From 0e4b8f3253c8ea5d81de6450aa185370187f5b65 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 05 2021 22:59:13 +0000
Subject: import vino-3.22.0-11.el8
---
diff --git a/SOURCES/Fix-crashes-under-FIPS.patch b/SOURCES/Fix-crashes-under-FIPS.patch
new file mode 100644
index 0000000..dddf33a
--- /dev/null
+++ b/SOURCES/Fix-crashes-under-FIPS.patch
@@ -0,0 +1,45 @@
+From 403bb480066605ee6270fa2c7c1fd55bf5d1dbe6 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy
+Date: Tue, 15 Jun 2021 10:10:11 +0200
+Subject: [PATCH] Fix crashes under FIPS
+
+When FIPS mode is enabled, gnutls_dh_params_generate2 returns 0, because
+DH_BITS is 1024, which is too small for FIPS. This causes
+gnutls_anon_set_server_dh_params to crash. Let's use
+gnutls_sec_param_to_pk_bits instead of the hardcoded DH_BITS value. It
+returns 2048 for GNUTLS_SEC_PARAM_MEDIUM, which is big enough. Just a note
+that the similar downstream patch is used for TigerVNC already.
+---
+ server/libvncserver/auth.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/server/libvncserver/auth.c b/server/libvncserver/auth.c
+index cfaed55..639d3c5 100644
+--- a/server/libvncserver/auth.c
++++ b/server/libvncserver/auth.c
+@@ -32,19 +32,17 @@ void
+ rfbAuthInitScreen(rfbScreenInfoPtr rfbScreen)
+ {
+ #ifdef VINO_HAVE_GNUTLS
+-#define DH_BITS 1024
+-
+ gnutls_global_init();
+
+ gnutls_anon_allocate_server_credentials(&rfbScreen->anonCredentials);
+
+ gnutls_dh_params_init(&rfbScreen->dhParams);
+- gnutls_dh_params_generate2(rfbScreen->dhParams, DH_BITS);
++ gnutls_dh_params_generate2(rfbScreen->dhParams,
++ gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH,
++ GNUTLS_SEC_PARAM_MEDIUM));
+
+ gnutls_anon_set_server_dh_params(rfbScreen->anonCredentials,
+ rfbScreen->dhParams);
+-
+-#undef DH_BITS
+ #endif /* VINO_HAVE_GNUTLS */
+ }
+
+--
+2.31.1
+
diff --git a/SPECS/vino.spec b/SPECS/vino.spec
index 766d6a5..d63227d 100644
--- a/SPECS/vino.spec
+++ b/SPECS/vino.spec
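Review bot: The result of `gnutls_dh_params_generate2` is still discarded in `rfbAuthInitScreen` (the `server/libvncserver/auth.c` hunk carried by `Fix-crashes-under-FIPS.patch`), so a generation failure for any reason other than the 1024-bit size would presumably reach `gnutls_anon_set_server_dh_params` in the same state that the commit message says crashes. GnuTLS documents a negative return code on error, so I would keep the result and stop before installing the parameters, e.g. `if (gnutls_dh_params_generate2(rfbScreen->dhParams, bits) < 0) return;` with `bits` holding the `gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM)` value, plus a log line through whatever logging helper this file already uses. `gnutls_global_init`, `gnutls_anon_allocate_server_credentials` and `gnutls_dh_params_init` are unchecked in the same way. Separately, a larger group does not authenticate the server: these are anonymous credentials, so the key exchange only protects against passive capture, and a one-line comment above `gnutls_anon_allocate_server_credentials` saying so would help the next reader.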
@@ -1,6 +1,6 @@ Name: vino Version: 3.22.0 -Release: 10%{?dist} +Release: 11%{?dist} Summary: A remote desktop system for GNOME License: GPLv2+ @@ -20,6 +20,9 @@ Patch4: Properly-remove-watches-when-changing-server-props.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1602728 Patch5: Fix-various-defects-reported-by-covscan.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1960705 +Patch6: Fix-crashes-under-FIPS.patch + BuildRequires: pkgconfig(avahi-client) BuildRequires: pkgconfig(avahi-glib) BuildRequires: pkgconfig(gnutls) @@ -54,6 +57,7 @@ connect to a running GNOME session using VNC. %patch3 -p1 -b .Prevent-monitoring-all-interfaces-after-change-of-ot.patch %patch4 -p1 -b .Properly-remove-watches-when-changing-server-props.patch %patch5 -p1 -b .Fix-various-defects-reported-by-covscan +%patch6 -p1 -b .Fix-crashes-under-FIPS %build @@ -81,15 +85,15 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/vino-server.desktop %post -%systemd_user_post +%systemd_user_post vino-server.service %preun -%systemd_user_preun +%systemd_user_preun vino-server.service %postun -%systemd_user_postun +%systemd_user_postun vino-server.service %files -f %{name}.lang @@ -103,6 +107,10 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/vino-server.desktop %changelog +* Tue Jun 29 2021 Ondrej Holy - 3.22.0-11 +- Fix crashes under FIPS +- Resolves: #1960705 + * Wed Sep 26 2018 Ondrej Holy - 3.22.0-10 - Fix various defects reported by covscan - Resolves: #1602728
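Review bot: The `%changelog` entry added for 3.22.0-11 records only the FIPS fix, but the `@@ -81,15 +85,15 @@` hunk also changes `%systemd_user_post`, `%systemd_user_preun` and `%systemd_user_postun` to pass `vino-server.service`. That changes what the package scriptlets do on install, removal and upgrade, so it deserves its own changelog line, e.g. `- Pass vino-server.service to the systemd user scriptlets`, with a bug reference if one exists.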