From 94c7ef932a5857020c2a5349ff1970b1809a080e Mon Sep 17 00:00:00 2001 From: Hartmut Goebel Date: Wed, 22 Jan 2020 11:40:01 +0100 Subject: gnu: Rename module gnutls to tls. * gnu/packages/tigervnc.scm: Rename to... * gnu/packages/vnc.scm: ... this. Change module name accordingly. Sort used modules. * gnu-system.am (GNU_SYSTEM_MODULES): Rename tigervnc module to vnc. --- gnu/packages/vnc.scm | 234 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 234 insertions(+) create mode 100644 gnu/packages/vnc.scm (limited to 'gnu/packages/vnc.scm') diff --git a/gnu/packages/vnc.scm b/gnu/packages/vnc.scm new file mode 100644 index 0000000000..e715e10d5a --- /dev/null +++ b/gnu/packages/vnc.scm @@ -0,0 +1,234 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2019 Todor Kondić +;;; Copyright © 2020 Oleg Pykhalov +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu packages vnc) + #:use-module (guix build-system cmake) + #:use-module (guix download) + #:use-module (guix git-download) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix packages) + #:use-module (guix utils) + #:use-module (gnu packages autotools) + #:use-module (gnu packages base) + #:use-module (gnu packages cmake) + #:use-module (gnu packages commencement) + #:use-module (gnu packages compression) + #:use-module (gnu packages fltk) + #:use-module (gnu packages gettext) + #:use-module (gnu packages image) + #:use-module (gnu packages linux) + #:use-module (gnu packages perl) + #:use-module (gnu packages tls) + #:use-module (gnu packages xorg)) + +(define-public tigervnc-client + (package + (name "tigervnc-client") + (version "1.10.1") + (source + (origin + (method git-fetch) + (uri + (git-reference + (url "https://github.com/TigerVNC/tigervnc.git") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "001n189d2f3psn7nxgl8188ml6f7jbk26cxn2835y3mnlk5lmhgr")))) + (build-system cmake-build-system) + (arguments + '(#:tests? #f ; Tests that do exists are not automated. + #:phases (modify-phases %standard-phases + (replace 'install + (lambda* (#:key outputs #:allow-other-keys) + (with-directory-excursion "vncviewer" + (invoke "make" "install"))))))) + (native-inputs + `(("autoconf" ,autoconf) + ("gettext-minimal" ,gettext-minimal) + ("automake" ,automake))) + (inputs + `(("zlib" ,zlib) + ("gnutls" ,gnutls) + ("libjpeg-turbo" ,libjpeg-turbo) + ("fltk" ,fltk) + ("linux-pam" ,linux-pam) + ("libx11" ,libx11) + ("libxext" ,libxext) + ("libxtst" ,libxtst) + ("libxrandr" ,libxrandr) + ("libxdamage" ,libxdamage))) + (home-page "https://tigervnc.org/") + (synopsis "High-performance, platform-neutral +implementation of VNC (client)") + (description "TigerVNC is a client/server implementation of VNC (Virtual +Network Computing). It provides enough performance to run even 3D and video +applications. It also provides extensions for advanced authentication methods +and TLS encryption. This package installs only the VNC client, the +application which is needed to connect to VNC servers.") + (license license:gpl2))) + +;; A VNC server is, in fact, an X server so it seems like a good idea +;; to build on the work already done for xorg-server package. This is +;; not entirely compatible with the recommendation in BUILDING.txt +;; where the client is built first, then the source code of the X +;; server is copied into a subdir of the build directory, patched with +;; VNC additions and then build and installed as Xvnc. The procedure +;; was turned around, where TigerVNC code is downloaded and built +;; inside the Guix X server build dir. Also, the VNC patching process +;; for the X server is automated in a straightforward manner. +(define-public tigervnc-server + (package + (inherit xorg-server) + (name "tigervnc-server") + (version "1.10.1") + (native-inputs + `(("tigervnc-src" ,(origin + (method git-fetch) + (uri + (git-reference + (url "https://github.com/TigerVNC/tigervnc.git") + (commit "v1.9.0"))) + (sha256 + (base32 + "0b47fg3741qs3zdpl2zr0s6jz46dypp2j6gqrappbzm3ywnnmm1x")))) + ("autoconf" ,autoconf) + ("automake" ,automake) + ("libtool" ,libtool) + ("gettext-minimal" ,gettext-minimal) + ("font-util" ,font-util) + ("cmake" ,cmake) + ("gcc-toolchain" ,gcc-toolchain) + ("perl" ,perl) + ,@(package-native-inputs tigervnc-client) + ,@(package-inputs tigervnc-client) + ,@(package-native-inputs xorg-server))) + (inputs + `(("perl" ,perl) + ("coreutils" ,coreutils) + ("xauth" ,xauth) + ,@(package-inputs xorg-server))) + (propagated-inputs + `(("xauth" ,xauth) + ,@(package-propagated-inputs xorg-server))) + (arguments + (substitute-keyword-arguments + (package-arguments xorg-server) + ((#:configure-flags flags) + `(append '("--with-pic" ; Taken from BUILDING.txt + "--without-dtrace" + "--disable-static" + "--disable-dri2" + "--disable-xinerama" + "--disable-xvfb" + "--disable-xnest" + "--disable-xorg" + "--disable-dmx" + "--disable-xwin" + "--disable-xephyr" + "--disable-kdrive" + ;; "--disable-config-dbus" ; This was a warning. + "--disable-config-hal" + "--disable-config-udev" + "--disable-dri2" + ;; "--enable-install-libxf86config" ; This, too, was a warning. + "--enable-glx") + (delete "--enable-xephyr" ,flags))) + ((#:modules modules) + `(append '((ice-9 ftw) + (ice-9 match) + (guix build utils) + (guix build gnu-build-system)) + modules)) + ((#:phases phases) + `(modify-phases ,phases + (delete 'check) ;) + (add-after 'unpack 'copy-tvnc-xserver + (lambda _ + (let* + ((tvnc-src (assoc-ref %build-inputs "tigervnc-src")) + (tvnc-xserver (string-append tvnc-src "/unix/xserver"))) + (copy-recursively tvnc-xserver ".") + #t))) + (add-after 'copy-tvnc-xserver 'patch-xserver + (lambda _ + (let* + ((tvnc-src (assoc-ref %build-inputs "tigervnc-src")) + (xorg-server-version ,(package-version xorg-server)) + (which-patch (lambda () + (let* + ((patch-num (apply string-append + (list-head (string-split xorg-server-version + #\.) + 2))) + (fn (format "~a/unix/xserver~a.patch" tvnc-src patch-num))) + (when (not (file-exists? fn)) + (error (format "Patch file, ~a, +corresponding to the input xorg-server version, does not exist. Installation +will fail. " fn))) + + fn))) ; VNC patches for xserver have the + ; form xserverXY[Y].patch, where + ; X.Y[Y].Z is the Xorg server + ; version. + (xserver-patch (which-patch))) + (invoke "patch" "-p1" "-i" xserver-patch) + (invoke "autoreconf" "-fiv")))) + (add-before 'build 'build-tigervnc + (lambda _ + (let* ((out (assoc-ref %outputs "out")) + (tvnc-src (assoc-ref %build-inputs "tigervnc-src")) + (tvnc-build (string-append (getcwd) "/tigervnc-build"))) + (mkdir-p tvnc-build) + (with-directory-excursion tvnc-build + (invoke "cmake" "-G" "Unix Makefiles" + (string-append "-DCMAKE_INSTALL_PREFIX=" out) + tvnc-src) + (invoke "make" "-j" (number->string (parallel-job-count))))))) + (replace 'build + (lambda _ + (let* ((tvnc-src (assoc-ref %build-inputs "tigervnc-src")) + (tvnc-build (string-append (getcwd) "/tigervnc-build")) + (srcarg (string-append "TIGERVNC_SRCDIR=" tvnc-src)) + (buildarg (string-append "TIGERVNC_BUILDDIR=" tvnc-build))) + (invoke "make" srcarg buildarg "-j" + (number->string (parallel-job-count)))))) + (add-before 'install 'install-tigervnc-aux + (lambda _ + (let* ((out (assoc-ref %outputs 'out)) + (tvnc-src (assoc-ref %build-inputs "tigervnc-src")) + (tvnc-build (string-append (getcwd) "/tigervnc-build")) + (srcarg (string-append "TIGERVNC_SRCDIR=" tvnc-src)) + (buildarg (string-append "TIGERVNC_BUILDDIR=" tvnc-build))) + (with-directory-excursion (string-append tvnc-build "/unix") + (invoke "make" srcarg buildarg "install"))))) + (replace 'install + (lambda* _ + (let* ((tvnc-src (assoc-ref %build-inputs "tigervnc-src")) + (tvnc-build (string-append (getcwd) "/tigervnc-build")) + (srcarg (string-append "TIGERVNC_SRCDIR=" tvnc-src)) + (buildarg (string-append "TIGERVNC_BUILDDIR=" tvnc-build))) + (invoke "make" "install" srcarg buildarg)))))))) + (description "TigerVNC is a client/server implementation of VNC (Virtual +Network Computing). It provides enough performance to run even 3D and video +applications. It also provides extensions for advanced authentication methods +and TLS encryption. This package installs the VNC server, a program that will +enable users with VNC clients to log into a graphical session on the machine +where the server is installed."))) -- cgit v1.2.3 From a789f654a0f370720b2c6b7856b9971dcc1d5eb1 Mon Sep 17 00:00:00 2001 From: Hartmut Goebel Date: Mon, 20 Jan 2020 23:43:18 +0100 Subject: gnu: Add libvnc. * gnu/packages/vnc.scm (libvnc): New variable. gnu/packages/patches/libvnc-CVE-2018-20750.patch, gnu/packages/patches/libvnc-CVE-2019-15681.patch: New files. * gnu/local.mk: Add them. --- gnu/local.mk | 2 ++ gnu/packages/patches/libvnc-CVE-2018-20750.patch | 44 ++++++++++++++++++++++++ gnu/packages/patches/libvnc-CVE-2019-15681.patch | 23 +++++++++++++ gnu/packages/vnc.scm | 39 +++++++++++++++++++++ 4 files changed, 108 insertions(+) create mode 100644 gnu/packages/patches/libvnc-CVE-2018-20750.patch create mode 100644 gnu/packages/patches/libvnc-CVE-2019-15681.patch (limited to 'gnu/packages/vnc.scm') diff --git a/gnu/local.mk b/gnu/local.mk index b10ad21520..51272b2dc8 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1124,6 +1124,8 @@ dist_patch_DATA = \ %D%/packages/patches/libutils-add-includes.patch \ %D%/packages/patches/libutils-remove-damaging-includes.patch \ %D%/packages/patches/libvdpau-va-gl-unbundle.patch \ + %D%/packages/patches/libvnc-CVE-2018-20750.patch \ + %D%/packages/patches/libvnc-CVE-2019-15681.patch \ %D%/packages/patches/libvpx-CVE-2016-2818.patch \ %D%/packages/patches/libvpx-use-after-free-in-postproc.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ diff --git a/gnu/packages/patches/libvnc-CVE-2018-20750.patch b/gnu/packages/patches/libvnc-CVE-2018-20750.patch new file mode 100644 index 0000000000..146243670a --- /dev/null +++ b/gnu/packages/patches/libvnc-CVE-2018-20750.patch @@ -0,0 +1,44 @@ +From 09e8fc02f59f16e2583b34fe1a270c238bd9ffec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 7 Jan 2019 10:40:01 +0100 +Subject: [PATCH] Limit lenght to INT_MAX bytes in + rfbProcessFileTransferReadBuffer() + +This ammends 15bb719c03cc70f14c36a843dcb16ed69b405707 fix for a heap +out-of-bound write access in rfbProcessFileTransferReadBuffer() when +reading a transfered file content in a server. The former fix did not +work on platforms with a 32-bit int type (expected by rfbReadExact()). + +CVE-2018-15127 + + +--- + libvncserver/rfbserver.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 7af84906..f2edbeea 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -88,6 +88,8 @@ + #include + /* strftime() */ + #include ++/* INT_MAX */ ++#include + + #ifdef LIBVNCSERVER_WITH_WEBSOCKETS + #include "rfbssl.h" +@@ -1472,8 +1474,11 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length) + 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF + will safely be allocated since this check will never trigger and malloc() can digest length+1 + without problems as length is a uint32_t. ++ We also later