diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..77f3f36 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/LibVNCServer-0.9.11.tar.gz diff --git a/.libvncserver.metadata b/.libvncserver.metadata new file mode 100644 index 0000000..01e5bd8 --- /dev/null +++ b/.libvncserver.metadata @@ -0,0 +1 @@ +d844a2c9e69465d104a8468dce515a49e4db9585 SOURCES/LibVNCServer-0.9.11.tar.gz diff --git a/SOURCES/0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch b/SOURCES/0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch new file mode 100644 index 0000000..853ea28 --- /dev/null +++ b/SOURCES/0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch @@ -0,0 +1,195 @@ +From 0a98d629447964f1d5d922d5012ee0c2cbf10694 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jonas=20=C3=85dahl?= +Date: Mon, 11 Jun 2018 23:47:02 +0200 +Subject: [PATCH 1/2] libvncserver: Add API to add custom I/O entry points + +Add API to make it possible to channel RFB input and output through +another layer, for example TLS. This is done by making it possible to +override the default read/write/peek functions. +--- + libvncserver/rfbserver.c | 4 +++ + libvncserver/sockets.c | 64 +++++++++++++++++++++++++++++++++++++--- + rfb/rfb.h | 17 +++++++++++ + 3 files changed, 81 insertions(+), 4 deletions(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 7af6aed..fbedd9f 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -322,6 +322,10 @@ rfbNewTCPOrUDPClient(rfbScreenInfoPtr rfbScreen, + + cl->screen = rfbScreen; + cl->sock = sock; ++ cl->readFromSocket = rfbDefaultReadFromSocket; ++ cl->peekAtSocket = rfbDefaultPeekAtSocket; ++ cl->hasPendingOnSocket = rfbDefaultHasPendingOnSocket; ++ cl->writeToSocket = rfbDefaultWriteToSocket; + cl->viewOnly = FALSE; + /* setup pseudo scaling */ + cl->scaledScreen = rfbScreen; +diff --git a/libvncserver/sockets.c b/libvncserver/sockets.c +index bbc3d90..27515f2 100644 +--- a/libvncserver/sockets.c ++++ b/libvncserver/sockets.c +@@ -589,6 +589,30 @@ rfbConnect(rfbScreenInfoPtr rfbScreen, + return sock; + } + ++int ++rfbDefaultReadFromSocket(rfbClientPtr cl, char *buf, int len) ++{ ++ return read(cl->sock, buf, len); ++} ++ ++static int ++rfbReadFromSocket(rfbClientPtr cl, char *buf, int len) ++{ ++ return cl->readFromSocket(cl, buf, len); ++} ++ ++rfbBool ++rfbDefaultHasPendingOnSocket(rfbClientPtr cl) ++{ ++ return FALSE; ++} ++ ++static rfbBool ++rfbHasPendingOnSocket(rfbClientPtr cl) ++{ ++ cl->hasPendingOnSocket(cl); ++} ++ + /* + * ReadExact reads an exact number of bytes from a client. Returns 1 if + * those bytes have been read, 0 if the other end has closed, or -1 if an error +@@ -610,10 +634,10 @@ rfbReadExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout) + } else if (cl->sslctx) { + n = rfbssl_read(cl, buf, len); + } else { +- n = read(sock, buf, len); ++ n = rfbReadFromSocket(cl, buf, len); + } + #else +- n = read(sock, buf, len); ++ n = rfbReadFromSocket(cl, buf, len); + #endif + + if (n > 0) { +@@ -645,6 +669,10 @@ rfbReadExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout) + continue; + } + #endif ++ ++ if (rfbHasPendingOnSocket(cl)) ++ continue; ++ + FD_ZERO(&fds); + FD_SET(sock, &fds); + tv.tv_sec = timeout / 1000; +@@ -681,6 +709,18 @@ int rfbReadExact(rfbClientPtr cl,char* buf,int len) + return(rfbReadExactTimeout(cl,buf,len,rfbMaxClientWait)); + } + ++int ++rfbDefaultPeekAtSocket(rfbClientPtr cl, char *buf, int len) ++{ ++ return recv(cl->sock, buf, len, MSG_PEEK); ++} ++ ++int ++rfbPeekAtSocket(rfbClientPtr cl, char *buf, int len) ++{ ++ cl->peekAtSocket(cl, buf, len); ++} ++ + /* + * PeekExact peeks at an exact number of bytes from a client. Returns 1 if + * those bytes have been read, 0 if the other end has closed, or -1 if an +@@ -701,7 +741,7 @@ rfbPeekExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout) + n = rfbssl_peek(cl, buf, len); + else + #endif +- n = recv(sock, buf, len, MSG_PEEK); ++ n = rfbPeekAtSocket(cl, buf, len); + + if (n == len) { + +@@ -757,6 +797,22 @@ rfbPeekExactTimeout(rfbClientPtr cl, char* buf, int len, int timeout) + return 1; + } + ++int ++rfbDefaultWriteToSocket(rfbClientPtr cl, ++ const char *buf, ++ int len) ++{ ++ return write(cl->sock, buf, len); ++} ++ ++static int ++rfbWriteToSocket(rfbClientPtr cl, ++ const char *buf, ++ int len) ++{ ++ return cl->writeToSocket(cl, buf, len); ++} ++ + /* + * WriteExact writes an exact number of bytes to a client. Returns 1 if + * those bytes have been written, or -1 if an error occurred (errno is set to +@@ -801,7 +857,7 @@ rfbWriteExact(rfbClientPtr cl, + n = rfbssl_write(cl, buf, len); + else + #endif +- n = write(sock, buf, len); ++ n = rfbWriteToSocket(cl, buf, len); + + if (n > 0) { + +diff --git a/rfb/rfb.h b/rfb/rfb.h +index f982b40..ba9e898 100644 +--- a/rfb/rfb.h ++++ b/rfb/rfb.h +@@ -415,6 +415,14 @@ typedef struct sraRegion* sraRegionPtr; + + typedef void (*ClientGoneHookPtr)(struct _rfbClientRec* cl); + ++typedef int (*ClientReadFromSocket)(struct _rfbClientRec* cl, ++ char *buf, int len); ++typedef int (*ClientPeekAtSocket)(struct _rfbClientRec* cl, ++ char *buf, int len); ++typedef rfbBool (*ClientHasPendingOnSocket)(struct _rfbClientRec* cl); ++typedef int (*ClientWriteToSocket)(struct _rfbClientRec* cl, ++ const char *buf, int len); ++ + typedef struct _rfbFileTransferData { + int fd; + int compressionEnabled; +@@ -696,6 +704,11 @@ typedef struct _rfbClientRec { + wsCtx *wsctx; + char *wspath; /* Requests path component */ + #endif ++ ++ ClientReadFromSocket readFromSocket; /* Read data from socket */ ++ ClientPeekAtSocket peekAtSocket; /* Peek at data from socket */ ++ ClientHasPendingOnSocket hasPendingOnSocket; /* Peek at data from socket */ ++ ClientWriteToSocket writeToSocket; /* Write data to socket */ + } rfbClientRec, *rfbClientPtr; + + /** +@@ -748,8 +761,12 @@ extern void rfbDisconnectUDPSock(rfbScreenInfoPtr rfbScreen); + extern void rfbCloseClient(rfbClientPtr cl); + extern int rfbReadExact(rfbClientPtr cl, char *buf, int len); + extern int rfbReadExactTimeout(rfbClientPtr cl, char *buf, int len,int timeout); ++extern int rfbDefaultReadFromSocket(rfbClientPtr cl, char *buf, int len); + extern int rfbPeekExactTimeout(rfbClientPtr cl, char *buf, int len,int timeout); ++extern int rfbDefaultPeekAtSocket(rfbClientPtr cl, char *buf, int len); ++extern rfbBool rfbDefaultHasPendingOnSocket(rfbClientPtr cl); + extern int rfbWriteExact(rfbClientPtr cl, const char *buf, int len); ++extern int rfbDefaultWriteToSocket(rfbClientPtr cl, const char *buf, int len); + extern int rfbCheckFds(rfbScreenInfoPtr rfbScreen,long usec); + extern int rfbConnect(rfbScreenInfoPtr rfbScreen, char* host, int port); + extern int rfbConnectToTcpAddr(char* host, int port); +-- +2.17.1 + diff --git a/SOURCES/0002-libvncserver-Add-channel-security-handlers.patch b/SOURCES/0002-libvncserver-Add-channel-security-handlers.patch new file mode 100644 index 0000000..e922461 --- /dev/null +++ b/SOURCES/0002-libvncserver-Add-channel-security-handlers.patch @@ -0,0 +1,366 @@ +From c343c1b43080bcb45dad285faa5cd8926bfb9811 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jonas=20=C3=85dahl?= +Date: Mon, 11 Jun 2018 23:50:05 +0200 +Subject: [PATCH 2/2] libvncserver: Add channel security handlers + +Add another type of security handler that is meant to be used initially +to set up a secure channel. Regular security handlers would be +advertised and processed after any channel security have succeeded. + +For example, this, together with the custom I/O functions allows a +LibVNCServer user to implement TLS in combination with VNCAuth. This is +done by adding a single channel security handler with the rfbTLS (18) +with a handler that initiates a TLS session, and when a TLS session is +initiated, the regular security handler list is sent. +--- + libvncserver/auth.c | 162 ++++++++++++++++++++++++++++++--------- + libvncserver/rfbserver.c | 1 + + rfb/rfb.h | 15 +++- + 3 files changed, 140 insertions(+), 38 deletions(-) + +diff --git a/libvncserver/auth.c b/libvncserver/auth.c +index 814a814..6581953 100644 +--- a/libvncserver/auth.c ++++ b/libvncserver/auth.c +@@ -37,18 +37,17 @@ void rfbClientSendString(rfbClientPtr cl, const char *reason); + * Handle security types + */ + ++/* Channel security handlers to set up a secure channel, e.g. TLS. */ ++static rfbSecurityHandler* channelSecurityHandlers = NULL; ++ ++/* Security handlers when channel security is established. */ + static rfbSecurityHandler* securityHandlers = NULL; + +-/* +- * This method registers a list of new security types. +- * It avoids same security type getting registered multiple times. +- * The order is not preserved if multiple security types are +- * registered at one-go. +- */ + void +-rfbRegisterSecurityHandler(rfbSecurityHandler* handler) ++rfbRegisterSecurityHandlerTo(rfbSecurityHandler* handler, ++ rfbSecurityHandler** handlerList) + { +- rfbSecurityHandler *head = securityHandlers, *next = NULL; ++ rfbSecurityHandler *head = *handlerList, *next = NULL; + + if(handler == NULL) + return; +@@ -57,39 +56,35 @@ rfbRegisterSecurityHandler(rfbSecurityHandler* handler) + + while(head != NULL) { + if(head == handler) { +- rfbRegisterSecurityHandler(next); ++ rfbRegisterSecurityHandlerTo(next, handlerList); + return; + } + + head = head->next; + } + +- handler->next = securityHandlers; +- securityHandlers = handler; ++ handler->next = *handlerList; ++ *handlerList = handler; + +- rfbRegisterSecurityHandler(next); ++ rfbRegisterSecurityHandlerTo(next, handlerList); + } + +-/* +- * This method unregisters a list of security types. +- * These security types won't be available for any new +- * client connection. +- */ +-void +-rfbUnregisterSecurityHandler(rfbSecurityHandler* handler) ++static void ++rfbUnregisterSecurityHandlerFrom(rfbSecurityHandler* handler, ++ rfbSecurityHandler** handlerList) + { + rfbSecurityHandler *cur = NULL, *pre = NULL; + + if(handler == NULL) + return; + +- if(securityHandlers == handler) { +- securityHandlers = securityHandlers->next; +- rfbUnregisterSecurityHandler(handler->next); ++ if(*handlerList == handler) { ++ *handlerList = (*handlerList)->next; ++ rfbUnregisterSecurityHandlerFrom(handler->next, handlerList); + return; + } + +- cur = pre = securityHandlers; ++ cur = pre = *handlerList; + + while(cur) { + if(cur == handler) { +@@ -99,7 +94,50 @@ rfbUnregisterSecurityHandler(rfbSecurityHandler* handler) + pre = cur; + cur = cur->next; + } +- rfbUnregisterSecurityHandler(handler->next); ++ rfbUnregisterSecurityHandlerFrom(handler->next, handlerList); ++} ++ ++void ++rfbRegisterChannelSecurityHandler(rfbSecurityHandler* handler) ++{ ++ rfbRegisterSecurityHandlerTo(handler, &channelSecurityHandlers); ++} ++ ++/* ++ * This method unregisters a list of security types. ++ * These security types won't be available for any new ++ * client connection. ++ */ ++ ++void ++rfbUnregisterChannelSecurityHandler(rfbSecurityHandler* handler) ++{ ++ rfbUnregisterSecurityHandlerFrom(handler, &channelSecurityHandlers); ++} ++ ++/* ++ * This method registers a list of new security types. ++ * It avoids same security type getting registered multiple times. ++ * The order is not preserved if multiple security types are ++ * registered at one-go. ++ */ ++ ++void ++rfbRegisterSecurityHandler(rfbSecurityHandler* handler) ++{ ++ rfbRegisterSecurityHandlerTo(handler, &securityHandlers); ++} ++ ++/* ++ * This method unregisters a list of security types. ++ * These security types won't be available for any new ++ * client connection. ++ */ ++ ++void ++rfbUnregisterSecurityHandler(rfbSecurityHandler* handler) ++{ ++ rfbUnregisterSecurityHandlerFrom(handler, &securityHandlers); + } + + /* +@@ -197,9 +235,22 @@ static rfbSecurityHandler VncSecurityHandlerNone = { + NULL + }; + ++static int32_t ++determinePrimarySecurityType(rfbClientPtr cl) ++{ ++ if (!cl->screen->authPasswdData || cl->reverseConnection) { ++ /* chk if this condition is valid or not. */ ++ return rfbSecTypeNone; ++ } else if (cl->screen->authPasswdData) { ++ return rfbSecTypeVncAuth; ++ } else { ++ return rfbSecTypeInvalid; ++ } ++} + +-static void +-rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType) ++void ++rfbSendSecurityTypeList(rfbClientPtr cl, ++ enum rfbSecurityTag exclude) + { + /* The size of the message is the count of security types +1, + * since the first byte is the number of types. */ +@@ -207,9 +258,10 @@ rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType) + rfbSecurityHandler* handler; + #define MAX_SECURITY_TYPES 255 + uint8_t buffer[MAX_SECURITY_TYPES+1]; +- ++ int32_t primaryType; + + /* Fill in the list of security types in the client structure. (NOTE: Not really in the client structure) */ ++ primaryType = determinePrimarySecurityType(cl); + switch (primaryType) { + case rfbSecTypeNone: + rfbRegisterSecurityHandler(&VncSecurityHandlerNone); +@@ -221,6 +273,9 @@ rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType) + + for (handler = securityHandlers; + handler && sizenext) { ++ if (exclude && (handler->securityTags & exclude)) ++ continue; ++ + buffer[size] = handler->type; + size++; + } +@@ -249,7 +304,29 @@ rfbSendSecurityTypeList(rfbClientPtr cl, int primaryType) + cl->state = RFB_SECURITY_TYPE; + } + ++static void ++rfbSendChannelSecurityTypeList(rfbClientPtr cl) ++{ ++ int size = 1; ++ rfbSecurityHandler* handler; ++ uint8_t buffer[MAX_SECURITY_TYPES+1]; ++ ++ for (handler = channelSecurityHandlers; ++ handler && sizenext) { ++ buffer[size] = handler->type; ++ size++; ++ } ++ buffer[0] = (unsigned char)size-1; ++ ++ if (rfbWriteExact(cl, (char *)buffer, size) < 0) { ++ rfbLogPerror("rfbSendSecurityTypeList: write"); ++ rfbCloseClient(cl); ++ return; ++ } + ++ /* Dispatch client input to rfbProcessClientChannelSecurityType. */ ++ cl->state = RFB_CHANNEL_SECURITY_TYPE; ++} + + + /* +@@ -297,18 +374,19 @@ rfbSendSecurityType(rfbClientPtr cl, int32_t securityType) + void + rfbAuthNewClient(rfbClientPtr cl) + { +- int32_t securityType = rfbSecTypeInvalid; ++ int32_t securityType; + +- if (!cl->screen->authPasswdData || cl->reverseConnection) { +- /* chk if this condition is valid or not. */ +- securityType = rfbSecTypeNone; +- } else if (cl->screen->authPasswdData) { +- securityType = rfbSecTypeVncAuth; +- } ++ securityType = determinePrimarySecurityType(cl); + + if (cl->protocolMajorVersion==3 && cl->protocolMinorVersion < 7) + { + /* Make sure we use only RFB 3.3 compatible security types. */ ++ if (channelSecurityHandlers) { ++ rfbLog("VNC channel security enabled - RFB 3.3 client rejected\n"); ++ rfbClientConnFailed(cl, "Your viewer cannot hnadler required " ++ "security methods"); ++ return; ++ } + if (securityType == rfbSecTypeInvalid) { + rfbLog("VNC authentication disabled - RFB 3.3 client rejected\n"); + rfbClientConnFailed(cl, "Your viewer cannot handle required " +@@ -316,9 +394,11 @@ rfbAuthNewClient(rfbClientPtr cl) + return; + } + rfbSendSecurityType(cl, securityType); ++ } else if (channelSecurityHandlers) { ++ rfbSendChannelSecurityTypeList(cl); + } else { + /* Here it's ok when securityType is set to rfbSecTypeInvalid. */ +- rfbSendSecurityTypeList(cl, securityType); ++ rfbSendSecurityTypeList(cl, RFB_SECURITY_TAG_NONE); + } + } + +@@ -332,6 +412,7 @@ rfbProcessClientSecurityType(rfbClientPtr cl) + int n; + uint8_t chosenType; + rfbSecurityHandler* handler; ++ rfbSecurityHandler* handlerListHead; + + /* Read the security type. */ + n = rfbReadExact(cl, (char *)&chosenType, 1); +@@ -344,8 +425,17 @@ rfbProcessClientSecurityType(rfbClientPtr cl) + return; + } + ++ switch (cl->state) { ++ case RFB_CHANNEL_SECURITY_TYPE: ++ handlerListHead = channelSecurityHandlers; ++ break; ++ case RFB_SECURITY_TYPE: ++ handlerListHead = securityHandlers; ++ break; ++ } ++ + /* Make sure it was present in the list sent by the server. */ +- for (handler = securityHandlers; handler; handler = handler->next) { ++ for (handler = handlerListHead; handler; handler = handler->next) { + if (chosenType == handler->type) { + rfbLog("rfbProcessClientSecurityType: executing handler for type %d\n", chosenType); + handler->handler(cl); +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index fbedd9f..1e8b3c1 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -643,6 +643,7 @@ rfbProcessClientMessage(rfbClientPtr cl) + case RFB_PROTOCOL_VERSION: + rfbProcessClientProtocolVersion(cl); + return; ++ case RFB_CHANNEL_SECURITY_TYPE: + case RFB_SECURITY_TYPE: + rfbProcessClientSecurityType(cl); + return; +diff --git a/rfb/rfb.h b/rfb/rfb.h +index ba9e898..be58d08 100644 +--- a/rfb/rfb.h ++++ b/rfb/rfb.h +@@ -182,6 +182,11 @@ typedef struct { + } data; /**< there have to be count*3 entries */ + } rfbColourMap; + ++enum rfbSecurityTag { ++ RFB_SECURITY_TAG_NONE = 0, ++ RFB_SECURITY_TAG_CHANNEL = 1 << 0 ++}; ++ + /** + * Security handling (RFB protocol version 3.7) + */ +@@ -190,6 +195,7 @@ typedef struct _rfbSecurity { + uint8_t type; + void (*handler)(struct _rfbClientRec* cl); + struct _rfbSecurity* next; ++ enum rfbSecurityTag securityTags; + } rfbSecurityHandler; + + /** +@@ -506,7 +512,7 @@ typedef struct _rfbClientRec { + /** Possible client states: */ + enum { + RFB_PROTOCOL_VERSION, /**< establishing protocol version */ +- RFB_SECURITY_TYPE, /**< negotiating security (RFB v.3.7) */ ++ RFB_SECURITY_TYPE, /**< negotiating security (RFB v.3.7) */ + RFB_AUTHENTICATION, /**< authenticating */ + RFB_INITIALISATION, /**< sending initialisation messages */ + RFB_NORMAL, /**< normal protocol messages */ +@@ -514,7 +520,9 @@ typedef struct _rfbClientRec { + /* Ephemeral internal-use states that will never be seen by software + * using LibVNCServer to provide services: */ + +- RFB_INITIALISATION_SHARED /**< sending initialisation messages with implicit shared-flag already true */ ++ RFB_INITIALISATION_SHARED, /**< sending initialisation messages with implicit shared-flag already true */ ++ ++ RFB_CHANNEL_SECURITY_TYPE, /**< negotiating security (RFB v.3.7) */ + } state; + + rfbBool reverseConnection; +@@ -855,6 +863,9 @@ extern void rfbProcessClientSecurityType(rfbClientPtr cl); + extern void rfbAuthProcessClientMessage(rfbClientPtr cl); + extern void rfbRegisterSecurityHandler(rfbSecurityHandler* handler); + extern void rfbUnregisterSecurityHandler(rfbSecurityHandler* handler); ++extern void rfbRegisterChannelSecurityHandler(rfbSecurityHandler* handler); ++extern void rfbUnregisterChannelSecurityHandler(rfbSecurityHandler* handler); ++extern void rfbSendSecurityTypeList(rfbClientPtr cl, enum rfbSecurityTag exclude); + + /* rre.c */ + +-- +2.17.1 + diff --git a/SOURCES/0040-Ensure-compatibility-with-gtk-vnc-0.7.0.patch b/SOURCES/0040-Ensure-compatibility-with-gtk-vnc-0.7.0.patch new file mode 100644 index 0000000..a814328 --- /dev/null +++ b/SOURCES/0040-Ensure-compatibility-with-gtk-vnc-0.7.0.patch @@ -0,0 +1,28 @@ +From 75f04c14e49e084e41bdd5491edad8823773a08c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Tue, 14 Feb 2017 12:42:04 +0100 +Subject: [PATCH 40/98] Ensure compatibility with gtk-vnc 0.7.0+ + +--- + libvncserver/websockets.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libvncserver/websockets.c b/libvncserver/websockets.c +index 72396c2..0b2d46f 100644 +--- a/libvncserver/websockets.c ++++ b/libvncserver/websockets.c +@@ -245,7 +245,10 @@ webSocketsCheck (rfbClientPtr cl) + return FALSE; + } + +- if (strncmp(bbuf, "<", 1) == 0) { ++ if (strncmp(bbuf, "RFB ", 4) == 0) { ++ rfbLog("Normal socket connection\n"); ++ return TRUE; ++ } else if (strncmp(bbuf, "<", 1) == 0) { + rfbLog("Got Flash policy request, sending response\n"); + if (rfbWriteExact(cl, FLASH_POLICY_RESPONSE, + SZ_FLASH_POLICY_RESPONSE) < 0) { +-- +2.9.4 + diff --git a/SOURCES/LibVNCServer-0.9.10-system-crypto-policy.patch b/SOURCES/LibVNCServer-0.9.10-system-crypto-policy.patch new file mode 100644 index 0000000..47d540b --- /dev/null +++ b/SOURCES/LibVNCServer-0.9.10-system-crypto-policy.patch @@ -0,0 +1,26 @@ +diff -Naur libvncserver-LibVNCServer-0.9.10.old/libvncclient/tls_gnutls.c libvncserver-LibVNCServer-0.9.10/libvncclient/tls_gnutls.c +--- libvncserver-LibVNCServer-0.9.10.old/libvncclient/tls_gnutls.c 2015-12-12 00:14:37.269157918 +0100 ++++ libvncserver-LibVNCServer-0.9.10/libvncclient/tls_gnutls.c 2015-12-12 11:23:29.391385234 +0100 +@@ -31,8 +31,8 @@ + #include "tls.h" + + +-static const char *rfbTLSPriority = "NORMAL:+DHE-DSS:+RSA:+DHE-RSA:+SRP"; +-static const char *rfbAnonTLSPriority= "NORMAL:+ANON-DH"; ++static const char *rfbTLSPriority = "@SYSTEM"; ++static const char *rfbAnonTLSPriority= "@SYSTEM:+ANON-DH"; + + #define DH_BITS 1024 + static gnutls_dh_params_t rfbDHParams; +diff -Naur libvncserver-LibVNCServer-0.9.10.old/libvncserver/rfbssl_gnutls.c libvncserver-LibVNCServer-0.9.10/libvncserver/rfbssl_gnutls.c +--- libvncserver-LibVNCServer-0.9.10.old/libvncserver/rfbssl_gnutls.c 2015-12-12 00:14:37.270157930 +0100 ++++ libvncserver-LibVNCServer-0.9.10/libvncserver/rfbssl_gnutls.c 