Compare commits
No commits in common. 'c9' and 'i9c-beta' have entirely different histories.
@ -1 +1 @@
|
|||||||
SOURCES/tigervnc-1.14.1.tar.gz
|
SOURCES/tigervnc-1.13.1.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
bc3c8bc9f454eb307011cd5965251f4a28040a25 SOURCES/tigervnc-1.14.1.tar.gz
|
6f7a23f14833f552c88523da1a5e102f3b8d35c2 SOURCES/tigervnc-1.13.1.tar.gz
|
||||||
|
@ -0,0 +1,135 @@
|
|||||||
|
diff --git a/common/rfb/SSecurityPlain.cxx b/common/rfb/SSecurityPlain.cxx
|
||||||
|
index 6f65e87..3142ba3 100644
|
||||||
|
--- a/common/rfb/SSecurityPlain.cxx
|
||||||
|
+++ b/common/rfb/SSecurityPlain.cxx
|
||||||
|
@@ -27,6 +27,8 @@
|
||||||
|
#include <rdr/InStream.h>
|
||||||
|
#if !defined(WIN32) && !defined(__APPLE__)
|
||||||
|
#include <rfb/UnixPasswordValidator.h>
|
||||||
|
+#include <unistd.h>
|
||||||
|
+#include <pwd.h>
|
||||||
|
#endif
|
||||||
|
#ifdef WIN32
|
||||||
|
#include <rfb/WinPasswdValidator.h>
|
||||||
|
@@ -45,21 +47,22 @@ StringParameter PasswordValidator::plainUsers
|
||||||
|
|
||||||
|
bool PasswordValidator::validUser(const char* username)
|
||||||
|
{
|
||||||
|
- CharArray users(plainUsers.getValueStr()), user;
|
||||||
|
+ std::vector<std::string> users;
|
||||||
|
|
||||||
|
- while (users.buf) {
|
||||||
|
- strSplit(users.buf, ',', &user.buf, &users.buf);
|
||||||
|
-#ifdef WIN32
|
||||||
|
- if (0 == stricmp(user.buf, "*"))
|
||||||
|
- return true;
|
||||||
|
- if (0 == stricmp(user.buf, username))
|
||||||
|
- return true;
|
||||||
|
-#else
|
||||||
|
- if (!strcmp(user.buf, "*"))
|
||||||
|
- return true;
|
||||||
|
- if (!strcmp(user.buf, username))
|
||||||
|
- return true;
|
||||||
|
+ users = split(plainUsers, ',');
|
||||||
|
+
|
||||||
|
+ for (size_t i = 0; i < users.size(); i++) {
|
||||||
|
+ if (users[i] == "*")
|
||||||
|
+ return true;
|
||||||
|
+#if !defined(WIN32) && !defined(__APPLE__)
|
||||||
|
+ if (users[i] == "%u") {
|
||||||
|
+ struct passwd *pw = getpwnam(username);
|
||||||
|
+ if (pw && pw->pw_uid == getuid())
|
||||||
|
+ return true;
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
+ if (users[i] == username)
|
||||||
|
+ return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx
|
||||||
|
index 649eb0b..cce73a0 100644
|
||||||
|
--- a/common/rfb/util.cxx
|
||||||
|
+++ b/common/rfb/util.cxx
|
||||||
|
@@ -99,6 +99,26 @@ namespace rfb {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ std::vector<std::string> split(const char* src,
|
||||||
|
+ const char delimiter)
|
||||||
|
+ {
|
||||||
|
+ std::vector<std::string> out;
|
||||||
|
+ const char *start, *stop;
|
||||||
|
+
|
||||||
|
+ start = src;
|
||||||
|
+ do {
|
||||||
|
+ stop = strchr(start, delimiter);
|
||||||
|
+ if (stop == NULL) {
|
||||||
|
+ out.push_back(start);
|
||||||
|
+ } else {
|
||||||
|
+ out.push_back(std::string(start, stop-start));
|
||||||
|
+ start = stop + 1;
|
||||||
|
+ }
|
||||||
|
+ } while (stop != NULL);
|
||||||
|
+
|
||||||
|
+ return out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
bool strContains(const char* src, char c) {
|
||||||
|
int l=strlen(src);
|
||||||
|
for (int i=0; i<l; i++)
|
||||||
|
diff --git a/common/rfb/util.h b/common/rfb/util.h
|
||||||
|
index f0ac9ef..ed15c28 100644
|
||||||
|
--- a/common/rfb/util.h
|
||||||
|
+++ b/common/rfb/util.h
|
||||||
|
@@ -27,6 +27,9 @@
|
||||||
|
#include <limits.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
+#include <string>
|
||||||
|
+#include <vector>
|
||||||
|
+
|
||||||
|
struct timeval;
|
||||||
|
|
||||||
|
#ifdef __GNUC__
|
||||||
|
@@ -76,6 +79,10 @@ namespace rfb {
|
||||||
|
// that part of the string. Obviously, setting both to 0 is not useful...
