author | Maciej Mrozowski <reavertm@gentoo.org> | 2010-04-14 18:30:46 +0000 |
---|---|---|
committer | Maciej Mrozowski <reavertm@gentoo.org> | 2010-04-14 18:30:46 +0000 |
commit | 11a81738eacf2638bcb8a45d7bae4d8d221e2e51 (patch) | |
tree | 5d77713e2d6c4e11426b0970d8176b74513dc56b /kde-base | |
parent | Stable for HPPA (bug #305793). (diff) | |
Fix bug 315235, local privilege escalation vulnerability
(Portage version: 2.2_rc67/cvs/Linux x86_64)
Diffstat (limited to 'kde-base')
-rw-r--r-- | kde-base/kdm/ChangeLog | 10 | ||||
-rw-r--r-- | kde-base/kdm/files/kdm-4.3.5-CVE-2010-0436.patch | 225 | ||||
-rw-r--r-- | kde-base/kdm/files/kdm-4.4.2-CVE-2010-0436.patch | 202 | ||||
-rw-r--r-- | kde-base/kdm/kdm-4.3.5-r1.ebuild | 100 | ||||
-rw-r--r-- | kde-base/kdm/kdm-4.4.2-r2.ebuild (renamed from kde-base/kdm/kdm-4.4.2-r1.ebuild) | 3 |
5 files changed, 538 insertions, 2 deletions
diff --git a/kde-base/kdm/ChangeLog b/kde-base/kdm/ChangeLog index 6a7404101551..22656f19894e 100644 --- a/kde-base/kdm/ChangeLog +++ b/kde-base/kdm/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for kde-base/kdm # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/kde-base/kdm/ChangeLog,v 1.209 2010/04/09 14:56:48 reavertm Exp $ +# $Header: /var/cvsroot/gentoo-x86/kde-base/kdm/ChangeLog,v 1.210 2010/04/14 18:30:46 reavertm Exp $ + +*kdm-4.4.2-r2 (14 Apr 2010) +*kdm-4.3.5-r1 (14 Apr 2010) + + 14 Apr 2010; Maciej Mrozowski <reavertm@gentoo.org> +kdm-4.3.5-r1.ebuild, + +files/kdm-4.3.5-CVE-2010-0436.patch, -kdm-4.4.2-r1.ebuild, + +kdm-4.4.2-r2.ebuild, +files/kdm-4.4.2-CVE-2010-0436.patch: + Fix bug 315235, local privilege escalation vulnerability *kdm-4.4.2-r1 (09 Apr 2010) diff --git a/kde-base/kdm/files/kdm-4.3.5-CVE-2010-0436.patch b/kde-base/kdm/files/kdm-4.3.5-CVE-2010-0436.patch new file mode 100644 index 000000000000..2ca173a10f74 --- /dev/null +++ b/kde-base/kdm/files/kdm-4.3.5-CVE-2010-0436.patch 
@@ -0,0 +1,225 @@ +Index: kdm/ConfigureChecks.cmake +=================================================================== +--- kdm/ConfigureChecks.cmake (revision 1114813) ++++ kdm/ConfigureChecks.cmake (working copy) +@@ -80,6 +80,38 @@ + define_library(nsl gethostbyname) + endif (NOT have_gethostbyname) + ++macro_push_required_vars() ++set(CMAKE_REQUIRED_LIBRARIES ${SOCKET_LIBRARIES}) ++check_c_source_runs(" ++#include <sys/socket.h> ++#include <sys/un.h> ++#include <sys/stat.h> ++#include <sys/types.h> ++#include <string.h> ++#include <unistd.h> ++#include <errno.h> ++int main() ++{ ++ int fd, fd2; ++ struct sockaddr_un sa; ++ ++ if ((fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) ++ return 2; ++ sa.sun_family = AF_UNIX; ++ strcpy(sa.sun_path, \"testsock\"); ++ unlink(sa.sun_path); ++ if (bind(fd, (struct sockaddr *)&sa, sizeof(sa))) ++ return 2; ++ chmod(sa.sun_path, 0); ++ setuid(getuid() + 1000); ++ if ((fd2 = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) ++ return 2; ++ connect(fd2, (struct sockaddr *)&sa, sizeof(sa)); ++ return errno != EACCES; ++} ++" HONORS_SOCKET_PERMS) ++macro_pop_required_vars() ++ + # for genkdmconf; this is TODO + #if (EXISTS /etc/ttys) + # set(BSD_INIT 1) +Index: kdm/config-kdm.h.cmake +=================================================================== +--- kdm/config-kdm.h.cmake (revision 1114813) ++++ kdm/config-kdm.h.cmake (working copy) +@@ -129,6 +129,9 @@ + /* Define to 1 if the ck-connector library is found */ + #cmakedefine HAVE_CKCONNECTOR 1 + ++/* Define to 1 if OS honors permission bits on socket inodes */ ++#cmakedefine HONORS_SOCKET_PERMS 1 ++ + /* $PATH defaults set by KDM */ + #cmakedefine KDM_DEF_USER_PATH "${KDM_DEF_USER_PATH}" + #cmakedefine KDM_DEF_SYSTEM_PATH "${KDM_DEF_SYSTEM_PATH}" +Index: kdm/backend/ctrl.c +=================================================================== +--- kdm/backend/ctrl.c (revision 1114813) ++++ kdm/backend/ctrl.c (working copy) +@@ -78,8 +78,26 @@ + } + + ++#ifdef HONORS_SOCKET_PERMS + static 
CtrlRec ctrl = { 0, 0, -1, 0 }; ++#else ++static CtrlRec ctrl = { 0, 0, 0, -1, 0 }; + ++static int mkTempDir( char *dir ) ++{ ++ int i, l = strlen( dir ) - 6; ++ ++ for (i = 0; i < 100; i++) { ++ randomStr( dir + l ); ++ if (!mkdir( dir, 0700 )) ++ return True; ++ if (errno != EEXIST) ++ break; ++ } ++ return False; ++} ++#endif ++ + void + openCtrl( struct display *d ) + { +@@ -97,7 +115,7 @@ + if (cr->fd < 0) { + if (mkdir( fifoDir, 0755 )) { + if (errno != EEXIST) { +- logError( "mkdir %\"s failed; no control FiFos will be available\n", ++ logError( "mkdir %\"s failed: %m; no control sockets will be available\n", + fifoDir ); + return; + } +@@ -110,38 +128,74 @@ + strApp( &cr->path, sockdir, "/socket", (char *)0 ); + if (cr->path) { + if (strlen( cr->path ) >= sizeof(sa.sun_path)) +- logError( "path %\"s too long; no control sockets will be available\n", ++ logError( "path %\"s too long; control socket will not be available\n", + cr->path ); +- else if (mkdir( sockdir, 0755 ) && errno != EEXIST) +- logError( "mkdir %\"s failed; no control sockets will be available\n", ++#ifdef HONORS_SOCKET_PERMS ++ else if (mkdir( sockdir, 0700 ) && errno != EEXIST) ++ logError( "mkdir %\"s failed: %m; control socket will not be available\n", + sockdir ); ++ else if (unlink( cr->path ) && errno != ENOENT) ++ logError( "unlink %\"s failed: %m; control socket will not be available\n", ++ cr->path ); + else { +- if (!d) +- chown( sockdir, -1, fifoGroup ); ++#else ++ else if (unlink( sockdir ) && errno != ENOENT) ++ logError( "unlink %\"s failed: %m; control socket will not be available\n", ++ sockdir ); ++ else if (!strApp( &cr->realdir, sockdir, "-XXXXXX", (char *)0)) ++ ; ++ else if (!mkTempDir( cr->realdir )) { ++ logError( "mkdir %\"s failed: %m; control socket will not be available\n", ++ cr->realdir ); ++ free( cr->realdir ); ++ cr->realdir = 0; ++ } else if (symlink( cr->realdir, sockdir )) { ++ logError( "symlink %\"s => %\"s failed: %m; control socket will not be 
available\n", ++ sockdir, cr->realdir ); ++ rmdir( cr->realdir ); ++ free( cr->realdir ); ++ cr->realdir = 0; ++ } else { ++ chown( sockdir, 0, d ? 0 : fifoGroup ); + chmod( sockdir, 0750 ); ++#endif + if ((cr->fd = socket( PF_UNIX, SOCK_STREAM, 0 )) < 0) +- logError( "Cannot create control socket\n" ); ++ logError( "Cannot create control socket: %m\n" ); + else { +- unlink( cr->path ); + sa.sun_family = AF_UNIX; + strcpy( sa.sun_path, cr->path ); + if (!bind( cr->fd, (struct sockaddr *)&sa, sizeof(sa) )) { + if (!listen( cr->fd, 5 )) { ++#ifdef HONORS_SOCKET_PERMS ++ chmod( cr->path, 0660 ); ++ if (!d) ++ chown( cr->path, -1, fifoGroup ); ++ chmod( sockdir, 0755 ); ++#else + chmod( cr->path, 0666 ); ++#endif + registerCloseOnFork( cr->fd ); + registerInput( cr->fd ); + free( sockdir ); + return; + } + unlink( cr->path ); +- logError( "Cannot listen on control socket %\"s\n", ++ logError( "Cannot listen on control socket %\"s: %m\n", + cr->path ); + } else +- logError( "Cannot bind control socket %\"s\n", ++ logError( "Cannot bind control socket %\"s: %m\n", + cr->path ); + close( cr->fd ); + cr->fd = -1; + } ++#ifdef HONORS_SOCKET_PERMS ++ rmdir( sockdir ); ++#else ++ unlink( sockdir ); ++ rmdir( cr->realdir ); ++ free( cr->realdir ); ++ cr->realdir = 0; ++#endif + } + free( cr->path ); + cr->path = 0; +@@ -162,7 +216,14 @@ + cr->fd = -1; + unlink( cr->path ); + *strrchr( cr->path, '/' ) = 0; ++#ifdef HONORS_SOCKET_PERMS + rmdir( cr->path ); ++#else ++ rmdir( cr->realdir ); ++ free( cr->realdir ); ++ cr->realdir = 0; ++ unlink( cr->path ); ++#endif + free( cr->path ); + cr->path = 0; + while (cr->css) { +@@ -177,10 +238,11 @@ + chownCtrl( CtrlRec *cr, int uid ) + { + if (cr->path) { +- char *ptr = strrchr( cr->path, '/' ); +- *ptr = 0; ++#ifdef HONORS_SOCKET_PERMS + chown( cr->path, uid, -1 ); +- *ptr = '/'; ++#else ++ chown( cr->realdir, uid, -1 ); ++#endif + } + } + +Index: kdm/backend/dm.h +=================================================================== 
+--- kdm/backend/dm.h (revision 1114813) ++++ kdm/backend/dm.h (working copy) +@@ -232,6 +232,9 @@ + struct cmdsock *css; /* open connections */ + + char *path; /* filename of the socket */ ++#ifndef HONORS_SOCKET_PERMS ++ char *realdir; /* real dirname of the socket */ ++#endif + int fd; /* fd of the socket */ + int gid; /* owner group of the socket */ + } CtrlRec; diff --git a/kde-base/kdm/files/kdm-4.4.2-CVE-2010-0436.patch b/kde-base/kdm/files/kdm-4.4.2-CVE-2010-0436.patch new file mode 100644 index 000000000000..b6363bfac521 --- /dev/null +++ b/kde-base/kdm/files/kdm-4.4.2-CVE-2010-0436.patch 
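Review bot: In the `HONORS_SOCKET_PERMS` branch of `openCtrl()` in kdm/backend/ctrl.c, `chmod( sockdir, 0755 )` makes the directory world-searchable again even when the preceding `chmod( cr->path, 0660 )` or `chown( cr->path, -1, fifoGroup )` failed, because none of the three return values is checked. Once the directory is open, access control rests entirely on the socket inode, which would then presumably still carry whatever mode `bind()` and the umask gave it. The widening should be conditional, e.g. `if (!chmod( cr->path, 0660 ) && (d || !chown( cr->path, -1, fifoGroup ))) chmod( sockdir, 0755 );`, with a failure logged and routed through the same cleanup as the `listen` failure. `openCtrl()` starts and ends outside the inner hunks shown, and the 4.4.2 patch later in this commit contains the same lines.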
@@ -0,0 +1,202 @@ +Index: kdm/ConfigureChecks.cmake +=================================================================== +--- kdm/ConfigureChecks.cmake (revision 1114416) ++++ kdm/ConfigureChecks.cmake (revision 1114417) +@@ -80,6 +80,38 @@ + define_library(nsl gethostbyname) + endif (NOT have_gethostbyname) + ++macro_push_required_vars() ++set(CMAKE_REQUIRED_LIBRARIES ${SOCKET_LIBRARIES}) ++check_c_source_runs(" ++#include <sys/socket.h> ++#include <sys/un.h> ++#include <sys/stat.h> ++#include <sys/types.h> ++#include <string.h> ++#include <unistd.h> ++#include <errno.h> ++int main() ++{ ++ int fd, fd2; ++ struct sockaddr_un sa; ++ ++ if ((fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) ++ return 2; ++ sa.sun_family = AF_UNIX; ++ strcpy(sa.sun_path, \"testsock\"); ++ unlink(sa.sun_path); ++ if (bind(fd, (struct sockaddr *)&sa, sizeof(sa))) ++ return 2; ++ chmod(sa.sun_path, 0); ++ setuid(getuid() + 1000); ++ if ((fd2 = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) ++ return 2; ++ connect(fd2, (struct sockaddr *)&sa, sizeof(sa)); ++ return errno != EACCES; ++} ++" HONORS_SOCKET_PERMS) ++macro_pop_required_vars() ++ + # for genkdmconf; this is TODO + #if (EXISTS /etc/ttys) + # set(BSD_INIT 1) +Index: kdm/config-kdm.h.cmake +=================================================================== +--- kdm/config-kdm.h.cmake (revision 1114416) ++++ kdm/config-kdm.h.cmake (revision 1114417) +@@ -129,6 +129,9 @@ + /* Define to 1 if the ck-connector library is found */ + #cmakedefine HAVE_CKCONNECTOR 1 + ++/* Define to 1 if OS honors permission bits on socket inodes */ ++#cmakedefine HONORS_SOCKET_PERMS 1 ++ + /* $PATH defaults set by KDM */ + #cmakedefine KDM_DEF_USER_PATH "${KDM_DEF_USER_PATH}" + #cmakedefine KDM_DEF_SYSTEM_PATH "${KDM_DEF_SYSTEM_PATH}" +Index: kdm/backend/ctrl.c +=================================================================== +--- kdm/backend/ctrl.c (revision 1114416) ++++ kdm/backend/ctrl.c (revision 1114417) +@@ -79,8 +79,26 @@ + } + + ++#ifdef 
HONORS_SOCKET_PERMS + static CtrlRec ctrl = { 0, 0, -1, 0 }; ++#else ++static CtrlRec ctrl = { 0, 0, 0, -1, 0 }; + ++static int mkTempDir( char *dir ) ++{ ++ int i, l = strlen( dir ) - 6; ++ ++ for (i = 0; i < 100; i++) { ++ randomStr( dir + l ); ++ if (!mkdir( dir, 0700 )) ++ return True; ++ if (errno != EEXIST) ++ break; ++ } ++ return False; ++} ++#endif ++ + void + openCtrl( struct display *d ) + { +@@ -113,22 +131,50 @@ + if (strlen( cr->path ) >= sizeof(sa.sun_path)) + logError( "path %\"s too long; control socket will not be available\n", + cr->path ); +- else if (mkdir( sockdir, 0755 ) && errno != EEXIST) ++#ifdef HONORS_SOCKET_PERMS ++ else if (mkdir( sockdir, 0700 ) && errno != EEXIST) + logError( "mkdir %\"s failed: %m; control socket will not be available\n", + sockdir ); ++ else if (unlink( cr->path ) && errno != ENOENT) ++ logError( "unlink %\"s failed: %m; control socket will not be available\n", ++ cr->path ); + else { +- if (!d) +- chown( sockdir, -1, fifoGroup ); ++#else ++ else if (unlink( sockdir ) && errno != ENOENT) ++ logError( "unlink %\"s failed: %m; control socket will not be available\n", ++ sockdir ); ++ else if (!strApp( &cr->realdir, sockdir, "-XXXXXX", (char *)0)) ++ ; ++ else if (!mkTempDir( cr->realdir )) { ++ logError( "mkdir %\"s failed: %m; control socket will not be available\n", ++ cr->realdir ); ++ free( cr->realdir ); ++ cr->realdir = 0; ++ } else if (symlink( cr->realdir, sockdir )) { ++ logError( "symlink %\"s => %\"s failed: %m; control socket will not be available\n", ++ sockdir, cr->realdir ); ++ rmdir( cr->realdir ); ++ free( cr->realdir ); ++ cr->realdir = 0; ++ } else { ++ chown( sockdir, 0, d ? 
0 : fifoGroup ); + chmod( sockdir, 0750 ); ++#endif + if ((cr->fd = socket( PF_UNIX, SOCK_STREAM, 0 )) < 0) + logError( "Cannot create control socket: %m\n" ); + else { +- unlink( cr->path ); + sa.sun_family = AF_UNIX; + strcpy( sa.sun_path, cr->path ); + if (!bind( cr->fd, (struct sockaddr *)&sa, sizeof(sa) )) { + if (!listen( cr->fd, 5 )) { ++#ifdef HONORS_SOCKET_PERMS ++ chmod( cr->path, 0660 ); ++ if (!d) ++ chown( cr->path, -1, fifoGroup ); ++ chmod( sockdir, 0755 ); ++#else + chmod( cr->path, 0666 ); ++#endif + registerCloseOnFork( cr->fd ); + registerInput( cr->fd ); + free( sockdir ); +@@ -143,6 +189,14 @@ + close( cr->fd ); + cr->fd = -1; + } ++#ifdef HONORS_SOCKET_PERMS ++ rmdir( sockdir ); ++#else ++ unlink( sockdir ); ++ rmdir( cr->realdir ); ++ free( cr->realdir ); ++ cr->realdir = 0; ++#endif + } + free( cr->path ); + cr->path = 0; +@@ -163,7 +217,14 @@ + cr->fd = -1; + unlink( cr->path ); + *strrchr( cr->path, '/' ) = 0; ++#ifdef HONORS_SOCKET_PERMS + rmdir( cr->path ); ++#else ++ rmdir( cr->realdir ); ++ free( cr->realdir ); ++ cr->realdir = 0; ++ unlink( cr->path ); ++#endif + free( cr->path ); + cr->path = 0; + while (cr->css) { +@@ -178,10 +239,11 @@ + chownCtrl( CtrlRec *cr, int uid ) + { + if (cr->path) { +- char *ptr = strrchr( cr->path, '/' ); +- *ptr = 0; ++#ifdef HONORS_SOCKET_PERMS + chown( cr->path, uid, -1 ); +- *ptr = '/'; ++#else ++ chown( cr->realdir, uid, -1 ); ++#endif + } + } + +Index: kdm/backend/dm.h +=================================================================== +--- kdm/backend/dm.h (revision 1114416) ++++ kdm/backend/dm.h (revision 1114417) +@@ -232,6 +232,9 @@ + struct cmdsock *css; /* open connections */ + + char *path; /* filename of the socket */ ++#ifndef HONORS_SOCKET_PERMS ++ char *realdir; /* real dirname of the socket */ ++#endif + int fd; /* fd of the socket */ + int gid; /* owner group of the socket */ + } CtrlRec; 
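Review bot: The `HONORS_SOCKET_PERMS` probe in kdm/ConfigureChecks.cmake chooses between the two hardening paths with `return errno != EACCES;` without looking at the return value of `connect()`, and `setuid(getuid() + 1000)` is unchecked too, so a successful `connect()` is judged by whatever `errno` an earlier call left behind. A successful connect should be the explicit "not honoured" answer: `if (!connect(fd2, (struct sockaddr *)&sa, sizeof(sa))) return 1;` followed by `return errno != EACCES;`. Since `check_c_source_runs` executes on the build host (and cannot run when cross-compiling), the outcome may also differ between a root and an unprivileged build; a comment above the check stating which result is expected on supported targets would help. The 4.3.5 patch earlier in this commit carries the identical test.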
diff --git a/kde-base/kdm/kdm-4.3.5-r1.ebuild b/kde-base/kdm/kdm-4.3.5-r1.ebuild
new file mode 100644
index 000000000000..f23acf0faeb7
--- /dev/null
+++ b/kde-base/kdm/kdm-4.3.5-r1.ebuild
@@ -0,0 +1,100 @@ +# Copyright 1999-2010 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/kde-base/kdm/kdm-4.3.5-r1.ebuild,v 1.1 2010/04/14 18:30:46 reavertm Exp $ + +EAPI="2" + +KMNAME="kdebase-workspace" +inherit kde4-meta flag-o-matic + +DESCRIPTION="KDE login manager, similar to xdm and gdm" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86" +IUSE="consolekit debug +handbook kerberos pam" + +DEPEND=" + x11-libs/libXau + x11-libs/libXdmcp + x11-libs/libXtst + consolekit? ( + >=sys-apps/dbus-1.0.2 + sys-auth/consolekit + ) + kerberos? ( virtual/krb5 ) + pam? ( + $(add_kdebase_dep kcheckpass) + virtual/pam + ) +" +RDEPEND="${DEPEND} + $(add_kdebase_dep kdepasswd) + >=x11-apps/xinit-1.0.5-r2 + x11-apps/xmessage +" + +KMEXTRACTONLY=" + kcontrol/kdm/ +" +KMEXTRA=" + libs/kdm/ +" + +PATCHES=( + "${FILESDIR}/kdebase-4.0.2-pam-optional.patch" + "${FILESDIR}/${PN}-4-gentoo-xinitrc.d.patch" + "${FILESDIR}/${PN}-4.3.1-set-grub-default.patch" + "${FILESDIR}/${PN}-4.3.5-CVE-2010-0436.patch" +) + +src_configure() { + # genkdmconf breaks with -O3 + # last checked in 4.2.95 + replace-flags -O3 -O2 + + mycmakeargs=( + $(cmake-utils_use kerberos KDE4_KRB5AUTH) + $(cmake-utils_use_with pam) + $(cmake-utils_use_with consolekit CkConnector) + ) + + kde4-meta_src_configure +} + +src_install() { + export GENKDMCONF_FLAGS="--no-old --no-backup" + + kde4-meta_src_install + + # Customize the kdmrc configuration + sed -i -e "s:^.*SessionsDirs=.*$:#&\nSessionsDirs=${EPREFIX}/usr/share/xsessions:" \ + "${ED}"/${PREFIX}/share/config/kdm/kdmrc \ + || die "Failed to set SessionsDirs correctly." + + # Don't install empty dir + rmdir "${ED}${KDEDIR}"/share/config/kdm/sessions +} + +pkg_postinst() { + kde4-meta_pkg_postinst + + # Set the default kdm face icon if it's not already set by the system admin + # because this is user-overrideable in that way, it's not in src_install + if [[ ! 
-e "${EROOT}${KDEDIR}/share/apps/kdm/faces/.default.face.icon" ]]; then + mkdir -p "${EROOT}${KDEDIR}/share/apps/kdm/faces" + cp "${EROOT}${KDEDIR}/share/apps/kdm/pics/users/default1.png" \ + "${EROOT}${KDEDIR}/share/apps/kdm/faces/.default.face.icon" + fi + if [[ ! -e "${EROOT}${KDEDIR}/share/apps/kdm/faces/root.face.icon" ]]; then + mkdir -p "${EROOT}${KDEDIR}/share/apps/kdm/faces" + cp "${EROOT}${KDEDIR}/share/apps/kdm/pics/users/root1.png" \ + "${EROOT}${KDEDIR}/share/apps/kdm/faces/root.face.icon" + fi + + if use consolekit; then + echo + elog "You have compiled 'kdm' with consolekit support. If you want to use kdm," + elog "make sure consolekit daemon is running and started at login time" + elog + elog "rc-update add consolekit default && /etc/init.d/consolekit start" + echo + fi +} diff --git a/kde-base/kdm/kdm-4.4.2-r1.ebuild b/kde-base/kdm/kdm-4.4.2-r2.ebuild index 0f876b15fe7c..6e95e0178fd8 100644 --- a/kde-base/kdm/kdm-4.4.2-r1.ebuild +++ b/kde-base/kdm/kdm-4.4.2-r2.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2010 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/kde-base/kdm/kdm-4.4.2-r1.ebuild,v 1.1 2010/04/09 14:56:48 reavertm Exp $ +# $Header: /var/cvsroot/gentoo-x86/kde-base/kdm/kdm-4.4.2-r2.ebuild,v 1.1 2010/04/14 18:30:46 reavertm Exp $ EAPI="3" @@ -41,6 +41,7 @@ KMEXTRA=" PATCHES=( "${FILESDIR}/kdebase-4.0.2-pam-optional.patch" "${FILESDIR}/${PN}-4-gentoo-xinitrc.d.patch" + "${FILESDIR}/${PN}-4.4.2-CVE-2010-0436.patch" ) src_configure() { |