityClient.cxx
+@@ -60,7 +60,7 @@ StringParameter SecurityClient::secTypes
+  "X509Plain,TLSPlain,X509Vnc,TLSVnc,X509None,TLSNone,"
+ #endif
+ #ifdef HAVE_NETTLE
+- "RA2,RA2_256,RA2ne,RA2ne_256,DH,MSLogonII"
++ "RA2,RA2_256,RA2ne,RA2ne_256,DH,MSLogonII,"
+ #endif
+  "VncAuth,None",
+ ConfViewer);

SOURCES/tigervnc-correctly-handle-zrle-cursors.patch

@@ -0,0 +1,29 @@
+From 6d9017eeb364491cf2acdf1c7e61aee8dd198527 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman <ossman@cendio.se>
+Date: Fri, 30 Aug 2024 16:15:09 +0200
+Subject: [PATCH] Correctly handle ZRLE cursors
+
+Cursor data has a depth of 32 bits and hence cannot use CPIXELs.
+
+This is a regression from baca73d.
+---
+ common/rfb/ZRLEDecoder.cxx | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/rfb/ZRLEDecoder.cxx b/common/rfb/ZRLEDecoder.cxx
+index 474fd6ca1..e274a697a 100644
+--- a/common/rfb/ZRLEDecoder.cxx
++++ b/common/rfb/ZRLEDecoder.cxx
+@@ -125,10 +125,10 @@ void ZRLEDecoder::zrleDecode(const Rect& r, rdr::InStream* is,
+   Pixel maxPixel = pf.pixelFromRGB((uint16_t)-1, (uint16_t)-1, (uint16_t)-1);
+   bool fitsInLS3Bytes = maxPixel < (1<<24);
+   bool fitsInMS3Bytes = (maxPixel & 0xff) == 0;
+-  bool isLowCPixel = (sizeof(T) == 4) &&
++  bool isLowCPixel = (sizeof(T) == 4) && (pf.depth <= 24) &&
+                      ((fitsInLS3Bytes && pf.isLittleEndian()) ||
+                       (fitsInMS3Bytes && pf.isBigEndian()));
+-  bool isHighCPixel = (sizeof(T) == 4) &&
++  bool isHighCPixel = (sizeof(T) == 4) && (pf.depth <= 24) &&
+                       ((fitsInLS3Bytes && pf.isBigEndian()) ||
+                        (fitsInMS3Bytes && pf.isLittleEndian()));
+ 

SOURCES/tigervnc-handle-existing-config-directory-in-vncpasswd.patch

@@ -0,0 +1,27 @@
+From 445e0230cf4e939dcc59caf5d5f001c2f7b04da6 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman <ossman@cendio.se>
+Date: Thu, 15 Aug 2024 14:24:42 +0200
+Subject: [PATCH] Handle existing config directory in vncpasswd
+
+This fixes commit a79c33d.
+---
+ unix/vncpasswd/vncpasswd.cxx | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx
+index 6666955f1..9f794e129 100644
+--- a/unix/vncpasswd/vncpasswd.cxx
++++ b/unix/vncpasswd/vncpasswd.cxx
+@@ -213,8 +213,10 @@ int main(int argc, char** argv)
+       exit(1);
+     }
+     if (os::mkdir_p(configDir, 0777) == -1) {
+-      fprintf(stderr, "Could not create VNC config directory: %s\n", strerror(errno));
+-      exit(1);
++      if (errno != EEXIST) {
++        fprintf(stderr, "Could not create VNC config directory: %s\n", strerror(errno));
++        exit(1);
++      }
+     }
+     snprintf(fname, sizeof(fname), "%s/passwd", configDir);
+   }

