From e0f39d9229c12017654b054dd1c74b85f2195586 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 02 2019 23:40:32 +0000 Subject: import libvncserver-0.9.9-13.el7_6 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..08e6bea --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/LibVNCServer-0.9.9.tar.gz diff --git a/.libvncserver.metadata b/.libvncserver.metadata new file mode 100644 index 0000000..4b809ce --- /dev/null +++ b/.libvncserver.metadata @@ -0,0 +1 @@ +2004c6ae493baeff3da40b61e0a0f73c83182dad SOURCES/LibVNCServer-0.9.9.tar.gz diff --git a/SOURCES/LibVNCServer-0.9.10-CVE-2014-6051.patch b/SOURCES/LibVNCServer-0.9.10-CVE-2014-6051.patch new file mode 100644 index 0000000..ee6598c --- /dev/null +++ b/SOURCES/LibVNCServer-0.9.10-CVE-2014-6051.patch @@ -0,0 +1,42 @@ +commit 045a044e8ae79db9244593fbce154cdf6e843273 +Author: newsoft +Date: Fri Aug 15 16:31:13 2014 +0200 + + Fix integer overflow in MallocFrameBuffer() + + Promote integers to uint64_t to avoid integer overflow issue during + frame buffer allocation for very large screen sizes + +diff --git a/libvncclient/vncviewer.c b/libvncclient/vncviewer.c +index 3b16a6f..24bc6f8 100644 +--- a/libvncclient/vncviewer.c ++++ b/libvncclient/vncviewer.c +@@ -82,9 +82,27 @@ static char* ReadPassword(rfbClient* client) { + #endif + } + static rfbBool MallocFrameBuffer(rfbClient* client) { ++uint64_t allocSize; ++ + if(client->frameBuffer) + free(client->frameBuffer); +- client->frameBuffer=malloc(client->width*client->height*client->format.bitsPerPixel/8); ++ ++ /* SECURITY: promote 'width' into uint64_t so that the multiplication does not overflow ++ 'width' and 'height' are 16-bit integers per RFB protocol design ++ SIZE_MAX is the maximum value that can fit into size_t ++ */ ++ allocSize = (uint64_t)client->width * client->height * client->format.bitsPerPixel/8; ++ ++ if (allocSize >= SIZE_MAX) { ++ rfbClientErr("CRITICAL: cannot allocate frameBuffer, requested size is too large\n"); ++ return FALSE; ++ } ++ ++ client->frameBuffer=malloc( (size_t)allocSize ); ++ ++ if (client->frameBuffer == NULL) ++ rfbClientErr("CRITICAL: frameBuffer allocation failed, requested size too large or not enough memory?\n"); ++ + return client->frameBuffer?TRUE:FALSE; + } + diff --git a/SOURCES/LibVNCServer-0.9.10-CVE-2014-6053.patch b/SOURCES/LibVNCServer-0.9.10-CVE-2014-6053.patch new file mode 100644 index 0000000..4f59a7b --- /dev/null +++ b/SOURCES/LibVNCServer-0.9.10-CVE-2014-6053.patch @@ -0,0 +1,22 @@ +commit 6037a9074d52b1963c97cb28ea1096c7c14cbf28 +Author: Nicolas Ruff +Date: Mon Aug 18 15:16:16 2014 +0200 + + Check malloc() return value on client->server ClientCutText message. Client can send up to 2**32-1 bytes of text, and such a large allocation is likely to fail in case of high memory pressure. This would in a server crash (write at address 0). + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 5f3b31d..7e43fe3 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -2461,6 +2461,11 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) + msg.cct.length = Swap32IfLE(msg.cct.length); + + str = (char *)malloc(msg.cct.length); ++ if (str == NULL) { ++ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); ++ rfbCloseClient(cl); ++ return; ++ } + + if ((n = rfbReadExact(cl, str, msg.cct.length)) <= 0) { + if (n != 0) diff --git a/SOURCES/LibVNCServer-0.9.10-CVE-2014-6054.patch b/SOURCES/LibVNCServer-0.9.10-CVE-2014-6054.patch new file mode 100644 index 0000000..b8225ac --- /dev/null +++ b/SOURCES/LibVNCServer-0.9.10-CVE-2014-6054.patch @@ -0,0 +1,38 @@ +commit 05a9bd41a8ec0a9d580a8f420f41718bdd235446 +Author: Nicolas Ruff +Date: Mon Aug 18 15:22:48 2014 +0200 + + Do not accept a scaling factor of zero on PalmVNCSetScaleFactor and SetScale client->server messages. This would cause a division by zero and crash the server. + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 7e43fe3..df7d74c 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -2491,6 +2491,13 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) + rfbCloseClient(cl); + return; + } ++ ++ if (msg.ssc.scale == 0) { ++ rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero"); ++ rfbCloseClient(cl); ++ return; ++ } ++ + rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg); + rfbLog("rfbSetScale(%d)\n", msg.ssc.scale); + rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale); +@@ -2507,6 +2514,13 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) + rfbCloseClient(cl); + return; + } ++ ++ if (msg.ssc.scale == 0) { ++ rfbLogPerror("rfbProcessClientNormalMessage: will not accept a scale factor