2015-12-12 11:14:49.966830581 +0100 +@@ -54,7 +54,7 @@ + + if (!GNUTLS_E_SUCCESS == (ret = gnutls_init(&session, GNUTLS_SERVER))) { + /* */ +- } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_priority_set_direct(session, "EXPORT", NULL))) { ++ } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_set_default_priority(session))) { + /* */ + } else if (!GNUTLS_E_SUCCESS == (ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctx->x509_cred))) { + /* */ diff --git a/SOURCES/libvncserver-0.9.1-multilib.patch b/SOURCES/libvncserver-0.9.1-multilib.patch new file mode 100644 index 0000000..d54a470 --- /dev/null +++ b/SOURCES/libvncserver-0.9.1-multilib.patch @@ -0,0 +1,20 @@ +diff -up LibVNCServer-0.9.1/libvncserver-config.in.multilib LibVNCServer-0.9.1/libvncserver-config.in +--- LibVNCServer-0.9.1/libvncserver-config.in.multilib 2007-05-26 21:28:25.000000000 -0500 ++++ LibVNCServer-0.9.1/libvncserver-config.in 2008-01-22 14:51:08.000000000 -0600 +@@ -4,7 +4,6 @@ prefix=@prefix@ + exec_prefix=@exec_prefix@ + exec_prefix_set=no + includedir=@includedir@ +-libdir=@libdir@ + + # if this script is in the same directory as libvncserver-config.in, assume not installed + if [ -f "`dirname "$0"`/libvncserver-config.in" ]; then +@@ -63,7 +62,7 @@ while test $# -gt 0; do + libs="$libs -R$dir" + fi + done +- echo "$libs" -lvncserver -lvncclient @LIBS@ @WSOCKLIB@ ++ echo "$libs" -lvncserver -lvncclient + ;; + --link) + echo @CC@ diff --git a/SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch b/SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch new file mode 100644 index 0000000..3140fcb --- /dev/null +++ b/SOURCES/libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch @@ -0,0 +1,82 @@ +From d9a832a2edbf95d664b07791f77a22ac3dfb95f5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Thu, 10 Jan 2019 12:11:04 +0100 +Subject: [PATCH] Fix CVE-2018-15127 (Heap out-of-bounds write in + rfbserver.c:rfbProcessFileTransferReadBuffer()) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch contains the following three upstream patches squashed +together and ported to 0.9.11 version: + + commit 502821828ed00b4a2c4bef90683d0fd88ce495de + Author: Christian Beier + Date: Sun Oct 21 20:21:30 2018 +0200 + + LibVNCServer: fix heap out-of-bound write access + + Closes #243 + + commit 15bb719c03cc70f14c36a843dcb16ed69b405707 + Author: Christian Beier + Date: Sun Jan 6 15:13:56 2019 +0100 + + Error out in rfbProcessFileTransferReadBuffer if length can not be allocated + + re #273 + + commit 09e8fc02f59f16e2583b34fe1a270c238bd9ffec + Author: Petr Písař + Date: Mon Jan 7 10:40:01 2019 +0100 + + Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer() + + This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap + out-of-bound write access in rfbProcessFileTransferReadBuffer() when + reading a transfered file content in a server. The former fix did not + work on platforms with a 32-bit int type (expected by rfbReadExact()). + + CVE-2018-15127 + + + +Signed-off-by: Petr Písař +--- + libvncserver/rfbserver.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index b50a7f4..1b4dd97 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -1471,11 +1471,24 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length) + int n=0; + + FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL); ++ + /* +- rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length); ++ We later alloc length+1, which might wrap around on 32-bit systems if length equals ++ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF ++ will safely be allocated since this check will never trigger and malloc() can digest length+1 ++ without problems as length is a uint32_t. ++ We also later pass length to rfbReadExact() that expects a signed int type and ++ that might wrap on platforms with a 32-bit int type if length is bigger ++ than 0X7FFFFFFF. + */ ++ if(length == SIZE_MAX || length > INT_MAX) { ++ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); ++ rfbCloseClient(cl); ++ return NULL; ++ } ++ + if (length>0) { +- buffer=malloc(length+1); ++ buffer=malloc((size_t)length+1); + if (buffer!=NULL) { + if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) { + if (n != 0) +-- +2.17.2 + diff --git a/SOURCES/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch b/SOURCES/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch new file mode 100644 index 0000000..2a71f7f --- /dev/null +++ b/SOURCES/libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch @@ -0,0 +1,40 @@ +From e7d578afbb16592ccee8f13aedd65b2220e220ae Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Tue, 6 Mar 2018 11:58:02 +0100 +Subject: [PATCH] Limit client cut text length to 1 MB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch constrains client text length to 1 MB. Otherwise a client +could make server allocate 2 GB of memory and that seems to be to much +to classify it as denial of service. + +I keep the previous checks for maximal type values intentionally as +a course of defensive coding. (You cannot never know how small the +types are. And as a warning for people patching out this change not to +introduce CVE-2018-7225 again.) + +Signed-off-by: Petr Písař +--- + libvncserver/rfbserver.