Date: Tuesday, April 13, 2010 @ 15:07:18
Author: andrea
Revision: 77469
patch to fix 'KDM Local Privilege Escalation Vulnerability' (CVE-2010-0436)
Added:
kdebase-workspace/trunk/kdebase-workspace-4.3.5-CVE-2010-0436.diff
Modified:
kdebase-workspace/trunk/PKGBUILD
--------------------------------------------+
PKGBUILD | 11 +
kdebase-workspace-4.3.5-CVE-2010-0436.diff | 196 +++++++++++++++++++++++++++
2 files changed, 204 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2010-04-13 19:06:44 UTC (rev 77468)
+++ PKGBUILD 2010-04-13 19:07:18 UTC (rev 77469)
@@ -3,7 +3,7 @@
pkgname=kdebase-workspace
pkgver=4.4.2
-pkgrel=2
+pkgrel=3
pkgdesc="KDE Base Workspace"
arch=('i686' 'x86_64')
url='http://www.kde.org'
@@ -26,7 +26,8 @@
'etc/pam.d/kscreensaver')
source=("http://download.kde.org/stable/${pkgver}/src/${pkgname}-${pkgver}.tar.bz2";
'kdm-zsh-profile.patch' 'kdm' 'kde.pam' 'kde-np.pam' 'kscreensaver.pam'
- 'fixpath.patch' 'terminate-server.patch')
+ 'fixpath.patch' 'terminate-server.patch'
+ 'kdebase-workspace-4.3.5-CVE-2010-0436.diff')
md5sums=('6251e5d0060bd1529f90b9eaf5f84230'
'721e97031b62aee8914e8617e86f9235'
'363a36b63f84bac79959cfbefdb8309e'
@@ -34,7 +35,8 @@
'552337fd9a3982d809ea16c7f0033d42'
'367a3538f54db71f108b34cfa31088ac'
'47a1f12673f66e62e2463efd7037a26a'
- '814350c52c135d6f7bdada1e29223d38')
+ '814350c52c135d6f7bdada1e29223d38'
+ '68c1dfe76e80812e5e049bb599b3374e')
build() {
cd ${srcdir}/${pkgname}-${pkgver}
@@ -42,6 +44,9 @@
patch -p0 -i ${srcdir}/fixpath.patch || return 1
patch -p0 -i ${srcdir}/terminate-server.patch || return 1
+ # fixed in 4.4.3
+ patch -p0 -i ${srcdir}/kdebase-workspace-4.3.5-CVE-2010-0436.diff ||
return 1
+
cd ${srcdir}
mkdir build
cd build
Added: kdebase-workspace-4.3.5-CVE-2010-0436.diff
===================================================================
--- kdebase-workspace-4.3.5-CVE-2010-0436.diff (rev 0)
+++ kdebase-workspace-4.3.5-CVE-2010-0436.diff 2010-04-13 19:07:18 UTC (rev
77469)
@@ -0,0 +1,196 @@
+--- kdm/ConfigureChecks.cmake
++++ kdm/ConfigureChecks.cmake
+@@ -37,6 +37,35 @@ int main()
+ }
+ " HAVE_SETLOGIN)
+
++check_c_source_runs("
++#include <sys/socket.h>
++#include <sys/un.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <string.h>
++#include <unistd.h>
++#include <errno.h>
++int main()
++{
++ int fd, fd2;
++ struct sockaddr_un sa;
++
++ if ((fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
++ return 2;
++ sa.sun_family = AF_UNIX;
++ strcpy(sa.sun_path, \"testsock\");
++ unlink(sa.sun_path);
++ if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)))
++ return 2;
++ chmod(sa.sun_path, 0);
++ setuid(getuid() + 1000);
++ if ((fd2 = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
++ return 2;
++ connect(fd2, (struct sockaddr *)&sa, sizeof(sa));
++ return errno != EACCES;
++}
++" HONORS_SOCKET_PERMS)
++
+ # for config-kdm.h
+ check_function_exists(seteuid HAVE_SETEUID)
+
+--- kdm/backend/ctrl.c
++++ kdm/backend/ctrl.c
+@@ -79,7 +79,25 @@ nukeSock( struct cmdsock *cs )
+ }
+
+
++#ifdef HONORS_SOCKET_PERMS
+ static CtrlRec ctrl = { 0, 0, -1, 0 };
++#else
++static CtrlRec ctrl = { 0, 0, 0, -1, 0 };
++
++static int mkTempDir( char *dir )
++{
++ int i, l = strlen( dir ) - 6;
++
++ for (i = 0; i < 100; i++) {
++ randomStr( dir + l );
++ if (!mkdir( dir, 0700 ))
++ return True;
++ if (errno != EEXIST)
++ break;
++ }
++ return False;
++}
++#endif
+
+ void
+ openCtrl( struct display *d )
+@@ -113,22 +131,50 @@ openCtrl( struct display *d )
+ if (strlen( cr->path ) >= sizeof(sa.sun_path))
+ logError( "path %\"s too long; control