of zero"); ++ rfbCloseClient(cl); ++ return; ++ } ++ + rfbStatRecordMessageRcvd(cl, msg.type, sz_rfbSetScaleMsg, sz_rfbSetScaleMsg); + rfbLog("rfbSetScale(%d)\n", msg.ssc.scale); + rfbScalingSetup(cl,cl->screen->width/msg.ssc.scale, cl->screen->height/msg.ssc.scale); diff --git a/SOURCES/LibVNCServer-0.9.10-CVE-2014-6055.patch b/SOURCES/LibVNCServer-0.9.10-CVE-2014-6055.patch new file mode 100644 index 0000000..bbcfc1c --- /dev/null +++ b/SOURCES/LibVNCServer-0.9.10-CVE-2014-6055.patch @@ -0,0 +1,165 @@ +commit 06ccdf016154fde8eccb5355613ba04c59127b2e +Author: Nicolas Ruff +Date: Mon Sep 1 14:36:26 2014 +0200 + + Fix multiple stack-based buffer overflows in file transfer feature + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index df7d74c..445331a 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -1241,21 +1241,35 @@ typedef struct { + #define RFB_FILE_ATTRIBUTE_TEMPORARY 0x100 + #define RFB_FILE_ATTRIBUTE_COMPRESSED 0x800 + +-rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, char *path, char *unixPath) ++rfbBool rfbFilenameTranslate2UNIX(rfbClientPtr cl, /* in */ char *path, /* out */ char *unixPath, size_t unixPathMaxLen ) + { + int x; + char *home=NULL; + + FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, FALSE); + ++ /* ++ * Do not use strncpy() - truncating the file name would probably have undesirable side effects ++ * Instead check if destination buffer is big enough ++ */ ++ ++ if (strlen(path) >= unixPathMaxLen) ++ return FALSE; ++ + /* C: */ + if (path[0]=='C' && path[1]==':') ++ { + strcpy(unixPath, &path[2]); ++ } + else + { + home = getenv("HOME"); + if (home!=NULL) + { ++ /* Re-check buffer size */ ++ if ((strlen(path) + strlen(home) + 1) >= unixPathMaxLen) ++ return FALSE; ++ + strcpy(unixPath, home); + strcat(unixPath,"/"); + strcat(unixPath, path); +@@ -1293,7 +1307,8 @@ rfbBool rfbSendDirContent(rfbClientPtr cl, int length, char *buffer) + FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, FALSE); + + /* Client thinks we are Winblows */ +- rfbFilenameTranslate2UNIX(cl, buffer, path); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, path, sizeof(path))) ++ return FALSE; + + if (DB) rfbLog("rfbProcessFileTransfer() rfbDirContentRequest: rfbRDirContent: \"%s\"->\"%s\"\n",buffer, path); + +@@ -1570,7 +1585,11 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con + /* add some space to the end of the buffer as we will be adding a timespec to it */ + if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE; + /* The client requests a File */ +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ { ++ if (buffer!=NULL) free(buffer); ++ return FALSE; ++ } + cl->fileTransfer.fd=open(filename1, O_RDONLY, 0744); + + /* +@@ -1685,7 +1704,11 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con + } + sizeHtmp = Swap32IfLE(sizeHtmp); + +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ { ++ if (buffer!=NULL) free(buffer); ++ return FALSE; ++ } + + /* If the file exists... We can send a rfbFileChecksums back to the client before we send an rfbFileAcceptHeader */ + /* TODO: Delta Transfer */ +@@ -1814,7 +1837,12 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con + if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE; + switch (contentParam) { + case rfbCDirCreate: /* Client requests the creation of a directory */ +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ { ++ if (buffer!=NULL) free(buffer); ++ return FALSE; ++ } ++ + retval = mkdir(filename1, 0755); + if (DB) rfbLog("rfbProcessFileTransfer() rfbCommand: rfbCDirCreate(\"%s\"->\"%s\") %s\n", buffer, filename1, (retval==-1?"Failed":"Success")); + /* +@@ -1823,7 +1851,12 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con + if (buffer!=NULL) free(buffer); + return retval; + case rfbCFileDelete: /* Client requests the deletion of a file */ +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ { ++ if (buffer!=NULL) free(buffer); ++ return FALSE; ++ } ++ + if (stat(filename1,&statbuf)==0) + { + if (S_ISDIR(statbuf.st_mode)) +@@ -1841,8 +1874,18 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con + { + /* Split into 2 filenames ('*' is a seperator) */ + *p = '\0'; +- rfbFilenameTranslate2UNIX(cl, buffer, filename1); +- rfbFilenameTranslate2UNIX(cl, p+1, filename2); ++ if (!rfbFilenameTranslate2UNIX(cl, buffer, filename1, sizeof(filename1))) ++ { ++ if (buffer!=NULL) free(buffer); ++ return FALSE; ++ } ++ ++ if (!rfbFilenameTranslate2UNIX(cl, p+1, filename2, sizeof(filename2))) ++ { ++ if (buffer!