From owner-svn-ports-all@freebsd.org Tue Sep 11 10:39:37 2018 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B70CD108C804; Tue, 11 Sep 2018 10:39:37 +0000 (UTC) (envelope-from adridg@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6CB847178F; Tue, 11 Sep 2018 10:39:37 +0000 (UTC) (envelope-from adridg@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 67A4A169B3; Tue, 11 Sep 2018 10:39:37 +0000 (UTC) (envelope-from adridg@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w8BAdb3I043830; Tue, 11 Sep 2018 10:39:37 GMT (envelope-from adridg@FreeBSD.org) Received: (from adridg@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w8BAda5F043826; Tue, 11 Sep 2018 10:39:36 GMT (envelope-from adridg@FreeBSD.org) Message-Id: <201809111039.w8BAda5F043826@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: adridg set sender to adridg@FreeBSD.org using -f From: Adriaan de Groot Date: Tue, 11 Sep 2018 10:39:36 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r479522 - in head/x11/sddm: . files X-SVN-Group: ports-head X-SVN-Commit-Author: adridg X-SVN-Commit-Paths: in head/x11/sddm: . files X-SVN-Commit-Revision: 479522 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Sep 2018 10:39:38 -0000 Author: adridg Date: Tue Sep 11 10:39:36 2018 New Revision: 479522 URL: https://svnweb.freebsd.org/changeset/ports/479522 Log: Backport security fixes for x11/sddm The 0.18 release of x11/sddm contains a fix for a security error that probably doesn't affect us: session-reuse. In any case our default configuration is not vulnerable. This doesn't update to 0.18 because there's a bunch of other changes that would need to be chased, further delaying this update. While here, pet portlint and Tijl, who asked for a pkg-message. PR: 230029 Reported by: doctorwhoguy@gmail.com Security: f00acdec-b59f-11e8-805d-001e2a3f778d Added: head/x11/sddm/files/git-patch-147cec38d (contents, props changed) head/x11/sddm/files/git-patch-b02b00559 (contents, props changed) head/x11/sddm/pkg-message (contents, props changed) Modified: head/x11/sddm/Makefile Modified: head/x11/sddm/Makefile ============================================================================== --- head/x11/sddm/Makefile Tue Sep 11 10:39:05 2018 (r479521) +++ head/x11/sddm/Makefile Tue Sep 11 10:39:36 2018 (r479522) @@ -3,11 +3,21 @@ PORTNAME= sddm PORTVERSION= 0.17.0 DISTVERSIONPREFIX= v +PORTREVISION= 1 CATEGORIES= x11 MAINTAINER= kde@FreeBSD.org COMMENT= QML based login manager +# The source code is GPLv2+, but the provided themes are: +# - CC-BY 3.0 (default greeter theme, maldives) +# - CC-BY 4.0 (maya) +# - Apache20 (font included with maya) +LICENSE= GPLv2+ CC-BY-3.0 CC-BY-4.0 APACHE20 +LICENSE_COMB= multi +LICENSE_FILE_GPLv2+= ${WRKSRC}/LICENSE +LICENSE_FILE_CC-BY-3.0= ${WRKSRC}/LICENSE.CC-BY-3.0 + RUN_DEPENDS= dbus-run-session:devel/dbus USES= cmake:outsource kde:5 qt:5 @@ -28,6 +38,10 @@ USERS= sddm GROUPS= sddm USE_GITHUB= yes + +# There are multiple patches that apply to Display.cpp, +# fixing CVE-2018-14345 and backported from 0.18. +EXTRA_PATCHES= ${PATCHDIR}/git-patch-147cec38d ${PATCHDIR}/git-patch-b02b00559 post-patch: @${REINPLACE_CMD} -e 's#/etc/X11#${LOCALBASE}/etc/X11#' \ Added: head/x11/sddm/files/git-patch-147cec38d ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11/sddm/files/git-patch-147cec38d Tue Sep 11 10:39:36 2018 (r479522) @@ -0,0 +1,28 @@ +diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp +index 5abfc9a..57d7ecb 100644 +--- src/daemon/Display.cpp ++++ src/daemon/Display.cpp +@@ -339,7 +339,9 @@ namespace SDDM { + } else { + //we only want to unlock the session if we can lock in, so we want to go via PAM auth, but not start a new session + //by not setting the