Accepting request 402733 from X11:XOrg

- Generate VNC key and certificate on first use, not during
  installation. (bnc#982349)

- Add U_tigervnc_clear_up_zlibinstream_reset_behaviour.patch
  * Fix zlib stream reset in tight encoding. (bnc#963417)

OBS-URL: https://build.opensuse.org/request/show/402733
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tigervnc?expand=0&rev=33

U_tigervnc_clear_up_zlibinstream_reset_behaviour.patch

@@ -0,0 +1,159 @@
+From 6f318e4451fcb45054408eaf568ca1c30c2d1ab6 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman <ossman@cendio.se>
+Date: Wed, 11 Nov 2015 13:11:09 +0100
+Subject: [PATCH] Clear up ZlibInStream::reset() behaviour
+
+It previously only did a reset of the ZlibInStream object, not the
+underlying zlib stream. It also had the side effect of flushing
+the underlying stream and disassociating from it.
+
+Clear things up by changing the naming, and introducing a proper
+reset function (which is needed by the Tight decoder).
+
+Index: tigervnc-1.5.0/common/rdr/ZlibInStream.cxx
+===================================================================
+--- tigervnc-1.5.0.orig/common/rdr/ZlibInStream.cxx
++++ tigervnc-1.5.0/common/rdr/ZlibInStream.cxx
+@@ -16,6 +16,8 @@
+  * USA.
+  */
+ 
++#include <assert.h>
++
+ #include <rdr/ZlibInStream.h>
+ #include <rdr/Exception.h>
+ #include <zlib.h>
+@@ -26,26 +28,16 @@ enum { DEFAULT_BUF_SIZE = 16384 };
+ 
+ ZlibInStream::ZlibInStream(int bufSize_)
+   : underlying(0), bufSize(bufSize_ ? bufSize_ : DEFAULT_BUF_SIZE), offset(0),
+-    bytesIn(0)
++    zs(NULL), bytesIn(0)
+ {
+-  zs = new z_stream;
+-  zs->zalloc    = Z_NULL;
+-  zs->zfree     = Z_NULL;
+-  zs->opaque    = Z_NULL;
+-  zs->next_in   = Z_NULL;
+-  zs->avail_in  = 0;
+-  if (inflateInit(zs) != Z_OK) {
+-    delete zs;
+-    throw Exception("ZlibInStream: inflateInit failed");
+-  }
+   ptr = end = start = new U8[bufSize];
++  init();
+ }
+ 
+ ZlibInStream::~ZlibInStream()
+ {
++  deinit();
+   delete [] start;
+-  inflateEnd(zs);
+-  delete zs;
+ }
+ 
+ void ZlibInStream::setUnderlying(InStream* is, int bytesIn_)
+@@ -60,7 +52,7 @@ int ZlibInStream::pos()
+   return offset + ptr - start;
+ }
+ 
+-void ZlibInStream::reset()
++void ZlibInStream::removeUnderlying()
+ {
+   ptr = end = start;
+   if (!underlying) return;
+@@ -72,6 +64,38 @@ void ZlibInStream::reset()
+   underlying = 0;
+ }
+ 
++void ZlibInStream::reset()
++{
++  deinit();
++  init();
++}
++
++void ZlibInStream::init()
++{
++  assert(zs == NULL);
++
++  zs = new z_stream;
++  zs->zalloc    = Z_NULL;
++  zs->zfree     = Z_NULL;
++  zs->opaque    = Z_NULL;
++  zs->next_in   = Z_NULL;
++  zs->avail_in  = 0;
++  if (inflateInit(zs) != Z_OK) {
++    delete zs;
++    zs = NULL;
++    throw Exception("ZlibInStream: inflateInit failed");
++  }
++}
++
++void ZlibInStream::deinit()
++{
++  assert(zs != NULL);
++  removeUnderlying();
++  inflateEnd(zs);
++  delete zs;
++  zs = NULL;
++}
++
+ int ZlibInStream::overrun(int itemSize, int nItems, bool wait)
+ {
+   if (itemSize > bufSize)
+Index: tigervnc-1.5.0/common/rdr/ZlibInStream.h
+===================================================================
+--- tigervnc-1.5.0.orig/common/rdr/ZlibInStream.h
++++ tigervnc-1.5.0/common/rdr/ZlibInStream.h
+@@ -38,11 +38,15 @@ namespace rdr {
+     virtual ~ZlibInStream();
+ 
+     void setUnderlying(InStream* is, int bytesIn);
+-    void reset();
++    void removeUnderlying();
+     int pos();
++    void reset();
+ 
+   private:
+ 
++    void init();
++    void deinit();
++
+     int overrun(int itemSize, int nItems, bool wait);
+     bool decompress(bool wait);
+ 
+Index: tigervnc-1.5.0/common/rfb/zrleDecode.h
+===================================================================
+--- tigervnc-1.5.0.orig/common/rfb/zrleDecode.h
++++ tigervnc-1.5.0/common/rfb/zrleDecode.h
+@@ -177,7 +177,7 @@ void ZRLE_DECODE (const Rect& r, rdr::In
+     }
+   }
+ 
+-  zis->reset();
++  zis->removeUnderlying();
+ }
+ 
+ #undef ZRLE_DECODE
+Index: tigervnc-1.5.0/common/rfb/tightDecode.h
+===================================================================
+--- tigervnc-1.5.0.orig/common/rfb/tightDecode.h
++++ tigervnc-1.5.0/common/rfb/tightDecode.h
+@@ -59,7 +59,7 @@ void TIGHT_DECODE (const Rect& r)
+ 
+   rdr::U8 comp_ctl = is->readU8();
+ 
+-  // Flush zlib streams if we are told by the server to do so.
++  // Reset zlib streams if we are told by the server to do so.
+   for (int i = 0; i < 4; i++) {
+     if (comp_ctl & 1) {
+       zis[i].reset();
+@@ -231,7 +231,7 @@ void TIGHT_DECODE (const Rect& r)
+   delete [] netbuf;
+ 
+   if (streamId != -1) {
+-    zis[streamId].reset();
++    zis[streamId].removeUnderlying();
+   }
+ }
+ 