=NULL) free(buffer); ++ return FALSE; ++ } ++ + retval = rename(filename1,filename2); + if (DB) rfbLog("rfbProcessFileTransfer() rfbCommand: rfbCFileRename(\"%s\"->\"%s\" -->> \"%s\"->\"%s\") %s\n", buffer, filename1, p+1, filename2, (retval==-1?"Failed":"Success")); + /* + +commit f528072216dec01cee7ca35d94e171a3b909e677 +Author: Nicolas Ruff +Date: Mon Sep 1 14:51:07 2014 +0200 + + Fix stack-based buffer overflow in rfbFileTransferOffer message, FileTime processing + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 445331a..23532b0 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -1683,16 +1683,17 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con + */ + if ((buffer = rfbProcessFileTransferReadBuffer(cl, length))==NULL) return FALSE; + +- /* Parse the FileTime */ ++ /* Parse the FileTime ++ * TODO: FileTime is actually never used afterwards ++ */ + p = strrchr(buffer, ','); + if (p!=NULL) { + *p = '\0'; +- strcpy(szFileTime, p+1); ++ strncpy(szFileTime, p+1, sizeof(szFileTime)); ++ szFileTime[sizeof(szFileTime)-1] = '\x00'; /* ensure NULL terminating byte is present, even if copy overflowed */ + } else + szFileTime[0]=0; + +- +- + /* Need to read in sizeHtmp */ + if ((n = rfbReadExact(cl, (char *)&sizeHtmp, 4)) <= 0) { + if (n != 0) diff --git a/SOURCES/LibVNCServer-0.9.9-CVE-2014-6052.patch b/SOURCES/LibVNCServer-0.9.9-CVE-2014-6052.patch new file mode 100644 index 0000000..c225758 --- /dev/null +++ b/SOURCES/LibVNCServer-0.9.9-CVE-2014-6052.patch @@ -0,0 +1,70 @@ +From 161a1d5c884f5d4c4be9522acbab8f16cb6fd7eb Mon Sep 17 00:00:00 2001 +From: newsoft +Date: Fri, 31 Oct 2014 12:46:28 +0100 +Subject: [PATCH] Check for MallocFrameBuffer() return value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If MallocFrameBuffer() returns FALSE, frame buffer pointer is left to +NULL. Subsequent writes into that buffer could lead to memory +corruption, or even arbitrary code execution. + +Signed-off-by: Petr Písař +--- + libvncclient/rfbproto.c | 10 +++++++--- + libvncclient/vncviewer.c | 3 ++- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c +index 3ecc011..beb87fc 100644 +--- a/libvncclient/rfbproto.c ++++ b/libvncclient/rfbproto.c +@@ -1807,7 +1807,8 @@ HandleRFBServerMessage(rfbClient* client) + client->updateRect.x = client->updateRect.y = 0; + client->updateRect.w = client->width; + client->updateRect.h = client->height; +- client->MallocFrameBuffer(client); ++ if (!client->MallocFrameBuffer(client)) ++ return FALSE; + SendFramebufferUpdateRequest(client, 0, 0, rect.r.w, rect.r.h, FALSE); + rfbClientLog("Got new framebuffer size: %dx%d\n", rect.r.w, rect.r.h); + continue; +@@ -2260,7 +2261,8 @@ HandleRFBServerMessage(rfbClient* client) + client->updateRect.x = client->updateRect.y = 0; + client->updateRect.w = client->width; + client->updateRect.h = client->height; +- client->MallocFrameBuffer(client); ++ if (!client->MallocFrameBuffer(client)) ++ return FALSE; + SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE); + rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height); + break; +@@ -2276,7 +2278,9 @@ HandleRFBServerMessage(rfbClient* client) + client->updateRect.x = client->updateRect.y = 0; + client->updateRect.w = client->width; + client->updateRect.h = client->height; +- client->MallocFrameBuffer(client); ++ if (!client->MallocFrameBuffer(client)) ++ return FALSE; ++ + SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE); + rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height); + break; +diff --git a/libvncclient/vncviewer.c b/libvncclient/vncviewer.c +index b2cce2b..978a9a7 100644 +--- a/libvncclient/vncviewer.c ++++ b/libvncclient/vncviewer.c +@@ -243,7 +243,8 @@ static rfbBool rfbInitConnection(rfbClient* client) + + client->width=client->si.framebufferWidth; + client->height=client->si.framebufferHeight; +- client->MallocFrameBuffer(client); ++ if (!client->MallocFrameBuffer(client)) ++ return FALSE; + + if (!SetFormatAndEncodings(client)) + return FALSE; +-- +1.9.3 + diff --git a/SOURCES/LibVNCServer-0.9.9-libvncserver-sockets.c-do-not-segfault-when-listenSo.patch b/SOURCES/LibVNCServer-0.9.9-libvncserver-sockets.c-do-not-segfault-when-listenSo.patch new file mode 100644 index 0000000..ea15e2a --- /dev/null +++ b/SOURCES/LibVNCServer-0.9.9-libvncserver-sockets.c-do-not-segfault-when-listenSo.patch @@ -0,0 +1,33 @@ +From 66282f58000c8863e104666c30cb67b1d5cbdee3 Mon Sep 17 00:00:00 2001 +From: "Kyle J. McKay" +Date: Fri, 18 May 2012 00:30:11 -0700 +Subject: [PATCH] libvncserver/sockets.c: do not segfault when + listenSock/listen6Sock == -1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Petr Písař +--- + libvncserver/sockets.