commit: 7d34efcadf87745e87a111c8ea478b275aed41cd Author: Quentin Retornaz <gentoo <AT> retornaz <DOT> com> AuthorDate: Sun Jan 17 21:07:17 2021 +0000 Commit: Quentin Retornaz <gentoo <AT> retornaz <DOT> com> CommitDate: Sun Jan 17 21:07:17 2021 +0000 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=7d34efca
x11-misc/x11vnc: new package Package-Manager: Portage-3.0.12, Repoman-3.0.2 Signed-off-by: Quentin Retornaz <gentoo <AT> retornaz.com> x11-misc/x11vnc/Manifest | 1 + .../files/x11vnc-0.9.16-CVE-2020-29074.patch | 25 ++++++ .../x11vnc/files/x11vnc-0.9.16-anonymous-ssl.patch | 26 ++++++ x11-misc/x11vnc/files/x11vnc-0.9.16-crypto.patch | 23 ++++++ .../x11vnc/files/x11vnc-0.9.16-fno-common.patch | 45 +++++++++++ x11-misc/x11vnc/files/x11vnc-0.9.16-libressl.patch | 93 ++++++++++++++++++++++ x11-misc/x11vnc/files/x11vnc.conf.d | 37 +++++++++ x11-misc/x11vnc/files/x11vnc.init.d | 70 ++++++++++++++++ x11-misc/x11vnc/metadata.xml | 26 ++++++ x11-misc/x11vnc/x11vnc-0.9.16-r4.ebuild | 81 +++++++++++++++++++ 10 files changed, 427 insertions(+)
diff --git a/x11-misc/x11vnc/Manifest b/x11-misc/x11vnc/Manifest
new file mode 100644
index 0000000..99593c7
--- /dev/null
+++ b/x11-misc/x11vnc/Manifest
@@ -0,0 +1 @@
+DIST x11vnc-0.9.16.tar.gz 1708009 BLAKE2B a8789f95ef421a78a83703748e1d80fd45539dff24f80493fd75e357bc22378213915853f9d114248c172cd83977880e1e4e8a3f8df0771017e9988d83b7307d SHA512 69f65ee312f8dede6051b401304987502a213c6c28c7f41e855734f11de1fae14d5d493dc9c28b2e4b7c0be55f8dbd3b35dd2610aae910183772c3e626736fec
diff --git a/x11-misc/x11vnc/files/x11vnc-0.9.16-CVE-2020-29074.patch b/x11-misc/x11vnc/files/x11vnc-0.9.16-CVE-2020-29074.patch
new file mode 100644
index 0000000..12f65b9
--- /dev/null
+++ b/x11-misc/x11vnc/files/x11vnc-0.9.16-CVE-2020-29074.patch
@@ -0,0 +1,25 @@
+From 69eeb9f7baa14ca03b16c9de821f9876def7a36a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Gu=C3=A9nal=20DAVALAN?= <guenal.dava...@uca.fr>
+Date: Wed, 18 Nov 2020 08:40:45 +0100
+Subject: [PATCH] scan: limit access to shared memory segments to current user
+
+---
+ src/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/scan.c b/src/scan.c
+index 43e00d2..12994d5 100644
+--- a/src/scan.c
++++ b/src/scan.c
+@@ -320,7 +320,7 @@ static int shm_create(XShmSegmentInfo *shm, XImage **ximg_ptr, int w, int h,
+
+ #if HAVE_XSHM
+ shm->shmid = shmget(IPC_PRIVATE,
+- xim->bytes_per_line * xim->height, IPC_CREAT | 0777);
++ xim->bytes_per_line * xim->height, IPC_CREAT | 0600);
+
+ if (shm->shmid == -1) {
+ rfbErr("shmget(%s) failed.\n", name);
+--
+2.26.2
+
diff --git a/x11-misc/x11vnc/files/x11vnc-0.9.16-anonymous-ssl.patch b/x11-misc/x11vnc/files/x11vnc-0.9.16-anonymous-ssl.patch
new file mode 100644
index 0000000..3dafb9a
--- /dev/null
+++ b/x11-misc/x11vnc/files/x11vnc-0.9.16-anonymous-ssl.patch
@@ -0,0 +1,26 @@
+From b9cf79fd3d61a7586fe6b24b3141e406cdf334eb Mon Sep 17 00:00:00 2001
+From: Jim Broadus <jbroa...@xevo.com>
+Date: Wed, 2 Jan 2019 17:37:40 -0800
+Subject: [PATCH] Fix anonymous SSL. In version 1.1.0, openssl introduced a
+ security level concept. Only level 0 allows the use of unauthenticated cipher
+ suites such as ADH.
+
+---
+ src/sslhelper.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/sslhelper.c b/src/sslhelper.c
+index 1a3e7474..04c2e273 100644
+--- a/src/sslhelper.c
++++ b/src/sslhelper.c
+@@ -1596,6 +1596,10 @@ static int switch_to_anon_dh(void) {
+ if (ssl_client_mode) {
+ return 1;
+ }
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ /* Security level must be set to 0 for unauthenticated suites. */
++ SSL_CTX_set_security_level(ctx, 0);
++#endif
+ if (!SSL_CTX_set_cipher_list(ctx, "ADH:@STRENGTH")) {
+ return 0;
+ }
diff --git a/x11-misc/x11vnc/files/x11vnc-0.9.16-crypto.patch b/x11-misc/x11vnc/files/x11vnc-0.9.16-crypto.patch
new file mode 100644
index 0000000..21872e7
--- /dev/null
+++ b/x11-misc/x11vnc/files/x11vnc-0.9.16-crypto.patch
@@ -0,0 +1,23 @@
+From 3024af3685be9eb618352bd17ba37953d8076946 Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontm...@freeshell.org>
+Date: Thu, 17 Jan 2019 14:05:53 +0100
+Subject: [PATCH] unixpw: don't try to use crypt() when it isn't available
+
+Closes #86
+---
+ src/unixpw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/unixpw.c b/src/unixpw.c
+index 9a43cec..e2cb016 100644
+--- a/src/unixpw.c
++++ b/src/unixpw.c
+@@ -757,7 +757,7 @@ int unixpw_list_match(char *user) {
+ }
+
+ int crypt_verify(char *user, char *pass) {
+-#ifndef UNIXPW_CRYPT
++#if !defined UNIXPW_CRYPT || !defined HAVE_LIBCRYPT
+ return 0;
+ #else
+ struct passwd *pwd;
diff --git a/x11-misc/x11vnc/files/x11vnc-0.9.16-fno-common.patch b/x11-misc/x11vnc/files/x11vnc-0.9.16-fno-common.patch
new file mode 100644
index 0000000..504159e
--- /dev/null
+++ b/x11-misc/x11vnc/files/x11vnc-0.9.16-fno-common.patch
@@ -0,0 +1,45 @@
+From a48b0b1cd887d7f3ae67f525d7d334bd2feffe60 Mon Sep 17 00:00:00 2001
+From: Alexander Tsoy <alexan...@tsoy.me>
+Date: Tue, 28 Jan 2020 22:21:01 +0300
+Subject: [PATCH] Fix build with -fno-common
+
+GCC 10 defaults to -fno-common
+---
+ src/util.c | 3 +++
+ src/util.h | 6 +++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index a82a1a4..6a52ebf 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -47,6 +47,9 @@ int hxl = 0;
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
+ MUTEX(x11Mutex);
+ MUTEX(scrollMutex);
++MUTEX(clientMutex);
++MUTEX(inputMutex);
++MUTEX(pointerMutex);
+ #endif
+
+ int nfix(int i, int n);
+diff --git a/src/util.h b/src/util.h
+index 35c1afd..99b5dd1 100644
+--- a/src/util.h
++++ b/src/util.h
+@@ -102,9 +102,9 @@ extern struct timeval _mysleep;
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
+ extern MUTEX(x11Mutex);
+ extern MUTEX(scrollMutex);
+-MUTEX(clientMutex);
+-MUTEX(inputMutex);
+-MUTEX(pointerMutex);
++extern MUTEX(clientMutex);
++extern MUTEX(inputMutex);
++extern MUTEX(pointerMutex);
+ #endif
+
+ #define X_INIT INIT_MUTEX(x11Mutex)
+--
+2.24.1
+
diff --git a/x11-misc/x11vnc/files/x11vnc-0.9.16-libressl.patch b/x11-misc/x11vnc/files/x11vnc-0.9.16-libressl.patch
new file mode 100644
index 0000000..8e5d8a6
--- /dev/null
+++ b/x11-misc/x11vnc/files/x11vnc-0.9.16-libressl.patch
@@ -0,0 +1,93 @@
+diff --git a/src/sslhelper.c b/src/sslhelper.c
+index 04c2e27..fb9daa6 100644
+--- a/src/sslhelper.c
++++ b/src/sslhelper.c
+@@ -803,7 +803,7 @@ static int pem_passwd_callback(char *buf, int size, int rwflag,
+ static int crl_callback(X509_STORE_CTX *callback_ctx) {
+ const ASN1_INTEGER *revoked_serial;
+ X509_STORE_CTX *store_ctx;
+-#if OPENSSL_VERSION_NUMBER > 0x10100000L
++#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ X509_OBJECT *obj;
+ #else
+ X509_OBJECT obj;
+@@ -829,7 +829,7 @@ static int crl_callback(X509_STORE_CTX *callback_ctx) {
+ * the current certificate in order to verify it's integrity. */
+ store_ctx = X509_STORE_CTX_new();
+ X509_STORE_CTX_init(store_ctx, revocation_store, NULL, NULL);
+-#if OPENSSL_VERSION_NUMBER > 0x10100000L
++#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ obj = X509_OBJECT_new();
+ rc=X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, obj);
+ crl = X509_OBJECT_get0_X509_CRL(obj);
+@@ -865,7 +865,7 @@ static int crl_callback(X509_STORE_CTX *callback_ctx) {
+ rfbLog("Invalid signature on CRL\n");
+ X509_STORE_CTX_set_error(callback_ctx,
+ X509_V_ERR_CRL_SIGNATURE_FAILURE);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ X509_OBJECT_free(obj);
+ #else
+ X509_OBJECT_free_contents(&obj);
+@@ -883,7 +883,7 @@ static int crl_callback(X509_STORE_CTX *callback_ctx) {
+ rfbLog("Found CRL has invalid nextUpdate field\n");
+ X509_STORE_CTX_set_error(callback_ctx,
+ X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ X509_OBJECT_free(obj);
+ #else
+ X509_OBJECT_free_contents(&obj);
+@@ -894,14 +894,14 @@ static int crl_callback(X509_STORE_CTX *callback_ctx) {
+ rfbLog("Found CRL is expired - "
+ "revoking all certificates until you get updated CRL\n");
+ X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ X509_OBJECT_free(obj);
+ #else
+ X509_OBJECT_free_contents(&obj);
+ #endif
+ return 0; /* Reject connection */
+ }
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ X509_OBJECT_free(obj);
+ #else
+ X509_OBJECT_free_contents(&obj);
+@@ -912,7 +912,7 @@ static int crl_callback(X509_STORE_CTX *callback_ctx) {
+ * the current certificate in order to check for revocation. */
+ store_ctx = X509_STORE_CTX_new();
+ X509_STORE_CTX_init(store_ctx, revocation_store, NULL, NULL);
+-#if OPENSSL_VERSION_NUMBER > 0x10100000L
++#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ obj = X509_OBJECT_new();
+ rc=X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, obj);
+ crl = X509_OBJECT_get0_X509_CRL(obj);
+@@ -942,7 +942,7 @@ static int crl_callback(X509_STORE_CTX *callback_ctx) {
+ "revoked per CRL from issuer %s\n", serial, serial, cp);
+ OPENSSL_free(cp);
+ X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CERT_REVOKED);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ X509_OBJECT_free(obj);
+ #else
+ X509_OBJECT_free_contents(&obj);
+@@ -950,7 +950,7 @@ static int crl_callback(X509_STORE_CTX *callback_ctx) {
+ return 0; /* Reject connection */
+ }
+ }
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ X509_OBJECT_free(obj);
+ #else
+ X509_OBJECT_free_contents(&obj);
+@@ -1596,7 +1596,7 @@ static int switch_to_anon_dh(void) {
+ if (ssl_client_mode) {
+ return 1;
+ }
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /* Security level must be set to 0 for unauthenticated suites. */
+ SSL_CTX_set_security_level(ctx, 0);
+ #endif
diff --git a/x11-misc/x11vnc/files/x11vnc.conf.d b/x11-misc/x11vnc/files/x11vnc.conf.d
new file mode 100644
index 0000000..91f2a13
--- /dev/null
+++ b/x11-misc/x11vnc/files/x11vnc.conf.d
@@ -0,0 +1,37 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# Configuration for running x11vnc as a service. This allows VNC
+# connections prior to logging in to the X display manager.
+
+# Password file location of the password file for VNC Connections
+# Prior to first run, you must configure a password, to do so please
+# run `x11vnc -storepasswd /etc/x11vnc.pass`. Replace /etc/x11vnc.pass
+# ith the location you have specified below
+#X11VNC_RFBAUTH="/etc/x11vnc.pass"
+
+# Port to listen on for incoming connections
+#X11VNC_RFBPORT="5900"
+
+# Automatically probe for a free port to listen on for incoming connections
+# starting from the port number specified
+# Setting this will diable X11VNC_RFBPORT above
+# See `man x11vnc`, option `-autoport` for more information
+#X11VNC_AUTOPORT=""
+
+# X Display to attach to
+# This should match the display your DM is running on
+#X11VNC_DISPLAY=":0"
+
+# Location of the x11vnc logfile
+#X11VNC_LOG="/var/log/x11vnc"
+
+# Miscelaneous options to pass to x11vnc.
+# Do not set options that are configurable above.
+# Check `x11vnc -help` or `man x11vnc` for more options.
+# * Modern composting DMs/WMs will require "-noxdamage"
+# * If you experience crashes on logging in, try "-noxfixes"
+# * Other suggested options include "-noxrecord" and "-ncache ##"
+# Refer to the x11vnc man page for further explanations.
+#X11VNC_OPTS=""
+
diff --git a/x11-misc/x11vnc/files/x11vnc.init.d b/x11-misc/x11vnc/files/x11vnc.init.d
new file mode 100644
index 0000000..4adcb23
--- /dev/null
+++ b/x11-misc/x11vnc/files/x11vnc.init.d
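Review bot: The libressl patch carries no header explaining its intent, whereas the other four patches in files/ keep their upstream From:/Subject: lines, so a future version bump has nothing to tell it when the patch can be dropped. A short description at the top of the file, stating that LibreSSL reports a 2.x OPENSSL_VERSION_NUMBER while keeping the pre-1.1 X509_OBJECT API and (if that is the reason for the switch_to_anon_dh hunk) not providing SSL_CTX_set_security_level, would be enough. The last hunk also means anonymous DH is configured on LibreSSL without lowering the security level, so whether the `ADH:@STRENGTH` cipher list is accepted there is not established by this patch and deserves a note or a test. switch_to_anon_dh continues outside the hunk.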
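Review bot: Several comments in the new conf.d have typos that every administrator configuring the service will read: `# ith the location you have specified below` should be `# with the location you have specified below`, `diable` should be `disable`, `Miscelaneous` should be `Miscellaneous`, and `composting` should be `compositing`. The line `# Setting this will diable X11VNC_RFBPORT above` also documents behaviour that the paired init script has to implement; it is worth checking that the two files agree on which variable the autoport case clears.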
@@ -0,0 +1,70 @@
+#!/sbin/openrc-run
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+description="The x11vnc daemon init script"
+
+depend() {
+ need net
+ need xdm
+}
+
+checkconfig() {
+
+ # Set Defaults
+ X11VNC_RFBAUTH=${X11VNC_RFBAUTH:-/etc/x11vnc.pass}
+ X11VNC_RFBPORT=${X11VNC_RFBPORT:-5900}
+ X11VNC_DISPLAY=${X11VNC_DISPLAY:-:0}
+ X11VNC_LOG=${X11VNC_LOG:-/var/log/x11vnc}
+
+ X11VNC_AUTH="/var/run/x11vnc-${X11VNC_DISPLAY}"
+
+ if [ -n "${X11VNC_AUTOPORT}" ]; then
+ X11VNC_PORT=""
+ fi
+
+ if [ ! -f "${X11VNC_RFBAUTH}" -o ! -s "${X11VNC_RFBAUTH}" ]; then
+ eerror "VNC Password not set, please set one by running: \`x11vnc -storepasswd ${X11VNC_RFBAUTH}\`"
+ return 1
+ fi
+ checkpath -q -f -m 0600 -o root:root "${X11VNC_RFBAUTH}"
+
+ # Attempt to find X-Auth file
+ if ! type xauth > /dev/null 2>&1 ||
+ ! xauth -f /root/.Xauthority extract - "${X11VNC_DISPLAY}" > "${X11VNC_AUTH}" 2>/dev/null ||
+ [ ! -s "${X11VNC_AUTH}" ]; then
+ # Let x11vnc guess at auth
+ X11VNC_AUTH_OPTS="--env FD_XDM=1 -auth guess"
+ else
+ # We found the proper auth
+ X11VNC_AUTH_OPTS="-auth ${X11VNC_AUTH}"
+ fi
+
+ if [ ! -f "${X11VNC_AUTH}" ]; then
+ eerror "Specified X-Authority file '${X11VNC_AUTH}' not found!"
+ return 1
+ fi
+}
+
+start() {
+ checkconfig || return 1
+
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start \
+ --exec /usr/bin/x11vnc -- \
+ ${X11VNC_AUTH_OPTS} \
+ -rfbauth ${X11VNC_RFBAUTH} \
+ ${X11VNC_RFBPORT:+-rfbport} ${X11VNC_RFBPORT} \
+ ${X11VNC_AUTOPORT:+-autoport} ${X11VNC_AUTOPORT} \
+ -display ${X11VNC_DISPLAY} \
+ -o ${X11VNC_LOG} \
+ -bg -forever \
+ ${X11VNC_OPTS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop /usr/bin/x11vnc
+ eend $?
+}
diff --git a/x11-misc/x11vnc/metadata.xml b/x11-misc/x11vnc/metadata.xml
new file mode 100644
index 0000000..40fa318
--- /dev/null
+++ b/x11-misc/x11vnc/metadata.xml
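Review bot: The X authority cookie written by `xauth -f /root/.Xauthority extract - "${X11VNC_DISPLAY}" > "${X11VNC_AUTH}"` is created with whatever mode the service's umask yields, so the MIT-MAGIC-COOKIE for the display manager's X session may end up readable by any local user under /var/run; create the file with restricted permissions before the redirect, e.g. `checkpath -q -f -m 0600 -o root:root "${X11VNC_AUTH}"` alongside the existing checkpath call for the password file, or put `umask 077` at the top of checkconfig. The autoport branch assigns `X11VNC_PORT=""` but start() reads `${X11VNC_RFBPORT:+-rfbport}`, so both -rfbport and -autoport are passed whenever X11VNC_AUTOPORT is set; that line should be `X11VNC_RFBPORT=""`. When xauth is not installed the first term of the `||` chain short-circuits before the redirect ever creates "${X11VNC_AUTH}", so the later `[ ! -f "${X11VNC_AUTH}" ]` test makes checkconfig return 1 and the `-auth guess` fallback is never reached; that existence check appears to belong only to the branch that found the cookie. In stop(), `/usr/bin/x11vnc` is passed without `--exec` or `--pidfile`; unless OpenRC's start-stop-daemon accepts it positionally, `--exec /usr/bin/x11vnc` is needed for the stop to match the daemon.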
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>alexan...@tsoy.me</email>
+ <name>Alexander Tsoy</name>
+ </maintainer>
+ <maintainer type="project">
+ <email>proxy-ma...@gentoo.org</email>
+ <name>Proxy Maintainers</name>
+ </maintainer>
+ <longdescription>
+ The primary goal of this program is to create a portable and
+ simple command-line server utility that allows a VNC viewer
+ to connect to an actual X display.
+ </longdescription>
+ <use>
+ <flag name="xdamage">Enable support for the Xdamage library</flag>
+ <flag name="xfixes">Enable support for the Xfixes library</flag>
+ <flag name="xrandr">Enable support for the X xrandr extension</flag>
+ </use>
+ <upstream>
+ <remote-id type="sourceforge">libvncserver</remote-id>
+ <remote-id type="github">LibVNC/x11vnc</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/x11-misc/x11vnc/x11vnc-0.9.16-r4.ebuild b/x11-misc/x11vnc/x11vnc-0.9.16-r4.ebuild
new file mode 100644
index 0000000..2e798c0
--- /dev/null
+++ b/x11-misc/x11vnc/x11vnc-0.9.16-r4.ebuild
@@ -0,0 +1,81 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools
+
+DESCRIPTION="VNC server for real X displays"
+HOMEPAGE="https://libvnc.github.io/"
+SRC_URI="https://github.com/LibVNC/x11vnc/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2+-with-openssl-exception"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ~ia64 ~mips ppc ppc64 ~s390 sparc x86 ~amd64-linux ~x86-linux ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="crypt fbcon libressl ssl +xcomposite +xdamage +xfixes xinerama +xrandr zeroconf"
+
+COMMON_DEPEND="
+ >=net-libs/libvncserver-0.9.8[ssl=]
+ x11-libs/libX11
+ x11-libs/libXcursor
+ x11-libs/libXext
+ >=x11-libs/libXtst-1.1.0
+ ssl? (
+ !libressl? ( dev-libs/openssl:0= )
+ libressl? ( dev-libs/libressl:= )
+ )
+ xcomposite? ( x11-libs/libXcomposite )
+ xdamage? ( x11-libs/libXdamage )
+ xfixes? ( x11-libs/libXfixes )
+ xinerama? ( x11-libs/libXinerama )
+ xrandr? ( x11-libs/libXrandr )
+ zeroconf? ( >=net-dns/avahi-0.6.4 )
+"
+DEPEND="${COMMON_DEPEND}
+ x11-base/xorg-proto
+ x11-libs/libXt
+"
+# https://bugzilla.redhat.com/show_bug.cgi?id=920554
+RDEPEND="${COMMON_DEPEND}
+ dev-lang/tk:0
+"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-crypto.patch # https://github.com/LibVNC/x11vnc/issues/86
+ "${FILESDIR}"/${P}-anonymous-ssl.patch # https://github.com/LibVNC/x11vnc/pull/85
+ "${FILESDIR}"/${P}-libressl.patch
+ "${FILESDIR}"/${P}-fno-common.patch
+ "${FILESDIR}"/${P}-CVE-2020-29074.patch
+)
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_configure() {
+ # --without-v4l because of missing video4linux 2.x support wrt #389079
+ local myconf=(
+ --without-v4l
+ --without-xkeyboard
+ --without-fbpm
+ --without-dpms
+ $(use_with crypt)
+ $(use_with fbcon fbdev)
+ $(use_with ssl)
+ $(use_with ssl crypto)
+ $(use_with xcomposite)
+ $(use_with xdamage)
+ $(use_with xfixes)
+ $(use_with xinerama)
+ $(use_with xrandr)
+ $(use_with zeroconf avahi)
+ )
+ econf "${myconf[@]}"
+}
+
+src_install() {
+ default
+ newinitd "${FILESDIR}/x11vnc.init.d" x11vnc
+ newconfd "${FILESDIR}/x11vnc.conf.d" x11vnc
+}