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index a9561fc..0027343 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -2587,7 +2587,9 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) + * argument. Here we check that the value fits into all of them to + * prevent from misinterpretation and thus from accessing uninitialized + * memory. CVE-2018-7225 */ +- if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { ++ /* But first to prevent from a denial-of-service by allocating to much ++ * memory in the server, we impose a limit of 1 MB. */ ++ if (msg.cct.length > 1<<20 || msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { + rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", + msg.cct.length); + rfbCloseClient(cl); +-- +2.13.6 + diff --git a/SOURCES/libvncserver-0.9.11-Validate-client-cut-text-length.patch b/SOURCES/libvncserver-0.9.11-Validate-client-cut-text-length.patch new file mode 100644 index 0000000..dc89cdf --- /dev/null +++ b/SOURCES/libvncserver-0.9.11-Validate-client-cut-text-length.patch @@ -0,0 +1,76 @@ +From 0073e4f694d5a51bb72ff12a5e8364b6e752e094 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 26 Feb 2018 13:48:00 +0100 +Subject: [PATCH] Validate client cut text length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Client-provided unsigned 32-bit cut text length is passed to various +functions that expects argument of a different type. + +E.g. "RFB 003.003\n\001\006\0\0\0\xff\xff\xff\xff" string sent to the +RFB server leads to 4294967295 msg.cct.length value that in turn is +interpreted as -1 by rfbReadExact() and thus uninitialized str buffer +with potentially sensitive data is passed to subsequent functions. + +This patch fixes it by checking for a maximal value that still can be +processed correctly. It also corrects accepting length value of zero +(malloc(0) is interpreted on differnet systems differently). + +Whether a client can make the server allocate up to 2 GB and cause +a denial of service on memory-tight systems is kept without answer. +A possible solution would be adding an arbitrary memory limit that is +deemed safe. + +CVE-2018-7225 + + +Signed-off-by: Petr Písař +--- + libvncserver/rfbserver.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 116c488..a9561fc 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -88,6 +88,12 @@ + #include + /* strftime() */ + #include ++/* SIZE_MAX */ ++#include ++/* PRIu32 */ ++#include ++/* INT_MAX */ ++#include + + #ifdef LIBVNCSERVER_WITH_WEBSOCKETS + #include "rfbssl.h" +@@ -2575,7 +2581,21 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) + + msg.cct.length = Swap32IfLE(msg.cct.length); + +- str = (char *)malloc(msg.cct.length); ++ /* uint32_t input is passed to malloc()'s size_t argument, ++ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int ++ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int ++ * argument. Here we check that the value fits into all of them to ++ * prevent from misinterpretation and thus from accessing uninitialized ++ * memory. CVE-2018-7225 */ ++ if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { ++ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", ++ msg.cct.length); ++ rfbCloseClient(cl); ++ return; ++ } ++ ++ /* Allow zero-length client cut text. */ ++ str = (char *)malloc(msg.cct.length ? msg.cct.length : 1); + if (str == NULL) { + rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); + rfbCloseClient(cl); +-- +2.13.6 + diff --git a/SOURCES/libvncserver-0.9.11-soname.patch b/SOURCES/libvncserver-0.9.11-soname.patch new file mode 100644 index 0000000..3b45b34 --- /dev/null +++ b/SOURCES/libvncserver-0.9.11-soname.patch @@ -0,0 +1,22 @@ +diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.soname libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am +--- libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.soname 2017-05-16 10:21:51.500768946 -0500 ++++ libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am 2017-05-17 11:26:44.383312391 -0500 +@@ -25,5 +25,5 @@ EXTRA_DIST=corre.c hextile.c rre.c tight + $(libvncclient_la_OBJECTS): ../rfb/rfbclient.h + + lib_LTLIBRARIES=libvncclient.la +-libvncclient_la_LDFLAGS = -version-info 1:0:0 ++libvncclient_la_LDFLAGS = -version-info 0:0:0 + +diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.soname libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am +--- libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.soname 2017-05-16 10:21:51.500768946 -0500 ++++ libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am 2017-05-17 11:27:02.259459683 -0500 +@@ -66,7 +66,7 @@ libvncserver_la_LIBADD += $(LIBSYSTEMD_L + endif + + lib_LTLIBRARIES=libvncserver.la +-libvncserver_la_LDFLAGS = -version-info 1:0:0 ++libvncserver_la_LDFLAGS = -version-info 0:0:0 + + if HAVE_RPM + $(PACKAGE)-$(VERSION).tar.gz: dist diff --git a/SOURCES/libvncserver-0.9.11-system_minilzo.patch b/SOURCES/libvncserver-0.9.11-system_minilzo.patch new file mode 100644 index 0000000..c513c40 --- /dev/null +++ b/SOURCES/libvncserver-0.9.11-system_minilzo.patch @@ -0,0 +1,55 @@ +diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am +--- libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am.system_minilzo 2017-02-14 