|
||||||
|
bool strSplit(const char* src, const char limiter, char** out1, char** out2, bool fromEnd=false);
|
||||||
|
|
||||||
|
+ // Splits a string with the specified delimiter
|
||||||
|
+ std::vector<std::string> split(const char* src,
|
||||||
|
+ const char delimiter);
|
||||||
|
+
|
||||||
|
// Returns true if src contains c
|
||||||
|
bool strContains(const char* src, char c);
|
||||||
|
|
||||||
|
diff --git a/unix/x0vncserver/x0vncserver.man b/unix/x0vncserver/x0vncserver.man
|
||||||
|
index c36ae34..78db730 100644
|
||||||
|
--- a/unix/x0vncserver/x0vncserver.man
|
||||||
|
+++ b/unix/x0vncserver/x0vncserver.man
|
||||||
|
@@ -125,8 +125,8 @@ parameter instead.
|
||||||
|
.B \-PlainUsers \fIuser-list\fP
|
||||||
|
A comma separated list of user names that are allowed to authenticate via
|
||||||
|
any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
|
||||||
|
-to allow any user to authenticate using this security type. Default is to
|
||||||
|
-deny all users.
|
||||||
|
+to allow any user to authenticate using this security type. Specify \fB%u\fP
|
||||||
|
+to allow the user of the server process. Default is to deny all users.
|
||||||
|
.
|
||||||
|
.TP
|
||||||
|
.B \-pam_service \fIname\fP, \-PAMService \fIname\fP
|
||||||
|
diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
|
||||||
|
index ea87dea..e9fb654 100644
|
||||||
|
--- a/unix/xserver/hw/vnc/Xvnc.man
|
||||||
|
+++ b/unix/xserver/hw/vnc/Xvnc.man
|
||||||
|
@@ -200,8 +200,8 @@ parameter instead.
|
||||||
|
.B \-PlainUsers \fIuser-list\fP
|
||||||
|
A comma separated list of user names that are allowed to authenticate via
|
||||||
|
any of the "Plain" security types (Plain, TLSPlain, etc.). Specify \fB*\fP
|
||||||
|
-to allow any user to authenticate using this security type. Default is to
|
||||||
|
-deny all users.
|
||||||
|
+to allow any user to authenticate using this security type. Specify \fB%u\fP
|
||||||
|
+to allow the user of the server process. Default is to deny all users.
|
||||||
|
.
|
||||||
|
.TP
|
||||||
|
.B \-pam_service \fIname\fP, \-PAMService \fIname\fP
|
@ -0,0 +1,17 @@
|
|||||||
|
diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
|
||||||
|
index f8141959..c5c36539 100644
|
||||||
|
--- a/unix/xserver/hw/vnc/xvnc.c
|
||||||
|
+++ b/unix/xserver/hw/vnc/xvnc.c
|
||||||
|
@@ -366,8 +366,10 @@ ddxProcessArgument(int argc, char *argv[], int i)
|
||||||
|
if (strcmp(argv[i], "-inetd") == 0) {
|
||||||
|
int nullfd;
|
||||||
|
|
||||||
|
- dup2(0, 3);
|
||||||
|
- vncInetdSock = 3;
|
||||||
|
+ if ((vncInetdSock = dup(0)) == -1)
|
||||||
|
+ FatalError
|
||||||
|
+ ("Xvnc error: failed to allocate a new file descriptor for -inetd: %s\n", strerror(errno));
|
||||||
|
+
|
||||||
|
|
||||||
|
/* Avoid xserver >= 1.19's epoll-fd becoming fd 2 / stderr only to be
|
||||||
|
replaced by /dev/null by OsInit() because the pollfd is not
|
@ -1,94 +0,0 @@
|
|||||||
From e26bc65b92d1e43570619deadf20b965e0952fef Mon Sep 17 00:00:00 2001
|
|
||||||
From: Pat Riehecky <riehecky@fnal.gov>
|
|
||||||
Date: Wed, 31 Jul 2024 14:43:46 -0500
|
|
||||||
Subject: [PATCH] vncsession: Move existing log to log.old if present
|
|
||||||
|
|
||||||
---
|
|
||||||
unix/vncserver/vncsession.c | 47 ++++++++++++++++++++++++++++---------
|
|
||||||
1 file changed, 36 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
|
|
||||||
index 98a0432aa..a10e0789e 100644
|
|
||||||
--- a/unix/vncserver/vncsession.c
|
|
||||||
+++ b/unix/vncserver/vncsession.c
|
|
||||||
