authorBart Ribbers <bribbers@disroot.org>2020-11-05 10:16:13 +0100
committerLeo <thinkabit.ukim@gmail.com>2020-11-06 04:26:11 +0000
commit868070ed305cd2ae7f58b4e8f23d3c4f25dba759 (patch)
treef1f1c1b2abb5814a5820b030b4b9b1fe7ec5682c
parentd8403c9eea36a6c39dc3f08af8dd2755e94f25c0 (diff)
community/sddm: fix CVE-2020-28049
-rw-r--r--community/sddm/APKBUILD6
-rw-r--r--community/sddm/CVE-2020-28049.patch94
2 files changed, 98 insertions, 2 deletions
diff --git a/community/sddm/APKBUILD b/community/sddm/APKBUILD
index ae37beaf3e..938b04d7b0 100644
--- a/community/sddm/APKBUILD
+++ b/community/sddm/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Bart Ribbers <bribbers@disroot.org>
pkgname=sddm
pkgver=0.18.1
-pkgrel=7
+pkgrel=8
pkgdesc="Simple Desktop Display Manager"
url="https://github.com/sddm/sddm/"
arch="all !armhf" # armhf blocked by qt5-qtdeclarative
@@ -19,6 +19,7 @@ pkggroups="sddm"
source="$pkgname-$pkgver.tar.gz::https://github.com/sddm/sddm/archive/v$pkgver.tar.gz
pam-path-fix.patch
sddm.initd
+ CVE-2020-28049.patch
"
build() {
@@ -46,4 +47,5 @@ package() {
sha512sums="18d5b9ee5e4d022ac86e10cde1c70c5475aeaff86d41d8b9897bc26953f5b6d042a7fef1d6e727865ebeb003a730455656765ba53350a665891113afd4dfa7d8 sddm-0.18.1.tar.gz
f0b4eb7ef0581701157f9decc637629156f36f6711b9a4bae517f94d7a1df614c81bbd891c918f07ac50e2a3d1519c43ccb9eefd80282c95dd79eca0e8d90904 pam-path-fix.patch
-9a72f97d3de5d66ede593263e35e4030a2720371782c7767f444b1bbae3c1a358b349cb43be389814713b92d8b27174293bbdbd5b1d1c837abef1b6a6d082f98 sddm.initd"
+9a72f97d3de5d66ede593263e35e4030a2720371782c7767f444b1bbae3c1a358b349cb43be389814713b92d8b27174293bbdbd5b1d1c837abef1b6a6d082f98 sddm.initd
+cb4840dce22e76ee1bd912c81c590f5333c3c6e679dfca70555ec82dbe64579297bf2fa4ac94c4beda75724f4db28c8178357a4d0392d432e7928b6b1576dcf9 CVE-2020-28049.patch"
diff --git a/community/sddm/CVE-2020-28049.patch b/community/sddm/CVE-2020-28049.patch
new file mode 100644
index 0000000000..8209c0739d
--- /dev/null
+++ b/community/sddm/CVE-2020-28049.patch
@@ -0,0 +1,94 @@
+From be202f533ab98a684c6a007e8d5b4357846bc222 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@ritter-vogt.de>
+Date: Tue, 6 Oct 2020 21:21:38 +0200
+Subject: [PATCH] Fix X not having access control on startup
+
+If the auth file is empty, X allows any local application (= any user on the
+system) to connect. This is currently the case until X wrote the display
+number to sddm and sddm used that to write the entry into the file.
+To work around this chicken-and-egg problem, make use of the fact that X
+doesn't actually look at the display number in the passed auth file and just
+use :0 unconditionally. Also make sure that writing the entry was actually
+successful.
+
+CVE-2020-28049
+---
+ src/daemon/XorgDisplayServer.cpp | 25 ++++++++++++++++++++-----
+ src/daemon/XorgDisplayServer.h | 2 +-
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/src/daemon/XorgDisplayServer.cpp b/src/daemon/XorgDisplayServer.cpp
+index d04f6344..df685b2d 100644
+--- a/src/daemon/XorgDisplayServer.cpp
++++ b/src/daemon/XorgDisplayServer.cpp
+@@ -88,7 +88,7 @@ namespace SDDM {
+ return m_cookie;
+ }
+
+- void XorgDisplayServer::addCookie(const QString &file) {
++ bool XorgDisplayServer::addCookie(const QString &file) {
+ // log message
+ qDebug() << "Adding cookie to" << file;
+
+@@ -104,13 +104,13 @@ namespace SDDM {
+
+ // check file
+ if (!fp)
+- return;
++ return false;
+ fprintf(fp, "remove %s\n", qPrintable(m_display));
+ fprintf(fp, "add %s . %s\n", qPrintable(m_display), qPrintable(m_cookie));
+ fprintf(fp, "exit\n");
+
+ // close pipe
+- pclose(fp);
++ return pclose(fp) == 0;
+ }
+
+ bool XorgDisplayServer::start() {
+@@ -127,6 +127,15 @@ namespace SDDM {
+ // log message
+ qDebug() << "Display server starting...";
+
++ // generate auth file.
++ // For the X server's copy, the display number doesn't matter.
++ // An empty file would result in no access control!
++ m_display = QStringLiteral(":0");
++ if(!addCookie(m_authPath)) {
++ qCritical() << "Failed to write xauth file";
++ return false;
++ }
++
+ if (daemonApp->testing()) {
+ QStringList args;
+ QDir x11socketDir(QStringLiteral("/tmp/.X11-unix"));
+@@ -217,8 +226,14 @@ namespace SDDM {
+ emit started();
+ }
+
+- // generate auth file
+- addCookie(m_authPath);
++ // The file is also used by the greeter, which does care about the
++ // display number. Write the proper entry, if it's different.
++ if(m_display != QStringLiteral(":0")) {
++ if(!addCookie(m_authPath)) {
++ qCritical() << "Failed to write xauth file";
++ return false;
++ }
++ }
+ changeOwner(m_authPath);
+
+ // set flag
+diff --git a/src/daemon/XorgDisplayServer.h b/src/daemon/XorgDisplayServer.h
+index d2bdf6d4..e97a0b53 100644
+--- a/src/daemon/XorgDisplayServer.h
++++ b/src/daemon/XorgDisplayServer.h
+@@ -40,7 +40,7 @@ namespace SDDM {
+
+ const QString &cookie() const;
+
+- void addCookie(const QString &file);
++ bool addCookie(const QString &file);
+
+ public slots:
+ bool start();
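Review bot: The second `return false` in start(), inside the `if(m_display != QStringLiteral(":0"))` block, sits after the `emit started();` context line, so it appears to be reached once the X server is already running, and nothing in the visible lines tears that process down. The auth file is not empty at that point because the early `:0` entry was written, so this looks like a cleanup gap rather than the original exposure; it still deserves either termination of the server process before returning or a comment such as `// X is already running here; the caller must stop it when start() fails`. Separately, addCookie() now reports only the `pclose()` status while the three `fprintf` results stay unchecked, which is sound only if xauth exits non-zero on truncated input, so a one-line comment stating that assumption would help. Both start() and addCookie() begin and end outside the quoted hunks, so the process launch and the popen call are inferred rather than visible here.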