Hello community, here is the log from the commit of package gdm for openSUSE:11.4 checked in at Tue May 31 15:46:21 CEST 2011.
-------- --- old-versions/11.4/UPDATES/all/gdm/gdm.changes 2011-03-30 09:35:33.000000000 +0200 +++ 11.4/gdm/gdm.changes 2011-05-31 09:07:05.000000000 +0200 @@ -1,0 +2,10 @@ +Mon May 23 19:21:04 CEST 2011 - [email protected] + +- Add gdm-no-uri-handler.patch: gdm is supposed to override the + default URI handlers to /bin/true to avoid things like running + Firefox in the GDM session. However, this was done in gconf and + with the move to glib 2.28, the configuration moved outside of + gconf. The patch updates the overrides. Fix bnc#694858 and + CVE-2011-1709. + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- gdm-no-uri-handler.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gdm.spec ++++++ --- /var/tmp/diff_new_pack.JdKNO9/_old 2011-05-31 15:44:53.000000000 +0200 +++ /var/tmp/diff_new_pack.JdKNO9/_new 2011-05-31 15:44:53.000000000 +0200 @@ -42,7 +42,7 @@ License: GPLv2+ Group: System/GUI/GNOME Version: 2.32.0 -Release: 9.<RELEASE14> +Release: 9.<RELEASE16> Summary: The GNOME Display Manager Source: %{name}-%{version}.tar.bz2 Source1: gdm.pamd @@ -87,6 +87,8 @@ Patch37: gdm-autologin-once.patch # PATCH-FIX-UPSTREAM gdm-look-at-runlevel.patch bnc540482 bgo599180 [email protected] -- Look at the current runlevel before managing the display again, so we don't do this when shutting down or rebooting Patch40: gdm-look-at-runlevel.patch +# PATCH-FIX-UPSTREAM gdm-no-uri-handler.patch CVE-2011-1709 bnc#694858 [email protected] -- Use /bin/true as URI handler to avoid security issues where a link could open firefox for the gdm user +Patch41: gdm-no-uri-handler.patch # PATCH-FIX-OPENSUSE gdm-selinux.patch -- Small changes to make it compile fine with SELinux Patch60: gdm-selinux.patch # PATCH-FIX-UPSTREAM gdm-CVE-2011-0727-bnc679786.patch CVE-2011-0727 bnc#679687 [email protected] -- Change to user before copying user files. 
@@ -172,6 +174,7 @@ %patch35 -p0 %patch37 -p1 %patch40 -p1 +%patch41 -p1 %patch60 %patch61 -p1 #gnome-patch-translation-update @@ -281,6 +284,11 @@ %attr(750,gdm,gdm) %dir %{_localstatedir}/lib/gdm/.gconf.mandatory %attr(640,gdm,gdm) %{_localstatedir}/lib/gdm/.gconf.mandatory/%gconf-tree.xml %attr(640,gdm,gdm) %{_localstatedir}/lib/gdm/.gconf.path +%attr(750,gdm,gdm) %dir %{_localstatedir}/lib/gdm/.local +%attr(750,gdm,gdm) %dir %{_localstatedir}/lib/gdm/.local/share +%attr(750,gdm,gdm) %dir %{_localstatedir}/lib/gdm/.local/share/applications +%attr(750,gdm,gdm) %{_localstatedir}/lib/gdm/.local/share/applications/mimeapps.list +%attr(750,gdm,gdm) %{_localstatedir}/lib/gdm/.local/share/applications/mime-dummy-handler.desktop %dir %{_localstatedir}/cache/gdm %config /etc/pam.d/* %config %{_sysconfdir}/dbus-1/system.d/gdm.conf ++++++ gdm-no-uri-handler.patch ++++++ commit b9678dab44cfb0f1ab4904ee12ac5b3719599b83 Author: Vincent Untz <[email protected]> Date: Mon May 23 18:34:46 2011 +0200 Register /bin/true as URI scheme handler for several schemes Starting with glib 2.28, we don't use gconf to find out which handler should be used for a URI scheme, and we need to provide a custom MIME configuration for the gdm user to ensure no default URI scheme handler is used. diff --git a/data/Makefile.am b/data/Makefile.am index 4b13387..f252b64 100644 --- a/data/Makefile.am +++ b/data/Makefile.am @@ -98,6 +98,8 @@ EXTRA_DIST = \ PostLogin \ gconf.path \ session-setup.entries \ + mime-dummy-handler.desktop \ + mimeapps.list \ $(NULL) CLEANFILES = \ 
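Review bot: In the `%files` hunk of gdm.spec (`@@ -281,6 +284,11 @@`), the two regular files `mimeapps.list` and `mime-dummy-handler.desktop` are packaged with `%attr(750,gdm,gdm)`, which sets the execute bit on plain data files and leaves them writable by the gdm account whose URI handling they are meant to restrict. The neighbouring `.gconf.mandatory/%gconf-tree.xml` entry uses 640, and the same would fit here: `%attr(640,gdm,gdm) %{_localstatedir}/lib/gdm/.local/share/applications/mimeapps.list`, and likewise for the .desktop file. If nothing in the greeter session needs to write under `.local/share/applications`, `%attr(640,root,gdm)` would also keep the override from being edited from inside that session; this is an assumption to verify against the greeter's behaviour before changing ownership.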
@@ -247,6 +249,12 @@ install-data-hook: gdm.conf-custom Xsession Init PostSession PreSession gconf.pa chown root:gdm $(DESTDIR)$(workingdir) || : ; \ fi + if test '!' -d $(DESTDIR)$(workingdir)/.local/share/applications; then \ + $(mkinstalldirs) $(DESTDIR)$(workingdir)/.local/share/applications; \ + chmod 0755 $(DESTDIR)$(workingdir)/.local/share/applications; \ + chown gdm:gdm $(DESTDIR)$(workingdir)/.local/share/applications || : ; \ + fi + if test '!' -d $(DESTDIR)$(cachedir); then \ $(mkinstalldirs) $(DESTDIR)$(cachedir); \ chmod 1755 $(DESTDIR)$(cachedir); \ @@ -275,3 +283,5 @@ install-data-hook: gdm.conf-custom Xsession Init PostSession PreSession gconf.pa chmod 1640 $(DESTDIR)$(workingdir)/.gconf.mandatory/*.xml + $(INSTALL_DATA) $(srcdir)/mime-dummy-handler.desktop $(DESTDIR)$(workingdir)/.local/share/applications/mime-dummy-handler.desktop + $(INSTALL_DATA) $(srcdir)/mimeapps.list $(DESTDIR)$(workingdir)/.local/share/applications/mimeapps.list diff --git a/data/mime-dummy-handler.desktop b/data/mime-dummy-handler.desktop new file mode 100644 index 0000000..c94779c --- /dev/null +++ b/data/mime-dummy-handler.desktop @@ -0,0 +1,6 @@ +[Desktop Entry] +Type=Application +Name=Dummy URI Handler +Exec=/bin/true %U +Terminal=false +StartupNotify=false diff --git a/data/mimeapps.list b/data/mimeapps.list new file mode 100644 index 0000000..db3a144 --- /dev/null +++ b/data/mimeapps.list 
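Review bot: In the `@@ -247,6 +249,12 @@` hunk of data/Makefile.am only the leaf directory `.local/share/applications` gets `chmod`/`chown`; `.local` and `.local/share` are created by `$(mkinstalldirs)` with whatever mode the installer's umask gives and stay owned by the installing user. With a restrictive umask the gdm user presumably cannot traverse down to `mimeapps.list`, and the handler override would then be silently absent instead of failing the install. Applying mode and owner to all three levels avoids that, e.g. `for d in .local .local/share .local/share/applications; do chmod 0755 $(DESTDIR)$(workingdir)/$$d; chown gdm:gdm $(DESTDIR)$(workingdir)/$$d || : ; done`. The 0755 used here also differs from the 750 that gdm.spec packages for the same directories, and the `install-data-hook` rule begins and ends outside the hunk.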
@@ -0,0 +1,19 @@
+[Default Applications]
+x-scheme-handler/file=mime-dummy-handler.desktop
+x-scheme-handler/ftp=mime-dummy-handler.desktop
+x-scheme-handler/ghelp=mime-dummy-handler.desktop
+x-scheme-handler/help=mime-dummy-handler.desktop
+x-scheme-handler/http=mime-dummy-handler.desktop
+x-scheme-handler/https=mime-dummy-handler.desktop
+x-scheme-handler/info=mime-dummy-handler.desktop
+x-scheme-handler/irc=mime-dummy-handler.desktop
+x-scheme-handler/itms=mime-dummy-handler.desktop
+x-scheme-handler/mailto=mime-dummy-handler.desktop
+x-scheme-handler/man=mime-dummy-handler.desktop
+x-scheme-handler/mms=mime-dummy-handler.desktop
+x-scheme-handler/rtp=mime-dummy-handler.desktop
+x-scheme-handler/rtsp=mime-dummy-handler.desktop
+x-scheme-handler/sip=mime-dummy-handler.desktop
+x-scheme-handler/trash=mime-dummy-handler.desktop
+x-scheme-handler/webcal=mime-dummy-handler.desktop
+x-scheme-handler/xmpp=mime-dummy-handler.desktop
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
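Review bot: The new data/mimeapps.list is an enumeration of 18 schemes, so any `x-scheme-handler/*` type not named in it still resolves to whatever handler the installed packages register, and the file gives no hint that it has to be kept in step with them. A header comment would make that maintenance duty visible, for example `# Every URI scheme with a system-wide handler must be overridden here; unlisted schemes fall back to the system default.` Whether a catch-all entry is possible depends on glib's lookup code, which this patch does not show, so the comment is the safe minimum. A packaging check that compares this list with the scheme handlers registered on the target system would catch drift when new handlers are added.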