@@ -393,8 +393,9 @@ redir_stdio(const char *homedir, const char *display, char **envp)
|
|
||||||
int fd;
|
|
||||||
long hostlen;
|
|
||||||
char* hostname = NULL, *xdgstate;
|
|
||||||
- char logfile[PATH_MAX], legacy[PATH_MAX];
|
|
||||||
+ char logdir[PATH_MAX], logfile[PATH_MAX], logfile_old[PATH_MAX], legacy[PATH_MAX];
|
|
||||||
struct stat st;
|
|
||||||
+ size_t fmt_len;
|
|
||||||
|
|
||||||
fd = open("/dev/null", O_RDONLY);
|
|
||||||
if (fd == -1) {
|
|
||||||
@@ -408,15 +409,24 @@ redir_stdio(const char *homedir, const char *display, char **envp)
|
|
||||||
close(fd);
|
|
||||||
|
|
||||||
xdgstate = getenvp("XDG_STATE_HOME", envp);
|
|
||||||
- if (xdgstate != NULL && xdgstate[0] == '/')
|
|
||||||
- snprintf(logfile, sizeof(logfile), "%s/tigervnc", xdgstate);
|
|
||||||
- else
|
|
||||||
- snprintf(logfile, sizeof(logfile), "%s/.local/state/tigervnc", homedir);
|
|
||||||
+ if (xdgstate != NULL && xdgstate[0] == '/') {
|
|
||||||
+ fmt_len = snprintf(logdir, sizeof(logdir), "%s/tigervnc", xdgstate);
|
|
||||||
+ if (fmt_len >= sizeof(logdir)) {
|
|
||||||
+ syslog(LOG_CRIT, "Log dir path too long");
|
|
||||||
+ _exit(EX_OSERR);
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ fmt_len = snprintf(logdir, sizeof(logdir), "%s/.local/state/tigervnc", homedir);
|
|
||||||
+ if (fmt_len >= sizeof(logdir)) {
|
|
||||||
+ syslog(LOG_CRIT, "Log dir path too long");
|
|
||||||
+ _exit(EX_OSERR);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
snprintf(legacy, sizeof(legacy), "%s/.vnc", homedir);
|
|
||||||
- if (stat(logfile, &st) != 0 && stat(legacy, &st) == 0) {
|
|
||||||
+ if (stat(logdir, &st) != 0 && stat(legacy, &st) == 0) {
|
|
||||||
syslog(LOG_WARNING, "~/.vnc is deprecated, please consult 'man vncsession' for paths to migrate to.");
|
|
||||||
- strcpy(logfile, legacy);
|
|
||||||
+ strcpy(logdir, legacy);
|
|
||||||
|
|
||||||
#ifdef HAVE_SELINUX
|
|
||||||
/* this is only needed to handle historical type changes for the legacy dir */
|
|
||||||
@@ -431,9 +441,9 @@ redir_stdio(const char *homedir, const char *display, char **envp)
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (mkdir_p(logfile, 0755) == -1) {
|
|
||||||
+ if (mkdir_p(logdir, 0755) == -1) {
|
|
||||||
if (errno != EEXIST) {
|
|
||||||
- syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
|
|
||||||
+ syslog(LOG_CRIT, "Failure creating \"%s\": %s", logdir, strerror(errno));
|
|
||||||
_exit(EX_OSERR);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -450,9 +460,24 @@ redir_stdio(const char *homedir, const char *display, char **envp)
|
|
||||||
_exit(EX_OSERR);
|
|
||||||
}
|
|
||||||
|
|
||||||
- snprintf(logfile + strlen(logfile), sizeof(logfile) - strlen(logfile), "/%s%s.log",
|
|
||||||
- hostname, display);
|
|
||||||
+ fmt_len = snprintf(logfile, sizeof(logfile), "/%s/%s%s.log", logdir, hostname, display);
|
|
||||||
+ if (fmt_len >= sizeof(logfile)) {
|
|
||||||
+ syslog(LOG_CRIT, "Log path too long");
|
|
||||||
+ _exit(EX_OSERR);
|
|
||||||
+ }
|
|
||||||
+ fmt_len = snprintf(logfile_old, sizeof(logfile_old), "/%s/%s%s.log.old", logdir, hostname, display);
|
|
||||||
+ if (fmt_len >= sizeof(logfile)) {
|
|
||||||
+ syslog(LOG_CRIT, "Log.old path too long");
|
|
||||||
+ _exit(EX_OSERR);
|
|
||||||
+ }
|
|
||||||
free(hostname);
|
|
||||||
+
|
|
||||||
+ if (stat(logfile, &st) == 0) {
|
|
||||||
+ if (rename(logfile, logfile_old) != 0) {
|
|
||||||
+ syslog(LOG_CRIT, "Failure renaming log file \"%s\" to \"%s\": %s", logfile, logfile_old, strerror(errno));
