Mailinglist Archive: opensuse-commit (1400 mails)
commit lightdm for openSUSE:Factory
- From: root@xxxxxxxxxxxxxxx (h_root)
- Date: Wed, 16 Nov 2011 17:19:48 +0100
- Message-id: <20111116161949.031B920322@hilbert.suse.de>
Hello community,
here is the log from the commit of package lightdm for openSUSE:Factory checked
in at 2011-11-16 17:19:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lightdm (Old)
and /work/SRC/openSUSE:Factory/.lightdm.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lightdm", Maintainer is ""
Changes:
--------
--- /work/SRC/openSUSE:Factory/lightdm/lightdm.changes 2011-11-10
15:50:27.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.lightdm.new/lightdm.changes 2011-11-16
17:19:47.000000000 +0100
@@ -1,0 +2,5 @@
+Tue Nov 15 16:29:15 UTC 2011 - prusnak@xxxxxxxxxxxx
+
+- fix .dmrc handling (CVE-2011-3153) [bnc#728627]
+
+-------------------------------------------------------------------
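Review bot: the new entry `+- fix .dmrc handling (CVE-2011-3153) [bnc#728627]` gives the identifiers but not the problem; for a security fix the changelog should say what was wrong and what changed, for example by reusing the patch header's own wording, "drop privileges before reading ~/.dmrc", so that someone reading the changelog alone can tell the daemon previously read a user-controlled file as root.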
@@ -7,2 +12,2 @@
- .Xauthrotiy as root never was in a released openSUSE version
- anyway
+ .Xauthority as root never was in a released openSUSE version
+ anyway (bnc#730062)
New:
----
lightdm-CVE-2011-3153.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ lightdm.spec ++++++
--- /var/tmp/diff_new_pack.jLpvYh/_old 2011-11-16 17:19:48.000000000 +0100
+++ /var/tmp/diff_new_pack.jLpvYh/_new 2011-11-16 17:19:48.000000000 +0100
@@ -48,8 +48,10 @@
Patch5: lightdm-default-configuration.patch
# PATCH-FIX-UPSTREAM lightdm-lock-screen-before-switch.patch gber@xxxxxxxxxxxx
-- Try to lock the screen before switching users
Patch7: lightdm-lock-screen-before-switch.patch
-# PATCH-FIX-UPSTREAM lightdm-remove-xauthority-ownership-fix.patch
gber@xxxxxxxxxxxx -- Remove the code correcting the ownership of .Xauthority
files, it is still not secure and the buggy LightDM version writing .Xauthrotiy
as root never was in a released openSUSE version anyway
+# PATCH-FIX-UPSTREAM lightdm-remove-xauthority-ownership-fix.patch
gber@xxxxxxxxxxxx -- Remove the code correcting the ownership of .Xauthority
files, it is still not secure and the buggy LightDM version writing .Xauthority
as root never was in a released openSUSE version anyway
Patch8: lightdm-remove-xauthority-ownership-fix.patch
+# PATCH-FIX-UPSTREAM lightdm-CVE-2011-3153.patch prusnak@xxxxxxxxxxxx -- fix
vulnerability when reading .dmrc file
+Patch9: lightdm-CVE-2011-3153.patch
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(xcb)
BuildRequires: pkgconfig(xdmcp)
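Review bot: the comment for Patch9, `fix vulnerability when reading .dmrc file`, is the only description of the CVE-2011-3153 change in the spec and does not say what the vulnerability is; state it (the ~/.dmrc read ran with root privileges, so the path could be redirected through a symlink, as the patch's own comment says) and add the bnc#728627 reference that the changelog uses, so spec and changelog agree. The re-issued Patch8 comment only corrects the `.Xauthrotiy` typo, which is fine.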
@@ -176,6 +178,7 @@
%patch5 -p1
%patch7 -p1
%patch8 -p1
+%patch9 -p1
%build
./autogen.sh
++++++ lightdm-CVE-2011-3153.patch ++++++
Description: drop privileges before reading ~/.dmrc
Author: Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/883865
Index: lightdm-1.0.6/src/dmrc.c
===================================================================
--- lightdm-1.0.6.orig/src/dmrc.c
+++ lightdm-1.0.6/src/dmrc.c
@@ -24,7 +24,7 @@ dmrc_load (const gchar *username)
User *user;
GKeyFile *dmrc_file;
gchar *path;
- gboolean have_dmrc;
+ gboolean have_dmrc, drop_privileges;
dmrc_file = g_key_file_new ();
@@ -38,7 +38,14 @@ dmrc_load (const gchar *username)
/* Load from the user directory, if this fails (e.g. the user directory
* is not yet mounted) then load from the cache */
path = g_build_filename (user_get_home_directory (user), ".dmrc", NULL);
+
+ /* Guard against privilege escalation through symlinks, etc. */
+ drop_privileges = geteuid () == 0;
+ if (drop_privileges)
+ privileges_drop (user);
have_dmrc = g_key_file_load_from_file (dmrc_file, path,
G_KEY_FILE_KEEP_COMMENTS, NULL);
+ if (drop_privileges)
+ privileges_reclaim ();
g_free (path);
/* If no ~/.dmrc, then load from the cache */
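Review bot: `privileges_drop (user);` is called without checking whether it succeeded, so if the switch fails the following `g_key_file_load_from_file (dmrc_file, path, ...)` still runs with euid 0, which is exactly the case the new comment "Guard against privilege escalation through symlinks, etc." is meant to rule out; if privileges_drop can report failure, check it and skip straight to the cache fallback, and treat a failing `privileges_reclaim ()` as fatal rather than continuing with unknown credentials. Two things to confirm in the helpers, whose bodies are not in this hunk: that privileges_drop switches the effective gid (before the uid) and not only the uid, since a file readable by group 0 would otherwise still be readable, and that the cache load that follows the trailing context line ("If no ~/.dmrc, then load from the cache") is safe to do with privileges reclaimed, i.e. that the cache location is not user-writable. An O_NOFOLLOW/fstat check is not an alternative here, because g_key_file_load_from_file takes a path and opens it itself, so the privilege switch is the only defence on this code path.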
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-commit+help@xxxxxxxxxxxx
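The technique named in the patch header above ("drop privileges before reading ~/.dmrc"), as an added example that is not LightDM's or openSUSE's code: a root-running daemon reads a file under a user's home directory with that user's effective ids, and additionally refuses symlinks and files the user does not own via O_NOFOLLOW and fstat(). The names read_user_file, drop_to, reclaim and demo, the seteuid()/setegid() implementation of the switch (the page shows only the privileges_drop/privileges_reclaim call sites, not their bodies), the return codes and the temp-directory fixture are all assumptions made for this example.

```c
/* Added example, not LightDM code: read a file under a user's home directory
 * from a root-running daemon without letting that user redirect the read via
 * a symlink. Two layered defences: (1) switch effective gid/uid to that user
 * around the open(), so the kernel applies the user's own permissions to every
 * path component (what the patch above does via privileges_drop()/reclaim(),
 * whose bodies are not on the page; the seteuid()/setegid() form is assumed);
 * (2) open with O_NOFOLLOW and fstat() the fd, accepting only a regular file
 * owned by that user. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return codes of read_user_file(). ERR_DROP: could not switch or restore ids;
 * ERR_OPEN: open() failed (errno in *err_no, ELOOP for a symlink); ERR_TYPE: not
 * a regular file; ERR_OWNER: owned by someone else; ERR_READ: read() failed. */
enum {
    USERFILE_OK = 0, USERFILE_ERR_DROP = -1, USERFILE_ERR_OPEN = -2,
    USERFILE_ERR_TYPE = -3, USERFILE_ERR_OWNER = -4, USERFILE_ERR_READ = -5
};

/* Become uid/gid if we are root. gid first: once the effective uid is non-zero,
 * setegid() is refused. Supplementary groups are left alone here; a real daemon
 * has to review those too. *dropped is set as soon as the ids may have changed. */
static int drop_to(uid_t uid, gid_t gid, int *dropped)
{
    *dropped = 0;
    if (geteuid() != 0)
        return 0;                        /* unprivileged: nothing to drop */
    *dropped = 1;
    return (setegid(gid) == 0 && seteuid(uid) == 0) ? 0 : -1;
}

/* Regain root: the saved set-user-ID is still 0, so seteuid(0) is permitted. */
static int reclaim(void)
{
    return (seteuid(0) == 0 && setegid(0) == 0) ? 0 : -1;
}

/* Read up to cap-1 bytes of path as user uid/gid into out (NUL-terminated). */
int read_user_file(const char *path, uid_t uid, gid_t gid,
                   char *out, size_t cap, int *err_no)
{
    int dropped = 0, fd, rc = USERFILE_OK;
    struct stat st;
    *err_no = 0;
    if (drop_to(uid, gid, &dropped) != 0) {  /* never touch the path as root */
        if (dropped) reclaim();              /* undo a partial switch, best effort */
        return USERFILE_ERR_DROP;
    }
    /* O_NOFOLLOW rejects a symlink only as the final component (ELOOP); links in
     * parent directories are still followed, hence the id switch above. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        *err_no = errno;
        rc = USERFILE_ERR_OPEN;
    } else if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        rc = USERFILE_ERR_TYPE;
    } else if (st.st_uid != uid) {
        rc = USERFILE_ERR_OWNER;
    } else {
        ssize_t n = read(fd, out, cap - 1);
        if (n < 0) { *err_no = errno; rc = USERFILE_ERR_READ; }
        else out[n] = '\0';
    }
    if (fd >= 0)
        close(fd);
    if (dropped && reclaim() != 0)       /* restore root only after the last access */
        return USERFILE_ERR_DROP;        /* callers should treat this as fatal */
    return rc;
}

/* Demo on a constructed fixture: a temp dir holding a regular "dmrc" with known
 * contents, then "dmrc.lnk", a symlink. Returns a bitmask: bit 0 = the regular
 * file was read back intact, bit 1 = the symlink was refused with ELOOP. */
int demo(void)
{
    char dir[] = "/tmp/dmrc-example-XXXXXX", p[256], buf[128];
    int e, ok = 0;
    FILE *f;
    if (!mkdtemp(dir))
        return -1;
    snprintf(p, sizeof p, "%s/dmrc", dir);
    if ((f = fopen(p, "w"))) { fputs("[Desktop]\nSession=gnome\n", f); fclose(f); }
    if (read_user_file(p, getuid(), getgid(), buf, sizeof buf, &e) == USERFILE_OK
        && strcmp(buf, "[Desktop]\nSession=gnome\n") == 0)
        ok |= 1;
    unlink(p);
    snprintf(p, sizeof p, "%s/dmrc.lnk", dir);
    if (symlink("/etc/passwd", p) == 0       /* target need not exist for ELOOP */
        && read_user_file(p, getuid(), getgid(), buf, sizeof buf, &e) == USERFILE_ERR_OPEN
        && e == ELOOP)
        ok |= 2;
    unlink(p);
    rmdir(dir);
    return ok;
}
```

demo() returns 3 when both defences behave as intended. The second defence on its own would not have covered LightDM's case: g_key_file_load_from_file() takes a path and opens it internally, so the caller has no descriptor to fstat() and no way to pass O_NOFOLLOW; switching the effective ids is what makes the kernel perform the check on the daemon's behalf, which is why the patch takes that route.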