SOURCES/tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch

@@ -1,94 +0,0 @@
-From e26bc65b92d1e43570619deadf20b965e0952fef Mon Sep 17 00:00:00 2001
-From: Pat Riehecky <riehecky@fnal.gov>
-Date: Wed, 31 Jul 2024 14:43:46 -0500
-Subject: [PATCH] vncsession: Move existing log to log.old if present
-
----
- unix/vncserver/vncsession.c | 47 ++++++++++++++++++++++++++++---------
- 1 file changed, 36 insertions(+), 11 deletions(-)
-
-diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
-index 98a0432aa..a10e0789e 100644
---- a/unix/vncserver/vncsession.c
-+++ b/unix/vncserver/vncsession.c
-@@ -393,8 +393,9 @@ redir_stdio(const char *homedir, const char *display, char **envp)
-     int fd;
-     long hostlen;
-     char* hostname = NULL, *xdgstate;
--    char logfile[PATH_MAX], legacy[PATH_MAX];
-+    char logdir[PATH_MAX], logfile[PATH_MAX], logfile_old[PATH_MAX], legacy[PATH_MAX];
-     struct stat st;
-+    size_t fmt_len;
- 
-     fd = open("/dev/null", O_RDONLY);
-     if (fd == -1) {
-@@ -408,15 +409,24 @@ redir_stdio(const char *homedir, const char *display, char **envp)
-     close(fd);
- 
-     xdgstate = getenvp("XDG_STATE_HOME", envp);
--    if (xdgstate != NULL && xdgstate[0] == '/')
--        snprintf(logfile, sizeof(logfile), "%s/tigervnc", xdgstate);
--    else
--        snprintf(logfile, sizeof(logfile), "%s/.local/state/tigervnc", homedir);
-+    if (xdgstate != NULL && xdgstate[0] == '/') {
-+        fmt_len = snprintf(logdir, sizeof(logdir), "%s/tigervnc", xdgstate);
-+        if (fmt_len >= sizeof(logdir)) {
-+            syslog(LOG_CRIT, "Log dir path too long");
-+            _exit(EX_OSERR);
-+        }
-+    } else {
-+        fmt_len = snprintf(logdir, sizeof(logdir), "%s/.local/state/tigervnc", homedir);
-+        if (fmt_len >= sizeof(logdir)) {
-+            syslog(LOG_CRIT, "Log dir path too long");
-+            _exit(EX_OSERR);
-+        }
-+    }
- 
-     snprintf(legacy, sizeof(legacy), "%s/.vnc", homedir);
--    if (stat(logfile, &st) != 0 && stat(legacy, &st) == 0) {
-+    if (stat(logdir, &st) != 0 && stat(legacy, &st) == 0) {
-         syslog(LOG_WARNING, "~/.vnc is deprecated, please consult 'man vncsession' for paths to migrate to.");
--        strcpy(logfile, legacy);
-+        strcpy(logdir, legacy);
- 
- #ifdef HAVE_SELINUX
-         /* this is only needed to handle historical type changes for the legacy dir */
-@@ -431,9 +441,9 @@ redir_stdio(const char *homedir, const char *display, char **envp)
- #endif
-     }
- 
--    if (mkdir_p(logfile, 0755) == -1) {
-+    if (mkdir_p(logdir, 0755) == -1) {
-         if (errno != EEXIST) {
--            syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
-+            syslog(LOG_CRIT, "Failure creating \"%s\": %s", logdir, strerror(errno));
-             _exit(EX_OSERR);
-         }
-     }
-@@ -450,9 +460,24 @@ redir_stdio(const char *homedir, const char *display, char **envp)
-         _exit(EX_OSERR);
-     }
- 
--    snprintf(logfile + strlen(logfile), sizeof(logfile) - strlen(logfile), "/%s%s.log",
--             hostname, display);
-+    fmt_len = snprintf(logfile, sizeof(logfile), "/%s/%s%s.log", logdir, hostname, display);
-+    if (fmt_len >= sizeof(logfile)) {
-+        syslog(LOG_CRIT, "Log path too long");
-+        _exit(EX_OSERR);
-+    }
-+    fmt_len = snprintf(logfile_old, sizeof(logfile_old), "/%s/%s%s.log.old", logdir, hostname, display);
-+    if (fmt_len >= sizeof(logfile)) {
-+        syslog(LOG_CRIT, "Log.old path too long");
-+        _exit(EX_OSERR);
-+    }
-     free(hostname);
-+
-+    if (stat(logfile, &st) == 0) {
-+        if (rename(logfile, logfile_old) != 0) {
-+            syslog(LOG_CRIT, "Failure renaming log file \"%s\" to \"%s\": %s", logfile, logfile_old, strerror(errno));
-+            _exit(EX_OSERR);
-+        }
-+    }
-     fd = open(logfile, O_CREAT | O_WRONLY | O_TRUNC, 0644);
-     if (fd == -1) {
-         syslog(LOG_CRIT, "Failure creating log file \"%s\": %s", logfile, strerror(errno));

