Hello community,

here is the log from the commit of package pam_kwallet for openSUSE:Factory checked in at 2018-05-06 15:02:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam_kwallet (Old)
 and      /work/SRC/openSUSE:Factory/.pam_kwallet.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_kwallet" Sun May 6 15:02:30 2018 rev:29 rq:604497 version:5.12.5 Changes: -------- --- /work/SRC/openSUSE:Factory/pam_kwallet/pam_kwallet.changes 2018-05-04 11:31:04.936282392 +0200 +++ /work/SRC/openSUSE:Factory/.pam_kwallet.new/pam_kwallet.changes 2018-05-06 15:02:34.666583049 +0200 @@ -1,0 +2,6 @@ +Sat May 5 11:17:50 UTC 2018 - [email protected] + +- Add patch to address regression introduced by previous fixes: + * 0001-Avoid-giving-an-stderr-to-kwallet.patch + +------------------------------------------------------------------- New: ---- 0001-Avoid-giving-an-stderr-to-kwallet.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_kwallet.spec ++++++ --- /var/tmp/diff_new_pack.9iMO1P/_old 2018-05-06 15:02:35.218562788 +0200 +++ /var/tmp/diff_new_pack.9iMO1P/_new 2018-05-06 15:02:35.218562788 +0200 @@ -29,6 +29,8 @@ Patch1: 0001-Move-salt-creation-to-an-unprivileged-process.patch # PATCH-FIX-UPSTREAM Patch2: 0002-Move-socket-creation-to-unprivileged-codepath.patch +# PATCH-FIX-UPSTREAM +Patch3: 0001-Avoid-giving-an-stderr-to-kwallet.patch BuildRequires: extra-cmake-modules >= 1.2.0 BuildRequires: kf5-filesystem BuildRequires: libgcrypt-devel >= 1.5.0 ++++++ 0001-Avoid-giving-an-stderr-to-kwallet.patch ++++++ >From 8da1a47035fc92bc1496059583772bc4bd6e8ba6 Mon Sep 17 00:00:00 2001 
From: Maximiliano Curia <[email protected]> Date: Fri, 4 May 2018 22:06:06 +0200 Subject: [PATCH] Avoid giving an stderr to kwallet Summary: The fixes for CVE-2018-10380 introduced a regression for most users not using kde, and some for kde sessions. In particular the reorder of the close calls and creating a new socket caused that the socket is always assigned the file descriptor 2, aka stderr. BUG: 393856 Test Plan: It works Reviewers: #plasma, aacid Reviewed By: aacid Subscribers: asturmlechner, rdieter, davidedmundson, plasma-devel Tags: #plasma Differential Revision: https://phabricator.kde.org/D12702 --- pam_kwallet.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pam_kwallet.c b/pam_kwallet.c index b9c984a..661ed8d 100644 --- a/pam_kwallet.c +++ b/pam_kwallet.c @@ -375,7 +375,8 @@ static int drop_privileges(struct passwd *userInfo) static void execute_kwallet(pam_handle_t *pamh, struct passwd *userInfo, int toWalletPipe[2], char *fullSocket) { //In the child pam_syslog does not work, using syslog directly - int x = 2; + //keep stderr open so socket doesn't returns us that fd + int x = 3; //Close fd that are not of interest of kwallet for (; x < 64; ++x) { if (x != toWalletPipe[0]) { @@ -424,6 +425,8 @@ static void execute_kwallet(pam_handle_t *pamh, struct passwd *userInfo, int toW pam_syslog(pamh, LOG_INFO, "%s-kwalletd: Couldn't listen in socket\n", logPrefix); return; } + //finally close stderr + close(2); // Fork twice to daemonize kwallet setsid(); -- 2.16.2
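Review bot: the new pam_kwallet.changes entry (@@ -1,0 +2,6 @@) describes the fix only as a "regression introduced by previous fixes" and carries no bug reference. The patch header names both BUG: 393856 and the CVE-2018-10380 fixes, so the bullet should cite the upstream bug number and say which earlier fixes regressed; otherwise the changelog cannot be matched to the upstream report when auditing which builds have the corrected CVE fix.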
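Review bot: in the pam_kwallet.spec hunk (@@ -29,6 +29,8 @@) Patch3 is declared, but this is the only spec hunk in the diff, so nothing visible here applies it. If %prep lists patches one by one, a matching %patch3 line is needed or the package builds without the fix; if it applies all patches automatically, say so in the review. The file name also reuses the 0001- prefix already taken by Patch1 (0001-Move-salt-creation-to-an-unprivileged-process.patch), which is easy to misread in the patch list, and the bare "# PATCH-FIX-UPSTREAM" tag would be more useful with a short description or the bug reference after it.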
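Review bot: in the first pam_kwallet.c hunk (@@ -375,7 +375,8 @@), starting the loop at "int x = 3;" keeps the new socket off fd 2 only because the lowest free descriptor is handed out next, and only if fds 0 and 1 are also still open at that point, which these lines do not establish. The loop skips closing toWalletPipe[0] alone, so the guarantee is implicit. It would be more robust to check the descriptor returned by the socket call and move it above 2 (for example with fcntl F_DUPFD and a minimum of 3) when it lands on a standard stream, rather than relying on stderr acting as a placeholder. The new comment should also be corrected ("doesn't returns us") and should state the invariant it protects, for example that the listening socket must never be one of fds 0 to 2.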
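Review bot: in the second pam_kwallet.c hunk (@@ -424,6 +425,8 @@), "close(2);" leaves fd 2 unallocated right before the daemonizing forks, so unless code outside this hunk reopens it, the next descriptor opened in this process or in the kwallet process it starts can again be assigned fd 2, and anything written to stderr would then go into that file or socket. That is the same class of problem the commit message describes. Pointing fd 2 at /dev/null instead of closing it would avoid this. The added close also comes after the "Couldn't listen in socket" return, so the error paths now return with stderr still open where the old code had already closed it; please confirm that difference is intended, and check the return value of the close or note why it is ignored.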
