Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tigervnc for openSUSE:Factory checked in at 2026-03-31 15:22:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tigervnc (Old)
 and      /work/SRC/openSUSE:Factory/.tigervnc.new.1999 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tigervnc" Tue Mar 31 15:22:10 2026 rev:116 rq:1343639 version:1.16.1 Changes: -------- --- /work/SRC/openSUSE:Factory/tigervnc/tigervnc.changes 2026-03-27 06:51:08.354005475 +0100 +++ /work/SRC/openSUSE:Factory/.tigervnc.new.1999/tigervnc.changes 2026-03-31 15:22:33.141000570 +0200 @@ -1,0 +2,9 @@ +Sat Mar 28 00:48:43 UTC 2026 - Stefan Dirsch <[email protected]> + +- U_Prevent-other-users-reading-x0vncserver-screen.patch + * Prevent other users from observing the screen, or modifying + what is sent to the client. Malicious attackers could even + crash x0vncserver if they timed the modifications right. + (CVE-2026-34352, bsc#1260871) + +------------------------------------------------------------------- New: ---- U_Prevent-other-users-reading-x0vncserver-screen.patch ----------(New B)---------- New: - U_Prevent-other-users-reading-x0vncserver-screen.patch * Prevent other users from observing the screen, or modifying ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tigervnc.spec ++++++ --- /var/tmp/diff_new_pack.4aGgLJ/_old 2026-03-31 15:22:34.561058093 +0200 +++ /var/tmp/diff_new_pack.4aGgLJ/_new 2026-03-31 15:22:34.561058093 +0200 @@ -75,6 +75,7 @@ %if %{?pkg_vcmp:%pkg_vcmp java-devel >= 17}%{!?pkg_vcmp:0} Patch8: n_tigervnc-reproducible-jar-mtime.patch %endif +Patch1260871: U_Prevent-other-users-reading-x0vncserver-screen.patch Provides: tightvnc = 1.5.0 Obsoletes: tightvnc < 1.5.0 Provides: vnc ++++++ U_Prevent-other-users-reading-x0vncserver-screen.patch ++++++ >From 0b5cab169d847789efa54459a87659d3fd484393 Mon Sep 17 00:00:00 2001 
From: Pierre Ossman <[email protected]> Date: Tue, 24 Mar 2026 09:52:01 +0100 Subject: [PATCH] Prevent other users reading x0vncserver screen Prevent other users from observing the screen, or modifying what is sent to the client. Malicious attackers can even crash x0vncserver if they time the modifications right. --- unix/x0vncserver/Image.cxx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unix/x0vncserver/Image.cxx b/unix/x0vncserver/Image.cxx index 88467c61..4e152f18 100644 --- a/unix/x0vncserver/Image.cxx +++ b/unix/x0vncserver/Image.cxx @@ -269,7 +269,7 @@ void ShmImage::Init(int width, int height, const XVisualInfo *vinfo) shminfo->shmid = shmget(IPC_PRIVATE, xim->bytes_per_line * xim->height, - IPC_CREAT|0777); + IPC_CREAT|0600); if (shminfo->shmid == -1) { perror("shmget"); vlog.error("shmget() failed (%d bytes requested)", -- 2.51.0
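Review bot: in the tigervnc.spec hunk, Patch1260871 is declared after the %endif but no matching %patch line appears in the hunk, so confirm that the spec applies it (through %autosetup or %autopatch, or an explicit %patch entry); otherwise the fix ships in the source package without reaching the built x0vncserver. The tag also jumps from Patch8 to the bug number, so a short spec comment naming bsc#1260871 would explain the numbering to the next maintainer.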
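Review bot: in the unix/x0vncserver/Image.cxx hunk, ShmImage::Init(), the new mode in "IPC_CREAT|0600);" is a bare octal literal with no comment explaining why it must stay owner-only. IPC_PRIVATE only gives the segment a fresh key; it is the mode bits that decide which local users may attach, so a one-line comment saying the segment holds screen contents and must not be group or world accessible would keep it from being loosened again. It would also help if the commit message stated whether attaching was tested when the X server runs under a different uid than x0vncserver, since the visible error path only covers shmget() returning -1.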
