Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-1.2.git;a=commitdiff;h=56347ab9bfcd1fcdb6fa806faac760c83cd611f0

commit 56347ab9bfcd1fcdb6fa806faac760c83cd611f0
Author: Miklos Vajna <vmik...@frugalware.org>
Date:   Wed Mar 17 13:14:42 2010 +0100

kdebase-workspace-4.3.5-8locris1-i686

- add CVE-2010-0436.patch
- closes #4129

diff --git a/source/kde/kdebase-workspace/CVE-2010-0436.patch 
b/source/kde/kdebase-workspace/CVE-2010-0436.patch
new file mode 100644
index 0000000..ae9f234
--- /dev/null
+++ b/source/kde/kdebase-workspace/CVE-2010-0436.patch
@@ -0,0 +1,125 @@
+From f7dd54043ddc3f9e07e4da6ad4a82e22edff53f6 Mon Sep 17 00:00:00 2001
+From: Oswald Buddenhagen <o...@kde.org>
+Date: Mon, 1 Mar 2010 18:33:27 +0100
+Subject: [PATCH] fix local root hole relating to command sockets
+
+the user owns the socket directory. if he prevented its deletion (e.g.,
+by creating another file in it), he would subsequently get the chance to
+inject a symlink to an arbitrary file whose permissions kdm would
+conveniently change to 0666.
+
+chmod()ing a directory to the user opens a can of worms, as he might
+do all kinds of nasty things with it which would prevent us from
+reclaiming it.
+
+so instead rely on the system's ability to honor file ownership and
+permissions of the socket's inode instead of its parent directory.
+
+for systems where we cannot rely on this behavior (solaris), we create a
+new randomly named socket directory for each session and symlink it from
+the proper name. if the user tries to mess with us, he will pollute the
+top-level socket directory but cause no real harm.
+
+discovered by Sebastian Krahmer from the SUSE security team.
+---
+ kdm/ConfigureChecks.cmake |   34 ++++++++++++++++++++++++++++++++++
+ kdm/backend/ctrl.c        |   20 +++++++++-----------
+ 2 files changed, 43 insertions(+), 11 deletions(-)
+
+diff --git a/kdm/ConfigureChecks.cmake b/kdm/ConfigureChecks.cmake
+index 36544a2..5e35756 100644
+--- a/kdm/ConfigureChecks.cmake
++++ b/kdm/ConfigureChecks.cmake
+@@ -37,6 +37,40 @@ int main()
+ }
+ " HAVE_SETLOGIN)
+
++check_c_source_runs("
++#include <sys/socket.h>
++#include <sys/un.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <string.h>
++#include <unistd.h>
++#include <errno.h>
++int main()
++{
++    int fd, fd2;
++    struct sockaddr_un sa;
++
++    if ((fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
++        return 2;
++    sa.sun_family = AF_UNIX;
++    strcpy(sa.sun_path, \"testsock\");
++    unlink(sa.sun_path);
++    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)))
++        return 2;
++    chmod(sa.sun_path, 0);
++    setuid(getuid() + 1000);
++    if ((fd2 = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
++        return 2;
++    connect(fd2, (struct sockaddr *)&sa, sizeof(sa));
++    return errno != EACCES;
++}
++" HONORS_SOCKET_PERMS)
++
++if (NOT HONORS_SOCKET_PERMS)
++      # This should affect only BSD < 4.4 and Solaris < 2.7.
++      message(FATAL_ERROR "System does not honor file permissions on UNIX 
domain sockets.")
++endif (NOT HONORS_SOCKET_PERMS)
++
+ # for config-kdm.h
+ check_function_exists(seteuid HAVE_SETEUID)
+
+diff --git a/kdm/backend/ctrl.c b/kdm/backend/ctrl.c
+index 155667c..12b8f79 100644
+--- a/kdm/backend/ctrl.c
++++ b/kdm/backend/ctrl.c
+@@ -112,22 +112,24 @@ openCtrl( struct display *d )
+                               if (strlen( cr->path ) >= sizeof(sa.sun_path))
+                                       logError( "path %\"s too long; no 
control sockets will be available\n",
+                                                 cr->path );
+-                              else if (mkdir( sockdir, 0755 ) && errno != 
EEXIST)
++                              else if (mkdir( sockdir, 0700 ) && errno != 
EEXIST)
+                                       logError( "mkdir %\"s failed; no 
control sockets will be available\n",
+                                                 sockdir );
++                              else if (unlink( cr->path ) && errno != ENOENT)
++                                      logError( "unlink %\"s failed: %m; 
control socket will not be available\n",
++                                                      cr->path );
+                               else {
+-                                      if (!d)
+-                                              chown( sockdir, -1, fifoGroup );
+-                                      chmod( sockdir, 0750 );
+                                       if ((cr->fd = socket( PF_UNIX, 
SOCK_STREAM, 0 )) < 0)
+                                               logError( "Cannot create 
control socket\n" );
+                                       else {
+-                                              unlink( cr->path );
+                                               sa.sun_family = AF_UNIX;
+                                               strcpy( sa.sun_path, cr->path );
+                                               if (!bind( cr->fd, (struct 
sockaddr *)&sa, sizeof(sa) )) {
+                                                       if (!listen( cr->fd, 5 
)) {
+-                                                              chmod( 
cr->path, 0666 );
++                                                              chmod( 
cr->path, 0660 );
++                                                              if (!d)
++                                                                      chown( 
cr->path, -1, fifoGroup );
++                                                              chmod( sockdir, 
0755 );
+                                                               
registerCloseOnFork( cr->fd );
+                                                               registerInput( 
cr->fd );
+                                                               free( sockdir );
+@@ -176,12 +178,8 @@ closeCtrl( struct display *d )
+ void
+ chownCtrl( CtrlRec *cr, int uid )
+ {
+-      if (cr->path) {
+-              char *ptr = strrchr( cr->path, '/' );
+-              *ptr = 0;
++      if (cr->path)
+               chown( cr->path, uid, -1 );
+-              *ptr = '/';
+-      }
+ }
+
+ void
+--
+1.6.5.3
+
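Review bot: In the openCtrl hunk of the embedded patch, the results of `chmod( cr->path, 0660 )`, `chown( cr->path, -1, fifoGroup )` and `chmod( sockdir, 0755 )` are ignored, although after this change the socket inode's mode and owner are the only access control left on the command socket. If the first chmod fails, the socket keeps whatever mode bind() gave it and the directory is still opened to 0755. I would open the directory only when the socket calls succeeded, e.g. guard with `if (chmod( cr->path, 0660 ) || (!d && chown( cr->path, -1, fifoGroup )))`, then log the failure and close `cr->fd` instead of registering it. Separately, on the `errno != EEXIST` branch of `mkdir( sockdir, 0700 )` nothing visible verifies that an already existing sockdir is a root-owned directory with a safe mode; if a user-owned directory from before the fix can survive an upgrade, an lstat() check belongs there. openCtrl starts and ends outside the hunk, so such checks may exist out of view.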
diff --git a/source/kde/kdebase-workspace/FrugalBuild 
b/source/kde/kdebase-workspace/FrugalBuild
index e34ff70..ff65cf5 100644
--- a/source/kde/kdebase-workspace/FrugalBuild
+++ b/source/kde/kdebase-workspace/FrugalBuild
@@ -2,7 +2,7 @@
# Maintainer: DeX77 <d...@dragonslave.de>

pkgname=kdebase-workspace
-pkgrel=7
+pkgrel=8locris1
pkgdesc="Programs specific for the KDE4 desktop."
groups=('kde')
archs=('i686' 'x86_64' 'ppc')
@@ -37,7 +37,8 @@ source=("${sour...@]}" \
11-plasma-obvious-configure.diff \
12-cursors-location.patch \
13-polkit-kde-1.patch \
-       14-PyKde4.patch)
+       14-PyKde4.patch \
+       CVE-2010-0436.patch)
replaces=('ksensors' 'katapult' 'tastymenu' 'kbfx' 'kdesktop-menu' \
'kicker-compiz' 'taskbar-compiz' 'mtaskbar' 'ksmoothdock' \
'kompose' 'dbus-qt3' 'katapult' 'compiz-kde')
@@ -59,7 +60,9 @@ sha1sums=('703582cb8a3471c5821986dbdfc3c6deedac0ff3' \
'469e6e5c2893c662c3fde199bcb867d081ba3d50' \
'454f18f51d225d8e9c05985ea42a0a713727f964' \
'f92fc315dd470c137cbd356cbb453636d0a85e89' \
-          '5fa17cf59d4a3eec413b44ef2abf11ed43da668a')
+          '5fa17cf59d4a3eec413b44ef2abf11ed43da668a' \
+          'f91f7bc1b87b81bb2c68e1f0765e1f7a4ef3f92d')
+options=("${optio...@]}" 'nofakeroot')

subpkgs=("${subpk...@]}" "kdm")
subdescs=("${subdes...@]}" "KDE Display Manager")
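Review bot: The added `options=(... 'nofakeroot')` line has no explanation, and neither the commit message nor the FrugalBuild says why a security patch needs the build to leave fakeroot. My guess is the HONORS_SOCKET_PERMS probe that the patch adds to kdm/ConfigureChecks.cmake, which calls `setuid(getuid() + 1000)` and stops configure with FATAL_ERROR unless connect() reports EACCES. If that is the reason, say so in a comment above the line, e.g. `# nofakeroot: the CVE-2010-0436 configure probe needs a real setuid() to test socket permissions`. The option appears to change the privileges the whole build runs with, so the reason should be on record so that it can be dropped when the probe no longer needs it.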