author | 2008-04-02 14:03:32 +0000 | |
---|---|---|
committer | 2008-04-02 14:03:32 +0000 | |
commit | 253972e80959b034979f46c29609c32d984cdb62 (patch) | |
tree | d54724d7f79afed3860311a002e6866aa81d1a63 /gnome-extra/gnome-screensaver | |
parent | Added vdr-1.6.0 and gcc-4.1 patches. (diff) | |
fix security bug #213940
(Portage version: 2.1.4.4, RepoMan options: --force)
Diffstat (limited to 'gnome-extra/gnome-screensaver')
-rw-r--r-- | gnome-extra/gnome-screensaver/ChangeLog | 11 | ||||
-rw-r--r-- | gnome-extra/gnome-screensaver/files/gnome-screensaver-CVE-2008-0887.patch | 225 | ||||
-rw-r--r-- | gnome-extra/gnome-screensaver/gnome-screensaver-2.20.0-r3.ebuild | 107 | ||||
-rw-r--r-- | gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0-r1.ebuild (renamed from gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0.ebuild) | 11 |
4 files changed, 351 insertions, 3 deletions
diff --git a/gnome-extra/gnome-screensaver/ChangeLog b/gnome-extra/gnome-screensaver/ChangeLog
index e61467dd1578..0a72997c1da5 100644
--- a/gnome-extra/gnome-screensaver/ChangeLog
+++ b/gnome-extra/gnome-screensaver/ChangeLog
@@ -1,6 +1,15 @@
 # ChangeLog for gnome-extra/gnome-screensaver
 # Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/gnome-extra/gnome-screensaver/ChangeLog,v 1.72 2008/03/26 21:03:07 cardoe Exp $
+# $Header: /var/cvsroot/gentoo-x86/gnome-extra/gnome-screensaver/ChangeLog,v 1.73 2008/04/02 14:03:31 eva Exp $
+
+*gnome-screensaver-2.22.0-r1 (02 Apr 2008)
+*gnome-screensaver-2.20.0-r3 (02 Apr 2008)
+
+ 02 Apr 2008; Gilles Dartiguelongue <eva@gentoo.org>
+ +files/gnome-screensaver-CVE-2008-0887.patch,
+ +gnome-screensaver-2.20.0-r3.ebuild, -gnome-screensaver-2.22.0.ebuild,
+ +gnome-screensaver-2.22.0-r1.ebuild:
+ fix security bug #213940

 26 Mar 2008; Doug Goldstein <cardoe@gentoo.org>
 gnome-screensaver-2.22.0.ebuild:
diff --git a/gnome-extra/gnome-screensaver/files/gnome-screensaver-CVE-2008-0887.patch b/gnome-extra/gnome-screensaver/files/gnome-screensaver-CVE-2008-0887.patch
new file mode 100644
index 000000000000..e0216529dbcf
--- /dev/null
+++ b/gnome-extra/gnome-screensaver/files/gnome-screensaver-CVE-2008-0887.patch
@@ -0,0 +1,225 @@
+Index: gnome-screensaver/src/gnome-screensaver-dialog.c
+===================================================================
+--- gnome-screensaver/src/gnome-screensaver-dialog.c (revision 1398)
++++ gnome-screensaver/src/gnome-screensaver-dialog.c (working copy)
+@@ -41,6 +41,8 @@
+
+ #include "gs-debug.h"
+
++#define MAX_FAILURES 5
++
+ static gboolean verbose = FALSE;
+ static gboolean show_version = FALSE;
+ static gboolean enable_logout = FALSE;
+@@ -299,8 +301,6 @@ do_auth_check (GSLockPlug *plug)
+ gs_lock_plug_show_message (plug, _("Authentication failed."));
+ }
+
+- g_timeout_add (3000, (GSourceFunc)reset_idle_cb, plug);
+-
+ printf ("NOTICE=AUTH FAILED\n");
+ fflush (stdout);
+
+@@ -325,15 +325,28 @@ response_cb (GSLockPlug *plug,
+ static gboolean
+ auth_check_idle (GSLockPlug *plug)
+ {
+- gboolean res;
++ gboolean res;
++ gboolean again;
++ static guint loop_counter = 0;
+
++ again = TRUE;
+ res = do_auth_check (plug);
+
+ if (res) {
++ again = FALSE;
+ g_idle_add ((GSourceFunc)quit_response_ok, NULL);
++ } else {
++ loop_counter++;
++
++ if (loop_counter < MAX_FAILURES) {
++ g_timeout_add (3000, (GSourceFunc)reset_idle_cb, plug);
++ } else {
++ again = FALSE;
++ gtk_main_quit ();
++ }
+ }
+
+- return !res;
++ return again;
+ }
+
+ static void
+Index: gnome-screensaver/src/setuid.c
+===================================================================
+--- gnome-screensaver/src/setuid.c (revision 1398)
++++ gnome-screensaver/src/setuid.c (working copy)
+@@ -48,7 +48,7 @@ uid_gid_string (uid_t uid,
+ return buf;
+ }
+
+-static int
++static gboolean
+ set_ids_by_number (uid_t uid,
+ gid_t gid,
+ char **message_ret)
+@@ -96,7 +96,7 @@ set_ids_by_number (uid_t uid,
+
+ g_free (reason);
+
+- return 0;
++ return TRUE;
+ } else {
+ char *reason = NULL;
+
+@@ -141,9 +141,9 @@ set_ids_by_number (uid_t uid,
+ g_free (reason);
+ reason = NULL;
+ }
+-
+- return -1;
++ return FALSE;
+ }
++ return FALSE;
+ }
+
+
+@@ -165,12 +165,21 @@ hack_uid (char **nolock_reason,
+ char **orig_uid,
+ char **uid_message)
+ {
+- if (nolock_reason)
++ char *reason;
++ gboolean ret;
++
++ ret = TRUE;
++ reason = NULL;
++
++ if (nolock_reason != NULL) {
+ *nolock_reason = NULL;
+- if (orig_uid)
++ }
++ if (orig_uid != NULL) {
+ *orig_uid = NULL;
+- if (uid_message)
++ }
++ if (uid_message != NULL) {
+ *uid_message = NULL;
++ }
+
+ /* Discard privileges, and set the effective user/group ids to the
+ real user/group ids. That is, give up our "chmod +s" rights.
+@@ -181,12 +190,18 @@ hack_uid (char **nolock_reason,
+ uid_t uid = getuid ();
+ gid_t gid = getgid ();
+
+- if (orig_uid)
++ if (orig_uid != NULL) {
+ *orig_uid = uid_gid_string (euid, egid);
++ }
++
++ if (uid != euid || gid != egid) {
++ if (! set_ids_by_number (uid, gid, uid_message)) {
++ reason = g_strdup ("unable to discard privileges.");
+
+- if (uid != euid || gid != egid)
+- if (set_ids_by_number (uid, gid, uid_message) != 0)
+- return FALSE;
++ ret = FALSE;
++ goto out;
++ }
++ }
+ }
+
+
+@@ -200,81 +215,16 @@ hack_uid (char **nolock_reason,
+ and "USING XDM".
+ */
+ if (getuid () == (uid_t) 0) {
+- if (nolock_reason)
+- *nolock_reason = g_strdup ("running as root");
+- return FALSE;
++ reason = g_strdup ("running as root");
++ ret = FALSE;
++ goto out;
+ }
+- /* If we're running as root, switch to a safer user. This is above and
+- beyond the fact that we've disabling locking, above -- the theory is
+- that running graphics demos as root is just always a stupid thing
+- to do, since they have probably never been security reviewed and are
+- more likely to be buggy than just about any other kind of program.
+- (And that assumes non-malicious code. There are also attacks here.)
+-
+- *** WARNING: DO NOT DISABLE THIS CODE!
+- If you do so, you will open a security hole. See the sections
+- of the xscreensaver manual titled "LOCKING AND ROOT LOGINS",
+- and "USING XDM".
+- */
+- if (getuid () == (uid_t) 0) {
+- struct passwd *p;
+-
+- p = getpwnam ("nobody");
+- if (! p) p = getpwnam ("noaccess");
+- if (! p) p = getpwnam ("daemon");
+- if (! p) {
+- g_warning ("running as root, and couldn't find a safer uid.");
+- return FALSE;
+- }
+-
+- if (set_ids_by_number (p->pw_uid, p->pw_gid, uid_message) != 0)
+- return FALSE;
+- }
+-
+-
+- /* If there's anything even remotely funny looking about the passwd struct,
+- or if we're running as some other user from the list below (a
+- non-comprehensive selection of users known to be privileged in some way,
+- and not normal end-users) then disable locking. If it was possible,
+- switching to "nobody" would be the thing to do, but only root itself has
+- the privs to do that.
+-
+- *** WARNING: DO NOT DISABLE THIS CODE!
+- If you do so, you will open a security hole. See the sections
+- of the xscreensaver manual titled "LOCKING AND ROOT LOGINS",
+- and "USING XDM".
+- */
+- {
+- uid_t uid = getuid (); /* get it again */
+- struct passwd *p = getpwuid (uid); /* get it again */
+-
+- if (!p ||
+- uid == (uid_t) 0 ||
+- uid == (uid_t) -1 ||
+- uid == (uid_t) -2 ||
+- p->pw_uid == (uid_t) 0 ||
+- p->pw_uid == (uid_t) -1 ||
+- p->pw_uid == (uid_t) -2 ||
+- !p->pw_name ||
+- !*p->pw_name ||
+- !strcmp (p->pw_name, "root") ||
+- !strcmp (p->pw_name, "nobody") ||
+- !strcmp (p->pw_name, "noaccess") ||
+- !strcmp (p->pw_name, "operator") ||
+- !strcmp (p->pw_name, "daemon") ||
+- !strcmp (p->pw_name, "bin") ||
+- !strcmp (p->pw_name, "adm") ||
+- !strcmp (p->pw_name, "sys") ||
+- !strcmp (p->pw_name, "games")) {
+- if (nolock_reason)
+- *nolock_reason = g_strdup_printf ("running as %s",
+- (p && p->pw_name
+- && *p->pw_name
+- ? p->pw_name : "<unknown>"));
+- return FALSE;
+- }
++ out:
++ if (nolock_reason != NULL) {
++ *nolock_reason = g_strdup (reason);
+ }
++ g_free (reason);
+
+- return TRUE;
++ return ret;
+ }
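Review bot: The setuid.c part of this patch deletes two blocks in `hack_uid` that each carry a "WARNING: DO NOT DISABLE THIS CODE" comment, and neither the patch nor the commit message says why that is safe: the switch to `nobody`/`noaccess`/`daemon` when running as root, and the `getpwuid` check that disabled locking when the lookup returned NULL or the account was one of `bin`, `adm`, `games` and similar. After the change the only guards left are the privilege drop and `getuid () == (uid_t) 0`, and a process started as root is no longer moved to an unprivileged uid, so every caller has to treat a FALSE return as fatal; the callers are outside this hunk. I would add a comment above the `out:` label, for example `/* passwd-based checks removed for CVE-2008-0887: the lock decision must not depend on getpwuid()/getpwnam() succeeding */`, with the wording checked against the upstream rationale. Two smaller points in the same file: the `return FALSE;` added after the if/else in `set_ids_by_number` looks unreachable because both branches shown already return, and `*nolock_reason = g_strdup (reason); g_free (reason);` could hand the string over instead of copying it.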
diff --git a/gnome-extra/gnome-screensaver/gnome-screensaver-2.20.0-r3.ebuild b/gnome-extra/gnome-screensaver/gnome-screensaver-2.20.0-r3.ebuild
new file mode 100644
index 000000000000..2929aab198f1
--- /dev/null
+++ b/gnome-extra/gnome-screensaver/gnome-screensaver-2.20.0-r3.ebuild
@@ -0,0 +1,107 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/gnome-extra/gnome-screensaver/gnome-screensaver-2.20.0-r3.ebuild,v 1.1 2008/04/02 14:03:31 eva Exp $
+
+inherit gnome2 eutils
+
+DESCRIPTION="Replaces xscreensaver, integrating with the desktop."
+HOMEPAGE="http://live.gnome.org/GnomeScreensaver"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 hppa ~ia64 ~ppc ppc64 sparc x86 ~x86-fbsd"
+KERNEL_IUSE="kernel_linux"
+IUSE="debug doc libnotify opengl pam xinerama $KERNEL_IUSE"
+
+RDEPEND=">=gnome-base/gconf-2.6.1
+ >=x11-libs/gtk+-2.11.5
+ >=gnome-base/gnome-vfs-2.12
+ >=gnome-base/libglade-2.5.0
+ >=gnome-base/gnome-menus-2.12
+ >=dev-libs/glib-2.8
+ >=gnome-base/libgnomekbd-0.1
+ >=dev-libs/dbus-glib-0.71
+ libnotify? ( x11-libs/libnotify )
+ opengl? ( virtual/opengl )
+ xinerama? (
+ x11-libs/libXinerama
+ x11-proto/xineramaproto
+ )
+ pam? ( virtual/pam )
+ !pam? ( kernel_linux? ( sys-apps/shadow ) )
+ x11-libs/libX11
+ x11-libs/libXext
+ x11-libs/libXrandr
+ x11-libs/libXScrnSaver"
+DEPEND="${RDEPEND}
+ sys-devel/gettext
+ >=dev-util/pkgconfig-0.9
+ >=dev-util/intltool-0.35
+ doc? (
+ app-text/xmlto
+ ~app-text/docbook-xml-dtd-4.1.2
+ ~app-text/docbook-xml-dtd-4.4
+ )
+ x11-proto/xextproto
+ x11-proto/randrproto
+ x11-proto/scrnsaverproto
+ x11-proto/xf86miscproto"
+
+DOCS="AUTHORS ChangeLog HACKING NEWS README TODO"
+
+pkg_setup() {
+ G2CONF="${G2CONF} \
+ $(use_enable doc docbook-docs) \
+ $(use_enable debug) \
+ $(use_with libnotify) \
+ $(use_with opengl libgl) \
+ $(use_enable pam) \
+ $(use_enable xinerama) \
+ --enable-locking \
+ --with-kbd-layout-indicator \
+ --with-gdm-config=/usr/share/gdm/defaults.conf \
+ --with-xscreensaverdir=/usr/share/xscreensaver/config \
+ --with-xscreensaverhackdir=/usr/lib/misc/xscreensaver"
+}
+
+src_unpack() {
+ gnome2_src_unpack
+ epatch "${FILESDIR}/${P}-fix-gamma.patch"
+
+ # Fix CVE-2008-0887, bug #213940
+ epatch "${FILESDIR}/${PN}-CVE-2008-0887.patch"
+}
+
+src_install() {
+ gnome2_src_install
+
+ # Install the conversion script in the documentation
+ dodoc "${S}"/data/migrate-xscreensaver-config.sh
+ dodoc "${S}"/data/xscreensaver-config.xsl
+
+ # Conversion information
+ sed -e "s:\${PF}:${PF}:" \
+ < "${FILESDIR}"/xss-conversion-2.txt > "${S}"/xss-conversion.txt
+
+ dodoc "${S}"/xss-conversion.txt
+
+ # Non PAM users will need this suid to read the password hashes.
+ # OpenPAM users will probably need this too when
+ # http://bugzilla.gnome.org/show_bug.cgi?id=370847
+ # is fixed.
+ if ! use pam ; then
+ fperms u+s /usr/libexec/gnome-screensaver-dialog
+ fi
+}
+
+pkg_postinst() {
+ gnome2_pkg_postinst
+
+ ewarn "If you have xscreensaver installed, you probably want to disable it."
+ ewarn "To prevent a duplicate Screensaver entry in the menu, you need to"
+ ewarn "build xscreensaver with -gnome in the USE flags."
+ ewarn "echo \"x11-misc/xscreensaver -gnome\" >> /etc/portage/package.use"
+ echo
+ elog "Information for converting screensavers is located in "
+ elog "/usr/share/doc/${PF}/xss-conversion.txt.${PORTAGE_COMPRESS}"
+}
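Review bot: In src_install the `fperms u+s /usr/libexec/gnome-screensaver-dialog` branch makes the unlock dialog setuid for `!pam` builds, which is the case where `uid != euid` and the privilege-drop path in the patched `hack_uid` actually runs, but the comment above it only explains why the bit is needed. I would extend that comment with `# The dialog is expected to give these privileges up again in setuid.c (hack_uid); keep the CVE-2008-0887 patch applied whenever this bit is set.` Separately, `inherit gnome2 eutils` here is ordered differently from `inherit eutils gnome2` in the 2.22.0-r1 ebuild of the same commit; using one order in both would be easier to maintain.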
diff --git a/gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0.ebuild b/gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0-r1.ebuild
index dd80b2cbf0d5..d96aab99d398 100644
--- a/gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0.ebuild
+++ b/gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0-r1.ebuild
@@ -1,8 +1,8 @@
 # Copyright 1999-2008 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0.ebuild,v 1.2 2008/03/26 21:03:07 cardoe Exp $
+# $Header: /var/cvsroot/gentoo-x86/gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0-r1.ebuild,v 1.1 2008/04/02 14:03:31 eva Exp $

-inherit gnome2
+inherit eutils gnome2

 DESCRIPTION="Replaces xscreensaver, integrating with the desktop."
 HOMEPAGE="http://live.gnome.org/GnomeScreensaver"
@@ -64,6 +64,13 @@ pkg_setup() {
 --with-xscreensaverhackdir=/usr/lib/misc/xscreensaver"
 }

+src_unpack() {
+ gnome2_src_unpack
+
+ # Fix CVE-2008-0887, bug #213940
+ epatch "${FILESDIR}/${PN}-CVE-2008-0887.patch"
+}
+
 src_install() {
 gnome2_src_install |