rev 17667 - in trunk/packages/kdebase-workspace/debian: . patches

Fathi Boudra fabo at alioth.debian.org
Wed Apr 14 09:05:56 UTC 2010 

Author: fabo
Date: 2010-04-14 09:05:45 +0000 (Wed, 14 Apr 2010)
New Revision: 17667

Added:
   trunk/packages/kdebase-workspace/debian/patches/kdebase-workspace-4.3.5-CVE-2010-0436.diff
Modified:
   trunk/packages/kdebase-workspace/debian/changelog
   trunk/packages/kdebase-workspace/debian/patches/series
Log:
Add upstream patch to fix KDM Local Privilege Escalation Vulnerability (CVE-2010-0436)

Modified: trunk/packages/kdebase-workspace/debian/changelog
===================================================================
--- trunk/packages/kdebase-workspace/debian/changelog	2010-04-13 21:19:02 UTC (rev 17666)
+++ trunk/packages/kdebase-workspace/debian/changelog	2010-04-14 09:05:45 UTC (rev 17667)
@@ -1,3 +1,9 @@
+kdebase-workspace (4:4.4.2-2) UNRELEASED; urgency=low
+
+  * CVE-2010-0436 - KDM Local Privilege Escalation Vulnerability fix.
+
+ -- Fathi Boudra <fabo at debian.org>  Wed, 14 Apr 2010 12:02:38 +0300
+
 kdebase-workspace (4:4.4.2-1) experimental; urgency=low
 
   * New upstream release:

Added: trunk/packages/kdebase-workspace/debian/patches/kdebase-workspace-4.3.5-CVE-2010-0436.diff
===================================================================
--- trunk/packages/kdebase-workspace/debian/patches/kdebase-workspace-4.3.5-CVE-2010-0436.diff	                        (rev 0)
+++ trunk/packages/kdebase-workspace/debian/patches/kdebase-workspace-4.3.5-CVE-2010-0436.diff	2010-04-14 09:05:45 UTC (rev 17667)
@@ -0,0 +1,201 @@
+KDE Security Advisory: KDM Local Privilege Escalation Vulnerability
+Original Release Date: 2010-04-13
+URL: http://www.kde.org/info/security/advisory-20100413-1.txt
+CVE: CVE-2010-0436
+
+--- a/kdm/ConfigureChecks.cmake
++++ b/kdm/ConfigureChecks.cmake
+@@ -37,6 +37,35 @@ int main()
+ }
+ " HAVE_SETLOGIN)
+ 
++check_c_source_runs("
++#include <sys/socket.h>
++#include <sys/un.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <string.h>
++#include <unistd.h>
++#include <errno.h>
++int main()
++{
++    int fd, fd2;
++    struct sockaddr_un sa;
++
++    if ((fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
++        return 2;
++    sa.sun_family = AF_UNIX;
++    strcpy(sa.sun_path, \"testsock\");
++    unlink(sa.sun_path);
++    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)))
++        return 2;
++    chmod(sa.sun_path, 0);
++    setuid(getuid() + 1000);
++    if ((fd2 = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
++        return 2;
++    connect(fd2, (struct sockaddr *)&sa, sizeof(sa));
++    return errno != EACCES;
++}
++" HONORS_SOCKET_PERMS)
++
+ # for config-kdm.h
+ check_function_exists(seteuid HAVE_SETEUID)
+ 
+--- a/kdm/backend/ctrl.c
++++ b/kdm/backend/ctrl.c
+@@ -79,7 +79,25 @@ nukeSock( struct cmdsock *cs )
+ }
+ 
+ 
++#ifdef HONORS_SOCKET_PERMS
+ static CtrlRec ctrl = { 0, 0, -1, 0 };
++#else
++static CtrlRec ctrl = { 0, 0, 0, -1, 0 };
++
++static int mkTempDir( char *dir )
++{
++	int i, l = strlen( dir ) - 6;
++
++	for (i = 0; i < 100; i++) {
++		randomStr( dir + l );
++		if (!mkdir( dir, 0700 ))
++			return True;
++		if (errno != EEXIST)
++			break;
++	}
++	return False;
++}
++#endif
+ 
+ void
+ openCtrl( struct display *d )
+@@ -113,22 +131,50 @@ openCtrl( struct display *d )
+ 				if (strlen( cr->path ) >= sizeof(sa.sun_path))
+ 					logError( "path %\"s too long; control socket will not be available\n",
+ 					          cr->path );
+-				else if (mkdir( sockdir, 0755 ) && errno != EEXIST)
++#ifdef HONORS_SOCKET_PERMS
++				else if (mkdir( sockdir, 0700 ) && errno != EEXIST)
+ 					logError( "mkdir %\"s failed: %m; control socket will not be available\n",
+ 					          sockdir );
++				else if (unlink( cr->path ) && errno != ENOENT)
++					logError( "unlink %\"s failed: %m; control socket will not be available\n",
++					          cr->path );
+ 				else {
+-					if (!d)
+-						chown( sockdir, -1, fifoGroup );
++#else
++				else if (unlink( sockdir ) && errno != ENOENT)
++					logError( "unlink %\"s failed: %m; control socket will not be available\n",
++					          sockdir );
++				else if (!strApp( &cr->realdir, sockdir, "-XXXXXX", (char *)0))
++					;
++				else if (!mkTempDir( cr->realdir )) {
++					logError( "mkdir %\"s failed: %m; control socket will not be available\n",
++					          cr->realdir );
++					free( cr->realdir );
++					cr->realdir = 0;
++				} else if (symlink( cr->realdir, sockdir )) {
++					logError( "symlink %\"s => %\"s failed: %m; control socket will not be available\n",
++					          sockdir, cr->realdir );
++					rmdir( cr->realdir );
++					free( cr->realdir );
++					cr->realdir = 0;
++				} else {
++					chown( sockdir, 0, d ? 0 : fifoGroup );
+ 					chmod( sockdir, 0750 );
++#endif
+ 					if ((cr->fd = socket( PF_UNIX, SOCK_STREAM, 0 )) < 0)
+ 						logError( "Cannot create control socket: %m\n" );
+ 					else {
+-						unlink( cr->path );
+ 						sa.sun_family = AF_UNIX;
+ 						strcpy( sa.sun_path, cr->path );
+ 						if (!bind( cr->fd, (struct sockaddr *)&sa, sizeof(sa) )) {
+ 							if (!listen( cr->fd, 5 )) {
++#ifdef HONORS_SOCKET_PERMS
++								chmod( cr->path, 0660 );
++								if (!d)
++									chown( cr->path, -1, fifoGroup );
++								chmod( sockdir, 0755 );
++#else
+ 								chmod( cr->path, 0666 );
++#endif
+ 								registerCloseOnFork( cr->fd );
+ 								registerInput( cr->fd );
+ 								free( sockdir );
+@@ -143,6 +189,14 @@ openCtrl( struct display *d )
+ 						close( cr->fd );
+ 						cr->fd = -1;
+ 					}
++#ifdef HONORS_SOCKET_PERMS
++					rmdir( sockdir );
++#else
++					unlink( sockdir );
++					rmdir( cr->realdir );
++					free( cr->realdir );
++					cr->realdir = 0;
++#endif
+ 				}
+ 				free( cr->path );
+ 				cr->path = 0;
+@@ -163,7 +217,14 @@ closeCtrl( struct display *d )
+ 		cr->fd = -1;
+ 		unlink( cr->path );
+ 		*strrchr( cr->path, '/' ) = 0;
++#ifdef HONORS_SOCKET_PERMS
+ 		rmdir( cr->path );
++#else
++		unlink( cr->path );
++		rmdir( cr->realdir );
++		free( cr->realdir );
++		cr->realdir = 0;
++#endif
+ 		free( cr->path );
+ 		cr->path = 0;
+ 		while (cr->css) {
+@@ -177,12 +238,12 @@ closeCtrl( struct display *d )
+ void
+ chownCtrl( CtrlRec *cr, int uid )
+ {
+-	if (cr->path) {
+-		char *ptr = strrchr( cr->path, '/' );
+-		*ptr = 0;
++	if (cr->path)
++#ifdef HONORS_SOCKET_PERMS
+ 		chown( cr->path, uid, -1 );
+-		*ptr = '/';
+-	}
++#else
++		chown( cr->realdir, uid, -1 );
++#endif
+ }
+ 
+ void
+--- a/kdm/backend/dm.h
++++ b/kdm/backend/dm.h
+@@ -232,6 +232,9 @@ typedef struct {
+ 	struct cmdsock *css;  /* open connections */
+ 
+ 	char *path;           /* filename of the socket */
++#ifndef HONORS_SOCKET_PERMS
++	char *realdir;        /* real dirname of the socket */
++#endif
+ 	int fd;               /* fd of the socket */
+ 	int gid;              /* owner group of the socket */
+ } CtrlRec;
+--- a/kdm/config-kdm.h.cmake
++++ b/kdm/config-kdm.h.cmake
+@@ -129,6 +129,9 @@
+ /* Define to 1 if the ck-connector library is found */
+ #cmakedefine HAVE_CKCONNECTOR 1
+ 
++/* Define to 1 if OS honors permission bits on socket inodes */
++#cmakedefine HONORS_SOCKET_PERMS 1
++
+ /* $PATH defaults set by KDM */
+ #cmakedefine KDM_DEF_USER_PATH "${KDM_DEF_USER_PATH}"
+ #cmakedefine KDM_DEF_SYSTEM_PATH "${KDM_DEF_SYSTEM_PATH}"
+-- 
+1.6.6.20.g9bfff
+

Modified: trunk/packages/kdebase-workspace/debian/patches/series
===================================================================
--- trunk/packages/kdebase-workspace/debian/patches/series	2010-04-13 21:19:02 UTC (rev 17666)
+++ trunk/packages/kdebase-workspace/debian/patches/series	2010-04-14 09:05:45 UTC (rev 17667)
@@ -1,3 +1,4 @@
+kdebase-workspace-4.3.5-CVE-2010-0436.diff
 06_kdm_does_not_wreak_havoc.diff
 07_kdmrc_defaults.diff
 08_genkdmconf.diff

More information about the pkg-kde-commits mailing list