Date:      Tue, 11 Sep 2018 10:39:36 +0000 (UTC)
From:      Adriaan de Groot <adridg@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r479522 - in head/x11/sddm: . files
Message-ID:  <201809111039.w8BAda5F043826@repo.freebsd.org>

Author: adridg
Date: Tue Sep 11 10:39:36 2018
New Revision: 479522
URL: https://svnweb.freebsd.org/changeset/ports/479522

Log:
  Backport security fixes for x11/sddm
  
  The 0.18 release of x11/sddm contains a fix for a security error
  that probably doesn't affect us: session-reuse. In any case our
  default configuration is not vulnerable. This doesn't update to
  0.18 because there's a bunch of other changes that would need to
  be chased, further delaying this update.
  
  While here, pet portlint and Tijl, who asked for a pkg-message.
  
  PR:		230029
  Reported by:	doctorwhoguy@gmail.com
  Security:	f00acdec-b59f-11e8-805d-001e2a3f778d

Added:
  head/x11/sddm/files/git-patch-147cec38d   (contents, props changed)
  head/x11/sddm/files/git-patch-b02b00559   (contents, props changed)
  head/x11/sddm/pkg-message   (contents, props changed)
Modified:
  head/x11/sddm/Makefile

Modified: head/x11/sddm/Makefile
==============================================================================
--- head/x11/sddm/Makefile	Tue Sep 11 10:39:05 2018	(r479521)
+++ head/x11/sddm/Makefile	Tue Sep 11 10:39:36 2018	(r479522)
@@ -3,11 +3,21 @@
 PORTNAME=	sddm
 PORTVERSION=	0.17.0
 DISTVERSIONPREFIX=	v
+PORTREVISION=	1
 CATEGORIES=	x11
 
 MAINTAINER=	kde@FreeBSD.org
 COMMENT=	QML based login manager
 
+# The source code is GPLv2+, but the provided themes are:
+#  - CC-BY 3.0 (default greeter theme, maldives)
+#  - CC-BY 4.0 (maya)
+#  - Apache20 (font included with maya)
+LICENSE=	GPLv2+ CC-BY-3.0 CC-BY-4.0 APACHE20
+LICENSE_COMB=	multi
+LICENSE_FILE_GPLv2+=	${WRKSRC}/LICENSE
+LICENSE_FILE_CC-BY-3.0=	${WRKSRC}/LICENSE.CC-BY-3.0
+
 RUN_DEPENDS=	dbus-run-session:devel/dbus
 
 USES=		cmake:outsource kde:5 qt:5
@@ -28,6 +38,10 @@ USERS=		sddm
 GROUPS=		sddm
 
 USE_GITHUB=	yes
+
+# There are multiple patches that apply to Display.cpp,
+# fixing CVE-2018-14345 and backported from 0.18.
+EXTRA_PATCHES=	${PATCHDIR}/git-patch-147cec38d ${PATCHDIR}/git-patch-b02b00559
 
 post-patch:
 	@${REINPLACE_CMD} -e 's#/etc/X11#${LOCALBASE}/etc/X11#' \
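Review bot: The comment above `EXTRA_PATCHES` does not say that the two patches must be applied in the listed order, and it names only Display.cpp. git-patch-b02b00559 starts from blob 57d7ecb of Display.cpp, which is the result of git-patch-147cec38d, and it removes the `bool success` lambda that the first patch adds; the first patch also changes PamBackend.cpp and the second also changes Display.h. Suggested wording: `# Backported from 0.18 for CVE-2018-14345. Order matters: git-patch-b02b00559 applies on top of git-patch-147cec38d.` The post-patch target continues outside the hunk.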

Added: head/x11/sddm/files/git-patch-147cec38d
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/x11/sddm/files/git-patch-147cec38d	Tue Sep 11 10:39:36 2018	(r479522)
@@ -0,0 +1,28 @@
+diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp
+index 5abfc9a..57d7ecb 100644
+--- src/daemon/Display.cpp
++++ src/daemon/Display.cpp
+@@ -339,7 +339,9 @@ namespace SDDM {
+         } else {
+             //we only want to unlock the session if we can lock in, so we want to go via PAM auth, but not start a new session
+             //by not setting the session and the helper will emit authentication and then quit
+-            connect(m_auth, &Auth::authentication, this, [=](){
++            connect(m_auth, &Auth::authentication, this, [=](const QString &, bool success){
++                if(!success)
++                    return;
+                 qDebug() << "activating existing seat";
+                 OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
+                 manager.UnlockSession(existingSessionId);
+diff --git a/src/helper/backend/PamBackend.cpp b/src/helper/backend/PamBackend.cpp
+index 69cbd2c..5467282 100644
+--- src/helper/backend/PamBackend.cpp
++++ src/helper/backend/PamBackend.cpp
+@@ -219,8 +219,6 @@ namespace SDDM {
+ 
+         if (user == QStringLiteral("sddm") && m_greeter)
+             service = QStringLiteral("sddm-greeter");
+-        else if (m_app->session()->path().isEmpty())
+-            service = QStringLiteral("sddm-check");
+         else if (m_autologin)
+             service = QStringLiteral("sddm-autologin");
+         result = m_pam->start(service, user);
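Review bot: The PamBackend.cpp part removes the `sddm-check` service selection with no record of what now handles that case. An authentication started with an empty session path now keeps whatever `service` was initialised to before this hunk (not visible here), or becomes `sddm-autologin` when `m_autologin` is set. If the port installs a `sddm-check` PAM file it would no longer be selected by this code, and the session-unlock path would be governed by the main service's PAM stack; that is worth confirming against the PAM files the port ships. Since the patch is a verbatim upstream backport, the place to record this is the port's Makefile comment, for example `# git-patch-147cec38d also stops selecting the sddm-check PAM service`.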

Added: head/x11/sddm/files/git-patch-b02b00559
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/x11/sddm/files/git-patch-b02b00559	Tue Sep 11 10:39:36 2018	(r479522)
@@ -0,0 +1,70 @@
+diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp
+index 57d7ecb..c2ea728 100644
+--- src/daemon/Display.cpp
++++ src/daemon/Display.cpp
+@@ -280,7 +280,7 @@ namespace SDDM {
+             return;
+         }
+ 
+-        QString existingSessionId;
++        m_reuseSessionId = QString();
+ 
+         if (Logind::isAvailable() && mainConfig.Users.ReuseSession.get()) {
+             OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
+@@ -291,7 +291,7 @@ namespace SDDM {
+                 if (s.userName == user) {
+                     OrgFreedesktopLogin1SessionInterface session(Logind::serviceName(), s.sessionPath.path(), QDBusConnection::systemBus());
+                     if (session.service() == QLatin1String("sddm")) {
+-                        existingSessionId =  s.sessionId;
++                        m_reuseSessionId =  s.sessionId;
+                         break;
+                     }
+                 }
+@@ -334,19 +334,8 @@ namespace SDDM {
+         m_auth->insertEnvironment(env);
+ 
+         m_auth->setUser(user);
+-        if (existingSessionId.isNull()) {
++        if (m_reuseSessionId.isNull()) {
+             m_auth->setSession(session.exec());
+-        } else {
+-            //we only want to unlock the session if we can lock in, so we want to go via PAM auth, but not start a new session
+-            //by not setting the session and the helper will emit authentication and then quit
+-            connect(m_auth, &Auth::authentication, this, [=](const QString &, bool success){
+-                if(!success)
+-                    return;
+-                qDebug() << "activating existing seat";
+-                OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
+-                manager.UnlockSession(existingSessionId);
+-                manager.ActivateSession(existingSessionId);
+-            });
+         }
+         m_auth->start();
+     }
+@@ -355,7 +344,13 @@ namespace SDDM {
+         if (success) {
+             qDebug() << "Authenticated successfully";
+ 
+-            m_auth->setCookie(qobject_cast<XorgDisplayServer *>(m_displayServer)->cookie());
++            if (!m_reuseSessionId.isNull()) {
++                OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
++                manager.UnlockSession(m_reuseSessionId);
++                manager.ActivateSession(m_reuseSessionId);
++            } else {
++                m_auth->setCookie(qobject_cast<XorgDisplayServer *>(m_displayServer)->cookie());
++            }
+ 
+             // save last user and last session
+             if (mainConfig.Users.RememberLastUser.get())
+diff --git a/src/daemon/Display.h b/src/daemon/Display.h
+index 09d3cf9..a6a06b2 100644
+--- src/daemon/Display.h
++++ src/daemon/Display.h
+@@ -85,6 +85,7 @@ namespace SDDM {
+ 
+         QString m_passPhrase;
+         QString m_sessionName;
++        QString m_reuseSessionId;
+ 
+         Auth *m_auth { nullptr };
+         DisplayServer *m_displayServer { nullptr };
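Review bot: The new `if (!m_reuseSessionId.isNull())` branch in the authentication-finished handler unlocks and activates a logind session without logging it and without looking at the result of either D-Bus call; the earlier `qDebug() << "activating existing seat";` line was dropped together with the lambda. An unlock of an existing session is worth a log record for audit, and a failed call currently leaves no trace. I would add `qDebug() << "Unlocking existing session" << m_reuseSessionId;` before `manager.UnlockSession(m_reuseSessionId);` and, if the generated interface returns a pending reply as such proxies usually do, log its error as well. The enclosing function starts and ends outside the hunk.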

Added: head/x11/sddm/pkg-message
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/x11/sddm/pkg-message	Tue Sep 11 10:39:36 2018	(r479522)
@@ -0,0 +1,2 @@
+SDDM does not support login.conf(5), and no special restrictions
+or settings from login.conf are enforced or applied.