SOURCES/tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch

@@ -0,0 +1,29 @@
+From 4db34f73d461b973867ddaf18bf690219229cd7a Mon Sep 17 00:00:00 2001
+From: Carlos Santos <casantos@redhat.com>
+Date: Thu, 25 Jul 2024 18:39:59 -0300
+Subject: [PATCH] vncsession: use /bin/sh if the user shell is not set
+
+An empty shell field in the password file is valid, although not common.
+Use /bin/sh in this case, as documented in the passwd(5) man page, since
+the vncserver script requires a non-empty SHELL environment variable.
+
+Fixes issue #1786.
+
+Signed-off-by: Carlos Santos <casantos@redhat.com>
+---
+ unix/vncserver/vncsession.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
+index 1ee096c7c..98a0432aa 100644
+--- a/unix/vncserver/vncsession.c
++++ b/unix/vncserver/vncsession.c
+@@ -545,7 +545,7 @@ run_script(const char *username, const char *display, char **envp)
+ 
+     // Set up some basic environment for the script
+     setenv("HOME", pwent->pw_dir, 1);
+-    setenv("SHELL", pwent->pw_shell, 1);
++    setenv("SHELL", *pwent->pw_shell != '\0' ? pwent->pw_shell : "/bin/sh", 1);
+     setenv("LOGNAME", pwent->pw_name, 1);
+     setenv("USER", pwent->pw_name, 1);
+     setenv("USERNAME", pwent->pw_name, 1);

SOURCES/xorg-CVE-2024-9632.patch

@@ -1,54 +0,0 @@
-From 56351307017e2501f7cd6e31efcfb55c19aba75a Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Thu, 10 Oct 2024 10:37:28 +0200
-Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
-buffer.
-
-However, It didn't update its size properly. It updated `num_si` only,
-without updating `size_si`.
-
-This may lead to local privilege escalation if the server is run as root
-or remote code execution (e.g. x11 over ssh).
-
-CVE-2024-9632, ZDI-CAN-24756
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
-Reviewed-by: José Expósito <jexposit@redhat.com>
----
- xkb/xkb.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index f203270d5..70e8279aa 100644
---- a/xkb/xkb.c
-+++ b/xkb/xkb.c
-@@ -2991,13 +2991,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
-         XkbSymInterpretPtr sym;
-         unsigned int skipped = 0;
- 
--        if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
--            compat->num_si = req->firstSI + req->nSI;
-+        if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
-+            compat->num_si = compat->size_si = req->firstSI + req->nSI;
-             compat->sym_interpret = reallocarray(compat->sym_interpret,
--                                                 compat->num_si,
-+                                                 compat->size_si,
-                                                  sizeof(XkbSymInterpretRec));
-             if (!compat->sym_interpret) {
--                compat->num_si = 0;
-+                compat->num_si = compat->size_si = 0;
-                 return BadAlloc;
-             }
-         }
--- 
-2.46.2
-

SPECS/tigervnc.spec

@@ -4,8 +4,8 @@
 %global modulename vncsession
 
 Name:           tigervnc
-Version:        1.14.1
+Version:        1.14.0
-Release:        1%{?dist}
+Release:        2%{?dist}.inferit
 Summary:        A TigerVNC remote display system
 
