authorGilles Dartiguelongue <eva@gentoo.org>2008-04-02 14:03:32 +0000
committerGilles Dartiguelongue <eva@gentoo.org>2008-04-02 14:03:32 +0000
commit20be3fb33f2d151dffb93aa26faf71991c010b0b (patch)
treed7906bbe756351f9ace1635fe5e1c6969cd03348 /gnome-extra
parentAdded vdr-1.6.0 and gcc-4.1 patches. (diff)
fix security bug #213940
Package-Manager: portage-2.1.4.4 RepoMan-Options: --force
Diffstat (limited to 'gnome-extra')
-rw-r--r--gnome-extra/gnome-screensaver/ChangeLog11
-rw-r--r--gnome-extra/gnome-screensaver/Manifest12
-rw-r--r--gnome-extra/gnome-screensaver/files/gnome-screensaver-CVE-2008-0887.patch225
-rw-r--r--gnome-extra/gnome-screensaver/gnome-screensaver-2.20.0-r3.ebuild107
-rw-r--r--gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0-r1.ebuild (renamed from gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0.ebuild)11
5 files changed, 358 insertions, 8 deletions
diff --git a/gnome-extra/gnome-screensaver/ChangeLog b/gnome-extra/gnome-screensaver/ChangeLog
index e61467dd1578..0a72997c1da5 100644
--- a/gnome-extra/gnome-screensaver/ChangeLog
+++ b/gnome-extra/gnome-screensaver/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for gnome-extra/gnome-screensaver
# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/gnome-extra/gnome-screensaver/ChangeLog,v 1.72 2008/03/26 21:03:07 cardoe Exp $
+# $Header: /var/cvsroot/gentoo-x86/gnome-extra/gnome-screensaver/ChangeLog,v 1.73 2008/04/02 14:03:31 eva Exp $
+
+*gnome-screensaver-2.22.0-r1 (02 Apr 2008)
+*gnome-screensaver-2.20.0-r3 (02 Apr 2008)
+
+ 02 Apr 2008; Gilles Dartiguelongue <eva@gentoo.org>
+ +files/gnome-screensaver-CVE-2008-0887.patch,
+ +gnome-screensaver-2.20.0-r3.ebuild, -gnome-screensaver-2.22.0.ebuild,
+ +gnome-screensaver-2.22.0-r1.ebuild:
+ fix security bug #213940
26 Mar 2008; Doug Goldstein <cardoe@gentoo.org>
gnome-screensaver-2.22.0.ebuild:
diff --git a/gnome-extra/gnome-screensaver/Manifest b/gnome-extra/gnome-screensaver/Manifest
index 0f1f02fb56e6..dd72104c14d4 100644
--- a/gnome-extra/gnome-screensaver/Manifest
+++ b/gnome-extra/gnome-screensaver/Manifest
@@ -2,17 +2,19 @@
Hash: SHA1
AUX gnome-screensaver-2.20.0-fix-gamma.patch 1637 RMD160 1bda5b646edb2b38218c93ac05b6f592e1366bca SHA1 243191a5c59be9badbba440ef364483a83d69fae SHA256 20c5afb7c058e1a4acf308eee466bbf81fb01e2df9a238fc48b0e89384521005
+AUX gnome-screensaver-CVE-2008-0887.patch 7965 RMD160 9eade48b04e5a617ec427258f3e41d5c33ab750f SHA1 392a477755562b032d24928ac6c2100af7d7fca1 SHA256 71e9bb7735fbc373ee2f19f7740ba759c7eeff0e46bd50ab7401f9d6147a1666
AUX xss-conversion-2.txt 1026 RMD160 5a1810d1f41999907ff39adf0e6396d1d6f5c5d7 SHA1 477743e8fd025cff16c1b2ed538a57ce9550a9cf SHA256 f1bcc5e85d45e53e6170d0cdf25dd3d10020aeef545cf2fdea5e3b4b30ec86c8
DIST gnome-screensaver-2.20.0.tar.bz2 2013842 RMD160 ddea3d536366aab572462f4f66c72daabbeeb119 SHA1 0b99de04caf897642338c61edc12cb7cea27e0a4 SHA256 9ee744058d2c7139634543951a62828b2e1b69fe33cf0b5456737e9c5201dbb9
DIST gnome-screensaver-2.22.0.tar.bz2 2038929 RMD160 3bd2884d3d676599c23d630893c448617243b4f9 SHA1 51bad55f043ff17e864a79ba24e1c0f6a80abd6c SHA256 e6d66ad1092babe5b9a1ded2a50464e21206fa42a922ea1de0c688e764e05bfb
EBUILD gnome-screensaver-2.20.0-r2.ebuild 2975 RMD160 7cfec93dc5eb9ee7b125c96fd114b6cbbd24340f SHA1 3a1e8dc73d7545ff875f31cdc837ed9527c4150d SHA256 ff550c8d12af56aaead39dfa95c77ab9bca39af56180bb588fa404a15d1d3791
-EBUILD gnome-screensaver-2.22.0.ebuild 2955 RMD160 2a4583f5ca0d97813324bd155a640e820008c412 SHA1 9298b26c5bb479b284fb159408dca3775634dc8b SHA256 d4e694aba1fbd764d91811ea3bddc80619ea1ebd308e529f73241bb81282d657
-MISC ChangeLog 11337 RMD160 429cbf3c8f451e1a518261cf8df50a93cc942721 SHA1 0e7eb970a07f992e746dbc6704e19cc7300af6bb SHA256 a4fce55ffb333b5e2cbdce5983f09bebaa1f23f7bffb45d7ad58ffa538828bbf
+EBUILD gnome-screensaver-2.20.0-r3.ebuild 3061 RMD160 c14b3f136b530cbe00e538bbd7224c852cd9d8f5 SHA1 f042d815ec907cf24fcd02b35346e9e444dcb43e SHA256 6d3685b37ff8ea77668a44356e57381a100db3db8883c062182fa8734e98a140
+EBUILD gnome-screensaver-2.22.0-r1.ebuild 3082 RMD160 6da07d4f6dda3b76062c2adc10cd0ad41d1bd218 SHA1 ffd6ae9a512045a5e7a5298a49bd05cdb007aba8 SHA256 9eb68484814a06adb1e483a5b4e78f60d292b99b0786c48b85bd97809db216fe
+MISC ChangeLog 11663 RMD160 b7e5d4bc8a48ba9f1ada61ecfffbd5b4ad73dfb3 SHA1 875c3b93ce9d58697ec69c0d713f413b5dd913ef SHA256 00dc99e3349b4775e9e72eddef280aaf1677c8687737330eec7929232144e059
MISC metadata.xml 472 RMD160 3fe1221d0cb389cf1be040c98fa9c40dbf3c07e5 SHA1 18913172dba9d94ca5952b7f8bfb2aa13808bb67 SHA256 e70be8f69acbda81bd1e90c1bd3a57a0b5ccb5fa09c7a6f04427ef888e1872bc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
-iD8DBQFH6rr/oeSe8B0zEfwRAoGqAJ4yjFISdduJ0b5b0HqWMu4TBPcnZwCdHOcv
-tcMozj1vghdlO+R2jfB6VOw=
-=8KOz
+iD8DBQFH85JF1fmVwcYIWAYRAq7PAKC1uq08AhCnR0VPidLLZ+86PBytmACfdKIF
+utOjdVVhdgGP8FD0umAlnuY=
+=YfBH
-----END PGP SIGNATURE-----
diff --git a/gnome-extra/gnome-screensaver/files/gnome-screensaver-CVE-2008-0887.patch b/gnome-extra/gnome-screensaver/files/gnome-screensaver-CVE-2008-0887.patch
new file mode 100644
index 000000000000..e0216529dbcf
--- /dev/null
+++ b/gnome-extra/gnome-screensaver/files/gnome-screensaver-CVE-2008-0887.patch
@@ -0,0 +1,225 @@
+Index: gnome-screensaver/src/gnome-screensaver-dialog.c
+===================================================================
+--- gnome-screensaver/src/gnome-screensaver-dialog.c (revision 1398)
++++ gnome-screensaver/src/gnome-screensaver-dialog.c (working copy)
+@@ -41,6 +41,8 @@
+
+ #include "gs-debug.h"
+
++#define MAX_FAILURES 5
++
+ static gboolean verbose = FALSE;
+ static gboolean show_version = FALSE;
+ static gboolean enable_logout = FALSE;
+@@ -299,8 +301,6 @@ do_auth_check (GSLockPlug *plug)
+ gs_lock_plug_show_message (plug, _("Authentication failed."));
+ }
+
+- g_timeout_add (3000, (GSourceFunc)reset_idle_cb, plug);
+-
+ printf ("NOTICE=AUTH FAILED\n");
+ fflush (stdout);
+
+@@ -325,15 +325,28 @@ response_cb (GSLockPlug *plug,
+ static gboolean
+ auth_check_idle (GSLockPlug *plug)
+ {
+- gboolean res;
++ gboolean res;
++ gboolean again;
++ static guint loop_counter = 0;
+
++ again = TRUE;
+ res = do_auth_check (plug);
+
+ if (res) {
++ again = FALSE;
+ g_idle_add ((GSourceFunc)quit_response_ok, NULL);
++ } else {
++ loop_counter++;
++
++ if (loop_counter < MAX_FAILURES) {
++ g_timeout_add (3000, (GSourceFunc)reset_idle_cb, plug);
++ } else {
++ again = FALSE;
++ gtk_main_quit ();
++ }
+ }
+
+- return !res;
++ return again;
+ }
+
+ static void
+Index: gnome-screensaver/src/setuid.c
+===================================================================
+--- gnome-screensaver/src/setuid.c (revision 1398)
++++ gnome-screensaver/src/setuid.c (working copy)
+@@ -48,7 +48,7 @@ uid_gid_string (uid_t uid,
+ return buf;
+ }
+
+-static int
++static gboolean
+ set_ids_by_number (uid_t uid,
+ gid_t gid,
+ char **message_ret)
+@@ -96,7 +96,7 @@ set_ids_by_number (uid_t uid,
+
+ g_free (reason);
+
+- return 0;
++ return TRUE;
+ } else {
+ char *reason = NULL;
+
+@@ -141,9 +141,9 @@ set_ids_by_number (uid_t uid,
+ g_free (reason);
+ reason = NULL;
+ }
+-
+- return -1;
++ return FALSE;
+ }
++ return FALSE;
+ }
+
+
+@@ -165,12 +165,21 @@ hack_uid (char **nolock_reason,
+ char **orig_uid,
+ char **uid_message)
+ {
+- if (nolock_reason)
++ char *reason;
++ gboolean ret;
++
++ ret = TRUE;
++ reason = NULL;
++
++ if (nolock_reason != NULL) {
+ *nolock_reason = NULL;
+- if (orig_uid)
++ }
++ if (orig_uid != NULL) {
+ *orig_uid = NULL;
+- if (uid_message)
++ }
++ if (uid_message != NULL) {
+ *uid_message = NULL;
++ }
+
+ /* Discard privileges, and set the effective user/group ids to the
+ real user/group ids. That is, give up our "chmod +s" rights.
+@@ -181,12 +190,18 @@ hack_uid (char **nolock_reason,
+ uid_t uid = getuid ();
+ gid_t gid = getgid ();
+
+- if (orig_uid)
++ if (orig_uid != NULL) {
+ *orig_uid = uid_gid_string (euid, egid);
++ }
++
++ if (uid != euid || gid != egid) {
++ if (! set_ids_by_number (uid, gid, uid_message)) {
++ reason = g_strdup ("unable to discard privileges.");
+
+- if (uid != euid || gid != egid)
+- if (set_ids_by_number (uid, gid, uid_message) != 0)
+- return FALSE;
++ ret = FALSE;
++ goto out;
++ }
++ }
+ }
+
+
+@@ -200,81 +215,16 @@ hack_uid (char **nolock_reason,
+ and "USING XDM".
+ */
+ if (getuid () == (uid_t) 0) {
+- if (nolock_reason)
+- *nolock_reason = g_strdup ("running as root");
+- return FALSE;
++ reason = g_strdup ("running as root");
++ ret = FALSE;
++ goto out;
+ }
+
+- /* If we're running as root, switch to a safer user. This is above and
+- beyond the fact that we've disabling locking, above -- the theory is
+- that running graphics demos as root is just always a stupid thing
+- to do, since they have probably never been security reviewed and are
+- more likely to be buggy than just about any other kind of program.
+- (And that assumes non-malicious code. There are also attacks here.)
+-
+- *** WARNING: DO NOT DISABLE THIS CODE!
+- If you do so, you will open a security hole. See the sections
+- of the xscreensaver manual titled "LOCKING AND ROOT LOGINS",
+- and "USING XDM".
+- */
+- if (getuid () == (uid_t) 0) {
+- struct passwd *p;
+-
+- p = getpwnam ("nobody");
+- if (! p) p = getpwnam ("noaccess");
+- if (! p) p = getpwnam ("daemon");
+- if (! p) {
+- g_warning ("running as root, and couldn't find a safer uid.");
+- return FALSE;
+- }
+-
+- if (set_ids_by_number (p->pw_uid, p->pw_gid, uid_message) != 0)
+- return FALSE;
+- }
+-
+-
+- /* If there's anything even remotely funny looking about the passwd struct,
+- or if we're running as some other user from the list below (a
+- non-comprehensive selection of users known to be privileged in some way,
+- and not normal end-users) then disable locking. If it was possible,
+- switching to "nobody" would be the thing to do, but only root itself has
+- the privs to do that.
+-
+- *** WARNING: DO NOT DISABLE THIS CODE!
+- If you do so, you will open a security hole. See the sections
+- of the xscreensaver manual titled "LOCKING AND ROOT LOGINS",
+- and "USING XDM".
+- */
+- {
+- uid_t uid = getuid (); /* get it again */
+- struct passwd *p = getpwuid (uid); /* get it again */
+-
+- if (!p ||
+- uid == (uid_t) 0 ||
+- uid == (uid_t) -1 ||
+- uid == (uid_t) -2 ||
+- p->pw_uid == (uid_t) 0 ||
+- p->pw_uid == (uid_t) -1 ||
+- p->pw_uid == (uid_t) -2 ||
+- !p->pw_name ||
+- !*p->pw_name ||
+- !strcmp (p->pw_name, "root") ||
+- !strcmp (p->pw_name, "nobody") ||
+- !strcmp (p->pw_name, "noaccess") ||
+- !strcmp (p->pw_name, "operator") ||
+- !strcmp (p->pw_name, "daemon") ||
+- !strcmp (p->pw_name, "bin") ||
+- !strcmp (p->pw_name, "adm") ||
+- !strcmp (p->pw_name, "sys") ||
+- !strcmp (p->pw_name, "games")) {
+- if (nolock_reason)
+- *nolock_reason = g_strdup_printf ("running as %s",
+- (p && p->pw_name
+- && *p->pw_name
+- ? p->pw_name : "<unknown>"));
+- return FALSE;
+- }
++ out:
++ if (nolock_reason != NULL) {
++ *nolock_reason = g_strdup (reason);
+ }
++ g_free (reason);
+
+- return TRUE;
++ return ret;
+ }
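Review bot: In the embedded patch's auth_check_idle, the MAX_FAILURES branch calls `gtk_main_quit ()` without any comment on what the caller should conclude from that exit, and a lock dialog that ends after repeated failures must never be read as an unlock. The process that spawns the dialog is not shown here, so I would document the contract at the branch, e.g. `/* too many failed attempts: quit; the caller must keep the session locked */`, and check the dialog's exit path against it. `loop_counter` is a function-local static that is never reset in the visible lines, which appears correct only because the dialog leaves its main loop at the limit; `failed_attempts` would be a clearer name. In hack_uid the getpwuid()-based account checks are dropped with no replacement comment, so a one-line note that the lock decision deliberately no longer depends on a passwd lookup would help keep the check from being reintroduced.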
diff --git a/gnome-extra/gnome-screensaver/gnome-screensaver-2.20.0-r3.ebuild b/gnome-extra/gnome-screensaver/gnome-screensaver-2.20.0-r3.ebuild
new file mode 100644
index 000000000000..2929aab198f1
--- /dev/null
+++ b/gnome-extra/gnome-screensaver/gnome-screensaver-2.20.0-r3.ebuild
@@ -0,0 +1,107 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/gnome-extra/gnome-screensaver/gnome-screensaver-2.20.0-r3.ebuild,v 1.1 2008/04/02 14:03:31 eva Exp $
+
+inherit gnome2 eutils
+
+DESCRIPTION="Replaces xscreensaver, integrating with the desktop."
+HOMEPAGE="http://live.gnome.org/GnomeScreensaver"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 hppa ~ia64 ~ppc ppc64 sparc x86 ~x86-fbsd"
+KERNEL_IUSE="kernel_linux"
+IUSE="debug doc libnotify opengl pam xinerama $KERNEL_IUSE"
+
+RDEPEND=">=gnome-base/gconf-2.6.1
+ >=x11-libs/gtk+-2.11.5
+ >=gnome-base/gnome-vfs-2.12
+ >=gnome-base/libglade-2.5.0
+ >=gnome-base/gnome-menus-2.12
+ >=dev-libs/glib-2.8
+ >=gnome-base/libgnomekbd-0.1
+ >=dev-libs/dbus-glib-0.71
+ libnotify? ( x11-libs/libnotify )
+ opengl? ( virtual/opengl )
+ xinerama? (
+ x11-libs/libXinerama
+ x11-proto/xineramaproto
+ )
+ pam? ( virtual/pam )
+ !pam? ( kernel_linux? ( sys-apps/shadow ) )
+ x11-libs/libX11
+ x11-libs/libXext
+ x11-libs/libXrandr
+ x11-libs/libXScrnSaver"
+DEPEND="${RDEPEND}
+ sys-devel/gettext
+ >=dev-util/pkgconfig-0.9
+ >=dev-util/intltool-0.35
+ doc? (
+ app-text/xmlto
+ ~app-text/docbook-xml-dtd-4.1.2
+ ~app-text/docbook-xml-dtd-4.4
+ )
+ x11-proto/xextproto
+ x11-proto/randrproto
+ x11-proto/scrnsaverproto
+ x11-proto/xf86miscproto"
+
+DOCS="AUTHORS ChangeLog HACKING NEWS README TODO"
+
+pkg_setup() {
+ G2CONF="${G2CONF} \
+ $(use_enable doc docbook-docs) \
+ $(use_enable debug) \
+ $(use_with libnotify) \
+ $(use_with opengl libgl) \
+ $(use_enable pam) \
+ $(use_enable xinerama) \
+ --enable-locking \
+ --with-kbd-layout-indicator \
+ --with-gdm-config=/usr/share/gdm/defaults.conf \
+ --with-xscreensaverdir=/usr/share/xscreensaver/config \
+ --with-xscreensaverhackdir=/usr/lib/misc/xscreensaver"
+}
+
+src_unpack() {
+ gnome2_src_unpack
+ epatch "${FILESDIR}/${P}-fix-gamma.patch"
+
+ # Fix CVE-2008-0887, bug #213940
+ epatch "${FILESDIR}/${PN}-CVE-2008-0887.patch"
+}
+
+src_install() {
+ gnome2_src_install
+
+ # Install the conversion script in the documentation
+ dodoc "${S}"/data/migrate-xscreensaver-config.sh
+ dodoc "${S}"/data/xscreensaver-config.xsl
+
+ # Conversion information
+ sed -e "s:\${PF}:${PF}:" \
+ < "${FILESDIR}"/xss-conversion-2.txt > "${S}"/xss-conversion.txt
+
+ dodoc "${S}"/xss-conversion.txt
+
+ # Non PAM users will need this suid to read the password hashes.
+ # OpenPAM users will probably need this too when
+ # http://bugzilla.gnome.org/show_bug.cgi?id=370847
+ # is fixed.
+ if ! use pam ; then
+ fperms u+s /usr/libexec/gnome-screensaver-dialog
+ fi
+}
+
+pkg_postinst() {
+ gnome2_pkg_postinst
+
+ ewarn "If you have xscreensaver installed, you probably want to disable it."
+ ewarn "To prevent a duplicate Screensaver entry in the menu, you need to"
+ ewarn "build xscreensaver with -gnome in the USE flags."
+ ewarn "echo \"x11-misc/xscreensaver -gnome\" >> /etc/portage/package.use"
+ echo
+ elog "Information for converting screensavers is located in "
+ elog "/usr/share/doc/${PF}/xss-conversion.txt.${PORTAGE_COMPRESS}"
+}
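Review bot: The `! use pam` branch of src_install marks /usr/libexec/gnome-screensaver-dialog setuid with `fperms u+s`, and its comment explains why the bit is needed but not what the binary is expected to do with it. Since this revision exists to carry the setuid.c changes, I would extend the comment with something like `# setuid: relies on the privilege drop in src/setuid.c (patched for CVE-2008-0887)`, assuming the dialog is the program that runs that code. Separately, the last elog in pkg_postinst builds the file name from `${PORTAGE_COMPRESS}`; if that variable holds the compressor command rather than a suffix, the path shown to the user will not exist.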
diff --git a/gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0.ebuild b/gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0-r1.ebuild
index dd80b2cbf0d5..d96aab99d398 100644
--- a/gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0.ebuild
+++ b/gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0-r1.ebuild
@@ -1,8 +1,8 @@
# Copyright 1999-2008 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0.ebuild,v 1.2 2008/03/26 21:03:07 cardoe Exp $
+# $Header: /var/cvsroot/gentoo-x86/gnome-extra/gnome-screensaver/gnome-screensaver-2.22.0-r1.ebuild,v 1.1 2008/04/02 14:03:31 eva Exp $
-inherit gnome2
+inherit eutils gnome2
DESCRIPTION="Replaces xscreensaver, integrating with the desktop."
HOMEPAGE="http://live.gnome.org/GnomeScreensaver"
@@ -64,6 +64,13 @@ pkg_setup() {
--with-xscreensaverhackdir=/usr/lib/misc/xscreensaver"
}
+src_unpack() {
+ gnome2_src_unpack
+
+ # Fix CVE-2008-0887, bug #213940
+ epatch "${FILESDIR}/${PN}-CVE-2008-0887.patch"
+}
+
src_install() {
gnome2_src_install