Merge pull request #336605 from LeSuisse/tightvnc-drop

2024-08-25 01:49:23 +02:00 · 2024-08-25 01:49:23 +02:00 · 2d1ea93eac
commit 2d1ea93eac
parent bf24134ee2 8caa26332d
7 changed files with 1 additions and 188 deletions
--- a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch
@ -1,18 +0,0 @@
-Adapted from https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a
-diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
-index 04b0230..47a6863 100644
--- a/vncviewer/rfbproto.c
-+++ b/vncviewer/rfbproto.c
-@@ -1217,6 +1217,12 @@ HandleRFBServerMessage()
-     if (serverCutText)
-       free(serverCutText);
- 
-+    if (msg.sct.length > 1<<20) {
-+      fprintf(stderr,"Ignoring too big cut text length sent by server: %u B > 1 MB\n",
-+              (unsigned int)msg.sct.length);
-+      return False;
-+    }
-+
-     serverCutText = malloc(msg.sct.length+1);
- 
-     if (!ReadFromRFBServer(serverCutText, msg.sct.length))
--- a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
@ -1,19 +0,0 @@
-Adapted from https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
-diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
-index 04b0230..bd11b54 100644
--- a/vncviewer/rfbproto.c
-+++ b/vncviewer/rfbproto.c
-@@ -303,7 +303,12 @@ InitialiseRFBConnection(void)
-   si.format.blueMax = Swap16IfLE(si.format.blueMax);
-   si.nameLength = Swap32IfLE(si.nameLength);
- 
-  /* FIXME: Check arguments to malloc() calls. */
-+  if (si.nameLength > 1<<20) {
-+    fprintf(stderr, "Too big desktop name length sent by server: %lu B > 1 MB\n",
-+            (unsigned long)si.nameLength);
-+    return False;
-+  }
-+
-   desktopName = malloc(si.nameLength + 1);
-   if (!desktopName) {
-     fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",
--- a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15680.patch
@ -1,16 +0,0 @@
-diff --git a/vncviewer/zlib.c b/vncviewer/zlib.c
-index 80c4eee..76998d8 100644
--- a/vncviewer/zlib.c
-+++ b/vncviewer/zlib.c
-@@ -55,6 +55,11 @@ HandleZlibBPP (int rx, int ry, int rw, int rh)
-     raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
-     raw_buffer = (char*) malloc( raw_buffer_size );
- 
-+    if ( raw_buffer == NULL ) {
-+      fprintf(stderr,
-+              "couldn't allocate raw_buffer in HandleZlibBPP");
-+      return False;
-+    }
-   }
- 
-   if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
--- a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-8287.patch
@ -1,14 +0,0 @@
-Adapted from https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
-diff --git a/vncviewer/corre.c b/vncviewer/corre.c
-index c846a10..a4c272d 100644
--- a/vncviewer/corre.c
-+++ b/vncviewer/corre.c
-@@ -56,7 +56,7 @@ HandleCoRREBPP (int rx, int ry, int rw, int rh)
-     XChangeGC(dpy, gc, GCForeground, &gcv);
-     XFillRectangle(dpy, desktopWin, gc, rx, ry, rw, rh);
- 
-    if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
-+    if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
- 	return False;
- 
-     ptr = (CARD8 *)buffer;
--- a/pkgs/tools/admin/tightvnc/default.nix
+++ b/pkgs/tools/admin/tightvnc/default.nix
@ -1,116 +0,0 @@
-{ lib
-, stdenv
-, fetchurl
-, zlib
-, libjpeg
-, imake
-, gccmakedep
-, libXaw
-, libXext
-, libXmu
-, libXp
-, libXpm
-, perl
-, xauth
-, fontDirectories
-, openssh
-}:
-
-stdenv.mkDerivation rec {
-  pname = "tightvnc";
-  version = "1.3.10";
-
-  src = fetchurl {
-    url = "mirror://sourceforge/vnc-tight/tightvnc-${version}_unixsrc.tar.bz2";