session and the helper will emit authentication and then quit +- connect(m_auth, &Auth::authentication, this, [=](){ ++ connect(m_auth, &Auth::authentication, this, [=](const QString &, bool success){ ++ if(!success) ++ return; + qDebug() << "activating existing seat"; + OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus()); + manager.UnlockSession(existingSessionId); +diff --git a/src/helper/backend/PamBackend.cpp b/src/helper/backend/PamBackend.cpp +index 69cbd2c..5467282 100644 +--- src/helper/backend/PamBackend.cpp ++++ src/helper/backend/PamBackend.cpp +@@ -219,8 +219,6 @@ namespace SDDM { + + if (user == QStringLiteral("sddm") && m_greeter) + service = QStringLiteral("sddm-greeter"); +- else if (m_app->session()->path().isEmpty()) +- service = QStringLiteral("sddm-check"); + else if (m_autologin) + service = QStringLiteral("sddm-autologin"); + result = m_pam->start(service, user); Added: head/x11/sddm/files/git-patch-b02b00559 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11/sddm/files/git-patch-b02b00559 Tue Sep 11 10:39:36 2018 (r479522) @@ -0,0 +1,70 @@ +diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp +index 57d7ecb..c2ea728 100644 +--- src/daemon/Display.cpp ++++ src/daemon/Display.cpp +@@ -280,7 +280,7 @@ namespace SDDM { + return; + } + +- QString existingSessionId; ++ m_reuseSessionId = QString(); + + if (Logind::isAvailable() && mainConfig.Users.ReuseSession.get()) { + OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus()); +@@ -291,7 +291,7 @@ namespace SDDM { + if (s.userName == user) { + OrgFreedesktopLogin1SessionInterface session(Logind::serviceName(), s.sessionPath.path(), QDBusConnection::systemBus()); + if (session.service() == QLatin1String("sddm")) { +- existingSessionId = s.sessionId; ++ m_reuseSessionId = s.sessionId; + break; + } + } +@@ -334,19 +334,8 @@ namespace SDDM { + m_auth->insertEnvironment(env); + + m_auth->setUser(user); +- if (existingSessionId.isNull()) { ++ if (m_reuseSessionId.isNull()) { + m_auth->setSession(session.exec()); +- } else { +- //we only want to unlock the session if we can lock in, so we want to go via PAM auth, but not start a new session +- //by not setting the session and the helper will emit authentication and then quit +- connect(m_auth, &Auth::authentication, this, [=](const QString &, bool success){ +- if(!success) +- return; +- qDebug() << "activating existing seat"; +- OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus()); +- manager.UnlockSession(existingSessionId); +- manager.ActivateSession(existingSessionId); +- }); + } + m_auth->start(); + } +@@ -355,7 +344,13 @@ namespace SDDM { + if (success) { + qDebug() << "Authenticated successfully"; + +- m_auth->setCookie(qobject_cast(m_displayServer)->cookie()); ++ if (!m_reuseSessionId.isNull()) { ++ OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus()); ++ manager.UnlockSession(m_reuseSessionId); ++ manager.ActivateSession(m_reuseSessionId); ++ } else { ++ m_auth->setCookie(qobject_cast(m_displayServer)->cookie()); ++ } + + // save last user and last session + if (mainConfig.Users.RememberLastUser.get()) +diff --git a/src/daemon/Display.h b/src/daemon/Display.h +index 09d3cf9..a6a06b2 100644 +--- src/daemon/Display.h ++++ src/daemon/Display.h +@@ -85,6 +85,7 @@ namespace SDDM { + + QString m_passPhrase; + QString m_sessionName; ++ QString m_reuseSessionId; + + Auth *m_auth { nullptr }; + DisplayServer *m_displayServer { nullptr }; Added: head/x11/sddm/pkg-message ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11/sddm/pkg-message Tue Sep 11 10:39:36 2018 (r479522) @@ -0,0 +1,2 @@ +SDDM does not support login.conf(5), and no special restrictions +or settings from login.conf are enforced or applied.