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libvncserver/sockets.c b/libvncserver/sockets.c +index 84c9c98..3ff2aac 100644 +--- a/libvncserver/sockets.c ++++ b/libvncserver/sockets.c +@@ -402,9 +402,9 @@ rfbProcessNewConnection(rfbScreenInfoPtr rfbScreen) + rfbLogPerror("rfbProcessNewConnection: error in select"); + return FALSE; + } +- if (FD_ISSET(rfbScreen->listenSock, &listen_fds)) ++ if (rfbScreen->listenSock >= 0 && FD_ISSET(rfbScreen->listenSock, &listen_fds)) + chosen_listen_sock = rfbScreen->listenSock; +- if (FD_ISSET(rfbScreen->listen6Sock, &listen_fds)) ++ if (rfbScreen->listen6Sock >= 0 && FD_ISSET(rfbScreen->listen6Sock, &listen_fds)) + chosen_listen_sock = rfbScreen->listen6Sock; + + if ((sock = accept(chosen_listen_sock, +-- +2.13.5 + diff --git a/SOURCES/LibVNCServer-0.9.9-no_x11vnc.patch b/SOURCES/LibVNCServer-0.9.9-no_x11vnc.patch new file mode 100644 index 0000000..db2ec9d --- /dev/null +++ b/SOURCES/LibVNCServer-0.9.9-no_x11vnc.patch @@ -0,0 +1,26 @@ +diff -up LibVNCServer-0.9.9/configure.ac.system_minilzo LibVNCServer-0.9.9/configure.ac +--- LibVNCServer-0.9.9/configure.ac.system_minilzo 2012-05-04 11:27:08.000000000 -0500 ++++ LibVNCServer-0.9.9/configure.ac 2012-05-07 08:22:19.473583597 -0500 +@@ -992,7 +992,7 @@ if test "$build_x11vnc" = "yes"; then + # + # configure.ac:690: required file `x11vnc/Makefile.in' not found + # +- AC_CONFIG_FILES([x11vnc/Makefile x11vnc/misc/Makefile x11vnc/misc/turbovnc/Makefile]) ++ #AC_CONFIG_FILES([x11vnc/Makefile x11vnc/misc/Makefile x11vnc/misc/turbovnc/Makefile]) + + if test ! -z "$with_system_libvncserver" -a "x$with_system_libvncserver" != "xno"; then + # need to move local tarball rfb headers aside: +diff -up LibVNCServer-0.9.9/Makefile.am.system_minilzo LibVNCServer-0.9.9/Makefile.am +--- LibVNCServer-0.9.9/Makefile.am.system_minilzo 2012-05-04 09:19:00.000000000 -0500 ++++ LibVNCServer-0.9.9/Makefile.am 2012-05-07 08:22:19.475583573 -0500 +@@ -1,6 +1,6 @@ +-if WITH_X11VNC +-X11VNC=x11vnc +-endif ++#if WITH_X11VNC ++#X11VNC=x11vnc ++#endif + + SUBDIRS=libvncserver examples libvncclient vncterm webclients client_examples test $(X11VNC) + DIST_SUBDIRS=libvncserver examples libvncclient vncterm webclients client_examples test + diff --git a/SOURCES/LibVNCServer-0.9.9-pkgconfig.patch b/SOURCES/LibVNCServer-0.9.9-pkgconfig.patch new file mode 100644 index 0000000..a0425e6 --- /dev/null +++ b/SOURCES/LibVNCServer-0.9.9-pkgconfig.patch @@ -0,0 +1,26 @@ +diff -up LibVNCServer-0.9.9/libvncclient.pc.in.pkgconfig LibVNCServer-0.9.9/libvncclient.pc.in +--- LibVNCServer-0.9.9/libvncclient.pc.in.pkgconfig 2012-05-04 09:19:00.000000000 -0500 ++++ LibVNCServer-0.9.9/libvncclient.pc.in 2013-02-14 10:45:18.902001014 -0600 +@@ -7,6 +7,8 @@ Name: LibVNCClient + Description: A library for easy implementation of a VNC client. + Version: @VERSION@ + Requires: +-Libs: -L${libdir} -lvncclient @LIBS@ @WSOCKLIB@ ++Requires.private: zlib ++Libs: -L${libdir} -lvncclient ++Libs.private: @LIBS@ @WSOCKLIB@ + Cflags: -I${includedir} + +diff -up LibVNCServer-0.9.9/libvncserver.pc.in.pkgconfig LibVNCServer-0.9.9/libvncserver.pc.in +--- LibVNCServer-0.9.9/libvncserver.pc.in.pkgconfig 2012-05-04 09:19:00.000000000 -0500 ++++ LibVNCServer-0.9.9/libvncserver.pc.in 2013-02-14 10:44:49.727365748 -0600 +@@ -7,6 +7,8 @@ Name: LibVNCServer + Description: A library for easy implementation of a VNC server. + Version: @VERSION@ + Requires: +-Libs: -L${libdir} -lvncserver @LIBS@ @WSOCKLIB@ ++Requires.private: zlib ++Libs: -L${libdir} -lvncserver ++Libs.private: @LIBS@ @WSOCKLIB@ + Cflags: -I${includedir} + diff --git a/SOURCES/LibVNCServer-0.9.9-system_minilzo.patch b/SOURCES/LibVNCServer-0.9.9-system_minilzo.patch new file mode 100644 index 0000000..f6d7db9 --- /dev/null +++ b/SOURCES/LibVNCServer-0.9.9-system_minilzo.patch @@ -0,0 +1,67 @@ +diff -up LibVNCServer-0.9.9/libvncclient/Makefile.am.system_minilzo LibVNCServer-0.9.9/libvncclient/Makefile.am +--- LibVNCServer-0.9.9/libvncclient/Makefile.am.system_minilzo 2012-05-04 09:19:00.000000000 -0500 ++++ LibVNCServer-0.9.9/libvncclient/Makefile.am 2012-05-07 08:22:19.474583585 -0500 +@@ -13,10 +13,10 @@ endif + endif + + +-libvncclient_la_SOURCES=cursor.c listen.c rfbproto.c sockets.c vncviewer.c ../common/minilzo.c $(TLSSRCS) +-libvncclient_la_LIBADD=$(TLSLIBS) ++libvncclient_la_SOURCES=cursor.c listen.c rfbproto.c sockets.c vncviewer.c $(TLSSRCS) ++libvncclient_la_LIBADD=$(TLSLIBS) -lminilzo + +-noinst_HEADERS=../common/lzodefs.h ../common/lzoconf.h ../common/minilzo.h tls.h ++noinst_HEADERS=tls.h + + rfbproto.o: rfbproto.c corre.c hextile.c rre.c tight.c zlib.c zrle.c ultra.c + +diff -up LibVNCServer-0.9.9/libvncclient/rfbproto.c.system_minilzo LibVNCServer-0.9.9/libvncclient/rfbproto.c +--- LibVNCServer-0.9.9/libvncclient/rfbproto.c.system_minilzo 2012-05-04 09:19:00.000000000 -0500 ++++ LibVNCServer-0.9.9/libvncclient/rfbproto.c 2012-05-07 08:22:19.474583585 -0500 +@@ -59,7 +59,7 @@ + #include + #endif + +-#include "minilzo.h" ++#include + #include "tls.h" + + /* +diff -up LibVNCServer-0.9.9/libvncserver/Makefile.am.system_minilzo LibVNCServer-0.9.9/libvncserver/Makefile.am +--- LibVNCServer-0.9.9/libvncserver/Makefile.am.system_minilzo 2012-05-04 09:19:00.000000000 -0500 ++++ LibVNCServer-0.9.9/libvncserver/Makefile.am 2012-05-07 08:31:01.342059345 -0500 +@@ -37,7 +37,7 @@ include_HEADERS=../rfb/rfb.h ../rfb/rfbc + + noinst_HEADERS=../common/d3des.h ../rfb/default8x16.h zrleoutstream.h \ + zrlepalettehelper.h zrletypes.h private.h scale.h rfbssl.h rfbcrypto.h \ +- ../common/minilzo.h ../common/lzoconf.h ../common/lzodefs.h ../common/md5.h ../common/sha1.h \ ++ ../common/md5.h ../common/sha1.h \ + $(TIGHTVNCFILETRANSFERHDRS) + + EXTRA_DIST=tableinit24.c tableinittctemplate.c tabletranstemplate.c \ +@@ -54,11 +54,11 @@ endif + LIB_SRCS = main.c rfbserver.c rfbregion.c auth.c sockets.c $(WEBSOCKETSSRCS) \ + stats.c corre.c hextile.c rre.c translate.c cutpaste.c \ + httpd.c cursor.c font.c \ +- draw.c selbox.c ../common/d3des.c ../common/vncauth.c cargs.c ../common/minilzo.c ultra.c scale.c \ ++ draw.c selbox.c ../common/d3des.c ../common/vncauth.c cargs.c ultra.c scale.c \ + $(ZLIBSRCS) $(TIGHTSRCS) $(TIGHTVNCFILETRANSFERSRCS) + + libvncserver_la_SOURCES=$(LIB_SRCS) +-libvncserver_la_LIBADD=$(WEBSOCKETSSSLLIBS) ++libvncserver_la_LIBADD=$(WEBSOCKETSSSLLIBS) -lminilzo + + lib_LTLIBRARIES=libvncserver.la + +diff -up LibVNCServer-0.9.9/libvncserver/ultra.c.system_minilzo LibVNCServer-0.9.9/libvncserver/ultra.c +--- LibVNCServer-0.9.9/libvncserver/ultra.c.system_minilzo 2012-05-04 09:19:00.000000000 -0500 ++++ LibVNCServer-0.9.9/libvncserver/ultra.c 2012-05-07 08:22:19.475583573 -0500 +@@ -8,7 +8,7 @@ + */ + + #include +-#include "minilzo.h" ++#include + + /* + * cl->beforeEncBuf contains pixel data in the client's format. diff --git a/SOURCES/libvncserver-0.9.1-multilib.patch b/SOURCES/libvncserver-0.9.1-multilib.patch new file mode 100644 index 0000000..d54a470 --- /dev/null +++ b/SOURCES/libvncserver-0.9.1-multilib.patch @@ -0,0 +1,20 @@ +diff -up LibVNCServer-0.9.1/libvncserver-config.in.multilib LibVNCServer-0.9.1/libvncserver-config.in +--- LibVNCServer-0.9.1/libvncserver-config.in.multilib 2007-05-26 21:28:25.000000000 -0500 ++++ LibVNCServer-0.9.1/libvncserver-config.in 2008-01-22 14:51:08.000000000 -0600 +@@ -4,7 +4,6 @@ prefix=@prefix@ + exec_prefix=@exec_prefix@ + exec_prefix_set=no + includedir=@includedir@ +-libdir=@libdir@ + + # if this script is in the same directory as libvncserver-config.in, assume not installed + if [ -f "`dirname "$0"`/libvncserver-config.in" ]; then +@@ -63,7 +62,7 @@ while test $# -gt 0; do + libs="$libs -R$dir" + fi + done +- echo "$libs" -lvncserver -lvncclient @LIBS@ @WSOCKLIB@ ++ echo "$libs" -lvncserver -lvncclient + ;; + --link) + echo @CC@ diff --git a/SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch b/SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch new file mode 100644 index 0000000..3140fcb --- /dev/null +++ b/SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch @@ -0,0 +1,82 @@ +From d9a832a2edbf95d664b07791f77a22ac3dfb95f5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Thu, 10 Jan 2019 12:11:04 +0100 +Subject: [PATCH] Fix CVE-2018-15127 (Heap out-of-bounds write in + rfbserver.c:rfbProcessFileTransferReadBuffer()) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch contains the following three upstream patches squashed +together and ported to 0.9.11 version: + + commit 502821828ed00b4a2c4bef90683d0fd88ce495de + Author: Christian Beier + Date: Sun Oct 21 20:21:30 2018 +0200 + + LibVNCServer: fix heap out-of-bound write access + + Closes #243 + + commit 15bb719c03cc70f14c36a843dcb16ed69b405707 + Author: Christian Beier + Date: Sun Jan 6 15:13:56 2019 +0100 + + Error out in rfbProcessFileTransferReadBuffer if length can not be allocated + + re #273 + + commit 09e8fc02f59f16e2583b34fe1a270c238bd9ffec + Author: Petr Písař + Date: Mon Jan 7 10:40:01 2019 +0100 + + Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer() + + This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap + out-of-bound write access in rfbProcessFileTransferReadBuffer() when + reading a transfered file content in a server. The former fix did not + work on platforms with a 32-bit int type (expected by rfbReadExact()). + + CVE-2018-15127 + + + +Signed-off-by: Petr Písař +--- + libvncserver/rfbserver.