 %global _hardened_build 1
@@ -23,11 +23,14 @@ Source5:        vncserver
 
 # Downstream patches
 Patch1:         tigervnc-use-gnome-as-default-session.patch
-# https://github.com/TigerVNC/tigervnc/pull/1425
 Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch
 
 # Upstream patches
-Patch50:        tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch
+Patch50:        tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch
+Patch51:        tigervnc-add-missing-coma-in-default-security-type-list.patch
+Patch52:        tigervnc-vncsession-move-existing-log-to-log-old-if-present.patch
+Patch53:        tigervnc-handle-existing-config-directory-in-vncpasswd.patch
+Patch54:        tigervnc-correctly-handle-zrle-cursors.patch
 
 # Upstreamable patches
 Patch80:        tigervnc-dont-get-pointer-position-for-floating-device.patch
@@ -38,7 +41,9 @@ Patch100:       tigervnc-xserver120.patch
 Patch101:       0001-rpath-hack.patch
 
 # XServer patches
-Patch200:       xorg-CVE-2024-9632.patch
+
+# MSVSphere
+Patch500:       0001-Update-Russian-translation-for-menu.patch
 
 BuildRequires:  make
 BuildRequires:  gcc-c++
@@ -88,9 +93,7 @@ BuildRequires:  xorg-x11-util-macros
 BuildRequires:  xorg-x11-xtrans-devel
 
 # SELinux
-BuildRequires:  libselinux-devel
+BuildRequires:  libselinux-devel, selinux-policy-devel, systemd
-BuildRequires:  selinux-policy-devel
-BuildRequires:  systemd
 
 Requires(post): coreutils
 Requires(postun):coreutils
@@ -193,7 +196,6 @@ done
 # Xorg patches
 %patch -P100 -p1 -b .xserver120-rebased
 %patch -P101 -p1 -b .rpath
-%patch -P200 -p1 -b .xorg-CVE-2024-9632
 popd
 
 # Tigervnc patches
@@ -201,10 +203,16 @@ popd
 %patch -P2 -p1 -b .vncsession-restore-script-systemd-service
 
 # Upstream patches
-%patch -P50 -p1 -b .vncsession-move-existing-log-to-log-old-if-present
+%patch -P50 -p1 -b .vncsession-use-bin-sh-when-shell-not-set
+%patch -P51 -p1 -b .add-missing-coma-in-default-security-type-list
+%patch -P52 -p1 -b .vncsession-move-existing-log-to-log-old-if-present
+%patch -P53 -p1 -b .handle-existing-config-directory-in-vncpasswd
+%patch -P54 -p1 -b .correctly-handle-zrle-cursors.patch
 
 # Upstreamable patches
 %patch -P80 -p1 -b .dont-get-pointer-position-for-floating-device
+# MSVSphere
+%patch500 -p1 -b .update-russian-translation-for-menu
 
 %build
 %ifarch sparcv9 sparc64 s390 s390x
@@ -386,11 +394,16 @@ fi
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 
 %changelog
-* Fri Nov 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.1-1
+* Sat Oct 12 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 1.14.0-2.inferit
-- 1.14.1
+- INF-1028 Update Russian translation for menu
-  Resolves: RHEL-66600
+
-- Fix CVE-2024-9632: xorg-x11-server: heap-based buffer overflow privilege escalation vulnerability
+* Tue Jul 23 2024 Jan Grulich <jgrulich@redhat.com> - 1.14.0-2
-  Resolves: RHEL-62000
+- 1.14.0
+  Resolves: RHEL-45316
+- Move old log to log.old if present
+  Resolves: RHEL-54294
+- Fix shared memory leak
+  Resolves: RHEL-55768
 
 * Mon Aug 05 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-11
 - vncsession: use /bin/sh if the user shell is not set