diff --git a/SOURCES/0001-auth-Add-API-to-unregister-built-in-security-handler.patch b/SOURCES/0001-auth-Add-API-to-unregister-built-in-security-handler.patch
new file mode 100644
index 0000000..882b993
--- /dev/null
+++ b/SOURCES/0001-auth-Add-API-to-unregister-built-in-security-handler.patch
@@ -0,0 +1,47 @@
+From b793e8c51ab253c0951e43a84e9d448416462887 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonas=20=C3=85dahl?=
+Date: Wed, 27 Nov 2019 16:58:29 +0100
+Subject: [PATCH] auth: Add API to unregister built in security handlers
+
+If I have a VNC server that first accepts password based authentication,
+then switches to something not using password (e.g. a prompt on screen),
+the security handler from the first would still be sent as, meaning
+clients would still ask for a password without there being one.
+---
+ libvncserver/auth.c | 7 +++++++
+ rfb/rfb.h | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/libvncserver/auth.c b/libvncserver/auth.c
+index 55e0b3c9..8b6fc48f 100644
+--- a/libvncserver/auth.c
++++ b/libvncserver/auth.c
+@@ -248,6 +248,13 @@ determinePrimarySecurityType(rfbClientPtr cl)
+ }
+ }
+
++void
++rfbUnregisterPrimarySecurityHandlers (void)
++{
++ rfbUnregisterSecurityHandler(&VncSecurityHandlerNone);
++ rfbUnregisterSecurityHandler(&VncSecurityHandlerVncAuth);
++}
++
+ void
+ rfbSendSecurityTypeList(rfbClientPtr cl,
+ enum rfbSecurityTag exclude)
+diff --git a/rfb/rfb.h b/rfb/rfb.h
+index 70b92242..738dbd82 100644
+--- a/rfb/rfb.h
++++ b/rfb/rfb.h
+@@ -887,6 +887,7 @@ extern void rfbProcessClientSecurityType(rfbClientPtr cl);
+ extern void rfbAuthProcessClientMessage(rfbClientPtr cl);
+ extern void rfbRegisterSecurityHandler(rfbSecurityHandler* handler);
+ extern void rfbUnregisterSecurityHandler(rfbSecurityHandler* handler);
++extern void rfbUnregisterPrimarySecurityHandlers (void);
+ extern void rfbRegisterChannelSecurityHandler(rfbSecurityHandler* handler);
+ extern void rfbUnregisterChannelSecurityHandler(rfbSecurityHandler* handler);
+ extern void rfbSendSecurityTypeList(rfbClientPtr cl, enum rfbSecurityTag exclude);
+--
+2.23.0
+
diff --git a/SOURCES/0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch b/SOURCES/0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch
index 853ea28..1f7b94c 100644
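Review bot: rfbUnregisterPrimarySecurityHandlers() becomes public API in rfb.h without any comment stating its contract, even though it changes which authentication types the server will offer. It takes no screen or client argument and unregisters by the addresses of VncSecurityHandlerNone and VncSecurityHandlerVncAuth, so it presumably edits a handler list shared by the whole process; whether that list can be modified safely while a client is in the middle of the security handshake is not visible in this hunk. Once that is confirmed, I would document it above the declaration, for example `/** Remove the built-in None and VncAuth handlers from the security handler list; affects every screen in the process. */`. The hunk header shows determinePrimarySecurityType() just above, and if that function registers these handlers again for new clients, the comment should also say when the call has to be repeated.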
--- a/SOURCES/0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch +++ b/SOURCES/0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch @@ -1,4 +1,4 @@ -From 0a98d629447964f1d5d922d5012ee0c2cbf10694 Mon Sep 17 00:00:00 2001 +From fb4b12407e869c3da33df65ed3a43ef87aeae1c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20=C3=85dahl?= Date: Mon, 11 Jun 2018 23:47:02 +0200 Subject: [PATCH 1/2] libvncserver: Add API to add custom I/O entry points @@ -7,16 +7,16 @@ Add API to make it possible to channel RFB input and output through another layer, for example TLS. This is done by making it possible to override the default read/write/peek functions. --- - libvncserver/rfbserver.c | 4 +++ - libvncserver/sockets.c | 64 +++++++++++++++++++++++++++++++++++++--- - rfb/rfb.h | 17 +++++++++++ - 3 files changed, 81 insertions(+), 4 deletions(-) + libvncserver/rfbserver.c | 4 ++ + libvncserver/sockets.c | 79 ++++++++++++++++++++++++++++++++++++---- + rfb/rfb.h | 17 +++++++++ + 3 files changed, 93 insertions(+), 7 deletions(-) diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c -index 7af6aed..fbedd9f 100644 +index bc9cc117..0c8ee735 100644 --- a/libvncserver/rfbserver.c +++ b/libvncserver/rfbserver.c -@@ -322,6 +322,10 @@ rfbNewTCPOrUDPClient(rfbScreenInfoPtr rfbScreen, +@@ -319,6 +319,10 @@ rfbNewTCPOrUDPClient(rfbScreenInfoPtr rfbScreen, cl->screen = rfbScreen; cl->sock = sock; @@ -28,10 +28,56 @@ index 7af6aed..fbedd9f 100644 /* setup pseudo scaling */ cl->scaledScreen = rfbScreen; diff --git a/libvncserver/sockets.c b/libvncserver/sockets.c -index bbc3d90..27515f2 100644 +index bbc3d90d..4874d4b6 100644 --- a/libvncserver/sockets.c 
+++ b/libvncserver/sockets.c -@@ -589,6 +589,30 @@ rfbConnect(rfbScreenInfoPtr rfbScreen, +@@ -126,6 +126,9 @@ int deny_severity=LOG_WARNING; + int rfbMaxClientWait = 20000; /* time (ms) after which we decide client has + gone away - needed to stop us hanging */ + ++static rfbBool ++rfbHasPendingOnSocket(rfbClientPtr cl); ++ + static rfbBool + rfbNewConnectionFromSock(rfbScreenInfoPtr rfbScreen, int sock) + { +@@ -370,16 +373,20 @@ rfbCheckFds(rfbScreenInfoPtr rfbScreen,long usec) + tv.tv_usec = usec; + nfds = select(rfbScreen->maxFd + 1, &fds, NULL, NULL /* &fds */, &tv); + if (nfds == 0) { ++ rfbBool hasPendingData = FALSE; ++ + /* timed out, check for async events */ + i = rfbGetClientIterator(rfbScreen); + while((cl = rfbClientIteratorNext(i))) { + if (cl->onHold) + continue; ++ hasPendingData |= rfbHasPendingOnSocket(cl); + if (FD_ISSET(cl->sock, &(rfbScreen->allFds))) + rfbSendFileTransferChunk(cl); + } + rfbReleaseClientIterator(i); +- return result; ++ if (!hasPendingData) ++ return result; + } + + if (nfds < 0) { +@@ -455,9 +462,11 @@ rfbCheckFds(rfbScreenInfoPtr rfbScreen,long usec) + if (cl->onHold) + continue; + +- if (FD_ISSET(cl->sock, &(rfbScreen->allFds))) ++ if (rfbHasPendingOnSocket (cl) || ++ FD_ISSET(cl->sock, &(rfbScreen->allFds))) + { +- if (FD_ISSET(cl->sock, &fds)) ++ if (rfbHasPendingOnSocket (cl) || ++ FD_ISSET(cl->sock, &fds)) + { + #ifdef LIBVNCSERVER_WITH_WEBSOCKETS + do { +@@ -589,6 +598,30 @@ rfbConnect(rfbScreenInfoPtr rfbScreen, return sock; } 
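Review bot: In the second rfbCheckFds() change, rfbHasPendingOnSocket(cl) is evaluated twice per client, once in the outer condition and again in the inner one, and each call goes through the cl->hasPendingOnSocket function pointer that a custom I/O layer can replace. If the callback's answer changes between the two calls the inner check can disagree with the outer one, and if the pointer was never set for a client the call goes through NULL; the default assignment in rfbNewTCPOrUDPClient() is not visible in this diff, so that needs checking. I would read the value once, `rfbBool pending = rfbHasPendingOnSocket(cl);`, and use `pending ||` in both conditions. The same helper is also called on the select() timeout path for every client that is not on hold, so the callback typedef deserves a comment saying it must be cheap and must not block. rfbCheckFds() starts and ends outside the hunk.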
@@ -56,13 +102,13 @@ index bbc3d90..27515f2 100644 +static rfbBool +rfbHasPendingOnSocket(rfbClientPtr cl) +{ -+ cl->hasPendingOnSocket(cl); ++ return cl->hasPendingOnSocket(cl); +} + /* * ReadExact reads an exact number of bytes from a client. Returns 1 if * those bytes have been read, 0 if the other end has closed, or -1 if an error -@@ -610,10 +634,10 @@ rfbReadExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout) +@@ -610,10 +643,10 @@ rfbReadExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout) } else if (cl->sslctx) { n = rfbssl_read(cl, buf, len); } else { @@ -75,7 +121,7 @@ index bbc3d90..27515f2 100644 #endif if (n > 0) { -@@ -645,6 +669,10 @@ rfbReadExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout) +@@ -645,6 +678,10 @@ rfbReadExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout) continue; } #endif @@ -86,7 +132,7 @@ index bbc3d90..27515f2 100644 FD_ZERO(&fds); FD_SET(sock, &fds); tv.tv_sec = timeout / 1000; -@@ -681,6 +709,18 @@ int rfbReadExact(rfbClientPtr cl,char* buf,int len) +@@ -681,6 +718,18 @@ int rfbReadExact(rfbClientPtr cl,char* buf,int len) return(rfbReadExactTimeout(cl,buf,len,rfbMaxClientWait)); } @@ -105,7 +151,7 @@ index bbc3d90..27515f2 100644 /* * PeekExact peeks at an exact number of bytes from a client. Returns 1 if * those bytes have been read, 0 if the other end has closed, or -1 if an -@@ -701,7 +741,7 @@ rfbPeekExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout) +@@ -701,7 +750,7 @@ rfbPeekExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout) n = rfbssl_peek(cl, buf, len); else #endif @@ -114,7 +160,7 @@ index bbc3d90..27515f2 100644 if (n == len) { -@@ -757,6 +797,22 @@ rfbPeekExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout) +@@ -757,6 +806,22 @@ rfbPeekExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout) return 1; } 
@@ -137,7 +183,7 @@ index bbc3d90..27515f2 100644 /* * WriteExact writes an exact number of bytes to a client. Returns 1 if * those bytes have been written, or -1 if an error occurred (errno is set to -@@ -801,7 +857,7 @@ rfbWriteExact(rfbClientPtr cl, +@@ -801,7 +866,7 @@ rfbWriteExact(rfbClientPtr cl, n = rfbssl_write(cl, buf, len); else #endif @@ -147,10 +193,10 @@ index bbc3d90..27515f2 100644 if (n > 0) { diff --git a/rfb/rfb.h b/rfb/rfb.h -index f982b40..ba9e898 100644 +index c6edc119..2e5597a9 100644 --- a/rfb/rfb.h +++ b/rfb/rfb.h -@@ -415,6 +415,14 @@ typedef struct sraRegion* sraRegionPtr; +@@ -414,6 +414,14 @@ typedef struct sraRegion* sraRegionPtr; typedef void (*ClientGoneHookPtr)(struct _rfbClientRec* cl); @@ -165,7 +211,7 @@ index f982b40..ba9e898 100644 typedef struct _rfbFileTransferData { int fd; int compressionEnabled; -@@ -696,6 +704,11 @@ typedef struct _rfbClientRec { +@@ -695,6 +703,11 @@ typedef struct _rfbClientRec { wsCtx *wsctx; char *wspath; /* Requests path component */ #endif @@ -177,7 +223,7 @@ index f982b40..ba9e898 100644 } rfbClientRec, *rfbClientPtr; /** -@@ -748,8 +761,12 @@ extern void rfbDisconnectUDPSock(rfbScreenInfoPtr rfbScreen); +@@ -747,8 +760,12 @@ extern void rfbDisconnectUDPSock(rfbScreenInfoPtr rfbScreen); extern void rfbCloseClient(rfbClientPtr cl); extern int rfbReadExact(rfbClientPtr cl, char *buf, int len); extern int rfbReadExactTimeout(rfbClientPtr cl, char *buf, int len,int timeout); @@ -191,5 +237,5 @@ index f982b40..ba9e898 100644 extern int rfbConnect(rfbScreenInfoPtr rfbScreen, char* host, int port); extern int rfbConnectToTcpAddr(char* host, int port); -- -2.17.1 +2.23.0 diff --git a/SOURCES/0002-libvncserver-Add-channel-security-handlers.patch b/SOURCES/0002-libvncserver-Add-channel-security-handlers.patch index e922461..8b9cca6 100644 --- a/SOURCES/0002-libvncserver-Add-channel-security-handlers.patch +++ b/SOURCES/0002-libvncserver-Add-channel-security-handlers.patch 
@@ -1,4 +1,4 @@ -From c343c1b43080bcb45dad285faa5cd8926bfb9811 Mon Sep 17 00:00:00 2001 +From 5e4d810d62da0f2048ce78b3a7812e9e13968162 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20=C3=85dahl?= Date: Mon, 11 Jun 2018 23:50:05 +0200 Subject: [PATCH 2/2] libvncserver: Add channel security handlers @@ -13,13 +13,13 @@ done by adding a single channel security handler with the rfbTLS (18) with a handler that initiates a TLS session, and when a TLS session is initiated, the regular security handler list is sent. --- - libvncserver/auth.c | 162 ++++++++++++++++++++++++++++++--------- + libvncserver/auth.c | 164 ++++++++++++++++++++++++++++++--------- libvncserver/rfbserver.c | 1 + rfb/rfb.h | 15 +++- - 3 files changed, 140 insertions(+), 38 deletions(-) + 3 files changed, 142 insertions(+), 38 deletions(-) diff --git a/libvncserver/auth.c b/libvncserver/auth.c -index 814a814..6581953 100644 +index 814a8142..55e0b3c9 100644 --- a/libvncserver/auth.c +++ b/libvncserver/auth.c @@ -37,18 +37,17 @@ void rfbClientSendString(rfbClientPtr cl, const char *reason); @@ -255,20 +255,22 @@ index 814a814..6581953 100644 if (securityType == rfbSecTypeInvalid) { rfbLog("VNC authentication disabled - RFB 3.3 client rejected\n"); rfbClientConnFailed(cl, "Your viewer cannot handle required " -@@ -316,9 +394,11 @@ rfbAuthNewClient(rfbClientPtr cl) +@@ -316,9 +394,13 @@ rfbAuthNewClient(rfbClientPtr cl) return; } rfbSendSecurityType(cl, securityType); + } else if (channelSecurityHandlers) { ++ rfbLog("Send channel security type list\n"); + rfbSendChannelSecurityTypeList(cl); } else { /* Here it's ok when securityType is set to rfbSecTypeInvalid. */ - rfbSendSecurityTypeList(cl, securityType); ++ rfbLog("Send channel security type 'none'\n"); + rfbSendSecurityTypeList(cl, RFB_SECURITY_TAG_NONE); } } -@@ -332,6 +412,7 @@ rfbProcessClientSecurityType(rfbClientPtr cl) +@@ -332,6 +414,7 @@ rfbProcessClientSecurityType(rfbClientPtr cl) int n; uint8_t chosenType; rfbSecurityHandler* handler; 
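Review bot: The second added log line, `rfbLog("Send channel security type 'none'\n");`, sits in the branch that calls rfbSendSecurityTypeList(cl, RFB_SECURITY_TAG_NONE), which sends the ordinary security type list rather than a channel security type. Someone reading the server log during an investigation could take it to mean the connection was offered the 'None' authentication type, when the tag argument appears to be only the exclusion filter of rfbSendSecurityTypeList(). I would word the message after what is actually sent, for example `rfbLog("Send security type list (no channel security handlers)\n");`. rfbAuthNewClient() begins outside the hunk.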
@@ -276,7 +278,7 @@ index 814a814..6581953 100644 /* Read the security type. */ n = rfbReadExact(cl, (char *)&chosenType, 1); -@@ -344,8 +425,17 @@ rfbProcessClientSecurityType(rfbClientPtr cl) +@@ -344,8 +427,17 @@ rfbProcessClientSecurityType(rfbClientPtr cl) return; } @@ -296,10 +298,10 @@ index 814a814..6581953 100644 rfbLog("rfbProcessClientSecurityType: executing handler for type %d\n", chosenType); handler->handler(cl); diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c -index fbedd9f..1e8b3c1 100644 +index 0c8ee735..421d8c7f 100644 --- a/libvncserver/rfbserver.c +++ b/libvncserver/rfbserver.c -@@ -643,6 +643,7 @@ rfbProcessClientMessage(rfbClientPtr cl) +@@ -640,6 +640,7 @@ rfbProcessClientMessage(rfbClientPtr cl) case RFB_PROTOCOL_VERSION: rfbProcessClientProtocolVersion(cl); return; @@ -308,10 +310,10 @@ index fbedd9f..1e8b3c1 100644 rfbProcessClientSecurityType(cl); return; diff --git a/rfb/rfb.h b/rfb/rfb.h -index ba9e898..be58d08 100644 +index 2e5597a9..d2a7c9fb 100644 --- a/rfb/rfb.h +++ b/rfb/rfb.h -@@ -182,6 +182,11 @@ typedef struct { +@@ -181,6 +181,11 @@ typedef struct { } data; /**< there have to be count*3 entries */ } rfbColourMap; @@ -323,7 +325,7 @@ index ba9e898..be58d08 100644 /** * Security handling (RFB protocol version 3.7) */ -@@ -190,6 +195,7 @@ typedef struct _rfbSecurity { +@@ -189,6 +194,7 @@ typedef struct _rfbSecurity { uint8_t type; void (*handler)(struct _rfbClientRec* cl); struct _rfbSecurity* next; @@ -331,7 +333,7 @@ index ba9e898..be58d08 100644 } rfbSecurityHandler; /** -@@ -506,7 +512,7 @@ typedef struct _rfbClientRec { +@@ -505,7 +511,7 @@ typedef struct _rfbClientRec { /** Possible client states: */ enum { RFB_PROTOCOL_VERSION, /**< establishing protocol version */ 
@@ -340,7 +342,7 @@ index ba9e898..be58d08 100644 RFB_AUTHENTICATION, /**< authenticating */ RFB_INITIALISATION, /**< sending initialisation messages */ RFB_NORMAL, /**< normal protocol messages */ -@@ -514,7 +520,9 @@ typedef struct _rfbClientRec { +@@ -513,7 +519,9 @@ typedef struct _rfbClientRec { /* Ephemeral internal-use states that will never be seen by software * using LibVNCServer to provide services: */ @@ -351,7 +353,7 @@ index ba9e898..be58d08 100644 } state; rfbBool reverseConnection; -@@ -855,6 +863,9 @@ extern void rfbProcessClientSecurityType(rfbClientPtr cl); +@@ -854,6 +862,9 @@ extern void rfbProcessClientSecurityType(rfbClientPtr cl); extern void rfbAuthProcessClientMessage(rfbClientPtr cl); extern void rfbRegisterSecurityHandler(rfbSecurityHandler* handler); extern void rfbUnregisterSecurityHandler(rfbSecurityHandler* handler); @@ -362,5 +364,5 @@ index ba9e898..be58d08 100644 /* rre.c */ -- -2.17.1 +2.23.0 diff --git a/SPECS/libvncserver.spec b/SPECS/libvncserver.spec index 707fcde..9d93403 100644 --- a/SPECS/libvncserver.spec +++ b/SPECS/libvncserver.spec @@ -1,7 +1,7 @@ Summary: Library to make writing a VNC server easy Name: libvncserver Version: 0.9.11 -Release: 9%{?dist}.2 +Release: 14%{?dist} # NOTE: --with-filetransfer => GPLv2 License: GPLv2+ @@ -16,6 +16,10 @@ Patch4: 0040-Ensure-compatibility-with-gtk-vnc-0.7.0.patch Patch10: 0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch Patch11: 0002-libvncserver-Add-channel-security-handlers.patch +## Add API needed by gnome-remote-desktop to handle settings changes +# rhbz#1684729 +Patch12: 0001-auth-Add-API-to-unregister-built-in-security-handler.patch + ## downstream patches Patch100: libvncserver-0.9.11-system_minilzo.patch Patch101: libvncserver-0.9.1-multilib.patch 
@@ -34,7 +38,7 @@ Patch105: libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch # fixed in upstream after 0.9.12 Patch106: libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch # Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client), -# bug #1814342, , +# bug #1814343, , # in upstream after 0.9.12 Patch107: libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch @@ -91,6 +95,8 @@ developing applications that use %{name}. %patch10 -p1 %patch11 -p1 +%patch12 -p1 + %patch100 -p1 -b .system_minilzo # Nuke bundled minilzo #rm -fv common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c @@ -166,12 +172,25 @@ make -C test test ||: %changelog -* Wed Mar 18 2020 Petr Pisar - 0.9.11-9.2 -- Enable gating (bug #1681199) - -* Wed Mar 18 2020 Petr Pisar - 0.9.11-9.1 +* Wed Mar 18 2020 Petr Pisar - 0.9.11-14 - Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client) - (bug #1814342) + (bug #1814343) + +* Thu Nov 28 2019 Jonas Ådahl - 0.9.11-13 +- Manually apply new patch + Resolves: #1684729 + +* Wed Nov 27 2019 Jonas Ådahl - 0.9.11-12 +- Add API needed by gnome-remote-desktop to handle settings changes + Resolves: #1684729 + +* Wed Nov 27 2019 Tomas Pelka - 0.9.11-11 +- Enable gating through gnome-remote-desktop for now + Resolves: #1765448 + +* Wed Nov 27 2019 Jonas Ådahl - 0.9.11-10 +- Update TLS security type enablement patches + Resolves: #1765448 * Thu Jan 10 2019 Petr Pisar - 0.9.11-9 - Fix CVE-2018-15127 (Heap out-of-bounds write in