Backport security fixes for x11/sddm
The 0.18 release of x11/sddm contains a fix for a security error that probably doesn't affect us: session-reuse. In any case our default configuration is not vulnerable. This doesn't update to 0.18 because there's a bunch of other changes that would need to be chased, further delaying this update. While here, pet portlint and Tijl, who asked for a pkg-message. PR: 230029 Reported by: doctorwhoguy@gmail.com Security: f00acdec-b59f-11e8-805d-001e2a3f778d
parent
a314e23802
commit
116ff37469
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=479522
@ -3,11 +3,21 @@
|
||||
PORTNAME= sddm
|
||||
PORTVERSION= 0.17.0
|
||||
DISTVERSIONPREFIX= v
|
||||
PORTREVISION= 1
|
||||
CATEGORIES= x11
|
||||
|
||||
MAINTAINER= kde@FreeBSD.org
|
||||
COMMENT= QML based login manager
|
||||
|
||||
# The source code is GPLv2+, but the provided themes are:
|
||||
# - CC-BY 3.0 (default greeter theme, maldives)
|
||||
# - CC-BY 4.0 (maya)
|
||||
# - Apache20 (font included with maya)
|
||||
LICENSE= GPLv2+ CC-BY-3.0 CC-BY-4.0 APACHE20
|
||||
LICENSE_COMB= multi
|
||||
LICENSE_FILE_GPLv2+= ${WRKSRC}/LICENSE
|
||||
LICENSE_FILE_CC-BY-3.0= ${WRKSRC}/LICENSE.CC-BY-3.0
|
||||
|
||||
RUN_DEPENDS= dbus-run-session:devel/dbus
|
||||
|
||||
USES= cmake:outsource kde:5 qt:5
|
||||
@ -29,6 +39,10 @@ GROUPS= sddm
|
||||
|
||||
USE_GITHUB= yes
|
||||
|
||||
# There are multiple patches that apply to Display.cpp,
|
||||
# fixing CVE-2018-14345 and backported from 0.18.
|
||||
EXTRA_PATCHES= ${PATCHDIR}/git-patch-147cec38d ${PATCHDIR}/git-patch-b02b00559
|
||||
|
||||
post-patch:
|
||||
@${REINPLACE_CMD} -e 's#/etc/X11#${LOCALBASE}/etc/X11#' \
|
||||
-e 's#/usr/bin/#${LOCALBASE}/bin/#g' \
|
||||
|
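Review bot: The comment above `EXTRA_PATCHES` does not say that the two patches are order-dependent: `git-patch-b02b00559` starts from Display.cpp blob `57d7ecb`, which is the result of `git-patch-147cec38d`, and it removes the lines that patch adds. Since this is the CVE-2018-14345 fix, I would spell that out so nobody reorders the list or drops one entry, e.g. `# Apply in this order: b02b00559 is a follow-up to 147cec38d.` The list is presumably applied in the order written; that is worth confirming against the ports framework.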
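--- a/x11/sddm/files/git-patch-147cec38d
+++ b/x11/sddm/files/git-patch-147cec38d
@@ -0,0 +1,28 @@
+diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp
+index 5abfc9a..57d7ecb 100644
+--- src/daemon/Display.cpp
++++ src/daemon/Display.cpp
+@@ -339,7 +339,9 @@ namespace SDDM {
+} else {
+//we only want to unlock the session if we can lock in, so we want to go via PAM auth, but not start a new session
+//by not setting the session and the helper will emit authentication and then quit
+- connect(m_auth, &Auth::authentication, this, [=](){
++ connect(m_auth, &Auth::authentication, this, [=](const QString &, bool success){
++ if(!success)
++ return;
+qDebug() << "activating existing seat";
+OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
+manager.UnlockSession(existingSessionId);
+diff --git a/src/helper/backend/PamBackend.cpp b/src/helper/backend/PamBackend.cpp
+index 69cbd2c..5467282 100644
+--- src/helper/backend/PamBackend.cpp
++++ src/helper/backend/PamBackend.cpp
+@@ -219,8 +219,6 @@ namespace SDDM {
+
+if (user == QStringLiteral("sddm") && m_greeter)
+service = QStringLiteral("sddm-greeter");
+- else if (m_app->session()->path().isEmpty())
+- service = QStringLiteral("sddm-check");
+else if (m_autologin)
+service = QStringLiteral("sddm-autologin");
+result = m_pam->start(service, user);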
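Review bot: With the `sddm-check` branch removed in the PamBackend.cpp hunk, a request with an empty session path now falls through to the `m_autologin` test and otherwise to whatever `service` was initialised to above the hunk, and nothing on the new side says which PAM service is meant to vet a session-reuse unlock. If the intent is that reuse goes through the normal login stack, a comment above the chain would make that explicit, e.g. `// Session reuse (empty session path) is authenticated with the same PAM service as a normal login.` The initial value of `service` and the rest of the function are outside the hunk, so the fall-through target should be confirmed there, in particular whether `m_autologin` can ever be set on a reuse request.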
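--- a/x11/sddm/files/git-patch-b02b00559
+++ b/x11/sddm/files/git-patch-b02b00559
@@ -0,0 +1,70 @@
+diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp
+index 57d7ecb..c2ea728 100644
+--- src/daemon/Display.cpp
++++ src/daemon/Display.cpp
+@@ -280,7 +280,7 @@ namespace SDDM {
+return;
+}
+
+- QString existingSessionId;
++ m_reuseSessionId = QString();
+
+if (Logind::isAvailable() && mainConfig.Users.ReuseSession.get()) {
+OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
+@@ -291,7 +291,7 @@ namespace SDDM {
+if (s.userName == user) {
+OrgFreedesktopLogin1SessionInterface session(Logind::serviceName(), s.sessionPath.path(), QDBusConnection::systemBus());
+if (session.service() == QLatin1String("sddm")) {
+- existingSessionId = s.sessionId;
++ m_reuseSessionId = s.sessionId;
+break;
+}
+}
+@@ -334,19 +334,8 @@ namespace SDDM {
+m_auth->insertEnvironment(env);
+
+m_auth->setUser(user);
+- if (existingSessionId.isNull()) {
++ if (m_reuseSessionId.isNull()) {
+m_auth->setSession(session.exec());
+- } else {
+- //we only want to unlock the session if we can lock in, so we want to go via PAM auth, but not start a new session
+- //by not setting the session and the helper will emit authentication and then quit
+- connect(m_auth, &Auth::authentication, this, [=](const QString &, bool success){
+- if(!success)
+- return;
+- qDebug() << "activating existing seat";
+- OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
+- manager.UnlockSession(existingSessionId);
+- manager.ActivateSession(existingSessionId);
+- });
+}
+m_auth->start();
+}
+@@ -355,7 +344,13 @@ namespace SDDM {
+if (success) {
+qDebug() << "Authenticated successfully";
+
+- m_auth->setCookie(qobject_cast<XorgDisplayServer *>(m_displayServer)->cookie());
++ if (!m_reuseSessionId.isNull()) {
++ OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
++ manager.UnlockSession(m_reuseSessionId);
++ manager.ActivateSession(m_reuseSessionId);
++ } else {
++ m_auth->setCookie(qobject_cast<XorgDisplayServer *>(m_displayServer)->cookie());
++ }
+
+// save last user and last session
+if (mainConfig.Users.RememberLastUser.get())
+diff --git a/src/daemon/Display.h b/src/daemon/Display.h
+index 09d3cf9..a6a06b2 100644
+--- src/daemon/Display.h
++++ src/daemon/Display.h
+@@ -85,6 +85,7 @@ namespace SDDM {
+
+QString m_passPhrase;
+QString m_sessionName;
++ QString m_reuseSessionId;
+
+Auth *m_auth { nullptr };
+DisplayServer *m_displayServer { nullptr };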
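Review bot: The unlock path in the `@@ -355,7 +344,13 @@` hunk activates an existing session without logging it: the removed lambda printed "activating existing seat", while the new `if (!m_reuseSessionId.isNull())` branch adds nothing beyond the generic "Authenticated successfully". Unlocking a running session is the security-relevant event here, so I would add `qDebug() << "Reusing existing session" << m_reuseSessionId;` before `manager.UnlockSession(m_reuseSessionId);`. The replies of `UnlockSession` and `ActivateSession` are discarded, so a failed unlock is silent as well. `m_reuseSessionId` is only reset in the `@@ -280,7 +280,7 @@` hunk, after an early `return;`, so clearing it in the success branch once it has been used (`m_reuseSessionId.clear();`) would keep a stale id from outliving the attempt. Both enclosing functions start and end outside the hunks.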
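--- a/x11/sddm/pkg-message
+++ b/x11/sddm/pkg-message
@@ -0,0 +1,2 @@
+SDDM does not support login.conf(5), and no special restrictions
+or settings from login.conf are enforced or applied.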