[Pkg-xfce-commits] r6207 - in goodies/trunk/lightdm/debian: . patches

Yves-Alexis Perez corsac at alioth.debian.org
Tue Nov 15 08:39:16 UTC 2011


Author: corsac
Date: 2011-11-15 20:39:15 +0000 (Tue, 15 Nov 2011)
New Revision: 6207

Added:
   goodies/trunk/lightdm/debian/patches/07_CVE-2011-4105.patch
   goodies/trunk/lightdm/debian/patches/08_CVE-2011-3153.patch
Modified:
   goodies/trunk/lightdm/debian/changelog
   goodies/trunk/lightdm/debian/patches/series
Log:
* urgency=high for security fixes.
* debian/patches:
  - 07_CVE-2011-4105 added, make sure the file is not a link when chowning
    it. (CVE-2011-4105)
  - 08_CVE-2011-3153 added, fix information disclosure by dropping privileges
    before reading and re-writing ~/.dmrc.

Modified: goodies/trunk/lightdm/debian/changelog
===================================================================
--- goodies/trunk/lightdm/debian/changelog	2011-11-13 13:18:03 UTC (rev 6206)
+++ goodies/trunk/lightdm/debian/changelog	2011-11-15 20:39:15 UTC (rev 6207)
@@ -1,3 +1,14 @@
+lightdm (1.0.6-2) UNRELEASED; urgency=high
+
+  * urgency=high for security fixes.
+  * debian/patches:
+    - 07_CVE-2011-4105 added, make sure the file is not a link when chowning
+      it. (CVE-2011-4105)
+    - 08_CVE-2011-3153 added, fix information disclosure by droping privileges
+      before reading and re-writing ~/.dmrc.
+
+ -- Yves-Alexis Perez <corsac at debian.org>  Tue, 15 Nov 2011 21:21:28 +0100
+
 lightdm (1.0.6-1) unstable; urgency=high
 
   * New upstream release, urgency=high for security fix.
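
Review bot: the 08_CVE-2011-3153 entry in the new 1.0.6-2 stanza does not end with a "(CVE-2011-3153)" reference the way the 07 entry ends with "(CVE-2011-4105)"; add it so both fixes can be found by CVE id in the changelog. "droping" in the same entry should read "dropping".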

Added: goodies/trunk/lightdm/debian/patches/07_CVE-2011-4105.patch
===================================================================
--- goodies/trunk/lightdm/debian/patches/07_CVE-2011-4105.patch	                        (rev 0)
+++ goodies/trunk/lightdm/debian/patches/07_CVE-2011-4105.patch	2011-11-15 20:39:15 UTC (rev 6207)
@@ -0,0 +1,36 @@
+Description: ensure we don't chown links
+Author: Marc Deslauriers <marc.deslauriers at canonical.com>
+
+Index: lightdm-1.0.6/src/xsession.c
+===================================================================
+--- lightdm-1.0.6.orig/src/xsession.c	2011-11-02 11:21:29.000000000 -0400
++++ lightdm-1.0.6/src/xsession.c	2011-11-11 12:54:17.245116709 -0500
+@@ -104,10 +104,26 @@
+              * incorrectly written as root in a buggy version of LightDM */
+             if (getuid () == 0)
+             {
++                int fd = -1;
+                 int result;
+-                result = lchown (path, user_get_uid (session_get_user (session)), user_get_gid (session_get_user (session)));
++                struct stat st_buf;
++
++                fd = open (path, O_RDONLY|O_NOFOLLOW);
++                if (fd == -1)
++                    goto out;
++
++                if (fstat (fd, &st_buf) != 0)
++                    goto out;
++
++                if ((!S_ISREG (st_buf.st_mode)) || (st_buf.st_nlink > 1))
++                    goto out;
++
++                result = fchown (fd, user_get_uid (session_get_user (session)), user_get_gid (session_get_user (session)));
+                 if (result < 0 && errno != ENOENT)
+-                    g_warning ("Failed to correct ownership of %s: %s", path, strerror (errno));                
++                    g_warning ("Failed to correct ownership of %s: %s", path, strerror (errno));
++out:
++                if (fd > 0)
++                    close(fd);
+             }
+         }
+ 
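
Review bot: the cleanup at the out: label tests "if (fd > 0)", which skips close() when open() returned descriptor 0; the sentinel is -1, so test "fd >= 0" (or "fd != -1") to make sure the descriptor is never leaked. Two smaller points in the same block: open() is called with O_RDONLY|O_NOFOLLOW but without O_NONBLOCK, and the S_ISREG check only runs after open() returns, so a FIFO at that path would block the root process inside open(); adding O_NONBLOCK avoids that. The three early "goto out" paths are silent, so a refused chown (symlink, non-regular file, or st_nlink > 1) leaves no log line; a g_warning there would make the refusal visible. The hunk adds no #include lines, so confirm xsession.c already includes <fcntl.h> and <sys/stat.h> for open(), O_NOFOLLOW, fstat() and struct stat.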

Added: goodies/trunk/lightdm/debian/patches/08_CVE-2011-3153.patch
===================================================================
--- goodies/trunk/lightdm/debian/patches/08_CVE-2011-3153.patch	                        (rev 0)
+++ goodies/trunk/lightdm/debian/patches/08_CVE-2011-3153.patch	2011-11-15 20:39:15 UTC (rev 6207)
@@ -0,0 +1,33 @@
+Description: drop privileges before reading ~/.dmrc
+Author: Marc Deslauriers <marc.deslauriers at canonical.com>
+Origin: http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/revision/1299
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/883865
+
+Index: lightdm-1.0.6/src/dmrc.c
+===================================================================
+--- lightdm-1.0.6.orig/src/dmrc.c	2011-11-11 12:54:46.841116960 -0500
++++ lightdm-1.0.6/src/dmrc.c	2011-11-11 12:58:38.877118919 -0500
+@@ -24,7 +24,7 @@
+     User *user;
+     GKeyFile *dmrc_file;
+     gchar *path;
+-    gboolean have_dmrc;
++    gboolean have_dmrc, drop_privileges;
+ 
+     dmrc_file = g_key_file_new ();
+ 
+@@ -38,7 +38,14 @@
+     /* Load from the user directory, if this fails (e.g. the user directory
+      * is not yet mounted) then load from the cache */
+     path = g_build_filename (user_get_home_directory (user), ".dmrc", NULL);
++
++    /* Guard against privilege escalation through symlinks, etc. */
++    drop_privileges = geteuid () == 0;
++    if (drop_privileges)
++        privileges_drop (user);
+     have_dmrc = g_key_file_load_from_file (dmrc_file, path, G_KEY_FILE_KEEP_COMMENTS, NULL);
++    if (drop_privileges)
++        privileges_reclaim ();
+     g_free (path);
+ 
+     /* If no ~/.dmrc, then load from the cache */  
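
Review bot: only the g_key_file_load_from_file () call is wrapped in privileges_drop ()/privileges_reclaim (), while the changelog entry for this patch says privileges are dropped before reading and re-writing ~/.dmrc; the write path is not touched here, so either confirm it is already handled in 1.0.6 or extend the patch to cover it. Nothing in the hunk checks that privileges_drop (user) took effect before the file is loaded; if the drop can fail, the load should be skipped rather than performed as root.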

Modified: goodies/trunk/lightdm/debian/patches/series
===================================================================
--- goodies/trunk/lightdm/debian/patches/series	2011-11-13 13:18:03 UTC (rev 6206)
+++ goodies/trunk/lightdm/debian/patches/series	2011-11-15 20:39:15 UTC (rev 6207)
@@ -4,3 +4,5 @@
 04_default-gtk-greeter-config.patch
 05_dont-add-pkglibexecdir-path.patch
 06_move-progs-to-pkglibexecdir.patch
+07_CVE-2011-4105.patch
+08_CVE-2011-3153.patch



