Accepting request 392822 from home:michalsrb:branches:X11:XOrg
- Add U_add_allowoverride_parameter.patch and u_build_libXvnc_as_separate_library.patch (fate#319319) - Add u_tigervnc-show-unencrypted-warning.patch (fate#319701) OBS-URL: https://build.opensuse.org/request/show/392822 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=83
parent
bc2afa40af
commit
39f8d3ee24
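--- a/U_add_allowoverride_parameter.patch
+++ b/U_add_allowoverride_parameter.patch
@@ -0,0 +1,164 @@
+Git-commit: ef0dd758a3fad048c1f04e144b03a3e69b001f21
+Patch-Mainline: To be upstreamed
+Author: Michal Srb <michalsrb@gmail.com>
+Subject: Add AllowOverride parameter.
+References: fate#319319
+
+Allows to specify which configuration parameters can be modified on runtime.
+
+diff --git a/unix/xserver/hw/vnc/vncExt.c b/unix/xserver/hw/vnc/vncExt.c
+index 43794da..b27115f 100644
+--- a/unix/xserver/hw/vnc/vncExt.c
++++ b/unix/xserver/hw/vnc/vncExt.c
+@@ -182,17 +182,16 @@ static int ProcVncExtSetParam(ClientPtr client)
+rep.sequenceNumber = client->sequence;
+
+/*
+- * Allow to change only certain parameters.
+- * Changing other parameters (for example PAM service name)
+- * could have negative security impact.
++ * Prevent change of clipboard related parameters if clipboard is disabled.
+*/
+- if (strncasecmp(param, "desktop", 7) != 0 &&
+- strncasecmp(param, "AcceptPointerEvents", 19) != 0 &&
+- (vncNoClipboard || strncasecmp(param, "SendCutText", 11) != 0) &&
+- (vncNoClipboard || strncasecmp(param, "AcceptCutText", 13) != 0))
++ if (vncNoClipboard &&
++ (strncasecmp(param, "SendCutText", 11) == 0 ||
++ strncasecmp(param, "AcceptCutText", 13) == 0))
++ goto deny;
++
++ if (!vncOverrideParam(param))
+goto deny;
+
+- vncSetParamSimple(param);
+rep.success = 1;
+
+// Send DesktopName update if desktop name has been changed
+diff --git a/unix/xserver/hw/vnc/vncExtInit.cc b/unix/xserver/hw/vnc/vncExtInit.cc
+index 863cd36..1d37493 100644
+--- a/unix/xserver/hw/vnc/vncExtInit.cc
++++ b/unix/xserver/hw/vnc/vncExtInit.cc
+@@ -20,6 +20,9 @@
+#include <stdio.h>
+#include <errno.h>
+
++#include <set>
++#include <string>
++
+#include <rfb/Configuration.h>
+#include <rfb/Logger_stdio.h>
+#include <rfb/LogWriter.h>
+@@ -52,6 +55,15 @@ int vncFbstride[MAXSCREENS];
+
+int vncInetdSock = -1;
+
++struct CaseInsensitiveCompare {
++ bool operator() (const std::string &a, const std::string &b) const {
++ return strcasecmp(a.c_str(), b.c_str()) < 0;
++ }
++};
++
++typedef std::set<std::string, CaseInsensitiveCompare> ParamSet;
++static ParamSet allowOverrideSet;
++
+rfb::StringParameter httpDir("httpd",
+"Directory containing files to serve via HTTP",
+"");
+@@ -69,6 +81,9 @@ rfb::StringParameter interface("interface",
+rfb::BoolParameter avoidShiftNumLock("AvoidShiftNumLock",
+"Avoid fake Shift presses for keys affected by NumLock.",
+true);
++rfb::StringParameter allowOverride("AllowOverride",
++ "Comma separated list of parameters that can be modified using VNC extension.",
++ "desktop,AcceptPointerEvents,SendCutText,AcceptCutText");
+
+static PixelFormat vncGetPixelFormat(int scrIdx)
+{
+@@ -99,6 +114,19 @@ static PixelFormat vncGetPixelFormat(int scrIdx)
+redShift, greenShift, blueShift);
+}
+
++static void parseOverrideList(const char *text, ParamSet &out)
++{
++ for (const char* iter = text; ; ++iter) {
++ if (*iter == ',' || *iter == '\0') {
++ out.insert(std::string(text, iter));
++ text = iter + 1;
++
++ if (*iter == '\0')
++ break;
++ }
++ }
++}
++
+void vncExtensionInit(void)
+{
+int ret;
+@@ -128,6 +156,10 @@ void vncExtensionInit(void)
+try {
+if (!initialised) {
+rfb::initStdIOLoggers();
++
++ parseOverrideList(allowOverride, allowOverrideSet);
++ allowOverride.setImmutable();
++
+initialised = true;
+}
+
+@@ -379,3 +411,16 @@ void vncRefreshScreenLayout(int scrIdx)
+{
+desktop[scrIdx]->refreshScreenLayout();
+}
++
++int vncOverrideParam(const char *nameAndValue)
++{
++ const char* equalSign = strchr(nameAndValue, '=');
++ if (!equalSign)
++ return 0;
++
++ std::string key(nameAndValue, equalSign);
++ if (allowOverrideSet.find(key) == allowOverrideSet.end())
++ return 0;
++
++ return rfb::Configuration::setParam(nameAndValue);
++}
+diff --git a/unix/xserver/hw/vnc/vncExtInit.h b/unix/xserver/hw/vnc/vncExtInit.h
+index 6430ac0..be6487c 100644
+--- a/unix/xserver/hw/vnc/vncExtInit.h
++++ b/unix/xserver/hw/vnc/vncExtInit.h
+@@ -90,6 +90,8 @@ void vncPreScreenResize(int scrIdx);
+void vncPostScreenResize(int scrIdx, int success, int width, int height);
+void vncRefreshScreenLayout(int scrIdx);
+
++int vncOverrideParam(const char *nameAndValue);
++
+#ifdef __cplusplus
+}
+#endif
+diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man
+index 4a83315..a4d9f8d 100644
+--- a/unix/xserver/hw/vnc/Xvnc.man
++++ b/unix/xserver/hw/vnc/Xvnc.man
+@@ -300,6 +300,21 @@ Key affected by NumLock often require a fake Shift to be inserted in order
+for the correct symbol to be generated. Turning on this option avoids these
+extra fake Shift events but may result in a slightly different symbol
+(e.g. a Return instead of a keypad Enter).
++.
++.TP
++.B \-AllowOverride
++Comma separated list of parameters that can be modified using VNC extension.
++Parameters can be modified for example using \fBvncconfig\fP(1) program from
++inside a running session.
++
++Allowing override of parameters such as \fBPAMService\fP or \fBPasswordFile\fP
++can negatively impact security if Xvnc runs under different user than the
++programs allowed to override the parameters.
++
++When \fBNoClipboard\fP parameter is set, allowing override of \fBSendCutText\fP
++and \fBAcceptCutText\fP has no effect.
++
++Default is \fBdesktop,AcceptPointerEvents,SendCutText,AcceptCutText\fP.
+
+.SH USAGE WITH INETD
+By configuring the \fBinetd\fP(1) service appropriately, Xvnc can be launched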
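Review bot: `parseOverrideList` in vncExtInit.cc inserts every comma-delimited token verbatim, so an empty `AllowOverride` value or a stray comma puts the empty string into `allowOverrideSet`, and a name written with a space after the comma silently never matches. With the empty key present, a request of the form `=value` passes the `allowOverrideSet.find(key)` check in `vncOverrideParam` and reaches `rfb::Configuration::setParam`; whether that call rejects an empty name is not visible in this patch. I would skip empty tokens, `if (iter != text) out.insert(std::string(text, iter));`, and trim surrounding whitespace before inserting, so the allowlist holds only names the administrator actually wrote. Logging the requested parameter name on the `goto deny` path in `ProcVncExtSetParam` would also make rejected override attempts visible; that function's body extends beyond the hunk.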
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 29 14:13:22 UTC 2016 - msrb@suse.com
|
||||
|
||||
- Add U_add_allowoverride_parameter.patch and
|
||||
u_build_libXvnc_as_separate_library.patch (fate#319319)
|
||||
- Add u_tigervnc-show-unencrypted-warning.patch (fate#319701)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 27 10:34:05 UTC 2016 - msrb@suse.com
|
||||
|
||||
|
@ -116,6 +116,9 @@ Patch6: u_tigervnc-cve-2014-8240.patch
|
||||
Patch7: u_tigervnc-add-autoaccept-parameter.patch
|
||||
Patch8: u_xserver118.patch
|
||||
Patch9: u_tigervnc_update_default_vncxstartup.patch
|
||||
Patch10: U_add_allowoverride_parameter.patch
|
||||
Patch11: u_build_libXvnc_as_separate_library.patch
|
||||
Patch12: u_tigervnc-show-unencrypted-warning.patch
|
||||
|
||||
%description
|
||||
TigerVNC is a high-performance, platform-neutral implementation of VNC (Virtual Network Computing),
|
||||
@ -145,6 +148,21 @@ Group: System/X11/Servers/XF86_4
|
||||
%description -n xorg-x11-Xvnc
|
||||
This is the TigerVNC implementation of Xvnc.
|
||||
|
||||
%package -n libXvnc1
|
||||
Summary: X extension to control VNC module
|
||||
Group: System/Libraries
|
||||
|
||||
%description -n libXvnc1
|
||||
Xvnc extension allows X clients to read and change VNC configuration.
|
||||
|
||||
%package -n libXvnc-devel
|
||||
Summary: X extension to control VNC module
|
||||
Group: Development/Libraries/C and C++
|
||||
Requires: libXvnc1 = %version
|
||||
|
||||
%description -n libXvnc-devel
|
||||
Xvnc extension allows X clients to read and change VNC configuration.
|
||||
|
||||
%prep
|
||||
%setup -T -b1 -q
|
||||
cp -r /usr/src/xserver/* unix/xserver/
|
||||
@ -158,6 +176,9 @@ cp -r /usr/src/xserver/* unix/xserver/
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
|
||||
pushd unix/xserver
|
||||
patch -p1 < ../xserver117.patch
|
||||
@ -266,6 +287,10 @@ if [ "$1" = 0 ] ; then
|
||||
fi
|
||||
%endif
|
||||
|
||||
%post -n libXvnc1 -p /sbin/ldconfig
|
||||
|
||||
%postun -n libXvnc1 -p /sbin/ldconfig
|
||||
|
||||
%files -f %{name}.lang
|
||||
%defattr(-,root,root,-)
|
||||
%ghost %{_bindir}/vncviewer
|
||||
@ -332,4 +357,13 @@ fi
|
||||
%ghost %attr(0600,%{vncuser},%{vncuser}) %config(noreplace) %{tlskey}
|
||||
%ghost %attr(0644,%{vncuser},%{vncuser}) %config(noreplace) %{tlscert}
|
||||
|
||||
%files -n libXvnc1
|
||||
%defattr(-,root,root)
|
||||
%{_libdir}/libXvnc.so.1*
|
||||
|
||||
%files -n libXvnc-devel
|
||||
%defattr(-,root,root)
|
||||
%{_libdir}/libXvnc.so
|
||||
%{_includedir}/X11/extensions/Xvnc.h
|
||||
|
||||
%changelog
|
||||
|
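--- a/u_build_libXvnc_as_separate_library.patch
+++ b/u_build_libXvnc_as_separate_library.patch
@@ -0,0 +1,38 @@
+Author: Michal Srb <michalsrb@gmail.com>
+Patch-Mainline: To be upstreamed
+Subject: [PATCH] Build libXvnc as separate library.
+
+So it can be used by others, not only vncconfig.
+
+diff --git a/unix/vncconfig/CMakeLists.txt b/unix/vncconfig/CMakeLists.txt
+index 959681f..5fe1fb8 100644
+--- a/unix/vncconfig/CMakeLists.txt
++++ b/unix/vncconfig/CMakeLists.txt
+@@ -3,13 +3,25 @@ include_directories(${X11_INCLUDE_DIR})
+include_directories(${CMAKE_SOURCE_DIR}/common)
+include_directories(${CMAKE_SOURCE_DIR}/unix/tx)
+
++include(GNUInstallDirs)
++
++add_library(Xvnc SHARED
++ vncExt.c)
++
++set_target_properties(Xvnc
++ PROPERTIES
++ VERSION 1.0.0
++ SOVERSION 1
++)
++
+add_executable(vncconfig
+buildtime.c
+- vncExt.c
+vncconfig.cxx
+QueryConnectDialog.cxx)
+
+-target_link_libraries(vncconfig tx rfb network rdr ${X11_LIBRARIES})
++target_link_libraries(vncconfig tx rfb network rdr Xvnc ${X11_LIBRARIES})
+
+install(TARGETS vncconfig DESTINATION ${BIN_DIR})
++install(TARGETS Xvnc LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} RENAME libXvnc.so)
+install(FILES vncconfig.man DESTINATION ${MAN_DIR}/man1 RENAME vncconfig.1)
++install(FILES vncExt.h DESTINATION ${X11_INCLUDE_DIR}/X11/extensions RENAME Xvnc.h)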
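Review bot: The new `install(FILES vncExt.h DESTINATION ${X11_INCLUDE_DIR}/X11/extensions RENAME Xvnc.h)` installs into the directory where the X11 headers were found, the same variable passed to `include_directories` at the top of the file, so the header goes to an absolute path and ignores the install prefix. Since the patch already includes `GNUInstallDirs`, `DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/X11/extensions` would keep it consistent with the `${CMAKE_INSTALL_LIBDIR}` used for the library. The `Xvnc` target also has no `target_link_libraries`, so the shared object presumably relies on its consumers to link the X11 libraries it calls; `target_link_libraries(Xvnc ${X11_LIBRARIES})` would make it self-contained.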
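--- a/u_tigervnc-show-unencrypted-warning.patch
+++ b/u_tigervnc-show-unencrypted-warning.patch
@@ -0,0 +1,178 @@
+Author: Michal Srb <michalsrb@gmail.com>
+Subject: Display warning in window title when no encryption is in use.
+Patch-Mainline: To be upstreamed
+References: fate#319701
+
+Index: tigervnc-1.6.0/common/rfb/CSecurityPlain.cxx
+===================================================================
+--- tigervnc-1.6.0.orig/common/rfb/CSecurityPlain.cxx
++++ tigervnc-1.6.0/common/rfb/CSecurityPlain.cxx
+@@ -31,7 +31,7 @@ bool CSecurityPlain::processMsg(CConnect
+CharArray username;
+CharArray password;
+
+- (CSecurity::upg)->getUserPasswd(&username.buf, &password.buf);
++ (CSecurity::upg)->getUserPasswd(&username.buf, &password.buf, cc->csecurity->getType());
+
+// Return the response to the server
+os->writeU32(strlen(username.buf));
+Index: tigervnc-1.6.0/common/rfb/CSecurityVncAuth.cxx
+===================================================================
+--- tigervnc-1.6.0.orig/common/rfb/CSecurityVncAuth.cxx
++++ tigervnc-1.6.0/common/rfb/CSecurityVncAuth.cxx
+@@ -46,7 +46,7 @@ bool CSecurityVncAuth::processMsg(CConne
+rdr::U8 challenge[vncAuthChallengeSize];
+is->readBytes(challenge, vncAuthChallengeSize);
+PlainPasswd passwd;
+- (CSecurity::upg)->getUserPasswd(0, &passwd.buf);
++ (CSecurity::upg)->getUserPasswd(0, &passwd.buf, cc->csecurity->getType());
+
+// Calculate the correct response
+rdr::U8 key[8];
+Index: tigervnc-1.6.0/common/rfb/Security.cxx
+===================================================================
+--- tigervnc-1.6.0.orig/common/rfb/Security.cxx
++++ tigervnc-1.6.0/common/rfb/Security.cxx
+@@ -206,3 +206,19 @@ std::list<rdr::U32> rfb::parseSecTypes(c
+}
+return result;
+}
++
++bool rfb::isSecTypeEncrypted(rdr::U32 num)
++{
++ switch (num) {
++ case secTypeTLSNone:
++ case secTypeTLSVnc:
++ case secTypeTLSPlain:
++ case secTypeX509None:
++ case secTypeX509Vnc:
++ case secTypeX509Plain:
++ return true;
++
++ default:
++ return false;
++ }
++}
+Index: tigervnc-1.6.0/common/rfb/Security.h
+===================================================================
+--- tigervnc-1.6.0.orig/common/rfb/Security.h
++++ tigervnc-1.6.0/common/rfb/Security.h
+@@ -104,6 +104,8 @@ namespace rfb {
+const char* secTypeName(rdr::U32 num);
+rdr::U32 secTypeNum(const char* name);
+std::list<rdr::U32> parseSecTypes(const char* types);
++
++ bool isSecTypeEncrypted(rdr::U32 num);
+}
+
+#endif
+Index: tigervnc-1.6.0/common/rfb/UserPasswdGetter.h
+===================================================================
+--- tigervnc-1.6.0.orig/common/rfb/UserPasswdGetter.h
++++ tigervnc-1.6.0/common/rfb/UserPasswdGetter.h
+@@ -17,6 +17,9 @@
+*/
+#ifndef __RFB_USERPASSWDGETTER_H__
+#define __RFB_USERPASSWDGETTER_H__
++
++#include <rdr/types.h>
++
+namespace rfb {
+class UserPasswdGetter {
+public:
+@@ -24,7 +27,7 @@ namespace rfb {
+// dialog, getpass(), etc. The user buffer pointer can be null, in which
+// case no user name will be retrieved. The caller MUST delete [] the
+// result(s).
+- virtual void getUserPasswd(char** user, char** password)=0;
++ virtual void getUserPasswd(char** user, char** password, rdr::U32 secType)=0;
+};
+}
+#endif
+Index: tigervnc-1.6.0/vncviewer/DesktopWindow.cxx
+===================================================================
+--- tigervnc-1.6.0.orig/vncviewer/DesktopWindow.cxx
++++ tigervnc-1.6.0/vncviewer/DesktopWindow.cxx
+@@ -27,6 +27,7 @@
+
+#include <rfb/LogWriter.h>
+#include <rfb/CMsgWriter.h>
++#include <rfb/Security.h>
+
+#include "DesktopWindow.h"
+#include "OptionsDialog.h"
+@@ -206,7 +207,11 @@ void DesktopWindow::setName(const char *
+CharArray windowNameStr;
+windowNameStr.replaceBuf(new char[256]);
+
+- snprintf(windowNameStr.buf, 256, "%.240s - TigerVNC", name);
++ const char *warning = "";
++ if (!rfb::isSecTypeEncrypted(cc->csecurity->getType()))
++ warning = _("(Connection not encrypted!)");
++
++ snprintf(windowNameStr.buf, 256, "%.240s - TigerVNC %s", name, warning);
+
+copy_label(windowNameStr.buf);
+}
+Index: tigervnc-1.6.0/vncviewer/UserDialog.cxx
+===================================================================
+--- tigervnc-1.6.0.orig/vncviewer/UserDialog.cxx
++++ tigervnc-1.6.0/vncviewer/UserDialog.cxx
+@@ -32,10 +32,12 @@
+#include <FL/Fl_Secret_Input.H>
+#include <FL/Fl_Button.H>
+#include <FL/Fl_Return_Button.H>
++#include <FL/Fl_Text_Display.H>
+
+#include <rfb/util.h>
+#include <rfb/Password.h>
+#include <rfb/Exception.h>
++#include <rfb/Security.h>
+
+#include "i18n.h"
+#include "fltk_layout.h"
+@@ -59,7 +61,7 @@ UserDialog::~UserDialog()
+{
+}
+
+-void UserDialog::getUserPasswd(char** user, char** password)
++void UserDialog::getUserPasswd(char** user, char** password, rdr::U32 secType)
+{
+CharArray passwordFileStr(passwordFile.getData());
+
+@@ -82,8 +84,12 @@ void UserDialog::getUserPasswd(char** us
+return;
+}
+
++ const char* title = _("VNC authentication");
++ if (!rfb::isSecTypeEncrypted(secType))
++ title = _("VNC authentication (Connection not encrypted!)");
++
+if (!user) {
+- fl_message_title(_("VNC authentication"));
++ fl_message_title(title);
+*password = strDup(fl_password(_("Password:"), ""));
+if (!*password)
+throw rfb::Exception(_("Authentication cancelled"));
+@@ -93,7 +99,7 @@ void UserDialog::getUserPasswd(char** us
+
+// Largely copied from FLTK so that we get the same look and feel
+// as the simpler password input.
+- Fl_Window *win = new Fl_Window(410, 145, _("VNC authentication"));
++ Fl_Window *win = new Fl_Window(410, 145, title);
+win->callback(button_cb,(void *)0);
+
+Fl_Input *username = new Fl_Input(70, 25, 300, 25, _("Username:"));
+Index: tigervnc-1.6.0/vncviewer/UserDialog.h
+===================================================================
+--- tigervnc-1.6.0.orig/vncviewer/UserDialog.h
++++ tigervnc-1.6.0/vncviewer/UserDialog.h
+@@ -31,7 +31,7 @@ public:
+
+// UserPasswdGetter callbacks
+
+- void getUserPasswd(char** user, char** password);
++ void getUserPasswd(char** user, char** password, rdr::U32 secType);
+
+// UserMsgBox callbacks
+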
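Review bot: In `DesktopWindow::setName` the warning is appended after the desktop name, `"%.240s - TigerVNC %s"`, into a 256-byte buffer, so a name at the 240-character cap leaves only a few bytes and the "(Connection not encrypted!)" text is truncated away; a long name can also push it out of the visible part of the title bar well before that. The desktop name is presumably supplied by the server, which is the party the warning is about, so the indicator should not depend on the name's length. Putting the warning first and tightening the name precision avoids this, e.g. `snprintf(windowNameStr.buf, 256, "%s%s%.200s - TigerVNC", warning, *warning ? " " : "", name);`, which also drops the trailing space the current format leaves on encrypted connections. `isSecTypeEncrypted` returning `false` for unknown types is the right fail-safe default and deserves a one-line comment saying so, for example `// Unknown or new security types are treated as unencrypted on purpose`. The body of `setName` starts outside the hunk.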