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index b50a7f4..1b4dd97 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -1471,11 +1471,24 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length) + int n=0; + + FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL); ++ + /* +- rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length); ++ We later alloc length+1, which might wrap around on 32-bit systems if length equals ++ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF ++ will safely be allocated since this check will never trigger and malloc() can digest length+1 ++ without problems as length is a uint32_t. ++ We also later pass length to rfbReadExact() that expects a signed int type and ++ that might wrap on platforms with a 32-bit int type if length is bigger ++ than 0X7FFFFFFF. + */ ++ if(length == SIZE_MAX || length > INT_MAX) { ++ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); ++ rfbCloseClient(cl); ++ return NULL; ++ } ++ + if (length>0) { +- buffer=malloc(length+1); ++ buffer=malloc((size_t)length+1); + if (buffer!=NULL) { + if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) { + if (n != 0) +-- +2.17.2 + diff --git a/SOURCES/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch b/SOURCES/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch new file mode 100644 index 0000000..2a71f7f --- /dev/null +++ b/SOURCES/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch @@ -0,0 +1,40 @@ +From e7d578afbb16592ccee8f13aedd65b2220e220ae Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Tue, 6 Mar 2018 11:58:02 +0100 +Subject: [PATCH] Limit client cut text length to 1 MB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch constrains client text length to 1 MB. Otherwise a client +could make server allocate 2 GB of memory and that seems to be to much +to classify it as denial of service. + +I keep the previous checks for maximal type values intentionally as +a course of defensive coding. (You cannot never know how small the +types are. And as a warning for people patching out this change not to +introduce CVE-2018-7225 again.) + +Signed-off-by: Petr Písař +--- + libvncserver/rfbserver.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index a9561fc..0027343 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -2587,7 +2587,9 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) + * argument. Here we check that the value fits into all of them to + * prevent from misinterpretation and thus from accessing uninitialized + * memory. CVE-2018-7225 */ +- if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { ++ /* But first to prevent from a denial-of-service by allocating to much ++ * memory in the server, we impose a limit of 1 MB. */ ++ if (msg.cct.length > 1<<20 || msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { + rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", + msg.cct.length); + rfbCloseClient(cl); +-- +2.13.6 + diff --git a/SOURCES/libvncserver-0.9.11-Validate-client-cut-text-length.patch b/SOURCES/libvncserver-0.9.11-Validate-client-cut-text-length.patch new file mode 100644 index 0000000..dc89cdf --- /dev/null +++ b/SOURCES/libvncserver-0.9.11-Validate-client-cut-text-length.patch @@ -0,0 +1,76 @@ +From 0073e4f694d5a51bb72ff12a5e8364b6e752e094 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 26 Feb 2018 13:48:00 +0100 +Subject: [PATCH] Validate client cut text length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Client-provided unsigned 32-bit cut text length is passed to various +functions that expects argument of a different type. + +E.g. "RFB 003.003\n\001\006\0\0\0\xff\xff\xff\xff" string sent to the +RFB server leads to 4294967295 msg.cct.length value that in turn is +interpreted as -1 by rfbReadExact() and thus uninitialized str buffer +with potentially sensitive data is passed to subsequent functions. + +This patch fixes it by checking for a maximal value that still can be +processed correctly. It also corrects accepting length value of zero +(malloc(0) is interpreted on differnet systems differently). + +Whether a client can make the server allocate up to 2 GB and cause +a denial of service on memory-tight systems is kept without answer. +A possible solution would be adding an arbitrary memory limit that is +deemed safe. + +CVE-2018-7225 + + +Signed-off-by: Petr Písař +--- + libvncserver/rfbserver.