
Backport security fixes for x11/sddm

The 0.18 release of x11/sddm contains a fix for a security error
that probably doesn't affect us: session-reuse. In any case our
default configuration is not vulnerable. This doesn't update to
0.18 because there's a bunch of other changes that would need to
be chased, further delaying this update.

While here, pet portlint and Tijl, who asked for a pkg-message.

PR:		230029
Reported by:	doctorwhoguy@gmail.com
Security:	f00acdec-b59f-11e8-805d-001e2a3f778d
Adriaan de Groot 2018-09-11 10:39:36 +00:00
parent a314e23802
commit 116ff37469
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=479522
4 changed files with 114 additions and 0 deletions


@ -3,11 +3,21 @@
PORTNAME= sddm
PORTVERSION= 0.17.0
DISTVERSIONPREFIX= v
PORTREVISION= 1
CATEGORIES= x11
MAINTAINER= kde@FreeBSD.org
COMMENT= QML based login manager
# The source code is GPLv2+, but the provided themes are:
# - CC-BY 3.0 (default greeter theme, maldives)
# - CC-BY 4.0 (maya)
# - Apache20 (font included with maya)
LICENSE= GPLv2+ CC-BY-3.0 CC-BY-4.0 APACHE20
LICENSE_COMB= multi
LICENSE_FILE_GPLv2+= ${WRKSRC}/LICENSE
LICENSE_FILE_CC-BY-3.0= ${WRKSRC}/LICENSE.CC-BY-3.0
RUN_DEPENDS= dbus-run-session:devel/dbus
USES= cmake:outsource kde:5 qt:5
@ -29,6 +39,10 @@ GROUPS= sddm
USE_GITHUB= yes
# There are multiple patches that apply to Display.cpp,
# fixing CVE-2018-14345 and backported from 0.18.
EXTRA_PATCHES= ${PATCHDIR}/git-patch-147cec38d ${PATCHDIR}/git-patch-b02b00559
post-patch:
@${REINPLACE_CMD} -e 's#/etc/X11#${LOCALBASE}/etc/X11#' \
-e 's#/usr/bin/#${LOCALBASE}/bin/#g' \
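Review bot: The comment above `EXTRA_PATCHES` does not record that the two patch files are order-dependent. Judging by the `index` lines in the patch files further down this page, the second file's Display.cpp change (`57d7ecb..c2ea728`) starts from the blob the first one produces (`5abfc9a..57d7ecb`), so reordering the list or dropping one entry would presumably make the second patch fail to apply or leave the CVE fix half-applied. I would extend the comment with something like `# Apply in this order; the second patch builds on the first. Drop both when updating to 0.18.` The `post-patch` target continues past the end of this hunk.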


@ -0,0 +1,28 @@
diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp
index 5abfc9a..57d7ecb 100644
--- src/daemon/Display.cpp
+++ src/daemon/Display.cpp
@@ -339,7 +339,9 @@ namespace SDDM {
} else {
//we only want to unlock the session if we can lock in, so we want to go via PAM auth, but not start a new session
//by not setting the session and the helper will emit authentication and then quit
- connect(m_auth, &Auth::authentication, this, [=](){
+ connect(m_auth, &Auth::authentication, this, [=](const QString &, bool success){
+ if(!success)
+ return;
qDebug() << "activating existing seat";
OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
manager.UnlockSession(existingSessionId);
diff --git a/src/helper/backend/PamBackend.cpp b/src/helper/backend/PamBackend.cpp
index 69cbd2c..5467282 100644
--- src/helper/backend/PamBackend.cpp
+++ src/helper/backend/PamBackend.cpp
@@ -219,8 +219,6 @@ namespace SDDM {
if (user == QStringLiteral("sddm") && m_greeter)
service = QStringLiteral("sddm-greeter");
- else if (m_app->session()->path().isEmpty())
- service = QStringLiteral("sddm-check");
else if (m_autologin)
service = QStringLiteral("sddm-autologin");
result = m_pam->start(service, user);
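Review bot: With the `sddm-check` branch removed in PamBackend.cpp, an authentication with an empty session path now starts PAM with whatever `service` held before this `if`/`else if` chain, and that initial value is set outside the hunk. The unlock-only path depends on this PAM transaction actually verifying the password, so it is worth confirming that the PAM policy the port installs for that service name enforces a credential check. If it is indeed the regular login service, a comment at the removal site would record the choice, e.g. `// unlock-only auth deliberately shares the regular login PAM service`. The enclosing function starts and ends outside the hunk.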


@ -0,0 +1,70 @@
diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp
index 57d7ecb..c2ea728 100644
--- src/daemon/Display.cpp
+++ src/daemon/Display.cpp
@@ -280,7 +280,7 @@ namespace SDDM {
return;
}
- QString existingSessionId;
+ m_reuseSessionId = QString();
if (Logind::isAvailable() && mainConfig.Users.ReuseSession.get()) {
OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
@@ -291,7 +291,7 @@ namespace SDDM {
if (s.userName == user) {
OrgFreedesktopLogin1SessionInterface session(Logind::serviceName(), s.sessionPath.path(), QDBusConnection::systemBus());
if (session.service() == QLatin1String("sddm")) {
- existingSessionId = s.sessionId;
+ m_reuseSessionId = s.sessionId;
break;
}
}
@@ -334,19 +334,8 @@ namespace SDDM {
m_auth->insertEnvironment(env);
m_auth->setUser(user);
- if (existingSessionId.isNull()) {
+ if (m_reuseSessionId.isNull()) {
m_auth->setSession(session.exec());
- } else {
- //we only want to unlock the session if we can lock in, so we want to go via PAM auth, but not start a new session
- //by not setting the session and the helper will emit authentication and then quit
- connect(m_auth, &Auth::authentication, this, [=](const QString &, bool success){
- if(!success)
- return;
- qDebug() << "activating existing seat";
- OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
- manager.UnlockSession(existingSessionId);
- manager.ActivateSession(existingSessionId);
- });
}
m_auth->start();
}
@@ -355,7 +344,13 @@ namespace SDDM {
if (success) {
qDebug() << "Authenticated successfully";
- m_auth->setCookie(qobject_cast<XorgDisplayServer *>(m_displayServer)->cookie());
+ if (!m_reuseSessionId.isNull()) {
+ OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
+ manager.UnlockSession(m_reuseSessionId);
+ manager.ActivateSession(m_reuseSessionId);
+ } else {
+ m_auth->setCookie(qobject_cast<XorgDisplayServer *>(m_displayServer)->cookie());
+ }
// save last user and last session
if (mainConfig.Users.RememberLastUser.get())
diff --git a/src/daemon/Display.h b/src/daemon/Display.h
index 09d3cf9..a6a06b2 100644
--- src/daemon/Display.h
+++ src/daemon/Display.h
@@ -85,6 +85,7 @@ namespace SDDM {
QString m_passPhrase;
QString m_sessionName;
+ QString m_reuseSessionId;
Auth *m_auth { nullptr };
DisplayServer *m_displayServer { nullptr };
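Review bot: `m_reuseSessionId` is now state that outlives a single login attempt, but it is only reset at the top of the login path (after the early `return` shown as context in the first Display.cpp hunk) and is never cleared once the authentication-finished handler has used it or when `success` is false. If any path reaches that handler without passing the reset, a stale session id would be unlocked and activated; clearing it in the handler on both outcomes once it is no longer needed, e.g. `m_reuseSessionId = QString();`, would close that off. The replies from `manager.UnlockSession(...)` and `manager.ActivateSession(...)` are also discarded, so a failed unlock is indistinguishable from a successful one in the log. Both functions extend beyond the hunks shown, and as this is an upstream backport the change is best proposed upstream as well.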

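--- a/x11/sddm/pkg-message
+++ b/x11/sddm/pkg-message
@@ -0,0 +1,2 @@
+SDDM does not support login.conf(5), and no special restrictions
+or settings from login.conf are enforced or applied.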