diff --git a/U_tigervnc_clear_up_zlibinstream_reset_behaviour.patch b/U_tigervnc_clear_up_zlibinstream_reset_behaviour.patch new file mode 100644 index 0000000..b3b0a14 --- /dev/null +++ b/U_tigervnc_clear_up_zlibinstream_reset_behaviour.patch @@ -0,0 +1,159 @@ +From 6f318e4451fcb45054408eaf568ca1c30c2d1ab6 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Wed, 11 Nov 2015 13:11:09 +0100 +Subject: [PATCH] Clear up ZlibInStream::reset() behaviour + +It previously only did a reset of the ZlibInStream object, not the +underlying zlib stream. It also had the side effect of flushing +the underlying stream and disassociating from it. + +Clear things up by changing the naming, and introducing a proper +reset function (which is needed by the Tight decoder). + +Index: tigervnc-1.5.0/common/rdr/ZlibInStream.cxx +=================================================================== +--- tigervnc-1.5.0.orig/common/rdr/ZlibInStream.cxx ++++ tigervnc-1.5.0/common/rdr/ZlibInStream.cxx +@@ -16,6 +16,8 @@ + * USA. + */ + ++#include ++ + #include + #include + #include +@@ -26,26 +28,16 @@ enum { DEFAULT_BUF_SIZE = 16384 }; + + ZlibInStream::ZlibInStream(int bufSize_) + : underlying(0), bufSize(bufSize_ ? bufSize_ : DEFAULT_BUF_SIZE), offset(0), +- bytesIn(0) ++ zs(NULL), bytesIn(0) + { +- zs = new z_stream; +- zs->zalloc = Z_NULL; +- zs->zfree = Z_NULL; +- zs->opaque = Z_NULL; +- zs->next_in = Z_NULL; +- zs->avail_in = 0; +- if (inflateInit(zs) != Z_OK) { +- delete zs; +- throw Exception("ZlibInStream: inflateInit failed"); +- } + ptr = end = start = new U8[bufSize]; ++ init(); + } + + ZlibInStream::~ZlibInStream() + { ++ deinit(); + delete [] start; +- inflateEnd(zs); +- delete zs; + } + + void ZlibInStream::setUnderlying(InStream* is, int bytesIn_) +@@ -60,7 +52,7 @@ int ZlibInStream::pos() + return offset + ptr - start; + } + +-void ZlibInStream::reset() ++void ZlibInStream::removeUnderlying() + { + ptr = end = start; + if (!underlying) return; +@@ -72,6 +64,38 @@ void ZlibInStream::reset() + underlying = 0; + } + ++void ZlibInStream::reset() ++{ ++ deinit(); ++ init(); ++} ++ ++void ZlibInStream::init() ++{ ++ assert(zs == NULL); ++ ++ zs = new z_stream; ++ zs->zalloc = Z_NULL; ++ zs->zfree = Z_NULL; ++ zs->opaque = Z_NULL; ++ zs->next_in = Z_NULL; ++ zs->avail_in = 0; ++ if (inflateInit(zs) != Z_OK) { ++ delete zs; ++ zs = NULL; ++ throw Exception("ZlibInStream: inflateInit failed"); ++ } ++} ++ ++void ZlibInStream::deinit() ++{ ++ assert(zs != NULL); ++ removeUnderlying(); ++ inflateEnd(zs); ++ delete zs; ++ zs = NULL; ++} ++ + int ZlibInStream::overrun(int itemSize, int nItems, bool wait) + { + if (itemSize > bufSize) +Index: tigervnc-1.5.0/common/rdr/ZlibInStream.h +=================================================================== +--- tigervnc-1.5.0.orig/common/rdr/ZlibInStream.h ++++ tigervnc-1.5.0/common/rdr/ZlibInStream.h +@@ -38,11 +38,15 @@ namespace rdr { + virtual ~ZlibInStream(); + + void setUnderlying(InStream* is, int bytesIn); +- void reset(); ++ void removeUnderlying(); + int pos(); ++ void reset(); + + private: + ++ void init(); ++ void deinit(); ++ + int overrun(int itemSize, int nItems, bool wait); + bool decompress(bool wait); + +Index: tigervnc-1.5.0/common/rfb/zrleDecode.h +=================================================================== +--- tigervnc-1.5.0.orig/common/rfb/zrleDecode.h ++++ tigervnc-1.5.0/common/rfb/zrleDecode.h +@@ -177,7 +177,7 @@ void ZRLE_DECODE (const Rect& r, rdr::In + } + } + +- zis->reset(); ++ zis->removeUnderlying(); + } + + #undef ZRLE_DECODE +Index: tigervnc-1.5.0/common/rfb/tightDecode.h +=================================================================== +--- tigervnc-1.5.0.orig/common/rfb/tightDecode.h ++++ tigervnc-1.5.0/common/rfb/tightDecode.h +@@ -59,7 +59,7 @@ void TIGHT_DECODE (const Rect& r) + + rdr::U8 comp_ctl = is->readU8(); + +- // Flush zlib streams if we are told by the server to do so. ++ // Reset zlib streams if we are told by the server to do so. + for (int i = 0; i < 4; i++) { + if (comp_ctl & 1) { + zis[i].reset(); +@@ -231,7 +231,7 @@ void TIGHT_DECODE (const Rect& r) + delete [] netbuf; + + if (streamId != -1) { +- zis[streamId].reset(); ++ zis[streamId].removeUnderlying(); + } + } + diff --git a/tigervnc.changes b/tigervnc.changes index 9c0b431..8c9780f 100644 --- a/tigervnc.changes +++ b/tigervnc.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Thu Jun 16 13:17:15 UTC 2016 - msrb@suse.com + +- Generate VNC key and certificate on first use, not during + installation. (bnc#982349) + +------------------------------------------------------------------- +Mon Jun 13 15:21:19 UTC 2016 - msrb@suse.com + +- Add U_tigervnc_clear_up_zlibinstream_reset_behaviour.patch + * Fix zlib stream reset in tight encoding. (bnc#963417) + ------------------------------------------------------------------- Tue May 24 12:46:07 UTC 2016 - msrb@suse.com diff --git a/tigervnc.spec b/tigervnc.spec index c302225..dce26e6 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -108,6 +108,7 @@ Source7: vnc_inetd_httpd Source8: vnc.reg Source9: vncpasswd.arg Source10: vnc.pam +Source11: with-vnc-key.sh Patch1: tigervnc-newfbsize.patch Patch2: tigervnc-clean-pressed-key-on-exit.patch Patch3: u_tigervnc-ignore-epipe-on-write.patch @@ -120,6 +121,7 @@ Patch9: u_tigervnc_update_default_vncxstartup.patch Patch10: U_add_allowoverride_parameter.patch Patch11: u_build_libXvnc_as_separate_library.patch Patch12: u_tigervnc-show-unencrypted-warning.patch +Patch13: U_tigervnc_clear_up_zlibinstream_reset_behaviour.patch %description TigerVNC is a high-performance, platform-neutral implementation of VNC (Virtual Network Computing), @@ -129,10 +131,10 @@ it attempts to maintain a common look and feel and re-use components, where poss TigerVNC also provides extensions for advanced authentication methods and TLS encryption. %package -n xorg-x11-Xvnc -# Needed to generate certificates -Requires(post): openssl Requires(post): /usr/sbin/useradd Requires(post): /usr/sbin/groupadd +# Needed to generate certificates +Requires: openssl # Needed to serve java applet Requires: icewm Requires: python @@ -143,6 +145,7 @@ Requires: xinit Requires: xkbcomp Requires: xkeyboard-config Requires: xorg-x11-fonts-core +Provides: xorg-x11-Xvnc:/usr/lib/vnc/with-vnc-key.sh Summary: TigerVNC implementation of Xvnc Group: System/X11/Servers/XF86_4 @@ -180,6 +183,7 @@ cp -r /usr/src/xserver/* unix/xserver/ %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 pushd unix/xserver patch -p1 < ../xserver117.patch @@ -255,6 +259,9 @@ ln -s -f %{_sysconfdir}/alternatives/vncviewer.1.gz $RPM_BUILD_ROOT%{_mandir}/ma mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/vnc +mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/vnc +install -D -m 755 %{SOURCE11} $RPM_BUILD_ROOT%{_libexecdir}/vnc + rm -rf $RPM_BUILD_ROOT/usr/share/doc/tigervnc-* %find_lang '%{name}' @@ -264,18 +271,6 @@ getent group %{vncgroup} > /dev/null || groupadd -r %{vncgroup} || : getent passwd %{vncuser} > /dev/null || useradd -r -g %{vncgroup} -d /var/lib/empty -s /sbin/nologin -c "user for VNC" %{vncuser} || : usermod -G shadow -a %{vncuser} || : -%post -n xorg-x11-Xvnc -if ! test -e %{tlskey} ; then - (umask 077 && openssl genrsa -out %{tlskey} 2048) - chown %{vncuser}:%{vncgroup} %{tlskey} -fi -if ! test -e %{tlscert} ; then - cn="Automatically generated certificate for the VNC service" - openssl req -new -x509 -extensions usr_cert \ - -key %{tlskey} -out %{tlscert} -days 7305 -subj "/CN=$cn/" - chown %{vncuser}:%{vncgroup} %{tlscert} -fi - %post %if 0%{?suse_version} >= 1315 %_sbindir/update-alternatives \ @@ -358,10 +353,12 @@ fi %doc java/com/tigervnc/vncviewer/README %{_datadir}/vnc -%dir %{_sysconfdir}/vnc +%dir %attr(0755,%{vncuser},%{vncuser}) %{_sysconfdir}/vnc %ghost %attr(0600,%{vncuser},%{vncuser}) %config(noreplace) %{tlskey} %ghost %attr(0644,%{vncuser},%{vncuser}) %config(noreplace) %{tlscert} +%{_libexecdir}/vnc + %files -n libXvnc1 %defattr(-,root,root) %{_libdir}/libXvnc.so.1* diff --git a/vnc.xinetd b/vnc.xinetd index d683da5..a42b1fd 100644 --- a/vnc.xinetd +++ b/vnc.xinetd @@ -9,8 +9,8 @@ service vnc1 protocol = tcp wait = no user = vnc - server = /usr/bin/Xvnc - server_args = -noreset -inetd -once -query localhost -geometry 1024x768 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30 + server = /usr/lib/vnc/with-vnc-key.sh + server_args = /usr/bin/Xvnc -noreset -inetd -once -query localhost -geometry 1024x768 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30 disable = yes } # default: off @@ -24,8 +24,8 @@ service vnc2 protocol = tcp wait = no user = vnc - server = /usr/bin/Xvnc - server_args = -noreset -inetd -once -query localhost -geometry 1280x1024 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30 + server = /usr/lib/vnc/with-vnc-key.sh + server_args = /usr/bin/Xvnc -noreset -inetd -once -query localhost -geometry 1280x1024 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30 disable = yes } # default: off @@ -39,8 +39,8 @@ service vnc3 protocol = tcp wait = no user = vnc - server = /usr/bin/Xvnc - server_args = -noreset -inetd -once -query localhost -geometry 1600x1200 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30 + server = /usr/lib/vnc/with-vnc-key.sh + server_args = /usr/bin/Xvnc -noreset -inetd -once -query localhost -geometry 1600x1200 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30 disable = yes } # default: off @@ -54,8 +54,8 @@ service vnchttpd1 protocol = tcp wait = no user = vnc - server = /usr/bin/vnc_inetd_httpd - server_args = 1024 768 5901 + server = /usr/lib/vnc/with-vnc-key.sh + server_args = /usr/bin/vnc_inetd_httpd 1024 768 5901 disable = yes } # default: off @@ -69,8 +69,8 @@ service vnchttpd2 protocol = tcp wait = no user = vnc - server = /usr/bin/vnc_inetd_httpd - server_args = 1280 1024 5902 + server = /usr/lib/vnc/with-vnc-key.sh + server_args = /usr/bin/vnc_inetd_httpd 1280 1024 5902 disable = yes } # default: off @@ -84,7 +84,7 @@ service vnchttpd3 protocol = tcp wait = no user = vnc - server = /usr/bin/vnc_inetd_httpd - server_args = 1600 1200 5903 + server = /usr/lib/vnc/with-vnc-key.sh + server_args = /usr/bin/vnc_inetd_httpd 1600 1200 5903 disable = yes } diff --git a/with-vnc-key.sh b/with-vnc-key.sh new file mode 100644 index 0000000..14a43f6 --- /dev/null +++ b/with-vnc-key.sh @@ -0,0 +1,35 @@ +#!/bin/bash + +# Wrapper that makes sure /etc/vnc/tls.{key,cert} exist before executing given command. + + +TLSKEY=/etc/vnc/tls.key +TLSCERT=/etc/vnc/tls.cert + + +if test -s $TLSKEY -a -s $TLSCERT; then + # Execute the command we were given. + exec "$@" +fi + +( + # Wait for lock on the key file. We must not proceed while someone else is creating it. + flock 200 + + # If the key file doesn't exist or has zero size (because it doubles as lock), generate it. + if ! test -s $TLSKEY ; then + (umask 077 && openssl genrsa -out $TLSKEY 2048) >&200 + chown vnc:vnc $TLSKEY + fi + + # If the cert file doesn't exist, generate it. + if ! test -e $TLSCERT ; then + CN="Automatically generated certificate for the VNC service" + openssl req -new -x509 -extensions usr_cert -key $TLSKEY -out $TLSCERT -days 7305 -subj "/CN=$CN/" + chown vnc:vnc $TLSCERT + fi + +) 200>>$TLSKEY 2>/dev/null + +# Execute the command we were given. +exec "$@"