pass length to rfbReadExact() that expects a signed int type and ++ that might wrap on platforms with a 32-bit int type if length is bigger ++ than 0X7FFFFFFF. + */ +- if(length == SIZE_MAX) { ++ if(length == SIZE_MAX || length > INT_MAX) { + rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length); + rfbCloseClient(cl); + return NULL; diff --git a/gnu/packages/patches/libvnc-CVE-2019-15681.patch b/gnu/packages/patches/libvnc-CVE-2019-15681.patch new file mode 100644 index 0000000000..e328d87920 --- /dev/null +++ b/gnu/packages/patches/libvnc-CVE-2019-15681.patch @@ -0,0 +1,23 @@ +From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001 +From: Christian Beier +Date: Mon, 19 Aug 2019 22:32:25 +0200 +Subject: [PATCH] rfbserver: don't leak stack memory to the remote + +Thanks go to Pavel Cheremushkin of Kaspersky for reporting. +--- + libvncserver/rfbserver.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c +index 3bacc891..310e5487 100644 +--- a/libvncserver/rfbserver.c ++++ b/libvncserver/rfbserver.c +@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len) + rfbServerCutTextMsg sct; + rfbClientIteratorPtr iterator; + ++ memset((char *)&sct, 0, sizeof(sct)); ++ + iterator = rfbGetClientIterator(rfbScreen); + while ((cl = rfbClientIteratorNext(iterator)) != NULL) { + sct.type = rfbServerCutText; diff --git a/gnu/packages/vnc.scm b/gnu/packages/vnc.scm index e715e10d5a..e1cba08952 100644 --- a/gnu/packages/vnc.scm +++ b/gnu/packages/vnc.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019 Todor Kondić ;;; Copyright © 2020 Oleg Pykhalov +;;; Copyright © 2020 Hartmut Goebel ;;; ;;; This file is part of GNU Guix. ;;; @@ -24,6 +25,7 @@ #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) #:use-module (guix utils) + #:use-module (gnu packages) #:use-module (gnu packages autotools) #:use-module (gnu packages base) #:use-module (gnu packages cmake) @@ -31,9 +33,12 @@ #:use-module (gnu packages compression) #:use-module (gnu packages fltk) #:use-module (gnu packages gettext) + #:use-module (gnu packages gnupg) #:use-module (gnu packages image) #:use-module (gnu packages linux) #:use-module (gnu packages perl) + #:use-module (gnu packages pkg-config) + #:use-module (gnu packages sdl) #:use-module (gnu packages tls) #:use-module (gnu packages xorg)) @@ -232,3 +237,37 @@ applications. It also provides extensions for advanced authentication methods and TLS encryption. This package installs the VNC server, a program that will enable users with VNC clients to log into a graphical session on the machine where the server is installed."))) + +(define-public libvnc + (package + (name "libvnc") + (version "0.9.12") + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/LibVNC/libvncserver.git") + (commit (string-append "LibVNCServer-" version)))) + (file-name (git-file-name name version)) + (sha256 + (base32 "1226hb179l914919f5nm2mlf8rhaarqbf48aa649p4rwmghyx9vm")) + (patches (search-patches "libvnc-CVE-2018-20750.patch" + "libvnc-CVE-2019-15681.patch")))) + (build-system cmake-build-system) + (native-inputs + `(("pkg-config" ,pkg-config))) + (inputs + `(("gnutls" ,gnutls) + ("libgcrypt" ,libgcrypt) + ("libjpeg" ,libjpeg) + ("libpng" ,libpng) + ("lzo" ,lzo) + ("sdl2" ,sdl2))) + (home-page "https://libvnc.github.io/") + (synopsis "Cross-platform C libraries for implementing VNC server or +client") + (description "This package provides @code{LibVNCServer} and +@code{LibVNCClient}. These are cross-platform C libraries that allow you to +easily implement VNC server or client functionality in your program.") + (license ;; GPL for programs, FDL for documentation + (list license:gpl2+ license:fdl1.2+)))) -- cgit v1.2.3