Hello community, here is the log from the commit of package LibVNCServer for openSUSE:Factory checked in at 2019-03-01 16:46:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/LibVNCServer (Old) and /work/SRC/openSUSE:Factory/.LibVNCServer.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "LibVNCServer" Fri Mar 1 16:46:08 2019 rev:38 rq:679220 version:0.9.12 Changes: -------- --- /work/SRC/openSUSE:Factory/LibVNCServer/LibVNCServer.changes 2018-05-19 15:41:11.741416853 +0200 +++ /work/SRC/openSUSE:Factory/.LibVNCServer.new.28833/LibVNCServer.changes 2019-03-01 16:46:11.841827019 +0100 
@@ -1,0 +2,128 @@ +Wed Feb 20 15:56:14 UTC 2019 - Felix Zhang <[email protected]> + +- Add BuildRequire libgnutls-devel: Remmina needs it for VNC + connections (boo#1123805) + +------------------------------------------------------------------- +Mon Feb 11 09:16:53 UTC 2019 - Petr Gajdos <[email protected]> + +- use upstream commit, amend cmake-libdir.patch + +------------------------------------------------------------------- +Mon Feb 11 09:13:18 UTC 2019 - Petr Gajdos <[email protected]> + +- fix cmake build, add cmake-libdir.patch (upstream issue #281) + +------------------------------------------------------------------- +Tue Feb 5 09:59:42 UTC 2019 - Petr Gajdos <[email protected]> + +- update to version 0.9.12 + - Overall changes: + * CMake now is the default build system, Autotools were removed. + * In addition to TravisCI, all commits are now build-tested by AppVeyorCI. + - LibVNCServer/LibVNCClient: + * Numerous build fixes for Visual Studio compilers to the extent that + one can now _build_ the project with these. The needed changes for + successfully _running_ stuff will be implemented in 0.9.13. + * Fixed building for Android and added build instructions. + * Removed the unused PolarSSL wrapper. + * Updated the bundled noVNC to latest release 1.0.0. + * Allowed to use global LZO library instead of miniLZO. + - LibVNCClient: + * Support for OpenSSL 1.1.x. + * Support for overriding the default rectangle decode handlers (with + hardware-accelerated ones for instance) thanks to Balazs Ludmany. + * vnc2mpg updated. + * Added support for X509 server certificate verification as part of the + handshake process thanks to Simon Waterman. + * Added a TRLE decoder thanks to Wiki Wang. + * Included Tight decoding optimizations from TurboVNC thanks to DRC. + * Ported the SDL viewer from SDL 1.2 to SDL 2.0. + * Numerous security fixes. + * Added support for custom auth handlers in order to support additional + security types. 
+ - LibVNCServer: + * Websockets rework to remove obsolete code thanks to Andreas Weigel. + * Ensured compatibility with gtk-vnc 0.7.0+ thanks to Michał Kępień. + * The built-in webserver now sends correct MIME type for Javascript. + * Numerous memory management issues fixed. + * Made the TightVNC-style file transfer more stable. +- removed patches + - LibVNCServer-CVE-2018-20021.patch (upstreamed) + - LibVNCServer-CVE-2018-20023.patch (upstreamed) + - libvncserver-0.9.10-ossl.patch (not upstreamed) + - LibVNCServer-CVE-2018-15127.patch (upstreamed) + - LibVNCServer-CVE-2018-6307.patch (upstreamed) + - LibVNCServer-CVE-2018-20019.patch (upstreamed) + - LibVNCServer-CVE-2018-7225.patch (upstreamed) + - LibVNCServer-CVE-2018-20022.patch (upstreamed) + - libvncserver-0.9.1-multilib.patch (cmake now) + - LibVNCServer-CVE-2018-15126.patch (upstreamed) + - LibVNCServer-CVE-2018-20020.patch (upstreamed) + - LibVNCServer-CVE-2018-20024.patch (upstreamed) +- removed by upstream + - libvncserver-config +- security update + * CVE-2018-20749 [bsc#1123828] + + LibVNCServer-CVE-2018-20749.patch + +------------------------------------------------------------------- +Fri Jan 11 14:10:36 UTC 2019 - [email protected] + +- Fix devel package dependencies + +------------------------------------------------------------------- +Thu Jan 3 16:33:06 UTC 2019 - Petr Gajdos <[email protected]> + +- security update + * CVE-2018-15126 [bsc#1120114] + + LibVNCServer-CVE-2018-15126.patch + * CVE-2018-6307 [bsc#1120115] + + LibVNCServer-CVE-2018-6307.patch + * CVE-2018-20020 [bsc#1120116] + + LibVNCServer-CVE-2018-20020.patch + * CVE-2018-15127 [bsc#1120117] + + LibVNCServer-CVE-2018-15127.patch + * CVE-2018-20019 [bsc#1120118] + + LibVNCServer-CVE-2018-20019.patch + * CVE-2018-20023 [bsc#1120119] + + LibVNCServer-CVE-2018-20023.patch + * CVE-2018-20022 [bsc#1120120] + + LibVNCServer-CVE-2018-20022.patch + * CVE-2018-20024 [bsc#1120121] + + LibVNCServer-CVE-2018-20024.patch + * CVE-2018-20021 
[bsc#1120122] + + LibVNCServer-CVE-2018-20021.patch + +------------------------------------------------------------------- +Thu Jan 3 15:11:20 UTC 2019 - Petr Gajdos <[email protected]> + +- Update to version 0.9.11 + Overall changes: + LibVNCServer/LibVNCClient development now uses continous intregration, + provided by TravisCI. + LibVNCClient: + Now initializes libgcrypt before use if the application did not do it. + Fixes a crash when connection to Mac hosts + (#45). + Various fixes that result in more stable handling of malicious or broken + servers. + Removed broken and unmaintained H264 decoding. + Some documentation fixes. + Added hooks to WriteToTLS() for optional protection by mutex. + LibVNCServer: + Stability fixes for the WebSocket implementation. + Replaced SHA1 implementation with the one from RFC 6234. + The built-in HTTP server does not allow directory traversals anymore. + The built-in HTTP now sends correct MIME types for CSS and SVG. + Added support for systemd socket activation. + Made it possible to get autoPort behavior with either ipv4 or ipv6 + disabled. + Fixed starting of an onHold-client in threaded mode. 
+- dropped patches: + - libvncserver-0.9.10-use-namespaced-rfbMax-macro.patch (upstreamed) + - libvncserver-byteswap.patch (stop maintaining not upstreamed patch) +- modified patches: + % libvncserver-0.9.10-ossl.patch (refreshed) + +------------------------------------------------------------------- Old: ---- LibVNCServer-CVE-2018-7225.patch libvncserver-0.9.1-multilib.patch libvncserver-0.9.10-ossl.patch libvncserver-0.9.10-use-namespaced-rfbMax-macro.patch libvncserver-LibVNCServer-0.9.10.tar.gz libvncserver-byteswap.patch New: ---- LibVNCServer-0.9.12.tar.gz LibVNCServer-CVE-2018-20749.patch cmake-libdir.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ LibVNCServer.spec ++++++ --- /var/tmp/diff_new_pack.dlLuY9/_old 2019-03-01 16:46:12.593826734 +0100 +++ /var/tmp/diff_new_pack.dlLuY9/_new 2019-03-01 16:46:12.597826733 +0100 @@ -1,7 +1,7 @@ # # spec file for package LibVNCServer # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,36 +12,33 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # +%define libnum 1 Name: LibVNCServer -Version: 0.9.10 +Version: 0.9.12 Release: 0 Summary: VNC Development Library License: GPL-2.0-or-later Group: Development/Libraries/X11 Url: https://github.com/LibVNC/libvncserver # Archive is renamed by github -#Source0: https://github.com/LibVNC/libvncserver/archive/%{name}-%{version}.tar.gz -Source0: libvncserver-%{name}-%{version}.tar.gz +Source0: https://github.com/LibVNC/libvncserver/archive/%{name}-%{version}.tar.gz Source1: baselibs.conf -#PATCH-FIX-OPENSUSE: multilib support -Patch1: libvncserver-0.9.1-multilib.patch #PATCH-FIX-OPENSUSE: redefine keysyms only if needed -Patch7: redef-keysym.patch -#PATCH_FIX-OPENSUSE: Use system fast byteswap routines. -Patch11: libvncserver-byteswap.patch -Patch12: libvncserver-%{version}-ossl.patch -#PATCH-FIX-UPSTREAM: use namespaced rfbMax macro (avoids conflicts with stl_algobase.h), picked from upstream -Patch13: libvncserver-0.9.10-use-namespaced-rfbMax-macro.patch -Patch14: LibVNCServer-CVE-2018-7225.patch +Patch0: redef-keysym.patch +# https://github.com/LibVNC/libvncserver/issues/281 +Patch1: cmake-libdir.patch +Patch2: LibVNCServer-CVE-2018-20749.patch +BuildRequires: cmake +BuildRequires: gcc-c++ BuildRequires: libavahi-devel BuildRequires: libgcrypt-devel +BuildRequires: libgnutls-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel -BuildRequires: libtool BuildRequires: lzo-devel BuildRequires: openssl-devel BuildRequires: pkgconfig 
@@ -60,28 +57,28 @@ real running X11 server) has been split off into its own package on 2007-07-16. -%package -n libvncclient0 +%package -n libvncclient%{libnum} Summary: Library implementing a VNC client Group: System/Libraries Obsoletes: linuxvnc < %{version} Conflicts: LibVNCServer < %version -%description -n libvncclient0 +%description -n libvncclient%{libnum} LibVNCServer/LibVNCClient are cross-platform C libraries that allow implementing VNC server or client functionality in your program. -%package -n libvncserver0 +%package -n libvncserver%{libnum} Summary: Library implementing a VNC server Group: System/Libraries -%description -n libvncserver0 +%description -n libvncserver%{libnum} LibVNCServer/LibVNCClient are cross-platform C libraries that allow implementing VNC server or client functionality in your program. %package devel Requires: gnutls-devel -Requires: libvncclient0 = %version -Requires: libvncserver0 = %version +Requires: libvncclient%{libnum} = %version +Requires: libvncserver%{libnum} = %version Requires: zlib-devel Summary: VNC Development Library Group: Development/Libraries/X11 
@@ -101,67 +98,46 @@ %prep %setup -q -n libvncserver-%{name}-%{version} -%patch1 -p1 -b .multilib -#%patch2 -p1 -b .system_minilzo -%patch7 -p1 -# aclocal; autoheader; automake --add-missing --copy; autoconf -# ./configure --enable-maintainer-mode -# sh ./autogen.sh -%patch11 -%patch12 -%patch13 -p1 -%patch14 -p1 +%patch0 -p1 +%patch1 -p1 +#%patch2 -p1 # fix encoding -for file in AUTHORS ChangeLog ; do +for file in ChangeLog ; do mv ${file} ${file}.OLD && \ iconv -f ISO_8859-1 -t UTF8 ${file}.OLD > ${file} && \ touch --reference ${file}.OLD $file done -#nuke bundled minilzo -#rm -f common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c - -# needed by patch 2 (and to nuke rpath's) -#autoreconf - %build -CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -D_REENTRANT" \ -NOCONFIGURE=1 ./autogen.sh - -# Plase note that tightvn cause a problem; need to be fix -%configure --disable-static --with-pic --enable-shared --with-gnu-ld --without-tightvnc-filetransfer - +%cmake make %{?_smp_mflags} -%{__install} -d -m0755 RPM_BUILD_ROOT%{_datadir}/x11vnc/classes - %check -make check +make test %install -%makeinstall -%{__rm} -f %{buildroot}%{_libdir}/*.la -%{__rm} -f %{buildroot}%{_libdir}/*.a - -%post -n libvncclient0 -p /sbin/ldconfig -%postun -n libvncclient0 -p /sbin/ldconfig -%post -n libvncserver0 -p /sbin/ldconfig -%postun -n libvncserver0 -p /sbin/ldconfig +%cmake_install + +%post -n libvncclient%{libnum} -p /sbin/ldconfig +%postun -n libvncclient%{libnum} -p /sbin/ldconfig +%post -n libvncserver%{libnum} -p /sbin/ldconfig +%postun -n libvncserver%{libnum} -p /sbin/ldconfig -%files -n libvncserver0 +%files -n libvncserver%{libnum} %defattr(-,root,root) -%doc COPYING README -%_libdir/libvncserver.so.0* +%doc COPYING README.md +%_libdir/libvncserver.so.%{version} +%_libdir/libvncserver.so.%{libnum}* -%files -n libvncclient0 +%files -n libvncclient%{libnum} %defattr(-,root,root) -%doc COPYING README -%_libdir/libvncclient.so.0* +%doc COPYING README.md 
+%_libdir/libvncclient.so.%{version} +%_libdir/libvncclient.so.%{libnum}* %files devel %defattr(-,root,root) -%doc AUTHORS COPYING ChangeLog NEWS README TODO -%{_bindir}/libvncserver-config +%doc AUTHORS COPYING ChangeLog NEWS README.md TODO %{_includedir}/rfb/* %dir /usr/include/rfb %{_libdir}/libvncclient.so ++++++ LibVNCServer-CVE-2018-7225.patch -> LibVNCServer-CVE-2018-20749.patch ++++++ --- /work/SRC/openSUSE:Factory/LibVNCServer/LibVNCServer-CVE-2018-7225.patch 2018-05-19 15:41:11.657419926 +0200 +++ /work/SRC/openSUSE:Factory/.LibVNCServer.new.28833/LibVNCServer-CVE-2018-20749.patch 2019-03-01 16:46:11.829827024 +0100 @@ -1,39 +1,29 @@ diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c -index 116c4889..4fc4d9d5 100644 +index 6ca511fe..e210a32f 100644 --- a/libvncserver/rfbserver.c 
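Review bot: `LibVNCServer-CVE-2018-20749.patch` is declared as `Patch2` and the .changes entry lists it under "security update", but the only reference in `%prep` is the commented-out `#%patch2 -p1`. As far as these hunks show, the patch ships in the source package without being applied to the build. If 0.9.12 already contains the fix, drop `Patch2` and note that in the changelog, as was done for the other patches marked "(upstreamed)"; otherwise apply it with `%patch2 -p1`. A changelog that claims a CVE fix should be traceable either to an applied patch or to an upstream version that contains it.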
+++ b/libvncserver/rfbserver.c -@@ -88,6 +88,8 @@ - #include <errno.h> - /* strftime() */ - #include <time.h> -+/* PRIu32 */ -+#include <inttypes.h> +@@ -1461,11 +1461,21 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length) + int n=0; - #ifdef LIBVNCSERVER_WITH_WEBSOCKETS - #include "rfbssl.h" -@@ -2575,7 +2577,23 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) - - msg.cct.length = Swap32IfLE(msg.cct.length); - -- str = (char *)malloc(msg.cct.length); -+ /* uint32_t input is passed to malloc()'s size_t argument, -+ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int -+ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int -+ * argument. Here we impose a limit of 1 MB so that the value fits -+ * into all of the types to prevent from misinterpretation and thus -+ * from accessing uninitialized memory (CVE-2018-7225) and also to -+ * prevent from a denial-of-service by allocating to much memory in -+ * the server. */ -+ if (msg.cct.length > 1<<20) { -+ rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", -+ msg.cct.length); -+ rfbCloseClient(cl); -+ return; -+ } + FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL); ++ + /* +- rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length); ++ We later alloc length+1, which might wrap around on 32-bit systems if length equals ++ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF ++ will safely be allocated since this check will never trigger and malloc() can digest length+1 ++ without problems as length is a uint32_t. + */ ++ if(length == SIZE_MAX) { ++ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); ++ rfbCloseClient(cl); ++ return NULL; ++ } + -+ /* Allow zero-length client cut text. */ -+ str = (char *)calloc(msg.cct.length ? 
msg.cct.length : 1, 1); - if (str == NULL) { - rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); - rfbCloseClient(cl); + if (length>0) { +- buffer=malloc((uint64_t)length+1); ++ buffer=malloc((size_t)length+1); + if (buffer!=NULL) { + if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) { + if (n != 0) ++++++ cmake-libdir.patch ++++++ diff --git a/CMakeLists.txt b/CMakeLists.txt index 873cc7b5..55f7e650 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -9,6 +9,7 @@ include(CheckTypeSize) include(TestBigEndian) include(CheckCSourceCompiles) include(CheckCSourceRuns) +include(GNUInstallDirs) enable_testing() @@ -666,8 +667,8 @@ get_link_libraries(PRIVATE_LIBS vncclient) configure_file(${CMAKE_CURRENT_SOURCE_DIR}/libvncclient.pc.cmakein ${CMAKE_CURRENT_BINARY_DIR}/libvncclient.pc @ONLY) -install_targets(/lib vncserver) -install_targets(/lib vncclient) +install_targets(/${CMAKE_INSTALL_LIBDIR} vncserver) +install_targets(/${CMAKE_INSTALL_LIBDIR} vncclient) install_files(/include/rfb FILES rfb/keysym.h rfb/rfb.h @@ -677,7 +678,7 @@ install_files(/include/rfb FILES rfb/rfbregion.h ) -install_files(/lib/pkgconfig FILES +install_files(/${CMAKE_INSTALL_LIBDIR}/pkgconfig FILES libvncserver.pc libvncclient.pc )
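Review bot: The guard added in `rfbProcessFileTransferReadBuffer` rejects only `length == SIZE_MAX`, so every other client-supplied value up to 0xFFFFFFFE still reaches `malloc((size_t)length+1)` and `rfbReadExact(cl, (char *)buffer, length)`. The comment in the removed CVE-2018-7225 patch on this page describes `rfbReadExact()` as taking an `int` length; if that holds, values above `INT_MAX` would be misinterpreted there, and on 64-bit builds a single message can request an allocation of almost 4 GiB. Consider bounding the length as well, e.g. `if (length == SIZE_MAX || length > INT_MAX) {`, or a smaller protocol-level cap. The new `rfbErr` format string also lacks the trailing `\n` that the `rfbLog` call in the removed patch had. The function body continues outside the hunk.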
