Accepting request 1296230 from X11:Wayland

- Update to 0.9.5:
  * Sending an illegal security type would result in use-after-free.
  * The required size for the alpha map for cursors was incorrectly
    calculated. This resulted in a heap-overflow under some circumstances.
  * The buffer transform for the cursor was being applied to the
    cursor hotspot. The buffer transform does not apply to the hotspot,
    so undoing the transform is incorrect. This resulted in the cursor
    being offset from the correct hotspot.

OBS-URL: https://build.opensuse.org/request/show/1296230
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/neatvnc?expand=0&rev=18

_service

@@ -0,0 +1,15 @@
+<?xml version="1.0"?>
+<services>
+  <service name="obs_scm" mode="manual">
+    <param name="scm">git</param>
+    <param name="url">https://github.com/any1/neatvnc.git</param>
+    <param name="revision">af5811b75e63f53d1d1f1f3f337387553a96786a</param>
+    <param name="versionformat">0.9.5</param>
+  </service>
+  <service name="tar" mode="manual"/>
+  <service name="recompress" mode="manual">
+    <param name="file">*.tar</param>
+    <param name="compression">xz</param>
+  </service>
+  <service name="set_version" mode="manual" />
+</services>

fix-build-in-15.6.patch

@@ -0,0 +1,13 @@
+Index: neatvnc-0.9.2/meson.build
+===================================================================
+--- neatvnc-0.9.2.orig/meson.build
++++ neatvnc-0.9.2/meson.build
+@@ -54,7 +54,7 @@ libturbojpeg = dependency('libturbojpeg'
+ gnutls = dependency('gnutls', required: get_option('tls'))
+ nettle = dependency('nettle', required: get_option('nettle'))
+ hogweed = dependency('hogweed', required: get_option('nettle'))
+-gmp = dependency('gmp', required: get_option('nettle'))
++gmp = cc.find_library('gmp')
+ zlib = dependency('zlib')
+ gbm = dependency('gbm', required: get_option('gbm'))
+ libdrm = dependency('libdrm', required: get_option('h264'))

neatvnc-0.9.5.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:99cdddd640aa00f649f5dd1325f1ed8169c50aacdc057ea4b6cf4287eea52a3f
+size 785396

neatvnc.changes

@@ -1,3 +1,94 @@
+-------------------------------------------------------------------
+Tue Jul 29 05:19:43 UTC 2025 - Michael Vetter <mvetter@suse.com>
+
+- Update to 0.9.5:
+  * Sending an illegal security type would result in use-after-free.
+  * The required size for the alpha map for cursors was incorrectly
+    calculated. This resulted in a heap-overflow under some circumstances.
+  * The buffer transform for the cursor was being applied to the
+    cursor hotspot. The buffer transform does not apply to the hotspot,
+    so undoing the transform is incorrect. This resulted in the cursor
+    being offset from the correct hotspot.
+
+-------------------------------------------------------------------
+Mon Mar  3 08:09:46 UTC 2025 - Michael Vetter <mvetter@suse.com>
+
+- Update to 0.9.4:
+  * The last release leaked client resources and would keep capturing
+    after all clients closed their connection. This release fixes
+    that and a double-free on exit.
+
+-------------------------------------------------------------------
+Sun Feb 23 18:23:21 UTC 2025 - Michael Vetter <mvetter@suse.com>
+
+- Update to 0.9.3:
+  * Fix some instances of use-after-free that can be reached before
+    authentication takes place. Those should be viewed as potential
+    vulnerabilities, so it would be prudent to upgrade ASAP if you're
+    running Neat VNC on the internet.
+  * Fix a few issues with WebSockets. One of those bugs will allow
+    an unauthenticated client to put the server into an endless
+    loop when parsing HTTP headers. There were also problems with
+    ping message handling and the way some legacy clients/browsers
+    were being dealt with that he fixed.
+
+-------------------------------------------------------------------
+Mon Dec 30 11:06:23 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Update to 0.9.2:
+  * This patch release adds missing bounds checks.
+    Two buffer overflow vulnerabilities were reported by Frederik
+    Reiter who also provided patches to fix them.
+    There are potential security implications, but only authenticated
+    clients would be able to exploit these vulnerabilities, if at all.
+    Nevertheless, it is prudent to update as soon as possible.
+
+-------------------------------------------------------------------
+Mon Dec 30 11:05:56 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Update to 0.9.1:
+  * Fix a data type mismatch in the clipboard code that caused the
+    build to fail for 32 bit architectures.
+
+-------------------------------------------------------------------
+Mon Dec 30 11:05:23 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Update to 0.9.0:
+  Highlights:
+  * A v4l2m2m based H.264 encoder that works on Raspberry Pi 1 to 4,
+    sponsored by Raspberry Pi Ltd.
+  * Extended clipboard for UTF-8 text was implemented by Attila Fidan.
+  * Listening on a pre-bound file descriptor, implemented by Attila Fidan.
+  * The continuous updates extension was implemented by Philipp Zabel.
+  * We now have simple bandwidth estimation and improved frame pacing.
+  * Methods for rating pixel formats and modifiers have according to Neat VNC's
+    preferences have been added.
+  * The Qemu/VMWare LED state extensions have been implemented.
+  * H.264 encoders will now encode the correct colour space into the elementary
+    stream.
+  Bug fixes:
+  * Some memory leaks and reference counting errors have been eradicated.
+  * A race between resizing events and framebuffer updates that would cause a
+    buffer with the previous size to be sent after a resize event has been fixed.
+  * Buffers with 24 bits per pixel will now result in 32 bpp being reported to
+    the client because 24 bpp is not allowed by the protocol. Nvidia users should
+    now be able to use a wider selection of clients as a result of this change.
+- Update fix-build-in-15.6.patch
+  15e56b8e444532d299598b753f760cf0d4d9a4e2 added the LIBAVFILTER_VERSION_INT
+
+-------------------------------------------------------------------
+Wed Oct 23 07:57:14 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Update to 0.8.1+git20241008.b539421 adding a _service file to
+  get the sources from git. This fixes a FTBFS with ffmpeg-7 in
+  Factory. Note that we can't use @PARENT_TAG@ in the _service
+  file because 0.8.1 was branched from the v0.8 branch so using it
+  would look like going back to 0.8.0.
+- Add a patch to keep building with older ffmpeg versions too
+  as well as find the gmp dependency, which can't be found using
+  pkgconfig in 15.6:
+  * fix-build-in-15.6.patch
+
 -------------------------------------------------------------------
 Fri Aug  2 06:25:29 UTC 2024 - Michael Vetter <mvetter@suse.com>
 

neatvnc.obsinfo

@@ -0,0 +1,4 @@
+name: neatvnc
+version: 0.9.5
+mtime: 1740304370
+commit: af5811b75e63f53d1d1f1f3f337387553a96786a

neatvnc.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package neatvnc
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,13 +19,14 @@
 %define libsoname libneatvnc0
 
 Name:           neatvnc
-Version:        0.8.1
+Version:        0.9.5
 Release:        0
 Summary:        A VNC server library
 License:        ISC
 Group:          System/GUI/Other
 URL:            https://github.com/any1/neatvnc
-Source0:        %url/archive/v%{version}.tar.gz
+Source0:        %{name}-%{version}.tar.xz
+Patch0:         fix-build-in-15.6.patch
 
 BuildRequires:  meson
 BuildRequires:  pkgconfig

v0.8.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:51ef4d02f1621c947d58f2454e8fd4582a66439f09d409c103424c9d34839757
-size 661911