From fe7e64d152364efe78452e77447703dbe8cd572e Mon Sep 17 00:00:00 2001 From: Ondrej Holy Date: May 23 2018 07:30:06 +0000 Subject: Do not listen all if invalid interface is provided --- diff --git a/Do-not-listen-all-if-invalid-interface-is-provided.patch b/Do-not-listen-all-if-invalid-interface-is-provided.patch new file mode 100644 index 0000000..1eb791e --- /dev/null +++ b/Do-not-listen-all-if-invalid-interface-is-provided.patch @@ -0,0 +1,68 @@ +From bfa1432ea1972b4272e3a7b8927f7c22094e5e44 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Tue, 22 May 2018 21:06:06 +0200 +Subject: [PATCH 2/2] Do not listen all if invalid interface is provided + +It is not a good idea from security point of view to listen all interfaces +in case of invalid interface is provided. We should rather listen to nothing +and print error in journal. + +https://bugzilla.gnome.org/show_bug.cgi?id=796349 +--- + server/libvncserver/sockets.c | 18 ++++++++++++------ + server/vino-server.c | 3 +++ + 2 files changed, 15 insertions(+), 6 deletions(-) + +diff --git a/server/libvncserver/sockets.c b/server/libvncserver/sockets.c +index 746a3e5..45df6d5 100644 +--- a/server/libvncserver/sockets.c ++++ b/server/libvncserver/sockets.c +@@ -152,9 +152,13 @@ rfbInitListenSock(rfbScreenInfoPtr rfbScreen) + char *netIface = (char*)rfbScreen->netIface; + int i; + +- if(netIface == NULL || if_nametoindex(netIface) == 0) { +- if(netIface != NULL) +- rfbLog("WARNING: This (%s) a invalid network interface, set to all\n", netIface); ++ if(netIface != NULL && strlen(netIface) > 0) { ++ if(if_nametoindex(netIface) == 0) { ++ rfbLog("(%s) is an invalid network interface\n", netIface); ++ return; ++ } ++ } ++ else { + netIface = NULL; + } + +@@ -748,9 +752,11 @@ rfbSetNetworkInterface(rfbScreenInfoPtr rfbScreen, const char *netIface) + rfbScreen->netIface = netIface; + } + else { +- rfbScreen->netIface = NULL; +- if(netIface != NULL) +- rfbLog("WARNING: This (%s) a invalid network interface, set to all\n", netIface); ++ rfbScreen->netIface = NULL; ++ if(netIface != NULL && strlen(netIface) > 0) { ++ rfbLog("(%s) is an invalid network interface\n", netIface); ++ return FALSE; ++ } + } + + rfbLog("Re-binding socket to listen for VNC connections on TCP port %d in (%s) interface\n", +diff --git a/server/vino-server.c b/server/vino-server.c +index 38b17e3..b8cd755 100644 +--- a/server/vino-server.c ++++ b/server/vino-server.c +@@ -970,6 +970,9 @@ vino_server_init_io_channels(VinoServer *server) + { + dprintf (RFB, "%d ", rfb_screen->rfbListenSock[i]); + ++ if (rfb_screen->rfbListenSock[i] == -1) ++ continue; ++ + server->priv->io_channel[i] = g_io_channel_unix_new (rfb_screen->rfbListenSock[i]); + server->priv->io_watch[i] = g_io_add_watch (server->priv->io_channel[i], + G_IO_IN|G_IO_PRI, +-- +2.17.0 + diff --git a/vino.spec b/vino.spec index 87e73c8..c12336b 100644 --- a/vino.spec +++ b/vino.spec @@ -10,6 +10,7 @@ Source0: https://download.gnome.org/sources/%{name}/3.22/%{name}-%{version}.tar. Patch0: Return-error-if-X11-is-not-detected.patch Patch1: Do-not-restart-service-after-unclean-exit-code.patch +Patch2: Do-not-listen-all-if-invalid-interface-is-provided.patch BuildRequires: pkgconfig(avahi-client) BuildRequires: pkgconfig(avahi-glib) @@ -43,6 +44,7 @@ connect to a running GNOME session using VNC. %setup -q %patch0 -p1 -b .Return-error-if-X11-is-not-detected %patch1 -p1 -b .Do-not-restart-service-after-unclean-exit-code +%patch2 -p1 -b .Do-not-listen-all-if-invalid-interface-is-provided %build @@ -92,6 +94,7 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/vino-server.desktop %changelog * Wed May 23 2018 Ondrej Holy - 3.22.0-9 - Do not restart service after unclean exit code +- Do not listen all if invalid interface is provided * Fri May 18 2018 Ondrej Holy - 3.22.0-8 - Return error if X11 is not detected