10:54:54.308402791 -0600 ++++ libvncserver-LibVNCServer-0.9.11/libvncclient/Makefile.am 2017-02-14 10:56:28.007379315 -0600 +@@ -13,8 +13,8 @@ endif + endif + + +-libvncclient_la_SOURCES=cursor.c listen.c rfbproto.c sockets.c vncviewer.c ../common/minilzo.c $(TLSSRCS) +-libvncclient_la_LIBADD=$(TLSLIBS) ++libvncclient_la_SOURCES=cursor.c listen.c rfbproto.c sockets.c vncviewer.c $(TLSSRCS) ++libvncclient_la_LIBADD=$(TLSLIBS) -lminilzo + + noinst_HEADERS=../common/lzodefs.h ../common/lzoconf.h ../common/minilzo.h tls.h + +diff -up libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c +--- libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c.system_minilzo 2016-12-30 07:01:28.000000000 -0600 ++++ libvncserver-LibVNCServer-0.9.11/libvncclient/rfbproto.c 2017-02-14 10:54:54.309402801 -0600 +@@ -66,7 +66,7 @@ + #include + #endif + +-#include "minilzo.h" ++#include + #include "tls.h" + + #ifdef _MSC_VER +diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am +--- libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am.system_minilzo 2017-02-14 10:54:54.309402801 -0600 ++++ libvncserver-LibVNCServer-0.9.11/libvncserver/Makefile.am 2017-02-14 10:57:28.495009713 -0600 +@@ -53,11 +53,11 @@ endif + LIB_SRCS = main.c rfbserver.c rfbregion.c auth.c sockets.c $(WEBSOCKETSSRCS) \ + stats.c corre.c hextile.c rre.c translate.c cutpaste.c \ + httpd.c cursor.c font.c \ +- draw.c selbox.c ../common/d3des.c ../common/vncauth.c cargs.c ../common/minilzo.c ultra.c scale.c \ ++ draw.c selbox.c ../common/d3des.c ../common/vncauth.c cargs.c ultra.c scale.c \ + $(ZLIBSRCS) $(TIGHTSRCS) $(TIGHTVNCFILETRANSFERSRCS) + + libvncserver_la_SOURCES=$(LIB_SRCS) +-libvncserver_la_LIBADD=$(WEBSOCKETSSSLLIBS) ++libvncserver_la_LIBADD=$(WEBSOCKETSSSLLIBS) -lminilzo + + if WITH_SYSTEMD + AM_CPPFLAGS += -DLIBVNCSERVER_WITH_SYSTEMD +diff -up libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c.system_minilzo libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c +--- libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c.system_minilzo 2016-12-30 07:01:28.000000000 -0600 ++++ libvncserver-LibVNCServer-0.9.11/libvncserver/ultra.c 2017-02-14 10:54:54.309402801 -0600 +@@ -8,7 +8,7 @@ + */ + + #include +-#include "minilzo.h" ++#include + + /* + * cl->beforeEncBuf contains pixel data in the client's format. diff --git a/SPECS/libvncserver.spec b/SPECS/libvncserver.spec new file mode 100644 index 0000000..3c619a7 --- /dev/null +++ b/SPECS/libvncserver.spec @@ -0,0 +1,280 @@ +Summary: Library to make writing a VNC server easy +Name: libvncserver +Version: 0.9.11 +Release: 9%{?dist} + +# NOTE: --with-filetransfer => GPLv2 +License: GPLv2+ +URL: http://libvnc.github.io/ +Source0: https://github.com/LibVNC/libvncserver/archive/LibVNCServer-%{version}.tar.gz + +## upstream patches +Patch4: 0040-Ensure-compatibility-with-gtk-vnc-0.7.0.patch + +## TLS security type enablement patches +# https://github.com/LibVNC/libvncserver/pull/234 +Patch10: 0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch +Patch11: 0002-libvncserver-Add-channel-security-handlers.patch + +## downstream patches +Patch100: libvncserver-0.9.11-system_minilzo.patch +Patch101: libvncserver-0.9.1-multilib.patch +Patch102: LibVNCServer-0.9.10-system-crypto-policy.patch +# revert soname bump +Patch103: libvncserver-0.9.11-soname.patch +# 1/2 Fix CVE-2018-7225, bug #1546860 +Patch104: libvncserver-0.9.11-Validate-client-cut-text-length.patch +# 2/2 Fix CVE-2018-7225, bug #1546860 +Patch105: libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch +# Fix CVE-2018-15127 (Heap out-of-bounds write in +# rfbserver.c:rfbProcessFileTransferReadBuffer()), bug #1662997, upstream bugs +# +# +# +# fixed in upstream after 0.9.12 +Patch106: libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libgcrypt-devel +BuildRequires: libjpeg-devel +BuildRequires: libtool +BuildRequires: lzo-devel +BuildRequires: lzo-minilzo +BuildRequires: pkgconfig(gnutls) +BuildRequires: pkgconfig(libcrypto) +BuildRequires: pkgconfig(libpng) +BuildRequires: pkgconfig(libssl) +# Additional deps for --with-x11vnc, see https://bugzilla.redhat.com/show_bug.cgi?id=864947 +BuildRequires: pkgconfig(avahi-client) +BuildRequires: pkgconfig(ice) +BuildRequires: pkgconfig(x11) +BuildRequires: pkgconfig(xdamage) +BuildRequires: pkgconfig(xext) +BuildRequires: pkgconfig(xfixes) +BuildRequires: pkgconfig(xi) +BuildRequires: pkgconfig(xinerama) +BuildRequires: pkgconfig(xrandr) +BuildRequires: pkgconfig(xtst) + +# For %%check +BuildRequires: xorg-x11-xauth +BuildRequires: zlib-devel + +%description +LibVNCServer makes writing a VNC server (or more correctly, a program exporting +a frame-buffer via the Remote Frame Buffer protocol) easy. + +It hides the programmer from the tedious task of managing clients and +compression schemata. + +%package devel +Summary: Development files for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} +# libvncserver-config deps +Requires: coreutils + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + + +%prep +%setup -q -n %{name}-LibVNCServer-%{version} + +%patch4 -p1 -b .0004 + +%patch10 -p1 +%patch11 -p1 + +%patch100 -p1 -b .system_minilzo +# Nuke bundled minilzo +#rm -fv common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c + +%patch101 -p1 -b .multilib +%patch102 -p1 +%if 0%{?fedora} < 26 +%patch103 -p1 -b .soname +%global soname 0 +%else +%global soname 1 +%endif +%patch104 -p1 +%patch105 -p1 +%patch106 -p1 + +# Fix encoding +for file in ChangeLog ; do + mv ${file} ${file}.OLD && \ + iconv -f ISO_8859-1 -t UTF8 ${file}.OLD > ${file} && \ + touch --reference ${file}.OLD $file +done + +# Needed by patch 1 (and to nuke rpath's) +autoreconf -vif + + +%build +%configure \ + --disable-silent-rules \ + --disable-static \ + --without-filetransfer \ + --with-gcrypt \ + --with-png \ + --with-x11vnc + +# Hack to omit unused-direct-shlib-dependencies +sed -i -e 's! -shared ! -Wl,--as-needed\0!g' libtool + +make %{?