|
|
||||||
+ _exit(EX_OSERR);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
fd = open(logfile, O_CREAT | O_WRONLY | O_TRUNC, 0644);
|
|
||||||
if (fd == -1) {
|
|
||||||
syslog(LOG_CRIT, "Failure creating log file \"%s\": %s", logfile, strerror(errno));
|
|
@ -0,0 +1,32 @@
|
|||||||
|
From 133e0d651c5d12bf01999d6289e84e224ba77adc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||||
|
Date: Mon, 22 Jan 2024 14:22:12 +1000
|
||||||
|
Subject: [PATCH] dix: fix valuator copy/paste error in the DeviceStateNotify
|
||||||
|
event
|
||||||
|
|
||||||
|
Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
|
||||||
|
---
|
||||||
|
dix/enterleave.c | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dix/enterleave.c b/dix/enterleave.c
|
||||||
|
index 7b7ba1098b..c1e6ac600e 100644
|
||||||
|
--- a/dix/enterleave.c
|
||||||
|
+++ b/dix/enterleave.c
|
||||||
|
@@ -619,11 +619,11 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
|
||||||
|
ev->first_valuator = first;
|
||||||
|
switch (ev->num_valuators) {
|
||||||
|
case 6:
|
||||||
|
- ev->valuator2 = v->axisVal[first + 5];
|
||||||
|
+ ev->valuator5 = v->axisVal[first + 5];
|
||||||
|
case 5:
|
||||||
|
- ev->valuator2 = v->axisVal[first + 4];
|
||||||
|
+ ev->valuator4 = v->axisVal[first + 4];
|
||||||
|
case 4:
|
||||||
|
- ev->valuator2 = v->axisVal[first + 3];
|
||||||
|
+ ev->valuator3 = v->axisVal[first + 3];
|
||||||
|
case 3:
|
||||||
|
ev->valuator2 = v->axisVal[first + 2];
|
||||||
|
case 2:
|
||||||
|
--
|
||||||
|
GitLab
|
@ -1,54 +0,0 @@
|
|||||||
From 56351307017e2501f7cd6e31efcfb55c19aba75a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matthieu Herrb <matthieu@herrb.eu>
|
|
||||||
Date: Thu, 10 Oct 2024 10:37:28 +0200
|
|
||||||
Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap()
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
|
|
||||||
buffer.
|
|
||||||
|
|
||||||
However, It didn't update its size properly. It updated `num_si` only,
|
|
||||||
without updating `size_si`.
|
|
||||||
|
|
||||||
This may lead to local privilege escalation if the server is run as root
|
|
||||||
or remote code execution (e.g. x11 over ssh).
|
|
||||||
|
|
||||||
CVE-2024-9632, ZDI-CAN-24756
|
|
||||||
|
|
||||||
This vulnerability was discovered by:
|
|
||||||
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
||||||
|
|
||||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Reviewed-by: José Expósito <jexposit@redhat.com>
|
|
||||||
---
|
|
||||||
xkb/xkb.c | 8 ++++----
|
|
||||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
|
||||||
index f203270d5..70e8279aa 100644
|
|
||||||
--- a/xkb/xkb.c
|
|
||||||
+++ b/xkb/xkb.c
|
|
||||||
@@ -2991,13 +2991,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
|
|
||||||
XkbSymInterpretPtr sym;
|
|
||||||
unsigned int skipped = 0;
|
|
||||||
|
|
||||||
- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) {
|
|
||||||
- compat->num_si = req->firstSI + req->nSI;
|
|
||||||
+ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
|
|
||||||
+ compat->num_si = compat->size_si = req->firstSI + req->nSI;
|
|
||||||
compat->sym_interpret = reallocarray(compat->sym_interpret,
|
|
||||||
- compat->num_si,
|
|
||||||
+ compat->size_si,
|
|
||||||
sizeof(XkbSymInterpretRec));
|
|
||||||
if (!compat->sym_interpret) {
|
|
||||||
- compat->num_si = 0;
|
|
||||||
+ compat->num_si = compat->size_si = 0;
|
|
||||||
return BadAlloc;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.46.2
|
|
||||||
|
|
Loading…
Reference in new issue