backport upstream fixes from 1.16.2

2026-06-17 23:13:55 +02:00 · 2026-03-28 12:34:09 +00:00
parent e84824af0d
commit 7d58edcf61
3 changed files with 53 additions and 1 deletions
@@ -3,7 +3,7 @@ COMMENT=	high performance, multi-platform VNC client and server
 GH_ACCOUNT=	TigerVNC
 GH_PROJECT=	tigervnc
 GH_TAGNAME=	v1.15.0
-REVISION=	0
+REVISION=	1

 XORG_V=		21.1.21

@@ -0,0 +1,23 @@
+From a3fbb54278ebe91bf573f44b32d64e78a33a4828 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman <ossman@cendio.se>
+Date: Tue, 24 Mar 2026 09:52:01 +0100
+Subject: [PATCH] Prevent other users reading x0vncserver screen
+
+Prevent other users from observing the screen, or modifying what is sent
+to the client. Malicious attackers can even crash x0vncserver if they
+time the modifications right.
+
+(cherry picked from commit 0b5cab169d847789efa54459a87659d3fd484393)
+
+Index: unix/x0vncserver/Image.cxx
+--- unix/x0vncserver/Image.cxx.orig
+++ unix/x0vncserver/Image.cxx
+@@ -268,7 +268,7 @@ void ShmImage::Init(int width, int height, const XVisu
+ 
+   shminfo->shmid = shmget(IPC_PRIVATE,
+                           xim->bytes_per_line * xim->height,
+-                          IPC_CREAT|0777);
+                          IPC_CREAT|0600);
+   if (shminfo->shmid == -1) {
+     perror("shmget");
+     vlog.error("shmget() failed (%d bytes requested)",
@@ -0,0 +1,29 @@
+From 87612b64652152ca19d568eb6b8770d067730da3 Mon Sep 17 00:00:00 2001
+From: Pierre Ossman <ossman@cendio.se>
+Date: Thu, 26 Mar 2026 10:10:12 +0100
+Subject: [PATCH] Use locks to avoid races with input thread
+
+Taken from how Xorg deals with hooking these functions. Without it we
+can get corruption of the sprite functions struct.
+
+(cherry picked from commit 3bc1cf73ea96082929232797e98823fa3e5ed4ed)
+
+Index: unix/xserver/hw/vnc/vncHooks.c
+--- unix/xserver/hw/vnc/vncHooks.c.orig
+++ unix/xserver/hw/vnc/vncHooks.c
+@@ -1144,6 +1144,7 @@ static Bool vncHooksRandRCrtcSet(ScreenPtr pScreen, RR
+ // Unwrap and rewrap helpers
+ 
+ #define SPRITE_PROLOGUE(field)                                            \
+  input_lock();                                                           \
+   miPointerScreenPtr miPointerPriv =                                      \
+     dixLookupPrivate(&screen->devPrivates, miPointerScreenKey);           \
+   vncHooksScreenPtr vncHooksScreen = vncHooksScreenPrivate(screen);       \
+@@ -1152,6 +1153,7 @@ static Bool vncHooksRandRCrtcSet(ScreenPtr pScreen, RR
+ 
+ #define SPRITE_EPILOGUE(field)                                            \
+   wrap(vncHooksScreen, miPointerPriv, spriteFuncs, &vncHooksSpriteFuncs); \
+  input_unlock();
+ 
+ static Bool vncHooksRealizeCursor(DeviceIntPtr dev, ScreenPtr screen,
+                                   CursorPtr cursor)