diff --git a/tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch b/tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3f46c7397c654feee28d56bfaca9a5b75e685fca
--- /dev/null
+++ b/tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch
@@ -0,0 +1,29 @@
+From 4db34f73d461b973867ddaf18bf690219229cd7a Mon Sep 17 00:00:00 2001
+From: Carlos Santos
+Date: Thu, 25 Jul 2024 18:39:59 -0300
+Subject: [PATCH] vncsession: use /bin/sh if the user shell is not set
+
+An empty shell field in the password file is valid, although not common.
+Use /bin/sh in this case, as documented in the passwd(5) man page, since
+the vncserver script requires a non-empty SHELL environment variable.
+
+Fixes issue #1786.
+
+Signed-off-by: Carlos Santos
+---
+ unix/vncserver/vncsession.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
+index 1ee096c7c..98a0432aa 100644
+--- a/unix/vncserver/vncsession.c
++++ b/unix/vncserver/vncsession.c
+@@ -545,7 +545,7 @@ run_script(const char *username, const char *display, char **envp)
+
+ // Set up some basic environment for the script
+ setenv("HOME", pwent->pw_dir, 1);
+- setenv("SHELL", pwent->pw_shell, 1);
++ setenv("SHELL", *pwent->pw_shell != '\0' ? pwent->pw_shell : "/bin/sh", 1);
+ setenv("LOGNAME", pwent->pw_name, 1);
+ setenv("USER", pwent->pw_name, 1);
+ setenv("USERNAME", pwent->pw_name, 1);
diff --git a/tigervnc.spec b/tigervnc.spec
index e12c52f4543f84c601455000ce0abd9abc4b30f0..9e7943023b3ce3abf550ba65252ac08a678eb9cb 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -1,11 +1,11 @@ -%define anolis_release .0.1 + #defining macros needed by SELinux %global selinuxtype targeted %global modulename vncsession Name: tigervnc Version: 1.13.1 -Release: 11%{anolis_release}%{?dist} +Release: 13%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1
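Review bot: The rewritten `setenv("SHELL", …)` line in run_script() (the unix/vncserver/vncsession.c hunk carried inside tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch) still discards setenv's return value, as do the HOME, LOGNAME, USER and USERNAME calls around it. If the call fails, the session script would start with whatever SHELL was already in the environment, or none, which is the condition this patch is meant to rule out. I would keep the selected value in a local and test the call, `if (setenv("SHELL", shell, 1) != 0)`, handling the failure the way the rest of run_script reports errors (its body starts and ends outside the hunk), and add a comment such as `// passwd(5): an empty shell field means /bin/sh` above the line. The new expression also dereferences `pwent->pw_shell` unconditionally; presumably the passwd lookup earlier in the function guarantees a non-NULL field, but that code is not visible here and is worth confirming.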
@@ -25,13 +25,12 @@ Source5: vncserver Patch1: tigervnc-use-gnome-as-default-session.patch Patch2: tigervnc-vncsession-restore-script-systemd-service.patch Patch3: tigervnc-dont-install-appstream-metadata-file.patch -# https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 -Patch201: xorg-CVE-2023-6816.patch # Upstream patches Patch50: tigervnc-support-username-alias-in-plainusers.patch Patch51: tigervnc-use-dup-to-get-available-fd-for-inetd.patch Patch52: tigervnc-add-option-to-force-view-only-remote-connections.patch +Patch53: tigervnc-vncsession-use-bin-sh-when-shell-not-set.patch # Upstreamable patches Patch80: tigervnc-dont-get-pointer-position-for-floating-device.patch @@ -41,6 +40,8 @@ Patch100: tigervnc-xserver120.patch # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start Patch101: 0001-rpath-hack.patch +# XServer patches + BuildRequires: make BuildRequires: gcc-c++ BuildRequires: gettext @@ -187,7 +188,6 @@ for all in `find . -type f -perm -001`; do done %patch100 -p1 -b .xserver120-rebased %patch101 -p1 -b .rpath -%patch201 -p1 -b .xorg-CVE-2023-6816 popd %patch1 -p1 -b .use-gnome-as-default-session @@ -198,6 +198,7 @@ popd %patch50 -p1 -b .support-username-alias-in-plainusers %patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd %patch52 -p1 -b .add-option-to-force-view-only-remote-connections +%patch53 -p1 -b .tigervnc-vncsession-use-bin-sh-when-shell-not-set # Upstreamable patches %patch80 -p1 -b .dont-get-pointer-position-for-floating-device 
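Review bot: The `# XServer patches` heading added in the second hunk is left empty while `Patch201: xorg-CVE-2023-6816.patch` (first hunk) and its `%patch201` line (third hunk) are removed, so the spec no longer records why the CVE-2023-6816 fix can be dropped. The changelog says the Xorg patches are already applied, which presumably means the xorg-x11-server source used for the build already contains the fix, but nothing in these hunks shows a version requirement that would confirm it. I would put a comment under the heading, e.g. `# CVE-2023-6816: already fixed in the xorg-x11-server source we build against (>= <VERSION-WITH-FIX>), patch dropped`, and, if that source is a BuildRequires, require that minimum version so a build against an older server source fails instead of shipping without the fix.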
@@ -355,8 +356,13 @@ fi %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %changelog -* Mon Aug 05 2024 Kaiqiang Wang - 1.13.1-11.0.1 -- Fic CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer +* Mon Aug 05 2024 Jan Grulich - 1.13.1-13 +- vncsession: use /bin/sh if the user shell is not set + Resolves: RHEL-52827 + +* Fri Jul 12 2024 Jan Grulich - 1.13.1-12 +- Fix FTBS: drop already applied Xorg patches + Resolves: RHEL-46696 * Tue May 28 2024 Jan Grulich - 1.13.1-11 - vncconfig: add option to force view-only remote client connections
diff --git a/xorg-CVE-2023-6816.patch b/xorg-CVE-2023-6816.patch
deleted file mode 100644
index 16b8468f337959d62ccd9139099bdde894b0173a..0000000000000000000000000000000000000000
--- a/xorg-CVE-2023-6816.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 77e294797db17845808462b588d4e7a2130196bc Mon Sep 17 00:00:00 2001
-From: Peter Hutterer
-Date: Thu, 14 Dec 2023 11:29:49 +1000
-Subject: [PATCH xserver] dix: allocate enough space for logical button maps
-
-Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
-each logical button currently down. Since buttons can be arbitrarily mapped
-to anything up to 255 make sure we have enough bits for the maximum mapping.
-
-CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
----
- Xi/xiquerypointer.c | 3 +--
- dix/enterleave.c | 5 +++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
-index 5b77b1a444..2b05ac5f39 100644
---- a/Xi/xiquerypointer.c
-+++ b/Xi/xiquerypointer.c
-@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
- if (pDev->button) {
- int i;
-
-- rep.buttons_len =
-- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
-+ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
- rep.length += rep.buttons_len;
- buttons = calloc(rep.buttons_len, 4);
- if (!buttons)
-diff --git a/dix/enterleave.c b/dix/enterleave.c
-index 867ec74363..ded8679d76 100644
---- a/dix/enterleave.c
-+++ b/dix/enterleave.c
-@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
-
- mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
-
-- /* XI 2 event */
-- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
-+ /* XI 2 event contains the logical button map - maps are CARD8
-+ * so we need 256 bits for the possibly maximum mapping */
-+ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
- btlen = bytes_to_int32(btlen);
- len = sizeof(xXIFocusInEvent) + btlen * 4;
-
---
-2.43.0
-