socket will not be available\n",
+ cr->path );
+- else if (mkdir( sockdir, 0755 ) && errno !=
EEXIST)
++#ifdef HONORS_SOCKET_PERMS
++ else if (mkdir( sockdir, 0700 ) && errno !=
EEXIST)
+ logError( "mkdir %\"s failed: %m;
control socket will not be available\n",
+ sockdir );
++ else if (unlink( cr->path ) && errno != ENOENT)
++ logError( "unlink %\"s failed: %m;
control socket will not be available\n",
++ cr->path );
+ else {
+- if (!d)
+- chown( sockdir, -1, fifoGroup );
++#else
++ else if (unlink( sockdir ) && errno != ENOENT)
++ logError( "unlink %\"s failed: %m;
control socket will not be available\n",
++ sockdir );
++ else if (!strApp( &cr->realdir, sockdir,
"-XXXXXX", (char *)0))
++ ;
++ else if (!mkTempDir( cr->realdir )) {
++ logError( "mkdir %\"s failed: %m;
control socket will not be available\n",
++ cr->realdir );
++ free( cr->realdir );
++ cr->realdir = 0;
++ } else if (symlink( cr->realdir, sockdir )) {
++ logError( "symlink %\"s => %\"s failed:
%m; control socket will not be available\n",
++ sockdir, cr->realdir );
++ rmdir( cr->realdir );
++ free( cr->realdir );
++ cr->realdir = 0;
++ } else {
++ chown( sockdir, 0, d ? 0 : fifoGroup );
+ chmod( sockdir, 0750 );
++#endif
+ if ((cr->fd = socket( PF_UNIX,
SOCK_STREAM, 0 )) < 0)
+ logError( "Cannot create
control socket: %m\n" );
+ else {
+- unlink( cr->path );
+ sa.sun_family = AF_UNIX;
+ strcpy( sa.sun_path, cr->path );
+ if (!bind( cr->fd, (struct
sockaddr *)&sa, sizeof(sa) )) {
+ if (!listen( cr->fd, 5
)) {
++#ifdef HONORS_SOCKET_PERMS
++ chmod(
cr->path, 0660 );
++ if (!d)
++ chown(
cr->path, -1, fifoGroup );
++ chmod( sockdir,
0755 );
++#else
+ chmod(
cr->path, 0666 );
++#endif
+
registerCloseOnFork( cr->fd );
+ registerInput(
cr->fd );
+ free( sockdir );
+@@ -143,6 +189,14 @@ openCtrl( struct display *d )
+ close( cr->fd );
+ cr->fd = -1;
+ }
++#ifdef HONORS_SOCKET_PERMS
++ rmdir( sockdir );
++#else
++ unlink( sockdir );
++ rmdir( cr->realdir );
++ free( cr->realdir );
++ cr->realdir = 0;
++#endif
+ }
+ free( cr->path );
+ cr->path = 0;
+@@ -163,7 +217,14 @@ closeCtrl( struct display *d )
+ cr->fd = -1;
+ unlink( cr->path );
+ *strrchr( cr->path, '/' ) = 0;
++#ifdef HONORS_SOCKET_PERMS
+ rmdir( cr->path );
++#else
++ unlink( cr->path );
++ rmdir( cr->realdir );
++ free( cr->realdir );
++ cr->realdir = 0;
++#endif
+ free( cr->path );
+ cr->path = 0;
+ while (cr->css) {
+@@ -177,12 +238,12 @@ closeCtrl( struct display *d )
+ void
+ chownCtrl( CtrlRec *cr, int uid )
+ {
+- if (cr->path) {
+- char *ptr = strrchr( cr->path, '/' );
+- *ptr = 0;
++ if (cr->path)
++#ifdef HONORS_SOCKET_PERMS
+ chown( cr->path, uid, -1 );
+- *ptr = '/';
+- }
++#else
++ chown( cr->realdir, uid, -1 );
++#endif
+ }
+
+ void
+--- kdm/backend/dm.h
++++ kdm/backend/dm.h
+@@ -232,6 +232,9 @@ typedef struct {
+ struct cmdsock *css; /* open connections */
+
+ char *path; /* filename of the socket */
++#ifndef HONORS_SOCKET_PERMS
++ char *realdir; /* real dirname of the socket */
++#endif
+ int fd; /* fd of the socket */
+ int gid; /* owner group of the socket */
+ } CtrlRec;
+--- kdm/config-kdm.h.cmake
++++ kdm/config-kdm.h.cmake
+@@ -129,6 +129,9 @@
+ /* Define to 1 if the ck-connector library is found */
+ #cmakedefine HAVE_CKCONNECTOR 1
+
++/* Define to 1 if OS honors permission bits on socket inodes */
++#cmakedefine HONORS_SOCKET_PERMS 1
++
+ /* $PATH defaults set by KDM */
+ #cmakedefine KDM_DEF_USER_PATH "${KDM_DEF_USER_PATH}"
+ #cmakedefine KDM_DEF_SYSTEM_PATH "${KDM_DEF_SYSTEM_PATH}"
+--
+1.6.6.20.g9bfff
+