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 116c488..a9561fc 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -88,6 +88,12 @@ + #include + /* strftime() */ + #include ++/* SIZE_MAX */ ++#include ++/* PRIu32 */ ++#include ++/* INT_MAX */ ++#include + + #ifdef LIBVNCSERVER_WITH_WEBSOCKETS + #include "rfbssl.h" +@@ -2575,7 +2581,21 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) + + msg.cct.length = Swap32IfLE(msg.cct.length); + +- str = (char *)malloc(msg.cct.length); ++ /* uint32_t input is passed to malloc()'s size_t argument, ++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int ++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int ++ * argument. Here we check that the value fits into all of them to ++ * prevent from misinterpretation and thus from accessing uninitialized ++ * memory. CVE-2018-7225 */ ++ if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { ++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", ++ msg.cct.length); ++ rfbCloseClient(cl); ++ return; ++ } ++ ++ /* Allow zero-length client cut text. */ ++ str = (char *)malloc(msg.cct.length ? msg.cct.length : 1); + if (str == NULL) { + rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); + rfbCloseClient(cl); +-- +2.13.6 + diff --git a/SPECS/libvncserver.spec b/SPECS/libvncserver.spec new file mode 100644 index 0000000..d10a199 --- /dev/null +++ b/SPECS/libvncserver.spec @@ -0,0 +1,273 @@ + +%if 0%{?fedora} || 0%{?rhel} > 5 +%define system_minilzo 1 +%endif + +Summary: Library to make writing a vnc server easy +Name: libvncserver +Version: 0.9.9 +Release: 13%{?dist} +# NOTE: --with-tightvnc-filetransfer => GPLv2 +License: GPLv2+ +Group: System Environment/Libraries +URL: http://libvncserver.sourceforge.net/ +Source0: http://downloads.sf.net/libvncserver/LibVNCServer-%{version}.tar.gz +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +# workaround there being no x11vnc/ dir in tarball +Patch0: LibVNCServer-0.9.9-no_x11vnc.patch +Patch1: LibVNCServer-0.9.9-system_minilzo.patch +Patch2: libvncserver-0.9.1-multilib.patch +# pkgconfig love (upstreamable) +Patch3: LibVNCServer-0.9.9-pkgconfig.patch +# Fix CVE-2014-6051, bug #1157671 +Patch4: LibVNCServer-0.9.10-CVE-2014-6051.patch +# Fix CVE-2014-6052, bug #1157671 +Patch5: LibVNCServer-0.9.9-CVE-2014-6052.patch +# Fix CVE-2014-6053, bug #1157671 +Patch6: LibVNCServer-0.9.10-CVE-2014-6053.patch +# Fix CVE-2014-6054, bug #1157671 +Patch7: LibVNCServer-0.9.10-CVE-2014-6054.patch +# Fix CVE-2014-6055, bug #1157671 +Patch8: LibVNCServer-0.9.10-CVE-2014-6055.patch +# Fix a crash in the VNC server library on connecting an IPv4 client if the +# server could not start listening on an IPv6 socket, bug #1314814, in upstream +# after 0.9.9, +# +Patch9: LibVNCServer-0.9.9-libvncserver-sockets.c-do-not-segfault-when-listenSo.patch +# 1/2 Fix CVE-2018-7225, bug #1548441 +Patch10: libvncserver-0.9.11-Validate-client-cut-text-length.patch +# 2/2 Fix CVE-2018-7225, bug #1548441 +Patch11: libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch +# Fix CVE-2018-15127 (Heap out-of-bounds write in +# rfbserver.c:rfbProcessFileTransferReadBuffer()), bug #1662995, upstream bugs +# +# +# +# fixed in upstream after 0.9.12 +Patch12: libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch + +# upstream name +Obsoletes: LibVNCServer < 0.9.1 +Provides: LibVNCServer = %{version}-%{release} + +BuildRequires: automake autoconf +BuildRequires: libgcrypt-devel +BuildRequires: libjpeg-devel +%{?system_minilzo:BuildRequires: lzo-minilzo lzo-devel} +BuildRequires: pkgconfig(gnutls) +# for %%check +BuildRequires: xorg-x11-server-Xvfb +BuildRequires: xorg-x11-xauth +BuildRequires: zlib-devel + +%description +LibVNCServer makes writing a VNC server (or more correctly, a program +exporting a framebuffer via the Remote Frame Buffer protocol) easy. + +It hides the programmer from the tedious task of managing clients and +compression schemata. + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +# libvncserver-config deps +Requires: coreutils +# upstream name +#Obsoletes: LibVNCServer-devel < %{version}-%{release} +Provides: LibVNCServer-devel = %{version}-%{release} +%description devel +%{summary}. + + +%prep +%setup -q -n LibVNCServer-%{version} + +%patch0 -p1 -b .no_x11vnc +%if 0%{?system_minilzo} +%patch1 -p1 -b .system_minilzo +#nuke bundled minilzo +rm -f common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c +%endif +%patch2 -p1 -b .multilib +%patch3 -p1 -b .pkgconfig +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 + +# fix encoding +for file in AUTHORS ChangeLog ; do +mv ${file} ${file}.OLD && \ +iconv -f ISO_8859-1 -t UTF8 ${file}.OLD > ${file} && \ +touch --reference ${file}.OLD $file +done + +# needed by patch 1 (and to nuke rpath's) +autoreconf + + +%build +%configure \ + --disable-static \ + --without-tightvnc-filetransfer \ + --with-gcrypt \ + --without-png + +# hack to omit unused-direct-shlib-dependencies +sed -i -e 's! -shared ! -Wl,--as-needed\0!g' libtool + +make V=1 %{?