[Pkg-xfce-commits] r6209 - in goodies/tags/lightdm: . 1.0.6-2/debian 1.0.6-2/debian/patches
Yves-Alexis Perez
corsac at alioth.debian.org
Wed Nov 16 06:14:47 UTC 2011
Author: corsac
Date: 2011-11-16 06:14:47 +0000 (Wed, 16 Nov 2011)
New Revision: 6209
Added:
goodies/tags/lightdm/1.0.6-2/
goodies/tags/lightdm/1.0.6-2/debian/changelog
goodies/tags/lightdm/1.0.6-2/debian/patches/07_CVE-2011-4105.patch
goodies/tags/lightdm/1.0.6-2/debian/patches/08_CVE-2011-3153.patch
goodies/tags/lightdm/1.0.6-2/debian/patches/series
Removed:
goodies/tags/lightdm/1.0.6-2/debian/changelog
goodies/tags/lightdm/1.0.6-2/debian/patches/series
Log:
[svn-buildpackage] Tagging lightdm 1.0.6-2
Deleted: goodies/tags/lightdm/1.0.6-2/debian/changelog
===================================================================
--- goodies/trunk/lightdm/debian/changelog 2011-11-13 13:18:03 UTC (rev 6206)
+++ goodies/tags/lightdm/1.0.6-2/debian/changelog 2011-11-16 06:14:47 UTC (rev 6209)
@@ -1,173 +0,0 @@
-lightdm (1.0.6-1) unstable; urgency=high
-
- * New upstream release, urgency=high for security fix.
- - fix .Xauthority ownership using lchown() (CVE-2011-4105)
-
- -- Yves-Alexis Perez <corsac at debian.org> Fri, 04 Nov 2011 20:54:52 +0100
-
-lightdm (1.0.4-1) unstable; urgency=low
-
- * New upstream release.
- * debian/patches:
- - 01_set-default-path refreshed.
-
- -- Yves-Alexis Perez <corsac at debian.org> Wed, 26 Oct 2011 07:29:19 +0200
-
-lightdm (1.0.3-1) unstable; urgency=low
-
- * New upstream release.
- * debian/watch updated to only track stable releases.
- * debian/patches:
- - 01_set-default-path and 05_dont-add-pkglibexecdir-path refreshed for new
- upstream release.
- - 06_move-lightdm-set-defaults-to-pkglibexecdir renamed to
- 06_move-progs-to-pkglibexecdir, use the same patch to move
- lightdm-guest-session-wrapper to pkglibexecdir and refresh the original
- patch for new upstream.
- * debian/lightdm.install:
- - install lightdm-guest-session-wrapper.
-
- -- Yves-Alexis Perez <corsac at debian.org> Sat, 08 Oct 2011 13:39:15 +0200
-
-lightdm (1.0.2-1) unstable; urgency=low
-
- * New upstream release.
- - don't use autologin pam service, fix startup. closes: #643844
- * debian/control:
- - add recommends on policykit-1 to greeters. closes: #643292
- * debian/patches:
- - 05_dont-add-pkglibexecdir-path refreshed for new upstream release.
-
- -- Yves-Alexis Perez <corsac at debian.org> Thu, 06 Oct 2011 07:41:40 +0200
-
-lightdm (1.0.0-3) unstable; urgency=low
-
- * debian/lightdm-{gtk,qt}.{postinst,prerm}:
- - don't use dpkg-architecture since it's in dpkg-dev. closes: #643792
-
- -- Yves-Alexis Perez <corsac at debian.org> Thu, 29 Sep 2011 22:26:18 +0200
-
-lightdm (1.0.0-2) unstable; urgency=low
-
- * debian/rules:
- - correctly enable pie and bindnow.
- - use a variable for multi-arch path instead of *.
- - use autoreconf dh addon
- * debian/control:
- - add build-dep on dh-autoreconf and gtk-doc-tools
- * debian/patches:
- - 06_move-lightdm-set-defaults-to-pkglibexecdir added, move
- lightdm-set-defaults to pkglibexecdir instead of libexecdir.
- * debian/lightdm-{gtk,qt}-greeter.{postinst,prerm}:
- - use variable for multi-arch path instead of *.
- - update lightdm-set-defaults path to re-add lightdm folder.
-
- -- Yves-Alexis Perez <corsac at debian.org> Thu, 29 Sep 2011 12:09:35 +0200
-
-lightdm (1.0.0-1) unstable; urgency=low
-
- * New upstream release.
- * debian/patches:
- - all patches refreshed
- - 02_default-config: explicitly disable tcp listen.
- * debian/rules:
- - drop all hardening rules now done by dh in compat mode 9, but manually
- add pie and bindnow.
- - add -Wl,--as-needed -Wl,-O1 to LDFLAGS.
- - update gdmflexiserver path for multi-arch paths.
- * debian/compat bumped to 9.
- * debian/control:
- - added build-deb on dpkg-dev (>= 1.16.1) for hardening support.
- - dropped hardening-includes from build-depends, now superseded
- - update debhelper build-dep to 8.9.4 for compat mode v9.
- - add Pre-Depends: ${misc:Pre-Depends} to the lib packages.
- - add Recommends: on gnome-icon-theme to gtk greeter. closes: #643291
- * debian/liblightdm-gobject-1-0.install,
- debian/liblightdm-gobject-dev.install, debian/liblightdm-qt-1-0.install,
- debian/liblightdm-qt-dev.install, debian/lightdm.install:
- - update to use multi-arch folders.
- * debian/lightdm.install:
- - in v9 compat mode, libexecdir doesn't have the package name added so
- update in consequence
- * debian/liblightdm*.{postinst,prerm}:
- - update path to lightdm-set-defaults.
- * debian/lightdm.postinst:
- - don't fail if one can't reload dbus, like in a chroot. closes: #642295
-
- -- Yves-Alexis Perez <corsac at debian.org> Thu, 29 Sep 2011 07:39:18 +0200
-
-lightdm (0.9.7-1) unstable; urgency=low
-
- * New upstream release.
- - fix consolekit session issues.
-
- -- Yves-Alexis Perez <corsac at debian.org> Fri, 16 Sep 2011 08:01:12 +0200
-
-lightdm (0.9.6-1) unstable; urgency=low
-
- * New upstream release:
- - don't write user files as root to prevent symlinks attacks
- [CVE-2011-3349] closes: #639151
- * debian/patches:
- - 01_set-default-path, 02_default-config, 03_quit-plymouth,
- 04_default-gtk-greeter-config refreshed.
- - 05_always-export-XAUTHORITY dropped, included upstream.
- - 05_dont-add-pkglibexecdir-path added, don't add /usr/lib/lightdm/lightdm
- to the PATH, it's ugly.
- * debian/rules:
- - don't install gdmflexiserver script for now until the PATH issue is
- solved.
- * debian/lightdm.install
- - install lightdm-set-default and dm-tool there.
- * debian/lightdm-{gtk,qt}-greeter.{config,templates,postinst,prerm}:
- - provide a way to select the current greeter through debconf. Other
- packages providing a greeter use the same templates/config to register
- themselves in debconf.
- * debian/control:
- - add suggests on accountsservice.
-
- -- Yves-Alexis Perez <corsac at debian.org> Thu, 15 Sep 2011 11:36:21 +0200
-
-lightdm (0.9.2-3) unstable; urgency=low
-
- * debian/patches:
- - 05_always-export-XAUTHORITY added, always export path to xauth file.
- * debian/lightdm-xsession.desktop:
- - provide a default xsession desktop file. closes: #636111
-
- -- Yves-Alexis Perez <corsac at debian.org> Sat, 06 Aug 2011 11:34:57 +0200
-
-lightdm (0.9.2-2) unstable; urgency=low
-
- * debian/control;
- - use real package name in greeter dependency. closes: #636020
- - recommends desktop-base (for default background) and
- gnome-theme-standards (for Adwaita GTK+ 3 theme) in GTK+ greeter.
- * debian/patches:
- - 04_default-gtk-greeter-config added, tune GTK+ greeter config to match
- Debian themes.
-
- -- Yves-Alexis Perez <corsac at debian.org> Sat, 30 Jul 2011 20:03:59 +0200
-
-lightdm (0.9.2-1) unstable; urgency=low
-
- * New upstream release.
- * debian/lightdm.install:
- - install locale files in lightdm package.
- * debian/rules:
- - set greeter user at build time.
- * debian/control:
- - rename the greeter packages to fit what's in Ubuntu.
- - lightdm-vala doesn't provide a greeter anymore.
- * debian/lightdm{,-gtk-greeter}.install:
- - ship GTK+ greeter config file in the lightdm-gtk-greeter package.
- * debian/lightdm.{config,templates} and debian/po debconf files added from
- Ubuntu package.
-
- -- Yves-Alexis Perez <corsac at debian.org> Fri, 29 Jul 2011 20:32:36 +0200
-
-lightdm (0.9.0-1) unstable; urgency=low
-
- * Initial release. closes: #615591
-
- -- Yves-Alexis Perez <corsac at debian.org> Thu, 28 Jul 2011 22:39:44 +0200
Copied: goodies/tags/lightdm/1.0.6-2/debian/changelog (from rev 6208, goodies/trunk/lightdm/debian/changelog)
===================================================================
--- goodies/tags/lightdm/1.0.6-2/debian/changelog (rev 0)
+++ goodies/tags/lightdm/1.0.6-2/debian/changelog 2011-11-16 06:14:47 UTC (rev 6209)
@@ -0,0 +1,184 @@
+lightdm (1.0.6-2) unstable; urgency=high
+
+ * urgency=high for security fixes.
+ * debian/patches:
+ - 07_CVE-2011-4105 added, make sure the file is not a link when chowning
+ it. (CVE-2011-4105)
+ - 08_CVE-2011-3153 added, fix information disclosure by droping privileges
+ before reading and re-writing ~/.dmrc.
+
+ -- Yves-Alexis Perez <corsac at debian.org> Tue, 15 Nov 2011 21:39:30 +0100
+
+lightdm (1.0.6-1) unstable; urgency=high
+
+ * New upstream release, urgency=high for security fix.
+ - fix .Xauthority ownership using lchown() (CVE-2011-4105)
+
+ -- Yves-Alexis Perez <corsac at debian.org> Fri, 04 Nov 2011 20:54:52 +0100
+
+lightdm (1.0.4-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/patches:
+ - 01_set-default-path refreshed.
+
+ -- Yves-Alexis Perez <corsac at debian.org> Wed, 26 Oct 2011 07:29:19 +0200
+
+lightdm (1.0.3-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/watch updated to only track stable releases.
+ * debian/patches:
+ - 01_set-default-path and 05_dont-add-pkglibexecdir-path refreshed for new
+ upstream release.
+ - 06_move-lightdm-set-defaults-to-pkglibexecdir renamed to
+ 06_move-progs-to-pkglibexecdir, use the same patch to move
+ lightdm-guest-session-wrapper to pkglibexecdir and refresh the original
+ patch for new upstream.
+ * debian/lightdm.install:
+ - install lightdm-guest-session-wrapper.
+
+ -- Yves-Alexis Perez <corsac at debian.org> Sat, 08 Oct 2011 13:39:15 +0200
+
+lightdm (1.0.2-1) unstable; urgency=low
+
+ * New upstream release.
+ - don't use autologin pam service, fix startup. closes: #643844
+ * debian/control:
+ - add recommends on policykit-1 to greeters. closes: #643292
+ * debian/patches:
+ - 05_dont-add-pkglibexecdir-path refreshed for new upstream release.
+
+ -- Yves-Alexis Perez <corsac at debian.org> Thu, 06 Oct 2011 07:41:40 +0200
+
+lightdm (1.0.0-3) unstable; urgency=low
+
+ * debian/lightdm-{gtk,qt}.{postinst,prerm}:
+ - don't use dpkg-architecture since it's in dpkg-dev. closes: #643792
+
+ -- Yves-Alexis Perez <corsac at debian.org> Thu, 29 Sep 2011 22:26:18 +0200
+
+lightdm (1.0.0-2) unstable; urgency=low
+
+ * debian/rules:
+ - correctly enable pie and bindnow.
+ - use a variable for multi-arch path instead of *.
+ - use autoreconf dh addon
+ * debian/control:
+ - add build-dep on dh-autoreconf and gtk-doc-tools
+ * debian/patches:
+ - 06_move-lightdm-set-defaults-to-pkglibexecdir added, move
+ lightdm-set-defaults to pkglibexecdir instead of libexecdir.
+ * debian/lightdm-{gtk,qt}-greeter.{postinst,prerm}:
+ - use variable for multi-arch path instead of *.
+ - update lightdm-set-defaults path to re-add lightdm folder.
+
+ -- Yves-Alexis Perez <corsac at debian.org> Thu, 29 Sep 2011 12:09:35 +0200
+
+lightdm (1.0.0-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/patches:
+ - all patches refreshed
+ - 02_default-config: explicitly disable tcp listen.
+ * debian/rules:
+ - drop all hardening rules now done by dh in compat mode 9, but manually
+ add pie and bindnow.
+ - add -Wl,--as-needed -Wl,-O1 to LDFLAGS.
+ - update gdmflexiserver path for multi-arch paths.
+ * debian/compat bumped to 9.
+ * debian/control:
+ - added build-deb on dpkg-dev (>= 1.16.1) for hardening support.
+ - dropped hardening-includes from build-depends, now superseded
+ - update debhelper build-dep to 8.9.4 for compat mode v9.
+ - add Pre-Depends: ${misc:Pre-Depends} to the lib packages.
+ - add Recommends: on gnome-icon-theme to gtk greeter. closes: #643291
+ * debian/liblightdm-gobject-1-0.install,
+ debian/liblightdm-gobject-dev.install, debian/liblightdm-qt-1-0.install,
+ debian/liblightdm-qt-dev.install, debian/lightdm.install:
+ - update to use multi-arch folders.
+ * debian/lightdm.install:
+ - in v9 compat mode, libexecdir doesn't have the package name added so
+ update in consequence
+ * debian/liblightdm*.{postinst,prerm}:
+ - update path to lightdm-set-defaults.
+ * debian/lightdm.postinst:
+ - don't fail if one can't reload dbus, like in a chroot. closes: #642295
+
+ -- Yves-Alexis Perez <corsac at debian.org> Thu, 29 Sep 2011 07:39:18 +0200
+
+lightdm (0.9.7-1) unstable; urgency=low
+
+ * New upstream release.
+ - fix consolekit session issues.
+
+ -- Yves-Alexis Perez <corsac at debian.org> Fri, 16 Sep 2011 08:01:12 +0200
+
+lightdm (0.9.6-1) unstable; urgency=low
+
+ * New upstream release:
+ - don't write user files as root to prevent symlinks attacks
+ [CVE-2011-3349] closes: #639151
+ * debian/patches:
+ - 01_set-default-path, 02_default-config, 03_quit-plymouth,
+ 04_default-gtk-greeter-config refreshed.
+ - 05_always-export-XAUTHORITY dropped, included upstream.
+ - 05_dont-add-pkglibexecdir-path added, don't add /usr/lib/lightdm/lightdm
+ to the PATH, it's ugly.
+ * debian/rules:
+ - don't install gdmflexiserver script for now until the PATH issue is
+ solved.
+ * debian/lightdm.install
+ - install lightdm-set-default and dm-tool there.
+ * debian/lightdm-{gtk,qt}-greeter.{config,templates,postinst,prerm}:
+ - provide a way to select the current greeter through debconf. Other
+ packages providing a greeter use the same templates/config to register
+ themselves in debconf.
+ * debian/control:
+ - add suggests on accountsservice.
+
+ -- Yves-Alexis Perez <corsac at debian.org> Thu, 15 Sep 2011 11:36:21 +0200
+
+lightdm (0.9.2-3) unstable; urgency=low
+
+ * debian/patches:
+ - 05_always-export-XAUTHORITY added, always export path to xauth file.
+ * debian/lightdm-xsession.desktop:
+ - provide a default xsession desktop file. closes: #636111
+
+ -- Yves-Alexis Perez <corsac at debian.org> Sat, 06 Aug 2011 11:34:57 +0200
+
+lightdm (0.9.2-2) unstable; urgency=low
+
+ * debian/control;
+ - use real package name in greeter dependency. closes: #636020
+ - recommends desktop-base (for default background) and
+ gnome-theme-standards (for Adwaita GTK+ 3 theme) in GTK+ greeter.
+ * debian/patches:
+ - 04_default-gtk-greeter-config added, tune GTK+ greeter config to match
+ Debian themes.
+
+ -- Yves-Alexis Perez <corsac at debian.org> Sat, 30 Jul 2011 20:03:59 +0200
+
+lightdm (0.9.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/lightdm.install:
+ - install locale files in lightdm package.
+ * debian/rules:
+ - set greeter user at build time.
+ * debian/control:
+ - rename the greeter packages to fit what's in Ubuntu.
+ - lightdm-vala doesn't provide a greeter anymore.
+ * debian/lightdm{,-gtk-greeter}.install:
+ - ship GTK+ greeter config file in the lightdm-gtk-greeter package.
+ * debian/lightdm.{config,templates} and debian/po debconf files added from
+ Ubuntu package.
+
+ -- Yves-Alexis Perez <corsac at debian.org> Fri, 29 Jul 2011 20:32:36 +0200
+
+lightdm (0.9.0-1) unstable; urgency=low
+
+ * Initial release. closes: #615591
+
+ -- Yves-Alexis Perez <corsac at debian.org> Thu, 28 Jul 2011 22:39:44 +0200
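Review bot: typo in the new 1.0.6-2 entry, "droping privileges" should read "dropping privileges". It would also help readers of the changelog if the 08_CVE-2011-3153 line carried the same upstream reference the patch header does (the launchpad revision 1299 / bug 883865 cited in the patch), since the entry is the only place most users will look when checking what was fixed in this upload.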
Copied: goodies/tags/lightdm/1.0.6-2/debian/patches/07_CVE-2011-4105.patch (from rev 6207, goodies/trunk/lightdm/debian/patches/07_CVE-2011-4105.patch)
===================================================================
--- goodies/tags/lightdm/1.0.6-2/debian/patches/07_CVE-2011-4105.patch (rev 0)
+++ goodies/tags/lightdm/1.0.6-2/debian/patches/07_CVE-2011-4105.patch 2011-11-16 06:14:47 UTC (rev 6209)
@@ -0,0 +1,36 @@
+Description: ensure we don't chown links
+Author: Marc Deslauriers <marc.deslauriers at canonical.com>
+
+Index: lightdm-1.0.6/src/xsession.c
+===================================================================
+--- lightdm-1.0.6.orig/src/xsession.c 2011-11-02 11:21:29.000000000 -0400
++++ lightdm-1.0.6/src/xsession.c 2011-11-11 12:54:17.245116709 -0500
+@@ -104,10 +104,26 @@
+ * incorrectly written as root in a buggy version of LightDM */
+ if (getuid () == 0)
+ {
++ int fd = -1;
+ int result;
+- result = lchown (path, user_get_uid (session_get_user (session)), user_get_gid (session_get_user (session)));
++ struct stat st_buf;
++
++ fd = open (path, O_RDONLY|O_NOFOLLOW);
++ if (fd == -1)
++ goto out;
++
++ if (fstat (fd, &st_buf) != 0)
++ goto out;
++
++ if ((!S_ISREG (st_buf.st_mode)) || (st_buf.st_nlink > 1))
++ goto out;
++
++ result = fchown (fd, user_get_uid (session_get_user (session)), user_get_gid (session_get_user (session)));
+ if (result < 0 && errno != ENOENT)
+- g_warning ("Failed to correct ownership of %s: %s", path, strerror (errno));
++ g_warning ("Failed to correct ownership of %s: %s", path, strerror (errno));
++out:
++ if (fd > 0)
++ close(fd);
+ }
+ }
+
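Review bot: the cleanup guard `if (fd > 0)` should be `if (fd >= 0)`; open() may legitimately return descriptor 0, and with the current test that descriptor would leak. A second point: the early `goto out` paths on open()/fstat() failure and on the S_ISREG/st_nlink check are silent, whereas the replaced lchown() code emitted a g_warning for any failure other than ENOENT. Because open() with O_NOFOLLOW fails with ELOOP when the path is a symlink, the very case this patch exists to refuse now leaves no trace in the log; consider keeping the warning for errno != ENOENT on the open() failure path and logging when the file is rejected as non-regular or hard-linked, so an administrator can see the refusal. The open(O_NOFOLLOW) / fstat / fchown sequence on the descriptor itself is the right race-free replacement for a path-based chown. Style: unlike 08_CVE-2011-3153, this patch header has no Origin or Bug field; adding the upstream reference in DEP-3 form would make it easier to track when the Debian patch can be dropped.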
Copied: goodies/tags/lightdm/1.0.6-2/debian/patches/08_CVE-2011-3153.patch (from rev 6207, goodies/trunk/lightdm/debian/patches/08_CVE-2011-3153.patch)
===================================================================
--- goodies/tags/lightdm/1.0.6-2/debian/patches/08_CVE-2011-3153.patch (rev 0)
+++ goodies/tags/lightdm/1.0.6-2/debian/patches/08_CVE-2011-3153.patch 2011-11-16 06:14:47 UTC (rev 6209)
@@ -0,0 +1,33 @@
+Description: drop privileges before reading ~/.dmrc
+Author: Marc Deslauriers <marc.deslauriers at canonical.com>
+Origin: http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/revision/1299
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/883865
+
+Index: lightdm-1.0.6/src/dmrc.c
+===================================================================
+--- lightdm-1.0.6.orig/src/dmrc.c 2011-11-11 12:54:46.841116960 -0500
++++ lightdm-1.0.6/src/dmrc.c 2011-11-11 12:58:38.877118919 -0500
+@@ -24,7 +24,7 @@
+ User *user;
+ GKeyFile *dmrc_file;
+ gchar *path;
+- gboolean have_dmrc;
++ gboolean have_dmrc, drop_privileges;
+
+ dmrc_file = g_key_file_new ();
+
+@@ -38,7 +38,14 @@
+ /* Load from the user directory, if this fails (e.g. the user directory
+ * is not yet mounted) then load from the cache */
+ path = g_build_filename (user_get_home_directory (user), ".dmrc", NULL);
++
++ /* Guard against privilege escalation through symlinks, etc. */
++ drop_privileges = geteuid () == 0;
++ if (drop_privileges)
++ privileges_drop (user);
+ have_dmrc = g_key_file_load_from_file (dmrc_file, path, G_KEY_FILE_KEEP_COMMENTS, NULL);
++ if (drop_privileges)
++ privileges_reclaim ();
+ g_free (path);
+
+ /* If no ~/.dmrc, then load from the cache */
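Review bot: the changelog for 1.0.6-2 says privileges are dropped "before reading and re-writing ~/.dmrc", but this hunk only brackets the g_key_file_load_from_file() call; no write path appears in the diff. If dmrc.c also writes ~/.dmrc back as root it needs the same privileges_drop()/privileges_reclaim() pairing, and if it does not, the changelog wording should be narrowed to the read. Also, the result of `privileges_drop (user)` is not checked: if that call can fail, the load should not proceed as root, so either check its return value or document that it aborts on failure. Minor: the comment says "privilege escalation through symlinks", while the issue being fixed (and the changelog) describe an information disclosure from reading a user-controlled file as root; aligning the comment with the actual impact avoids confusion later.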
Deleted: goodies/tags/lightdm/1.0.6-2/debian/patches/series
===================================================================
--- goodies/trunk/lightdm/debian/patches/series 2011-11-13 13:18:03 UTC (rev 6206)
+++ goodies/tags/lightdm/1.0.6-2/debian/patches/series 2011-11-16 06:14:47 UTC (rev 6209)
@@ -1,6 +0,0 @@
-01_set-default-path.patch
-02_default-config.patch
-03_quit-plymouth.patch
-04_default-gtk-greeter-config.patch
-05_dont-add-pkglibexecdir-path.patch
-06_move-progs-to-pkglibexecdir.patch
Copied: goodies/tags/lightdm/1.0.6-2/debian/patches/series (from rev 6207, goodies/trunk/lightdm/debian/patches/series)
===================================================================
--- goodies/tags/lightdm/1.0.6-2/debian/patches/series (rev 0)
+++ goodies/tags/lightdm/1.0.6-2/debian/patches/series 2011-11-16 06:14:47 UTC (rev 6209)
@@ -0,0 +1,8 @@
+01_set-default-path.patch
+02_default-config.patch
+03_quit-plymouth.patch
+04_default-gtk-greeter-config.patch
+05_dont-add-pkglibexecdir-path.patch
+06_move-progs-to-pkglibexecdir.patch
+07_CVE-2011-4105.patch
+08_CVE-2011-3153.patch