From 9a7504fbe7bda55fb8239c10d69b3a279a282027 Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Aug 04 2014 02:46:42 +0000 Subject: krfb: unbundle libvncserver (CVE-2014-4607, #655844)
---
diff --git a/krfb-unbundle_libvncserver.patch b/krfb-unbundle_libvncserver.patch
new file mode 100644
index 0000000..2bc8ead
--- /dev/null
+++ b/krfb-unbundle_libvncserver.patch
@@ -0,0 +1,110 @@
+diff -up krfb-4.13.3/CMakeLists.txt.unbundle_libvncserver krfb-4.13.3/CMakeLists.txt
+--- krfb-4.13.3/CMakeLists.txt.unbundle_libvncserver 2014-01-06 21:51:44.000000000 -0600
++++ krfb-4.13.3/CMakeLists.txt 2014-08-03 19:35:37.970707309 -0500
+@@ -26,6 +26,9 @@ if(NOT INSIDE_KDENETWORK)
+ include_directories(${CMAKE_SOURCE_DIR} ${CMAKE_BINARY_DIR} ${KDE4_INCLUDES})
+ endif(NOT INSIDE_KDENETWORK)
+ 
++set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules ${CMAKE_MODULE_PATH})
++find_package(LibVNCServer REQUIRED)
++
+ macro_optional_find_package(TelepathyQt4)
+ macro_log_feature(TelepathyQt4_FOUND "telepathy-qt" "Telepathy Qt Bindings" "http://telepathy.freedesktop.org" FALSE "0.9" "Needed to build Telepathy Tubes support.")
+ 
+@@ -35,8 +38,6 @@ macro_bool_to_01(X11_XShm_FOUND HAVE_XSH
+ include_directories ("${CMAKE_CURRENT_BINARY_DIR}/krfb"
+ "${CMAKE_CURRENT_SOURCE_DIR}/krfb"
+ "${CMAKE_CURRENT_SOURCE_DIR}/krfb/ui"
+- "${CMAKE_CURRENT_SOURCE_DIR}/libvncserver/"
+- "${CMAKE_CURRENT_BINARY_DIR}/libvncserver/"
+ )
+ 
+ if(Q_WS_X11)
+@@ -45,9 +46,8 @@ if(Q_WS_X11)
+ endif(NOT X11_XTest_FOUND)
+ endif(Q_WS_X11)
+ 
+-add_subdirectory(libvncserver)
+ add_subdirectory(krfb)
+-add_subdirectory (framebuffers)
++add_subdirectory(framebuffers)
+ add_subdirectory(doc)
+ 
+ if (NOT INSIDE_KDENETWORK)
+diff -up krfb-4.13.3/cmake/modules/FindLibVNCServer.cmake.unbundle_libvncserver krfb-4.13.3/cmake/modules/FindLibVNCServer.cmake
+--- krfb-4.13.3/cmake/modules/FindLibVNCServer.cmake.unbundle_libvncserver 2014-08-03 19:35:27.987812554 -0500
++++ krfb-4.13.3/cmake/modules/FindLibVNCServer.cmake 2014-08-03 19:35:27.987812554 -0500
+@@ -0,0 +1,41 @@
++# cmake macro to test LIBVNCSERVER LIB
++
++# Copyright (c) 2006, Alessandro Praduroux
++# Copyright (c) 2007, Urs Wolfer
++#
++# Redistribution and use is allowed according to the terms of the BSD license.
++# For details see the accompanying COPYING-CMAKE-SCRIPTS file.
++
++INCLUDE(CheckPointerMember)
++
++IF (LIBVNCSERVER_INCLUDE_DIR AND LIBVNCSERVER_LIBRARIES)
++ # Already in cache, be silent
++ SET(LIBVNCSERVER_FIND_QUIETLY TRUE)
++ENDIF (LIBVNCSERVER_INCLUDE_DIR AND LIBVNCSERVER_LIBRARIES)
++
++FIND_PATH(LIBVNCSERVER_INCLUDE_DIR rfb/rfb.h)
++
++FIND_LIBRARY(LIBVNCSERVER_LIBRARIES NAMES vncserver libvncserver)
++
++# libvncserver and libvncclient are in the same package, so it does
++# not make sense to add a new cmake script for finding libvncclient.
++# instead just find the libvncclient also in this file.
++FIND_PATH(LIBVNCCLIENT_INCLUDE_DIR rfb/rfbclient.h)
++FIND_LIBRARY(LIBVNCCLIENT_LIBRARIES NAMES vncclient libvncclient)
++
++IF (LIBVNCSERVER_INCLUDE_DIR AND LIBVNCSERVER_LIBRARIES)
++ SET(CMAKE_REQUIRED_INCLUDES "${LIBVNCSERVER_INCLUDE_DIR}" "${CMAKE_REQUIRED_INCLUDES}")
++ CHECK_POINTER_MEMBER(rfbClient* GotXCutText rfb/rfbclient.h LIBVNCSERVER_FOUND)
++ENDIF (LIBVNCSERVER_INCLUDE_DIR AND LIBVNCSERVER_LIBRARIES)
++
++IF (LIBVNCSERVER_FOUND)
++ IF (NOT LIBVNCSERVER_FIND_QUIETLY)
++ MESSAGE(STATUS "Found LibVNCServer: ${LIBVNCSERVER_LIBRARIES}")
++ ENDIF (NOT LIBVNCSERVER_FIND_QUIETLY)
++ELSE (LIBVNCSERVER_FOUND)
++ IF (LIBVNCSERVER_FIND_REQUIRED)
++ MESSAGE(FATAL_ERROR "Could NOT find acceptable version of LibVNCServer (version 0.9 or later required).")
++ ENDIF (LIBVNCSERVER_FIND_REQUIRED)
++ENDIF (LIBVNCSERVER_FOUND)
++
++MARK_AS_ADVANCED(LIBVNCSERVER_INCLUDE_DIR LIBVNCSERVER_LIBRARIES)
+\ No newline at end of file
+diff -up krfb-4.13.3/krfb/CMakeLists.txt.unbundle_libvncserver krfb-4.13.3/krfb/CMakeLists.txt
+--- krfb-4.13.3/krfb/CMakeLists.txt.unbundle_libvncserver 2014-01-06 21:51:44.000000000 -0600
++++ krfb-4.13.3/krfb/CMakeLists.txt 2014-08-03 19:35:27.987812554 -0500
+@@ -20,6 +20,7 @@ target_link_libraries (krfbprivate
+ ${QT_QTCORE_LIBRARY}
+ ${QT_QTGUI_LIBRARY}
+ ${X11_X11_LIB}
++ ${LIBVNCSERVER_LIBRARIES}
+ )
+ 
+ set_target_properties (krfbprivate PROPERTIES
+@@ -104,6 +105,7 @@ target_link_libraries (krfb
+ ${QT_QTNETWORK_LIBRARY}
+ ${KDE4_KDNSSD_LIBS}
+ ${KDE4_KDEUI_LIBS}
++ ${LIBVNCSERVER_LIBRARIES}
+ )
+ 
+ if(TelepathyQt4_FOUND)
+diff -up krfb-4.13.3/krfb/rfb.h.unbundle_libvncserver krfb-4.13.3/krfb/rfb.h
+--- krfb-4.13.3/krfb/rfb.h.unbundle_libvncserver 2014-01-06 21:51:44.000000000 -0600
++++ krfb-4.13.3/krfb/rfb.h 2014-08-03 19:35:27.987812554 -0500
+@@ -6,7 +6,7 @@
+ #ifndef KRFB_RFB_H
+ #define KRFB_RFB_H
+ 
+-#include "../libvncserver/rfb/rfb.h"
++#include "rfb/rfb.h"
+ 
+ #undef TRUE
+ #undef FALSE
diff --git a/krfb.spec b/krfb.spec
index e3ee521..8c68459 100644
--- a/krfb.spec
+++ b/krfb.spec
@@ -2,7 +2,7 @@ Name: krfb
 Summary: Desktop sharing
 Version: 4.13.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+ and GFDL
 URL: https://projects.kde.org/projects/kde/kdenetwork/%{name}
@@ -14,10 +14,14 @@ URL: https://projects.kde.org/projects/kde/kdenetwork/%{name}
 %endif
 Source0: http://download.kde.org/%{stable}/%{version}/src/%{name}-%{version}.tar.xz
+# http://www.kde.org/info/security/advisory-20140803-1.txt
+# unbundle libvncserver, based on
+# http://quickgit.kde.org/?p=krfb.git&a=commit&h=1c85dc7d85570c9e3a5fcc57572feb04e57fe6db
+Patch100: krfb-unbundle_libvncserver.patch
+
 BuildRequires: desktop-file-utils
 BuildRequires: kdelibs4-devel >= %{version}
-# kdenetwork(krfb): bundled libvncserver, see http://bugzilla.redhat.com/655844
-BuildRequires: libvncserver-devel
+BuildRequires: pkgconfig(libvncserver)
 BuildRequires: libjpeg-devel
 %if 0%{?fedora}
 %global telepathy 1
@@ -49,6 +53,9 @@ Provides: kdenetwork-krfb-libs = 7:%{version}-%{release}
 %prep
 %setup -q
+%patch100 -p1 -b .unbundle_libvncserver
+rm -rfv libvncserver/
+
 %build
 mkdir -p %{_target_platform}
@@ -103,6 +110,9 @@ fi
 %changelog
+* Sun Aug 03 2014 Rex Dieter 4.13.3-2
+- krfb: unbundle libvncserver (CVE-2014-4607, #655844)
+
 * Tue Jul 15 2014 Rex Dieter - 4.13.3-1
 - 4.13.3
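Review bot: In the top-level CMakeLists.txt part of the new patch, `find_package(LibVNCServer REQUIRED)` is added and the two bundled `libvncserver/` include paths are removed, but the `LIBVNCSERVER_INCLUDE_DIR` that FindLibVNCServer.cmake computes is never added to any include path, so the new `#include "rfb/rfb.h"` in krfb/rfb.h only resolves when the system headers sit in the compiler's default search path. A libvncserver installed under a non-default prefix would be found by the module and then fail to compile; `include_directories(${LIBVNCSERVER_INCLUDE_DIR})` directly after the `find_package` call (or `target_include_directories` on krfbprivate and krfb beside the new `${LIBVNCSERVER_LIBRARIES}` entries) closes that gap, unless it is done somewhere outside this patch. The module's failure message also claims "version 0.9 or later required", yet nothing in FindLibVNCServer.cmake checks a version — `LIBVNCSERVER_FOUND` is set solely by the `CHECK_POINTER_MEMBER` probe for `GotXCutText` — so either add a real version check or reword the message to describe what is actually tested.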
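Review bot: `BuildRequires: pkgconfig(libvncserver)` carries no minimum version, although the stated purpose of this release (the advisory link above Patch100 and the CVE-2014-4607 reference in the changelog) is to build against a libvncserver that has the fix; an unversioned BuildRequires lets the package be rebuilt against an older libvncserver-devel in the buildroot and silently link a still-vulnerable library. Pin it, e.g. `BuildRequires: pkgconfig(libvncserver) >= <first fixed release>` — this diff does not show which libvncserver build that is, so the value has to come from the libvncserver update itself. Because the automatic runtime dependency is generated from the library soname alone, a matching versioned `Requires:` is also worth considering if the fix did not change the soname.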