-    sha256 = "f48c70fea08d03744ae18df6b1499976362f16934eda3275cead87baad585c0d";
-  };
-
-  patches = [
-    ./1.3.10-CVE-2019-15678.patch
-    ./1.3.10-CVE-2019-15679.patch
-    ./1.3.10-CVE-2019-15680.patch
-    ./1.3.10-CVE-2019-8287.patch
-  ];
-
-  # for the builder script
-  inherit fontDirectories;
-
-  hardeningDisable = [ "format" ];
-
-  buildInputs = [
-    zlib
-    libjpeg
-    imake
-    gccmakedep
-    libXaw
-    libXext
-    libXmu
-    libXp
-    libXpm
-    xauth
-    openssh
-  ];
-
-  postPatch = ''
-    fontPath=
-    for i in $fontDirectories; do
-      for j in $(find $i -name fonts.dir); do
-        addToSearchPathWithCustomDelimiter "," fontPath $(dirname $j)
-      done
-    done
-
-    sed -i "s@/usr/bin/ssh@${openssh}/bin/ssh@g" vncviewer/vncviewer.h
-
-    sed -e 's@/usr/bin/perl@${perl}/bin/perl@' \
-        -e 's@unix/:7100@'$fontPath'@' \
-        -i vncserver
-
-    sed -e 's@.* CppCmd .*@#define CppCmd		cpp@' -i Xvnc/config/cf/linux.cf
-    sed -e 's@.* CppCmd .*@#define CppCmd		cpp@' -i Xvnc/config/cf/Imake.tmpl
-    sed -i \
-        -e 's@"uname","xauth","Xvnc","vncpasswd"@"uname","Xvnc","vncpasswd"@g' \
-        -e "s@\<xauth\>@${xauth}/bin/xauth@g" \
-        vncserver
-  '';
-
-  preInstall = ''
-    mkdir -p $out/bin
-    mkdir -p $out/share/man/man1
-  '';
-
-  installPhase = ''
-    runHook preInstall
-
-    ./vncinstall $out/bin $out/share/man
-
-    runHook postInstall
-  '';
-
-  postInstall = ''
-    # fix HTTP client:
-    mkdir -p $out/share/tightvnc
-    cp -r classes $out/share/tightvnc
-    substituteInPlace $out/bin/vncserver \
-      --replace /usr/local/vnc/classes $out/share/tightvnc/classes
-  '';
-
-  meta = {
-    license = lib.licenses.gpl2Plus;
-    homepage = "https://vnc-tight.sourceforge.net/";
-    description = "Improved version of VNC";
-
-    longDescription = ''
-      TightVNC is an improved version of VNC, the great free
-      remote-desktop tool. The improvements include bandwidth-friendly
-      "tight" encoding, file transfers in the Windows version, enhanced
-      GUI, many bugfixes, and more.
-    '';
-
-    maintainers = [ ];
-    platforms = lib.platforms.unix;
-
-    knownVulnerabilities = [ "CVE-2021-42785" ];
-    # Unfortunately, upstream doesn't maintain the 1.3 branch anymore, and the
-    # new 2.x branch is substantially different (requiring either Windows or Java)
-  };
-}
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@ -1481,6 +1481,7 @@ mapAliases ({
  invalidateFetcherByDrvHash = testers.invalidateFetcherByDrvHash; # Added 2022-05-05
  timescale-prometheus = promscale; # Added 2020-09-29
  tinygltf = throw "TinyglTF has been embedded in draco due to lack of other users and compatibility breaks."; # Added 2023-06-25
+  tightvnc = throw "'tightvnc' has been removed as the version 1.3 is not maintained upstream anymore and is insecure"; # Added 2024-08-22
  tixati = throw "'tixati' has been removed from nixpkgs as it is unfree and unmaintained"; # Added 2023-03-17
  tkcvs = tkrev; # Added 2022-03-07
  tokodon = plasma5Packages.tokodon;
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -13938,11 +13938,6 @@ with pkgs;

  tigervnc = callPackage ../tools/admin/tigervnc { };

-  tightvnc = callPackage ../tools/admin/tightvnc {
-    fontDirectories = [ xorg.fontadobe75dpi xorg.fontmiscmisc xorg.fontcursormisc
-      xorg.fontbhlucidatypewriter75dpi ];
-  };
-
  time = callPackage ../tools/misc/time { };

  tweet-hs = haskell.lib.compose.justStaticExecutables haskellPackages.tweet-hs;