_smp_mflags} + + +%install +%make_install + +# Unpackaged files +rm -fv %{buildroot}%{_bindir}/linuxvnc +rm -fv %{buildroot}%{_libdir}/lib*.a +rm -fv %{buildroot}%{_libdir}/lib*.la + + +%check +make -C test test ||: + + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + +%files +%license COPYING +%doc AUTHORS ChangeLog NEWS README TODO +%{_libdir}/libvncclient.so.%{soname}* +%{_libdir}/libvncserver.so.%{soname}* + +%files devel +%{_bindir}/libvncserver-config +%{_includedir}/rfb/ +%{_libdir}/libvncclient.so +%{_libdir}/libvncserver.so +%{_libdir}/pkgconfig/libvncclient.pc +%{_libdir}/pkgconfig/libvncserver.pc + + +%changelog +* Thu Jan 10 2019 Petr Pisar - 0.9.11-9 +- Fix CVE-2018-15127 (Heap out-of-bounds write in + rfbserver.c:rfbProcessFileTransferReadBuffer()) (bug #1662997) + +* Fri Jul 13 2018 Fedora Release Engineering - 0.9.11-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 19 2018 Jonas Ådahl - 0.9.11-7 +- Add API to enable implementing TLS security type + +* Mon Feb 26 2018 Petr Pisar - 0.9.11-6 +- Fix CVE-2018-7225 (bug #1546860) + +* Wed Feb 07 2018 Fedora Release Engineering - 0.9.11-5.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Aug 03 2017 Fedora Release Engineering - 0.9.11-4.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.9.11-3.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed May 17 2017 Rex Dieter - 0.9.11-2.1 +- revert soname bump for < f26 + +* Tue May 16 2017 Rex Dieter - 0.9.11-2 +- libvncclient sets +SRP in priority string (#1449605) +- libvncserver blocks gtk-vnc clients >= 0.7.0 (#1451321) + +* Tue Feb 14 2017 Rex Dieter - 0.9.11-1 +- 0.9.11 (#1421948) + +* Fri Feb 10 2017 Fedora Release Engineering - 0.9.10-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Feb 18 2016 Than Ngo - 0.9.10-5 +- fix conflict with max() macro with gcc6, which causes build failure in KDE/Qt + like krfb + +* Thu Feb 04 2016 Fedora Release Engineering - 0.9.10-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Dec 17 2015 Simone Caronni - 0.9.10-3 +- Update crypto policies patch. + +* Sat Dec 12 2015 Simone Caronni - 0.9.10-2 +- Add patch for using system crypto policies (#1179318). + +* Fri Dec 11 2015 Simone Caronni - 0.9.10-1 +- Update to official 0.9.10 release, update configure parameters and remove + upstreamed patches. +- Trim changelog. +- Clean up SPEC file. +- Add license macro. +- Remove very old obsolete/provides on pacakge with camel case (LibVNCServer). + +* Wed Jun 17 2015 Fedora Release Engineering - 0.9.10-0.7.20140718git9453be42 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu Sep 25 2014 Rex Dieter 0.9.10-0.6.20140718git9453be42 +- Security fixes (#1145878) ... +- CVE-2014-6051 (#1144287) +- CVE-2014-6052 (#1144288) +- CVE-2014-6053 (#1144289) +- CVE-2014-6054 (#1144291) +- CVE-2014-6055 (#1144293) + +* Sun Aug 17 2014 Fedora Release Engineering - 0.9.10-0.5.20140718git9453be42 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Aug 03 2014 Rex Dieter 0.9.10-0.4.20140718git9453be42 +- 20140718git9453be42 snapshot + +* Sun Aug 03 2014 Rex Dieter 0.9.10-0.3.20140405git646f844f +- include krfb patches (upstream pull request #16) + +* Sat Jun 07 2014 Fedora Release Engineering - 0.9.10-0.2.20140405git646f844f +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Apr 29 2014 Rex Dieter 0.9.10-0.1.20140405git646f844f +- Update to the latest git commit 646f844 (#1092245) + +* Mon Mar 31 2014 Rex Dieter 0.9.9-11 +- x11vnc crash when client connect (#972618) + pull in some upstream commits that may help + +* Sat Dec 21 2013 Rex Dieter - 0.9.9-10 +- include additional dependencies for x11vnc (#864947) +- %%build: --disable-silent-rules +- cleanup spec, drop support for old rpm (el5) + +* Sat Aug 03 2013 Fedora Release Engineering - 0.9.9-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Jul 23 2013 Rex Dieter 0.9.9-8 +- Automagic dependencies, explitictly build --with-gcrypt --with-png (#852660) + +* Thu Feb 14 2013 Rex Dieter 0.9.9-7 +- pkgconfig love (#854111) + +* Thu Feb 14 2013 Fedora Release Engineering - 0.9.9-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jan 18 2013 Adam Tkac - 0.9.9-5 +- rebuild due to "jpeg8-ABI" feature drop + +* Fri Dec 21 2012 Adam Tkac - 0.9.9-4 +- rebuild against new libjpeg + +* Thu Jul 26 2012 Rex Dieter 0.9.9-3 +- libvncserver fails to build in mock with selinux enabled (#843603) + +* Thu Jul 19 2012 Fedora Release Engineering - 0.9.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon May 07 2012 Rex Dieter 0.9.9-1 +- 0.9.9