Re: status of the gdm3 security update

2018-08-28 Thread Antoine Beaupré 
On 2018-08-28 19:31:27, Markus Koschany wrote:
> Hello Chris,
>
> the Debian LTS team would like to fix CVE-2018-14424, gdm3 in Jessie. We
> have prepared a patch [1] based on your work which you have attached to
> the Gnome issue tracker. [2] We have noticed [3] that it is still
> possible to "crash" gdm3 in Jessie with your POC although we cannot get
> a meaningful stacktrace to find out why.

Hi!

For the record, I cannot reproduce those results. With the packages
provided in [3], everything works well in my test environment. I am
testing in Vagrant 2.0.2 backed by VirtualBox 5.2.18 on Debian buster,
with an up-to-date official "jessie" box available here:

https://app.vagrantup.com/debian/boxes/jessie64

To reproduce, on the host:

sudo apt install vagrant
vagrant init debian/jessie64
vagrant up
vagrant ssh

Then, in the guest, this should reproduce the crash in jessie:

sudo apt update ; sudo apt upgrade -y
sudo apt install -y gdm3
wget 
https://gitlab.gnome.org/GNOME/gdm/uploads/70fb90ddb64ea3b4697be3e93438dc2c/crash-gdm.sh
cat crash-gdm.sh # quick audit
sh crash-gdm.sh # reproduce the crash
sudo dmesg | tail # should show segfault

Then, in the guest again, upgrade to my test packages:

sudo apt install devscripts
dget 
https://people.debian.org/~anarcat/debian/jessie-lts/gdm3_3.14.1-7+deb7u1_amd64.changes
sudo apt install ./gdm3_3.14.1-7+deb7u1_amd64.deb
sudo service restart gdm3
sh crash-gdm.sh
sudo dmesg | tail # shows no segfault

I believe the confusion might be coming from the signal that is sent in
the proof of concept (PoC): because it sends a transient screen call, it
*looks* like the session is crashed. But here's a test procedure that
will show it does not, actually crash the session and that the provided
packages behave correctly:

 1. start gdm3
 2. login (user: vagrant, password: vagrant)
 3. start any application (say the file manager)
 4. launch the PoC (sh crash-gdm.sh)
 5. a login dialog comes up. login again
 6. session returns with the application still running

Markus, are you sure the session actually crashes?

> Do you plan to fix this issue for Ubuntu 16.04 too? The version in
> 16.04 is closer to ours, so you may experience the same result.

For what it's worth, the patch should be available here:

https://people.debian.org/~anarcat/debian/jessie-lts/gdm3_3.14.1-7+deb7u1.debian.tar.xz

I also attach the two patches backported by Markus for review.

> Do you think there is an additional patch required or is GDM actually
> doing what it is asked for?

>From my point of view, it's doing exactly what it is asked for. :)

I hope that clarifies things!

A.

-- 
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
- Benjamin Franklin, 1755
From: Markus Koschany 
Date: Thu, 16 Aug 2018 11:48:54 +0200
Subject: CVE-2018-14424_part1

Bug-Upstream: https://gitlab.gnome.org/GNOME/gdm/issues/401
Origin: https://gitlab.gnome.org/GNOME/gdm/commit/6060db704a19b0db68f2e9e6a2d020c0c78b6bba
---
 daemon/gdm-display-store.c | 11 +++
 daemon/gdm-display-store.h |  2 +-
 daemon/gdm-manager.c   | 19 +--
 daemon/gdm-manager.h   |  3 ++-
 4 files changed, 15 insertions(+), 20 deletions(-)

diff --git a/daemon/gdm-display-store.c b/daemon/gdm-display-store.c
index af76f51..fd24334 100644
--- a/daemon/gdm-display-store.c
+++ b/daemon/gdm-display-store.c
@@ -76,15 +76,10 @@ stored_display_new (GdmDisplayStore *store,
 static void
 stored_display_free (StoredDisplay *stored_display)
 {
-char *id;
-
-gdm_display_get_id (stored_display->display, , NULL);
-
 g_signal_emit (G_OBJECT (stored_display->store),
signals[DISPLAY_REMOVED],
0,
-   id);
-g_free (id);
+   stored_display->display);
 
 g_debug ("GdmDisplayStore: Unreffing display: %p",
  stored_display->display);
@@ -281,9 +276,9 @@ gdm_display_store_class_init (GdmDisplayStoreClass *klass)
   G_STRUCT_OFFSET (GdmDisplayStoreClass, display_removed),
   NULL,
   NULL,
-  g_cclosure_marshal_VOID__STRING,
+  g_cclosure_marshal_VOID__OBJECT,
   G_TYPE_NONE,
-  1, G_TYPE_STRING);
+  1, G_TYPE_OBJECT);
 
 g_type_class_add_private (klass, sizeof (GdmDisplayStorePrivate));
 }
diff --git a/daemon/gdm-display-store.h b/daemon/gdm-display-store.h
index 2835993..0aff8ee 100644
--- a/daemon/gdm-display-store.h
+++ b/daemon/gdm-display-store.h
@@ -49,7 +49,7 @@ typedef struct
 void  (* display_added)(GdmDisplayStore *display_store,
 const char  *id);

