Hello community,
here is the log from the commit of package tigervnc.4091 for openSUSE:13.2:Update checked in at 2015-10-23 13:16:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/tigervnc.4091 (Old)
and /work/SRC/openSUSE:13.2:Update/.tigervnc.4091.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tigervnc.4091"
Changes:
--------
New Changes file:
--- /dev/null 2015-10-14 00:04:03.524025256 +0200
+++ /work/SRC/openSUSE:13.2:Update/.tigervnc.4091.new/tigervnc.changes 2015-10-23 13:16:54.000000000 +0200
@@ -0,0 +1,333 @@
+-------------------------------------------------------------------
+Wed Oct 14 10:42:29 UTC 2015 - msrb@suse.com
+
+- u_tigervnc-prioritize-anon-ecdh.patch
+ * Prefer ANON-ECDH over ANON-DH cipher to avoid java bug.
+ (bnc#950147)
+
+-------------------------------------------------------------------
+Thu Oct 1 23:19:24 UTC 2015 - msrb@suse.com
+
+- u_tigervnc-vncserver-clean-pid-files.patch
+ * vncserver: Clean pid files of dead processes. (bnc#948392)
+
+-------------------------------------------------------------------
+Tue Aug 25 15:12:02 UTC 2015 - msrb@suse.com
+
+- Remove commented out DefaultDepth 16 from 10-libvnc.conf file.
+ Using 16 bit depth can cause troubles and does not have any
+ positives anymore, so lets not suggest it to users. (bnc#942982)
+
+-------------------------------------------------------------------
+Tue May 5 12:35:17 UTC 2015 - privacy@not.given
+
+- compile with -fPIC - fixes build for armv7l. (bnc#929685)
+
+-------------------------------------------------------------------
+Wed Apr 1 12:12:36 UTC 2015 - msrb@suse.com
+
+- u_terminate_instead_of_ignoring_restart.patch
+ * Terminate instead of ignoring restart. (bnc#920969)
+
+-------------------------------------------------------------------
+Thu Feb 12 12:28:17 UTC 2015 - msrb@suse.com
+
+- U_xkb-check-strings-length-against-request-size.patch
+ * Check string lenghts in XkbSetGeometry request.
+ (bnc#915810, CVE-2015-0255)
+
+-------------------------------------------------------------------
+Mon Feb 2 13:10:47 UTC 2015 - msrb@suse.com
+
+- n_tigervnc_Revert_Attempt_to_handle_Ctrl-key.patch
+ * Revert bugged upstream commit. (bnc#915782)
+
+- Rebuild against fltk backported patches for cursor and clipboard
+ handling. (bnc#908738)
+
+-------------------------------------------------------------------
+Tue Jan 13 12:57:09 UTC 2015 - msrb@suse.com
+
+- Update to tigervnc 1.4.1 and X server 1.16.1. (bnc#911577)
+
+- Synchronize patches from xorg-x11-server that are relevant for Xvnc:
+ * U_BellProc-Send-bell-event-on-core-protocol-bell-when-requested.patch
+ * U_Xi_unvalidated_lengths_in_Xinput_extension.patch
+ * U_Xv_unvalidated_lengths_in_XVideo_extension_swapped_procs.patch
+ * U_dbe_Call_to_DDX_SwapBuffers_requires_address_of_int_not_unsigned_int.patch
+ * U_dbe_unvalidated_lengths_in_DbeSwapBuffers_calls.patch
+ * U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch
+ * U_dix_Missing_parens_in_REQUEST_FIXED_SIZE_macro.patch
+ * U_dix_integer_overflow_in_GetHosts.patch
+ * U_dix_integer_overflow_in_ProcPutImage.patch
+ * U_dix_integer_overflow_in_REQUEST_FIXED_SIZE.patch
+ * U_dix_integer_overflow_in_RegionSizeof.patch
+ * U_dri2_integer_overflow_in_ProcDRI2GetBuffers.patch
+ * U_dri3_unvalidated_lengths_in_DRI3_extension_swapped_procs.patch
+ * U_fb-Fix-invalid-bpp-for-24bit-depth-window.patch
+ * U_fb_Fix_Bresenham_algorithms_for_commonly_used_small_segments.patch
+ * U_glx_Add_safe__add_mul_pad.patch
+ * U_glx_Additional_paranoia_in___glXGetAnswerBuffer___GLX_GET_ANSWER_BUFFER.patch
+ * U_glx_Be_more_paranoid_about_variable_length_requests.patch
+ * U_glx_Be_more_strict_about_rejecting_invalid_image_sizes.patch
+ * U_glx_Fix_image_size_computation_for_EXT_texture_integer.patch
+ * U_glx_Fix_mask_truncation_in___glXGetAnswerBuffer.patch
+ * U_glx_Integer_overflow_protection_for_non_generated_render_requests.patch
+ * U_glx_Length_checking_for_GLXRender_requests.patch
+ * U_glx_Length_checking_for_RenderLarge_requests.patch
+ * U_glx_Length_checking_for_non_generated_single_request.patch
+ * U_glx_Length_checking_for_non_generated_vendor_private_requests.patch
+ * U_glx_Pass_remaining_request_length_into_varsize.patch
+ * U_glx_Request_length_checks_for_SetClientInfoARB.patch
+ * U_glx_Top_level_length_checking_for_swapped_VendorPrivate_requests.patch
+ * U_present_unvalidated_lengths_in_Present_extension_procs.patch
+ * U_randr_unvalidated_lengths_in_RandR_extension_swapped_procs.patch
+ * U_render_check_request_size_before_reading_it.patch
+ * U_render_unvalidated_lengths_in_Render_extn_swapped_procs.patch
+ * U_unchecked_malloc_may_allow_unauthed_client_to_crash_Xserver.patch
+ * U_xcmisc_unvalidated_length_in_SProcXCMiscGetXIDList.patch
+ * U_xfixes_unvalidated_length_in_SProcXFixesSelectSelectionInput.patch
+ * u_render-Cast-color-masks-to-unsigned-long-before-shifting-them.patch
+ * u_xorg-server-xdmcp.patch
+
+- Drop upstreamed/obsolete patches:
+ * tigervnc-1.2.80-fix-int-to-pointer.patch
+ * tigervnc-sf3492352.diff
+ * u_aarch64-support.patch
+ * u_arch-Fix-image-and-bitmap-byte-order-for-ppc64le.patch
+ * u_tigervnc-1.3.0-fix-use-after-free.patch
+ * u_tigervnc-check-shm-harder.patch
+
+
+-------------------------------------------------------------------
+Fri Dec 5 14:09:06 UTC 2014 - msrb@suse.com
+
+- U_tigervnc-Allow-SSecurity-to-specify-AccessRights-for-SConnect.patch,
+ U_tigervnc-vncpasswd-Ask-for-read-only-password.patch,
+ U_tigervnc-VncAuth-Read-and-use-readonly-password.patch,
+ U_tigervnc-Add-AccessSetDesktopSize-right.patch,
+ U_tigervnc-Use-new-API-for-getVncAuthPasswd.patch,
+ U_tigervnc-Limit-access-to-non-shared-mode.patch,
+ U_tigervnc-Make-sure-attributes-propagate-through-security-wrap.patch
+ * Add support for view only passwords. (bnc#901752)
+
+-------------------------------------------------------------------
+Tue Nov 25 15:26:45 UTC 2014 - msrb@suse.com
+
+- Add u_tigervnc-send-special-keys-directly.patch,
+ fix u_tigervnc-dont-send-ascii-control-characters.patch
+ * Send correctly keys that don't type any characters, such as
+ CTRL+Space. (bnc#906922)
+
+-------------------------------------------------------------------
+Mon Oct 13 11:51:03 UTC 2014 - msrb@suse.com
+
+- u_tigervnc-use_preferred_mode.patch
+ * Mark user chosen resolution as preferred. (bnc#896540)
+
+-------------------------------------------------------------------
+Mon Aug 18 13:58:30 UTC 2014 - sndirsch@suse.com
+
+- use update-alternatives only on openSUSE > 13.1
+
+-------------------------------------------------------------------
+Mon Aug 18 11:07:09 UTC 2014 - msrb@suse.com
+
+- u_tigervnc-check-shm-harder.patch
+ * Check if SHM really works before deciding to use it.
+ (bnc#890580)
+
+-------------------------------------------------------------------
+Mon Aug 4 10:37:08 UTC 2014 - msrb@suse.com
+
+- U_include-vencrypt-only-if-any-subtype-present.patch
+ * Do not automatically offer VeNCrypt security if none of it's
+ subtypes is selected. (bnc#889781)
+
+-------------------------------------------------------------------
+Wed Jun 4 11:39:54 UTC 2014 - msrb@suse.com
+
+- Fix some errors reported by rpmlint.
+
+-------------------------------------------------------------------
+Thu May 29 03:37:30 UTC 2014 - crrodriguez@opensuse.org
+
+- n_tigervnc-date-time.patch package republishes everyday
+ and gets on my nerves, this is because the binaries contain
+ hardcoded timestamps, avoid that.
+- export CXXFLAGS and CFLAGS before building ttigervnc otherwise
+ it gets built without optimization.
+- Make build verbose so it rpmlint catches errors like the above ones.
+
+-------------------------------------------------------------------
+Wed May 28 14:54:02 UTC 2014 - msrb@suse.com
+
+- Use update-alternatives.
+
+-------------------------------------------------------------------
+Tue May 20 13:55:30 UTC 2014 - msrb@suse.com
+
+- u_tigervnc-ignore-epipe-on-write.patch
+ * Do not display error message because of EPIPE on write.
+ (bnc#864676)
+
+-------------------------------------------------------------------
+Fri May 16 13:52:19 UTC 2014 - msrb@suse.com
+
+- Update to version 1.3.1
+ * Security release (CVE-2014-0011).
+
+-------------------------------------------------------------------
+Mon Apr 28 01:00:39 UTC 2014 - sndirsch@suse.com
+
+- added missing pkgconfig(xorg-macros) >= 1.14
+
+-------------------------------------------------------------------
+Sat Apr 26 12:04:30 UTC 2014 - sndirsch@suse.com
+
+- xorg-x11-Xvnc: require xkeyboard-config (bnc#875329)
+
+-------------------------------------------------------------------
+Fri Apr 25 11:55:11 UTC 2014 - msrb@suse.com
+
+- vnc.xinetd
+ * Do not use 16 bpp by default anymore. The network trafic gain
+ of 16 bpp together with Tight encoding is arguable. 16 bpp
+ causes graphical issues and is known to not work properly
+ in Mesa. (bnc#871965)
++++ 136 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.2:Update/.tigervnc.4091.new/tigervnc.changes
New:
----
10-libvnc.conf
N_xorg-server-xdmcp.patch
U_BellProc-Send-bell-event-on-core-protocol-bell-when-requested.patch
U_Xi_unvalidated_lengths_in_Xinput_extension.patch
U_Xv_unvalidated_lengths_in_XVideo_extension_swapped_procs.patch
U_dbe_Call_to_DDX_SwapBuffers_requires_address_of_int_not_unsigned_int.patch
U_dbe_unvalidated_lengths_in_DbeSwapBuffers_calls.patch
U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch
U_dix_Missing_parens_in_REQUEST_FIXED_SIZE_macro.patch
U_dix_integer_overflow_in_GetHosts.patch
U_dix_integer_overflow_in_ProcPutImage.patch
U_dix_integer_overflow_in_REQUEST_FIXED_SIZE.patch
U_dix_integer_overflow_in_RegionSizeof.patch
U_dri2_integer_overflow_in_ProcDRI2GetBuffers.patch
U_dri3_unvalidated_lengths_in_DRI3_extension_swapped_procs.patch
U_fb-Fix-invalid-bpp-for-24bit-depth-window.patch
U_fb_Fix_Bresenham_algorithms_for_commonly_used_small_segments.patch
U_glx_Add_safe__add_mul_pad.patch
U_glx_Additional_paranoia_in___glXGetAnswerBuffer___GLX_GET_ANSWER_BUFFER.patch
U_glx_Be_more_paranoid_about_variable_length_requests.patch
U_glx_Be_more_strict_about_rejecting_invalid_image_sizes.patch
U_glx_Fix_image_size_computation_for_EXT_texture_integer.patch
U_glx_Fix_mask_truncation_in___glXGetAnswerBuffer.patch
U_glx_Integer_overflow_protection_for_non_generated_render_requests.patch
U_glx_Length_checking_for_GLXRender_requests.patch
U_glx_Length_checking_for_RenderLarge_requests.patch
U_glx_Length_checking_for_non_generated_single_request.patch
U_glx_Length_checking_for_non_generated_vendor_private_requests.patch
U_glx_Pass_remaining_request_length_into_varsize.patch
U_glx_Request_length_checks_for_SetClientInfoARB.patch
U_glx_Top_level_length_checking_for_swapped_VendorPrivate_requests.patch
U_include-vencrypt-only-if-any-subtype-present.patch
U_present_unvalidated_lengths_in_Present_extension_procs.patch
U_randr_unvalidated_lengths_in_RandR_extension_swapped_procs.patch
U_render_check_request_size_before_reading_it.patch
U_render_unvalidated_lengths_in_Render_extn_swapped_procs.patch
U_tigervnc-Add-AccessSetDesktopSize-right.patch
U_tigervnc-Allow-SSecurity-to-specify-AccessRights-for-SConnect.patch
U_tigervnc-Limit-access-to-non-shared-mode.patch
U_tigervnc-Make-sure-attributes-propagate-through-security-wrap.patch
U_tigervnc-Use-new-API-for-getVncAuthPasswd.patch
U_tigervnc-VncAuth-Read-and-use-readonly-password.patch
U_tigervnc-vncpasswd-Ask-for-read-only-password.patch
U_unchecked_malloc_may_allow_unauthed_client_to_crash_Xserver.patch
U_xcmisc_unvalidated_length_in_SProcXCMiscGetXIDList.patch
U_xfixes_unvalidated_length_in_SProcXFixesSelectSelectionInput.patch
U_xkb-check-strings-length-against-request-size.patch
index.vnc
n_tigervnc-date-time.patch
n_tigervnc-dont-build-gtf.patch
n_tigervnc_Revert_Attempt_to_handle_Ctrl-key.patch
tigervnc-1.4.1.tar.gz
tigervnc-clean-pressed-key-on-exit.patch
tigervnc-newfbsize.patch
tigervnc-sf3495623.patch
tigervnc.changes
tigervnc.spec
u_render-Cast-color-masks-to-unsigned-long-before-shifting-them.patch
u_terminate_instead_of_ignoring_restart.patch
u_tigervnc-dont-send-ascii-control-characters.patch
u_tigervnc-ignore-epipe-on-write.patch
u_tigervnc-prioritize-anon-ecdh.patch
u_tigervnc-send-special-keys-directly.patch
u_tigervnc-use_preferred_mode.patch
u_tigervnc-vncserver-clean-pid-files.patch
u_xorg-server-xdmcp.patch
vnc-httpd.firewall
vnc-server.firewall
vnc.reg
vnc.xinetd
vnc_inetd_httpd
vncpasswd.arg
xorg-server-1.16.1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tigervnc.spec ++++++
#
# spec file for package tigervnc
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: tigervnc
Version: 1.4.1
Release: 0
Provides: tightvnc = 1.3.9
Obsoletes: tightvnc < 1.3.9
Provides: vnc
BuildRequires: Mesa-devel
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: cmake
BuildRequires: fltk-devel
BuildRequires: gcc-c++
BuildRequires: gcc-c++
BuildRequires: java-devel
BuildRequires: jpackage-utils
BuildRequires: libjpeg-devel
BuildRequires: libopenssl-devel
BuildRequires: libtool
BuildRequires: nasm
BuildRequires: xorg-x11-server-sdk
BuildRequires: pkgconfig(x11)
BuildRequires: pkgconfig(xext)
BuildRequires: pkgconfig(xproto)
BuildRequires: pkgconfig(xtst)
# Because of keytool to build java client
BuildRequires: libgcrypt-devel
BuildRequires: libgpg-error-devel
BuildRequires: mozilla-nss
BuildRequires: pam-devel
BuildRequires: pkg-config
BuildRequires: xmlto
BuildRequires: xorg-x11-libICE-devel
BuildRequires: xorg-x11-libSM-devel
BuildRequires: pkgconfig(bigreqsproto) >= 1.1.0
BuildRequires: pkgconfig(compositeproto) >= 0.4
BuildRequires: pkgconfig(damageproto) >= 1.1
BuildRequires: pkgconfig(dri)
BuildRequires: pkgconfig(fixesproto) >= 4.1
BuildRequires: pkgconfig(fontsproto)
BuildRequires: pkgconfig(fontutil)
BuildRequires: pkgconfig(gl)
BuildRequires: pkgconfig(glproto)
BuildRequires: pkgconfig(gnutls)
BuildRequires: pkgconfig(inputproto) >= 1.9.99.902
BuildRequires: pkgconfig(kbproto) >= 1.0.3
BuildRequires: pkgconfig(libtasn1)
BuildRequires: pkgconfig(openssl)
BuildRequires: pkgconfig(pciaccess) >= 0.8.0
BuildRequires: pkgconfig(pixman-1) >= 0.15.20
BuildRequires: pkgconfig(randrproto) >= 1.2.99.3
BuildRequires: pkgconfig(recordproto) >= 1.13.99.1
BuildRequires: pkgconfig(renderproto) >= 0.11
BuildRequires: pkgconfig(resourceproto)
BuildRequires: pkgconfig(scrnsaverproto) >= 1.1
BuildRequires: pkgconfig(videoproto)
BuildRequires: pkgconfig(xau)
BuildRequires: pkgconfig(xcmiscproto) >= 1.2.0
BuildRequires: pkgconfig(xdmcp)
BuildRequires: pkgconfig(xextproto) >= 7.0.99.3
BuildRequires: pkgconfig(xfont) >= 1.4.2
BuildRequires: pkgconfig(xineramaproto)
BuildRequires: pkgconfig(xkbfile)
BuildRequires: pkgconfig(xorg-macros) >= 1.14
BuildRequires: pkgconfig(xproto) >= 7.0.17
BuildRequires: pkgconfig(xtrans) >= 1.2.2
%if 0%{?suse_version} >= 1315
Requires(post): update-alternatives
Requires(postun): update-alternatives
%endif
Url: http://sourceforge.net/apps/mediawiki/tigervnc/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Summary: A high-performance, platform-neutral implementation of VNC
License: GPL-2.0 and MIT
Group: System/X11/Servers/XF86_4
Source1: tigervnc-1.4.1.tar.gz
Source2: xorg-server-1.16.1.tar.bz2
Source3: vnc.xinetd
Source4: 10-libvnc.conf
Source5: vnc-server.firewall
Source6: vnc-httpd.firewall
Source7: vnc_inetd_httpd
Source8: vnc.reg
Source9: vncpasswd.arg
Source10: index.vnc
# Tiger vnc patches
Patch1: tigervnc-newfbsize.patch
Patch2: tigervnc-clean-pressed-key-on-exit.patch
Patch3: tigervnc-sf3495623.patch
Patch4: u_tigervnc-dont-send-ascii-control-characters.patch
Patch5: u_tigervnc-ignore-epipe-on-write.patch
Patch6: n_tigervnc-date-time.patch
Patch7: U_include-vencrypt-only-if-any-subtype-present.patch
Patch8: u_tigervnc-use_preferred_mode.patch
Patch9: u_tigervnc-send-special-keys-directly.patch
Patch10: U_tigervnc-Allow-SSecurity-to-specify-AccessRights-for-SConnect.patch
Patch11: U_tigervnc-vncpasswd-Ask-for-read-only-password.patch
Patch12: U_tigervnc-VncAuth-Read-and-use-readonly-password.patch
Patch13: U_tigervnc-Add-AccessSetDesktopSize-right.patch
Patch14: U_tigervnc-Use-new-API-for-getVncAuthPasswd.patch
Patch15: U_tigervnc-Limit-access-to-non-shared-mode.patch
Patch16: U_tigervnc-Make-sure-attributes-propagate-through-security-wrap.patch
Patch17: n_tigervnc_Revert_Attempt_to_handle_Ctrl-key.patch
Patch18: u_terminate_instead_of_ignoring_restart.patch
Patch19: u_tigervnc-vncserver-clean-pid-files.patch
Patch20: u_tigervnc-prioritize-anon-ecdh.patch
# Xserver patches
Patch100: u_xorg-server-xdmcp.patch
Patch101: u_render-Cast-color-masks-to-unsigned-long-before-shifting-them.patch
Patch102: U_BellProc-Send-bell-event-on-core-protocol-bell-when-requested.patch
Patch103: U_fb-Fix-invalid-bpp-for-24bit-depth-window.patch
Patch104: U_unchecked_malloc_may_allow_unauthed_client_to_crash_Xserver.patch
Patch105: U_dix_integer_overflow_in_ProcPutImage.patch
Patch106: U_dix_integer_overflow_in_GetHosts.patch
Patch107: U_dix_integer_overflow_in_RegionSizeof.patch
Patch108: U_dix_integer_overflow_in_REQUEST_FIXED_SIZE.patch
Patch109: U_dri2_integer_overflow_in_ProcDRI2GetBuffers.patch
Patch110: U_dbe_unvalidated_lengths_in_DbeSwapBuffers_calls.patch
Patch111: U_Xi_unvalidated_lengths_in_Xinput_extension.patch
Patch112: U_xcmisc_unvalidated_length_in_SProcXCMiscGetXIDList.patch
Patch113: U_Xv_unvalidated_lengths_in_XVideo_extension_swapped_procs.patch
Patch114: U_dri3_unvalidated_lengths_in_DRI3_extension_swapped_procs.patch
Patch115: U_present_unvalidated_lengths_in_Present_extension_procs.patch
Patch116: U_randr_unvalidated_lengths_in_RandR_extension_swapped_procs.patch
Patch117: U_render_check_request_size_before_reading_it.patch
Patch118: U_render_unvalidated_lengths_in_Render_extn_swapped_procs.patch
Patch119: U_xfixes_unvalidated_length_in_SProcXFixesSelectSelectionInput.patch
Patch120: U_glx_Be_more_paranoid_about_variable_length_requests.patch
Patch121: U_glx_Be_more_strict_about_rejecting_invalid_image_sizes.patch
Patch122: U_glx_Additional_paranoia_in___glXGetAnswerBuffer___GLX_GET_ANSWER_BUFFER.patch
Patch123: U_glx_Fix_image_size_computation_for_EXT_texture_integer.patch
Patch124: U_glx_Add_safe__add_mul_pad.patch
Patch125: U_glx_Length_checking_for_GLXRender_requests.patch
Patch126: U_glx_Integer_overflow_protection_for_non_generated_render_requests.patch
Patch127: U_glx_Length_checking_for_RenderLarge_requests.patch
Patch128: U_glx_Top_level_length_checking_for_swapped_VendorPrivate_requests.patch
Patch129: U_glx_Request_length_checks_for_SetClientInfoARB.patch
Patch130: U_glx_Length_checking_for_non_generated_vendor_private_requests.patch
Patch131: U_glx_Length_checking_for_non_generated_single_request.patch
Patch132: U_glx_Pass_remaining_request_length_into_varsize.patch
Patch133: U_glx_Fix_mask_truncation_in___glXGetAnswerBuffer.patch
Patch134: U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch
Patch135: U_dix_Missing_parens_in_REQUEST_FIXED_SIZE_macro.patch
Patch136: U_dbe_Call_to_DDX_SwapBuffers_requires_address_of_int_not_unsigned_int.patch
Patch137: U_fb_Fix_Bresenham_algorithms_for_commonly_used_small_segments.patch
Patch138: U_xkb-check-strings-length-against-request-size.patch
%description
TigerVNC is a high-performance, platform-neutral implementation of VNC (Virtual Network Computing),
a client/server application that allows users to launch and interact with graphical applications on remote machines.
TigerVNC provides the levels of performance necessary to run 3D and video applications;
it attempts to maintain a common look and feel and re-use components, where possible, across the various platforms that it supports.
TigerVNC also provides extensions for advanced authentication methods and TLS encryption.
%package -n xorg-x11-Xvnc
Requires: xinetd
Requires: xkeyboard-config
Summary: TigerVNC implementation of Xvnc
Group: System/X11/Servers/XF86_4
%description -n xorg-x11-Xvnc
This is the TigerVNC implementation of Xvnc.
%prep
%setup -T -b1 -b2
cp -r ../xorg-server-*/* unix/xserver/
if [ -e unix/xserver/hw/xfree86/modes/xf86gtf.c -o -e unix/xserver/hw/xfree86/utils/gtf/gtf.c ]; then
echo "Files hw/xfree86/modes/xf86gtf hw/xfree86/utils/gtf/gtf.c have to be excluded from the xserver source tar ball (bnc#85566)."
exit 1
fi
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p0
%patch5 -p0
%patch6 -p1
%patch7 -p0
%patch8 -p0
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
pushd unix/xserver
patch -p1 < ../xserver116.patch
%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch103 -p1
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch107 -p1
%patch108 -p1
%patch109 -p1
%patch110 -p1
%patch111 -p1
%patch112 -p1
%patch113 -p1
%patch114 -p1
%patch115 -p1
%patch116 -p1
%patch117 -p1
%patch118 -p1
%patch119 -p1
%patch120 -p1
%patch121 -p1
%patch122 -p1
%patch123 -p1
%patch124 -p1
%patch125 -p1
%patch126 -p1
%patch127 -p1
%patch128 -p1
%patch129 -p1
%patch130 -p1
%patch131 -p1
%patch132 -p1
%patch133 -p1
%patch134 -p1
%patch135 -p1
%patch136 -p1
%patch137 -p1
%patch138 -p1
popd
%build
export CXXFLAGS="%optflags -fPIC"
export CFLAGS="%optflags -fPIC"
# Build all tigervnc
cmake -DCMAKE_VERBOSE_MAKEFILE=ON -DCMAKE_INSTALL_PREFIX:PATH=%{_prefix} -DCMAKE_BUILD_TYPE=RelWithDebInfo
make %{?_smp_mflags}
# Build Xvnc server
pushd unix/xserver
autoreconf -fi
%configure \
--disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
--disable-xwin --disable-xephyr --disable-kdrive --with-pic \
--disable-static --disable-xinerama \
--with-xkb-path="/usr/share/X11/xkb" \
--with-xkb-output="/var/lib/xkb/compiled" \
--enable-glx --enable-dri --enable-dri2 \
--disable-config-dbus \
--disable-config-hal \
--disable-config-udev \
--without-dtrace \
--disable-unit-tests \
--disable-devel-docs \
--with-fontrootdir=/usr/share/fonts \
--disable-selective-werror
make %{?_smp_mflags} V=1
popd
# Build java client
pushd java
cmake -DCMAKE_INSTALL_PREFIX:PATH=%{_prefix}
make %{?_smp_mflags}
popd
%install
%make_install
mv $RPM_BUILD_ROOT/usr/bin/vncviewer $RPM_BUILD_ROOT/usr/bin/vncviewer-tigervnc
mv $RPM_BUILD_ROOT/usr/share/man/man1/vncviewer.1 $RPM_BUILD_ROOT/usr/share/man/man1/vncviewer-tigervnc.1
pushd unix/xserver
%make_install
popd
pushd java
mkdir -p $RPM_BUILD_ROOT%{_datadir}/vnc/classes
install -m755 VncViewer.jar $RPM_BUILD_ROOT%{_datadir}/vnc/classes
popd
install -D -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/xinetd.d/vnc
%ifnarch s390x
install -D -m 644 %{SOURCE4} $RPM_BUILD_ROOT/etc/X11/xorg.conf.d/10-libvnc.conf
%endif
install -D -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/vnc-server
install -D -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/vnc-httpd
install -D -m 755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/vnc_inetd_httpd
install -D -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc/slp.reg.d/vnc.reg
install -D -m 755 %{SOURCE9} $RPM_BUILD_ROOT%{_bindir}/vncpasswd.arg
install -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_datadir}/vnc/classes
%if 0%{?suse_version} >= 1315
ln -s -f %{_sysconfdir}/alternatives/vncviewer $RPM_BUILD_ROOT%{_bindir}/vncviewer
ln -s -f %{_sysconfdir}/alternatives/vncviewer.1.gz $RPM_BUILD_ROOT%{_mandir}/man1/vncviewer.1.gz
%endif
%find_lang '%{name}'
%if 0%{?suse_version} >= 1315
%post
%_sbindir/update-alternatives \
--install %{_bindir}/vncviewer vncviewer %{_bindir}/vncviewer-tigervnc 20 \
--slave %{_mandir}/man1/vncviewer.1.gz vncviewer.1.gz %{_mandir}/man1/vncviewer-tigervnc.1.gz
%postun
if [ "$1" = 0 ] ; then
"%_sbindir/update-alternatives" --remove vncviewer /usr/bin/vncviewer-tigervnc
fi
%endif
%files -f %{name}.lang
%defattr(-,root,root,-)
%ghost %{_bindir}/vncviewer
%{_bindir}/vncviewer-tigervnc
%exclude /usr/share/doc/tigervnc-1.4.1
%doc LICENCE.TXT
%doc README.txt
%ghost %_mandir/man1/vncviewer.1.gz
%doc %_mandir/man1/vncviewer-tigervnc.1.gz
%if 0%{?suse_version} >= 1315
%ghost %_sysconfdir/alternatives/vncviewer
%ghost %_sysconfdir/alternatives/vncviewer.1.gz
%endif
%files -n xorg-x11-Xvnc
%defattr(-,root,root)
%{_bindir}/Xvnc
%{_bindir}/vncconfig
%{_bindir}/vncpasswd
%{_bindir}/vncpasswd.arg
%{_bindir}/vncserver
%{_bindir}/x0vncserver
%{_bindir}/vnc_inetd_httpd
%exclude %{_mandir}/man1/Xserver.1*
%{_mandir}/man1/Xvnc.1*
%{_mandir}/man1/vncconfig.1*
%{_mandir}/man1/vncpasswd.1*
%{_mandir}/man1/vncserver.1*
%{_mandir}/man1/x0vncserver.1*
%exclude /usr/%{_lib}/xorg/protocol.txt
%exclude /usr/%{_lib}/xorg/modules/extensions/libvnc.la
%ifnarch s390x
%{_libdir}/xorg/modules/extensions/libvnc.so
%else
%exclude %{_libdir}/xorg/modules
%exclude %{_libdir}/xorg/modules/extensions
%exclude %{_libdir}/xorg/modules/extensions/libvnc.so
%endif
%exclude /var/lib/xkb/compiled/README.compiled
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/vnc-server
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/vnc-httpd
%ifnarch s390x
%config(noreplace) /etc/X11/xorg.conf.d/10-libvnc.conf
%else
%exclude /etc/X11/xorg.conf.d
%endif
%config(noreplace) /etc/xinetd.d/vnc
%dir /etc/slp.reg.d
%config(noreplace) /etc/slp.reg.d/vnc.reg
%exclude /usr/lib/debug/*
%exclude /usr/lib/debug/.*
%exclude /usr/src/debug
%doc java/com/tigervnc/vncviewer/README
%{_datadir}/vnc
%changelog
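Review bot: Two files in the package's New list, `N_xorg-server-xdmcp.patch` and `n_tigervnc-dont-build-gtf.patch`, have no `PatchN:` tag and no `%patch` call in this spec, so they sit in the package sources without being applied. They should be wired in or dropped, because leftover patch files in a security update make it harder to audit which fixes are actually in the build. `Source1` and `Source2` are bare file names with no upstream URL or detached signature, so the origin of the two tarballs cannot be checked from the spec alone; full source URLs plus a signature source would help if upstream publishes them. Smaller points: `BuildRequires: gcc-c++` is listed twice, and the `%prep` guard would be more robust as `if [ -e unix/xserver/hw/xfree86/modes/xf86gtf.c ] || [ -e unix/xserver/hw/xfree86/utils/gtf/gtf.c ]; then` than with the obsolescent `-o` operator.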
++++++ 10-libvnc.conf ++++++
# This file contains configuration of libvnc.so module
#
# To get libvnc.so module working, do this:
# 1. run "vncpasswd" as root user
# 2. uncomment configuration lines below
#
# Please note you can specify any option which Xvnc accepts.
# Refer to `Xvnc -help` output for detailed list of options.
#Section "Module"
# Load "vnc"
#EndSection
#Section "Screen"
# Identifier "Screen0
# Option "SecurityTypes" "VncAuth"
# Option "PasswordFile" "/root/.vnc/passwd"
#EndSection
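Review bot: The commented `Identifier "Screen0` line is missing its closing quote, so a user who follows step 2 and uncomments the block ends up with a malformed `Section "Screen"`; it should read `# Identifier "Screen0"`. The example also offers only `Option "SecurityTypes" "VncAuth"`, which checks a password but does not encrypt the session. Since the package description advertises TLS support, a comment naming the encrypted security types (for example `TLSVnc` or `X509Vnc`; see `Xvnc -help` for the values this build accepts) would steer administrators towards a safer setting. It would also help to state that the `PasswordFile` created by `vncpasswd` must stay readable by root only.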
++++++ N_xorg-server-xdmcp.patch ++++++
Index: xorg-server-1.12.1/os/access.c
===================================================================
--- xorg-server-1.12.1.orig/os/access.c
+++ xorg-server-1.12.1/os/access.c
@@ -714,7 +714,9 @@ DefineSelf(int fd)
/*
* ignore 'localhost' entries as they're not useful
- * on the other end of the wire
+ * on the other end of the wire and because on hosts
+ * with shared home dirs they'll result in conflicting
+ * entries in ~/.Xauthority
*/
if (ifr->ifa_flags & IFF_LOOPBACK)
continue;
@@ -735,6 +737,14 @@ DefineSelf(int fd)
else if (family == FamilyInternet6 &&
IN6_IS_ADDR_LOOPBACK((struct in6_addr *) addr))
continue;
+
+ /* Ignore IPv6 link local addresses (fe80::/10), because
+ * they need a scope identifier, which we have no way
+ * of telling to the other end.
+ */
+ if (family == FamilyInternet6 &&
+ IN6_IS_ADDR_LINKLOCAL((struct in6_addr *)addr))
+ continue;
#endif
XdmcpRegisterConnection(family, (char *) addr, len);
#if defined(IPv6) && defined(AF_INET6)
++++++ U_BellProc-Send-bell-event-on-core-protocol-bell-when-requested.patch ++++++
From: Egbert Eich
Date: Mon Aug 4 19:16:30 2014 +0200
Subject: [PATCH] BellProc: Send bell event on core protocol bell when requested
Patch-mainline: Upstream
Git-commit: e6c8c7e46c79b2837a7d0b12079a47734eff1eb7
Git-repo: git://anongit.freedesktop.org/git/xorg/xserver
References: bnc#890323
Signed-off-by: Egbert Eich
XKB allows to override the BellProc() ringing the 'keyboard bell':
instead an event is sent to an X client which can perform an
appropriate action.
In most cases this effectively prevents the core protocol bell
from ringing: if no BellProc() is set for the device, no attempt
is made to ring a bell.
This patch ensures that an XKB bell event is sent also when
the core protocol bell is rung and thus an appropriate action
can be taken by a client.
Signed-off-by: Egbert Eich
Acked-by: Peter Hutterer
Signed-off-by: Keith Packard
---
dix/devices.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dix/devices.c b/dix/devices.c
index 7f079ff..5d26fae 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -2257,7 +2257,7 @@ ProcBell(ClientPtr client)
for (dev = inputInfo.devices; dev; dev = dev->next) {
if ((dev == keybd ||
(!IsMaster(dev) && GetMaster(dev, MASTER_KEYBOARD) == keybd)) &&
- dev->kbdfeed && dev->kbdfeed->BellProc) {
+ ((dev->kbdfeed && dev->kbdfeed->BellProc) || dev->xkb_interest)) {
rc = XaceHook(XACE_DEVICE_ACCESS, client, dev, DixBellAccess);
if (rc != Success)
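Review bot: With the widened condition a device can now enter this branch with `dev->kbdfeed == NULL` (when only `dev->xkb_interest` is set), so any later use of `dev->kbdfeed` inside the branch needs its own guard. The rest of the branch lies outside the hunk; if the bell call there still passes something derived from the feedback, such as `&dev->kbdfeed->ctrl`, it would be computed from a NULL pointer for such devices. A short comment on the condition, e.g. `/* kbdfeed may be NULL here when only xkb_interest is set */`, would make the new invariant visible to the next reader.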
++++++ U_Xi_unvalidated_lengths_in_Xinput_extension.patch ++++++
Subject: Xi: unvalidated lengths in Xinput extension
References: bnc#907268, CVE-2014-8095
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Multiple functions in the Xinput extension handling of requests from
clients failed to check that the length of the request sent by the
client was large enough to perform all the required operations and
thus could read or write to memory outside the bounds of the request
buffer.
This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
macro in include/dix.h for the common case of needing to ensure a
request is large enough to include both the request itself and a
minimum amount of extra data following the request header.
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
Xi/chgdctl.c | 8 ++++++--
Xi/chgfctl.c | 2 ++
Xi/sendexev.c | 3 +++
Xi/xiallowev.c | 2 ++
Xi/xichangecursor.c | 2 +-
Xi/xichangehierarchy.c | 35 ++++++++++++++++++++++++++++++++---
Xi/xigetclientpointer.c | 1 +
Xi/xigrabdev.c | 9 ++++++++-
Xi/xipassivegrab.c | 12 ++++++++++--
Xi/xiproperty.c | 14 ++++++--------
Xi/xiquerydevice.c | 1 +
Xi/xiquerypointer.c | 2 ++
Xi/xiselectev.c | 8 ++++++++
Xi/xisetclientpointer.c | 3 ++-
Xi/xisetdevfocus.c | 4 ++++
Xi/xiwarppointer.c | 2 ++
include/dix.h | 4 ++++
17 files changed, 94 insertions(+), 18 deletions(-)
diff --git a/Xi/chgdctl.c b/Xi/chgdctl.c
index d078aa2..b3ee867 100644
--- a/Xi/chgdctl.c
+++ b/Xi/chgdctl.c
@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client)
REQUEST(xChangeDeviceControlReq);
swaps(&stuff->length);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
swaps(&stuff->control);
ctl = (xDeviceCtl *) &stuff[1];
swaps(&ctl->control);
@@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client)
xDeviceEnableCtl *e;
REQUEST(xChangeDeviceControlReq);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
@@ -192,6 +192,10 @@ ProcXChangeDeviceControl(ClientPtr client)
break;
case DEVICE_ENABLE:
e = (xDeviceEnableCtl *) &stuff[1];
+ if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) {
+ ret = BadLength;
+ goto out;
+ }
if (IsXTestDevice(dev, NULL))
status = !Success;
diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
index 6dcf60c..224c2ba 100644
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client)
xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
if (client->swapped) {
+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+ return BadLength;
swaps(&f->num_keysyms);
}
if (len !=
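Review bot: The new minimum-length check sits inside `if (client->swapped)`, so a client using the server's byte order does not get it, yet the `if (len !=` comparison that starts on the last line of the hunk is reached on both paths. That comparison continues outside the hunk; if it reads `f->num_keysyms`, as the swap just above suggests, the unswapped path reads the field before anything has confirmed that the request is long enough to hold an `xStringFeedbackCtl`. Hoisting the guard above the `swapped` test would cover both paths: `if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) return BadLength;`.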
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index 3c21386..183f88d 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client)
if (ret != Success)
return ret;
+ if (stuff->num_events == 0)
+ return ret;
+
/* The client's event type must be one defined by an extension. */
first = ((xEvent *) &stuff[1]);
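Review bot: The new early exit for `stuff->num_events == 0` returns `ret`, which is only `Success` because of the `if (ret != Success) return ret;` directly above it; `return Success;` would say what is meant and would survive a later reordering of those lines. A short comment would also help, for example `/* nothing to send; &stuff[1] below must not be read as an event */`, since the reason for the guard is the `first = ((xEvent *) &stuff[1]);` dereference that follows. ProcXSendExtensionEvent continues outside the hunk.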
diff --git a/Xi/xiallowev.c b/Xi/xiallowev.c
index ebef233..ca263ef 100644
--- a/Xi/xiallowev.c
+++ b/Xi/xiallowev.c
@@ -48,6 +48,7 @@ int
SProcXIAllowEvents(ClientPtr client)
{
REQUEST(xXIAllowEventsReq);
+ REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client)
if (stuff->length > 3) {
xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;
+ REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
swapl(&req_xi22->touchid);
swapl(&req_xi22->grab_window);
}
diff --git a/Xi/xichangecursor.c b/Xi/xichangecursor.c
index 7a1bb7a..8e6255b 100644
--- a/Xi/xichangecursor.c
+++ b/Xi/xichangecursor.c
@@ -57,11 +57,11 @@ int
SProcXIChangeCursor(ClientPtr client)
{
REQUEST(xXIChangeCursorReq);
+ REQUEST_SIZE_MATCH(xXIChangeCursorReq);
swaps(&stuff->length);
swapl(&stuff->win);
swapl(&stuff->cursor);
swaps(&stuff->deviceid);
- REQUEST_SIZE_MATCH(xXIChangeCursorReq);
return (ProcXIChangeCursor(client));
}
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index 9e36354..2732445 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -411,7 +411,7 @@ int
ProcXIChangeHierarchy(ClientPtr client)
{
xXIAnyHierarchyChangeInfo *any;
- int required_len = sizeof(xXIChangeHierarchyReq);
+ size_t len; /* length of data remaining in request */
int rc = Success;
int flags[MAXDEVICES] = { 0 };
@@ -421,21 +421,46 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
+ if (stuff->length > (INT_MAX >> 2))
+ return BadAlloc;
+ len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
while (stuff->num_changes--) {
+ if (len < sizeof(xXIAnyHierarchyChangeInfo)) {
+ rc = BadLength;
+ goto unwind;
+ }
+
SWAPIF(swaps(&any->type));
SWAPIF(swaps(&any->length));
- required_len += any->length;
- if ((stuff->length * 4) < required_len)
+ if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
return BadLength;
+#define CHANGE_SIZE_MATCH(type) \
+ do { \
+ if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \
+ rc = BadLength; \
+ goto unwind; \
+ } \
+ } while(0)
+
switch (any->type) {
case XIAddMaster:
{
xXIAddMasterInfo *c = (xXIAddMasterInfo *) any;
+ /* Variable length, due to appended name string */
+ if (len < sizeof(xXIAddMasterInfo)) {
+ rc = BadLength;
+ goto unwind;
+ }
SWAPIF(swaps(&c->name_len));
+ if (c->name_len > (len - sizeof(xXIAddMasterInfo))) {
+ rc = BadLength;
+ goto unwind;
+ }
rc = add_master(client, c, flags);
if (rc != Success)
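Review bot: The initial value of `len` subtracts `sizeof(xXIAnyHierarchyChangeInfo)`, but `any` starts at `&stuff[1]`, i.e. after the `xXIChangeHierarchyReq` header, so the "data remaining in request" should be `len = (stuff->length << 2) - sizeof(xXIChangeHierarchyReq);`. If the request header is larger than the per-change header, `len` over-counts and the per-change bounds checks that depend on it accept a few bytes beyond the end of the request. Separately, the `any->length` check still uses a bare `return BadLength;` while every other new check in the loop does `rc = BadLength; goto unwind;`, so it skips whatever the `unwind` path does for changes already applied. `CHANGE_SIZE_MATCH` is also defined inside the loop body and never `#undef`'d in the visible lines. The function starts in the previous hunk and continues outside this one.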
@@ -446,6 +471,7 @@ ProcXIChangeHierarchy(ClientPtr client)
{
xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
+ CHANGE_SIZE_MATCH(xXIRemoveMasterInfo);
rc = remove_master(client, r, flags);
if (rc != Success)
goto unwind;
@@ -455,6 +481,7 @@ ProcXIChangeHierarchy(ClientPtr client)
{
xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
+ CHANGE_SIZE_MATCH(xXIDetachSlaveInfo);
rc = detach_slave(client, c, flags);
if (rc != Success)
goto unwind;
@@ -464,6 +491,7 @@ ProcXIChangeHierarchy(ClientPtr client)
{
xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
+ CHANGE_SIZE_MATCH(xXIAttachSlaveInfo);
rc = attach_slave(client, c, flags);
if (rc != Success)
goto unwind;
@@ -471,6 +499,7 @@ ProcXIChangeHierarchy(ClientPtr client)
break;
}
+ len -= any->length * 4;
any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
}
diff --git a/Xi/xigetclientpointer.c b/Xi/xigetclientpointer.c
index 3c90d58..306dd39 100644
--- a/Xi/xigetclientpointer.c
+++ b/Xi/xigetclientpointer.c
@@ -50,6 +50,7 @@ int
SProcXIGetClientPointer(ClientPtr client)
{
REQUEST(xXIGetClientPointerReq);
+ REQUEST_SIZE_MATCH(xXIGetClientPointerReq);
swaps(&stuff->length);
swapl(&stuff->win);
diff --git a/Xi/xigrabdev.c b/Xi/xigrabdev.c
index 63d95bc..e2a2ae3 100644
--- a/Xi/xigrabdev.c
+++ b/Xi/xigrabdev.c
@@ -47,6 +47,11 @@ int
SProcXIGrabDevice(ClientPtr client)
{
REQUEST(xXIGrabDeviceReq);
+ /*
+ * Check here for at least the length of the struct we swap, then
+ * let ProcXIGrabDevice check the full size after we swap mask_len.
+ */
+ REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client)
unsigned int pointer_mode;
REQUEST(xXIGrabDeviceReq);
- REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4);
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
if (ret != Success)
@@ -131,6 +136,7 @@ int
SProcXIUngrabDevice(ClientPtr client)
{
REQUEST(xXIUngrabDeviceReq);
+ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -148,6 +154,7 @@ ProcXIUngrabDevice(ClientPtr client)
TimeStamp time;
REQUEST(xXIUngrabDeviceReq);
+ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess);
if (ret != Success)
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index 700622d..9241ffd 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr client)
uint32_t *mods;
REQUEST(xXIPassiveGrabDeviceReq);
+ REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr client)
swaps(&stuff->mask_len);
swaps(&stuff->num_modifiers);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+ ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4);
mods = (uint32_t *) &stuff[1] + stuff->mask_len;
for (i = 0; i < stuff->num_modifiers; i++, mods++) {
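Review bot: The byte-count argument added here is written `... + stuff->num_modifiers) *4`, while the identical check in ProcXIPassiveGrabDevice uses `* 4` and the two ungrab hunks in this file use `<< 2`. Three spellings of the same words-to-bytes conversion make it harder to see that the swapped and native handlers validate the same size. Pick one form for all four sites, for example `((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4`. SProcXIPassiveGrabDevice continues outside the hunk.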
@@ -92,7 +95,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
int mask_len;
REQUEST(xXIPassiveGrabDeviceReq);
- REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+ ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4);
if (stuff->deviceid == XIAllDevices)
dev = inputInfo.all_devices;
@@ -252,6 +256,7 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
uint32_t *modifiers;
REQUEST(xXIPassiveUngrabDeviceReq);
+ REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
swaps(&stuff->length);
swapl(&stuff->grab_window);
@@ -259,6 +264,8 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
swapl(&stuff->detail);
swaps(&stuff->num_modifiers);
+ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
+ ((uint32_t) stuff->num_modifiers) << 2);
modifiers = (uint32_t *) &stuff[1];
for (i = 0; i < stuff->num_modifiers; i++, modifiers++)
@@ -277,7 +284,8 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
int i, rc;
REQUEST(xXIPassiveUngrabDeviceReq);
- REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
+ ((uint32_t) stuff->num_modifiers) << 2);
if (stuff->deviceid == XIAllDevices)
dev = inputInfo.all_devices;
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
index 463607d..8e8e4b0 100644
--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
@@ -1013,10 +1013,9 @@ int
SProcXListDeviceProperties(ClientPtr client)
{
REQUEST(xListDevicePropertiesReq);
+ REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
swaps(&stuff->length);
-
- REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
return (ProcXListDeviceProperties(client));
}
@@ -1037,10 +1036,10 @@ int
SProcXDeleteDeviceProperty(ClientPtr client)
{
REQUEST(xDeleteDevicePropertyReq);
+ REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
swaps(&stuff->length);
swapl(&stuff->property);
- REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
return (ProcXDeleteDeviceProperty(client));
}
@@ -1048,13 +1047,13 @@ int
SProcXGetDeviceProperty(ClientPtr client)
{
REQUEST(xGetDevicePropertyReq);
+ REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
swaps(&stuff->length);
swapl(&stuff->property);
swapl(&stuff->type);
swapl(&stuff->longOffset);
swapl(&stuff->longLength);
- REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
return (ProcXGetDeviceProperty(client));
}
@@ -1253,11 +1252,10 @@ int
SProcXIListProperties(ClientPtr client)
{
REQUEST(xXIListPropertiesReq);
+ REQUEST_SIZE_MATCH(xXIListPropertiesReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
-
- REQUEST_SIZE_MATCH(xXIListPropertiesReq);
return (ProcXIListProperties(client));
}
@@ -1279,11 +1277,11 @@ int
SProcXIDeleteProperty(ClientPtr client)
{
REQUEST(xXIDeletePropertyReq);
+ REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
swapl(&stuff->property);
- REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
return (ProcXIDeleteProperty(client));
}
@@ -1291,6 +1289,7 @@ int
SProcXIGetProperty(ClientPtr client)
{
REQUEST(xXIGetPropertyReq);
+ REQUEST_SIZE_MATCH(xXIGetPropertyReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -1298,7 +1297,6 @@ SProcXIGetProperty(ClientPtr client)
swapl(&stuff->type);
swapl(&stuff->offset);
swapl(&stuff->len);
- REQUEST_SIZE_MATCH(xXIGetPropertyReq);
return (ProcXIGetProperty(client));
}
diff --git a/Xi/xiquerydevice.c b/Xi/xiquerydevice.c
index 4e544f0..67a9a4f 100644
--- a/Xi/xiquerydevice.c
+++ b/Xi/xiquerydevice.c
@@ -54,6 +54,7 @@ int
SProcXIQueryDevice(ClientPtr client)
{
REQUEST(xXIQueryDeviceReq);
+ REQUEST_SIZE_MATCH(xXIQueryDeviceReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
index e9bdd42..7ec0c85 100644
--- a/Xi/xiquerypointer.c
+++ b/Xi/xiquerypointer.c
@@ -63,6 +63,8 @@ int
SProcXIQueryPointer(ClientPtr client)
{
REQUEST(xXIQueryPointerReq);
+ REQUEST_SIZE_MATCH(xXIQueryPointerReq);
+
swaps(&stuff->length);
swaps(&stuff->deviceid);
swapl(&stuff->win);
diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
index 45a996e..168579f 100644
--- a/Xi/xiselectev.c
+++ b/Xi/xiselectev.c
@@ -114,6 +114,7 @@ int
SProcXISelectEvents(ClientPtr client)
{
int i;
+ int len;
xXIEventMask *evmask;
REQUEST(xXISelectEventsReq);
@@ -122,10 +123,17 @@ SProcXISelectEvents(ClientPtr client)
swapl(&stuff->win);
swaps(&stuff->num_masks);
+ len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
evmask = (xXIEventMask *) &stuff[1];
for (i = 0; i < stuff->num_masks; i++) {
+ if (len < bytes_to_int32(sizeof(xXIEventMask)))
+ return BadLength;
+ len -= bytes_to_int32(sizeof(xXIEventMask));
swaps(&evmask->deviceid);
swaps(&evmask->mask_len);
+ if (len < evmask->mask_len)
+ return BadLength;
+ len -= evmask->mask_len;
evmask =
(xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4);
}
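Review bot: `len` in SProcXISelectEvents counts 4-byte units (it is derived with `bytes_to_int32()` and compared directly with `evmask->mask_len`), whereas the `len` added to ProcXIChangeHierarchy in the same patch counts bytes. The declaration in the previous hunk should carry the unit, for example `int len; /* remaining request length, in 4-byte units */`. A one-line comment above the loop saying that each mask is bounds-checked before its fields are swapped would document why the checks precede the `swaps()` calls. The function body continues outside the hunk.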
diff --git a/Xi/xisetclientpointer.c b/Xi/xisetclientpointer.c
index 38ff51e..24d4a53 100644
--- a/Xi/xisetclientpointer.c
+++ b/Xi/xisetclientpointer.c
@@ -51,10 +51,11 @@ int
SProcXISetClientPointer(ClientPtr client)
{
REQUEST(xXISetClientPointerReq);
+ REQUEST_SIZE_MATCH(xXISetClientPointerReq);
+
swaps(&stuff->length);
swapl(&stuff->win);
swaps(&stuff->deviceid);
- REQUEST_SIZE_MATCH(xXISetClientPointerReq);
return (ProcXISetClientPointer(client));
}
diff --git a/Xi/xisetdevfocus.c b/Xi/xisetdevfocus.c
index 372ec24..96a9a16 100644
--- a/Xi/xisetdevfocus.c
+++ b/Xi/xisetdevfocus.c
@@ -44,6 +44,8 @@ int
SProcXISetFocus(ClientPtr client)
{
REQUEST(xXISetFocusReq);
+ REQUEST_AT_LEAST_SIZE(xXISetFocusReq);
+
swaps(&stuff->length);
swaps(&stuff->deviceid);
swapl(&stuff->focus);
@@ -56,6 +58,8 @@ int
SProcXIGetFocus(ClientPtr client)
{
REQUEST(xXIGetFocusReq);
+ REQUEST_AT_LEAST_SIZE(xXIGetFocusReq);
+
swaps(&stuff->length);
swaps(&stuff->deviceid);
diff --git a/Xi/xiwarppointer.c b/Xi/xiwarppointer.c
index 3f051f7..780758a 100644
--- a/Xi/xiwarppointer.c
+++ b/Xi/xiwarppointer.c
@@ -56,6 +56,8 @@ int
SProcXIWarpPointer(ClientPtr client)
{
REQUEST(xXIWarpPointerReq);
+ REQUEST_SIZE_MATCH(xXIWarpPointerReq);
+
swaps(&stuff->length);
swapl(&stuff->src_win);
swapl(&stuff->dst_win);
diff --git a/include/dix.h b/include/dix.h
index e0c6ed8..21176a8 100644
--- a/include/dix.h
+++ b/include/dix.h
@@ -74,6 +74,10 @@ SOFTWARE.
if ((sizeof(req) >> 2) > client->req_len )\
return(BadLength)
+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \
+ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
+ return(BadLength)
+
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
((n >> 2) >= client->req_len) || \
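Review bot: In the new `REQUEST_AT_LEAST_EXTRA_SIZE` macro the `extra` argument is used as `((uint64_t) extra)` without its own parentheses, so the cast binds only to the first operand of whatever expression a caller passes. The current callers pass a plain `sizeof(...)`, which is safe, but an argument such as a conditional expression would be evaluated differently from what the caller wrote. Parenthesise the parameter: `if (((sizeof(req) + ((uint64_t) (extra))) >> 2) > client->req_len ) \`. The hunk ends inside the following `REQUEST_FIXED_SIZE` definition.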
--
1.7.9.2
++++++ U_Xv_unvalidated_lengths_in_XVideo_extension_swapped_procs.patch ++++++
Subject: Xv: unvalidated lengths in XVideo extension swapped procs
References: bnc#907268, CVE-2014-8099
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
Xext/xvdisp.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
index 86f982a..c2d0fc9 100644
--- a/Xext/xvdisp.c
+++ b/Xext/xvdisp.c
@@ -1121,6 +1121,7 @@ static int
SProcXvQueryExtension(ClientPtr client)
{
REQUEST(xvQueryExtensionReq);
+ REQUEST_SIZE_MATCH(xvQueryExtensionReq);
swaps(&stuff->length);
return XvProcVector[xv_QueryExtension] (client);
}
@@ -1129,6 +1130,7 @@ static int
SProcXvQueryAdaptors(ClientPtr client)
{
REQUEST(xvQueryAdaptorsReq);
+ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
swaps(&stuff->length);
swapl(&stuff->window);
return XvProcVector[xv_QueryAdaptors] (client);
@@ -1138,6 +1140,7 @@ static int
SProcXvQueryEncodings(ClientPtr client)
{
REQUEST(xvQueryEncodingsReq);
+ REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
swaps(&stuff->length);
swapl(&stuff->port);
return XvProcVector[xv_QueryEncodings] (client);
@@ -1147,6 +1150,7 @@ static int
SProcXvGrabPort(ClientPtr client)
{
REQUEST(xvGrabPortReq);
+ REQUEST_SIZE_MATCH(xvGrabPortReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->time);
@@ -1157,6 +1161,7 @@ static int
SProcXvUngrabPort(ClientPtr client)
{
REQUEST(xvUngrabPortReq);
+ REQUEST_SIZE_MATCH(xvUngrabPortReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->time);
@@ -1167,6 +1172,7 @@ static int
SProcXvPutVideo(ClientPtr client)
{
REQUEST(xvPutVideoReq);
+ REQUEST_SIZE_MATCH(xvPutVideoReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1186,6 +1192,7 @@ static int
SProcXvPutStill(ClientPtr client)
{
REQUEST(xvPutStillReq);
+ REQUEST_SIZE_MATCH(xvPutStillReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1205,6 +1212,7 @@ static int
SProcXvGetVideo(ClientPtr client)
{
REQUEST(xvGetVideoReq);
+ REQUEST_SIZE_MATCH(xvGetVideoReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1224,6 +1232,7 @@ static int
SProcXvGetStill(ClientPtr client)
{
REQUEST(xvGetStillReq);
+ REQUEST_SIZE_MATCH(xvGetStillReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1243,6 +1252,7 @@ static int
SProcXvPutImage(ClientPtr client)
{
REQUEST(xvPutImageReq);
+ REQUEST_AT_LEAST_SIZE(xvPutImageReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1266,6 +1276,7 @@ static int
SProcXvShmPutImage(ClientPtr client)
{
REQUEST(xvShmPutImageReq);
+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1293,6 +1304,7 @@ static int
SProcXvSelectVideoNotify(ClientPtr client)
{
REQUEST(xvSelectVideoNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
return XvProcVector[xv_SelectVideoNotify] (client);
@@ -1302,6 +1314,7 @@ static int
SProcXvSelectPortNotify(ClientPtr client)
{
REQUEST(xvSelectPortNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
swaps(&stuff->length);
swapl(&stuff->port);
return XvProcVector[xv_SelectPortNotify] (client);
@@ -1311,6 +1324,7 @@ static int
SProcXvStopVideo(ClientPtr client)
{
REQUEST(xvStopVideoReq);
+ REQUEST_SIZE_MATCH(xvStopVideoReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1321,6 +1335,7 @@ static int
SProcXvSetPortAttribute(ClientPtr client)
{
REQUEST(xvSetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->attribute);
@@ -1332,6 +1347,7 @@ static int
SProcXvGetPortAttribute(ClientPtr client)
{
REQUEST(xvGetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->attribute);
@@ -1342,6 +1358,7 @@ static int
SProcXvQueryBestSize(ClientPtr client)
{
REQUEST(xvQueryBestSizeReq);
+ REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
swaps(&stuff->length);
swapl(&stuff->port);
swaps(&stuff->vid_w);
@@ -1355,6 +1372,7 @@ static int
SProcXvQueryPortAttributes(ClientPtr client)
{
REQUEST(xvQueryPortAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
swaps(&stuff->length);
swapl(&stuff->port);
return XvProcVector[xv_QueryPortAttributes] (client);
@@ -1364,6 +1382,7 @@ static int
SProcXvQueryImageAttributes(ClientPtr client)
{
REQUEST(xvQueryImageAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->id);
@@ -1376,6 +1395,7 @@ static int
SProcXvListImageFormats(ClientPtr client)
{
REQUEST(xvListImageFormatsReq);
+ REQUEST_SIZE_MATCH(xvListImageFormatsReq);
swaps(&stuff->length);
swapl(&stuff->port);
return XvProcVector[xv_ListImageFormats] (client);
--
1.7.9.2
++++++ U_dbe_Call_to_DDX_SwapBuffers_requires_address_of_int_not_unsigned_int.patch ++++++
Subject: dbe: Call to DDX SwapBuffers requires address of int, not unsigned int
References: bnc#907268, CVE-2014-8097
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
When the local types used to walk the DBE request were changed, this
changed the type of the parameter passed to the DDX SwapBuffers API,
but there wasn't a matching change in the API definition.
At this point, with the API frozen, I just stuck a new variable in
with the correct type. Because we've already bounds-checked nStuff to
be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
fit in a signed int without overflow.
Signed-off-by: Keith Packard
Signed-off-by: Alan Coopersmith
---
dbe/dbe.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/dbe/dbe.c b/dbe/dbe.c
index df2ad5c..e5d928d 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client)
int error;
unsigned int i, j;
unsigned int nStuff;
+ int nStuff_i; /* DDX API requires int for nStuff */
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
nStuff = stuff->n; /* use local variable for performance. */
@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
* could deal with cross-screen synchronization.
*/
- while (nStuff > 0) {
+ nStuff_i = nStuff;
+ while (nStuff_i > 0) {
pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
- error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
+ error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
if (error != Success) {
free(swapInfo);
return error;
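Review bot: The assignment `nStuff_i = nStuff;` narrows an `unsigned int` to `int`, and the reason this cannot overflow is given only in the commit message, not in the code. A comment at the assignment would keep that invariant visible to the next reader, for example `/* fits in int: nStuff was bounded by UINT32_MAX / sizeof(DbeSwapInfoRec) above */`. If the earlier bound is ever relaxed, this conversion is the line that would silently break. ProcDbeSwapBuffers starts and ends outside the hunk.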
--
1.8.4.5
++++++ U_dbe_unvalidated_lengths_in_DbeSwapBuffers_calls.patch ++++++
Subject: dbe: unvalidated lengths in DbeSwapBuffers calls
References: bnc#907268, CVE-2014-8097
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
from a buffer. The length is never validated, which can lead to out of
bound reads, and possibly returning the data read from out of bounds to
the misbehaving client via an X Error packet.
SProcDbeSwapBuffers() swaps data (for correct endianness) before
handing it off to the real proc. While doing the swapping, the
length field is not validated, which can cause memory corruption.
v2: reorder checks to avoid compilers optimizing out checks for overflow
that happen after we'd already have done the overflowing multiplications.
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
dbe/dbe.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/dbe/dbe.c b/dbe/dbe.c
index 527588c..df2ad5c 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -450,18 +450,20 @@ ProcDbeSwapBuffers(ClientPtr client)
DbeSwapInfoPtr swapInfo;
xDbeSwapInfo *dbeSwapInfo;
int error;
- register int i, j;
- int nStuff;
+ unsigned int i, j;
+ unsigned int nStuff;
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
nStuff = stuff->n; /* use local variable for performance. */
if (nStuff == 0) {
+ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
return Success;
}
if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
/* Get to the swap info appended to the end of the request. */
dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
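Review bot: The overflow guard divides by `sizeof(DbeSwapInfoRec)` while the size passed to `REQUEST_FIXED_SIZE` multiplies by `sizeof(xDbeSwapInfo)`, and the same pairing is used in the SProcDbeSwapBuffers hunk below. Where `size_t` is 32 bits, the multiplication is overflow-free only if the wire struct is no larger than the internal record, which the visible lines do not state. A comment would record the assumption, for example `/* bound also covers nStuff * sizeof(xDbeSwapInfo): wire struct is not larger than DbeSwapInfoRec */`. Alternatively, bound `nStuff` against the larger of the two sizes explicitly.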
@@ -914,13 +916,16 @@ static int
SProcDbeSwapBuffers(ClientPtr client)
{
REQUEST(xDbeSwapBuffersReq);
- register int i;
+ unsigned int i;
xDbeSwapInfo *pSwapInfo;
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
swapl(&stuff->n);
+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
if (stuff->n != 0) {
pSwapInfo = (xDbeSwapInfo *) stuff + 1;
--
1.7.9.2
++++++ U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch ++++++
Subject: dix: GetHosts bounds check using wrong pointer value
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.
Signed-off-by: Keith Packard
Reviewed-by: Alan Coopersmith
Signed-off-by: Alan Coopersmith
---
os/access.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/os/access.c b/os/access.c
index f393c8d..28f2d32 100644
--- a/os/access.c
+++ b/os/access.c
@@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
}
for (host = validhosts; host; host = host->next) {
len = host->len;
- if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
break;
((xHostEntry *) ptr)->family = host->family;
((xHostEntry *) ptr)->length = len;
--
1.8.4.5
++++++ U_dix_Missing_parens_in_REQUEST_FIXED_SIZE_macro.patch ++++++
Subject: Missing parens in REQUEST_FIXED_SIZE macro
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
The 'n' parameter must be surrounded by parens in both places to
prevent precedence from mis-computing things.
Signed-off-by: Keith Packard
Reviewed-by: Alan Coopersmith
Signed-off-by: Alan Coopersmith
---
include/dix.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/dix.h b/include/dix.h
index 21176a8..921156b 100644
--- a/include/dix.h
+++ b/include/dix.h
@@ -80,7 +80,7 @@ SOFTWARE.
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
- ((n >> 2) >= client->req_len) || \
+ (((n) >> 2) >= client->req_len) || \
((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
return(BadLength)
--
1.8.4.5
++++++ U_dix_integer_overflow_in_GetHosts.patch ++++++
Subject: dix: integer overflow in GetHosts()
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
os/access.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/os/access.c b/os/access.c
index 5c510de..f393c8d 100644
--- a/os/access.c
+++ b/os/access.c
@@ -1296,6 +1296,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
for (host = validhosts; host; host = host->next) {
nHosts++;
n += pad_to_int32(host->len) + sizeof(xHostEntry);
+ /* Could check for INT_MAX, but in reality having more than 1mb of
+ hostnames in the access list is ridiculous */
+ if (n >= 1048576)
+ break;
}
if (n) {
*data = ptr = malloc(n);
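Review bot: The cap is a bare literal, `if (n >= 1048576)`, and the counting loop simply breaks, so a host list over the limit is truncated without any trace in the visible code. A named constant, for example `#define MAX_HOSTS_REPLY_BYTES (1024 * 1024)`, would make the limit discoverable, and the comment could state that hosts beyond the cap are omitted from the reply. The copy loop in the next hunk depends on `n` as computed here, so the two should be read together. GetHosts continues outside the hunk.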
@@ -1304,6 +1308,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
}
for (host = validhosts; host; host = host->next) {
len = host->len;
+ if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+ break;
((xHostEntry *) ptr)->family = host->family;
((xHostEntry *) ptr)->length = len;
ptr += sizeof(xHostEntry);
--
1.7.9.2
++++++ U_dix_integer_overflow_in_ProcPutImage.patch ++++++
Subject: dix: integer overflow in ProcPutImage()
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
dix/dispatch.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/dix/dispatch.c b/dix/dispatch.c
index d844a09..55b978d 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -2000,6 +2000,9 @@ ProcPutImage(ClientPtr client)
tmpImage = (char *) &stuff[1];
lengthProto = length;
+ if (lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
if ((bytes_to_int32(lengthProto * stuff->height) +
bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
return BadLength;
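Review bot: The new overflow guard divides by `stuff->height`, a client-supplied field, and nothing in the hunk rules out a value of zero, so a zero-height request would hit an integer division by zero in the server instead of being handled. Unless the height is already rejected earlier in ProcPutImage (outside the hunk), guard the divisor: `if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))`. With height zero the product checked just below is zero, so the existing length comparison still applies to that case.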
--
1.7.9.2
++++++ U_dix_integer_overflow_in_REQUEST_FIXED_SIZE.patch ++++++
Subject: dix: integer overflow in REQUEST_FIXED_SIZE()
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Force use of 64-bit integers when evaluating data provided by clients
in 32-bit fields which can overflow when added or multiplied during
checks.
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
include/dix.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/dix.h b/include/dix.h
index 991a3ce..e0c6ed8 100644
--- a/include/dix.h
+++ b/include/dix.h
@@ -76,7 +76,8 @@ SOFTWARE.
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
+ ((n >> 2) >= client->req_len) || \
+ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
return(BadLength)
#define LEGAL_NEW_RESOURCE(id,client)\
--
1.7.9.2
++++++ U_dix_integer_overflow_in_RegionSizeof.patch ++++++
Subject: dix: integer overflow in RegionSizeof()
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
RegionSizeof contains several integer overflows if a large length
value is passed in. Once we fix it to return 0 on overflow, we
also have to fix the callers to handle this error condition
v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
Reviewed-by: Julien Cristau
---
dix/region.c | 20 +++++++++++++-------
include/regionstr.h | 10 +++++++---
2 files changed, 20 insertions(+), 10 deletions(-)
Index: xorg-server-1.15.2/dix/region.c
===================================================================
--- xorg-server-1.15.2.orig/dix/region.c
+++ xorg-server-1.15.2/dix/region.c
@@ -169,7 +169,6 @@ Equipment Corporation.
((r1)->y1 <= (r2)->y1) && \
((r1)->y2 >= (r2)->y2) )
-#define xallocData(n) malloc(RegionSizeof(n))
#define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
#define RECTALLOC_BAIL(pReg,n,bail) \
@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->num
#define DOWNSIZE(reg,numRects) \
if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
{ \
- RegDataPtr NewData; \
- NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \
+ size_t NewSize = RegionSizeof(numRects); \
+ RegDataPtr NewData = \
+ (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \
if (NewData) \
{ \
NewData->size = (numRects); \
@@ -345,17 +345,20 @@ Bool
RegionRectAlloc(RegionPtr pRgn, int n)
{
RegDataPtr data;
+ size_t rgnSize;
if (!pRgn->data) {
n++;
- pRgn->data = xallocData(n);
+ rgnSize = RegionSizeof(n);
+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
if (!pRgn->data)
return RegionBreak(pRgn);
pRgn->data->numRects = 1;
*RegionBoxptr(pRgn) = pRgn->extents;
}
else if (!pRgn->data->size) {
- pRgn->data = xallocData(n);
+ rgnSize = RegionSizeof(n);
+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
if (!pRgn->data)
return RegionBreak(pRgn);
pRgn->data->numRects = 0;
@@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
n = 250;
}
n += pRgn->data->numRects;
- data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
+ rgnSize = RegionSizeof(n);
+ data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
if (!data)
return RegionBreak(pRgn);
pRgn->data = data;
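Review bot: `RegionSizeof(n)` can only reject what reaches it, and in this branch `n += pRgn->data->numRects;` is evaluated in `int` first, so a large caller-supplied `n` can overflow (undefined behaviour for signed `int`) before the new size check runs. The `n++` in the first hunk of RegionRectAlloc has the same shape. Checking the addition up front, for example `if (n > INT_MAX - pRgn->data->numRects) return RegionBreak(pRgn);`, would make the size check effective. Whether any caller can pass such a value is not visible here.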
@@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *
{
RegionPtr pRgn;
+ size_t rgnSize;
RegDataPtr pData;
BoxPtr pBox;
int i;
@@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *
}
return pRgn;
}
- pData = xallocData(nrects);
+ rgnSize = RegionSizeof(nrects);
+ pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
if (!pData) {
RegionBreak(pRgn);
return pRgn;
Index: xorg-server-1.15.2/include/regionstr.h
===================================================================
--- xorg-server-1.15.2.orig/include/regionstr.h
+++ xorg-server-1.15.2/include/regionstr.h
@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
static inline size_t
RegionSizeof(int n)
{
- return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+ if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
+ return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+ else
+ return 0;
}
static inline void
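Review bot: RegionSizeof now has a second meaning for its return value, 0 for "would overflow", and nothing in the header says so. Callers added later that pass the result straight to `malloc`/`realloc` would reintroduce the problem. A header comment would carry the contract, for example `/* Returns the allocation size for n boxes, or 0 if that size would overflow; callers must treat 0 as failure. */`. The comparison `n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec))` also relies on a negative `n` being converted to a large unsigned value and so rejected; that is worth one line of comment or an explicit `n < 0` test.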
@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect
(_pReg)->data = (RegDataPtr) NULL;
}
else {
+ size_t rgnSize;
(_pReg)->extents = RegionEmptyBox;
- if (((_size) > 1) && ((_pReg)->data =
- (RegDataPtr) malloc(RegionSizeof(_size)))) {
+ if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
+ (((_pReg)->data = malloc(rgnSize)) != NULL)) {
(_pReg)->data->size = (_size);
(_pReg)->data->numRects = 0;
}
++++++ U_dri2_integer_overflow_in_ProcDRI2GetBuffers.patch ++++++
Subject: dri2: integer overflow in ProcDRI2GetBuffers()
References: bnc#907268, CVE-2014-8094
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
ProcDRI2GetBuffers() tries to validate a length field (count).
There is an integer overflow in the validation. This can cause
out of bound reads and memory corruption later on.
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
Reviewed-by: Julien Cristau
---
hw/xfree86/dri2/dri2ext.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
index ffd66fa..221ec53 100644
--- a/hw/xfree86/dri2/dri2ext.c
+++ b/hw/xfree86/dri2/dri2ext.c
@@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client)
unsigned int *attachments;
REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
+ if (stuff->count > (INT_MAX / 4))
+ return BadLength;
+
if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
&pDrawable, &status))
return status;
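Review bot: The new `stuff->count > (INT_MAX / 4)` test runs after `REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4)` has already evaluated the multiplication it is meant to protect. The length check is therefore made with a possibly wrapped value, and the request is rejected only afterwards. Putting the bound first keeps the order obvious and matches the "reorder checks" note in the dbe patch of this series. That means `REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);`, then `if (stuff->count > (INT_MAX / 4)) return BadLength;`, then the existing `REQUEST_FIXED_SIZE` line. ProcDRI2GetBuffers continues outside the hunk.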
--
1.7.9.2
++++++ U_dri3_unvalidated_lengths_in_DRI3_extension_swapped_procs.patch ++++++
Subject: dri3: unvalidated lengths in DRI3 extension swapped procs
References: bnc#907268, CVE-2014-8103
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
dri3/dri3_request.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/dri3/dri3_request.c b/dri3/dri3_request.c
index fe45620..2d75588 100644
--- a/dri3/dri3_request.c
+++ b/dri3/dri3_request.c
@@ -321,6 +321,7 @@ static int
sproc_dri3_query_version(ClientPtr client)
{
REQUEST(xDRI3QueryVersionReq);
+ REQUEST_SIZE_MATCH(xDRI3QueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
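Review bot: Nothing records why `REQUEST_SIZE_MATCH` has to come before the swaps in sproc_dri3_query_version. `swaps()` and `swapl()` take the field's address and rewrite the request in place, so the length must be known good before the first of them runs. A one-line comment such as `/* validate length before byte-swapping in place */` would protect the ordering; the same applies to the five other sproc_dri3_* hunks in this patch. The matching unswapped handlers are not part of this diff, so whether they carry the same check cannot be confirmed from here.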
@@ -332,6 +333,7 @@ static int
sproc_dri3_open(ClientPtr client)
{
REQUEST(xDRI3OpenReq);
+ REQUEST_SIZE_MATCH(xDRI3OpenReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
@@ -343,6 +345,7 @@ static int
sproc_dri3_pixmap_from_buffer(ClientPtr client)
{
REQUEST(xDRI3PixmapFromBufferReq);
+ REQUEST_SIZE_MATCH(xDRI3PixmapFromBufferReq);
swaps(&stuff->length);
swapl(&stuff->pixmap);
@@ -358,6 +361,7 @@ static int
sproc_dri3_buffer_from_pixmap(ClientPtr client)
{
REQUEST(xDRI3BufferFromPixmapReq);
+ REQUEST_SIZE_MATCH(xDRI3BufferFromPixmapReq);
swaps(&stuff->length);
swapl(&stuff->pixmap);
@@ -368,6 +372,7 @@ static int
sproc_dri3_fence_from_fd(ClientPtr client)
{
REQUEST(xDRI3FenceFromFDReq);
+ REQUEST_SIZE_MATCH(xDRI3FenceFromFDReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
@@ -379,6 +384,7 @@ static int
sproc_dri3_fd_from_fence(ClientPtr client)
{
REQUEST(xDRI3FDFromFenceReq);
+ REQUEST_SIZE_MATCH(xDRI3FDFromFenceReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
--
1.7.9.2
++++++ U_fb-Fix-invalid-bpp-for-24bit-depth-window.patch ++++++
From fe5018e0564118a7a8198fa286186fdb9ed818c7 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Tue, 19 Aug 2014 15:57:22 -0500
Subject: [PATCH] fb: Fix invalid bpp for 24bit depth window
We have a hack in fb layer for a 24bpp screen to use 32bpp images, and
fbCreateWindow() replaces its drawable.bitsPerPixel field
appropriately. But, the problem is that it always replaces when 32bpp
is passed. If the depth is 32, this results in bpp < depth, which is
actually invalid.
Meanwhile, fbCreatePixmap() has one more check: it creates with 24bpp
only when the passed depth <= 24, which avoids such a problem.
This oneliner patch just adds the similar check in fbCreateWindow().
This (hopefully) fixes the long-standing broken graphics mess of
cirrus KMS with 24bpp.
Signed-off-by: Takashi Iwai
Reviewed-by: Keith Packard
---
fb/fbwindow.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fb/fbwindow.c b/fb/fbwindow.c
index 368c4b883b31..c90175faa078 100644
--- a/fb/fbwindow.c
+++ b/fb/fbwindow.c
@@ -33,7 +33,7 @@ fbCreateWindow(WindowPtr pWin)
{
dixSetPrivate(&pWin->devPrivates, fbGetWinPrivateKey(pWin),
fbGetScreenPixmap(pWin->drawable.pScreen));
- if (pWin->drawable.bitsPerPixel == 32)
+ if (pWin->drawable.bitsPerPixel == 32 && pWin->drawable.depth <= 24)
pWin->drawable.bitsPerPixel =
fbGetScreenPrivate(pWin->drawable.pScreen)->win32bpp;
return TRUE;
--
2.0.4
++++++ U_fb_Fix_Bresenham_algorithms_for_commonly_used_small_segments.patch ++++++
Subject: fb: Fix Bresenham algorithms for commonly used small segments.
Git-commit: 1b94fd77792310c80b0a2bcf4bf6d4e4c4c23bca
Author: Alex Orange
Patch-Mainline: Upstream
References: bnc#908258, bnc#856931, fdo#54168
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=54168
Fix errors introduced in 863d528a9f76d0e8f122aebf19f8564a4c67a938. Said
patch does indeed remove the problematic writes to bad memory, however
it also introduces errors in the algorithm. This patch has the effect of
reverting said patch and adding an if in the proper location to catch
the out of bounds memory write without causing problems to the overall
algorithm.
Signed-off-by: Alex Orange
Reviewed-by: Peter Harris
Tested-by: Peter Harris
Signed-off-by: Keith Packard
---
fb/fbseg.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/fb/fbseg.c b/fb/fbseg.c
index 36b17e3..c3c196a 100644
--- a/fb/fbseg.c
+++ b/fb/fbseg.c
@@ -65,12 +65,6 @@ fbBresSolid(DrawablePtr pDrawable,
if (axis == X_AXIS) {
bits = 0;
while (len--) {
- if (e >= 0) {
- WRITE(dst, FbDoMaskRRop (READ(dst), and, xor, bits));
- bits = 0;
- dst += dstStride;
- e += e3;
- }
bits |= mask;
mask = fbBresShiftMask(mask, signdx, dstBpp);
if (!mask) {
@@ -80,12 +74,23 @@ fbBresSolid(DrawablePtr pDrawable,
mask = mask0;
}
e += e1;
+ if (e >= 0) {
+ if (bits) {
+ WRITE(dst, FbDoMaskRRop (READ(dst), and, xor, bits));
+ bits = 0;
+ }
+ dst += dstStride;
+ e += e3;
+ }
}
if (bits)
WRITE(dst, FbDoMaskRRop(READ(dst), and, xor, bits));
}
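Review bot: The `if (bits)` guard inside the `e >= 0` branch is the actual memory-safety fix and has no comment. From the visible lines, `bits` is zero there only when the pending pixels were already flushed, and the commit message says the guard is what stops the out-of-bounds write. Stating that next to the guard, e.g. `/* nothing pending: do not touch dst, it may be past the last word written */`, would keep a later refactor from making the WRITE unconditional again. The reason given in that comment is inferred from the description, and the loop's flush path lies between this hunk and the previous one.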
else {
while (len--) {
+ WRITE(dst, FbDoMaskRRop(READ(dst), and, xor, mask));
+ dst += dstStride;
+ e += e1;
if (e >= 0) {
e += e3;
mask = fbBresShiftMask(mask, signdx, dstBpp);
@@ -94,9 +99,6 @@ fbBresSolid(DrawablePtr pDrawable,
mask = mask0;
}
}
- WRITE(dst, FbDoMaskRRop(READ(dst), and, xor, mask));
- dst += dstStride;
- e += e1;
}
}
--
1.8.4.5
++++++ U_glx_Add_safe__add_mul_pad.patch ++++++
Subject: glx: Add safe_{add,mul,pad} (v3)
References: bnc#907268, CVE-2014-8093
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
These are paranoid about integer overflow, and will return -1 if their
operation would overflow a (signed) integer or if either argument is
negative.
Note that RenderLarge requests are sized with a uint32_t so in principle
this could be sketchy there, but dix limits bigreqs to 128M so you
shouldn't ever notice, and honestly if you're sending more than 2G of
rendering commands you're already doing something very wrong.
v2: Use INT_MAX for consistency with the rest of the server (jcristau)
v3: Reject negative arguments (anholt)
Reviewed-by: Keith Packard
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/glx/glxserver.h b/glx/glxserver.h
index a324b29..9482601 100644
--- a/glx/glxserver.h
+++ b/glx/glxserver.h
@@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
* Routines for computing the size of variably-sized rendering commands.
*/
+static _X_INLINE int
+safe_add(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (INT_MAX - a < b)
+ return -1;
+
+ return a + b;
+}
+
+static _X_INLINE int
+safe_mul(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (a == 0 || b == 0)
+ return 0;
+
+ if (a > INT_MAX / b)
+ return -1;
+
+ return a * b;
+}
+
+static _X_INLINE int
+safe_pad(int a)
+{
+ int ret;
+
+ if (a < 0)
+ return -1;
+
+ if ((ret = safe_add(a, 3)) < 0)
+ return -1;
+
+ return ret & (GLuint)~3;
+}
+
extern int __glXTypeSize(GLenum enm);
extern int __glXImageSize(GLenum format, GLenum type,
GLenum target, GLsizei w, GLsizei h, GLsizei d,
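Review bot: The three helpers have no comment stating their contract, and the contract is what makes nesting them safe. `safe_add` and `safe_mul` return -1 on overflow and also when either argument is negative, so a failed inner call propagates through an outer one; `safe_pad` rounds up to a multiple of 4 under the same rule. A header comment should say that. It should also say that the result has to be stored in a signed `int` before the `< 0` test, since assigning it to an unsigned or `size_t` variable makes that test always false.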
--
1.7.9.2
++++++ U_glx_Additional_paranoia_in___glXGetAnswerBuffer___GLX_GET_ANSWER_BUFFER.patch ++++++
Subject: glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2)
References: bnc#907268, CVE-2014-8093
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
If the computed reply size is negative, something went wrong, treat it
as an error.
v2: Be more careful about size_t being unsigned (Matthieu Herrb)
v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/indirect_util.c | 7 ++++++-
glx/unpack.h | 3 ++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/glx/indirect_util.c b/glx/indirect_util.c
index 926e57c..de81491 100644
--- a/glx/indirect_util.c
+++ b/glx/indirect_util.c
@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
const unsigned mask = alignment - 1;
if (local_size < required_size) {
- const size_t worst_case_size = required_size + alignment;
+ size_t worst_case_size;
intptr_t temp_buf;
+ if (required_size < SIZE_MAX - alignment)
+ worst_case_size = required_size + alignment;
+ else
+ return NULL;
+
if (cl->returnBufSize < worst_case_size) {
void *temp = realloc(cl->returnBuf, worst_case_size);
diff --git a/glx/unpack.h b/glx/unpack.h
index 52fba74..2b1ebcf 100644
--- a/glx/unpack.h
+++ b/glx/unpack.h
@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
** pointer.
*/
#define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
- if ((size) > sizeof(answerBuffer)) { \
+ if (size < 0) return BadLength; \
+ else if ((size) > sizeof(answerBuffer)) { \
int bump; \
if ((cl)->returnBufSize < (size)+(align)) { \
(cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \
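Review bot: The added line tests `size < 0` without parentheses while the rest of the macro writes `(size)`, so an argument that is an expression can bind differently in the new test than in the old ones; it should read `if ((size) < 0) return BadLength; \`. The macro now also hides a `return` inside what looks like a buffer lookup, which deserves a line in the comment above it. Further down, `(size)+(align)` is still a plain signed addition; `safe_add()` from this series would cover it, if glxserver.h is in scope here. The macro body continues outside the hunk.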
--
1.7.9.2
++++++ U_glx_Be_more_paranoid_about_variable_length_requests.patch ++++++
Subject: glx: Be more paranoid about variable-length requests
References: bnc#907268, CVE-2014-8093
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
If the size computation routine returns -1 we should just reject the
request outright. Clamping it to zero could give an attacker the
opportunity to also mangle cmdlen in such a way that the subsequent
length check passes, and the request would get executed, thus passing
data we wanted to reject to the renderer.
Reviewed-by: Keith Packard
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/glxcmds.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 8d3fa9f..0521b58 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2060,7 +2060,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
client->swapped);
if (extra < 0) {
- extra = 0;
+ return BadLength;
}
if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
return BadLength;
@@ -2177,7 +2177,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
client->swapped);
if (extra < 0) {
- extra = 0;
+ return BadLength;
}
/* large command's header is 4 bytes longer, so add 4 */
if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
--
1.7.9.2
++++++ U_glx_Be_more_strict_about_rejecting_invalid_image_sizes.patch ++++++
Subject: glx: Be more strict about rejecting invalid image sizes
References: bnc#907268, CVE-2014-8093
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Before this we'd just clamp the image size to 0, which was just
hideously stupid; if the parameters were such that they'd overflow an
integer, you'd allocate a small buffer, then pass huge values into (say)
ReadPixels, and now you're scribbling over arbitrary server memory.
Reviewed-by: Keith Packard
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/singlepix.c | 16 ++++++++--------
glx/singlepixswap.c | 16 ++++++++--------
2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/glx/singlepix.c b/glx/singlepix.c
index 506fdaa..8b6c261 100644
--- a/glx/singlepix.c
+++ b/glx/singlepix.c
@@ -65,7 +65,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
lsbFirst = *(GLboolean *) (pc + 25);
compsize = __glReadPixels_size(format, type, width, height);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -124,7 +124,7 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
compsize =
__glGetTexImage_size(target, level, format, type, width, height, depth);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -218,9 +218,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
if (compsize2 < 0)
- compsize2 = 0;
+ return BadLength;
compsize = __GLX_PAD(compsize);
compsize2 = __GLX_PAD(compsize2);
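Review bot: After the two new rejections, `compsize` and `compsize2` still go through `__GLX_PAD()` unchecked, so a value within 3 of INT_MAX would overflow on rounding up (assuming the macro adds 3 and masks, as `safe_pad()` in this series does). Using the checked helper closes that: `if ((compsize = safe_pad(compsize)) < 0 || (compsize2 = safe_pad(compsize2)) < 0) return BadLength;`, provided glxserver.h is visible in this file. The same two lines appear in the singlepixswap.c GetSeparableFilter hunk. How the two sizes are combined afterwards is outside the hunk.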
@@ -296,7 +296,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -365,7 +365,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -426,7 +426,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -491,7 +491,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
index 8469101..8dc304f 100644
--- a/glx/singlepixswap.c
+++ b/glx/singlepixswap.c
@@ -75,7 +75,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
lsbFirst = *(GLboolean *) (pc + 25);
compsize = __glReadPixels_size(format, type, width, height);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -144,7 +144,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
compsize =
__glGetTexImage_size(target, level, format, type, width, height, depth);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -252,9 +252,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
if (compsize2 < 0)
- compsize2 = 0;
+ return BadLength;
compsize = __GLX_PAD(compsize);
compsize2 = __GLX_PAD(compsize2);
@@ -338,7 +338,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -415,7 +415,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -483,7 +483,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -554,7 +554,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
--
1.7.9.2
++++++ U_glx_Fix_image_size_computation_for_EXT_texture_integer.patch ++++++
Subject: glx: Fix image size computation for EXT_texture_integer
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Without this we'd reject the request with BadLength. Note that some old
versions of Mesa had a bug in the same place, and would _send_ zero
bytes of image data; these will now be rejected, correctly.
Reviewed-by: Keith Packard
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/rensize.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/glx/rensize.c b/glx/rensize.c
index ba22d10..9ff73c7 100644
--- a/glx/rensize.c
+++ b/glx/rensize.c
@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
case GL_ALPHA:
case GL_LUMINANCE:
case GL_INTENSITY:
+ case GL_RED_INTEGER_EXT:
+ case GL_GREEN_INTEGER_EXT:
+ case GL_BLUE_INTEGER_EXT:
+ case GL_ALPHA_INTEGER_EXT:
+ case GL_LUMINANCE_INTEGER_EXT:
elementsPerGroup = 1;
break;
case GL_422_EXT:
@@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
case GL_DEPTH_STENCIL_MESA:
case GL_YCBCR_MESA:
case GL_LUMINANCE_ALPHA:
+ case GL_LUMINANCE_ALPHA_INTEGER_EXT:
elementsPerGroup = 2;
break;
case GL_RGB:
case GL_BGR:
+ case GL_RGB_INTEGER_EXT:
+ case GL_BGR_INTEGER_EXT:
elementsPerGroup = 3;
break;
case GL_RGBA:
case GL_BGRA:
+ case GL_RGBA_INTEGER_EXT:
+ case GL_BGRA_INTEGER_EXT:
case GL_ABGR_EXT:
elementsPerGroup = 4;
break;
--
1.7.9.2
++++++ U_glx_Fix_mask_truncation_in___glXGetAnswerBuffer.patch ++++++
Subject: glx: Fix mask truncation in __glXGetAnswerBuffer
References: bnc#907268, CVE-2014-8093
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
On a system where sizeof(unsigned) != sizeof(intptr_t), the unary
bitwise not operation will result in a mask that clears all high bits
from temp_buf in the expression:
temp_buf = (temp_buf + mask) & ~mask;
Signed-off-by: Robert Morell
Reviewed-by: Alan Coopersmith
Signed-off-by: Alan Coopersmith
---
glx/indirect_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/glx/indirect_util.c b/glx/indirect_util.c
index de81491..9ba2815 100644
--- a/glx/indirect_util.c
+++ b/glx/indirect_util.c
@@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
void *local_buffer, size_t local_size, unsigned alignment)
{
void *buffer = local_buffer;
- const unsigned mask = alignment - 1;
+ const intptr_t mask = alignment - 1;
if (local_size < required_size) {
size_t worst_case_size;
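Review bot: `mask` is only a valid alignment mask when `alignment` is a non-zero power of two, and the function neither documents nor checks that. With `alignment == 0` the unsigned subtraction yields `UINT_MAX` before the conversion to `intptr_t`. A comment on the parameter, `/* alignment must be a non-zero power of two */`, or an assertion to that effect, would make the precondition explicit. Callers are not visible in this diff.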
--
1.7.9.2
++++++ U_glx_Integer_overflow_protection_for_non_generated_render_requests.patch ++++++
Subject: glx: Integer overflow protection for non-generated render requests (v3)
References: bnc#907268, CVE-2014-8093
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
v2:
Fix constants in __glXMap2fReqSize (Michal Srb)
Validate w/h/d for proxy targets too (Keith Packard)
v3:
Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
Reviewed-by: Keith Packard
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/rensize.c | 77 ++++++++++++++++++++++++++++++---------------------------
1 file changed, 41 insertions(+), 36 deletions(-)
diff --git a/glx/rensize.c b/glx/rensize.c
index 9ff73c7..d46334a 100644
--- a/glx/rensize.c
+++ b/glx/rensize.c
@@ -43,19 +43,11 @@
(((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
-static int
-Map1Size(GLint k, GLint order)
-{
- if (order <= 0 || k < 0)
- return -1;
- return k * order;
-}
-
int
__glXMap1dReqSize(const GLbyte * pc, Bool swap)
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum *) (pc + 16);
order = *(GLint *) (pc + 20);
@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
target = SWAPL(target);
order = SWAPL(order);
}
- k = __glMap1d_size(target);
- return 8 * Map1Size(k, order);
+ if (order < 1)
+ return -1;
+ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
}
int
__glXMap1fReqSize(const GLbyte * pc, Bool swap)
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum *) (pc + 0);
order = *(GLint *) (pc + 12);
@@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
target = SWAPL(target);
order = SWAPL(order);
}
- k = __glMap1f_size(target);
- return 4 * Map1Size(k, order);
+ if (order < 1)
+ return -1;
+ return safe_mul(4, safe_mul(__glMap1f_size(target), order));
}
static int
Map2Size(int k, int majorOrder, int minorOrder)
{
- if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
+ if (majorOrder < 1 || minorOrder < 1)
return -1;
- return k * majorOrder * minorOrder;
+ return safe_mul(k, safe_mul(majorOrder, minorOrder));
}
int
__glXMap2dReqSize(const GLbyte * pc, Bool swap)
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *) (pc + 32);
uorder = *(GLint *) (pc + 36);
@@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
uorder = SWAPL(uorder);
vorder = SWAPL(vorder);
}
- k = __glMap2d_size(target);
- return 8 * Map2Size(k, uorder, vorder);
+ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
}
int
__glXMap2fReqSize(const GLbyte * pc, Bool swap)
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *) (pc + 0);
uorder = *(GLint *) (pc + 12);
@@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
uorder = SWAPL(uorder);
vorder = SWAPL(vorder);
}
- k = __glMap2f_size(target);
- return 4 * Map2Size(k, uorder, vorder);
+ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
}
/**
@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
GLint bytesPerElement, elementsPerGroup, groupsPerRow;
GLint groupSize, rowSize, padding, imageSize;
+ if (w == 0 || h == 0 || d == 0)
+ return 0;
+
if (w < 0 || h < 0 || d < 0 ||
(type == GL_BITMAP &&
(format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
return -1;
}
- if (w == 0 || h == 0 || d == 0)
- return 0;
+ /* proxy targets have no data */
switch (target) {
case GL_PROXY_TEXTURE_1D:
case GL_PROXY_TEXTURE_2D:
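Review bot: Moving the zero-size shortcut above the validity test changes what is rejected: a request with one dimension equal to 0 and another negative now returns 0 instead of -1, and so does `GL_BITMAP` with a format other than the two allowed ones. If that relaxation is not intended, keep the `w < 0 || h < 0 || d < 0` test first and place `if (w == 0 || h == 0 || d == 0) return 0;` directly after it, which still runs before the proxy-target switch. __glXImageSize's body continues outside the hunk.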
@@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
return 0;
}
+ /* real data has to have real sizes */
+ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
+ return -1;
+ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
+ return -1;
+
if (type == GL_BITMAP) {
if (rowLength > 0) {
groupsPerRow = rowLength;
@@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
groupsPerRow = w;
}
rowSize = bits_to_bytes(groupsPerRow);
+ if (rowSize < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- return ((h + skipRows) * rowSize);
+
+ return safe_mul(safe_add(h, skipRows), rowSize);
}
else {
switch (format) {
@@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
default:
return -1;
}
+ /* known safe by the switches above, not checked */
groupSize = bytesPerElement * elementsPerGroup;
if (rowLength > 0) {
groupsPerRow = rowLength;
@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
else {
groupsPerRow = w;
}
- rowSize = groupsPerRow * groupSize;
+
+ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- if (imageHeight > 0) {
- imageSize = (imageHeight + skipRows) * rowSize;
- }
- else {
- imageSize = (h + skipRows) * rowSize;
- }
- return ((d + skipImages) * imageSize);
+
+ if (imageHeight > 0)
+ h = imageHeight;
+ h = safe_add(h, skipRows);
+
+ imageSize = safe_mul(h, rowSize);
+
+ return safe_mul(safe_add(d, skipImages), imageSize);
}
}
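Review bot: `rowSize += alignment - padding;` is the one arithmetic step in this branch that is still unchecked: `safe_mul()` can hand back a `rowSize` close to INT_MAX, and rounding it up to the alignment is then a signed overflow. The later `safe_mul(h, rowSize)` would only reject it if the overflow happens to wrap negative, which C does not guarantee. Route the padding through the helper as well, `if ((rowSize = safe_add(rowSize, alignment - padding)) < 0) return -1;`. The GL_BITMAP branch in the earlier hunk has the same line, though there `rowSize` comes from `bits_to_bytes()` and is presumably much smaller.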
@@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
/* XXX Should rowLength be used for either or both image? */
image1size = __glXImageSize(format, type, 0, w, 1, 1,
0, rowLength, 0, 0, alignment);
- image1size = __GLX_PAD(image1size);
image2size = __glXImageSize(format, type, 0, h, 1, 1,
0, rowLength, 0, 0, alignment);
- return image1size + image2size;
-
+ return safe_add(safe_pad(image1size), image2size);
}
--
1.7.9.2
++++++ U_glx_Length_checking_for_GLXRender_requests.patch ++++++
Subject: glx: Length checking for GLXRender requests (v2)
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
v2:
Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
Reviewed-by: Adam Jackson
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Julien Cristau
Signed-off-by: Alan Coopersmith
---
glx/glxcmds.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 0521b58..4c2e616 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2023,7 +2023,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
left = (req->length << 2) - sz_xGLXRenderReq;
while (left > 0) {
__GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
__GLXdispatchRenderProcPtr proc;
int err;
@@ -2042,6 +2042,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
cmdlen = hdr->length;
opcode = hdr->opcode;
+ if (left < cmdlen)
+ return BadLength;
+
/*
** Check for core opcodes and grab entry data.
*/
@@ -2055,6 +2058,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
return __glXError(GLXBadRenderRequest);
}
+ if (cmdlen < entry.bytes) {
+ return BadLength;
+ }
+
if (entry.varsize) {
/* variable size command */
extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
@@ -2062,17 +2069,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
if (extra < 0) {
return BadLength;
}
- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
- return BadLength;
- }
}
- else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes)) {
- return BadLength;
- }
- }
- if (left < cmdlen) {
+
+ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
return BadLength;
}
--
1.7.9.2
++++++ U_glx_Length_checking_for_RenderLarge_requests.patch ++++++
Subject: glx: Length checking for RenderLarge requests (v2)
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
This is a half-measure until we start passing request length into the
varsize function, but it's better than the nothing we had before.
v2: Verify that there's at least a large render header's worth of
dataBytes (Julien Cristau)
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/glxcmds.c | 57 ++++++++++++++++++++++++++++++++++-----------------------
1 file changed, 34 insertions(+), 23 deletions(-)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 4c2e616..0e7efcc 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2107,6 +2107,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
+
req = (xGLXRenderLargeReq *) pc;
if (client->swapped) {
__GLX_SWAP_SHORT(&req->length);
@@ -2122,12 +2124,14 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
__glXResetLargeCommandStatus(cl);
return error;
}
+ if (safe_pad(req->dataBytes) < 0)
+ return BadLength;
dataBytes = req->dataBytes;
/*
** Check the request length.
*/
- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
+ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
client->errorValue = req->length;
/* Reset in case this isn't 1st request. */
__glXResetLargeCommandStatus(cl);
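Review bot: The new `return BadLength` after `safe_pad(req->dataBytes) < 0` leaves without calling `__glXResetLargeCommandStatus(cl)`, while the error paths immediately before and after it both reset, the latter with the comment "Reset in case this isn't 1st request". A failed continuation request would therefore leave the partial large-command state in place. Add the reset before the return: `__glXResetLargeCommandStatus(cl);` then `return BadLength;`, with braces around the pair.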
@@ -2137,7 +2141,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
if (cl->largeCmdRequestsSoFar == 0) {
__GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
size_t cmdlen;
int err;
@@ -2150,13 +2154,17 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
return __glXError(GLXBadLargeRequest);
}
+ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
+ return BadLength;
+
hdr = (__GLXrenderLargeHeader *) pc;
if (client->swapped) {
__GLX_SWAP_INT(&hdr->length);
__GLX_SWAP_INT(&hdr->opcode);
}
- cmdlen = hdr->length;
opcode = hdr->opcode;
+ if ((cmdlen = safe_pad(hdr->length)) < 0)
+ return BadLength;
/*
** Check for core opcodes and grab entry data.
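Review bot: `(cmdlen = safe_pad(hdr->length)) < 0` can never be true if `cmdlen` is the `size_t` declared in the previous hunk, because the -1 from `safe_pad()` is converted to an unsigned value before the comparison. The rejection this line is meant to provide is then dead code, and the later `cmdlen != safe_pad(...)` comparison mixes signed and unsigned as well. Declaring it `int cmdlen;` makes the test effective (the helper returns `int` anyway). The declaration and the use are in separate hunks, so confirm they are the same variable.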
@@ -2178,17 +2186,13 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
if (extra < 0) {
return BadLength;
}
- /* large command's header is 4 bytes longer, so add 4 */
- if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
- return BadLength;
- }
}
- else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes + 4)) {
- return BadLength;
- }
+
+ /* the +4 is safe because we know entry.bytes is small */
+ if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) {
+ return BadLength;
}
+
/*
** Make enough space in the buffer, then copy the entire request.
*/
@@ -2215,6 +2219,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
** We are receiving subsequent (i.e. not the first) requests of a
** multi request command.
*/
+ int bytesSoFar; /* including this packet */
/*
** Check the request number and the total request count.
@@ -2233,11 +2238,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
/*
** Check that we didn't get too much data.
*/
- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
+ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
+ client->errorValue = dataBytes;
+ __glXResetLargeCommandStatus(cl);
+ return __glXError(GLXBadLargeRequest);
+ }
+
+ if (bytesSoFar > cl->largeCmdBytesTotal) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXError(GLXBadLargeRequest);
}
+
memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
cl->largeCmdBytesSoFar += dataBytes;
cl->largeCmdRequestsSoFar++;
@@ -2241,17 +2253,16 @@ __glXDisp_RenderLarge(__GLXclientState *
** This is the last request; it must have enough bytes to complete
** the command.
*/
- /* NOTE: the two pad macros have been added below; they are needed
- ** because the client library pads the total byte count, but not
- ** the per-request byte counts. The Protocol Encoding says the
- ** total byte count should not be padded, so a proposal will be
- ** made to the ARB to relax the padding constraint on the total
- ** byte count, thus preserving backward compatibility. Meanwhile,
- ** the padding done below fixes a bug that did not allow
- ** large commands of odd sizes to be accepted by the server.
+ /* NOTE: the pad macro below is needed because the client library
+ ** pads the total byte count, but not the per-request byte counts.
+ ** The Protocol Encoding says the total byte count should not be
+ ** padded, so a proposal will be made to the ARB to relax the
+ ** padding constraint on the total byte count, thus preserving
+ ** backward compatibility. Meanwhile, the padding done below
+ ** fixes a bug that did not allow large commands of odd sizes to
+ ** be accepted by the server.
*/
- if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
- __GLX_PAD(cl->largeCmdBytesTotal)) {
+ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXError(GLXBadLargeRequest);
++++++ U_glx_Length_checking_for_non_generated_single_request.patch ++++++
Subject: glx: Length checking for non-generated single requests (v2)
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
v2:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)
v3:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Julien Cristau
Signed-off-by: Alan Coopersmith
---
glx/indirect_texture_compression.c | 4 ++++
glx/single2.c | 23 +++++++++++++++----
glx/single2swap.c | 19 ++++++++++++----
glx/singlepix.c | 44 ++++++++++++++++++++++++------------
glx/singlepixswap.c | 34 ++++++++++++++++++++++++----
5 files changed, 95 insertions(+), 29 deletions(-)
diff --git a/glx/indirect_texture_compression.c b/glx/indirect_texture_compression.c
index cda7656..1ebf7f3 100644
--- a/glx/indirect_texture_compression.c
+++ b/glx/indirect_texture_compression.c
@@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
__GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
pc += __GLX_SINGLE_HDR_SIZE;
if (cx != NULL) {
const GLenum target = *(GLenum *) (pc + 0);
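Review bot: `REQUEST_FIXED_SIZE(xGLXSingleReq, 8)` runs after `__glXForceCurrent()` has already been called in the declaration above it, so a request that is about to be rejected for its length has by then been used to look up a context and, presumably, make it current. Splitting the declaration from the call and doing the length check first avoids acting on a malformed request; the swapped variant in the next hunk has the same shape. The literal `8` also deserves a comment naming the payload fields it covers. The function body continues outside the hunk.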
@@ -87,6 +89,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
__glXForceCurrent(cl, bswap_32(req->contextTag), &error);
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
pc += __GLX_SINGLE_HDR_SIZE;
if (cx != NULL) {
const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
diff --git a/glx/single2.c b/glx/single2.c
index 53b661d..a6ea614 100644
--- a/glx/single2.c
+++ b/glx/single2.c
@@ -45,11 +45,14 @@
int
__glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
GLsizei size;
GLenum type;
__GLXcontext *cx;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
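Review bot: The `8` in `REQUEST_FIXED_SIZE(xGLXSingleReq, 8)` at the top of `__glXDisp_FeedbackBuffer` is an unexplained literal, so a reader cannot confirm it matches the bytes the function later reads from `pc`. It presumably covers the `size` and `type` fields declared just above, which a short comment would make checkable: `/* payload after the single header: size (4) + type (4) */`. The same applies to the literals 4, 16, 20 and 28 passed to `REQUEST_FIXED_SIZE` in the other hunks of this patch. The function body continues outside the hunk.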
@@ -76,10 +79,13 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -104,7 +110,7 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
xGLXRenderModeReply reply;
__GLXcontext *cx;
GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@@ -112,6 +118,8 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
GLenum newMode;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -188,7 +196,6 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
- client = cl->client;
reply = (xGLXRenderModeReply) {
.type = X_Reply,
.sequenceNumber = client->sequence,
@@ -207,9 +214,12 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -223,10 +233,12 @@ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
- ClientPtr client;
int error;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -317,7 +329,7 @@ __glXcombine_strings(const char *cext_string, const char *sext_string)
int
DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLenum name;
const char *string;
@@ -327,6 +339,8 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
char *buf = NULL, *buf1 = NULL;
GLint length = 0;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
/* If the client has the opposite byte order, swap the contextTag and
* the name.
*/
@@ -343,7 +357,6 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
pc += __GLX_SINGLE_HDR_SIZE;
name = *(GLenum *) (pc + 0);
string = (const char *) glGetString(name);
- client = cl->client;
if (string == NULL)
string = "";
diff --git a/glx/single2swap.c b/glx/single2swap.c
index 764501f..5349069 100644
--- a/glx/single2swap.c
+++ b/glx/single2swap.c
@@ -41,6 +41,7 @@
int
__glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
GLsizei size;
GLenum type;
@@ -48,6 +49,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
__GLXcontext *cx;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -77,12 +80,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
__GLX_DECLARE_SWAP_VARIABLES;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -109,7 +115,7 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
__GLXcontext *cx;
xGLXRenderModeReply reply;
GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@@ -120,6 +126,8 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -200,7 +208,6 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
- client = cl->client;
reply = (xGLXRenderModeReply) {
.type = X_Reply,
.sequenceNumber = client->sequence,
@@ -224,11 +231,14 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -243,12 +253,14 @@ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
- ClientPtr client;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -260,7 +272,6 @@ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
cx->hasUnflushedCommands = GL_FALSE;
/* Send empty reply packet to indicate finish is finished */
- client = cl->client;
__GLX_BEGIN_REPLY(0);
__GLX_PUT_RETVAL(0);
__GLX_SWAP_REPLY_HEADER();
diff --git a/glx/singlepix.c b/glx/singlepix.c
index 8b6c261..54ed7fd 100644
--- a/glx/singlepix.c
+++ b/glx/singlepix.c
@@ -51,6 +51,8 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
int error;
char *answer, answerBuffer[200];
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -100,6 +102,8 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
char *answer, answerBuffer[200];
GLint width = 0, height = 0, depth = 1;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -157,6 +161,8 @@ __glXDisp_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
GLubyte answerBuffer[200];
char *answer;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -217,15 +223,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- if (compsize < 0)
+ if ((compsize = safe_pad(compsize)) < 0)
return BadLength;
- if (compsize2 < 0)
+ if ((compsize2 = safe_pad(compsize2)) < 0)
return BadLength;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
*(GLenum *) (pc + 8), answer, answer + compsize, NULL);
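Review bot: The result of `safe_add(compsize, compsize2)` is passed straight into `__GLX_GET_ANSWER_BUFFER` with no check of its own, unlike the two `safe_pad` results just above, which return `BadLength` when negative. Whether an overflowed sum is rejected therefore depends on the macro's definition, which is outside this hunk, and a macro may also expand its size argument more than once. Computing the sum into a local keeps the rejection visible at the call site: `const int total = safe_add(compsize, compsize2);` then `if (total < 0) return BadLength;`. The `GetSeparableFilter` hunk in glx/singlepixswap.c has the same shape; the function starts and ends outside the hunk.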
@@ -249,7 +253,8 @@ int
__glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -257,7 +262,8 @@ int
__glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -323,7 +329,8 @@ int
__glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -331,7 +338,8 @@ int
__glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -390,7 +398,8 @@ int
__glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -398,7 +407,8 @@ int
__glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -450,7 +460,8 @@ int
__glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -458,7 +469,8 @@ int
__glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -517,7 +529,8 @@ int
__glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -525,6 +538,7 @@ int
__glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
index 8dc304f..9eff592 100644
--- a/glx/singlepixswap.c
+++ b/glx/singlepixswap.c
@@ -53,6 +53,8 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
int error;
char *answer, answerBuffer[200];
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -114,6 +116,8 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
char *answer, answerBuffer[200];
GLint width = 0, height = 0, depth = 1;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -184,6 +188,8 @@ __glXDispSwap_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -251,15 +257,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- if (compsize < 0)
+ if ((compsize = safe_pad(compsize)) < 0)
return BadLength;
- if (compsize2 < 0)
+ if ((compsize2 = safe_pad(compsize2)) < 0)
return BadLength;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
*(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@@ -285,7 +289,9 @@ int
__glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -293,7 +299,9 @@ int
__glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -367,7 +375,9 @@ int
__glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -375,7 +385,9 @@ int
__glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -441,7 +453,9 @@ int
__glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -449,7 +463,9 @@ int
__glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -507,7 +523,9 @@ int
__glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -515,7 +533,9 @@ int
__glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -581,7 +601,9 @@ int
__glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -589,6 +611,8 @@ int
__glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
--
1.7.9.2
++++++ U_glx_Length_checking_for_non_generated_vendor_private_requests.patch ++++++
Subject: glx: Length-checking for non-generated vendor private requests
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Reviewed-by: Keith Packard
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/indirect_program.c | 2 ++
glx/swap_interval.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/glx/indirect_program.c b/glx/indirect_program.c
index cda139e..5caee7b 100644
--- a/glx/indirect_program.c
+++ b/glx/indirect_program.c
@@ -56,6 +56,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc,
__GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
+
pc += __GLX_VENDPRIV_HDR_SIZE;
if (cx != NULL) {
GLenum target;
diff --git a/glx/swap_interval.c b/glx/swap_interval.c
index 17bc992..2320550 100644
--- a/glx/swap_interval.c
+++ b/glx/swap_interval.c
@@ -46,6 +46,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap)
__GLXcontext *cx;
GLint interval;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
+
cx = __glXLookupContextByTag(cl, tag);
if ((cx == NULL) || (cx->pGlxScreen == NULL)) {
--
1.7.9.2
++++++ U_glx_Pass_remaining_request_length_into_varsize.patch ++++++
++++ 915 lines (skipped)
++++++ U_glx_Request_length_checks_for_SetClientInfoARB.patch ++++++
Subject: glx: Request length checks for SetClientInfoARB
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Reviewed-by: Keith Packard
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/clientinfo.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/glx/clientinfo.c b/glx/clientinfo.c
index 4aaa4c9..c5fef30 100644
--- a/glx/clientinfo.c
+++ b/glx/clientinfo.c
@@ -33,18 +33,21 @@ static int
set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
unsigned bytes_per_version)
{
+ ClientPtr client = cl->client;
char *gl_extensions;
char *glx_extensions;
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
/* Verify that the size of the packet matches the size inferred from the
* sizes specified for the various fields.
*/
- const unsigned expected_size = sz_xGLXSetClientInfoARBReq
- + (req->numVersions * bytes_per_version)
- + __GLX_PAD(req->numGLExtensionBytes)
- + __GLX_PAD(req->numGLXExtensionBytes);
+ int size = sz_xGLXSetClientInfoARBReq;
+ size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
+ size = safe_add(size, safe_pad(req->numGLExtensionBytes));
+ size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
- if (req->length != (expected_size / 4))
+ if (size < 0 || req->length != (size / 4))
return BadLength;
/* Verify that the actual length of the GL extension string matches what's
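Review bot: The comparison `req->length != (size / 4)` in `set_client_info` still trusts the 16-bit `length` field carried inside the request, although `client` is now in scope. The swapped callers byte-swap that field by hand before calling in, so the value compared is one the handler itself rewrote rather than the length the server recorded for the request. Comparing with the server-side value matches what the `REQUEST_AT_LEAST_SIZE` macro added above presumably checks: `if (size < 0 || client->req_len != (size / 4))`. The function body continues outside the hunk.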
@@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
req->length = bswap_16(req->length);
req->numVersions = bswap_32(req->numVersions);
req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
@@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
req->length = bswap_16(req->length);
req->numVersions = bswap_32(req->numVersions);
req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
--
1.7.9.2
++++++ U_glx_Top_level_length_checking_for_swapped_VendorPrivate_requests.patch ++++++
Subject: glx: Top-level length checking for swapped VendorPrivate requests
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Reviewed-by: Keith Packard
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/glxcmdsswap.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 5d179f3..9ec1222 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req;
GLint vendorcode;
__GLXdispatchVendorPrivProcPtr proc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
req = (xGLXVendorPrivateReq *) pc;
__GLX_SWAP_SHORT(&req->length);
@@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateWithReplyReq *req;
GLint vendorcode;
__GLXdispatchVendorPrivProcPtr proc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
req = (xGLXVendorPrivateWithReplyReq *) pc;
__GLX_SWAP_SHORT(&req->length);
--
1.7.9.2
++++++ U_include-vencrypt-only-if-any-subtype-present.patch ++++++
Index: common/rfb/Security.cxx
===================================================================
--- common/rfb/Security.cxx (revision 5186)
+++ common/rfb/Security.cxx (working copy)
@@ -71,10 +71,15 @@
listrdr::U8 result;
list<U32>::iterator i;
- result.push_back(secTypeVeNCrypt);
+ bool VeNCryptPresent = false;
for (i = enabledSecTypes.begin(); i != enabledSecTypes.end(); i++)
- if (*i < 0x100)
+ if (*i < 0x100) {
result.push_back(*i);
+ } else {
+ if(!VeNCryptPresent)
+ result.push_back(secTypeVeNCrypt);
+ VeNCryptPresent = true;
+ }
return result;
}
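Review bot: The position of `secTypeVeNCrypt` in the returned list now depends on where the first extended type (`>= 0x100`) sits in `enabledSecTypes`, whereas the removed line always put it first. If clients treat the order as a preference order (not visible in this hunk), any basic type listed before the first extended one is now offered ahead of VeNCrypt, which can steer a client toward a weaker type. Keeping the old position while still omitting it when unused would be: set `VeNCryptPresent = true;` in the `else` branch and, after the loop, `if (VeNCryptPresent) result.push_front(secTypeVeNCrypt);`. The function's signature is outside the hunk.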
++++++ U_present_unvalidated_lengths_in_Present_extension_procs.patch ++++++
Subject: present: unvalidated lengths in Present extension procs
References: bnc#907268, CVE-2014-8103
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
Reviewed-by: Julien Cristau
---
present/present_request.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/present/present_request.c b/present/present_request.c
index 835890d..7c53e72 100644
--- a/present/present_request.c
+++ b/present/present_request.c
@@ -210,6 +210,7 @@ proc_present_query_capabilities (ClientPtr client)
RRCrtcPtr crtc = NULL;
int r;
+ REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess);
switch (r) {
case Success:
@@ -254,6 +255,7 @@ static int
sproc_present_query_version(ClientPtr client)
{
REQUEST(xPresentQueryVersionReq);
+ REQUEST_SIZE_MATCH(xPresentQueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
@@ -265,6 +267,7 @@ static int
sproc_present_pixmap(ClientPtr client)
{
REQUEST(xPresentPixmapReq);
+ REQUEST_AT_LEAST_SIZE(xPresentPixmapReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -284,6 +287,7 @@ static int
sproc_present_notify_msc(ClientPtr client)
{
REQUEST(xPresentNotifyMSCReq);
+ REQUEST_SIZE_MATCH(xPresentNotifyMSCReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -297,6 +301,7 @@ static int
sproc_present_select_input (ClientPtr client)
{
REQUEST(xPresentSelectInputReq);
+ REQUEST_SIZE_MATCH(xPresentSelectInputReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -308,6 +313,7 @@ static int
sproc_present_query_capabilities (ClientPtr client)
{
REQUEST(xPresentQueryCapabilitiesReq);
+ REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
swaps(&stuff->length);
swapl(&stuff->target);
return (*proc_present_vector[stuff->presentReqType]) (client);
--
1.7.9.2
++++++ U_randr_unvalidated_lengths_in_RandR_extension_swapped_procs.patch ++++++
Subject: randr: unvalidated lengths in RandR extension swapped procs
References: bnc#907268, CVE-2014-8101
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
randr/rrsdispatch.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c
index 08c3b6a..47558cf 100644
--- a/randr/rrsdispatch.c
+++ b/randr/rrsdispatch.c
@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
{
REQUEST(xRRQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRRQueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
swapl(&stuff->minorVersion);
@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
{
REQUEST(xRRGetScreenInfoReq);
+ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
swaps(&stuff->length);
swapl(&stuff->window);
return (*ProcRandrVector[stuff->randrReqType]) (client);
@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
{
REQUEST(xRRSelectInputReq);
+ REQUEST_SIZE_MATCH(xRRSelectInputReq);
swaps(&stuff->length);
swapl(&stuff->window);
swaps(&stuff->enable);
@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
{
REQUEST(xRRConfigureOutputPropertyReq);
+ REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
swaps(&stuff->length);
swapl(&stuff->output);
swapl(&stuff->property);
--
1.7.9.2
++++++ U_render_check_request_size_before_reading_it.patch ++++++
Subject: render: check request size before reading it
References: bnc#907268, CVE-2014-8100
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Otherwise we may be reading outside of the client request.
Signed-off-by: Julien Cristau
Reviewed-by: Alan Coopersmith
Signed-off-by: Alan Coopersmith
---
render/render.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/render/render.c b/render/render.c
index e3031da..200e0c8 100644
--- a/render/render.c
+++ b/render/render.c
@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+
pRenderClient->major_version = stuff->majorVersion;
pRenderClient->minor_version = stuff->minorVersion;
- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
-
if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
(SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
rep.majorVersion = stuff->majorVersion;
--
1.7.9.2
++++++ U_render_unvalidated_lengths_in_Render_extn_swapped_procs.patch ++++++
Subject: render: unvalidated lengths in Render extn. swapped procs
References: bnc#907268, CVE-2014-8100
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
render/render.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/render/render.c b/render/render.c
index 200e0c8..723f380 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1995,7 +1995,7 @@ static int
SProcRenderQueryVersion(ClientPtr client)
{
REQUEST(xRenderQueryVersionReq);
-
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
swapl(&stuff->minorVersion);
@@ -2006,6 +2006,7 @@ static int
SProcRenderQueryPictFormats(ClientPtr client)
{
REQUEST(xRenderQueryPictFormatsReq);
+ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
swaps(&stuff->length);
return (*ProcRenderVector[stuff->renderReqType]) (client);
}
@@ -2014,6 +2015,7 @@ static int
SProcRenderQueryPictIndexValues(ClientPtr client)
{
REQUEST(xRenderQueryPictIndexValuesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
swaps(&stuff->length);
swapl(&stuff->format);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2029,6 +2031,7 @@ static int
SProcRenderCreatePicture(ClientPtr client)
{
REQUEST(xRenderCreatePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
swaps(&stuff->length);
swapl(&stuff->pid);
swapl(&stuff->drawable);
@@ -2042,6 +2045,7 @@ static int
SProcRenderChangePicture(ClientPtr client)
{
REQUEST(xRenderChangePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
swaps(&stuff->length);
swapl(&stuff->picture);
swapl(&stuff->mask);
@@ -2053,6 +2057,7 @@ static int
SProcRenderSetPictureClipRectangles(ClientPtr client)
{
REQUEST(xRenderSetPictureClipRectanglesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
swaps(&stuff->length);
swapl(&stuff->picture);
swaps(&stuff->xOrigin);
@@ -2065,6 +2070,7 @@ static int
SProcRenderFreePicture(ClientPtr client)
{
REQUEST(xRenderFreePictureReq);
+ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
swaps(&stuff->length);
swapl(&stuff->picture);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2074,6 +2080,7 @@ static int
SProcRenderComposite(ClientPtr client)
{
REQUEST(xRenderCompositeReq);
+ REQUEST_SIZE_MATCH(xRenderCompositeReq);
swaps(&stuff->length);
swapl(&stuff->src);
swapl(&stuff->mask);
@@ -2093,6 +2100,7 @@ static int
SProcRenderScale(ClientPtr client)
{
REQUEST(xRenderScaleReq);
+ REQUEST_SIZE_MATCH(xRenderScaleReq);
swaps(&stuff->length);
swapl(&stuff->src);
swapl(&stuff->dst);
@@ -2193,6 +2201,7 @@ static int
SProcRenderCreateGlyphSet(ClientPtr client)
{
REQUEST(xRenderCreateGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
swaps(&stuff->length);
swapl(&stuff->gsid);
swapl(&stuff->format);
@@ -2203,6 +2212,7 @@ static int
SProcRenderReferenceGlyphSet(ClientPtr client)
{
REQUEST(xRenderReferenceGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
swaps(&stuff->length);
swapl(&stuff->gsid);
swapl(&stuff->existing);
@@ -2213,6 +2223,7 @@ static int
SProcRenderFreeGlyphSet(ClientPtr client)
{
REQUEST(xRenderFreeGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
swaps(&stuff->length);
swapl(&stuff->glyphset);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client)
xGlyphInfo *gi;
REQUEST(xRenderAddGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
swaps(&stuff->length);
swapl(&stuff->glyphset);
swapl(&stuff->nglyphs);
@@ -2261,6 +2273,7 @@ static int
SProcRenderFreeGlyphs(ClientPtr client)
{
REQUEST(xRenderFreeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
swaps(&stuff->length);
swapl(&stuff->glyphset);
SwapRestL(stuff);
@@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client)
int size;
REQUEST(xRenderCompositeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
switch (stuff->renderReqType) {
default:
--
1.7.9.2
++++++ U_tigervnc-Add-AccessSetDesktopSize-right.patch ++++++
Subject: Add AccessSetDesktopSize right.
Patch-Mainline: Upstream
Git-commit: b318b8f978a6f6b99578ec39a5dbd9b7dc860505
References: bnc#901752
Signed-off-by: Michal Srb
So clients with limited access rights can not affect it.
---
common/rfb/SConnection.cxx | 15 ++++++++-------
common/rfb/SConnection.h | 15 ++++++++-------
common/rfb/ServerCore.cxx | 4 ++++
common/rfb/ServerCore.h | 1 +
common/rfb/VNCSConnectionST.cxx | 3 +++
5 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/common/rfb/SConnection.cxx b/common/rfb/SConnection.cxx
index 4bf0f93..20182a0 100644
--- a/common/rfb/SConnection.cxx
+++ b/common/rfb/SConnection.cxx
@@ -37,13 +37,14 @@ using namespace rfb;
static LogWriter vlog("SConnection");
// AccessRights values
-const SConnection::AccessRights SConnection::AccessView = 0x0001;
-const SConnection::AccessRights SConnection::AccessKeyEvents = 0x0002;
-const SConnection::AccessRights SConnection::AccessPtrEvents = 0x0004;
-const SConnection::AccessRights SConnection::AccessCutText = 0x0008;
-const SConnection::AccessRights SConnection::AccessDefault = 0x03ff;
-const SConnection::AccessRights SConnection::AccessNoQuery = 0x0400;
-const SConnection::AccessRights SConnection::AccessFull = 0xffff;
+const SConnection::AccessRights SConnection::AccessView = 0x0001;
+const SConnection::AccessRights SConnection::AccessKeyEvents = 0x0002;
+const SConnection::AccessRights SConnection::AccessPtrEvents = 0x0004;
+const SConnection::AccessRights SConnection::AccessCutText = 0x0008;
+const SConnection::AccessRights SConnection::AccessSetDesktopSize = 0x0010;
+const SConnection::AccessRights SConnection::AccessDefault = 0x03ff;
+const SConnection::AccessRights SConnection::AccessNoQuery = 0x0400;
+const SConnection::AccessRights SConnection::AccessFull = 0xffff;
SConnection::SConnection(bool reverseConnection_)
diff --git a/common/rfb/SConnection.h b/common/rfb/SConnection.h
index f712417..0379b17 100644
--- a/common/rfb/SConnection.h
+++ b/common/rfb/SConnection.h
@@ -122,13 +122,14 @@ namespace rfb {
// is up to the derived class.
typedef rdr::U16 AccessRights;
- static const AccessRights AccessView; // View display contents
- static const AccessRights AccessKeyEvents; // Send key events
- static const AccessRights AccessPtrEvents; // Send pointer events
- static const AccessRights AccessCutText; // Send/receive clipboard events
- static const AccessRights AccessDefault; // The default rights, INCLUDING FUTURE ONES
- static const AccessRights AccessNoQuery; // Connect without local user accepting
- static const AccessRights AccessFull; // All of the available AND FUTURE rights
+ static const AccessRights AccessView; // View display contents
+ static const AccessRights AccessKeyEvents; // Send key events
+ static const AccessRights AccessPtrEvents; // Send pointer events
+ static const AccessRights AccessCutText; // Send/receive clipboard events
+ static const AccessRights AccessSetDesktopSize; // Change desktop size
+ static const AccessRights AccessDefault; // The default rights, INCLUDING FUTURE ONES
+ static const AccessRights AccessNoQuery; // Connect without local user accepting
+ static const AccessRights AccessFull; // All of the available AND FUTURE rights
virtual void setAccessRights(AccessRights ar) = 0;
// Other methods
diff --git a/common/rfb/ServerCore.cxx b/common/rfb/ServerCore.cxx
index ae2fd24..b11a352 100644
--- a/common/rfb/ServerCore.cxx
+++ b/common/rfb/ServerCore.cxx
@@ -89,6 +89,10 @@ rfb::BoolParameter rfb::Server::sendCutText
("SendCutText",
"Send clipboard changes to clients.",
true);
+rfb::BoolParameter rfb::Server::acceptSetDesktopSize
+("AcceptSetDesktopSize",
+ "Accept set desktop size events from clients.",
+ true);
rfb::BoolParameter rfb::Server::queryConnect
("QueryConnect",
"Prompt the local user to accept or reject incoming connections.",
diff --git a/common/rfb/ServerCore.h b/common/rfb/ServerCore.h
index e12a8bc..5fc996f 100644
--- a/common/rfb/ServerCore.h
+++ b/common/rfb/ServerCore.h
@@ -46,6 +46,7 @@ namespace rfb {
static BoolParameter acceptPointerEvents;
static BoolParameter acceptCutText;
static BoolParameter sendCutText;
+ static BoolParameter acceptSetDesktopSize;
static BoolParameter queryConnect;
};
diff --git a/common/rfb/VNCSConnectionST.cxx b/common/rfb/VNCSConnectionST.cxx
index 618048a..274c496 100644
--- a/common/rfb/VNCSConnectionST.cxx
+++ b/common/rfb/VNCSConnectionST.cxx
@@ -584,6 +584,9 @@ void VNCSConnectionST::setDesktopSize(int fb_width, int fb_height,
{
unsigned int result;
+ if (!(accessRights & AccessSetDesktopSize)) return;
+ if (!rfb::Server::acceptSetDesktopSize) return;
+
// Don't bother the desktop with an invalid configuration
if (!layout.validate(fb_width, fb_height)) {
writer()->writeExtendedDesktopSize(reasonClient, resultInvalid,
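Review bot: The two added early returns in `setDesktopSize` drop a refused request silently: no reply goes to the client and nothing is logged, while the invalid-layout path right below answers through `writer()->writeExtendedDesktopSize(reasonClient, resultInvalid, ...)`. A client that lacks `AccessSetDesktopSize`, or that meets `AcceptSetDesktopSize` switched off, cannot tell a refusal from a lost message, and the operator has no trace of the denied attempt. I would reply on the refusal path as well, using whatever "prohibited" result code this tree defines next to `resultInvalid`, and add `vlog.debug("Rejecting unauthorized framebuffer resize request");` before returning. The function body continues outside the hunk.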
--
1.8.4.5
++++++ U_tigervnc-Allow-SSecurity-to-specify-AccessRights-for-SConnect.patch ++++++
Subject: Allow SSecurity to specify AccessRights for SConnection.
Patch-Mainline: Upstream
Git-commit: 8d1ee00bea125fa5f3e6ad7cf816e80890fb17d3
References: bnc#901752
Singed-off-by: Michal Srb
SConnection has AccessRights property that specifies what connected client can
do. Set this property to value given by SSecurity after successful
authentication. This way individual SSecurity subclasses can accept clients but
restrict their access.
---
common/rfb/SConnection.cxx | 2 ++
common/rfb/SConnection.h | 1 -
common/rfb/SSecurity.h | 5 +++--
common/rfb/Security.h | 1 -
common/rfb/SecurityServer.h | 3 ++-
5 files changed, 7 insertions(+), 5 deletions(-)
Index: tigervnc-1.4.1/common/rfb/SConnection.cxx
===================================================================
--- tigervnc-1.4.1.orig/common/rfb/SConnection.cxx
+++ tigervnc-1.4.1/common/rfb/SConnection.cxx
@@ -28,6 +28,7 @@
#include
#include
#include
+#include
#include
@@ -223,6 +224,7 @@ void SConnection::processSecurityMsg()
if (done) {
state_ = RFBSTATE_QUERYING;
queryConnection(ssecurity->getUserName());
+ setAccessRights(ssecurity->getAccessRights());
}
} catch (AuthFailureException& e) {
vlog.error("AuthFailureException: %s", e.str());
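Review bot: `setAccessRights(ssecurity->getAccessRights());` runs after `queryConnection(...)`, so anything `queryConnection` decides from the connection's access rights still sees the value from before authentication. An `AccessNoQuery` test in the derived class would be one such decision, but it is not visible here. If the query is approved synchronously, the connection would also leave `RFBSTATE_QUERYING` before the restricted rights are stored. Swapping the two added/context lines keeps the rights in place first: `setAccessRights(ssecurity->getAccessRights());` followed by `queryConnection(ssecurity->getUserName());`. The enclosing function starts and ends outside the hunk.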
Index: tigervnc-1.4.1/common/rfb/SConnection.h
===================================================================
--- tigervnc-1.4.1.orig/common/rfb/SConnection.h
+++ tigervnc-1.4.1/common/rfb/SConnection.h
@@ -28,7 +28,6 @@
#include
#include
#include
-#include
namespace rfb {
Index: tigervnc-1.4.1/common/rfb/SSecurity.h
===================================================================
--- tigervnc-1.4.1.orig/common/rfb/SSecurity.h
+++ tigervnc-1.4.1/common/rfb/SSecurity.h
@@ -44,13 +44,12 @@
#define __RFB_SSECURITY_H__
#include
+#include
#include
#include <list>
namespace rfb {
- class SConnection;
-
class SSecurity {
public:
virtual ~SSecurity() {}
@@ -63,6 +62,8 @@ namespace rfb {
// necessary. Null may be returned to indicate that there is no user name
// for this security type.
virtual const char* getUserName() const = 0;
+
+ virtual SConnection::AccessRights getAccessRights() const { return SConnection::AccessDefault; }
};
}
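Review bot: The new virtual `getAccessRights()` carries no comment, and its default silently grants `SConnection::AccessDefault`, which SConnection.h describes as including future rights. Any SSecurity subclass that does not override it therefore hands out every default right, including ones added later. I would document that contract above the declaration, e.g. `// getAccessRights() returns the rights granted to the authenticated client. The default is AccessDefault; security types that restrict clients must override it.`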
Index: tigervnc-1.4.1/common/rfb/Security.h
===================================================================
--- tigervnc-1.4.1.orig/common/rfb/Security.h
+++ tigervnc-1.4.1/common/rfb/Security.h
@@ -25,7 +25,6 @@
#include
#include
#include
-#include
#include <list>
Index: tigervnc-1.4.1/common/rfb/SecurityServer.h
===================================================================
--- tigervnc-1.4.1.orig/common/rfb/SecurityServer.h
+++ tigervnc-1.4.1/common/rfb/SecurityServer.h
@@ -22,9 +22,10 @@
#include
#include
-#include
namespace rfb {
+
+ class SSecurity;
class SecurityServer : public Security {
public:
++++++ U_tigervnc-Limit-access-to-non-shared-mode.patch ++++++
Subject: Limit access to non-shared mode
Patch-Mainline: Upstream
Git-commit: e7be49b57353e66fcbe8702edbeeed393e254ff9
References: bnc#901752
Singed-off-by: Michal Srb
A read-only client should not be allowed to kick out other clients.
It will be forced into shared mode, or refused the connection, depending
on the neverShared parameter.
---
common/rfb/SConnection.cxx | 1 +
common/rfb/SConnection.h | 1 +
common/rfb/VNCSConnectionST.cxx | 3 ++-
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/common/rfb/SConnection.cxx b/common/rfb/SConnection.cxx
index 20182a0..99a4850 100644
--- a/common/rfb/SConnection.cxx
+++ b/common/rfb/SConnection.cxx
@@ -42,6 +42,7 @@ const SConnection::AccessRights SConnection::AccessKeyEvents = 0x0002;
const SConnection::AccessRights SConnection::AccessPtrEvents = 0x0004;
const SConnection::AccessRights SConnection::AccessCutText = 0x0008;
const SConnection::AccessRights SConnection::AccessSetDesktopSize = 0x0010;
+const SConnection::AccessRights SConnection::AccessNonShared = 0x0020;
const SConnection::AccessRights SConnection::AccessDefault = 0x03ff;
const SConnection::AccessRights SConnection::AccessNoQuery = 0x0400;
const SConnection::AccessRights SConnection::AccessFull = 0xffff;
diff --git a/common/rfb/SConnection.h b/common/rfb/SConnection.h
index 0379b17..005a7a8 100644
--- a/common/rfb/SConnection.h
+++ b/common/rfb/SConnection.h
@@ -127,6 +127,7 @@ namespace rfb {
static const AccessRights AccessPtrEvents; // Send pointer events
static const AccessRights AccessCutText; // Send/receive clipboard events
static const AccessRights AccessSetDesktopSize; // Change desktop size
+ static const AccessRights AccessNonShared; // Exclusive access to the server
static const AccessRights AccessDefault; // The default rights, INCLUDING FUTURE ONES
static const AccessRights AccessNoQuery; // Connect without local user accepting
static const AccessRights AccessFull; // All of the available AND FUTURE rights
diff --git a/common/rfb/VNCSConnectionST.cxx b/common/rfb/VNCSConnectionST.cxx
index 274c496..e30b4f4 100644
--- a/common/rfb/VNCSConnectionST.cxx
+++ b/common/rfb/VNCSConnectionST.cxx
@@ -445,9 +445,10 @@ void VNCSConnectionST::clientInit(bool shared)
{
lastEventTime = time(0);
if (rfb::Server::alwaysShared || reverseConnection) shared = true;
+ if (!(accessRights & AccessNonShared)) shared = true;
if (rfb::Server::neverShared) shared = false;
if (!shared) {
- if (rfb::Server::disconnectClients) {
+ if (rfb::Server::disconnectClients && (accessRights & AccessNonShared)) {
// - Close all the other connected clients
vlog.debug("non-shared connection - closing clients");
server->closeClients("Non-shared connection requested", getSock());
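Review bot: The outcome of `clientInit` for a client without `AccessNonShared` now depends on the order of three consecutive assignments to `shared`, and nothing in the code says so. With `neverShared` set, such a client is forced to shared and then back to non-shared, and only the extra `(accessRights & AccessNonShared)` test keeps it from closing the other clients; what happens to it next is decided in the else branch outside this hunk. A short comment such as `// Clients without AccessNonShared may never evict others; neverShared still wins and is handled below` would keep a later reordering from reintroducing the problem. A `vlog.debug` line when a non-shared request is overridden for lack of rights would also help when auditing view-only sessions.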
--
1.8.4.5
++++++ U_tigervnc-Make-sure-attributes-propagate-through-security-wrap.patch ++++++
Subject: Make sure attributes propagate through security wrappers
Patch-Mainline: Upstream
Git-commit: 555815a4e3e14c67ac00130f7affa0138ff47d20
References: bnc#901752
Singed-off-by: Michal Srb
Both SSecurityVeNCrypt and SSecurityStack are wrappers around other
security objects, so they need to delegate the properties of those
sub-objects properly.
---
common/rfb/SSecurityStack.cxx | 17 +++++++++++++++++
common/rfb/SSecurityStack.h | 1 +
common/rfb/SSecurityVeNCrypt.cxx | 13 +++++++++++++
common/rfb/SSecurityVeNCrypt.h | 5 +++--
4 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/common/rfb/SSecurityStack.cxx b/common/rfb/SSecurityStack.cxx
index 9ddc9f2..478ce4f 100644
--- a/common/rfb/SSecurityStack.cxx
+++ b/common/rfb/SSecurityStack.cxx
@@ -65,3 +65,20 @@ const char* SSecurityStack::getUserName() const
return c;
}
+
+SConnection::AccessRights SSecurityStack::getAccessRights() const
+{
+ SConnection::AccessRights accessRights;
+
+ if (!state0 && !state1)
+ return SSecurity::getAccessRights();
+
+ accessRights = SConnection::AccessFull;
+
+ if (state0)
+ accessRights &= state0->getAccessRights();
+ if (state1)
+ accessRights &= state1->getAccessRights();
+
+ return accessRights;
+}
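Review bot: `SSecurityStack::getAccessRights()` falls back to `SSecurity::getAccessRights()`, i.e. `AccessDefault`, when neither `state0` nor `state1` exists, and `SSecurityVeNCrypt::getAccessRights()` in SSecurityVeNCrypt.cxx does the same while `ssecurity` is NULL. Intersecting the sub-objects' rights is the conservative choice, but the fallback grants the full default set in exactly the case where no security object has vouched for the client. The only caller shown in this series reads the value after authentication has finished, so the fallback is probably not reachable with a restricted client; a comment stating that assumption, e.g. `// No sub-security present: nothing restricts the client, use the default rights`, would make it explicit. For the VeNCrypt wrapper, where a NULL `ssecurity` presumably means negotiation is not complete, returning no rights may be the safer default; confirm against the callers.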
diff --git a/common/rfb/SSecurityStack.h b/common/rfb/SSecurityStack.h
index c80a3b9..dd743d2 100644
--- a/common/rfb/SSecurityStack.h
+++ b/common/rfb/SSecurityStack.h
@@ -31,6 +31,7 @@ namespace rfb {
virtual bool processMsg(SConnection* cc);
virtual int getType() const { return type; };
virtual const char* getUserName() const;
+ virtual SConnection::AccessRights getAccessRights() const;
protected:
short state;
SSecurity* state0;
diff --git a/common/rfb/SSecurityVeNCrypt.cxx b/common/rfb/SSecurityVeNCrypt.cxx
index 39647f6..7c13749 100644
--- a/common/rfb/SSecurityVeNCrypt.cxx
+++ b/common/rfb/SSecurityVeNCrypt.cxx
@@ -171,3 +171,16 @@ bool SSecurityVeNCrypt::processMsg(SConnection* sc)
return ssecurity->processMsg(sc);
}
+const char* SSecurityVeNCrypt::getUserName() const
+{
+ if (ssecurity == NULL)
+ return NULL;
+ return ssecurity->getUserName();
+}
+
+SConnection::AccessRights SSecurityVeNCrypt::getAccessRights() const
+{
+ if (ssecurity == NULL)
+ return SSecurity::getAccessRights();
+ return ssecurity->getAccessRights();
+}
diff --git a/common/rfb/SSecurityVeNCrypt.h b/common/rfb/SSecurityVeNCrypt.h
index 849a702..f9c753f 100644
--- a/common/rfb/SSecurityVeNCrypt.h
+++ b/common/rfb/SSecurityVeNCrypt.h
@@ -39,8 +39,9 @@ namespace rfb {
SSecurityVeNCrypt(SecurityServer *sec);
~SSecurityVeNCrypt();
virtual bool processMsg(SConnection* sc);// { return true; }
- virtual int getType() const { return secTypeVeNCrypt; }
- virtual const char* getUserName() const { return NULL; }
+ virtual int getType() const { return chosenType; }
+ virtual const char* getUserName() const;
+ virtual SConnection::AccessRights getAccessRights() const;
protected:
SSecurity *ssecurity;
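Review bot: `getType()` now returns `chosenType` instead of the constant `secTypeVeNCrypt`, a behaviour change the commit message does not mention. The value of `chosenType` before a sub-type has been negotiated is not visible in this hunk, so callers that read the type early or compare it with `secTypeVeNCrypt` may see something different than before. A comment on the declaration, e.g. `// Reports the negotiated VeNCrypt sub-type, not secTypeVeNCrypt itself`, would record the intent.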
--
1.8.4.5
++++++ U_tigervnc-Use-new-API-for-getVncAuthPasswd.patch ++++++
Subject: Use new API for getVncAuthPasswd()
Patch-Mainline: Upstream
Git-commit: e84db6535eb624f5b4c81eefa1703267acf16cc2
References: bnc#901752
Singed-off-by: Michal Srb
---
win/vncconfig/Authentication.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/win/vncconfig/Authentication.h b/win/vncconfig/Authentication.h
index 534646c..c2aba91 100644
--- a/win/vncconfig/Authentication.h
+++ b/win/vncconfig/Authentication.h
@@ -92,7 +92,8 @@ namespace rfb {
static bool haveVncPassword() {
- PlainPasswd password(SSecurityVncAuth::vncAuthPasswd.getVncAuthPasswd());
+ PlainPasswd password, passwordReadOnly;
+ SSecurityVncAuth::vncAuthPasswd.getVncAuthPasswd(&password, &passwordReadOnly);
return password.buf && strlen(password.buf) != 0;
}
--
1.8.4.5
++++++ U_tigervnc-VncAuth-Read-and-use-readonly-password.patch ++++++
Subject: VncAuth: Read and use readonly password.
Patch-Mainline: Upstream
Git-commit: 270a31cf172a5ea15061ae4bffdad5780e4014ad
References: bnc#901752
Singed-off-by: Michal Srb
Try to read a second password (for read-only access) from the rfbauth file. If the
client sent the second password instead of the first one, allow it read-only access.
---
common/rfb/SSecurityVncAuth.cxx | 64 ++++++++++++++++++++++++++---------------
common/rfb/SSecurityVncAuth.h | 8 ++++--
2 files changed, 47 insertions(+), 25 deletions(-)
diff --git a/common/rfb/SSecurityVncAuth.cxx b/common/rfb/SSecurityVncAuth.cxx
index ca81bf3..05488f6 100644
--- a/common/rfb/SSecurityVncAuth.cxx
+++ b/common/rfb/SSecurityVncAuth.cxx
@@ -49,10 +49,27 @@ VncAuthPasswdParameter SSecurityVncAuth::vncAuthPasswd
"access the server", &SSecurityVncAuth::vncAuthPasswdFile);
SSecurityVncAuth::SSecurityVncAuth(void)
- : sentChallenge(false), responsePos(0), pg(&vncAuthPasswd)
+ : sentChallenge(false), responsePos(0), pg(&vncAuthPasswd), accessRights(0)
{
}
+bool SSecurityVncAuth::verifyResponse(const PlainPasswd &password)
+{
+ rdr::U8 expectedResponse[vncAuthChallengeSize];
+
+ // Calculate the expected response
+ rdr::U8 key[8];
+ int pwdLen = strlen(password.buf);
+ for (int i=0; i<8; i++)
+ key[i] = igetInStream();
@@ -72,25 +89,23 @@ bool SSecurityVncAuth::processMsg(SConnection* sc)
if (responsePos < vncAuthChallengeSize) return false;
- PlainPasswd passwd(pg->getVncAuthPasswd());
+ PlainPasswd passwd, passwdReadOnly;
+ pg->getVncAuthPasswd(&passwd, &passwdReadOnly);
if (!passwd.buf)
throw AuthFailureException("No password configured for VNC Auth");
- // Calculate the expected response
- rdr::U8 key[8];
- int pwdLen = strlen(passwd.buf);
- for (int i=0; i<8; i++)
- key[i] = igetData());
if (!fname.buf[0]) {
vlog.info("neither %s nor %s params set", getName(), passwdFile->getName());
- return 0;
+ return;
}
FILE* fp = fopen(fname.buf, "r");
if (!fp) {
vlog.error("opening password file '%s' failed",fname.buf);
- return 0;
+ return;
}
vlog.debug("reading password file");
- obfuscated.buf = new char[128];
- obfuscated.length = fread(obfuscated.buf, 1, 128, fp);
+ obfuscated.buf = new char[8];
+ obfuscated.length = fread(obfuscated.buf, 1, 8, fp);
+ obfuscatedReadOnly.buf = new char[8];
+ obfuscatedReadOnly.length = fread(obfuscatedReadOnly.buf, 1, 8, fp);
fclose(fp);
} else {
vlog.info("%s parameter not set", getName());
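Review bot: Neither `fread` result in the password-file branch is compared with the 8 bytes requested, so a truncated file yields `obfuscated.length` or `obfuscatedReadOnly.length` between 0 and 7 and that partial buffer is passed on to the decoding step. A file that holds only the primary password is the normal case for the second read and should be told apart from a damaged one: treat 0 bytes as "no read-only password" and report anything from 1 to 7, e.g. `if (obfuscatedReadOnly.length != 0 && obfuscatedReadOnly.length != 8) vlog.error("read-only password in '%s' is truncated", fname.buf);`. Several lines of this hunk appear to have been cut by the page extraction, so the surrounding control flow is only partly visible.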
@@ -127,10 +144,11 @@ char* VncAuthPasswdParameter::getVncAuthPasswd() {
}
try {
- PlainPasswd password(obfuscated);
- return password.takeBuf();
+ PlainPasswd plainPassword(obfuscated);
+ password->replaceBuf(plainPassword.takeBuf());
+ PlainPasswd plainPasswordReadOnly(obfuscatedReadOnly);
+ readOnlyPassword->replaceBuf(plainPasswordReadOnly.takeBuf());
} catch (...) {
- return 0;
}
}
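Review bot: The `catch (...)` block is now empty, so a failure while decoding either password is swallowed without a trace. Because the primary password is stored through `password->replaceBuf(...)` before the read-only one is decoded, an exception from the second `PlainPasswd` constructor leaves the server running with the read-only password silently disabled. A log line in the handler, e.g. `vlog.error("decoding VNC password failed");`, would make a damaged password file visible to the operator. The function starts outside the hunk.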
diff --git a/common/rfb/SSecurityVncAuth.h b/common/rfb/SSecurityVncAuth.h
index 8a2d0f6..1aa3a27 100644
--- a/common/rfb/SSecurityVncAuth.h
+++ b/common/rfb/SSecurityVncAuth.h
@@ -25,6 +25,7 @@
#define __RFB_SSECURITYVNCAUTH_H__
#include
+#include
#include
#include
#include
@@ -35,13 +36,13 @@ namespace rfb {
public:
// getPasswd() returns a string or null if unsuccessful. The
// SSecurityVncAuth object delete[]s the string when done.
- virtual char* getVncAuthPasswd()=0;
+ virtual void getVncAuthPasswd(PlainPasswd *password, PlainPasswd *readOnlyPassword)=0;
};
class VncAuthPasswdParameter : public VncAuthPasswdGetter, BinaryParameter {
public:
VncAuthPasswdParameter(const char* name, const char* desc, StringParameter* passwdFile_);
- virtual char* getVncAuthPasswd();
+ virtual void getVncAuthPasswd(PlainPasswd *password, PlainPasswd *readOnlyPassword);
protected:
StringParameter* passwdFile;
};
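Review bot: The comment above `getVncAuthPasswd` still says that `getPasswd()` returns a string or null and that the caller `delete[]`s it, which no longer matches the new `void` signature with two out-parameters. Ownership now lies with the `PlainPasswd` objects passed in, and the comment should say how a missing password is reported; the caller in SSecurityVncAuth.cxx tests `!passwd.buf`. Suggested replacement: `// getVncAuthPasswd() fills in the full-access and read-only passwords; a buf left null means that password is not configured.`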
@@ -52,15 +53,18 @@ namespace rfb {
virtual bool processMsg(SConnection* sc);
virtual int getType() const {return secTypeVncAuth;}
virtual const char* getUserName() const {return 0;}
+ virtual SConnection::AccessRights getAccessRights() const { return accessRights; }
static StringParameter vncAuthPasswdFile;
static VncAuthPasswdParameter vncAuthPasswd;
private:
+ bool verifyResponse(const PlainPasswd &password);
enum {vncAuthChallengeSize = 16};
rdr::U8 challenge[vncAuthChallengeSize];
rdr::U8 response[vncAuthChallengeSize];
bool sentChallenge;
int responsePos;
VncAuthPasswdGetter* pg;
+ SConnection::AccessRights accessRights;
};
}
#endif
--
1.8.4.5
++++++ U_tigervnc-vncpasswd-Ask-for-read-only-password.patch ++++++
Subject: vncpasswd: Ask for read only password.
Patch-Mainline: Upstream
Git-commit: dbf6355cbb69e588a4162debadb5337dd8b14ac0
References: bnc#901752
Singed-off-by: Michal Srb
Ask for an optional second password that is used for read-only access. Save it
after the main password. This is the same format that tightvnc uses.
---
unix/vncpasswd/vncpasswd.cxx | 68 ++++++++++++++++++++++++++++----------------
1 file changed, 44 insertions(+), 24 deletions(-)
diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx
index 7ba0b22..16c925e 100644
--- a/unix/vncpasswd/vncpasswd.cxx
+++ b/unix/vncpasswd/vncpasswd.cxx
@@ -81,6 +81,36 @@ static int encrypt_pipe() {
else return 1;
}
+static ObfuscatedPasswd* readpassword() {
+ while (true) {
+ PlainPasswd passwd(getpassword("Password:"));
+ if (!passwd.buf) {
+ perror("getpassword error");
+ exit(1);
+ }
+ if (strlen(passwd.buf) < 6) {
+ if (strlen(passwd.buf) == 0) {
+ fprintf(stderr,"Password not changed\n");
+ exit(1);
+ }
+ fprintf(stderr,"Password must be at least 6 characters - try again\n");
+ continue;
+ }
+
+ PlainPasswd passwd2(getpassword("Verify:"));
+ if (!passwd2.buf) {
+ perror("getpass error");
+ exit(1);
+ }
+ if (strcmp(passwd.buf, passwd2.buf) != 0) {
+ fprintf(stderr,"Passwords don't match - try again\n");
+ continue;
+ }
+
+ return new ObfuscatedPasswd(passwd);
+ }
+}
+
int main(int argc, char** argv)
{
prog = argv[0];
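Review bot: `readpassword()` is reused for the view-only password but always prompts with `"Password:"` and treats an empty entry as `"Password not changed"` followed by `exit(1)`. A user who answers "y" to the view-only question and then presses Enter loses the main password just typed, because nothing has been written yet, and the prompt gives no hint which of the two passwords is being asked for. Passing the prompt in, e.g. `static ObfuscatedPasswd* readpassword(const char* prompt)`, and letting the caller decide what an empty view-only entry means would separate the two cases. The function also returns a raw `new` pointer that the caller never deletes; harmless here since the process exits, but worth a comment.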
@@ -113,28 +143,13 @@ int main(int argc, char** argv)
}
while (true) {
- PlainPasswd passwd(getpassword("Password:"));
- if (!passwd.buf) {
- perror("getpassword error");
- exit(1);
- }
- if (strlen(passwd.buf) < 6) {
- if (strlen(passwd.buf) == 0) {
- fprintf(stderr,"Password not changed\n");
- exit(1);
- }
- fprintf(stderr,"Password must be at least 6 characters - try again\n");
- continue;
- }
+ ObfuscatedPasswd* obfuscated = readpassword();
+ ObfuscatedPasswd* obfuscatedReadOnly = 0;
- PlainPasswd passwd2(getpassword("Verify:"));
- if (!passwd2.buf) {
- perror("getpass error");
- exit(1);
- }
- if (strcmp(passwd.buf, passwd2.buf) != 0) {
- fprintf(stderr,"Passwords don't match - try again\n");
- continue;
+ fprintf(stderr, "Would you like to enter a view-only password (y/n)? ");
+ char yesno[3];
+ if (fgets(yesno, 3, stdin) != NULL && (yesno[0] == 'y' || yesno[0] == 'Y')) {
+ obfuscatedReadOnly = readpassword();
}
FILE* fp = fopen(fname,"w");
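Review bot: Nothing prevents the view-only password from being identical to the main password. Which of the two access levels a client then receives depends on the order in which the server compares the responses, which is not visible here, so the stored file can be ambiguous about who gets input rights. Rejecting equal values before the file is opened removes the ambiguity, e.g. `if (obfuscatedReadOnly && memcmp(obfuscated->buf, obfuscatedReadOnly->buf, obfuscated->length) == 0) { fprintf(stderr,"Passwords must differ - try again\n"); continue; }`, assuming both buffers have the same obfuscated length. `main` starts and ends outside the hunk.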
@@ -144,13 +159,18 @@ int main(int argc, char** argv)
}
chmod(fname, S_IRUSR|S_IWUSR);
- ObfuscatedPasswd obfuscated(passwd);
-
- if (fwrite(obfuscated.buf, obfuscated.length, 1, fp) != 1) {
+ if (fwrite(obfuscated->buf, obfuscated->length, 1, fp) != 1) {
fprintf(stderr,"Writing to %s failed\n",fname);
exit(1);
}
+ if (obfuscatedReadOnly) {
+ if (fwrite(obfuscatedReadOnly->buf, obfuscatedReadOnly->length, 1, fp) != 1) {
+ fprintf(stderr,"Writing to %s failed\n",fname);
+ exit(1);
+ }
+ }
+
fclose(fp);
return 0;
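Review bot: The file that now holds two secrets is still created with `fopen(fname,"w")` and only restricted afterwards by `chmod(fname, S_IRUSR|S_IWUSR)`, so a newly created file exists for a moment with whatever mode the process umask allows. Calling `umask(077);` before the `fopen` (and keeping the `chmod` for files that already exist) removes that window. The return values of `chmod` and `fclose` are also ignored; a buffered write error may only surface at `fclose`, so checking it avoids reporting success for an incomplete password file. `main` continues outside the hunk.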
--
1.8.4.5
++++++ U_unchecked_malloc_may_allow_unauthed_client_to_crash_Xserver.patch ++++++
Subject: unchecked malloc may allow unauthed client to crash Xserver
References: bnc#907268, CVE-2014-8091
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
authdes_ezdecode() calls malloc() using a length provided by the
connection handshake sent by a newly connected client in order
to authenticate to the server, so should be treated as untrusted.
It didn't check if malloc() failed before writing to the newly
allocated buffer, so could lead to a server crash if the server
fails to allocate memory (up to UINT16_MAX bytes, since the len
field is a CARD16 in the X protocol).
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
os/rpcauth.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/os/rpcauth.c b/os/rpcauth.c
index d60ea35..413cc61 100644
--- a/os/rpcauth.c
+++ b/os/rpcauth.c
@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len)
SVCXPRT xprt;
temp_inmsg = malloc(len);
+ if (temp_inmsg == NULL) {
+ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
+ return NULL;
+ }
memmove(temp_inmsg, inmsg, len);
memset((char *) &msg, 0, sizeof(msg));
--
1.7.9.2
++++++ U_xcmisc_unvalidated_length_in_SProcXCMiscGetXIDList.patch ++++++
Subject: xcmisc: unvalidated length in SProcXCMiscGetXIDList()
References: bnc#907268, CVE-2014-8096
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
Xext/xcmisc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/Xext/xcmisc.c b/Xext/xcmisc.c
index 034bfb6..1e91010 100644
--- a/Xext/xcmisc.c
+++ b/Xext/xcmisc.c
@@ -167,6 +167,7 @@ static int
SProcXCMiscGetXIDList(ClientPtr client)
{
REQUEST(xXCMiscGetXIDListReq);
+ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
swaps(&stuff->length);
swapl(&stuff->count);
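Review bot: The added `REQUEST_SIZE_MATCH` has to stay ahead of the `swaps`/`swapl` calls, because those write into the request buffer at offsets taken from the request struct, and nothing in the code records that ordering requirement. A one-line comment such as `/* validate the request length before byte-swapping any field */` would protect it from a later reshuffle. The same applies to the identical one-line fix in xfixes/select.c further down.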
--
1.7.9.2
++++++ U_xfixes_unvalidated_length_in_SProcXFixesSelectSelectionInput.patch ++++++
Subject: xfixes: unvalidated length in SProcXFixesSelectSelectionInput
References: bnc#907268, CVE-2014-8102
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
xfixes/select.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/xfixes/select.c b/xfixes/select.c
index c088ed3..e964d58 100644
--- a/xfixes/select.c
+++ b/xfixes/select.c
@@ -201,6 +201,7 @@ SProcXFixesSelectSelectionInput(ClientPtr client)
{
REQUEST(xXFixesSelectSelectionInputReq);
+ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
swaps(&stuff->length);
swapl(&stuff->window);
swapl(&stuff->selection);
--
1.7.9.2
++++++ U_xkb-check-strings-length-against-request-size.patch ++++++
Git-commit: cc830bd3a5b44796f1e8721f336dca4f565a8130
Author: Olivier Fourdan
Subject: xkb: Check strings length against request size
References: bnc#915810, CVE-2015-0255
Signed-off-by: Michal Srb
Ensure that the given strings length in an XkbSetGeometry request remain
within the limits of the size of the request.
Signed-off-by: Olivier Fourdan
---
xkb/xkb.c | 65 +++++++++++++++++++++++++++++++++++++++------------------------
1 file changed, 40 insertions(+), 25 deletions(-)
Index: xorg-server-1.15.2/xkb/xkb.c
===================================================================
--- xorg-server-1.15.2.orig/xkb/xkb.c
+++ xorg-server-1.15.2/xkb/xkb.c
@@ -4957,26 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client)
/***====================================================================***/
-static char *
-_GetCountedString(char **wire_inout, Bool swap)
+static Status
+_GetCountedString(char **wire_inout, ClientPtr client, char **str)
{
- char *wire, *str;
- CARD16 len, *plen;
+ char *wire, *next;
+ CARD16 len;
wire = *wire_inout;
- plen = (CARD16 *) wire;
- if (swap) {
- swaps(plen);
- }
- len = *plen;
- str = malloc(len + 1);
- if (str) {
- memcpy(str, &wire[2], len);
- str[len] = '\0';
+ len = *(CARD16 *) wire;
+ if (client->swapped) {
+ swaps(&len);
}
- wire += XkbPaddedSize(len + 2);
- *wire_inout = wire;
- return str;
+ next = wire + XkbPaddedSize(len + 2);
+ /* Check we're still within the size of the request */
+ if (client->req_len <
+ bytes_to_int32(next - (char *) client->requestBuffer))
+ return BadValue;
+ *str = malloc(len + 1);
+ if (!*str)
+ return BadAlloc;
+ memcpy(*str, &wire[2], len);
+ *(*str + len) = '\0';
+ *wire_inout = next;
+ return Success;
}
static Status
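Review bot: `_GetCountedString` reads the 16-bit length with `len = *(CARD16 *) wire;` before anything has checked that those two bytes lie inside the request, so the new bounds test only protects the string body. When `wire` already sits at or past the end of the request, the length field itself is read out of bounds and then used to compute `next`. A guard ahead of the read closes this: `if (client->req_len < bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) return BadValue;`.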
@@ -4986,6 +4989,7 @@ _CheckSetDoodad(char **wire_inout,
char *wire;
xkbDoodadWireDesc *dWire;
XkbDoodadPtr doodad;
+ Status status;
dWire = (xkbDoodadWireDesc *) (*wire_inout);
wire = (char *) &dWire[1];
@@ -5033,8 +5037,14 @@ _CheckSetDoodad(char **wire_inout,
doodad->text.width = dWire->text.width;
doodad->text.height = dWire->text.height;
doodad->text.color_ndx = dWire->text.colorNdx;
- doodad->text.text = _GetCountedString(&wire, client->swapped);
- doodad->text.font = _GetCountedString(&wire, client->swapped);
+ status = _GetCountedString(&wire, client, &doodad->text.text);
+ if (status != Success)
+ return status;
+ status = _GetCountedString(&wire, client, &doodad->text.font);
+ if (status != Success) {
+ free (doodad->text.text);
+ return status;
+ }
break;
case XkbIndicatorDoodad:
if (dWire->indicator.onColorNdx >= geom->num_colors) {
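Review bot: When the second `_GetCountedString` call fails, `doodad->text.text` is freed but the stale pointer stays in the doodad. If the caller tears down the geometry after an error (not visible in this hunk), that pointer would be freed a second time. Clearing it is cheap: `free(doodad->text.text); doodad->text.text = NULL;`. The function starts and ends outside the hunk.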
@@ -5069,7 +5079,9 @@ _CheckSetDoodad(char **wire_inout,
}
doodad->logo.color_ndx = dWire->logo.colorNdx;
doodad->logo.shape_ndx = dWire->logo.shapeNdx;
- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
+ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
+ if (status != Success)
+ return status;
break;
default:
client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
@@ -5301,18 +5313,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
char *wire;
wire = (char *) &req[1];
- geom->label_font = _GetCountedString(&wire, client->swapped);
+ status = _GetCountedString(&wire, client, &geom->label_font);
+ if (status != Success)
+ return status;
for (i = 0; i < req->nProperties; i++) {
char *name, *val;
- name = _GetCountedString(&wire, client->swapped);
- if (!name)
- return BadAlloc;
- val = _GetCountedString(&wire, client->swapped);
- if (!val) {
+ status = _GetCountedString(&wire, client, &name);
+ if (status != Success)
+ return status;
+ status = _GetCountedString(&wire, client, &val);
+ if (status != Success) {
free(name);
- return BadAlloc;
+ return status;
}
if (XkbAddGeomProperty(geom, name, val) == NULL) {
free(name);
@@ -5346,9 +5360,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
for (i = 0; i < req->nColors; i++) {
char *name;
- name = _GetCountedString(&wire, client->swapped);
- if (!name)
- return BadAlloc;
+ status = _GetCountedString(&wire, client, &name);
+ if (status != Success)
+ return status;
if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
free(name);
return BadAlloc;
++++++ index.vnc ++++++
<!--
index.vnc - default HTML page for TigerVNC Java viewer applet, to be
used with Xvnc. On any file ending in .vnc, the HTTP server embedded in
Xvnc will substitute the following variables when preceded by a dollar:
USER, DESKTOP, DISPLAY, APPLETWIDTH, APPLETHEIGHT, WIDTH, HEIGHT, PORT.
Use two dollar signs ($$) to get a dollar sign in the generated
HTML page.

NOTE(review): USER, DESKTOP and DISPLAY are placed into the TITLE element
below exactly as substituted. Whether the embedded HTTP server HTML-escapes
these values is not visible in this file; confirm that before allowing
desktop names that may contain markup characters.
NOTE(review): the applet archive and the project link are referenced
without an explicit https scheme; the page is only as trustworthy as the
transport that serves it.
-->
<HTML>
<TITLE>
$USER's $DESKTOP desktop ($DISPLAY)
</TITLE>
<APPLET CODE="com.tigervnc.vncviewer.VncViewer" ARCHIVE="VncViewer.jar" WIDTH="$APPLETWIDTH" HEIGHT="$APPLETHEIGHT">
<PARAM NAME="Port" VALUE="$PORT">
<PARAM NAME="Embed" VALUE="true">
<PARAM NAME="AlwaysShowServerDialog" VALUE="false">
</APPLET>
<BR>
<A href="http://www.tigervnc.org/">TigerVNC site</A>
</HTML>
++++++ n_tigervnc-date-time.patch ++++++
Index: tigervnc-1.4.1/unix/xserver/hw/vnc/buildtime.c
===================================================================
--- tigervnc-1.4.1.orig/unix/xserver/hw/vnc/buildtime.c
+++ tigervnc-1.4.1/unix/xserver/hw/vnc/buildtime.c
@@ -15,4 +15,4 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
* USA.
*/
-char buildtime[] = __DATE__ " " __TIME__;
+char buildtime[] = "??? ?? ???? ??:??:??";
Index: tigervnc-1.4.1/unix/vncconfig/buildtime.c
===================================================================
--- tigervnc-1.4.1.orig/unix/vncconfig/buildtime.c
+++ tigervnc-1.4.1/unix/vncconfig/buildtime.c
@@ -15,4 +15,4 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
* USA.
*/
-char buildtime[] = __DATE__ " " __TIME__;
+char buildtime[] = "??? ?? ???? ??:??:??";
Index: tigervnc-1.4.1/unix/x0vncserver/buildtime.c
===================================================================
--- tigervnc-1.4.1.orig/unix/x0vncserver/buildtime.c
+++ tigervnc-1.4.1/unix/x0vncserver/buildtime.c
@@ -15,4 +15,4 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
* USA.
*/
-char buildtime[] = __DATE__ " " __TIME__;
+char buildtime[] = "??? ?? ???? ??:??:??";
Index: tigervnc-1.4.1/win/winvnc/buildTime.cxx
===================================================================
--- tigervnc-1.4.1.orig/win/winvnc/buildTime.cxx
+++ tigervnc-1.4.1/win/winvnc/buildTime.cxx
@@ -15,4 +15,4 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
* USA.
*/
-const char* buildTime = "Built on " __DATE__ " at " __TIME__;
+const char* buildTime = "Built on ??? ?? ???? at ??:??:??";
Index: tigervnc-1.4.1/CMakeLists.txt
===================================================================
--- tigervnc-1.4.1.orig/CMakeLists.txt
+++ tigervnc-1.4.1/CMakeLists.txt
@@ -39,8 +39,7 @@ if(MSVC)
message(FATAL_ERROR "TigerVNC cannot be built with Visual Studio. Please use MinGW")
endif()
-set(BUILD_TIMESTAMP "")
-execute_process(COMMAND "date" "+%Y-%m-%d %H:%M" OUTPUT_VARIABLE BUILD_TIMESTAMP)
+set(BUILD_TIMESTAMP "??-??-?? ??:??")
if(NOT BUILD_TIMESTAMP)
set(BUILD_TIMESTAMP "")
++++++ n_tigervnc-dont-build-gtf.patch ++++++
diff -ur xorg-server-1.13.0.orig/configure.ac xorg-server-1.13.0/configure.ac
--- xorg-server-1.13.0.orig/configure.ac 2012-09-06 00:45:08.000000000 +0300
+++ xorg-server-1.13.0/configure.ac 2013-12-16 13:50:39.880775219 +0200
@@ -2268,7 +2268,6 @@
hw/xfree86/utils/Makefile
hw/xfree86/utils/man/Makefile
hw/xfree86/utils/cvt/Makefile
-hw/xfree86/utils/gtf/Makefile
hw/dmx/config/Makefile
hw/dmx/config/man/Makefile
hw/dmx/doc/Makefile
diff -ur xorg-server-1.13.0.orig/hw/xfree86/modes/Makefile.am xorg-server-1.13.0/hw/xfree86/modes/Makefile.am
--- xorg-server-1.13.0.orig/hw/xfree86/modes/Makefile.am 2012-09-06 00:45:08.000000000 +0300
+++ xorg-server-1.13.0/hw/xfree86/modes/Makefile.am 2013-12-16 13:46:37.130679730 +0200
@@ -9,7 +9,6 @@
xf86Crtc.h \
xf86Cursors.c \
xf86cvt.c \
- xf86gtf.c \
xf86DisplayIDModes.c \
xf86EdidModes.c \
xf86Modes.c \
Only in xorg-server-1.13.0.orig/hw/xfree86/modes: xf86gtf.c
Only in xorg-server-1.13.0.orig/hw/xfree86/utils: gtf
diff -ur xorg-server-1.13.0.orig/hw/xfree86/utils/Makefile.am xorg-server-1.13.0/hw/xfree86/utils/Makefile.am
--- xorg-server-1.13.0.orig/hw/xfree86/utils/Makefile.am 2012-09-06 00:45:08.000000000 +0300
+++ xorg-server-1.13.0/hw/xfree86/utils/Makefile.am 2013-12-16 13:46:24.175393782 +0200
@@ -1,4 +1,3 @@
SUBDIRS = \
- gtf \
cvt \
man
++++++ n_tigervnc_Revert_Attempt_to_handle_Ctrl-key.patch ++++++
From 5e6450db2c0ecdf458b09a53e9fbcce7f4ab408f Mon Sep 17 00:00:00 2001
From: Michal Srb
Date: Mon, 2 Feb 2015 09:12:12 +0200
Subject: [PATCH] Revert "Attempt to handle Ctrl+key"
This reverts commit 13a809a6baca9572ab4a9cb992121fbc4e4ffba6.
---
vncviewer/Viewport.cxx | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)
Index: tigervnc-1.4.1/vncviewer/Viewport.cxx
===================================================================
--- tigervnc-1.4.1.orig/vncviewer/Viewport.cxx
+++ tigervnc-1.4.1/vncviewer/Viewport.cxx
@@ -31,7 +31,6 @@
// FLTK can pull in the X11 headers on some systems
#ifndef XK_VoidSymbol
-#define XK_LATIN1
#define XK_MISCELLANY
#define XK_XKB_KEYS
#include
@@ -1010,25 +1009,10 @@ rdr::U32 Viewport::translateKeyEvent(voi
}
// Unknown special key?
- if (keyTextLen == 0) {
+ if (keyText[0] == '\0') {
return keyCode;
}
- // Control character?
- if ((keyTextLen == 1) && ((keyText[0] < 0x20) | (keyText[0] == 0x7f))) {
- if (keyText[0] == 0x00)
- return XK_2;
- else if (keyText[0] < 0x1b) {
- if (!!Fl::event_state(FL_SHIFT) != !!Fl::event_state(FL_CAPS_LOCK))
- return keyText[0] + XK_A - 0x01;
- else
- return keyText[0] + XK_a - 0x01;
- } else if (keyText[0] < 0x20)
- return keyText[0] + XK_3 - 0x1b;
- else
- return XK_8;
- }
-
// Look up the symbol the key produces and translate that from Unicode
// to a X11 keysym.
if (fl_utf_nb_char((const unsigned char*)keyText, strlen(keyText)) != 1) {
++++++ tigervnc-clean-pressed-key-on-exit.patch ++++++
Index: tigervnc-1.4.1/vncviewer/DesktopWindow.cxx
===================================================================
--- tigervnc-1.4.1.orig/vncviewer/DesktopWindow.cxx
+++ tigervnc-1.4.1/vncviewer/DesktopWindow.cxx
@@ -188,6 +188,8 @@ DesktopWindow::~DesktopWindow()
OptionsDialog::removeCallback(handleOptions);
+ delete viewport;
+
// FLTK automatically deletes all child widgets, so we shouldn't touch
// them ourselves here
}
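Review bot: The added `delete viewport;` sits directly above a comment saying that FLTK deletes all child widgets and that the destructor should not touch them, so the two now contradict each other. If the explicit delete is there so that ~Viewport() can send its key releases before the rest of the window is torn down (an assumption, as the ordering is not visible here), say so next to it, for example `// Delete the viewport first so it can release pressed keys; FLTK handles the remaining children`. It is also worth confirming that FLTK detaches a widget from its parent on destruction, so the window does not delete it a second time.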
Index: tigervnc-1.4.1/vncviewer/Viewport.cxx
===================================================================
--- tigervnc-1.4.1.orig/vncviewer/Viewport.cxx
+++ tigervnc-1.4.1/vncviewer/Viewport.cxx
@@ -144,6 +144,11 @@ Viewport::Viewport(int w, int h, const r
Viewport::~Viewport()
{
+ // Send release for every pressed key
+ for(DownMap::iterator iter = downKeySym.begin(); iter != downKeySym.end(); ++iter) {
+ cc->writer()->keyEvent(iter->second, false);
+ }
+
// Unregister all timeouts in case they get a change tro trigger
// again later when this object is already gone.
Fl::remove_timeout(handlePointerTimeout, this);
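Review bot: The key-release loop added to ~Viewport() calls `cc->writer()->keyEvent()` with nothing to catch a failure, and an exception that leaves a destructor ends the process in std::terminate(). Writes on this connection can throw (FdOutStream raises SystemException on a failed write). This destructor is presumably also reached from the new `delete cc` calls in vncviewer.cxx, where the socket or `cc` itself may already be partly torn down. Wrapping the loop in a try/catch keeps shutdown orderly. The destructor body continues past the end of this hunk.

```cpp
Viewport::~Viewport()
{
  // Send release for every pressed key. A write failure must not escape
  // the destructor, so it is swallowed here.
  try {
    for (DownMap::iterator iter = downKeySym.begin(); iter != downKeySym.end(); ++iter)
      cc->writer()->keyEvent(iter->second, false);
  } catch (rdr::Exception&) {
    // Connection is already down: nothing left to release.
  }
  // … unchanged: timeout unregistration …
```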
Index: tigervnc-1.4.1/vncviewer/vncviewer.cxx
===================================================================
--- tigervnc-1.4.1.orig/vncviewer/vncviewer.cxx
+++ tigervnc-1.4.1/vncviewer/vncviewer.cxx
@@ -88,6 +88,8 @@ char vncServerName[VNCSERVERNAMELEN] = {
static bool exitMainloop = false;
static const char *exitError = NULL;
+static CConn *cc;
+
void exit_vncviewer(const char *error)
{
// Prioritise the first error we get as that is probably the most
@@ -114,6 +116,16 @@ static void CleanupSignalHandler(int sig
// CleanupSignalHandler allows C++ object cleanup to happen because it calls
// exit() rather than the default which is to abort.
vlog.info(_("CleanupSignalHandler called"));
+ delete cc;
+ exit(1);
+}
+
+static int CleanupXIOErrorHandler(Display *dpy)
+{
+ // CleanupSignalHandler allows C++ object cleanup to happen because it calls
+ // exit() rather than the default which is to abort.
+ vlog.info("XErrorHandler called");
+ delete cc;
exit(1);
}
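Review bot: Both handlers now run `delete cc`, which means full C++ destructors and presumably the key-release writes added to ~Viewport(), from a signal handler and from the Xlib I/O error callback. Neither is a safe place for heap work, logging or socket I/O, and the signal can arrive while the main loop is still using `cc`. A safer shape for CleanupSignalHandler is to request shutdown only, `exitMainloop = true;`, and let main() delete `cc` once the `while (!exitMainloop)` loop ends. The comment inside CleanupXIOErrorHandler is a copy of the one above and still names CleanupSignalHandler; `// Xlib requires this handler not to return, so clean up and exit` would describe it. CleanupSignalHandler starts before this hunk.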
@@ -392,11 +404,19 @@ int main(int argc, char** argv)
init_fltk();
+ fl_open_display();
+
+ XSetIOErrorHandler(CleanupXIOErrorHandler);
+
#if !defined(WIN32) && !defined(__APPLE__)
fl_open_display();
XkbSetDetectableAutoRepeat(fl_display, True, NULL);
#endif
+ fl_open_display();
+
+ XSetIOErrorHandler(CleanupXIOErrorHandler);
+
Configuration::enableViewerParams();
/* Load the default parameter settings */
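Review bot: `fl_open_display();` and `XSetIOErrorHandler(CleanupXIOErrorHandler);` are added twice, once before and once after the existing `#if !defined(WIN32) && !defined(__APPLE__)` block, and both copies sit outside that guard. XSetIOErrorHandler is an Xlib call, so the unguarded copies would not build where the guard excludes X11, and the second registration is redundant. A single `XSetIOErrorHandler(CleanupXIOErrorHandler);` placed inside the guarded block, right after its existing `fl_open_display();`, is enough. main() starts before and continues after this hunk.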
@@ -497,7 +517,7 @@ int main(int argc, char** argv)
#endif
}
- CConn *cc = new CConn(vncServerName, sock);
+ cc = new CConn(vncServerName, sock);
while (!exitMainloop) {
int next_timer;
++++++ tigervnc-newfbsize.patch ++++++
Index: tigervnc-1.4.1/vncviewer/CConn.cxx
===================================================================
--- tigervnc-1.4.1.orig/vncviewer/CConn.cxx
+++ tigervnc-1.4.1/vncviewer/CConn.cxx
@@ -424,6 +424,8 @@ void CConn::dataRect(const Rect& r, int
if (encoding != encodingCopyRect)
lastServerEncoding = encoding;
+ if (encoding == pseudoEncodingDesktopSize)
+ setDesktopSize( r.width(), r.height() );
if (!Decoder::supported(encoding)) {
vlog.error(_("Unknown rect encoding %d"), encoding);
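Review bot: The new branch calls `setDesktopSize(r.width(), r.height())` and then falls through to the `Decoder::supported(encoding)` test, which presumably rejects a pseudo-encoding and logs "Unknown rect encoding". If that path raises, the resize is applied and the connection is dropped right after. Unless something later in dataRect() is still needed, return once the pseudo-encoding is handled: `if (encoding == pseudoEncodingDesktopSize) { setDesktopSize(r.width(), r.height()); return; }`. The width and height come straight from the server, so also confirm that setDesktopSize() bounds them before any framebuffer is allocated. dataRect() starts before and continues after this hunk.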
++++++ tigervnc-sf3495623.patch ++++++
diff -ur tigervnc-1.3.0.orig/common/network/TcpSocket.cxx tigervnc-1.3.0/common/network/TcpSocket.cxx
--- tigervnc-1.3.0.orig/common/network/TcpSocket.cxx 2014-02-07 16:35:24.644388330 +0200
+++ tigervnc-1.3.0/common/network/TcpSocket.cxx 2014-02-07 16:39:50.608078320 +0200
@@ -31,6 +31,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -450,7 +451,10 @@
}
void TcpListener::getMyAddresses(std::list* result) {
- const hostent* addrs = gethostbyname(0);
+ char hostname[HOST_NAME_MAX];
+ if (gethostname(hostname, HOST_NAME_MAX) < 0)
+ throw rdr::SystemException("gethostname", errorNumber);
+ const hostent* addrs = gethostbyname(hostname);
if (addrs == 0)
throw rdr::SystemException("gethostbyname", errorNumber);
if (addrs->h_addrtype != AF_INET)
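Review bot: `char hostname[HOST_NAME_MAX];` leaves no room for the terminating NUL, and gethostname() is not required to NUL-terminate the buffer when the name is truncated, so `gethostbyname(hostname)` can read past the end of the array. Size the buffer with one spare byte and terminate it explicitly: `char hostname[HOST_NAME_MAX + 1];`, then `hostname[HOST_NAME_MAX] = '\0';` after the gethostname() call. getMyAddresses() continues after this hunk.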
++++++ u_render-Cast-color-masks-to-unsigned-long-before-shifting-them.patch ++++++
From: Egbert Eich
Date: Fri May 30 19:08:00 2014 -0400
Subject: [PATCH]render: Cast color masks to unsigned long before shifting them
Patch-mainline: to be upstreamed
Git-commit: 6ec9a78f9b79668239c3a1519d715cbecf186cef
Git-repo:
References: bnc#876757
Signed-off-by: Egbert Eich
The color masks in DirectFormatRec are CARD16. Shifting them may lead
to unexpected results. Cast them to unsigned long to make sure the
shifted value will still fit into that type.
Signed-off-by: Egbert Eich
---
render/picture.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/render/picture.c b/render/picture.c
index 2908b76..74369de 100644
--- a/render/picture.c
+++ b/render/picture.c
@@ -548,12 +548,12 @@ PictureMatchVisual(ScreenPtr pScreen, int depth, VisualPtr pVisual)
return format;
}
else {
- if (format->direct.redMask << format->direct.red ==
- pVisual->redMask &&
- format->direct.greenMask << format->direct.green ==
- pVisual->greenMask &&
- format->direct.blueMask << format->direct.blue ==
- pVisual->blueMask) {
+ if (((unsigned long)format->direct.redMask) <<
+ format->direct.red == pVisual->redMask &&
+ ((unsigned long)format->direct.greenMask) <<
+ format->direct.green == pVisual->greenMask &&
+ ((unsigned long)format->direct.blueMask) <<
+ format->direct.blue == pVisual->blueMask) {
return format;
}
}
++++++ u_terminate_instead_of_ignoring_restart.patch ++++++
Author: Michal Srb
Subject: Terminate instead of ignoring reset
Patch-Mainline: To be upstreamed
References: bnc#920969
Index: tigervnc-1.3.0/unix/xserver/hw/vnc/xvnc.cc
===================================================================
--- tigervnc-1.3.0.orig/unix/xserver/hw/vnc/xvnc.cc
+++ tigervnc-1.3.0/unix/xserver/hw/vnc/xvnc.cc
@@ -1607,7 +1607,12 @@ vfbScreenInit(ScreenPtr pScreen, int arg
static void vfbClientStateChange(CallbackListPtr*, void *, void *) {
- dispatchException &= ~DE_RESET;
+ if (dispatchException & DE_RESET) {
+ ErrorF("Warning: VNC extension does not support -reset, terminating instead. Use -noreset to prevent termination.\n");
+
+ dispatchException |= DE_TERMINATE;
+ dispatchException &= ~DE_RESET;
+ }
}
#if XORG >= 113
++++++ u_tigervnc-dont-send-ascii-control-characters.patch ++++++
Author: Michal Srb
Subject: Do not send ascii control characters for CTRL+[A-Z] combinations.
Patch-Mainline: To be upstreamed
References: bnc#864666
Index: vncviewer/Viewport.cxx
===================================================================
--- vncviewer/Viewport.cxx.orig
+++ vncviewer/Viewport.cxx
@@ -1044,7 +1044,13 @@ rdr::U32 Viewport::translateKeyEvent(voi
return NoSymbol;
}
- ucs = fl_utf8decode(keyText, NULL, NULL);
+ if (keyCode >= 'a' && keyCode <= 'z' && keyText[0] < 0x20) {
+ // Do not send ascii control characters - send the original key combination that caused them.
+ ucs = keyCode;
+ } else {
+ ucs = fl_utf8decode(keyText, NULL, NULL);
+ }
+
return ucs2keysym(ucs);
}
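Review bot: The test `keyText[0] < 0x20` is made on a plain `char` (the code above casts `keyText` to `const unsigned char*`, so it is not unsigned already). Where `char` is signed, every byte from 0x80 upward compares as negative and also passes. A key whose code is in 'a'..'z' but whose text is a multi-byte UTF-8 character would then be sent as the plain ASCII letter instead of the character typed. Compare the byte as unsigned: `if (keyCode >= 'a' && keyCode <= 'z' && (unsigned char)keyText[0] < 0x20) {`. translateKeyEvent() starts before this hunk.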
++++++ u_tigervnc-ignore-epipe-on-write.patch ++++++
Author: Michal Srb
Subject: Ignore EPIPE on write.
Patch-Mainline: To be upstreamed
References: bnc#864676
If the VNC server closes the connection after our last read and before this write, we report an error message about EPIPE.
This situation is not an error, however; we should quit normally, the same as when we find out during a read that the connection was closed.
Index: common/rdr/FdOutStream.cxx
===================================================================
--- common/rdr/FdOutStream.cxx (revision 5178)
+++ common/rdr/FdOutStream.cxx (working copy)
@@ -225,7 +225,12 @@
// network connections. Should in fact never ever happen...
} while (n < 0 && (errno == EWOULDBLOCK));
- if (n < 0) throw SystemException("write",errno);
+ if (n < 0) {
+ if(errno == EPIPE)
+ n = length; // Ignore EPIPE and fake successfull write, it doesn't matter that we are writing to closed socket, we will find out once we try to read from it.
+ else
+ throw SystemException("write", errno);
+ }
gettimeofday(&lastWrite, NULL);
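Review bot: Faking `n = length` on EPIPE hides the closed connection from every caller, not only the one this fix targets. Each later write on the dead socket is also reported as complete, so code that only writes never sees the failure, and the close is noticed only if a read follows. If that is the intent, state it in a short comment above the branch rather than in the long trailing one, e.g. `// Peer closed the connection: discard the data, the next read reports the close`. EPIPE is returned only when SIGPIPE is ignored or blocked, which is not visible here and is worth confirming. The enclosing function starts before and continues after this hunk.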
++++++ u_tigervnc-prioritize-anon-ecdh.patch ++++++
Index: tigervnc-1.4.1/common/rfb/CSecurityTLS.cxx
===================================================================
--- tigervnc-1.4.1.orig/common/rfb/CSecurityTLS.cxx
+++ tigervnc-1.4.1/common/rfb/CSecurityTLS.cxx
@@ -202,7 +202,7 @@ bool CSecurityTLS::processMsg(CConnectio
void CSecurityTLS::setParam()
{
- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
+ static const int kx_anon_priority[] = { GNUTLS_KX_ANON_ECDH, GNUTLS_KX_ANON_DH, 0 };
static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
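Review bot: Nothing near `kx_anon_priority` records that both entries are anonymous key exchanges, which encrypt the session but do not authenticate the server, so a party on the network path can still interpose. Reordering the list does not change that. A comment above the array would keep readers from treating these modes as authenticated, e.g. `// Anonymous key exchange: encryption only, no server authentication; ECDH first for Java viewer compatibility`. The same array is duplicated in SSecurityTLS::setParams() in the next hunk; the two lists presumably need to stay in step for the handshake to agree, so note that in both places or define the list once. Both functions continue after their hunks.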
Index: tigervnc-1.4.1/common/rfb/SSecurityTLS.cxx
===================================================================
--- tigervnc-1.4.1.orig/common/rfb/SSecurityTLS.cxx
+++ tigervnc-1.4.1/common/rfb/SSecurityTLS.cxx
@@ -166,7 +166,7 @@ bool SSecurityTLS::processMsg(SConnectio
void SSecurityTLS::setParams(gnutls_session session)
{
- static const int kx_anon_priority[] = { GNUTLS_KX_ANON_DH, 0 };
+ static const int kx_anon_priority[] = { GNUTLS_KX_ANON_ECDH, GNUTLS_KX_ANON_DH, 0 };
static const int kx_priority[] = { GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 };
++++++ u_tigervnc-send-special-keys-directly.patch ++++++
Author: Michal Srb
Subject: Send special keys directly to server.
Patch-Mainline: To be upstreamed
References: bnc#906922
Any key that doesn't have textual interpretation should be forwarded to server.
Index: tigervnc-1.4.1/vncviewer/Viewport.cxx
===================================================================
--- tigervnc-1.4.1.orig/vncviewer/Viewport.cxx
+++ tigervnc-1.4.1/vncviewer/Viewport.cxx
@@ -1007,18 +1007,11 @@ rdr::U32 Viewport::translateKeyEvent(voi
case FL_Favorites:
return XF86XK_Favorites;
#endif
- case XK_ISO_Level3_Shift:
- // FLTK tends to let this one leak through on X11...
- return XK_ISO_Level3_Shift;
- case XK_Multi_key:
- // Same for this...
- return XK_Multi_key;
}
// Unknown special key?
if (keyTextLen == 0) {
- vlog.error(_("Unknown FLTK key code %d (0x%04x)"), keyCode, keyCode);
- return NoSymbol;
+ return keyCode;
}
// Control character?
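Review bot: With `return keyCode;` every FLTK key code that has no text and no case above is forwarded to the server as if it were an X11 keysym, and the `vlog.error` that used to report such keys is gone. The removed comments suggest FLTK passes X11 keysyms through on X11, but whether its key codes are valid keysyms on other platforms is not visible here, so an unmapped key could arrive at the server as an unrelated symbol. Keep a trace of what is forwarded, for example `vlog.debug("Forwarding unmapped FLTK key code 0x%04x", keyCode);`, and say in the comment that the value is assumed to be a keysym. translateKeyEvent() starts before and continues after this hunk.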
++++++ u_tigervnc-use_preferred_mode.patch ++++++
Author: Michal Srb
Subject: Use preferred mode.
Patch-Mainline: To be upstreamed
References: bnc#896540
If there is any resolution specified with -geometry or -screen parameters,
report this resolution as preferred one. That way desktop environments won't
change it immediately after start.
Index: unix/xserver/hw/vnc/xvnc.cc
===================================================================
--- unix/xserver/hw/vnc/xvnc.cc (revision 5186)
+++ unix/xserver/hw/vnc/xvnc.cc (working copy)
@@ -1319,12 +1319,22 @@
/* Make sure the CRTC has this output set */
vncRandRCrtcSet(pScreen, crtc, NULL, 0, 0, RR_Rotate_0, 1, &output);
- /* Populate a list of default modes */
- RRModePtr modes[sizeof(vncRandRWidths)/sizeof(*vncRandRWidths)];
- int num_modes;
+ /* Populate a list of modes */
+ RRModePtr modes[sizeof(vncRandRWidths)/sizeof(*vncRandRWidths) + 1];
+ int num_modes = 0;
- num_modes = 0;
+ /* Start with requested mode */
+ mode = vncRandRModeGet(pScreen->width, pScreen->height);
+ if(mode != NULL) {
+ modes[num_modes] = mode;
+ num_modes++;
+ }
+
+ /* Add default modes */
for (int i = 0;i < sizeof(vncRandRWidths)/sizeof(*vncRandRWidths);i++) {
+ if (vncRandRWidths[i] == pScreen->width && vncRandRHeights[i] == pScreen->height)
+ continue;
+
mode = vncRandRModeGet(vncRandRWidths[i], vncRandRHeights[i]);
if (mode != NULL) {
modes[num_modes] = mode;
@@ -1332,7 +1342,7 @@
}
}
- RROutputSetModes(output, modes, num_modes, 0);
+ RROutputSetModes(output, modes, num_modes, 1);
return crtc;
}
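Review bot: `RROutputSetModes(output, modes, num_modes, 1)` always declares one preferred mode, but the previous hunk only puts the requested mode first when `vncRandRModeGet(pScreen->width, pScreen->height)` returns non-NULL. If that call fails, the first default mode is reported as preferred, and if no mode could be created at all the count of 1 exceeds `num_modes`. Track the count instead: declare `int num_preferred = 0;`, set `num_preferred = 1;` inside the `if(mode != NULL)` branch of the requested mode, and pass `num_preferred` here. The enclosing function starts before the first hunk.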
++++++ u_tigervnc-vncserver-clean-pid-files.patch ++++++
Author: Egbert Eich
Subject: Clean pid files of dead processes.
Patch-Mainline: To be upstreamed
References: bnc#948392
Signed-off-by: Michal Srb
--- a/unix/vncserver 2015-05-19 18:01:12.000000000 +0200
+++ b/unix/vncserver 2015-10-01 15:52:50.920363305 +0200
@@ -302,6 +302,7 @@
}
unless (kill 0, `cat $pidFile`) {
warn "Could not start Xvnc.\n\n";
+ unlink $pidFile;
open(LOG, "<$desktopLog");
while (<LOG>) { print; }
close(LOG);
@@ -587,7 +588,12 @@
print "X DISPLAY #\tPROCESS ID\n";
foreach my $file (@filelist) {
if ($file =~ /$host:(\d+)$\.pid/) {
- print ":".$1."\t\t".`cat $vncUserDir/$file`;
+ chop($tmp_pid = `cat $vncUserDir/$file`);
+ if (kill 0, $tmp_pid) {
+ print ":".$1."\t\t".`cat $vncUserDir/$file`;
+ } else {
+ unlink ($vncUserDir . "/" . $file);
+ }
}
}
exit 1;
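Review bot: The PID read with `chop($tmp_pid = ...)` is passed to `kill 0` without checking that it is a number, so an empty or corrupt pid file evaluates as PID 0, the check succeeds, and the stale file is listed as a live server. `chop` also removes the last character whether or not it is a newline, and the file is read a second time with `cat` for the print, so the value shown can differ from the value tested. Read it once with `chomp(my $pid = ...)`, require it to be all digits before calling `kill 0, $pid` (saving `$1` first, since a further successful match resets it), and print `$pid` itself. The file name is interpolated into a shell command by the backticks; opening the file directly in Perl would avoid the shell. The loop starts before this hunk.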
++++++ u_xorg-server-xdmcp.patch ++++++
Author: Reinhard Max
XDMCP: For IPv6 add IPv6 link local addresses to the end of the list
For IPv6, add link-local addresses to the end of the list passed to
the XDMCP servers.
Reason: for link local addresses the XDMCP server would need to either
know the interface thru a scope identifier or try all available interfaces.
If they don't this address will fail in which case the XDMCP server
could still try the other addresses passed - however some only try
the first address and then give up.
Even if this seems to be the wrong place to fix this it seems to be
easier than fixing all display servers.
Index: xorg-server-1.12.1/os/access.c
===================================================================
--- xorg-server-1.12.1.orig/os/access.c
+++ xorg-server-1.12.1/os/access.c
@@ -714,7 +714,9 @@ DefineSelf(int fd)
/*
* ignore 'localhost' entries as they're not useful
- * on the other end of the wire
+ * on the other end of the wire and because on hosts
+ * with shared home dirs they'll result in conflicting
+ * entries in ~/.Xauthority
*/
if (ifr->ifa_flags & IFF_LOOPBACK)
continue;
@@ -735,6 +737,14 @@ DefineSelf(int fd)
else if (family == FamilyInternet6 &&
IN6_IS_ADDR_LOOPBACK((struct in6_addr *) addr))
continue;
+
+ /* Ignore IPv6 link local addresses (fe80::/10), because
+ * they need a scope identifier, which we have no way
+ * of telling to the other end.
+ */
+ if (family == FamilyInternet6 &&
+ IN6_IS_ADDR_LINKLOCAL((struct in6_addr *)addr))
+ continue;
#endif
XdmcpRegisterConnection(family, (char *) addr, len);
#if defined(IPv6) && defined(AF_INET6)
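Review bot: The patch description says IPv6 link-local addresses are moved to the end of the list passed to XDMCP servers, but the added code skips them entirely with `continue`, and its own comment says "Ignore". A host reachable only over a link-local address would then register no IPv6 address at all, which the description does not prepare a reader for. Either align the description with the code or state the consequence in the comment, e.g. `/* Link-local (fe80::/10) addresses are dropped, not reordered: the peer cannot use them without a scope id */`. Whether this `continue` also keeps the address out of anything else DefineSelf() builds later in the loop cannot be seen from this hunk, which starts and ends inside the function.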
++++++ vnc-httpd.firewall ++++++
## Name: VNC mini-HTTP server
## Description: Opens the VNC HTTP ports so that browsers can connect.
# NOTE(review): this opens 100 TCP ports (5800-5899), while the xinetd entries
# shipped in vnc.xinetd listen only on 5801-5803. Presumably the wider range is
# meant for other VNC displays - confirm, and narrow it if only the xinetd
# services are used.
TCP="5800:5899"
++++++ vnc-server.firewall ++++++
## Name: VNC
## Description: Opens VNC server ports so that viewers can connect.
# NOTE(review): this opens 100 TCP ports (5900-5999). The xinetd entries in
# vnc.xinetd use 5901-5903 and start Xvnc with "-securitytypes none", so any
# host allowed through here reaches the login screen without VNC-level
# authentication or encryption. Limit the rule to trusted networks or narrow
# the range where possible.
TCP="5900:5999"
++++++ vnc.reg ++++++
#############################################################################
#
# OpenSLP registration file
#
# register VNC remote logins via kdm
# You need also to allow remote logins
#
#############################################################################
# Register VNC service for krdc (KDE VNC client in kdenetwork)
service:remotedesktop.kde:vnc://$HOSTNAME:5901,en,65535
tcp-port=5901
description=VNC remote login [1024x768]
# Register VNC service for krdc (KDE VNC client in kdenetwork)
service:remotedesktop.kde:vnc://$HOSTNAME:5902,en,65535
tcp-port=5902
description=VNC remote login [1280x1024]
# Register VNC service for krdc (KDE VNC client in kdenetwork)
service:remotedesktop.kde:vnc://$HOSTNAME:5903,en,65535
tcp-port=5903
description=VNC remote login [1600x1200]
# Register VNC service for Java clients
# Can be used with every Web browser with enabled Java
service:remotedesktop.java:http://$HOSTNAME:5801,en,65535
tcp-port=5801
description=VNC remote login [1024x768]
# Register VNC service for Java clients
# Can be used with every Web browser with enabled Java
service:remotedesktop.java:http://$HOSTNAME:5802,en,65535
tcp-port=5802
description=VNC remote login [1280x1024]
# Register VNC service for Java clients
# Can be used with every Web browser with enabled Java
service:remotedesktop.java:http://$HOSTNAME:5803,en,65535
tcp-port=5803
description=VNC remote login [1600x1200]
++++++ vnc.xinetd ++++++
# default: off
# description: This serves out a VNC connection which starts at a KDM login \
# prompt. This VNC connection has a resolution of 1024x768, 16bit depth.
# NOTE(review): "-securitytypes none" turns off VNC-level authentication and
# encryption, so the display-manager login reached through "-query localhost"
# is the only access control and everything typed there crosses the network in
# cleartext. Keep "disable = yes" unless the port is limited to a trusted
# network or tunnelled (for example over SSH or a VPN).
# NOTE(review): server_args passes no -depth option, so the "16bit depth" in
# the description is not set by this entry - confirm against the Xvnc default.
service vnc1
{
type = UNLISTED
port = 5901
socket_type = stream
protocol = tcp
wait = no
user = nobody
server = /usr/bin/Xvnc
server_args = -noreset -inetd -once -query localhost -geometry 1024x768 -securitytypes none
disable = yes
}
# default: off
# description: This serves out a VNC connection which starts at a KDM login \
# prompt. This VNC connection has a resolution of 1280x1024, 16bit depth.
# NOTE(review): "-securitytypes none" means no VNC password and no encryption;
# access control rests entirely on the display-manager login, and that login
# is sent in cleartext. Enable only on a trusted or tunnelled network.
# NOTE(review): no -depth option is passed below, so the "16bit depth" in the
# description is not set by this entry - confirm against the Xvnc default.
service vnc2
{
type = UNLISTED
port = 5902
socket_type = stream
protocol = tcp
wait = no
user = nobody
server = /usr/bin/Xvnc
server_args = -noreset -inetd -once -query localhost -geometry 1280x1024 -securitytypes none
disable = yes
}
# default: off
# description: This serves out a VNC connection which starts at a KDM login \
# prompt. This VNC connection has a resolution of 1600x1200, 16bit depth.
# NOTE(review): "-securitytypes none" means no VNC password and no encryption;
# access control rests entirely on the display-manager login, and that login
# is sent in cleartext. Enable only on a trusted or tunnelled network.
# NOTE(review): no -depth option is passed below, so the "16bit depth" in the
# description is not set by this entry - confirm against the Xvnc default.
service vnc3
{
type = UNLISTED
port = 5903
socket_type = stream
protocol = tcp
wait = no
user = nobody
server = /usr/bin/Xvnc
server_args = -noreset -inetd -once -query localhost -geometry 1600x1200 -securitytypes none
disable = yes
}
# default: off
# description: This serves out the vncviewer Java applet for the VNC \
# server running on port 5901, (vnc port 1).
# NOTE(review): the page is produced by the shell script named in "server",
# which reads the client's request directly from the network and answers over
# plain HTTP. It runs as "nobody"; enable it only where the matching VNC port
# (5901) is also meant to be reachable.
# server_args are: applet width, applet height, VNC port.
service vnchttpd1
{
type = UNLISTED
port = 5801
socket_type = stream
protocol = tcp
wait = no
user = nobody
server = /usr/bin/vnc_inetd_httpd
server_args = 1024 768 5901
disable = yes
}
# default: off
# description: This serves out the vncviewer Java applet for the VNC \
# server running on port 5902, (vnc port 2).
# NOTE(review): the page is produced by the shell script named in "server",
# which reads the client's request directly from the network and answers over
# plain HTTP. It runs as "nobody"; enable it only where the matching VNC port
# (5902) is also meant to be reachable.
# server_args are: applet width, applet height, VNC port.
service vnchttpd2
{
type = UNLISTED
port = 5802
socket_type = stream
protocol = tcp
wait = no
user = nobody
server = /usr/bin/vnc_inetd_httpd
server_args = 1280 1024 5902
disable = yes
}
# default: off
# description: This serves out the vncviewer Java applet for the VNC \
# server running on port 5903, (vnc port 3).
# NOTE(review): the page is produced by the shell script named in "server",
# which reads the client's request directly from the network and answers over
# plain HTTP. It runs as "nobody"; enable it only where the matching VNC port
# (5903) is also meant to be reachable.
# server_args are: applet width, applet height, VNC port.
service vnchttpd3
{
type = UNLISTED
port = 5803
socket_type = stream
protocol = tcp
wait = no
user = nobody
server = /usr/bin/vnc_inetd_httpd
server_args = 1600 1200 5903
disable = yes
}
++++++ vnc_inetd_httpd ++++++
#!/bin/bash
# Read the request line from stdin into method, URL and HTTP version; leave
# quietly if nothing arrives. The xinetd entries for this script run it per
# connection, so this input comes straight from the remote client.
# NOTE(review): `read` is used without -r, so backslashes in the request are
# interpreted by the shell instead of being kept literally.
read request url httptype || exit 0
# Remove one line-terminator character from the URL and from the HTTP version.
# The pattern shows up as a literal line break on this page; presumably it is
# a carriage return in the shipped file - confirm.
url="${url/
/}"
httptype="${httptype/
/}"
# Positional arguments; the xinetd entries pass "<width> <height> <vnc port>".
width=$1
height=$2
port=$3
# A non-empty third field means the client sent a version, so header lines
# follow (assumed): read and discard lines until an empty one ends them.
if [ "x$httptype" != "x" ]; then
line="x"
while [ -n "$line" ]; do
read line || exit 0
line="${line/
/}"
done
fi
case "$url" in
/)
# We need the size of the display for the current applet.
# The VNC menubar is 20 pixels high ...
height=$((height+20))
ctype="text/html"
content="
<HTML><HEAD><TITLE>Remote Desktop</TITLE></HEAD>
<BODY>