svn commit: r479522 - in head/x11/sddm: . files
Adriaan de Groot
adridg at FreeBSD.org
Tue Sep 11 10:39:38 UTC 2018
Author: adridg
Date: Tue Sep 11 10:39:36 2018
New Revision: 479522
URL: https://svnweb.freebsd.org/changeset/ports/479522
Log:
Backport security fixes for x11/sddm
The 0.18 release of x11/sddm contains a fix for a security error
that probably doesn't affect us: session-reuse. In any case our
default configuration is not vulnerable. This doesn't update to
0.18 because there's a bunch of other changes that would need to
be chased, further delaying this update.
While here, pet portlint and Tijl, who asked for a pkg-message.
PR: 230029
Reported by: doctorwhoguy at gmail.com
Security: f00acdec-b59f-11e8-805d-001e2a3f778d
Added:
head/x11/sddm/files/git-patch-147cec38d (contents, props changed)
head/x11/sddm/files/git-patch-b02b00559 (contents, props changed)
head/x11/sddm/pkg-message (contents, props changed)
Modified:
head/x11/sddm/Makefile
Modified: head/x11/sddm/Makefile
==============================================================================
--- head/x11/sddm/Makefile Tue Sep 11 10:39:05 2018 (r479521)
+++ head/x11/sddm/Makefile Tue Sep 11 10:39:36 2018 (r479522)
@@ -3,11 +3,21 @@
PORTNAME= sddm
PORTVERSION= 0.17.0
DISTVERSIONPREFIX= v
+PORTREVISION= 1
CATEGORIES= x11
MAINTAINER= kde at FreeBSD.org
COMMENT= QML based login manager
+# The source code is GPLv2+, but the provided themes are:
+# - CC-BY 3.0 (default greeter theme, maldives)
+# - CC-BY 4.0 (maya)
+# - Apache20 (font included with maya)
+LICENSE= GPLv2+ CC-BY-3.0 CC-BY-4.0 APACHE20
+LICENSE_COMB= multi
+LICENSE_FILE_GPLv2+= ${WRKSRC}/LICENSE
+LICENSE_FILE_CC-BY-3.0= ${WRKSRC}/LICENSE.CC-BY-3.0
+
RUN_DEPENDS= dbus-run-session:devel/dbus
USES= cmake:outsource kde:5 qt:5
@@ -28,6 +38,10 @@ USERS= sddm
GROUPS= sddm
USE_GITHUB= yes
+
+# There are multiple patches that apply to Display.cpp,
+# fixing CVE-2018-14345 and backported from 0.18.
+EXTRA_PATCHES= ${PATCHDIR}/git-patch-147cec38d ${PATCHDIR}/git-patch-b02b00559
post-patch:
@${REINPLACE_CMD} -e 's#/etc/X11#${LOCALBASE}/etc/X11#' \
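Review bot: The comment above `EXTRA_PATCHES` does not say that the two files have to be applied in the listed order. The Display.cpp section of git-patch-b02b00559 starts from index `57d7ecb`, which is the result of git-patch-147cec38d, and it removes the lambda that the first patch edits, so swapping or dropping an entry would either fail to apply or leave the fix partial. I would add a line such as `# Order matters: git-patch-b02b00559 applies on top of git-patch-147cec38d.` The post-patch target continues outside the hunk.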
Added: head/x11/sddm/files/git-patch-147cec38d
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/x11/sddm/files/git-patch-147cec38d Tue Sep 11 10:39:36 2018 (r479522)
@@ -0,0 +1,28 @@
+diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp
+index 5abfc9a..57d7ecb 100644
+--- src/daemon/Display.cpp
++++ src/daemon/Display.cpp
+@@ -339,7 +339,9 @@ namespace SDDM {
+ } else {
+ //we only want to unlock the session if we can lock in, so we want to go via PAM auth, but not start a new session
+ //by not setting the session and the helper will emit authentication and then quit
+- connect(m_auth, &Auth::authentication, this, [=](){
++ connect(m_auth, &Auth::authentication, this, [=](const QString &, bool success){
++ if(!success)
++ return;
+ qDebug() << "activating existing seat";
+ OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
+ manager.UnlockSession(existingSessionId);
+diff --git a/src/helper/backend/PamBackend.cpp b/src/helper/backend/PamBackend.cpp
+index 69cbd2c..5467282 100644
+--- src/helper/backend/PamBackend.cpp
++++ src/helper/backend/PamBackend.cpp
+@@ -219,8 +219,6 @@ namespace SDDM {
+
+ if (user == QStringLiteral("sddm") && m_greeter)
+ service = QStringLiteral("sddm-greeter");
+- else if (m_app->session()->path().isEmpty())
+- service = QStringLiteral("sddm-check");
+ else if (m_autologin)
+ service = QStringLiteral("sddm-autologin");
+ result = m_pam->start(service, user);
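Review bot: The patch file begins directly at `diff --git` and records no provenance, and its name carries only an abbreviated upstream hash, so a later auditor cannot easily confirm that it is the unmodified upstream change. patch(1) skips leading text, so a short header ahead of the first `diff --git` line would be enough, for example `Backport of upstream sddm commit <full-commit-hash> (CVE-2018-14345)`, with the placeholder replaced by the real hash. The same applies to git-patch-b02b00559. Both nested hunks start and end inside functions that are not shown here.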
Added: head/x11/sddm/files/git-patch-b02b00559
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/x11/sddm/files/git-patch-b02b00559 Tue Sep 11 10:39:36 2018 (r479522)
@@ -0,0 +1,70 @@
+diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp
+index 57d7ecb..c2ea728 100644
+--- src/daemon/Display.cpp
++++ src/daemon/Display.cpp
+@@ -280,7 +280,7 @@ namespace SDDM {
+ return;
+ }
+
+- QString existingSessionId;
++ m_reuseSessionId = QString();
+
+ if (Logind::isAvailable() && mainConfig.Users.ReuseSession.get()) {
+ OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
+@@ -291,7 +291,7 @@ namespace SDDM {
+ if (s.userName == user) {
+ OrgFreedesktopLogin1SessionInterface session(Logind::serviceName(), s.sessionPath.path(), QDBusConnection::systemBus());
+ if (session.service() == QLatin1String("sddm")) {
+- existingSessionId = s.sessionId;
++ m_reuseSessionId = s.sessionId;
+ break;
+ }
+ }
+@@ -334,19 +334,8 @@ namespace SDDM {
+ m_auth->insertEnvironment(env);
+
+ m_auth->setUser(user);
+- if (existingSessionId.isNull()) {
++ if (m_reuseSessionId.isNull()) {
+ m_auth->setSession(session.exec());
+- } else {
+- //we only want to unlock the session if we can lock in, so we want to go via PAM auth, but not start a new session
+- //by not setting the session and the helper will emit authentication and then quit
+- connect(m_auth, &Auth::authentication, this, [=](const QString &, bool success){
+- if(!success)
+- return;
+- qDebug() << "activating existing seat";
+- OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
+- manager.UnlockSession(existingSessionId);
+- manager.ActivateSession(existingSessionId);
+- });
+ }
+ m_auth->start();
+ }
+@@ -355,7 +344,13 @@ namespace SDDM {
+ if (success) {
+ qDebug() << "Authenticated successfully";
+
+- m_auth->setCookie(qobject_cast<XorgDisplayServer *>(m_displayServer)->cookie());
++ if (!m_reuseSessionId.isNull()) {
++ OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
++ manager.UnlockSession(m_reuseSessionId);
++ manager.ActivateSession(m_reuseSessionId);
++ } else {
++ m_auth->setCookie(qobject_cast<XorgDisplayServer *>(m_displayServer)->cookie());
++ }
+
+ // save last user and last session
+ if (mainConfig.Users.RememberLastUser.get())
+diff --git a/src/daemon/Display.h b/src/daemon/Display.h
+index 09d3cf9..a6a06b2 100644
+--- src/daemon/Display.h
++++ src/daemon/Display.h
+@@ -85,6 +85,7 @@ namespace SDDM {
+
+ QString m_passPhrase;
+ QString m_sessionName;
++ QString m_reuseSessionId;
+
+ Auth *m_auth { nullptr };
+ DisplayServer *m_displayServer { nullptr };
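Review bot: `m_reuseSessionId` is now member state that outlives a single login attempt, and the only reset visible is `m_reuseSessionId = QString();` in the first nested hunk, which sits after an early `return;`. If the authentication-finished slot ever runs with `success` for a flow that did not pass that reset, it would still call `UnlockSession`/`ActivateSession` with the id found by an earlier attempt. Whether such a path exists cannot be told from these hunks, because both functions start and end outside them. Clearing the member once it has been consumed, e.g. `m_reuseSessionId.clear();` after `manager.ActivateSession(m_reuseSessionId);` and on the failure branch, would remove the dependence on call order, provided nothing later in the slot reads it. Since this is a backport, the change is better proposed upstream than carried only in the port.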
Added: head/x11/sddm/pkg-message
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/x11/sddm/pkg-message Tue Sep 11 10:39:36 2018 (r479522)
@@ -0,0 +1,2 @@
+SDDM does not support login.conf(5), and no special restrictions
+or settings from login.conf are enforced or applied.