Darcsweb-Url: http://darcs.frugalware.org/darcsweb/darcsweb.cgi?r=frugalware-0.6;a=darcs_commitdiff;h=20070907063715-dd049-3885e04063a127d9b91f00cfb647fa4ac5a7a374.gz;
[gdm-2.18.0-2terminus1-i686 voroskoi <[EMAIL PROTECTED]>**20070907063715 secfix relbump, closes #2329 ] { addfile ./source/gnome/gdm/CVE-2007-3381.diff hunk ./source/gnome/gdm/CVE-2007-3381.diff 1 +--- gnome-2-18/daemon/gdm.c 2007/04/09 02:31:48 4777 ++++ gnome-2-18/daemon/gdm.c 2007/07/12 00:06:52 5062 +@@ -2557,190 +2557,216 @@ + NULL, 0, NULL, NULL, NULL); + } else if (strncmp (msg, "opcode="GDM_SOP_SHOW_ERROR_DIALOG, + strlen ("opcode="GDM_SOP_SHOW_ERROR_DIALOG)) == 0) { +- GdmDisplay *d; +- GtkMessageType type; + char **list; +- char *ptr; +- char *error; +- char *details_label; +- char *details_file; +- long slave_pid; +- int uid, gid; +- + list = g_strsplit (msg, "$$", -1); + +- ptr = strchr (list[1], '='); +- slave_pid = atol (ptr + 1); +- +- ptr = strchr (list[2], '='); +- type = atoi (ptr + 1); +- +- ptr = strchr (list[3], '='); +- error = g_malloc0 (strlen (ptr)); +- strcpy (error, ptr + 1); +- +- ptr = strchr (list[4], '='); +- details_label = g_malloc0 (strlen (ptr)); +- strcpy (details_label, ptr + 1); +- +- ptr = strchr (list[5], '='); +- details_file = g_malloc0 (strlen (ptr)); +- strcpy (details_file, ptr + 1); +- +- ptr = strchr (list[6], '='); +- uid = atoi (ptr + 1); +- +- ptr = strchr (list[7], '='); +- gid = atoi (ptr + 1); ++ if (ve_vector_len (list) == 8) { ++ GdmDisplay *d; ++ GtkMessageType type; ++ char *ptr; ++ char *error; ++ char *details_label; ++ char *details_file; ++ long slave_pid; ++ int uid, gid; ++ ++ ptr = strchr (list[1], '='); ++ slave_pid = atol (ptr + 1); ++ ++ ptr = strchr (list[2], '='); ++ type = atoi (ptr + 1); ++ ++ ptr = strchr (list[3], '='); ++ error = g_malloc0 (strlen (ptr)); ++ strcpy (error, ptr + 1); ++ ++ ptr = strchr (list[4], '='); ++ details_label = g_malloc0 (strlen (ptr)); ++ strcpy (details_label, ptr + 1); ++ ++ ptr = strchr (list[5], '='); ++ details_file = g_malloc0 (strlen (ptr)); ++ strcpy (details_file, ptr + 1); ++ ++ ptr = strchr (list[6], '='); ++ uid = atoi (ptr + 1); ++ ++ ptr = strchr (list[7], '='); ++ gid = atoi (ptr + 1); ++ ++ d = gdm_display_lookup (slave_pid); ++ ++ if (d != NULL) { ++ if (GDM_AUTHFILE (d)) { ++ VE_IGNORE_EINTR ( ++ chmod (GDM_AUTHFILE (d), 0644)); ++ } + +- d = gdm_display_lookup (slave_pid); ++ gdm_error_box_full (d, type, error, ++ details_label, details_file, 0, 0); + +- if (d != NULL) { +- if (GDM_AUTHFILE (d)) { +- VE_IGNORE_EINTR (chmod (GDM_AUTHFILE (d), 0644)); +- } +- +- gdm_error_box_full (d, type, error, details_label, details_file, 0, 0); ++ if (GDM_AUTHFILE (d)) { ++ VE_IGNORE_EINTR ( ++ chmod (GDM_AUTHFILE (d), 0640)); ++ } + +- if (GDM_AUTHFILE (d)) { +- VE_IGNORE_EINTR (chmod (GDM_AUTHFILE (d), 0640)); ++ send_slave_ack_dialog_char (d, ++ GDM_SLAVE_NOTIFY_ERROR_RESPONSE, NULL); + } +- +- send_slave_ack_dialog_char (d, GDM_SLAVE_NOTIFY_ERROR_RESPONSE, NULL); ++ g_free (error); ++ g_free (details_label); ++ g_free (details_file); + } + +- g_free (error); +- g_free (details_label); +- g_free (details_file); + g_strfreev (list); + } else if (strncmp (msg, "opcode="GDM_SOP_SHOW_YESNO_DIALOG, +- strlen ("opcode="GDM_SOP_SHOW_YESNO_DIALOG)) == 0) { +- GdmDisplay *d; ++ strlen ("opcode="GDM_SOP_SHOW_YESNO_DIALOG)) == 0) { + char **list; +- char *ptr; +- char *yesno_msg; +- long slave_pid; +- gboolean response_yesno; +- + list = g_strsplit (msg, "$$", -1); + +- ptr = strchr (list [1], '='); +- slave_pid = atol (ptr + 1); +- +- ptr = strchr (list [2], '='); +- yesno_msg = g_malloc0 (strlen (ptr)); +- strcpy (yesno_msg, ptr + 1); +- +- d = gdm_display_lookup (slave_pid); +- if (d != NULL) { +- if (GDM_AUTHFILE (d)) { +- VE_IGNORE_EINTR (chmod (GDM_AUTHFILE (d), 0644)); +- } +- +- response_yesno = gdm_failsafe_yesno (d, yesno_msg); ++ if (ve_vector_len (list) == 3) { ++ GdmDisplay *d; ++ char *ptr; ++ char *yesno_msg; ++ long slave_pid; ++ gboolean resp; ++ ++ ptr = strchr (list [1], '='); ++ slave_pid = atol (ptr + 1); ++ ++ ptr = strchr (list [2], '='); ++ yesno_msg = g_malloc0 (strlen (ptr)); ++ strcpy (yesno_msg, ptr + 1); ++ ++ d = gdm_display_lookup (slave_pid); ++ if (d != NULL) { ++ if (GDM_AUTHFILE (d)) { ++ VE_IGNORE_EINTR ( ++ chmod (GDM_AUTHFILE (d), 0644)); ++ } + +- send_slave_ack_dialog_int (d, GDM_SLAVE_NOTIFY_YESNO_RESPONSE, response_yesno); ++ resp = gdm_failsafe_yesno (d, yesno_msg); + +- if (GDM_AUTHFILE (d)) { +- VE_IGNORE_EINTR (chmod (GDM_AUTHFILE (d), 0640)); ++ send_slave_ack_dialog_int (d, ++ GDM_SLAVE_NOTIFY_YESNO_RESPONSE, ++ resp); ++ ++ if (GDM_AUTHFILE (d)) { ++ VE_IGNORE_EINTR ( ++ chmod (GDM_AUTHFILE (d), 0640)); ++ } + } +- } + +- g_free (yesno_msg); ++ g_free (yesno_msg); ++ } + g_strfreev (list); + } else if (strncmp (msg, "opcode="GDM_SOP_SHOW_QUESTION_DIALOG, + strlen ("opcode="GDM_SOP_SHOW_QUESTION_DIALOG)) == 0) { +- GdmDisplay *d; + char **list; +- char *ptr; +- char *question_msg; +- char *response_question; +- long slave_pid; +- gboolean echo; +- + list = g_strsplit (msg, "$$", -1); + +- ptr = strchr (list [1], '='); +- slave_pid = atol (ptr + 1); +- +- ptr = strchr (list [2], '='); +- question_msg = g_malloc0 (strlen (ptr)); +- strcpy (question_msg, ptr + 1); +- +- ptr = strchr (list [3], '='); +- echo = atoi (ptr + 1); +- +- d = gdm_display_lookup (slave_pid); +- if (d != NULL) { +- if (GDM_AUTHFILE (d)) { +- VE_IGNORE_EINTR (chmod (GDM_AUTHFILE (d), 0644)); +- } +- +- response_question = gdm_failsafe_question (d, question_msg, echo); ++ if (ve_vector_len (list) == 4) { ++ GdmDisplay *d; ++ char *ptr; ++ char *question_msg; ++ char *resp; ++ long slave_pid; ++ gboolean echo; ++ ++ ptr = strchr (list [1], '='); ++ slave_pid = atol (ptr + 1); ++ ++ ptr = strchr (list [2], '='); ++ question_msg = g_malloc0 (strlen (ptr)); ++ strcpy (question_msg, ptr + 1); ++ ++ ptr = strchr (list [3], '='); ++ echo = atoi (ptr + 1); ++ ++ d = gdm_display_lookup (slave_pid); ++ if (d != NULL) { ++ if (GDM_AUTHFILE (d)) { ++ VE_IGNORE_EINTR ( ++ chmod (GDM_AUTHFILE (d), 0644)); ++ } + +- send_slave_ack_dialog_char (d, GDM_SLAVE_NOTIFY_QUESTION_RESPONSE, response_question); ++ resp = gdm_failsafe_question (d, ++ question_msg, echo); + +- if (GDM_AUTHFILE (d)) { +- VE_IGNORE_EINTR (chmod (GDM_AUTHFILE (d), 0640)); ++ send_slave_ack_dialog_char (d, ++ GDM_SLAVE_NOTIFY_QUESTION_RESPONSE, ++ resp); ++ ++ if (GDM_AUTHFILE (d)) { ++ VE_IGNORE_EINTR ( ++ chmod (GDM_AUTHFILE (d), 0640)); ++ } + } +- } + +- g_free (question_msg); ++ g_free (question_msg); ++ } + g_strfreev (list); + } else if (strncmp (msg, "opcode="GDM_SOP_SHOW_ASKBUTTONS_DIALOG, + strlen ("opcode="GDM_SOP_SHOW_ASKBUTTONS_DIALOG)) == 0) { +- GdmDisplay *d; +- char *askbuttons_msg; + char **list; +- char *ptr; +- char *options[4]; +- long slave_pid; +- int i; +- int response_askbuttons; +- + list = g_strsplit (msg, "$$", -1); + +- ptr = strchr (list [1], '='); +- slave_pid = atol (ptr + 1); +- +- ptr = strchr (list [2], '='); +- askbuttons_msg = g_malloc0 (strlen (ptr)); +- strcpy (askbuttons_msg, ptr + 1); +- +- ptr = strchr (list [3], '='); +- options[0] = g_malloc0 (strlen (ptr)); +- strcpy (options[0], ptr + 1); +- +- ptr = strchr (list [4], '='); +- options[1] = g_malloc0 (strlen (ptr)); +- strcpy (options[1], ptr + 1); +- +- ptr = strchr (list [5], '='); +- options[2] = g_malloc0 (strlen (ptr)); +- strcpy (options[2], ptr + 1); +- +- ptr = strchr (list [6], '='); +- options[3] = g_malloc0 (strlen (ptr)); +- strcpy (options[3], ptr + 1); +- +- d = gdm_display_lookup (slave_pid); +- if (d != NULL) { +- if (GDM_AUTHFILE (d)) { +- VE_IGNORE_EINTR (chmod (GDM_AUTHFILE (d), 0644)); +- } ++ if (ve_vector_len (list) == 7) { ++ GdmDisplay *d; ++ char *askbuttons_msg; ++ char *ptr; ++ char *options[4]; ++ long slave_pid; ++ int i; ++ int resp; ++ ++ ptr = strchr (list [1], '='); ++ slave_pid = atol (ptr + 1); ++ ++ ptr = strchr (list [2], '='); ++ askbuttons_msg = g_malloc0 (strlen (ptr)); ++ strcpy (askbuttons_msg, ptr + 1); ++ ++ ptr = strchr (list [3], '='); ++ options[0] = g_malloc0 (strlen (ptr)); ++ strcpy (options[0], ptr + 1); ++ ++ ptr = strchr (list [4], '='); ++ options[1] = g_malloc0 (strlen (ptr)); ++ strcpy (options[1], ptr + 1); ++ ++ ptr = strchr (list [5], '='); ++ options[2] = g_malloc0 (strlen (ptr)); ++ strcpy (options[2], ptr + 1); ++ ++ ptr = strchr (list [6], '='); ++ options[3] = g_malloc0 (strlen (ptr)); ++ strcpy (options[3], ptr + 1); ++ ++ d = gdm_display_lookup (slave_pid); ++ if (d != NULL) { ++ if (GDM_AUTHFILE (d)) { ++ VE_IGNORE_EINTR ( ++ chmod (GDM_AUTHFILE (d), 0644)); ++ } + +- response_askbuttons = gdm_failsafe_ask_buttons (d, askbuttons_msg, options); ++ resp = gdm_failsafe_ask_buttons (d, ++ askbuttons_msg, options); + +- send_slave_ack_dialog_int (d, GDM_SLAVE_NOTIFY_ASKBUTTONS_RESPONSE, response_askbuttons); +- if (GDM_AUTHFILE (d)) { +- VE_IGNORE_EINTR (chmod (GDM_AUTHFILE (d), 0640)); ++ send_slave_ack_dialog_int (d, ++ GDM_SLAVE_NOTIFY_ASKBUTTONS_RESPONSE, ++ resp); ++ if (GDM_AUTHFILE (d)) { ++ VE_IGNORE_EINTR ( ++ chmod (GDM_AUTHFILE (d), 0640)); ++ } + } +- } + +- g_free (askbuttons_msg); ++ g_free (askbuttons_msg); + +- for (i = 0; i < 3; i ++) +- g_free (options[i]); ++ for (i = 0; i < 3; i ++) ++ g_free (options[i]); ++ } + g_strfreev (list); + } + } +@@ -3481,9 +3507,13 @@ + + } else if (strncmp (msg, GDM_SUP_GET_SERVER_DETAILS " ", + strlen (GDM_SUP_GET_SERVER_DETAILS " ")) == 0) { +- const gchar *server = &msg[strlen (GDM_SUP_GET_SERVER_DETAILS " ")]; +- gchar **splitstr = g_strsplit (server, " ", 2); +- GdmXserver *svr = gdm_find_xserver ((gchar *)splitstr[0]); ++ const gchar *server = &msg[strlen (GDM_SUP_GET_SERVER_DETAILS " ")]; ++ gchar **splitstr = g_strsplit (server, " ", 2); ++ GdmXserver *svr = NULL; ++ ++ if (splitstr != NULL && splitstr[0] != NULL) { ++ svr = gdm_find_xserver ((gchar *)splitstr[0]); ++ } + + if (svr != NULL) { + if (g_strcasecmp (splitstr[1], "ID") == 0) +@@ -3520,12 +3550,11 @@ + gdm_connection_printf (conn, "OK false\n"); + else + gdm_connection_printf (conn, "ERROR 2 Key not valid\n"); +- +- g_strfreev (splitstr); + } else { + gdm_connection_printf (conn, "ERROR 1 Server not found\n"); + } + ++ g_strfreev (splitstr); + } else if (strcmp (msg, GDM_SUP_GREETERPIDS) == 0) { + GString *msg; + GSList *li; +@@ -3555,10 +3584,15 @@ + } else if (strncmp (msg, GDM_SUP_GET_CONFIG " ", + strlen (GDM_SUP_GET_CONFIG " ")) == 0) { + const gchar *parms = &msg[strlen (GDM_SUP_GET_CONFIG " ")]; +- gchar **splitstr = g_strsplit (parms, " ", 2); +- gchar *retval = NULL; ++ gchar **splitstr = g_strsplit (parms, " ", 2); ++ gchar *retval = NULL; + static gboolean done_prefetch = FALSE; + ++ if (splitstr == NULL || splitstr[0] == NULL) { ++ gdm_connection_printf (conn, "ERROR 50 Unsupported key <null>\n"); ++ return; ++ } ++ + /* + * It is not meaningful to manage this in a per-display + * fashion since the prefetch program is only run once the +--- gnome-2-18/daemon/gdmconfig.c 2007/03/20 08:50:41 4684 ++++ gnome-2-18/daemon/gdmconfig.c 2007/07/12 00:06:52 5062 +@@ -850,9 +850,10 @@ + + file = gdm_get_per_display_custom_config_file (display); + +- if (strcmp (ve_sure_string (splitstr[0]), "greeter") == 0 || +- strcmp (ve_sure_string (splitstr[0]), "gui") == 0 || +- is_key (key, GDM_KEY_PAM_STACK)) { ++ if (splitstr != NULL && ++ (strcmp (ve_sure_string (splitstr[0]), "greeter") == 0 || ++ strcmp (ve_sure_string (splitstr[0]), "gui") == 0 || ++ is_key (key, GDM_KEY_PAM_STACK))) { + gdm_config_key_to_string (file, key, retval); + } + +@@ -878,7 +879,7 @@ + *retval = NULL; + + /* Should not fail, all keys should have a category. */ +- if (splitstr[0] == NULL) ++ if (splitstr == NULL || splitstr[0] == NULL) + return; + + /* If file doesn't exist, then just return */ +@@ -1768,7 +1769,7 @@ + if (custom_cfg != NULL) { + gchar **splitstr = g_strsplit (key, "/", 2); + +- if (splitstr[0] != NULL) { ++ if (splitstr != NULL && splitstr[0] != NULL) { + GList *list = ve_config_get_keys (custom_cfg, splitstr[0]); + + while (list != NULL) { +@@ -1956,7 +1957,7 @@ + /* First check the custom file */ + if (cfgfiles->custom_cfg != NULL) { + gchar **splitstr = g_strsplit (key_in, "/", 2); +- if (splitstr[0] != NULL) { ++ if (splitstr != NULL && splitstr[0] != NULL) { + GList *list = ve_config_get_keys (cfgfiles->custom_cfg, splitstr[0]); + + while (list != NULL) { +--- gnome-2-18/gui/gdmflexiserver.c 2007/04/09 05:07:27 4796 ++++ gnome-2-18/gui/gdmflexiserver.c 2007/07/12 00:06:52 5062 +@@ -136,9 +136,10 @@ + for (i = 0; vec[i] != NULL; i++) { + char **rvec; + rvec = g_strsplit (vec[i], ",", -1); +- if (rvec == NULL || +- ve_vector_len (rvec) != 3) ++ if (ve_vector_len (rvec) != 3) { ++ g_strfreev (rvec); + continue; ++ } + + if (strcmp (rvec[0], vtpart) == 0) { + /* could be nested? */ +@@ -177,9 +178,10 @@ + char **rvec; + int vt; + rvec = g_strsplit (vec[i], ",", -1); +- if (rvec == NULL || +- ve_vector_len (rvec) != 3) ++ if (ve_vector_len (rvec) != 3) { ++ g_strfreev (rvec); + continue; ++ } + + vt = get_vt_num (vec, rvec[2], 5); + +@@ -516,9 +518,10 @@ + char **rvec; + int vt; + rvec = g_strsplit (vec[i], ",", -1); +- if (rvec == NULL || +- ve_vector_len (rvec) != 3) ++ if (ve_vector_len (rvec) != 3) { ++ g_strfreev (rvec); + continue; ++ } + + vt = get_vt_num (vec, rvec[2], 5); + +--- gnome-2-18/gui/gdmsetup.c 2007/04/02 05:28:30 4743 ++++ gnome-2-18/gui/gdmsetup.c 2007/07/12 00:06:52 5062 +@@ -4220,7 +4220,7 @@ + msg = g_string_new (""); + + actions = g_strsplit (strings_list, sep, -1); +- for (i = 0; actions[i]; i++) { ++ for (i = 0; actions != NULL && actions[i] != NULL; i++) { + if (strncmp (actions[i], string, strlen (string)) == 0) + continue; + g_string_append_printf (msg, "%s%s", separator, actions[i]); +--- gnome-2-18/gui/greeter/greeter_item_ulist.c 2007/04/09 02:36:08 4778 ++++ gnome-2-18/gui/greeter/greeter_item_ulist.c 2007/07/12 00:06:52 5062 +@@ -140,8 +140,10 @@ + char **rvec; + + rvec = g_strsplit (vec[i], ",", -1); +- if (rvec == NULL || ve_vector_len (rvec) != 3) ++ if (ve_vector_len (rvec) != 3) { ++ g_strfreev (rvec); + continue; ++ } + + g_hash_table_insert (displays_hash, + g_strdup (rvec[1]), +--- gnome-2-18/gui/gdmconfig.c 2007/03/20 08:50:41 4684 ++++ gnome-2-18/gui/gdmconfig.c 2007/07/12 00:06:52 5062 +@@ -214,11 +214,11 @@ + } + + /* skip the "OK " */ +- splitstr = g_strsplit (result + 3, ";", 0); +- sec = splitstr; ++ splitstr = g_strsplit (result + 3, ";", 0); ++ sec = splitstr; + g_free (result); + +- while (*sec != NULL) { ++ while (sec != NULL && *sec != NULL) { + GdmXserver *svr = g_new0 (GdmXserver, 1); + + temp = gdm_config_get_xserver_details (*sec, "ID"); hunk ./source/gnome/gdm/FrugalBuild 6 -pkgrel=1 +pkgrel=2terminus1 hunk ./source/gnome/gdm/FrugalBuild 21 + CVE-2007-3381.diff \ hunk ./source/gnome/gdm/FrugalBuild 24 - 'a61f7c9569a2d73a5cf078e61a17cfed7d280b12' \ + 'a61f7c9569a2d73a5cf078e61a17cfed7d280b12' \ hunk ./source/gnome/gdm/FrugalBuild 26 - '82bb42ae2217465196b8de03b18efcdd832ff137' \ + '82bb42ae2217465196b8de03b18efcdd832ff137' \ + '67949c3a0c4a32e9dd52927272c37946325b8553' \ } _______________________________________________ Frugalware-darcs mailing list Frugalware-darcs@frugalware.org http://frugalware.org/mailman/listinfo/frugalware-darcs