From 7d58edcf61c1ae4204a4d4a8de903beea0156bb1 Mon Sep 17 00:00:00 2001
From: sthen
Date: Sat, 28 Mar 2026 12:34:09 +0000
Subject: [PATCH] backport upstream fixes from 1.16.2
---
 x11/tigervnc/Makefile | 2 +-
 .../patches/patch-unix_x0vncserver_Image_cxx | 23 +++++++++++++++
 .../patch-unix_xserver_hw_vnc_vncHooks_c | 29 +++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 x11/tigervnc/patches/patch-unix_x0vncserver_Image_cxx
 create mode 100644 x11/tigervnc/patches/patch-unix_xserver_hw_vnc_vncHooks_c
diff --git a/x11/tigervnc/Makefile b/x11/tigervnc/Makefile
index 70ee13a1a1a..662b67dab84 100644
--- a/x11/tigervnc/Makefile
+++ b/x11/tigervnc/Makefile
@@ -3,7 +3,7 @@ COMMENT= high performance, multi-platform VNC client and server
 GH_ACCOUNT= TigerVNC
 GH_PROJECT= tigervnc
 GH_TAGNAME= v1.15.0
-REVISION= 0
+REVISION= 1
 XORG_V= 21.1.21
diff --git a/x11/tigervnc/patches/patch-unix_x0vncserver_Image_cxx b/x11/tigervnc/patches/patch-unix_x0vncserver_Image_cxx
new file mode 100644
index 00000000000..e2aaa4b5058
--- /dev/null
+++ b/x11/tigervnc/patches/patch-unix_x0vncserver_Image_cxx
@@ -0,0 +1,23 @@
+From a3fbb54278ebe91bf573f44b32d64e78a33a4828 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman
+Date: Tue, 24 Mar 2026 09:52:01 +0100
+Subject: [PATCH] Prevent other users reading x0vncserver screen
+
+Prevent other users from observing the screen, or modifying what is sent
+to the client. Malicious attackers can even crash x0vncserver if they
+time the modifications right.
+
+(cherry picked from commit 0b5cab169d847789efa54459a87659d3fd484393)
+
+Index: unix/x0vncserver/Image.cxx
+--- unix/x0vncserver/Image.cxx.orig
++++ unix/x0vncserver/Image.cxx
+@@ -268,7 +268,7 @@ void ShmImage::Init(int width, int height, const XVisu
+
+ shminfo->shmid = shmget(IPC_PRIVATE,
+ xim->bytes_per_line * xim->height,
+- IPC_CREAT|0777);
++ IPC_CREAT|0600);
+ if (shminfo->shmid == -1) {
+ perror("shmget");
+ vlog.error("shmget() failed (%d bytes requested)",
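Review bot: With the segment mode tightened to `IPC_CREAT|0600` in ShmImage::Init, only the uid running x0vncserver can attach the segment, so it is worth confirming on the platform this port targets that the X server can still attach it; a server that has dropped to a different unprivileged uid would presumably be refused, and the only failure handled in the visible lines is shmget() itself. ShmImage::Init continues past the end of the hunk, so whether a failed attach falls back to the non-shared-memory path cannot be seen here. A short comment above the call, e.g. `// 0600: segment holds screen contents; keep it private to our uid`, would help keep the mode from being loosened again.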
diff --git a/x11/tigervnc/patches/patch-unix_xserver_hw_vnc_vncHooks_c b/x11/tigervnc/patches/patch-unix_xserver_hw_vnc_vncHooks_c
new file mode 100644
index 00000000000..85f971c3250
--- /dev/null
+++ b/x11/tigervnc/patches/patch-unix_xserver_hw_vnc_vncHooks_c
@@ -0,0 +1,29 @@
+From 87612b64652152ca19d568eb6b8770d067730da3 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman
+Date: Thu, 26 Mar 2026 10:10:12 +0100
+Subject: [PATCH] Use locks to avoid races with input thread
+
+Taken from how Xorg deals with hooking these functions. Without it we
+can get corruption of the sprite functions struct.
+
+(cherry picked from commit 3bc1cf73ea96082929232797e98823fa3e5ed4ed)
+
+Index: unix/xserver/hw/vnc/vncHooks.c
+--- unix/xserver/hw/vnc/vncHooks.c.orig
++++ unix/xserver/hw/vnc/vncHooks.c
+@@ -1144,6 +1144,7 @@ static Bool vncHooksRandRCrtcSet(ScreenPtr pScreen, RR
+ // Unwrap and rewrap helpers
+
+ #define SPRITE_PROLOGUE(field) \
++ input_lock(); \
+ miPointerScreenPtr miPointerPriv = \
+ dixLookupPrivate(&screen->devPrivates, miPointerScreenKey); \
+ vncHooksScreenPtr vncHooksScreen = vncHooksScreenPrivate(screen); \
+@@ -1152,6 +1153,7 @@ static Bool vncHooksRandRCrtcSet(ScreenPtr pScreen, RR
+
+ #define SPRITE_EPILOGUE(field) \
+ wrap(vncHooksScreen, miPointerPriv, spriteFuncs, &vncHooksSpriteFuncs); \
++ input_unlock();
+
+ static Bool vncHooksRealizeCursor(DeviceIntPtr dev, ScreenPtr screen,
+ CursorPtr cursor)
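Review bot: SPRITE_PROLOGUE now takes the input lock and SPRITE_EPILOGUE releases it, so a wrapped sprite function that returns between the two macros would leave the lock held and block the input thread. The functions that use these macros lie outside the hunk (only the start of vncHooksRealizeCursor is visible), so each one should be checked for a single exit that passes through SPRITE_EPILOGUE. I would document the pairing at the definition, e.g. `// Takes input_lock(); every path must reach SPRITE_EPILOGUE, which unlocks`.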