forked from pool/tigervnc
Accepting request 955605 from home:jtorres:branches:X11:XOrg
- Update to tigervnc 1.12.0 * The native viewer now supports full screen over a subset of monitors (e.g. 2 out of 3), and reacts properly to monitors being added or removed * Recent server history in the native viewer * The native viewer now has an option to reconnect if the connection is dropped * Translations are now enabled on Windows and macOS for the native viewer * The native viewer now respects the system security policy * Better handling of accented keys in the Java viewer * The Unix servers can now listen to both a Unix socket and a TCP port at the same time * The network code in both the servers and the native viewer has been restructured to give a more responsive experience * The vncserver service now correctly handles settings set to "0" * Fixed the clipboard Unicode handling in both the native viewer and the servers * Support for pointer "warping" in Xvnc and the native viewer, enabling e.g. FPS games - Update to tigervnc 1.11.0 * A security issue has been fixed in how the viewers handle TLS certificate exceptions * vncserver has gotten a major redesign to be compatible with modern distributions * The native viewer now has touch gestures to handle certain mouse actions (e.g. 
scroll wheel) * Middle mouse button emulation in the native viewer, for devices with only two mouse buttons * The Java viewer now supports Java 9+, but also now requires Java 8+ * Support for alpha cursors in the Java viewer (a feature already supported in the native viewer) * The password and username can now be specified via the environment for the native viewer * Support for building Xvnc/libvnc.so with Xorg 1.20.7+ and deprecate support for Xorg older than 1.16 * The official builds have been fixed to work on the upcoming macOS 11 * The Windows server (WinVNC) is now packaged separately as it is unmaintained and buggy - Removed patches (included in 1.12.0): * U_viewer-reset-ctrl-alt-to-menu-state-on-focus.patch * tigervnc-fix-saving-of-bad-server-certs.patch * u_xorg-server-1.20.7-ddxInputThreadInit.patch * U_0001-Properly-store-certificate-exceptions.patch * U_0002-Properly-store-certificate-exceptions-in-Java-viewer.patch * tigervnc-FIPS-use-RFC7919.patch OBS-URL: https://build.opensuse.org/request/show/955605 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=221
parent
8e4c288f91
commit
325ad8378e
@ -1,228 +0,0 @@
|
||||
From b30f10c681ec87720cff85d490f67098568a9cba Mon Sep 17 00:00:00 2001
|
||||
From: Pierre Ossman <ossman@cendio.se>
|
||||
Date: Thu, 21 May 2020 21:10:38 +0200
|
||||
Subject: [PATCH] Properly store certificate exceptions
|
||||
|
||||
The previous method stored the certificates as authorities, meaning that
|
||||
the owner of that certificate could impersonate any server it wanted
|
||||
after a client had added an exception.
|
||||
|
||||
Handle this more properly by only storing exceptions for specific
|
||||
hostname/certificate combinations, the same way browsers or SSH does
|
||||
things.
|
||||
---
|
||||
common/rfb/CSecurityTLS.cxx | 163 ++++++++++++++++++++------------------------
|
||||
1 file changed, 73 insertions(+), 90 deletions(-)
|
||||
|
||||
diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
|
||||
index 5c303a37..99008378 100644
|
||||
--- a/common/rfb/CSecurityTLS.cxx
|
||||
+++ b/common/rfb/CSecurityTLS.cxx
|
||||
@@ -250,22 +250,6 @@ void CSecurityTLS::setParam()
|
||||
if (*cafile && gnutls_certificate_set_x509_trust_file(cert_cred,cafile,GNUTLS_X509_FMT_PEM) < 0)
|
||||
throw AuthFailureException("load of CA cert failed");
|
||||
|
||||
- /* Load previously saved certs */
|
||||
- char *homeDir = NULL;
|
||||
- int err;
|
||||
- if (getvnchomedir(&homeDir) == -1)
|
||||
- vlog.error("Could not obtain VNC home directory path");
|
||||
- else {
|
||||
- CharArray caSave(strlen(homeDir) + 19 + 1);
|
||||
- sprintf(caSave.buf, "%sx509_savedcerts.pem", homeDir);
|
||||
- delete [] homeDir;
|
||||
-
|
||||
- err = gnutls_certificate_set_x509_trust_file(cert_cred, caSave.buf,
|
||||
- GNUTLS_X509_FMT_PEM);
|
||||
- if (err < 0)
|
||||
- vlog.debug("Failed to load saved server certificates from %s", caSave.buf);
|
||||
- }
|
||||
-
|
||||
if (*crlfile && gnutls_certificate_set_x509_crl_file(cert_cred,crlfile,GNUTLS_X509_FMT_PEM) < 0)
|
||||
throw AuthFailureException("load of CRL failed");
|
||||
|
||||
@@ -290,7 +274,10 @@ void CSecurityTLS::checkSession()
|
||||
const gnutls_datum_t *cert_list;
|
||||
unsigned int cert_list_size = 0;
|
||||
int err;
|
||||
+
|
||||
+ char *homeDir;
|
||||
gnutls_datum_t info;
|
||||
+ size_t len;
|
||||
|
||||
if (anon)
|
||||
return;
|
||||
@@ -333,13 +320,13 @@ void CSecurityTLS::checkSession()
|
||||
throw AuthFailureException("decoding of certificate failed");
|
||||
|
||||
if (gnutls_x509_crt_check_hostname(crt, client->getServerName()) == 0) {
|
||||
- char buf[255];
|
||||
+ CharArray text;
|
||||
vlog.debug("hostname mismatch");
|
||||
- snprintf(buf, sizeof(buf), "Hostname (%s) does not match any certificate, "
|
||||
- "do you want to continue?", client->getServerName());
|
||||
- buf[sizeof(buf) - 1] = '\0';
|
||||
- if (!msg->showMsgBox(UserMsgBox::M_YESNO, "hostname mismatch", buf))
|
||||
- throw AuthFailureException("hostname mismatch");
|
||||
+ text.format("Hostname (%s) does not match the server certificate, "
|
||||
+ "do you want to continue?", client->getServerName());
|
||||
+ if (!msg->showMsgBox(UserMsgBox::M_YESNO,
|
||||
+ "Certificate hostname mismatch", text.buf))
|
||||
+ throw AuthFailureException("Certificate hostname mismatch");
|
||||
}
|
||||
|
||||
if (status == 0) {
|
||||
@@ -364,86 +351,82 @@ void CSecurityTLS::checkSession()
|
||||
throw AuthFailureException("Invalid status of server certificate verification");
|
||||
}
|
||||
|
||||
- vlog.debug("Saved server certificates don't match");
|
||||
+ /* Certificate is fine, except we don't know the issuer, so TOFU time */
|
||||
|
||||
- if (gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &info)) {
|
||||
- /*
|
||||
- * GNUTLS doesn't correctly export gnutls_free symbol which is
|
||||
- * a function pointer. Linking with Visual Studio 2008 Express will
|
||||
- * fail when you call gnutls_free().
|
||||
- */
|
||||
-#if WIN32
|
||||
- free(info.data);
|
||||
-#else
|
||||
- gnutls_free(info.data);
|
||||
-#endif
|
||||
- throw AuthFailureException("Could not find certificate to display");
|
||||
+ homeDir = NULL;
|
||||
+ if (getvnchomedir(&homeDir) == -1) {
|
||||
+ throw AuthFailureException("Could not obtain VNC home directory "
|
||||
+ "path for known hosts storage");
|
||||
}
|
||||
|
||||
- size_t out_size = 0;
|
||||
- char *out_buf = NULL;
|
||||
- char *certinfo = NULL;
|
||||
- int len = 0;
|
||||
-
|
||||
- vlog.debug("certificate issuer unknown");
|
||||
-
|
||||
- len = snprintf(NULL, 0, "This certificate has been signed by an unknown "
|
||||
- "authority:\n\n%s\n\nDo you want to save it and "
|
||||
- "continue?\n ", info.data);
|
||||
- if (len < 0)
|
||||
- throw AuthFailureException("certificate decoding error");
|
||||
-
|
||||
- vlog.debug("%s", info.data);
|
||||
-
|
||||
- certinfo = new char[len];
|
||||
-
|
||||
- snprintf(certinfo, len, "This certificate has been signed by an unknown "
|
||||
- "authority:\n\n%s\n\nDo you want to save it and "
|
||||
- "continue? ", info.data);
|
||||
+ CharArray dbPath(strlen(homeDir) + 16 + 1);
|
||||
+ sprintf(dbPath.buf, "%sx509_known_hosts", homeDir);
|
||||
+ delete [] homeDir;
|
||||
|
||||
- for (int i = 0; i < len - 1; i++)
|
||||
- if (certinfo[i] == ',' && certinfo[i + 1] == ' ')
|
||||
- certinfo[i] = '\n';
|
||||
+ err = gnutls_verify_stored_pubkey(dbPath.buf, NULL,
|
||||
+ client->getServerName(), NULL,
|
||||
+ GNUTLS_CRT_X509, &cert_list[0], 0);
|
||||
|
||||
- if (!msg->showMsgBox(UserMsgBox::M_YESNO, "certificate issuer unknown",
|
||||
- certinfo)) {
|
||||
- delete [] certinfo;
|
||||
- throw AuthFailureException("certificate issuer unknown");
|
||||
+ /* Previously known? */
|
||||
+ if (err == GNUTLS_E_SUCCESS) {
|
||||
+ vlog.debug("Server certificate found in known hosts file");
|
||||
+ gnutls_x509_crt_deinit(crt);
|
||||
+ return;
|
||||
}
|
||||
|
||||
- delete [] certinfo;
|
||||
-
|
||||
- if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, NULL, &out_size)
|
||||
- != GNUTLS_E_SHORT_MEMORY_BUFFER)
|
||||
- throw AuthFailureException("certificate issuer unknown, and certificate "
|
||||
- "export failed");
|
||||
+ if ((err != GNUTLS_E_NO_CERTIFICATE_FOUND) &&
|
||||
+ (err != GNUTLS_E_CERTIFICATE_KEY_MISMATCH)) {
|
||||
+ throw AuthFailureException("Could not load known hosts database");
|
||||
+ }
|
||||
|
||||
- // Save cert
|
||||
- out_buf = new char[out_size];
|
||||
+ if (gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &info))
|
||||
+ throw AuthFailureException("Could not find certificate to display");
|
||||
|
||||
- if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, out_buf, &out_size) < 0)
|
||||
- throw AuthFailureException("certificate issuer unknown, and certificate "
|
||||
- "export failed");
|
||||
+ len = strlen((char*)info.data);
|
||||
+ for (size_t i = 0; i < len - 1; i++) {
|
||||
+ if (info.data[i] == ',' && info.data[i + 1] == ' ')
|
||||
+ info.data[i] = '\n';
|
||||
+ }
|
||||
|
||||
- char *homeDir = NULL;
|
||||
- if (getvnchomedir(&homeDir) == -1)
|
||||
- vlog.error("Could not obtain VNC home directory path");
|
||||
- else {
|
||||
- FILE *f;
|
||||
- CharArray caSave(strlen(homeDir) + 1 + 19);
|
||||
- sprintf(caSave.buf, "%sx509_savedcerts.pem", homeDir);
|
||||
- delete [] homeDir;
|
||||
- f = fopen(caSave.buf, "a+");
|
||||
- if (!f)
|
||||
- msg->showMsgBox(UserMsgBox::M_OK, "certificate save failed",
|
||||
- "Could not save the certificate");
|
||||
- else {
|
||||
- fprintf(f, "%s\n", out_buf);
|
||||
- fclose(f);
|
||||
- }
|
||||
+ /* New host */
|
||||
+ if (err == GNUTLS_E_NO_CERTIFICATE_FOUND) {
|
||||
+ CharArray text;
|
||||
+
|
||||
+ vlog.debug("Server host not previously known");
|
||||
+ vlog.debug("%s", info.data);
|
||||
+
|
||||
+ text.format("This certificate has been signed by an unknown "
|
||||
+ "authority:\n\n%s\n\nSomeone could be trying to "
|
||||
+ "impersonate the site and you should not "
|
||||
+ "continue.\n\nDo you want to make an exception "
|
||||
+ "for this server?", info.data);
|
||||
+
|
||||
+ if (!msg->showMsgBox(UserMsgBox::M_YESNO,
|
||||
+ "Unknown certificate issuer",
|
||||
+ text.buf))
|
||||
+ throw AuthFailureException("Unknown certificate issuer");
|
||||
+ } else if (err == GNUTLS_E_CERTIFICATE_KEY_MISMATCH) {
|
||||
+ CharArray text;
|
||||
+
|
||||
+ vlog.debug("Server host key mismatch");
|
||||
+ vlog.debug("%s", info.data);
|
||||
+
|
||||
+ text.format("This host is previously known with a different "
|
||||
+ "certificate, and the new certificate has been "
|
||||
+ "signed by an unknown authority:\n\n%s\n\nSomeone "
|
||||
+ "could be trying to impersonate the site and you "
|
||||
+ "should not continue.\n\nDo you want to make an "
|
||||
+ "exception for this server?", info.data);
|
||||
+
|
||||
+ if (!msg->showMsgBox(UserMsgBox::M_YESNO,
|
||||
+ "Unexpected server certificate",
|
||||
+ text.buf))
|
||||
+ throw AuthFailureException("Unexpected server certificate");
|
||||
}
|
||||
|
||||
- delete [] out_buf;
|
||||
+ if (gnutls_store_pubkey(dbPath.buf, NULL, client->getServerName(),
|
||||
+ NULL, GNUTLS_CRT_X509, &cert_list[0], 0, 0))
|
||||
+ vlog.error("Failed to store server certificate to known hosts database");
|
||||
|
||||
gnutls_x509_crt_deinit(crt);
|
||||
/*
|
||||
--
|
||||
2.16.4
|
||||
|
@ -1,234 +0,0 @@
|
||||
From f029745f63ac7d22fb91639b2cb5b3ab56134d6e Mon Sep 17 00:00:00 2001
|
||||
From: "Brian P. Hinz" <bphinz@users.sf.net>
|
||||
Date: Tue, 8 Sep 2020 10:13:32 +0200
|
||||
Subject: [PATCH] Properly store certificate exceptions in Java viewer
|
||||
|
||||
Like the native viewer, the Java viewer didn't store certificate
|
||||
exceptions properly. Whilst not as bad as the native viewer, it still
|
||||
failed to check that a stored certificate wouldn't be maliciously used
|
||||
for another server. In practice this can in most cases be used to
|
||||
impersonate another server.
|
||||
|
||||
Handle this like the native viewer by storing exceptions for a specific
|
||||
hostname/certificate combination.
|
||||
---
|
||||
java/com/tigervnc/rfb/CSecurityTLS.java | 164 ++++++++++++++++++++------------
|
||||
1 file changed, 101 insertions(+), 63 deletions(-)
|
||||
|
||||
diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||
index ad6f6fe1..e63945dc 100644
|
||||
--- a/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||
+++ b/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||
@@ -107,12 +107,6 @@ public class CSecurityTLS extends CSecurity {
|
||||
X509CRL.setDefaultStr(getDefaultCRL());
|
||||
}
|
||||
|
||||
-// FIXME:
|
||||
-// Need to shutdown the connection cleanly
|
||||
-
|
||||
-// FIXME?
|
||||
-// add a finalizer method that calls shutdown
|
||||
-
|
||||
public boolean processMsg(CConnection cc) {
|
||||
is = (FdInStream)cc.getInStream();
|
||||
os = (FdOutStream)cc.getOutStream();
|
||||
@@ -269,8 +263,13 @@ public class CSecurityTLS extends CSecurity {
|
||||
{
|
||||
Collection<? extends Certificate> certs = null;
|
||||
X509Certificate cert = chain[0];
|
||||
+ String pk =
|
||||
+ Base64.getEncoder().encodeToString(cert.getPublicKey().getEncoded());
|
||||
try {
|
||||
cert.checkValidity();
|
||||
+ verifyHostname(cert);
|
||||
+ } catch(CertificateParsingException e) {
|
||||
+ throw new SystemException(e.getMessage());
|
||||
} catch(CertificateNotYetValidException e) {
|
||||
throw new AuthFailureException("server certificate has not been activated");
|
||||
} catch(CertificateExpiredException e) {
|
||||
@@ -279,73 +278,111 @@ public class CSecurityTLS extends CSecurity {
|
||||
"do you want to continue?"))
|
||||
throw new AuthFailureException("server certificate has expired");
|
||||
}
|
||||
- String thumbprint = getThumbprint(cert);
|
||||
File vncDir = new File(FileUtils.getVncHomeDir());
|
||||
- File certFile = new File(vncDir, "x509_savedcerts.pem");
|
||||
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||
- if (vncDir.exists() && certFile.exists() && certFile.canRead()) {
|
||||
- InputStream certStream = new MyFileInputStream(certFile);
|
||||
- certs = cf.generateCertificates(certStream);
|
||||
- for (Certificate c : certs)
|
||||
- if (thumbprint.equals(getThumbprint((X509Certificate)c)))
|
||||
- return;
|
||||
- }
|
||||
+ if (!vncDir.exists())
|
||||
+ throw new AuthFailureException("Could not obtain VNC home directory "+
|
||||
+ "path for known hosts storage");
|
||||
+ File dbPath = new File(vncDir, "x509_known_hosts");
|
||||
+ String info =
|
||||
+ " Subject: "+cert.getSubjectX500Principal().getName()+"\n"+
|
||||
+ " Issuer: "+cert.getIssuerX500Principal().getName()+"\n"+
|
||||
+ " Serial Number: "+cert.getSerialNumber()+"\n"+
|
||||
+ " Version: "+cert.getVersion()+"\n"+
|
||||
+ " Signature Algorithm: "+cert.getPublicKey().getAlgorithm()+"\n"+
|
||||
+ " Not Valid Before: "+cert.getNotBefore()+"\n"+
|
||||
+ " Not Valid After: "+cert.getNotAfter()+"\n"+
|
||||
+ " SHA-1 Fingerprint: "+getThumbprint(cert)+"\n";
|
||||
try {
|
||||
- verifyHostname(cert);
|
||||
+ if (dbPath.exists()) {
|
||||
+ FileReader db = new FileReader(dbPath);
|
||||
+ BufferedReader dbBuf = new BufferedReader(db);
|
||||
+ String line;
|
||||
+ String server = client.getServerName().toLowerCase();
|
||||
+ while ((line = dbBuf.readLine())!=null) {
|
||||
+ String fields[] = line.split("\\|");
|
||||
+ if (fields.length==6) {
|
||||
+ if (server.equals(fields[2]) && pk.equals(fields[5])) {
|
||||
+ vlog.debug("Server certificate found in known hosts file");
|
||||
+ dbBuf.close();
|
||||
+ return;
|
||||
+ } else if (server.equals(fields[2]) && !pk.equals(fields[5]) ||
|
||||
+ !server.equals(fields[2]) && pk.equals(fields[5])) {
|
||||
+ throw new CertStoreException();
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ dbBuf.close();
|
||||
+ }
|
||||
tm.checkServerTrusted(chain, authType);
|
||||
+ } catch (IOException e) {
|
||||
+ throw new AuthFailureException("Could not load known hosts database");
|
||||
+ } catch (CertStoreException e) {
|
||||
+ vlog.debug("Server host key mismatch");
|
||||
+ vlog.debug(info);
|
||||
+ String text =
|
||||
+ "This host is previously known with a different "+
|
||||
+ "certificate, and the new certificate has been "+
|
||||
+ "signed by an unknown authority\n"+
|
||||
+ "\n"+info+"\n"+
|
||||
+ "Someone could be trying to impersonate the site and you should not continue.\n"+
|
||||
+ "\n"+
|
||||
+ "Do you want to make an exception for this server?";
|
||||
+ if (!msg.showMsgBox(YES_NO_OPTION, "Unexpected certificate issuer", text))
|
||||
+ throw new AuthFailureException("Unexpected certificate issuer");
|
||||
+ store_pubkey(dbPath, client.getServerName().toLowerCase(), pk);
|
||||
} catch (java.lang.Exception e) {
|
||||
if (e.getCause() instanceof CertPathBuilderException) {
|
||||
- String certinfo =
|
||||
+ vlog.debug("Server host not previously known");
|
||||
+ vlog.debug(info);
|
||||
+ String text =
|
||||
"This certificate has been signed by an unknown authority\n"+
|
||||
+ "\n"+info+"\n"+
|
||||
+ "Someone could be trying to impersonate the site and you should not continue.\n"+
|
||||
"\n"+
|
||||
- " Subject: "+cert.getSubjectX500Principal().getName()+"\n"+
|
||||
- " Issuer: "+cert.getIssuerX500Principal().getName()+"\n"+
|
||||
- " Serial Number: "+cert.getSerialNumber()+"\n"+
|
||||
- " Version: "+cert.getVersion()+"\n"+
|
||||
- " Signature Algorithm: "+cert.getPublicKey().getAlgorithm()+"\n"+
|
||||
- " Not Valid Before: "+cert.getNotBefore()+"\n"+
|
||||
- " Not Valid After: "+cert.getNotAfter()+"\n"+
|
||||
- " SHA1 Fingerprint: "+getThumbprint(cert)+"\n"+
|
||||
- "\n"+
|
||||
- "Do you want to save it and continue?";
|
||||
- if (!msg.showMsgBox(YES_NO_OPTION, "certificate issuer unknown",
|
||||
- certinfo)) {
|
||||
- throw new AuthFailureException("certificate issuer unknown");
|
||||
- }
|
||||
- if (certs == null || !certs.contains(cert)) {
|
||||
- byte[] der = cert.getEncoded();
|
||||
- String pem = Base64.getEncoder().encodeToString(der);
|
||||
- pem = pem.replaceAll("(.{64})", "$1\n");
|
||||
- FileWriter fw = null;
|
||||
- try {
|
||||
- if (!vncDir.exists())
|
||||
- vncDir.mkdir();
|
||||
- if (!certFile.exists() && !certFile.createNewFile()) {
|
||||
- vlog.error("Certificate save failed.");
|
||||
- } else {
|
||||
- fw = new FileWriter(certFile.getAbsolutePath(), true);
|
||||
- fw.write("-----BEGIN CERTIFICATE-----\n");
|
||||
- fw.write(pem+"\n");
|
||||
- fw.write("-----END CERTIFICATE-----\n");
|
||||
- }
|
||||
- } catch (IOException ioe) {
|
||||
- msg.showMsgBox(OK_OPTION, "certificate save failed",
|
||||
- "Could not save the certificate");
|
||||
- } finally {
|
||||
- try {
|
||||
- if (fw != null)
|
||||
- fw.close();
|
||||
- } catch(IOException ioe2) {
|
||||
- throw new Exception(ioe2.getMessage());
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
+ "Do you want to make an exception for this server?";
|
||||
+ if (!msg.showMsgBox(YES_NO_OPTION, "Unknown certificate issuer", text))
|
||||
+ throw new AuthFailureException("Unknown certificate issuer");
|
||||
+ store_pubkey(dbPath, client.getServerName().toLowerCase(), pk);
|
||||
} else {
|
||||
throw new SystemException(e.getMessage());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
+ private void store_pubkey(File dbPath, String serverName, String pk)
|
||||
+ {
|
||||
+ ArrayList<String> lines = new ArrayList<String>();
|
||||
+ File vncDir = new File(FileUtils.getVncHomeDir());
|
||||
+ try {
|
||||
+ if (dbPath.exists()) {
|
||||
+ FileReader db = new FileReader(dbPath);
|
||||
+ BufferedReader dbBuf = new BufferedReader(db);
|
||||
+ String line;
|
||||
+ while ((line = dbBuf.readLine())!=null) {
|
||||
+ String fields[] = line.split("\\|");
|
||||
+ if (fields.length==6)
|
||||
+ if (!serverName.equals(fields[2]) && !pk.equals(fields[5]))
|
||||
+ lines.add(line);
|
||||
+ }
|
||||
+ dbBuf.close();
|
||||
+ }
|
||||
+ } catch (IOException e) {
|
||||
+ throw new AuthFailureException("Could not load known hosts database");
|
||||
+ }
|
||||
+ try {
|
||||
+ if (!dbPath.exists())
|
||||
+ dbPath.createNewFile();
|
||||
+ FileWriter fw = new FileWriter(dbPath.getAbsolutePath(), false);
|
||||
+ Iterator i = lines.iterator();
|
||||
+ while (i.hasNext())
|
||||
+ fw.write((String)i.next()+"\n");
|
||||
+ fw.write("|g0|"+serverName+"|*|0|"+pk+"\n");
|
||||
+ fw.close();
|
||||
+ } catch (IOException e) {
|
||||
+ vlog.error("Failed to store server certificate to known hosts database");
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
public X509Certificate[] getAcceptedIssuers ()
|
||||
{
|
||||
return tm.getAcceptedIssuers();
|
||||
@@ -399,12 +436,13 @@ public class CSecurityTLS extends CSecurity {
|
||||
}
|
||||
Object[] answer = {"YES", "NO"};
|
||||
int ret = JOptionPane.showOptionDialog(null,
|
||||
- "Hostname verification failed. Do you want to continue?",
|
||||
- "Hostname Verification Failure",
|
||||
+ "Hostname ("+client.getServerName()+") does not match the"+
|
||||
+ " server certificate, do you want to continue?",
|
||||
+ "Certificate hostname mismatch",
|
||||
JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE,
|
||||
null, answer, answer[0]);
|
||||
if (ret != JOptionPane.YES_OPTION)
|
||||
- throw new WarningException("Hostname verification failed.");
|
||||
+ throw new WarningException("Certificate hostname mismatch.");
|
||||
} catch (CertificateParsingException e) {
|
||||
throw new SystemException(e.getMessage());
|
||||
} catch (InvalidNameException e) {
|
||||
--
|
||||
2.16.4
|
||||
|
@ -1,29 +0,0 @@
|
||||
From 9f83180219380c690fb743182308bc2d534b8b1b Mon Sep 17 00:00:00 2001
|
||||
From: Dominique Martinet <asmadeus@codewreck.org>
|
||||
Date: Sun, 8 Jul 2018 02:15:43 +0900
|
||||
Subject: [PATCH] viewer: reset ctrl / alt to menu state on focus
|
||||
|
||||
Setting Ctrl or Alt key on menu only sends the key press, and the
|
||||
state is lost when focus is lost and recovered.
|
||||
This checks the menu variable and sends the keys again if needed.
|
||||
---
|
||||
vncviewer/Viewport.cxx | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
Index: b/vncviewer/Viewport.cxx
|
||||
===================================================================
|
||||
--- a/vncviewer/Viewport.cxx
|
||||
+++ b/vncviewer/Viewport.cxx
|
||||
@@ -655,6 +655,12 @@ int Viewport::handle(int event)
|
||||
if (menuAltKey)
|
||||
handleKeyPress(0x38, XK_Alt_L);
|
||||
|
||||
+ // Resend Ctrl/Alt if needed
|
||||
+ if (menuCtrlKey)
|
||||
+ handleKeyPress(0x1d, XK_Control_L);
|
||||
+ if (menuAltKey)
|
||||
+ handleKeyPress(0x38, XK_Alt_L);
|
||||
+
|
||||
// Yes, we would like some focus please!
|
||||
return 1;
|
||||
|
@ -10,8 +10,8 @@ Index: tigervnc-1.9.0/vncviewer/vncviewer.desktop.in.in
|
||||
Name=TigerVNC Viewer
|
||||
GenericName=Remote Desktop Viewer
|
||||
Comment=Connect to VNC server and display remote desktop
|
||||
-Exec=@BIN_DIR@/vncviewer
|
||||
+Exec=@BIN_DIR@/vncviewer-tigervnc
|
||||
-Exec=@CMAKE_INSTALL_FULL_BINDIR@/vncviewer
|
||||
+Exec=@CMAKE_INSTALL_FULL_BINDIR@/vncviewer-tigervnc
|
||||
Icon=tigervnc
|
||||
Terminal=false
|
||||
Type=Application
|
||||
|
@ -1,48 +1,48 @@
|
||||
Index: b/unix/xserver/hw/vnc/buildtime.c
|
||||
Index: tigervnc-1.12.0/unix/xserver/hw/vnc/buildtime.c
|
||||
===================================================================
|
||||
--- a/unix/xserver/hw/vnc/buildtime.c
|
||||
+++ b/unix/xserver/hw/vnc/buildtime.c
|
||||
--- tigervnc-1.12.0.orig/unix/xserver/hw/vnc/buildtime.c
|
||||
+++ tigervnc-1.12.0/unix/xserver/hw/vnc/buildtime.c
|
||||
@@ -15,4 +15,4 @@
|
||||
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
|
||||
* USA.
|
||||
*/
|
||||
-char buildtime[] = __DATE__ " " __TIME__;
|
||||
+char buildtime[] = "??? ?? ???? ??:??:??";
|
||||
Index: b/unix/vncconfig/buildtime.c
|
||||
Index: tigervnc-1.12.0/unix/vncconfig/buildtime.c
|
||||
===================================================================
|
||||
--- a/unix/vncconfig/buildtime.c
|
||||
+++ b/unix/vncconfig/buildtime.c
|
||||
--- tigervnc-1.12.0.orig/unix/vncconfig/buildtime.c
|
||||
+++ tigervnc-1.12.0/unix/vncconfig/buildtime.c
|
||||
@@ -15,4 +15,4 @@
|
||||
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
|
||||
* USA.
|
||||
*/
|
||||
-char buildtime[] = __DATE__ " " __TIME__;
|
||||
+char buildtime[] = "??? ?? ???? ??:??:??";
|
||||
Index: b/unix/x0vncserver/buildtime.c
|
||||
Index: tigervnc-1.12.0/unix/x0vncserver/buildtime.c
|
||||
===================================================================
|
||||
--- a/unix/x0vncserver/buildtime.c
|
||||
+++ b/unix/x0vncserver/buildtime.c
|
||||
--- tigervnc-1.12.0.orig/unix/x0vncserver/buildtime.c
|
||||
+++ tigervnc-1.12.0/unix/x0vncserver/buildtime.c
|
||||
@@ -15,4 +15,4 @@
|
||||
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
|
||||
* USA.
|
||||
*/
|
||||
-char buildtime[] = __DATE__ " " __TIME__;
|
||||
+char buildtime[] = "??? ?? ???? ??:??:??";
|
||||
Index: b/win/winvnc/buildTime.cxx
|
||||
Index: tigervnc-1.12.0/win/winvnc/buildTime.cxx
|
||||
===================================================================
|
||||
--- a/win/winvnc/buildTime.cxx
|
||||
+++ b/win/winvnc/buildTime.cxx
|
||||
--- tigervnc-1.12.0.orig/win/winvnc/buildTime.cxx
|
||||
+++ tigervnc-1.12.0/win/winvnc/buildTime.cxx
|
||||
@@ -15,4 +15,4 @@
|
||||
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
|
||||
* USA.
|
||||
*/
|
||||
-const char* buildTime = "Built on " __DATE__ " at " __TIME__;
|
||||
+const char* buildTime = "Built on ??? ?? ???? at ??:??:??";
|
||||
Index: b/CMakeLists.txt
|
||||
Index: tigervnc-1.12.0/CMakeLists.txt
|
||||
===================================================================
|
||||
--- a/CMakeLists.txt
|
||||
+++ b/CMakeLists.txt
|
||||
@@ -42,10 +42,6 @@ if(MSVC)
|
||||
--- tigervnc-1.12.0.orig/CMakeLists.txt
|
||||
+++ tigervnc-1.12.0/CMakeLists.txt
|
||||
@@ -44,10 +44,6 @@ if(MSVC)
|
||||
message(FATAL_ERROR "TigerVNC cannot be built with Visual Studio. Please use MinGW")
|
||||
endif()
|
||||
|
||||
@ -53,11 +53,11 @@ Index: b/CMakeLists.txt
|
||||
# Default to optimised builds instead of debug ones. Our code has no bugs ;)
|
||||
# (CMake makes it fairly easy to toggle this back to Debug if needed)
|
||||
if(NOT CMAKE_BUILD_TYPE)
|
||||
Index: b/vncviewer/vncviewer.cxx
|
||||
Index: tigervnc-1.12.0/vncviewer/vncviewer.cxx
|
||||
===================================================================
|
||||
--- a/vncviewer/vncviewer.cxx
|
||||
+++ b/vncviewer/vncviewer.cxx
|
||||
@@ -98,11 +98,9 @@ static const char *about_text()
|
||||
--- tigervnc-1.12.0.orig/vncviewer/vncviewer.cxx
|
||||
+++ tigervnc-1.12.0/vncviewer/vncviewer.cxx
|
||||
@@ -104,11 +104,9 @@ static const char *about_text()
|
||||
// time.
|
||||
snprintf(buffer, sizeof(buffer),
|
||||
_("TigerVNC Viewer %d-bit v%s\n"
|
||||
@ -65,8 +65,8 @@ Index: b/vncviewer/vncviewer.cxx
|
||||
"Copyright (C) 1999-%d TigerVNC Team and many others (see README.rst)\n"
|
||||
"See https://www.tigervnc.org for information on TigerVNC."),
|
||||
- (int)sizeof(size_t)*8, PACKAGE_VERSION,
|
||||
- BUILD_TIMESTAMP, 2019);
|
||||
+ (int)sizeof(size_t)*8, PACKAGE_VERSION, 2019);
|
||||
- BUILD_TIMESTAMP, 2021);
|
||||
+ (int)sizeof(size_t)*8, PACKAGE_VERSION, 2021);
|
||||
|
||||
return buffer;
|
||||
}
|
||||
|
@ -1,12 +1,12 @@
|
||||
Index: tigervnc-1.10.1/common/rfb/Security.cxx
|
||||
Index: tigervnc-1.12.0/common/rfb/Security.cxx
|
||||
===================================================================
|
||||
--- tigervnc-1.10.1.orig/common/rfb/Security.cxx
|
||||
+++ tigervnc-1.10.1/common/rfb/Security.cxx
|
||||
--- tigervnc-1.12.0.orig/common/rfb/Security.cxx
|
||||
+++ tigervnc-1.12.0/common/rfb/Security.cxx
|
||||
@@ -52,7 +52,7 @@ static LogWriter vlog("Security");
|
||||
#ifdef HAVE_GNUTLS
|
||||
StringParameter Security::GnuTLSPriority("GnuTLSPriority",
|
||||
"GnuTLS priority string that controls the TLS session’s handshake algorithms",
|
||||
- "NORMAL");
|
||||
- "");
|
||||
+ "@SYSTEM");
|
||||
#endif
|
||||
|
||||
|
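Review bot: The packaged default `"@SYSTEM"` for `GnuTLSPriority` is not reflected in the parameter's help text, which still only says the string "controls the TLS session’s handshake algorithms". A user inspecting the option cannot tell that this build defers algorithm selection to the system-wide GnuTLS policy rather than to a library default. I would extend the description in the patched hunk, for example `"GnuTLS priority string that controls the TLS session’s handshake algorithms (default: system-wide crypto policy)"`. It is also worth confirming how priority setup behaves on a host whose GnuTLS configuration defines no SYSTEM entry, since the visible lines give no fallback string; the code that consumes the parameter is outside this hunk.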
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:19fcc80d7d35dd58115262e53cac87d8903180261d94c2a6b0c19224f50b58c4
|
||||
size 1408105
|
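--- a/tigervnc-1.12.0.tar.gz
+++ b/tigervnc-1.12.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9ff3f3948f2a4e8cc06ee598ee4b1096beb62094c13e0b1462bff78587bed789
+size 1561898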
@ -1,129 +0,0 @@
|
||||
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
|
||||
index d5ef47e..2ba787e 100644
|
||||
--- a/common/rfb/SSecurityTLS.cxx
|
||||
+++ b/common/rfb/SSecurityTLS.cxx
|
||||
@@ -37,7 +37,23 @@
|
||||
#include <rdr/TLSOutStream.h>
|
||||
#include <gnutls/x509.h>
|
||||
|
||||
-#define DH_BITS 1024 /* XXX This should be configurable! */
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
+/* FFDHE (RFC-7919) 2048-bit parameters, PEM-encoded */
|
||||
+static unsigned char ffdhe2048[] =
|
||||
+ "-----BEGIN DH PARAMETERS-----\n"
|
||||
+ "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
|
||||
+ "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
|
||||
+ "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
|
||||
+ "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
|
||||
+ "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
|
||||
+ "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAOE=\n"
|
||||
+ "-----END DH PARAMETERS-----\n";
|
||||
+
|
||||
+static const gnutls_datum_t pkcs3_param = {
|
||||
+ ffdhe2048,
|
||||
+ sizeof(ffdhe2048)
|
||||
+};
|
||||
+#endif
|
||||
|
||||
using namespace rfb;
|
||||
|
||||
@@ -50,15 +66,20 @@ StringParameter SSecurityTLS::X509_KeyFile
|
||||
static LogWriter vlog("TLS");
|
||||
|
||||
SSecurityTLS::SSecurityTLS(SConnection* sc, bool _anon)
|
||||
- : SSecurity(sc), session(NULL), dh_params(NULL), anon_cred(NULL),
|
||||
+ : SSecurity(sc), session(NULL), anon_cred(NULL),
|
||||
cert_cred(NULL), anon(_anon), tlsis(NULL), tlsos(NULL),
|
||||
rawis(NULL), rawos(NULL)
|
||||
{
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
+ dh_params = NULL;
|
||||
+#endif
|
||||
+
|
||||
certfile = X509_CertFile.getData();
|
||||
keyfile = X509_KeyFile.getData();
|
||||
|
||||
if (gnutls_global_init() != GNUTLS_E_SUCCESS)
|
||||
throw AuthFailureException("gnutls_global_init failed");
|
||||
+
|
||||
}
|
||||
|
||||
void SSecurityTLS::shutdown()
|
||||
@@ -70,10 +91,12 @@ void SSecurityTLS::shutdown()
|
||||
}
|
||||
}
|
||||
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
if (dh_params) {
|
||||
gnutls_dh_params_deinit(dh_params);
|
||||
dh_params = 0;
|
||||
}
|
||||
+#endif
|
||||
|
||||
if (anon_cred) {
|
||||
gnutls_anon_free_server_credentials(anon_cred);
|
||||
@@ -198,17 +221,21 @@ void SSecurityTLS::setParams(gnutls_session_t session)
|
||||
throw AuthFailureException("gnutls_set_priority_direct failed");
|
||||
}
|
||||
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
|
||||
throw AuthFailureException("gnutls_dh_params_init failed");
|
||||
|
||||
- if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
|
||||
- throw AuthFailureException("gnutls_dh_params_generate2 failed");
|
||||
+ if (gnutls_dh_params_import_pkcs3(dh_params, &pkcs3_param, GNUTLS_X509_FMT_PEM) != GNUTLS_E_SUCCESS)
|
||||
+ throw AuthFailureException("gnutls_dh_params_import_pkcs3 failed");
|
||||
+#endif
|
||||
|
||||
if (anon) {
|
||||
if (gnutls_anon_allocate_server_credentials(&anon_cred) != GNUTLS_E_SUCCESS)
|
||||
throw AuthFailureException("gnutls_anon_allocate_server_credentials failed");
|
||||
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
gnutls_anon_set_server_dh_params(anon_cred, dh_params);
|
||||
+#endif
|
||||
|
||||
if (gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred)
|
||||
!= GNUTLS_E_SUCCESS)
|
||||
@@ -220,7 +247,9 @@ void SSecurityTLS::setParams(gnutls_session_t session)
|
||||
if (gnutls_certificate_allocate_credentials(&cert_cred) != GNUTLS_E_SUCCESS)
|
||||
throw AuthFailureException("gnutls_certificate_allocate_credentials failed");
|
||||
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
gnutls_certificate_set_dh_params(cert_cred, dh_params);
|
||||
+#endif
|
||||
|
||||
switch (gnutls_certificate_set_x509_key_file(cert_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM)) {
|
||||
case GNUTLS_E_SUCCESS:
|
||||
diff --git a/common/rfb/SSecurityTLS.h b/common/rfb/SSecurityTLS.h
|
||||
index 6f71182..4bddae3 100644
|
||||
--- a/common/rfb/SSecurityTLS.h
|
||||
+++ b/common/rfb/SSecurityTLS.h
|
||||
@@ -36,6 +36,14 @@
|
||||
#include <rdr/OutStream.h>
|
||||
#include <gnutls/gnutls.h>
|
||||
|
||||
+
|
||||
+/* In GnuTLS 3.6.0 DH parameter generation was deprecated. RFC7919 is used instead.
|
||||
+ * GnuTLS before 3.6.0 doesn't know about RFC7919 so we will have to import it.
|
||||
+ */
|
||||
+#if GNUTLS_VERSION_NUMBER < 0x030600
|
||||
+#define SSECURITYTLS__USE_DEPRECATED_DH
|
||||
+#endif
|
||||
+
|
||||
namespace rfb {
|
||||
|
||||
class SSecurityTLS : public SSecurity {
|
||||
@@ -54,8 +62,11 @@ namespace rfb {
|
||||
void setParams(gnutls_session_t session);
|
||||
|
||||
private:
|
||||
+ bool isUsingDeprecatedDH;
|
||||
gnutls_session_t session;
|
||||
+#if defined (SSECURITYTLS__USE_DEPRECATED_DH)
|
||||
gnutls_dh_params_t dh_params;
|
||||
+#endif
|
||||
gnutls_anon_server_credentials_t anon_cred;
|
||||
gnutls_certificate_credentials_t cert_cred;
|
||||
char *keyfile, *certfile;
|
@ -1,21 +1,21 @@
|
||||
Index: b/vncviewer/DesktopWindow.cxx
|
||||
Index: tigervnc-1.12.0/vncviewer/DesktopWindow.cxx
|
||||
===================================================================
|
||||
--- a/vncviewer/DesktopWindow.cxx
|
||||
+++ b/vncviewer/DesktopWindow.cxx
|
||||
@@ -207,6 +207,8 @@ DesktopWindow::~DesktopWindow()
|
||||
--- tigervnc-1.12.0.orig/vncviewer/DesktopWindow.cxx
|
||||
+++ tigervnc-1.12.0/vncviewer/DesktopWindow.cxx
|
||||
@@ -236,6 +236,8 @@ DesktopWindow::~DesktopWindow()
|
||||
|
||||
delete statsGraph;
|
||||
|
||||
+ delete viewport;
|
||||
+
|
||||
// FLTK automatically deletes all child widgets, so we shouldn't touch
|
||||
// them ourselves here
|
||||
}
|
||||
Index: b/vncviewer/Viewport.cxx
|
||||
instances.erase(this);
|
||||
|
||||
if (instances.size() == 0)
|
||||
Index: tigervnc-1.12.0/vncviewer/Viewport.cxx
|
||||
===================================================================
|
||||
--- a/vncviewer/Viewport.cxx
|
||||
+++ b/vncviewer/Viewport.cxx
|
||||
@@ -189,6 +189,18 @@ Viewport::Viewport(int w, int h, const r
|
||||
--- tigervnc-1.12.0.orig/vncviewer/Viewport.cxx
|
||||
+++ tigervnc-1.12.0/vncviewer/Viewport.cxx
|
||||
@@ -192,6 +192,18 @@ Viewport::Viewport(int w, int h, const r
|
||||
|
||||
Viewport::~Viewport()
|
||||
{
|
||||
@ -34,20 +34,28 @@ Index: b/vncviewer/Viewport.cxx
|
||||
// Unregister all timeouts in case they get a change tro trigger
|
||||
// again later when this object is already gone.
|
||||
Fl::remove_timeout(handlePointerTimeout, this);
|
||||
Index: b/vncviewer/vncviewer.cxx
|
||||
Index: tigervnc-1.12.0/vncviewer/vncviewer.cxx
|
||||
===================================================================
|
||||
--- a/vncviewer/vncviewer.cxx
|
||||
+++ b/vncviewer/vncviewer.cxx
|
||||
@@ -107,6 +107,8 @@ static const char *about_text()
|
||||
--- tigervnc-1.12.0.orig/vncviewer/vncviewer.cxx
|
||||
+++ tigervnc-1.12.0/vncviewer/vncviewer.cxx
|
||||
@@ -113,6 +113,7 @@ static const char *about_text()
|
||||
return buffer;
|
||||
}
|
||||
|
||||
+static CConn *cc;
|
||||
+
|
||||
void exit_vncviewer(const char *error)
|
||||
|
||||
void abort_vncviewer(const char *error, ...)
|
||||
{
|
||||
// Prioritise the first error we get as that is probably the most
|
||||
@@ -177,6 +179,16 @@ static void CleanupSignalHandler(int sig
|
||||
@@ -176,8 +177,6 @@ void about_vncviewer()
|
||||
static void mainloop(const char* vncserver, network::Socket* sock)
|
||||
{
|
||||
while (true) {
|
||||
- CConn *cc;
|
||||
-
|
||||
exitMainloop = false;
|
||||
|
||||
cc = new CConn(vncServerName, sock);
|
||||
@@ -262,6 +261,16 @@ static void CleanupSignalHandler(int sig
|
||||
// CleanupSignalHandler allows C++ object cleanup to happen because it calls
|
||||
// exit() rather than the default which is to abort.
|
||||
vlog.info(_("Termination signal %d has been received. TigerVNC Viewer will now exit."), sig);
|
||||
@ -64,22 +72,13 @@ Index: b/vncviewer/vncviewer.cxx
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@@ -587,6 +599,9 @@ int main(int argc, char** argv)
|
||||
@@ -744,6 +753,9 @@ int main(int argc, char** argv)
|
||||
XkbSetDetectableAutoRepeat(fl_display, True, NULL);
|
||||
#endif
|
||||
|
||||
+ fl_open_display();
|
||||
+ XSetIOErrorHandler(CleanupXIOErrorHandler);
|
||||
+
|
||||
CSecurity::upg = &dlg;
|
||||
#ifdef HAVE_GNUTLS
|
||||
CSecurityTLS::msg = &dlg;
|
||||
@@ -672,7 +687,7 @@ int main(int argc, char** argv)
|
||||
#endif
|
||||
}
|
||||
init_fltk();
|
||||
enable_touch();
|
||||
|
||||
- CConn *cc = new CConn(vncServerName, sock);
|
||||
+ cc = new CConn(vncServerName, sock);
|
||||
|
||||
while (!exitMainloop)
|
||||
run_mainloop();
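Review bot: `cc` is now a file-scope `static CConn *cc;`, and `main` installs `XSetIOErrorHandler(CleanupXIOErrorHandler)` right after `fl_open_display()`, which is before `mainloop` reaches `cc = new CConn(vncServerName, sock);`. The handler bodies are outside the lines shown here, so this is a point to confirm rather than a confirmed defect: if either cleanup handler touches `cc`, it must cope with a null pointer early in startup and with a pointer that `mainloop` has already released between passes of its `while (true)` loop. I would declare it as `static CConn *cc = NULL;`, reset it with `cc = NULL;` wherever the connection object is destroyed, and guard the handler with `if (cc != NULL)`. The refreshed patch file also still starts directly at `Index:` with no description or bug reference.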
|
||||
|
@ -1,60 +0,0 @@
|
||||
From dbad687182ae9093efaf096a069eeafc18b22973 Mon Sep 17 00:00:00 2001
|
||||
From: Pierre Ossman <ossman@cendio.se>
|
||||
Date: Mon, 30 Dec 2019 10:24:11 +0100
|
||||
Subject: [PATCH 1/2] Fix saving of bad server certificates
|
||||
|
||||
This check is completely backwards and it is currently unknown how
|
||||
this ever worked.
|
||||
---
|
||||
common/rfb/CSecurityTLS.cxx | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
|
||||
index aa1910909..c1a00212a 100644
|
||||
--- a/common/rfb/CSecurityTLS.cxx
|
||||
+++ b/common/rfb/CSecurityTLS.cxx
|
||||
@@ -416,8 +416,9 @@ void CSecurityTLS::checkSession()
|
||||
delete [] certinfo;
|
||||
|
||||
if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, NULL, &out_size)
|
||||
- == GNUTLS_E_SHORT_MEMORY_BUFFER)
|
||||
- throw AuthFailureException("Out of memory");
|
||||
+ != GNUTLS_E_SHORT_MEMORY_BUFFER)
|
||||
+ throw AuthFailureException("certificate issuer unknown, and certificate "
|
||||
+ "export failed");
|
||||
|
||||
// Save cert
|
||||
out_buf = new char[out_size];
|
||||
|
||||
From 6208f47dcbf68ff1e751b0b526bb643f0da867a6 Mon Sep 17 00:00:00 2001
|
||||
From: Pierre Ossman <ossman@cendio.se>
|
||||
Date: Mon, 30 Dec 2019 10:26:12 +0100
|
||||
Subject: [PATCH 2/2] Remove unneeded memory checks
|
||||
|
||||
new throws an exception on allocation errors rather than return NULL.
|
||||
---
|
||||
common/rfb/CSecurityTLS.cxx | 4 ----
|
||||
1 file changed, 4 deletions(-)
|
||||
|
||||
diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
|
||||
index c1a00212a..5c303a37c 100644
|
||||
--- a/common/rfb/CSecurityTLS.cxx
|
||||
+++ b/common/rfb/CSecurityTLS.cxx
|
||||
@@ -396,8 +396,6 @@ void CSecurityTLS::checkSession()
|
||||
vlog.debug("%s", info.data);
|
||||
|
||||
certinfo = new char[len];
|
||||
- if (certinfo == NULL)
|
||||
- throw AuthFailureException("Out of memory");
|
||||
|
||||
snprintf(certinfo, len, "This certificate has been signed by an unknown "
|
||||
"authority:\n\n%s\n\nDo you want to save it and "
|
||||
@@ -422,8 +420,6 @@ void CSecurityTLS::checkSession()
|
||||
|
||||
// Save cert
|
||||
out_buf = new char[out_size];
|
||||
- if (out_buf == NULL)
|
||||
- throw AuthFailureException("Out of memory");
|
||||
|
||||
if (gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, out_buf, &out_size) < 0)
|
||||
throw AuthFailureException("certificate issuer unknown, and certificate "
|
@ -1,13 +1,13 @@
|
||||
Index: b/vncviewer/CConn.cxx
|
||||
Index: tigervnc-1.12.0/vncviewer/CConn.cxx
|
||||
===================================================================
|
||||
--- a/vncviewer/CConn.cxx
|
||||
+++ b/vncviewer/CConn.cxx
|
||||
@@ -388,6 +388,8 @@ void CConn::dataRect(const Rect& r, int
|
||||
--- tigervnc-1.12.0.orig/vncviewer/CConn.cxx
|
||||
+++ tigervnc-1.12.0/vncviewer/CConn.cxx
|
||||
@@ -416,6 +416,8 @@ bool CConn::dataRect(const Rect& r, int
|
||||
|
||||
if (encoding != encodingCopyRect)
|
||||
lastServerEncoding = encoding;
|
||||
+ if (encoding == pseudoEncodingDesktopSize)
|
||||
+ setDesktopSize( r.width(), r.height() );
|
||||
|
||||
CConnection::dataRect(r, encoding);
|
||||
ret = CConnection::dataRect(r, encoding);
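Review bot: The added branch in `CConn::dataRect` has no comment, and the patch file starts directly at `Index:` with no description or bug reference, so nothing records why a `pseudoEncodingDesktopSize` rectangle is handled in this function. A short header in the patch and a comment above the branch, e.g. `// Apply the size carried by a DesktopSize pseudo-rectangle (to confirm: not already handled before dataRect is called)`, would let the next refresh decide whether the branch is still needed. `r.width()` and `r.height()` presumably come from the server's rectangle, and whether `setDesktopSize` bounds them is not visible here. The call is also spaced differently from the surrounding code; `setDesktopSize(r.width(), r.height());` matches `CConnection::dataRect(r, encoding);`. `dataRect` begins and ends outside the hunk.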
|
||||
|
||||
|
@ -1,3 +1,51 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 17 09:22:52 UTC 2022 - Joan Torres <joan.torres@suse.com>
|
||||
|
||||
- Update to tigervnc 1.12.0
|
||||
* The native viewer now supports full screen over a subset of monitors (e.g. 2 out of 3), and reacts properly to monitors being added or removed
|
||||
* Recent server history in the native viewer
|
||||
* The native viewer now has an option to reconnect if the connection is dropped
|
||||
* Translations are now enabled on Windows and macOS for the native viewer
|
||||
* The native viewer now respects the system security policy
|
||||
* Better handling of accented keys in the Java viewer
|
||||
* The Unix servers can now listen to both a Unix socket and a TCP port at the same time
|
||||
* The network code in both the servers and the native viewer has been restructured to give a more responsive experience
|
||||
* The vncserver service now correctly handles settings set to "0"
|
||||
* Fixed the clipboard Unicode handling in both the native viewer and the servers
|
||||
* Support for pointer "warping" in Xvnc and the native viewer, enabling e.g. FPS games
|
||||
- Update to tigervnc 1.11.0
|
||||
* A security issue has been fixed in how the viewers handle TLS certificate exceptions
|
||||
* vncserver has gotten a major redesign to be compatible with modern distributions
|
||||
* The native viewer now has touch gestures to handle certain mouse actions (e.g. scroll wheel)
|
||||
* Middle mouse button emulation in the native viewer, for devices with only two mouse buttons
|
||||
* The Java viewer now supports Java 9+, but also now requires Java 8+
|
||||
* Support for alpha cursors in the Java viewer (a feature already supported in the native viewer)
|
||||
* The password and username can now be specified via the environment for the native viewer
|
||||
* Support for building Xvnc/libvnc.so with Xorg 1.20.7+ and deprecate support for Xorg older than 1.16
|
||||
* The official builds have been fixed to work on the upcoming macOS 11
|
||||
* The Windows server (WinVNC) is now packaged separately as it is unmaintained and buggy
|
||||
- Removed patches (included in 1.12.0):
|
||||
* U_viewer-reset-ctrl-alt-to-menu-state-on-focus.patch
|
||||
* tigervnc-fix-saving-of-bad-server-certs.patch
|
||||
* u_xorg-server-1.20.7-ddxInputThreadInit.patch
|
||||
* U_0001-Properly-store-certificate-exceptions.patch
|
||||
* U_0002-Properly-store-certificate-exceptions-in-Java-viewer.patch
|
||||
* tigervnc-FIPS-use-RFC7919.patch
|
||||
* u_Fix-non-functional-MaxDisconnectionTime.patch
|
||||
- Removed patches (no longer needed):
|
||||
* u_tigervnc-cve-2014-8240.patch (https://github.com/TigerVNC/tigervnc/pull/1258)
|
||||
* u_tigervnc_update_default_vncxstartup.patch
|
||||
- Refreshed patches:
|
||||
* n_correct_path_in_desktop_file.patch
|
||||
* n_tigervnc-date-time.patch
|
||||
* n_utilize-system-crypto-policies.patch
|
||||
* tigervnc-clean-pressed-key-on-exit.patch
|
||||
* tigervnc-newfbsize.patch
|
||||
* u_build_libXvnc_as_separate_library.patch
|
||||
* u_change-button-layout-in-ServerDialog.patch
|
||||
* u_tigervnc-add-autoaccept-parameter.patch
|
||||
* u_tigervnc-211.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 10 12:17:07 UTC 2022 - Joan Torres <joan.torres@suse.com>
|
||||
|
||||
|
@ -22,8 +22,6 @@
|
||||
%define tlskey %{_sysconfdir}/vnc/tls.key
|
||||
%define tlscert %{_sysconfdir}/vnc/tls.cert
|
||||
|
||||
%define _unitdir %{_prefix}/lib/systemd/system
|
||||
|
||||
%if 0%{?suse_version} >= 1500
|
||||
%define use_firewalld 1
|
||||
%else
|
||||
@ -35,7 +33,7 @@
|
||||
%endif
|
||||
|
||||
Name: tigervnc
|
||||
Version: 1.10.1
|
||||
Version: 1.12.0
|
||||
Release: 0
|
||||
URL: http://tigervnc.org/
|
||||
Summary: An implementation of VNC
|
||||
@ -63,24 +61,15 @@ Patch1: tigervnc-newfbsize.patch
|
||||
Patch2: tigervnc-clean-pressed-key-on-exit.patch
|
||||
Patch3: u_tigervnc-ignore-epipe-on-write.patch
|
||||
Patch4: n_tigervnc-date-time.patch
|
||||
Patch5: u_tigervnc-cve-2014-8240.patch
|
||||
Patch6: u_tigervnc_update_default_vncxstartup.patch
|
||||
Patch7: u_build_libXvnc_as_separate_library.patch
|
||||
Patch8: u_tigervnc-add-autoaccept-parameter.patch
|
||||
Patch9: u_change-button-layout-in-ServerDialog.patch
|
||||
Patch10: n_correct_path_in_desktop_file.patch
|
||||
Patch11: U_viewer-reset-ctrl-alt-to-menu-state-on-focus.patch
|
||||
Patch12: tigervnc-fix-saving-of-bad-server-certs.patch
|
||||
Patch13: u_xorg-server-1.20.7-ddxInputThreadInit.patch
|
||||
Patch21: U_0001-Properly-store-certificate-exceptions.patch
|
||||
Patch22: U_0002-Properly-store-certificate-exceptions-in-Java-viewer.patch
|
||||
Patch23: n_utilize-system-crypto-policies.patch
|
||||
Patch24: tigervnc-FIPS-use-RFC7919.patch
|
||||
Patch25: u_tigervnc-211.patch
|
||||
Patch26: u_Fix-non-functional-MaxDisconnectionTime.patch
|
||||
Patch27: xserver211.patch
|
||||
Provides: tightvnc = 1.3.9
|
||||
Obsoletes: tightvnc < 1.3.9
|
||||
Patch5: u_build_libXvnc_as_separate_library.patch
|
||||
Patch6: u_tigervnc-add-autoaccept-parameter.patch
|
||||
Patch7: u_change-button-layout-in-ServerDialog.patch
|
||||
Patch8: n_correct_path_in_desktop_file.patch
|
||||
Patch9: n_utilize-system-crypto-policies.patch
|
||||
Patch10: u_tigervnc-211.patch
|
||||
Patch11: xserver211.patch
|
||||
Provides: tightvnc = 1.5.0
|
||||
Obsoletes: tightvnc < 1.5.0
|
||||
Provides: vnc
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
@ -185,9 +174,9 @@ Requires: /bin/hostname
|
||||
%ifnarch s390 s390x
|
||||
Recommends: xorg-x11-Xvnc-module
|
||||
%endif
|
||||
Provides: tightvnc = 1.3.9
|
||||
Provides: tightvnc = 1.5.0
|
||||
Obsoletes: tightvnc < 1.5.0
|
||||
Provides: xorg-x11-Xvnc:/usr/lib/vnc/with-vnc-key.sh
|
||||
Obsoletes: tightvnc < 1.3.9
|
||||
|
||||
%description -n xorg-x11-Xvnc
|
||||
This is the TigerVNC implementation of Xvnc.
|
||||
@ -262,25 +251,15 @@ It maps common x11vnc arguments to x0vncserver arguments.
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
%patch8 -p1
|
||||
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
||||
%patch23 -p1
|
||||
%patch9 -p1
|
||||
%endif
|
||||
%patch24 -p1
|
||||
%patch25 -p0
|
||||
%patch26 -p1
|
||||
%patch10 -p0
|
||||
|
||||
cp -r %{_prefix}/src/xserver/* unix/xserver/
|
||||
pushd unix/xserver
|
||||
#patch -p1 < ../xserver120.patch
|
||||
%patch27 -p1
|
||||
%patch11 -p1
|
||||
popd
|
||||
|
||||
%build
|
||||
@ -290,7 +269,10 @@ export CFLAGS="%optflags"
|
||||
sed "s|@LIBEXECDIR@|%{_libexecdir}|g" %{SOURCE13} > xvnc@.service
|
||||
sed "s|@LIBEXECDIR@|%{_libexecdir}|g" %{SOURCE21} > xvnc-novnc.service
|
||||
# Build all tigervnc
|
||||
cmake -DCMAKE_VERBOSE_MAKEFILE=ON -DCMAKE_INSTALL_PREFIX:PATH=%{_prefix} -DCMAKE_BUILD_TYPE=RelWithDebInfo .
|
||||
cmake -DCMAKE_VERBOSE_MAKEFILE=ON \
|
||||
-DCMAKE_INSTALL_PREFIX:PATH=%{_prefix} \
|
||||
-DCMAKE_INSTALL_LIBEXECDIR:PATH=%{_libexecdir} \
|
||||
-DCMAKE_BUILD_TYPE=RelWithDebInfo .
|
||||
%make_build
|
||||
|
||||
# Build Xvnc server
|
||||
@ -319,7 +301,7 @@ popd
|
||||
|
||||
# Build java client
|
||||
pushd java
|
||||
cmake -DCMAKE_INSTALL_PREFIX:PATH=%{_prefix} -DJAVACFLAGS="-encoding utf8 -source 1.6 -target 1.6" .
|
||||
cmake -DCMAKE_INSTALL_PREFIX:PATH=%{_prefix} .
|
||||
%make_build
|
||||
popd
|
||||
|
||||
@ -351,7 +333,7 @@ install -D -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.
|
||||
install -D -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/vnc-httpd
|
||||
%endif
|
||||
|
||||
# only package as %doc (boo#1173045)
|
||||
# only package as %%doc (boo#1173045)
|
||||
cp %{SOURCE7} .
|
||||
install -D -m 755 %{SOURCE8} %{buildroot}%{_bindir}/vncpasswd.arg
|
||||
install -D -m 644 %{SOURCE9} %{buildroot}%{_distconfdir}/pam.d/vnc
|
||||
@ -380,7 +362,7 @@ install -D xvnc-novnc.service -m 0444 %{buildroot}%{_unitdir}/xvnc-novnc.service
|
||||
|
||||
install -Dm0644 %{SOURCE22} %{buildroot}%{_sysusersdir}/vnc.conf
|
||||
|
||||
rm -rf %{buildroot}%{_datadir}/doc/tigervnc-*
|
||||
rm -rf %{buildroot}%{_datadir}/doc/tigervnc*
|
||||
|
||||
%find_lang '%{name}'
|
||||
|
||||
@ -475,27 +457,37 @@ fi
|
||||
|
||||
%files -n xorg-x11-Xvnc
|
||||
%doc LICENCE.TXT README.rst vnc.reg
|
||||
%doc unix/vncserver/HOWTO.md
|
||||
|
||||
%{_bindir}/Xvnc
|
||||
%{_bindir}/vncconfig
|
||||
%{_bindir}/vncpasswd
|
||||
%{_bindir}/vncpasswd.arg
|
||||
%{_bindir}/vncserver
|
||||
%{_bindir}/x0vncserver
|
||||
%{_sbindir}/vncsession
|
||||
|
||||
%{_libexecdir}/vncserver
|
||||
%{_libexecdir}/vncsession-start
|
||||
|
||||
%exclude %{_mandir}/man1/Xserver.1*
|
||||
%{_mandir}/man1/Xvnc.1*
|
||||
%{_mandir}/man1/vncconfig.1*
|
||||
%{_mandir}/man1/vncpasswd.1*
|
||||
%{_mandir}/man1/vncserver.1*
|
||||
%{_mandir}/man1/x0vncserver.1*
|
||||
%{_mandir}/man8/vncserver.8*
|
||||
%{_mandir}/man8/vncsession.8*
|
||||
|
||||
%{_unitdir}/vncserver@.service
|
||||
%{_unitdir}/xvnc@.service
|
||||
%{_unitdir}/xvnc.socket
|
||||
%{_unitdir}/xvnc.target
|
||||
%{_sysusersdir}/vnc.conf
|
||||
%{_sbindir}/rcxvnc
|
||||
|
||||
%dir %{_sysconfdir}/tigervnc
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/tigervnc
|
||||
%config(noreplace) %{_sysconfdir}/tigervnc/vncserver*
|
||||
|
||||
%exclude %{_sharedstatedir}/xkb/compiled/README.compiled
|
||||
|
||||
%if %{use_firewalld}
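Review bot: In the patch list hunk (`@ -63,24 +61,15 @@`), `Patch5: u_tigervnc-cve-2014-8240.patch` is dropped, but neither the spec nor the accompanying changelog entry keeps the bug references the patch carried (`bnc#900896 CVE-2014-8240`); the changelog only links a pull request under "no longer needed". For a dropped security fix the record should keep those identifiers, so the entry would read better as `* u_tigervnc-cve-2014-8240.patch (bnc#900896, CVE-2014-8240; see https://github.com/TigerVNC/tigervnc/pull/1258)`. It is also worth confirming against the 1.12.0 sources that `Image::Init` and `ShmImage::Init` still reject a `bytes_per_line * height` product that would overflow before the `malloc` and `shmget` calls, since that check was the whole content of the removed patch.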
|
||||
|
@ -1,45 +0,0 @@
|
||||
From 38726ce083db1a9227325bf87989513499bfa698 Mon Sep 17 00:00:00 2001
|
||||
From: Pierre Ossman <ossman@cendio.se>
|
||||
Date: Thu, 18 Jun 2020 09:20:17 +0200
|
||||
Subject: [PATCH] Fix non-functional MaxDisconnectionTime
|
||||
References: bsc#1195661
|
||||
Upstream: Merged
|
||||
|
||||
Since 8e09912 this wasn't triggered properly as we checked if all
|
||||
clients were gone before we actually removed the last client from our
|
||||
list.
|
||||
---
|
||||
common/rfb/VNCServerST.cxx | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/common/rfb/VNCServerST.cxx b/common/rfb/VNCServerST.cxx
|
||||
index 8329bb23..35f65a2e 100644
|
||||
--- a/common/rfb/VNCServerST.cxx
|
||||
+++ b/common/rfb/VNCServerST.cxx
|
||||
@@ -172,11 +172,6 @@ void VNCServerST::removeSocket(network::Socket* sock) {
|
||||
clipboardClient = NULL;
|
||||
clipboardRequestors.remove(*ci);
|
||||
|
||||
- // Adjust the exit timers
|
||||
- connectTimer.stop();
|
||||
- if (rfb::Server::maxDisconnectionTime && clients.empty())
|
||||
- disconnectTimer.start(secsToMillis(rfb::Server::maxDisconnectionTime));
|
||||
-
|
||||
// - Delete the per-Socket resources
|
||||
delete *ci;
|
||||
|
||||
@@ -193,6 +188,11 @@ void VNCServerST::removeSocket(network::Socket* sock) {
|
||||
if (comparer)
|
||||
comparer->logStats();
|
||||
|
||||
+ // Adjust the exit timers
|
||||
+ connectTimer.stop();
|
||||
+ if (rfb::Server::maxDisconnectionTime && clients.empty())
|
||||
+ disconnectTimer.start(secsToMillis(rfb::Server::maxDisconnectionTime));
|
||||
+
|
||||
return;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
@ -4,10 +4,10 @@ Subject: [PATCH] Build libXvnc as separate library.
|
||||
|
||||
So it can be used by others, not only vncconfig.
|
||||
|
||||
Index: b/unix/vncconfig/CMakeLists.txt
|
||||
Index: tigervnc-1.12.0/unix/vncconfig/CMakeLists.txt
|
||||
===================================================================
|
||||
--- a/unix/vncconfig/CMakeLists.txt
|
||||
+++ b/unix/vncconfig/CMakeLists.txt
|
||||
--- tigervnc-1.12.0.orig/unix/vncconfig/CMakeLists.txt
|
||||
+++ tigervnc-1.12.0/unix/vncconfig/CMakeLists.txt
|
||||
@@ -3,13 +3,25 @@ include_directories(${X11_INCLUDE_DIR})
|
||||
include_directories(${CMAKE_SOURCE_DIR}/common)
|
||||
include_directories(${CMAKE_SOURCE_DIR}/unix/tx)
|
||||
@ -32,7 +32,7 @@ Index: b/unix/vncconfig/CMakeLists.txt
|
||||
-target_link_libraries(vncconfig tx rfb network rdr ${X11_LIBRARIES})
|
||||
+target_link_libraries(vncconfig tx rfb network rdr Xvnc ${X11_LIBRARIES})
|
||||
|
||||
install(TARGETS vncconfig DESTINATION ${BIN_DIR})
|
||||
install(TARGETS vncconfig DESTINATION ${CMAKE_INSTALL_FULL_BINDIR})
|
||||
+install(TARGETS Xvnc LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} RENAME libXvnc.so)
|
||||
install(FILES vncconfig.man DESTINATION ${MAN_DIR}/man1 RENAME vncconfig.1)
|
||||
install(FILES vncconfig.man DESTINATION ${CMAKE_INSTALL_FULL_MANDIR}/man1 RENAME vncconfig.1)
|
||||
+install(FILES vncExt.h DESTINATION ${X11_INCLUDE_DIR}/X11/extensions RENAME Xvnc.h)
|
||||
|
@ -8,20 +8,20 @@ To fit strings in languages with longer words...
|
||||
vncviewer/ServerDialog.cxx | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/vncviewer/ServerDialog.cxx b/vncviewer/ServerDialog.cxx
|
||||
index de67f87b..0a8aa775 100644
|
||||
--- a/vncviewer/ServerDialog.cxx
|
||||
+++ b/vncviewer/ServerDialog.cxx
|
||||
@@ -53,7 +53,7 @@ ServerDialog::ServerDialog()
|
||||
Index: tigervnc-1.12.0/vncviewer/ServerDialog.cxx
|
||||
===================================================================
|
||||
--- tigervnc-1.12.0.orig/vncviewer/ServerDialog.cxx
|
||||
+++ tigervnc-1.12.0/vncviewer/ServerDialog.cxx
|
||||
@@ -68,7 +68,7 @@ ServerDialog::ServerDialog()
|
||||
|
||||
serverName = new Fl_Input(x, y, w() - margin*2 - server_label_width, INPUT_HEIGHT, _("VNC server:"));
|
||||
serverName = new Fl_Input_Choice(x, y, w() - margin*2 - server_label_width, INPUT_HEIGHT, _("VNC server:"));
|
||||
|
||||
- int adjust = (w() - 20) / 4;
|
||||
+ int adjust = (w() - 20) / 3;
|
||||
int button_width = adjust - margin/2;
|
||||
|
||||
x = margin;
|
||||
@@ -76,6 +76,8 @@ ServerDialog::ServerDialog()
|
||||
@@ -91,6 +91,8 @@ ServerDialog::ServerDialog()
|
||||
|
||||
x = 0;
|
||||
y += margin/2 + BUTTON_HEIGHT;
|
||||
@ -30,6 +30,3 @@ index de67f87b..0a8aa775 100644
|
||||
|
||||
divider = new Fl_Box(x, y, w(), 2);
|
||||
divider->box(FL_THIN_DOWN_FRAME);
|
||||
--
|
||||
2.13.6
|
||||
|
||||
|
@ -1,11 +1,13 @@
|
||||
--- ./unix/xserver/hw/vnc/xorg-version.h.orig 2021-10-28 13:58:20.309981257 +0200
|
||||
+++ ./unix/xserver/hw/vnc/xorg-version.h 2021-10-28 13:59:33.179368585 +0200
|
||||
@@ -54,6 +54,8 @@
|
||||
#define XORG 119
|
||||
#elif XORG_VERSION_CURRENT < ((1 * 10000000) + (20 * 100000) + (99 * 1000))
|
||||
#define XORG 120
|
||||
+#elif XORG_VERSION_CURRENT < ((21 * 10000000) + (1 * 100000) + (99 * 1000))
|
||||
+#define XORG 211
|
||||
#else
|
||||
Index: unix/xserver/hw/vnc/xorg-version.h
|
||||
===================================================================
|
||||
--- unix/xserver/hw/vnc/xorg-version.h.orig
|
||||
+++ unix/xserver/hw/vnc/xorg-version.h
|
||||
@@ -33,7 +33,7 @@
|
||||
#error "X.Org older than 1.16 is not supported"
|
||||
#endif
|
||||
|
||||
-#if XORG_AT_LEAST(1, 21, 0)
|
||||
+#if XORG_AT_LEAST(1, 22, 0)
|
||||
#error "X.Org newer than 1.20 is not supported"
|
||||
#endif
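Review bot: The `#error` text under the changed guard still reads "X.Org newer than 1.20 is not supported" although the condition is now `XORG_AT_LEAST(1, 22, 0)`, so a build that trips it reports the wrong limit. The message should follow the guard, e.g. `#error "X.Org newer than 1.21 is not supported"`. As far as the rendering shows, the previous revision of this patch compared against `(21 * 10000000) + (1 * 100000) + (99 * 1000)`, which suggests the 21.1 series is numbered with major version 21. If so, whether `XORG_AT_LEAST(1, 22, 0)` lets that series through depends on the macro's definition, which is outside the hunk and worth checking.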
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
Index: tigervnc-1.10.1/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||
Index: tigervnc-1.12.0/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||
===================================================================
|
||||
--- tigervnc-1.10.1.orig/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||
+++ tigervnc-1.10.1/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||
--- tigervnc-1.12.0.orig/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||
+++ tigervnc-1.12.0/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||
@@ -66,6 +66,9 @@ public class CSecurityTLS extends CSecur
|
||||
public static StringParameter X509CRL
|
||||
= new StringParameter("X509CRL",
|
||||
@ -26,9 +26,9 @@ Index: tigervnc-1.10.1/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||
}
|
||||
+ String thumbprint = getThumbprint(cert);
|
||||
File vncDir = new File(FileUtils.getVncHomeDir());
|
||||
if (!vncDir.exists())
|
||||
throw new AuthFailureException("Could not obtain VNC home directory "+
|
||||
@@ -332,6 +337,9 @@ public class CSecurityTLS extends CSecur
|
||||
if (!vncDir.exists()) {
|
||||
try {
|
||||
@@ -337,6 +342,9 @@ public class CSecurityTLS extends CSecur
|
||||
store_pubkey(dbPath, client.getServerName().toLowerCase(), pk);
|
||||
} catch (java.lang.Exception e) {
|
||||
if (e.getCause() instanceof CertPathBuilderException) {
|
||||
@ -38,7 +38,7 @@ Index: tigervnc-1.10.1/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||
vlog.debug("Server host not previously known");
|
||||
vlog.debug(info);
|
||||
String text =
|
||||
@@ -519,7 +527,7 @@ public class CSecurityTLS extends CSecur
|
||||
@@ -524,7 +532,7 @@ public class CSecurityTLS extends CSecur
|
||||
private SSLEngineManager manager;
|
||||
private boolean anon;
|
||||
|
||||
@ -47,16 +47,3 @@ Index: tigervnc-1.10.1/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||
private FdInStream is;
|
||||
private FdOutStream os;
|
||||
|
||||
Index: tigervnc-1.10.1/java/com/tigervnc/vncviewer/VncViewer.java
|
||||
===================================================================
|
||||
--- tigervnc-1.10.1.orig/java/com/tigervnc/vncviewer/VncViewer.java
|
||||
+++ tigervnc-1.10.1/java/com/tigervnc/vncviewer/VncViewer.java
|
||||
@@ -393,6 +393,8 @@ public class VncViewer extends javax.swi
|
||||
// Called right after zero-arg constructor in applet mode
|
||||
setLookAndFeel();
|
||||
setBackground(Color.white);
|
||||
+
|
||||
+ SecurityClient.setDefaults();
|
||||
applet = this;
|
||||
vncServerName.put(loadAppletParameters(applet).toCharArray()).flip();
|
||||
if (embed.getValue()) {
|
||||
|
@ -1,41 +0,0 @@
|
||||
Patch-Mainline: To be upstreamed
|
||||
References: bnc#900896 CVE-2014-8240
|
||||
Signed-off-by: Michal Srb <msrb@suse.com>
|
||||
|
||||
Index: b/unix/x0vncserver/Image.cxx
|
||||
===================================================================
|
||||
--- a/unix/x0vncserver/Image.cxx
|
||||
+++ b/unix/x0vncserver/Image.cxx
|
||||
@@ -82,6 +82,14 @@ void Image::Init(int width, int height)
|
||||
xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
|
||||
ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
|
||||
|
||||
+ if (xim->bytes_per_line <= 0 ||
|
||||
+ xim->height <= 0 ||
|
||||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
|
||||
+ vlog.error("Invalid display size");
|
||||
+ XDestroyImage(xim);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
|
||||
if (xim->data == NULL) {
|
||||
vlog.error("malloc() failed");
|
||||
@@ -257,6 +265,17 @@ void ShmImage::Init(int width, int heigh
|
||||
delete shminfo;
|
||||
shminfo = NULL;
|
||||
return;
|
||||
+ }
|
||||
+
|
||||
+ if (xim->bytes_per_line <= 0 ||
|
||||
+ xim->height <= 0 ||
|
||||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
|
||||
+ vlog.error("Invalid display size");
|
||||
+ XDestroyImage(xim);
|
||||
+ xim = NULL;
|
||||
+ delete shminfo;
|
||||
+ shminfo = NULL;
|
||||
+ return;
|
||||
}
|
||||
|
||||
shminfo->shmid = shmget(IPC_PRIVATE,
|
@ -9,7 +9,7 @@ Index: common/rdr/FdOutStream.cxx
|
||||
===================================================================
|
||||
--- common/rdr/FdOutStream.cxx.orig
|
||||
+++ common/rdr/FdOutStream.cxx
|
||||
@@ -204,8 +204,12 @@ int FdOutStream::writeWithTimeout(const
|
||||
@@ -128,8 +128,12 @@ size_t FdOutStream::writeFd(const void*
|
||||
#endif
|
||||
} while (n < 0 && (errno == EINTR));
|
||||
|
||||
|
@ -1,57 +0,0 @@
|
||||
Author: Michal Srb <msrb@suse.com>
|
||||
References: bnc#956537
|
||||
Subject: Update default vnc xstartup script.
|
||||
|
||||
Index: tigervnc-1.10.1/unix/vncserver
|
||||
===================================================================
|
||||
--- tigervnc-1.10.1.orig/unix/vncserver
|
||||
+++ tigervnc-1.10.1/unix/vncserver
|
||||
@@ -58,27 +58,33 @@ $defaultXStartup
|
||||
= ("#!/bin/sh\n\n".
|
||||
"unset SESSION_MANAGER\n".
|
||||
"unset DBUS_SESSION_BUS_ADDRESS\n".
|
||||
- "OS=`uname -s`\n".
|
||||
- "if [ \$OS = 'Linux' ]; then\n".
|
||||
- " case \"\$WINDOWMANAGER\" in\n".
|
||||
- " \*gnome\*)\n".
|
||||
- " if [ -e /etc/SuSE-release ]; then\n".
|
||||
- " PATH=\$PATH:/opt/gnome/bin\n".
|
||||
- " export PATH\n".
|
||||
- " fi\n".
|
||||
- " ;;\n".
|
||||
- " esac\n".
|
||||
+ "\n".
|
||||
+ "userclientrc=\$HOME/.xinitrc\n".
|
||||
+ "sysclientrc=/usr/libexec/xinit/xinitrc\n".
|
||||
+ "\n".
|
||||
+ "if [ -f \"\$userclientrc\" ]; then\n".
|
||||
+ " client=\"\$userclientrc\"\n".
|
||||
+ "elif [ -f \"\$sysclientrc\" ]; then\n".
|
||||
+ " client=\"\$sysclientrc\"\n".
|
||||
+ "elif [ -f \"/etc/X11/xinit/xinitrc\" ]; then\n".
|
||||
+ " client=\"/etc/X11/xinit/xinitrc\"\n".
|
||||
"fi\n".
|
||||
- "if [ -x /etc/X11/xinit/xinitrc ]; then\n".
|
||||
- " exec /etc/X11/xinit/xinitrc\n".
|
||||
+ "\n".
|
||||
+ "if [ -x \"\$client\" ]; then\n".
|
||||
+ " exec dbus-launch --exit-with-x11 \"\$client\"\n".
|
||||
"fi\n".
|
||||
- "if [ -f /etc/X11/xinit/xinitrc ]; then\n".
|
||||
- " exec sh /etc/X11/xinit/xinitrc\n".
|
||||
+ "if [ -f \"\$client\" ]; then\n".
|
||||
+ " exec dbus-launch --exit-with-x11 sh \"\$client\"\n".
|
||||
"fi\n".
|
||||
+ "\n".
|
||||
"[ -r \$HOME/.Xresources ] && xrdb \$HOME/.Xresources\n".
|
||||
"xsetroot -solid grey\n".
|
||||
"xterm -geometry 80x24+10+10 -ls -title \"\$VNCDESKTOP Desktop\" &\n".
|
||||
- "twm &\n");
|
||||
+ "if [ -x /usr/bin/twm ]; then\n".
|
||||
+ " /usr/bin/twm &\n".
|
||||
+ "else\n".
|
||||
+ " echo \"No window manager found. You should install a window manager to get properly working VNC session.\"\n".
|
||||
+ "fi\n");
|
||||
|
||||
$defaultConfig
|
||||
= ("## Supported server options to pass to vncserver upon invocation can be listed\n".
|
@ -1,19 +0,0 @@
|
||||
diff -u -p -r tigervnc-1.10.0.old/unix/xserver/hw/vnc/xvnc.c tigervnc-1.10.0/unix/xserver/hw/vnc/xvnc.c
|
||||
--- tigervnc-1.10.0.old/unix/xserver/hw/vnc/xvnc.c 2020-01-15 11:19:19.486731848 +0000
|
||||
+++ tigervnc-1.10.0/unix/xserver/hw/vnc/xvnc.c 2020-01-15 11:37:33.275445409 +0000
|
||||
@@ -295,6 +295,15 @@ void ddxBeforeReset(void)
|
||||
}
|
||||
#endif
|
||||
|
||||
+#if INPUTTHREAD
|
||||
+/** This function is called in Xserver/os/inputthread.c when starting
|
||||
+ the input thread. */
|
||||
+void
|
||||
+ddxInputThreadInit(void)
|
||||
+{
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
void ddxUseMsg(void)
|
||||
{
|
||||
vncPrintBanner();
|
@ -1,7 +1,8 @@
|
||||
diff -u -r xserver.orig/configure.ac xserver/configure.ac
|
||||
--- xserver.orig/configure.ac 2021-10-28 11:39:43.200727345 +0000
|
||||
+++ xserver/configure.ac 2021-10-28 11:39:57.993008591 +0000
|
||||
@@ -72,6 +72,7 @@
|
||||
Index: xserver/configure.ac
|
||||
===================================================================
|
||||
--- xserver.orig/configure.ac
|
||||
+++ xserver/configure.ac
|
||||
@@ -72,6 +72,7 @@ dnl forcing an entire recompile.x
|
||||
AC_CONFIG_HEADERS(include/version-config.h)
|
||||
|
||||
AM_PROG_AS
|
||||
@ -9,7 +10,7 @@ diff -u -r xserver.orig/configure.ac xserver/configure.ac
|
||||
AC_PROG_LN_S
|
||||
LT_PREREQ([2.2])
|
||||
LT_INIT([disable-static win32-dll])
|
||||
@@ -1713,6 +1714,10 @@
|
||||
@@ -1713,6 +1714,10 @@ if test "x$XVFB" = xyes; then
|
||||
AC_SUBST([XVFB_SYS_LIBS])
|
||||
fi
|
||||
|
||||
@ -20,7 +21,7 @@ diff -u -r xserver.orig/configure.ac xserver/configure.ac
|
||||
|
||||
dnl Xnest DDX
|
||||
|
||||
@@ -1748,6 +1753,8 @@
|
||||
@@ -1748,6 +1753,8 @@ if test "x$XORG" = xauto; then
|
||||
fi
|
||||
AC_MSG_RESULT([$XORG])
|
||||
|
||||
@ -29,7 +30,7 @@ diff -u -r xserver.orig/configure.ac xserver/configure.ac
|
||||
if test "x$XORG" = xyes; then
|
||||
PKG_CHECK_MODULES([LIBXCVT], $LIBXCVT)
|
||||
|
||||
@@ -1956,7 +1963,6 @@
|
||||
@@ -1956,7 +1963,6 @@ if test "x$XORG" = xyes; then
|
||||
AC_DEFINE(XORG_SERVER, 1, [Building Xorg server])
|
||||
AC_DEFINE(XORGSERVER, 1, [Building Xorg server])
|
||||
AC_DEFINE(XFree86Server, 1, [Building XFree86 server])
|
||||
@ -37,7 +38,7 @@ diff -u -r xserver.orig/configure.ac xserver/configure.ac
|
||||
AC_DEFINE(NEED_XF86_TYPES, 1, [Need XFree86 typedefs])
|
||||
AC_DEFINE(NEED_XF86_PROTOTYPES, 1, [Need XFree86 helper functions])
|
||||
AC_DEFINE(__XSERVERNAME__, "Xorg", [Name of X server])
|
||||
@@ -2339,6 +2345,7 @@
|
||||
@@ -2339,6 +2345,7 @@ hw/xfree86/utils/man/Makefile
|
||||
hw/xfree86/utils/gtf/Makefile
|
||||
hw/vfb/Makefile
|
||||
hw/vfb/man/Makefile
|
||||
@ -45,10 +46,11 @@ diff -u -r xserver.orig/configure.ac xserver/configure.ac
|
||||
hw/xnest/Makefile
|
||||
hw/xnest/man/Makefile
|
||||
hw/xwin/Makefile
|
||||
diff -u -r xserver.orig/hw/Makefile.am xserver/hw/Makefile.am
|
||||
--- xserver.orig/hw/Makefile.am 2021-10-28 11:39:43.156726511 +0000
|
||||
+++ xserver/hw/Makefile.am 2021-10-28 11:41:02.890242547 +0000
|
||||
@@ -28,7 +28,8 @@
|
||||
Index: xserver/hw/Makefile.am
|
||||
===================================================================
|
||||
--- xserver.orig/hw/Makefile.am
|
||||
+++ xserver/hw/Makefile.am
|
||||
@@ -28,7 +28,8 @@ SUBDIRS = \
|
||||
$(XVFB_SUBDIRS) \
|
||||
$(XNEST_SUBDIRS) \
|
||||
$(KDRIVE_SUBDIRS) \
|
||||
@ -58,10 +60,11 @@ diff -u -r xserver.orig/hw/Makefile.am xserver/hw/Makefile.am
|
||||
|
||||
DIST_SUBDIRS = xfree86 vfb xnest xwin xquartz kdrive
|
||||
|
||||
diff -u -r xserver.orig/mi/miinitext.c xserver/mi/miinitext.c
|
||||
--- xserver.orig/mi/miinitext.c 2021-10-28 11:39:43.232727953 +0000
|
||||
+++ xserver/mi/miinitext.c 2021-10-28 11:39:57.993008591 +0000
|
||||
@@ -106,8 +106,15 @@
|
||||
Index: xserver/mi/miinitext.c
|
||||
===================================================================
|
||||
--- xserver.orig/mi/miinitext.c
|
||||
+++ xserver/mi/miinitext.c
|
||||
@@ -106,8 +106,15 @@ SOFTWARE.
|
||||
|
||||
#include "miinitext.h"
|
||||
|
||||
@ -77,10 +80,11 @@ diff -u -r xserver.orig/mi/miinitext.c xserver/mi/miinitext.c
|
||||
{GEExtensionInit, "Generic Event Extension", &noGEExtension},
|
||||
{ShapeExtensionInit, "SHAPE", NULL},
|
||||
#ifdef MITSHM
|
||||
diff -u -r xserver.old/hw/vnc/xvnc.c xserver/hw/vnc/xvnc.c
|
||||
--- xserver.old/hw/vnc/xvnc.c 2021-10-28 12:14:39.360628791 +0000
|
||||
+++ xserver/hw/vnc/xvnc.c 2021-10-28 12:30:56.599310018 +0000
|
||||
@@ -85,7 +85,18 @@
|
||||
Index: xserver/hw/vnc/xvnc.c
|
||||
===================================================================
|
||||
--- xserver.orig/hw/vnc/xvnc.c
|
||||
+++ xserver/hw/vnc/xvnc.c
|
||||
@@ -69,7 +69,18 @@ extern char buildtime[];
|
||||
#undef VENDOR_RELEASE
|
||||
#undef VENDOR_STRING
|
||||
#include "version-config.h"
|
||||
@ -98,5 +102,5 @@ diff -u -r xserver.old/hw/vnc/xvnc.c xserver/hw/vnc/xvnc.c
|
||||
+#define DEFAULT_LOG_FILE_VERBOSITY 3
|
||||
+#endif
|
||||
|
||||
#define XVNCVERSION "TigerVNC 1.10.0"
|
||||
#define XVNCCOPYRIGHT ("Copyright (C) 1999-2019 TigerVNC Team and many others (see README.rst)\n" \
|
||||
#define XVNCVERSION "TigerVNC 1.12.0"
|
||||
#define XVNCCOPYRIGHT ("Copyright (C) 1999-2021 TigerVNC Team and many others (see README.rst)\n" \
|
||||
|