_smp_mflags} + + +%install +rm -rf %{buildroot} + +make install DESTDIR=%{buildroot} + +# unpackaged files +rm -fv %{buildroot}%{_bindir}/linuxvnc +rm -fv %{buildroot}%{_libdir}/lib*.a +rm -fv %{buildroot}%{_libdir}/lib*.la + + +%check +unset DISPLAY +# Run a fake X session +# rawhide/koji seems to have some some unreproducible errors atm -- rex +# there's also selinux :( https://bugzilla.redhat.com/843603 +xvfb-run -a make -C test test ||: + + +%clean +rm -rf %{buildroot} + + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + +%files +%defattr(-,root,root,-) +%doc AUTHORS ChangeLog COPYING NEWS README TODO +%{_libdir}/libvncclient.so.0* +%{_libdir}/libvncserver.so.0* + +%files devel +%defattr(-,root,root,-) +%{_bindir}/libvncserver-config +%{_includedir}/rfb/ +%{_libdir}/libvncclient.so +%{_libdir}/libvncserver.so +%{_libdir}/pkgconfig/libvncclient.pc +%{_libdir}/pkgconfig/libvncserver.pc + + +%changelog +* Thu Jan 10 2019 Petr Pisar - 0.9.9-13 +- Fix CVE-2018-15127 (Heap out-of-bounds write in + rfbserver.c:rfbProcessFileTransferReadBuffer()) (bug #1662995) + +* Mon Feb 26 2018 Petr Pisar - 0.9.9-12 +- Fix CVE-2018-7225 (improper client cut text length sanitization) (bug #1548441) + +* Fri Sep 15 2017 Petr Pisar - 0.9.9-11 +- Fix a crash in the VNC server library on connecting an IPv4 client if the + server could not start listening on an IPv6 socket (bug #1314814) + +* Fri Oct 31 2014 Petr Pisar - 0.9.9-10 +- Fix CVE-2014-6051 (integer overflow in screen size handling) (bug #1157671) +- Fix CVE-2014-6052 (NULL pointer dereference in framebuffer setup) + (bug #1157671) +- Fix CVE-2014-6053 (NULL pointer dereference in ClientCutText message + handling) (bug #1157671) +- Fix CVE-2014-6054 (server divide-by-zero in scaling factor handling) + (bug #1157671) +- Fix CVE-2014-6055 (server stacked-based buffer overflow in file transfer + handling) (bug #1157671) + +* Fri Jan 24 2014 Daniel Mach - 0.9.9-9 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 0.9.9-8 +- Mass rebuild 2013-12-27 + +* Tue Jul 23 2013 Petr Pisar - 0.9.9-7.2 +- Specify dependencies on libpng and libgcrypt (bug #852660) + +* Mon Apr 08 2013 Daniel Mach - 0.9.9-7.1 +- Rebuild for gnutls + +* Thu Feb 14 2013 Rex Dieter 0.9.9-7 +- pkgconfig love (#854111) + +* Thu Feb 14 2013 Fedora Release Engineering - 0.9.9-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jan 18 2013 Adam Tkac - 0.9.9-5 +- rebuild due to "jpeg8-ABI" feature drop + +* Fri Dec 21 2012 Adam Tkac - 0.9.9-4 +- rebuild against new libjpeg + +* Thu Jul 26 2012 Rex Dieter 0.9.9-3 +- libvncserver fails to build in mock with selinux enabled (#843603) + +* Thu Jul 19 2012 Fedora Release Engineering - 0.9.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon May 07 2012 Rex Dieter 0.9.9-1 +- 0.9.9 + +* Wed Apr 18 2012 Petr Pisar 0.9.8.2-4 +- Enable system lzo library on rhel >= 6 (#813764) + +* Fri Jan 13 2012 Fedora Release Engineering - 0.9.8.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Sat Dec 31 2011 Christoph Wickert - 0.9.8.2-2 +- On F15, %%check needs xorg-x11-xauth, too + +* Tue Dec 13 2011 Rex Dieter 0.9.8.2-1 +- 0.9.8.2 (#694975) +- new %%check section (yay for xvfb-run) + +* Tue Feb 08 2011 Fedora Release Engineering - 0.9.7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Feb 18 2010 Stepan Kasal - 0.9.7-4 +- repack the tarball, there are .jar files without any source +- do not BR findutils, they are guaranteed in Fedora mock +- fix obsolete, so that it covers only packages created before this + spec was added to Fedora + +* Sat Jul 25 2009 Fedora Release Engineering - 0.9.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sat May 23 2009 Rex Dieter - 0.9.7-3 +- Socket is not closed when disconnecting from server (#501895) + +* Mon May 04 2009 Rex Dieter - 0.9.7-2 +- fix detection of LINUX platform/define + +* Mon May 04 2009 Rex Dieter - 0.9.7-1 +- LibVNCServer-0.9.7 + +* Wed Feb 25 2009 Fedora Release Engineering - 0.9.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Apr 10 2008 Manuel Wolfshant 0.9.1-3 +- do not use bundled copy of minilzo (#439979) + +* Sun Jan 27 2008 Rex Dieter 0.9.1-2 +- hack libtool to omit unused shlib dependencies +- fix AUTHORS encoding +- fix src perms + +* Mon Jan 21 2008 Rex Dieter 0.9.1-1 +- 0.9.1