tigervnc.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Jun 16 13:17:15 UTC 2016 - msrb@suse.com
+
+- Generate VNC key and certificate on first use, not during
+  installation. (bnc#982349)
+
+-------------------------------------------------------------------
+Mon Jun 13 15:21:19 UTC 2016 - msrb@suse.com
+
+- Add U_tigervnc_clear_up_zlibinstream_reset_behaviour.patch
+  * Fix zlib stream reset in tight encoding. (bnc#963417)
+
 -------------------------------------------------------------------
 Tue May 24 12:46:07 UTC 2016 - msrb@suse.com
 

tigervnc.spec

@@ -108,6 +108,7 @@ Source7:        vnc_inetd_httpd
 Source8:        vnc.reg
 Source9:        vncpasswd.arg
 Source10:       vnc.pam
+Source11:       with-vnc-key.sh
 Patch1:         tigervnc-newfbsize.patch
 Patch2:         tigervnc-clean-pressed-key-on-exit.patch
 Patch3:         u_tigervnc-ignore-epipe-on-write.patch
@@ -120,6 +121,7 @@ Patch9:         u_tigervnc_update_default_vncxstartup.patch
 Patch10:        U_add_allowoverride_parameter.patch
 Patch11:        u_build_libXvnc_as_separate_library.patch
 Patch12:        u_tigervnc-show-unencrypted-warning.patch
+Patch13:        U_tigervnc_clear_up_zlibinstream_reset_behaviour.patch
 
 %description
 TigerVNC is a high-performance, platform-neutral implementation of VNC (Virtual Network Computing), 
@@ -129,10 +131,10 @@ it attempts to maintain a common look and feel and re-use components, where poss
 TigerVNC also provides extensions for advanced authentication methods and TLS encryption.
 
 %package -n xorg-x11-Xvnc
-# Needed to generate certificates
-Requires(post): openssl
 Requires(post): /usr/sbin/useradd
 Requires(post): /usr/sbin/groupadd
+# Needed to generate certificates
+Requires:       openssl
 # Needed to serve java applet
 Requires:       icewm
 Requires:       python
@@ -143,6 +145,7 @@ Requires:       xinit
 Requires:       xkbcomp
 Requires:       xkeyboard-config
 Requires:       xorg-x11-fonts-core
+Provides:       xorg-x11-Xvnc:/usr/lib/vnc/with-vnc-key.sh
 Summary:        TigerVNC implementation of Xvnc
 Group:          System/X11/Servers/XF86_4
 
@@ -180,6 +183,7 @@ cp -r /usr/src/xserver/* unix/xserver/
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
 
 pushd unix/xserver
 patch -p1 < ../xserver117.patch
@@ -255,6 +259,9 @@ ln -s -f %{_sysconfdir}/alternatives/vncviewer.1.gz $RPM_BUILD_ROOT%{_mandir}/ma
 
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/vnc
 
+mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/vnc
+install -D -m 755 %{SOURCE11} $RPM_BUILD_ROOT%{_libexecdir}/vnc
+
 rm -rf $RPM_BUILD_ROOT/usr/share/doc/tigervnc-*
 
 %find_lang '%{name}'
@@ -264,18 +271,6 @@ getent group %{vncgroup} > /dev/null || groupadd -r %{vncgroup} || :
 getent passwd %{vncuser} > /dev/null || useradd -r -g %{vncgroup} -d /var/lib/empty -s /sbin/nologin -c "user for VNC" %{vncuser} || :
 usermod -G shadow -a %{vncuser} || :
 
