Package: release.debian.org Severity: normal User: [email protected] Usertags: pu
Hi, as already discussed, I’d like to propose a stable upload for gdm3 in order to avoid a security risk when doing upgrades. Theoretically, with the greeter session of gdm 2.30 and the glib version in wheezy, you could use default URI handlers, and launch things such as a web browser. A bit of testing didn’t show any dialog from which this could be triggered, but it’s better to be on the safe side. Therefore this update would, when a newer glib is installed, disable all URI handlers, as already done by gdm3 3.4 in wheezy. Proposed diff attached. Cheers, -- .''`. Josselin Mouette : :' : `. `' `-
Index: debian/applications/mime-dummy-handler.desktop =================================================================== --- debian/applications/mime-dummy-handler.desktop (révision 0) +++ debian/applications/mime-dummy-handler.desktop (révision 36541) @@ -0,0 +1,6 @@ +[Desktop Entry] +Type=Application +Name=Dummy URI Handler +Exec=/bin/true %U +Terminal=false +StartupNotify=false Index: debian/applications/mimeapps.list =================================================================== --- debian/applications/mimeapps.list (révision 0) +++ debian/applications/mimeapps.list (révision 36541) @@ -0,0 +1,19 @@ +[Default Applications] +x-scheme-handler/file=mime-dummy-handler.desktop +x-scheme-handler/ftp=mime-dummy-handler.desktop +x-scheme-handler/ghelp=mime-dummy-handler.desktop +x-scheme-handler/help=mime-dummy-handler.desktop +x-scheme-handler/http=mime-dummy-handler.desktop +x-scheme-handler/https=mime-dummy-handler.desktop +x-scheme-handler/info=mime-dummy-handler.desktop +x-scheme-handler/irc=mime-dummy-handler.desktop +x-scheme-handler/itms=mime-dummy-handler.desktop +x-scheme-handler/mailto=mime-dummy-handler.desktop +x-scheme-handler/man=mime-dummy-handler.desktop +x-scheme-handler/mms=mime-dummy-handler.desktop +x-scheme-handler/rtp=mime-dummy-handler.desktop +x-scheme-handler/rtsp=mime-dummy-handler.desktop +x-scheme-handler/sip=mime-dummy-handler.desktop +x-scheme-handler/trash=mime-dummy-handler.desktop +x-scheme-handler/webcal=mime-dummy-handler.desktop +x-scheme-handler/xmpp=mime-dummy-handler.desktop Index: debian/patches/series =================================================================== --- debian/patches/series (révision 36540) +++ debian/patches/series (révision 36541) @@ -35,5 +35,6 @@ 35_double_free.patch 36_windowpath.patch 37_shutdown_buttons.patch +38_greeter_datadir.patch 90_relibtoolize.patch 99_CVE-2011-0727.patch Index: debian/patches/38_greeter_datadir.patch =================================================================== --- debian/patches/38_greeter_datadir.patch (révision 0) +++ debian/patches/38_greeter_datadir.patch (révision 36541) @@ -0,0 +1,49 @@ +From 48705abd751e6e2f1d20b51098e1b97d74855338 Mon Sep 17 00:00:00 2001 +From: Ray Strode <[email protected]> +Date: Mon, 20 Jun 2011 17:21:35 +0000 +Subject: daemon: use gnome-session session files instead of autostart + +Before we were doing some sort of weird hybrid thing with +a session file and an autostart directory that wasn't that +much different than just having an autostart directory by +itself. + +Now we fully define the session component list from the session +file, and merely provide a pool of new candidate desktop files to +select that sessoin from. + +This modernizes how we use gnome-session and as a side-effect +enables us the ability to have fallback sessions (which will +be important when defaulting to a shell based greeter later). +--- +(limited to 'daemon/gdm-welcome-session.c') +(refreshed against 2.30) + +Index: gdm3-2.30.5/daemon/gdm-welcome-session.c +=================================================================== +--- gdm3-2.30.5.orig/daemon/gdm-welcome-session.c 2013-01-07 12:02:30.717944131 +0100 ++++ gdm3-2.30.5/daemon/gdm-welcome-session.c 2013-01-07 12:02:42.682002617 +0100 +@@ -356,6 +356,7 @@ get_welcome_environment (GdmWelcomeSessi + "LC_IDENTIFICATION", "LC_ALL", + NULL + }; ++ char *system_data_dirs; + int i; + + load_lang_config_file (LANG_CONFIG_FILE, +@@ -375,6 +376,15 @@ get_welcome_environment (GdmWelcomeSessi + g_strdup (g_getenv (optional_environment[i]))); + } + ++ system_data_dirs = g_strjoinv (":", (char **) g_get_system_data_dirs ()); ++ ++ g_hash_table_insert (hash, ++ g_strdup ("XDG_DATA_DIRS"), ++ g_strdup_printf ("%s:%s", ++ DATADIR "/gdm/greeter", ++ system_data_dirs)); ++ g_free (system_data_dirs); ++ + if (welcome_session->priv->dbus_bus_address != NULL) { + g_hash_table_insert (hash, + g_strdup ("DBUS_SESSION_BUS_ADDRESS"), Index: debian/gdm3.install =================================================================== --- debian/gdm3.install (révision 36540) +++ debian/gdm3.install (révision 36541) @@ -8,3 +8,4 @@ debian/default.desktop usr/share/gdm/BuiltInSessions data/session-setup.entries usr/share/gdm/greeter-config debian/insserv.conf.d etc +debian/applications usr/share/gdm/greeter Index: debian/changelog =================================================================== --- debian/changelog (révision 36540) +++ debian/changelog (révision 36541) @@ -1,3 +1,19 @@ +gdm3 (2.30.5-6squeeze5) UNRELEASED; urgency=low + + * Handle partial upgrades to wheezy, where a glib version that relies + on x-scheme-* for URL handlers gets installed. In this case, using + the defaults in /usr/share/applications leads to a security + vulnerability where anyone can launch an URI handler from the + greeter session. + + 38_greeter_datadir.patch: modified patch from version 3.0. Add + XDG_DATA_DIRS to the greeter session. + + debian/applications/{mime-dummy-handler.desktop,mimeapps.list}: + copied from version 3.4. The former is a dummy handler for URIs, + the latter associates it with every known URI scheme. + + gdm3.install: install these in /usr/share/gdm/greeter/applications + + -- Josselin Mouette <[email protected]> Mon, 07 Jan 2013 12:03:06 +0100 + gdm3 (2.30.5-6squeeze4) stable; urgency=low * 35_double_free.patch: stolen from 2.30.7. Fix a double free issue in
