- Update to tigervnc 1.7.0.

* Multi-threaded decoder in the FLTK viewer
  * Improved SSH integration in the Java viewer
  * Fine grained lock down of Xvnc parameters
  * Compatibility with Xorg 1.18
  * Lots of packaging fixes
  * Better compatibility with Vino, both in the FLTK and Java viewer
- Removed patches:
  * U_add_allowoverride_parameter.patch
  * U_include-vencrypt-only-if-any-subtype-present.patch
  * U_tigervnc_clear_up_zlibinstream_reset_behaviour.patch
  * u_xserver118.patch

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=96
Michal Srb 2016-09-13 14:12:30 +00:00 committed by Git OBS Bridge
parent b25521dd8c
commit 35fddca831
10 changed files with 69 additions and 419 deletions


@ -1,164 +0,0 @@
Git-commit: ef0dd758a3fad048c1f04e144b03a3e69b001f21
Patch-Mainline: To be upstreamed
Author: Michal Srb <michalsrb@gmail.com>
Subject: Add AllowOverride parameter.
References: fate#319319
Allows to specify which configuration parameters can be modified on runtime.
diff --git a/unix/xserver/hw/vnc/vncExt.c b/unix/xserver/hw/vnc/vncExt.c
index 43794da..b27115f 100644
--- a/unix/xserver/hw/vnc/vncExt.c
+++ b/unix/xserver/hw/vnc/vncExt.c
@@ -182,17 +182,16 @@ static int ProcVncExtSetParam(ClientPtr client)
rep.sequenceNumber = client->sequence;
/*
- * Allow to change only certain parameters.
- * Changing other parameters (for example PAM service name)
- * could have negative security impact.
+ * Prevent change of clipboard related parameters if clipboard is disabled.
*/
- if (strncasecmp(param, "desktop", 7) != 0 &&
- strncasecmp(param, "AcceptPointerEvents", 19) != 0 &&
- (vncNoClipboard || strncasecmp(param, "SendCutText", 11) != 0) &&
- (vncNoClipboard || strncasecmp(param, "AcceptCutText", 13) != 0))
+ if (vncNoClipboard &&
+ (strncasecmp(param, "SendCutText", 11) == 0 ||
+ strncasecmp(param, "AcceptCutText", 13) == 0))
+ goto deny;
+
+ if (!vncOverrideParam(param))
goto deny;
- vncSetParamSimple(param);
rep.success = 1;
// Send DesktopName update if desktop name has been changed
diff --git a/unix/xserver/hw/vnc/vncExtInit.cc b/unix/xserver/hw/vnc/vncExtInit.cc
index 863cd36..1d37493 100644
--- a/unix/xserver/hw/vnc/vncExtInit.cc
+++ b/unix/xserver/hw/vnc/vncExtInit.cc
@@ -20,6 +20,9 @@
#include <stdio.h>
#include <errno.h>
+#include <set>
+#include <string>
+
#include <rfb/Configuration.h>
#include <rfb/Logger_stdio.h>
#include <rfb/LogWriter.h>
@@ -52,6 +55,15 @@ int vncFbstride[MAXSCREENS];
int vncInetdSock = -1;
+struct CaseInsensitiveCompare {
+ bool operator() (const std::string &a, const std::string &b) const {
+ return strcasecmp(a.c_str(), b.c_str()) < 0;
+ }
+};
+
+typedef std::set<std::string, CaseInsensitiveCompare> ParamSet;
+static ParamSet allowOverrideSet;
+
rfb::StringParameter httpDir("httpd",
"Directory containing files to serve via HTTP",
"");
@@ -69,6 +81,9 @@ rfb::StringParameter interface("interface",
rfb::BoolParameter avoidShiftNumLock("AvoidShiftNumLock",
"Avoid fake Shift presses for keys affected by NumLock.",
true);
+rfb::StringParameter allowOverride("AllowOverride",
+ "Comma separated list of parameters that can be modified using VNC extension.",
+ "desktop,AcceptPointerEvents,SendCutText,AcceptCutText");
static PixelFormat vncGetPixelFormat(int scrIdx)
{
@@ -99,6 +114,19 @@ static PixelFormat vncGetPixelFormat(int scrIdx)
redShift, greenShift, blueShift);
}
+static void parseOverrideList(const char *text, ParamSet &out)
+{
+ for (const char* iter = text; ; ++iter) {
+ if (*iter == ',' || *iter == '\0') {
+ out.insert(std::string(text, iter));
+ text = iter + 1;
+
+ if (*iter == '\0')
+ break;
+ }
+ }
+}
+
void vncExtensionInit(void)
{
int ret;
@@ -128,6 +156,10 @@ void vncExtensionInit(void)
try {
if (!initialised) {
rfb::initStdIOLoggers();
+
+ parseOverrideList(allowOverride, allowOverrideSet);
+ allowOverride.setImmutable();
+
initialised = true;
}
@@ -379,3 +411,16 @@ void vncRefreshScreenLayout(int scrIdx)
{
desktop[scrIdx]->refreshScreenLayout();
}
+
+int vncOverrideParam(const char *nameAndValue)
+{
+ const char* equalSign = strchr(nameAndValue, '=');
+ if (!equalSign)
+ return 0;
+
+ std::string key(nameAndValue, equalSign);
+ if (allowOverrideSet.find(key) == allowOverrideSet.end())
+ return 0;
+
+ return rfb::Configuration::setParam(nameAndValue);
+}
diff --git a/unix/xserver/hw/vnc/vncExtInit.h b/unix/xserver/hw/vnc/vncExtInit.h
index 6430ac0..be6487c 100644
--- a/unix/xserver/hw/vnc/vncExtInit.h
+++ b/unix/xserver/hw/vnc/vncExtInit.h
@@ -90,6 +90,8 @@ void vncPreScreenResize(int scrIdx);
void vncPostScreenResize(int scrIdx, int success, int width, int height);
void vncRefreshScreenLayout(int scrIdx);
+int vncOverrideParam(const char *nameAndValue);
+
#ifdef __cplusplus
}
#endif
diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
index 4a83315..a4d9f8d 100644
--- a/unix/xserver/hw/vnc/Xvnc.man
+++ b/unix/xserver/hw/vnc/Xvnc.man
@@ -300,6 +300,21 @@ Key affected by NumLock often require a fake Shift to be inserted in order
for the correct symbol to be generated. Turning on this option avoids these
extra fake Shift events but may result in a slightly different symbol
(e.g. a Return instead of a keypad Enter).
+.
+.TP
+.B \-AllowOverride
+Comma separated list of parameters that can be modified using VNC extension.
+Parameters can be modified for example using \fBvncconfig\fP(1) program from
+inside a running session.
+
+Allowing override of parameters such as \fBPAMService\fP or \fBPasswordFile\fP
+can negatively impact security if Xvnc runs under different user than the
+programs allowed to override the parameters.
+
+When \fBNoClipboard\fP parameter is set, allowing override of \fBSendCutText\fP
+and \fBAcceptCutText\fP has no effect.
+
+Default is \fBdesktop,AcceptPointerEvents,SendCutText,AcceptCutText\fP.
.SH USAGE WITH INETD
By configuring the \fBinetd\fP(1) service appropriately, Xvnc can be launched


@ -1,22 +0,0 @@
Index: common/rfb/Security.cxx
===================================================================
--- common/rfb/Security.cxx (revision 5186)
+++ common/rfb/Security.cxx (working copy)
@@ -71,10 +71,15 @@
list<rdr::U8> result;
list<U32>::iterator i;
- result.push_back(secTypeVeNCrypt);
+ bool VeNCryptPresent = false;
for (i = enabledSecTypes.begin(); i != enabledSecTypes.end(); i++)
- if (*i < 0x100)
+ if (*i < 0x100) {
result.push_back(*i);
+ } else {
+ if(!VeNCryptPresent)
+ result.push_back(secTypeVeNCrypt);
+ VeNCryptPresent = true;
+ }
return result;
}


@ -1,159 +0,0 @@
From 6f318e4451fcb45054408eaf568ca1c30c2d1ab6 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Wed, 11 Nov 2015 13:11:09 +0100
Subject: [PATCH] Clear up ZlibInStream::reset() behaviour
It previously only did a reset of the ZlibInStream object, not the
underlying zlib stream. It also had the side effect of flushing
the underlying stream and disassociating from it.
Clear things up by changing the naming, and introducing a proper
reset function (which is needed by the Tight decoder).
Index: tigervnc-1.5.0/common/rdr/ZlibInStream.cxx
===================================================================
--- tigervnc-1.5.0.orig/common/rdr/ZlibInStream.cxx
+++ tigervnc-1.5.0/common/rdr/ZlibInStream.cxx
@@ -16,6 +16,8 @@
* USA.
*/
+#include <assert.h>
+
#include <rdr/ZlibInStream.h>
#include <rdr/Exception.h>
#include <zlib.h>
@@ -26,26 +28,16 @@ enum { DEFAULT_BUF_SIZE = 16384 };
ZlibInStream::ZlibInStream(int bufSize_)
: underlying(0), bufSize(bufSize_ ? bufSize_ : DEFAULT_BUF_SIZE), offset(0),
- bytesIn(0)
+ zs(NULL), bytesIn(0)
{
- zs = new z_stream;
- zs->zalloc = Z_NULL;
- zs->zfree = Z_NULL;
- zs->opaque = Z_NULL;
- zs->next_in = Z_NULL;
- zs->avail_in = 0;
- if (inflateInit(zs) != Z_OK) {
- delete zs;
- throw Exception("ZlibInStream: inflateInit failed");
- }
ptr = end = start = new U8[bufSize];
+ init();
}
ZlibInStream::~ZlibInStream()
{
+ deinit();
delete [] start;
- inflateEnd(zs);
- delete zs;
}
void ZlibInStream::setUnderlying(InStream* is, int bytesIn_)
@@ -60,7 +52,7 @@ int ZlibInStream::pos()
return offset + ptr - start;
}
-void ZlibInStream::reset()
+void ZlibInStream::removeUnderlying()
{
ptr = end = start;
if (!underlying) return;
@@ -72,6 +64,38 @@ void ZlibInStream::reset()
underlying = 0;
}
+void ZlibInStream::reset()
+{
+ deinit();
+ init();
+}
+
+void ZlibInStream::init()
+{
+ assert(zs == NULL);
+
+ zs = new z_stream;
+ zs->zalloc = Z_NULL;
+ zs->zfree = Z_NULL;
+ zs->opaque = Z_NULL;
+ zs->next_in = Z_NULL;
+ zs->avail_in = 0;
+ if (inflateInit(zs) != Z_OK) {
+ delete zs;
+ zs = NULL;
+ throw Exception("ZlibInStream: inflateInit failed");
+ }
+}
+
+void ZlibInStream::deinit()
+{
+ assert(zs != NULL);
+ removeUnderlying();
+ inflateEnd(zs);
+ delete zs;
+ zs = NULL;
+}
+
int ZlibInStream::overrun(int itemSize, int nItems, bool wait)
{
if (itemSize > bufSize)
Index: tigervnc-1.5.0/common/rdr/ZlibInStream.h
===================================================================
--- tigervnc-1.5.0.orig/common/rdr/ZlibInStream.h
+++ tigervnc-1.5.0/common/rdr/ZlibInStream.h
@@ -38,11 +38,15 @@ namespace rdr {
virtual ~ZlibInStream();
void setUnderlying(InStream* is, int bytesIn);
- void reset();
+ void removeUnderlying();
int pos();
+ void reset();
private:
+ void init();
+ void deinit();
+
int overrun(int itemSize, int nItems, bool wait);
bool decompress(bool wait);
Index: tigervnc-1.5.0/common/rfb/zrleDecode.h
===================================================================
--- tigervnc-1.5.0.orig/common/rfb/zrleDecode.h
+++ tigervnc-1.5.0/common/rfb/zrleDecode.h
@@ -177,7 +177,7 @@ void ZRLE_DECODE (const Rect& r, rdr::In
}
}
- zis->reset();
+ zis->removeUnderlying();
}
#undef ZRLE_DECODE
Index: tigervnc-1.5.0/common/rfb/tightDecode.h
===================================================================
--- tigervnc-1.5.0.orig/common/rfb/tightDecode.h
+++ tigervnc-1.5.0/common/rfb/tightDecode.h
@@ -59,7 +59,7 @@ void TIGHT_DECODE (const Rect& r)
rdr::U8 comp_ctl = is->readU8();
- // Flush zlib streams if we are told by the server to do so.
+ // Reset zlib streams if we are told by the server to do so.
for (int i = 0; i < 4; i++) {
if (comp_ctl & 1) {
zis[i].reset();
@@ -231,7 +231,7 @@ void TIGHT_DECODE (const Rect& r)
delete [] netbuf;
if (streamId != -1) {
- zis[streamId].reset();
+ zis[streamId].removeUnderlying();
}
}


@ -1,7 +1,7 @@
Index: tigervnc-1.5.0/vncviewer/DesktopWindow.cxx
Index: tigervnc-1.7.0/vncviewer/DesktopWindow.cxx
===================================================================
--- tigervnc-1.5.0.orig/vncviewer/DesktopWindow.cxx
+++ tigervnc-1.5.0/vncviewer/DesktopWindow.cxx
--- tigervnc-1.7.0.orig/vncviewer/DesktopWindow.cxx
+++ tigervnc-1.7.0/vncviewer/DesktopWindow.cxx
@@ -177,6 +177,8 @@ DesktopWindow::~DesktopWindow()
OptionsDialog::removeCallback(handleOptions);
@ -11,11 +11,11 @@ Index: tigervnc-1.5.0/vncviewer/DesktopWindow.cxx
// FLTK automatically deletes all child widgets, so we shouldn't touch
// them ourselves here
}
Index: tigervnc-1.5.0/vncviewer/Viewport.cxx
Index: tigervnc-1.7.0/vncviewer/Viewport.cxx
===================================================================
--- tigervnc-1.5.0.orig/vncviewer/Viewport.cxx
+++ tigervnc-1.5.0/vncviewer/Viewport.cxx
@@ -139,6 +139,11 @@ Viewport::Viewport(int w, int h, const r
--- tigervnc-1.7.0.orig/vncviewer/Viewport.cxx
+++ tigervnc-1.7.0/vncviewer/Viewport.cxx
@@ -140,6 +140,11 @@ Viewport::Viewport(int w, int h, const r
Viewport::~Viewport()
{
@ -27,10 +27,10 @@ Index: tigervnc-1.5.0/vncviewer/Viewport.cxx
// Unregister all timeouts in case they get a change tro trigger
// again later when this object is already gone.
Fl::remove_timeout(handlePointerTimeout, this);
Index: tigervnc-1.5.0/vncviewer/vncviewer.cxx
Index: tigervnc-1.7.0/vncviewer/vncviewer.cxx
===================================================================
--- tigervnc-1.5.0.orig/vncviewer/vncviewer.cxx
+++ tigervnc-1.5.0/vncviewer/vncviewer.cxx
--- tigervnc-1.7.0.orig/vncviewer/vncviewer.cxx
+++ tigervnc-1.7.0/vncviewer/vncviewer.cxx
@@ -107,6 +107,8 @@ static const char *about_text()
return buffer;
}
@ -40,7 +40,7 @@ Index: tigervnc-1.5.0/vncviewer/vncviewer.cxx
void exit_vncviewer(const char *error)
{
// Prioritise the first error we get as that is probably the most
@@ -158,6 +160,16 @@ static void CleanupSignalHandler(int sig
@@ -177,6 +179,16 @@ static void CleanupSignalHandler(int sig
// CleanupSignalHandler allows C++ object cleanup to happen because it calls
// exit() rather than the default which is to abort.
vlog.info(_("Termination signal %d has been received. TigerVNC Viewer will now exit."), sig);
@ -57,7 +57,7 @@ Index: tigervnc-1.5.0/vncviewer/vncviewer.cxx
exit(1);
}
@@ -460,11 +472,19 @@ int main(int argc, char** argv)
@@ -481,11 +493,19 @@ int main(int argc, char** argv)
init_fltk();
@ -77,12 +77,12 @@ Index: tigervnc-1.5.0/vncviewer/vncviewer.cxx
Configuration::enableViewerParams();
/* Load the default parameter settings */
@@ -577,7 +597,7 @@ int main(int argc, char** argv)
@@ -602,7 +622,7 @@ int main(int argc, char** argv)
#endif
}
- CConn *cc = new CConn(vncServerName, sock);
+ cc = new CConn(vncServerName, sock);
while (!exitMainloop) {
int next_timer;
while (!exitMainloop)
run_mainloop();


@ -9,5 +9,5 @@ Index: tigervnc-1.6.0/vncviewer/CConn.cxx
+ if (encoding == pseudoEncodingDesktopSize)
+ setDesktopSize( r.width(), r.height() );
if (!Decoder::supported(encoding)) {
// TRANSLATORS: Refers to a VNC protocol encoding type
CConnection::dataRect(r, encoding);


@ -1,3 +1,19 @@
-------------------------------------------------------------------
Tue Sep 13 14:10:08 UTC 2016 - msrb@suse.com
- Update to tigervnc 1.7.0.
* Multi-threaded decoder in the FLTK viewer
* Improved SSH integration in the Java viewer
* Fine grained lock down of Xvnc parameters
* Compatibility with Xorg 1.18
* Lots of packaging fixes
* Better compatibility with Vino, both in the FLTK and Java viewer
- Removed patches:
* U_add_allowoverride_parameter.patch
* U_include-vencrypt-only-if-any-subtype-present.patch
* U_tigervnc_clear_up_zlibinstream_reset_behaviour.patch
* u_xserver118.patch
-------------------------------------------------------------------
Mon Aug 8 20:05:19 UTC 2016 - eich@suse.com


@ -23,7 +23,7 @@
%define tlscert %{_sysconfdir}/vnc/tls.cert
Name: tigervnc
Version: 1.6.0
Version: 1.7.0
Release: 0
Provides: tightvnc = 1.3.9
Obsoletes: tightvnc < 1.3.9
@ -113,15 +113,11 @@ Patch1: tigervnc-newfbsize.patch
Patch2: tigervnc-clean-pressed-key-on-exit.patch
Patch3: u_tigervnc-ignore-epipe-on-write.patch
Patch4: n_tigervnc-date-time.patch
Patch5: U_include-vencrypt-only-if-any-subtype-present.patch
Patch6: u_tigervnc-cve-2014-8240.patch
Patch7: u_tigervnc-add-autoaccept-parameter.patch
Patch8: u_xserver118.patch
Patch9: u_tigervnc_update_default_vncxstartup.patch
Patch10: U_add_allowoverride_parameter.patch
Patch11: u_build_libXvnc_as_separate_library.patch
Patch12: u_tigervnc-show-unencrypted-warning.patch
Patch13: U_tigervnc_clear_up_zlibinstream_reset_behaviour.patch
Patch5: u_tigervnc-cve-2014-8240.patch
Patch6: u_tigervnc-add-autoaccept-parameter.patch
Patch7: u_tigervnc_update_default_vncxstartup.patch
Patch8: u_build_libXvnc_as_separate_library.patch
Patch9: u_tigervnc-show-unencrypted-warning.patch
%description
TigerVNC is a high-performance, platform-neutral implementation of VNC (Virtual Network Computing),
@ -175,15 +171,11 @@ cp -r /usr/src/xserver/* unix/xserver/
%patch2 -p1
%patch3 -p0
%patch4 -p1
%patch5 -p0
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
pushd unix/xserver
patch -p1 < ../xserver117.patch
@ -222,7 +214,7 @@ popd
# Build java client
pushd java
cmake -DCMAKE_INSTALL_PREFIX:PATH=%{_prefix}
cmake -DCMAKE_INSTALL_PREFIX:PATH=%{_prefix} -DJAVACFLAGS="-encoding utf8"
make %{?_smp_mflags}
popd
@ -301,6 +293,24 @@ fi
%ghost %_sysconfdir/alternatives/vncviewer.1.gz
%endif
%dir %_datadir/icons/hicolor/16x16
%dir %_datadir/icons/hicolor/16x16/apps
%dir %_datadir/icons/hicolor/22x22
%dir %_datadir/icons/hicolor/22x22/apps
%dir %_datadir/icons/hicolor/24x24
%dir %_datadir/icons/hicolor/24x24/apps
%dir %_datadir/icons/hicolor/32x32
%dir %_datadir/icons/hicolor/32x32/apps
%dir %_datadir/icons/hicolor/48x48
%dir %_datadir/icons/hicolor/48x48/apps
%dir %_datadir/icons/hicolor/scalable
%dir %_datadir/icons/hicolor/scalable/apps
%_datadir/icons/hicolor/*/apps/tigervnc.png
%_datadir/icons/hicolor/scalable/apps/tigervnc.svg
%_datadir/applications/vncviewer.desktop
%files -n xorg-x11-Xvnc
%doc LICENCE.TXT README.txt
%defattr(-,root,root)


@ -7,13 +7,14 @@ If the VNC server closes connection after our last read and before this write, w
This situation is no error, however, we should quit normally same as when we find out that connection was closed during read.
Index: common/rdr/FdOutStream.cxx
===================================================================
--- common/rdr/FdOutStream.cxx (revision 5178)
+++ common/rdr/FdOutStream.cxx (working copy)
@@ -225,7 +225,12 @@
// network connections. Should in fact never ever happen...
} while (n < 0 && (errno == EWOULDBLOCK));
--- common/rdr/FdOutStream.cxx.orig
+++ common/rdr/FdOutStream.cxx
@@ -191,8 +191,12 @@ int FdOutStream::writeWithTimeout(const
n = ::write(fd, data, length);
} while (n < 0 && (errno == EINTR));
- if (n < 0) throw SystemException("write",errno);
- if (n < 0)
- throw SystemException("write", errno);
+ if (n < 0) {
+ if(errno == EPIPE)
+ n = length; // Ignore EPIPE and fake successfull write, it doesn't matter that we are writing to closed socket, we will find out once we try to read from it.
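Review bot: The refreshed EPIPE branch in `FdOutStream::writeWithTimeout` sets `n = length`, so every caller is told the whole buffer was written although nothing reached the peer, and the closed connection is noticed only if a read follows. A code path that writes and then finishes without reading again would lose the failure silently, so a debug-level log entry next to `n = length;` would keep it visible. The branch also depends on SIGPIPE being ignored or blocked so that `write()` returns EPIPE at all; that is not visible in this section and should be confirmed for every program linking this code. I would replace the trailing comment with `// EPIPE: peer closed the socket; report the bytes as written and let the next read detect the closed connection.`, which also removes the "successfull" typo. The `if (n < 0) {` block continues past the last line shown here.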


@ -1,35 +0,0 @@
Subject: Support X server 1.18.0
Author: Michal Srb <msrb@suse.com>
Patch-Mainline: To be upstreamed
diff --git a/unix/xserver/hw/vnc/xorg-version.h b/unix/xserver/hw/vnc/xorg-version.h
index 8cc1c86..60610cb 100644
--- a/unix/xserver/hw/vnc/xorg-version.h
+++ b/unix/xserver/hw/vnc/xorg-version.h
@@ -48,8 +48,10 @@
#define XORG 116
#elif XORG_VERSION_CURRENT < ((1 * 10000000) + (17 * 100000) + (99 * 1000))
#define XORG 117
+#elif XORG_VERSION_CURRENT < ((1 * 10000000) + (18 * 100000) + (99 * 1000))
+#define XORG 118
#else
-#error "X.Org newer than 1.17 is not supported"
+#error "X.Org newer than 1.18 is not supported"
#endif
#endif
index 4c90a95..55befa7 100644
--- a/unix/xserver/hw/vnc/Input.c
+++ b/unix/xserver/hw/vnc/Input.c
@@ -300,8 +300,10 @@ static inline void pressKey(DeviceIntPtr dev, int kc, Bool down, const char *msg
#if XORG < 111
n = GetKeyboardEvents(eventq, dev, action, kc);
enqueueEvents(dev, n);
-#else
+#elif XORG < 118
QueueKeyboardEvents(dev, action, kc, NULL);
+#else
+ QueueKeyboardEvents(dev, action, kc);
#endif
}

3
v1.7.0.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4aa704747b4f8f1d59768b663c488fa937e6783db2a46ae407cd2a599cfbf8b1
size 1405952