Re: status of the gdm3 security update

2018-08-28 Thread Markus Koschany 
Hello Chris,

the Debian LTS team would like to fix CVE-2018-14424, gdm3 in Jessie. We
have prepared a patch [1] based on your work which you have attached to
the Gnome issue tracker. [2] We have noticed [3] that it is still
possible to "crash" gdm3 in Jessie with your POC although we cannot get
a meaningful stacktrace to find out why. Do you plan to fix this issue
for Ubuntu 16.04 too? The version in 16.04 is closer to ours, so you may
experience the same result. Do you think there is an additional patch
required or is GDM actually doing what it is asked for?

Regards,

Markus

[1] https://people.debian.org/~apo/lts/
[2] https://gitlab.gnome.org/GNOME/gdm/issues/401
[3] https://lists.debian.org/debian-lts/2018/08/msg00084.html



signature.asc
Description: OpenPGP digital signature

Re: status of the gdm3 security update

2018-08-27 Thread Antoine Beaupré 
Oh, and I forgot to mention the test packages are available here:

https://people.debian.org/~anarcat/debian/jessie-lts/

Cheers,

A.

status of the gdm3 security update

2018-08-27 Thread Antoine Beaupré 
Hi!

After asking Markus the status of the gdm3 security upgrade for jessie,
he nicely offered me to take it over since he got stuck.

Using his patches, however, I wasn't able to reproduce the
problems. Sure, it *looks* like gdm is "crashing", but I /think/ it's
actually doing what it's asked. The reproducer issues those two
commands:

display_path=$(dbus-send --system --dest=org.gnome.DisplayManager 
--type=method_call --print-reply=literal 
/org/gnome/DisplayManager/LocalDisplayFactory 
org.gnome.DisplayManager.LocalDisplayFactory.CreateTransientDisplay)
dbus-send --system --dest=org.gnome.DisplayManager --type=method_call 
$display_path org.gnome.DisplayManager.Display.GetId

ie. it's calling `CreateTransientDisplay`. I am not very familiar with
the gdm3 D-Bus API, but a quick search online seems to indicate this is
used to create a "transient" session, also known as "fast user
switching".

When running the patched gdm3 under Vagrant / VirtualBox, the reproducer
seems to "crash" the display - but what it's doing is actually trying to
create that secondary display. There is no actual segfault the Linux
kernel can detect, and an attached gdb process happily goes through
without detecting anything faulty.

I would therefore assert that the patch does what it's designed to do
and everything is actually good.

Just out of curiosity, I've actually tested the reproducer in Debian
buster, which is supposed to be fixed. It could be because I have an
exotic session (i3 window manager), but it doesn't work very well
either. The display seems to completely crash and return to some virtual
terminal. (Just for good measure, all volumes are maxed up as well,
bringing down my hearing a few more dBs. :p) But gdm3 doesn't segfault
and if I login with my regular user, my session actually returns
untouched.

So I think this flickering and reset is actually normal.

(One thing I *did* find in buster is that
gnome-session-check-accelerated segfaults during the procedure:

Aug 27 19:34:57 curie kernel: [446832.229288] gnome-session-c[28820]: segfault 
at 0 ip  sp 7fff2cd46d08 error 14 in 
gnome-session-check-accelerated
[5606b821b000+2000]
Aug 27 19:34:57 curie kernel: [446832.308946] gnome-session-c[28824]: segfault 
at 0 ip  sp 7fffcd6fb1b8 error 14 in 
gnome-session-check-accelerated
[5589f17d9000+2000]
Aug 27 19:34:57 curie gnome-session[28817]: gnome-session-binary[28817]: 
WARNING: software acceleration check failed: Le processus fils a été tué par le 
signal 11
Aug 27 19:34:57 curie gnome-session-binary[28817]: WARNING: software 
acceleration check failed: Le processus fils a été tué par le signal 11

This is likely an unrelated problem, however, so I am ignoring that.)

So long story short: apo, your patches were fine! Should I upload the
result or do you want to do the honors?

If I got no reply tomorrow, I'll complete the DLA.

Thanks for the hard work!

A.

-- 
In a world where Henry Kissinger wins the Nobel Peace Prize,
there is no need for satire.
- Tom Lehrer