-%post -n xorg-x11-Xvnc
-if ! test -e %{tlskey} ; then
-  (umask 077 && openssl genrsa -out %{tlskey} 2048)
-  chown %{vncuser}:%{vncgroup} %{tlskey}
-fi
-if ! test -e %{tlscert} ; then
-  cn="Automatically generated certificate for the VNC service"
-  openssl req -new -x509 -extensions usr_cert \
-    -key %{tlskey} -out %{tlscert} -days 7305 -subj "/CN=$cn/"
-  chown %{vncuser}:%{vncgroup} %{tlscert}
-fi
-
 %post
 %if 0%{?suse_version} >= 1315
 %_sbindir/update-alternatives \
@@ -358,10 +353,12 @@ fi
 %doc java/com/tigervnc/vncviewer/README
 %{_datadir}/vnc
 
-%dir %{_sysconfdir}/vnc
+%dir %attr(0755,%{vncuser},%{vncuser}) %{_sysconfdir}/vnc
 %ghost %attr(0600,%{vncuser},%{vncuser}) %config(noreplace) %{tlskey}
 %ghost %attr(0644,%{vncuser},%{vncuser}) %config(noreplace) %{tlscert}
 
+%{_libexecdir}/vnc
+
 %files -n libXvnc1
 %defattr(-,root,root)
 %{_libdir}/libXvnc.so.1*

vnc.xinetd

@@ -9,8 +9,8 @@ service vnc1
 	protocol	= tcp
 	wait		= no
 	user		= vnc
-	server		= /usr/bin/Xvnc
+	server		= /usr/lib/vnc/with-vnc-key.sh
-	server_args	= -noreset -inetd -once -query localhost -geometry 1024x768 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
+	server_args	= /usr/bin/Xvnc -noreset -inetd -once -query localhost -geometry 1024x768 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
 	disable		= yes
 }
 # default: off
@@ -24,8 +24,8 @@ service vnc2
 	protocol	= tcp
 	wait		= no
 	user		= vnc
-	server		= /usr/bin/Xvnc
+	server		= /usr/lib/vnc/with-vnc-key.sh
-	server_args	= -noreset -inetd -once -query localhost -geometry 1280x1024 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
+	server_args	= /usr/bin/Xvnc -noreset -inetd -once -query localhost -geometry 1280x1024 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
 	disable		= yes
 }
 # default: off
@@ -39,8 +39,8 @@ service vnc3
 	protocol	= tcp
 	wait		= no
 	user		= vnc
-	server		= /usr/bin/Xvnc
+	server		= /usr/lib/vnc/with-vnc-key.sh
-	server_args	= -noreset -inetd -once -query localhost -geometry 1600x1200 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
+	server_args	= /usr/bin/Xvnc -noreset -inetd -once -query localhost -geometry 1600x1200 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
 	disable		= yes
 }
 # default: off
@@ -54,8 +54,8 @@ service vnchttpd1
 	protocol	= tcp
 	wait		= no
 	user		= vnc
-	server		= /usr/bin/vnc_inetd_httpd
+	server		= /usr/lib/vnc/with-vnc-key.sh
-	server_args	= 1024 768 5901
+	server_args	= /usr/bin/vnc_inetd_httpd 1024 768 5901
 	disable		= yes
 }
 # default: off
@@ -69,8 +69,8 @@ service vnchttpd2
 	protocol	= tcp
 	wait		= no
 	user		= vnc
-	server		= /usr/bin/vnc_inetd_httpd
+	server		= /usr/lib/vnc/with-vnc-key.sh
-	server_args	= 1280 1024 5902
+	server_args	= /usr/bin/vnc_inetd_httpd 1280 1024 5902
 	disable		= yes
 }
 # default: off
@@ -84,7 +84,7 @@ service vnchttpd3
 	protocol	= tcp
 	wait		= no
 	user		= vnc
-	server		= /usr/bin/vnc_inetd_httpd
+	server		= /usr/lib/vnc/with-vnc-key.sh
-	server_args	= 1600 1200 5903
+	server_args	= /usr/bin/vnc_inetd_httpd 1600 1200 5903
 	disable		= yes
 }

with-vnc-key.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Wrapper that makes sure /etc/vnc/tls.{key,cert} exist before executing given command.
+
+
+TLSKEY=/etc/vnc/tls.key
+TLSCERT=/etc/vnc/tls.cert
+
+
+if test -s $TLSKEY -a -s $TLSCERT; then
+    # Execute the command we were given.
+    exec "$@"
+fi
+
+(
+    # Wait for lock on the key file. We must not proceed while someone else is creating it.
+    flock 200
+
+    # If the key file doesn't exist or has zero size (because it doubles as lock), generate it.
+    if ! test -s $TLSKEY ; then
+        (umask 077 && openssl genrsa -out $TLSKEY 2048) >&200
+        chown vnc:vnc $TLSKEY
+    fi
+
+    # If the cert file doesn't exist, generate it.
+    if ! test -e $TLSCERT ; then
+        CN="Automatically generated certificate for the VNC service"
+        openssl req -new -x509 -extensions usr_cert -key $TLSKEY -out $TLSCERT -days 7305 -subj "/CN=$CN/"
+        chown vnc:vnc $TLSCERT
+    fi
+
+) 200>>$TLSKEY 2>/dev/null
+
+# Execute the command we were given.
+exec "$@"