From c3156c7a75684fb8a09eb0cb1a22955bc0863ad1 Mon Sep 17 00:00:00 2001 From: Lorenzo Villani Date: Dec 22 2009 00:09:37 +0000 Subject: - Fix CVE-2009-1756 (bugzilla: 544024) - Fix MIT insecure cookie generation (patch from Debian) - Fix build with GCC 4.4 --- diff --git a/slim-1.3.1-CVE-2009-1756.patch b/slim-1.3.1-CVE-2009-1756.patch new file mode 100644 index 0000000..742418b --- /dev/null +++ b/slim-1.3.1-CVE-2009-1756.patch 
@@ -0,0 +1,175 @@ +Index: slim-1.3.1/Makefile +=================================================================== +--- slim-1.3.1.orig/Makefile ++++ slim-1.3.1/Makefile +@@ -8,7 +8,7 @@ CC=/usr/bin/gcc + OPTFLAGS=-O2 -g -Wall + CFLAGS=$(OPTFLAGS) -I. -I/usr/include/freetype2 -I/usr/include/freetype2/config -I/usr/include/libpng12 -I/usr/include + CXXFLAGS=$(CFLAGS) +-LDFLAGS=-lXft -lX11 -lfreetype -lXrender -lfontconfig -lpng12 -lz -lm -lcrypt -lXmu -lpng -ljpeg ++LDFLAGS=-lXft -lX11 -lfreetype -lXrender -lfontconfig -lpng12 -lz -lm -lcrypt -lXmu -lpng -ljpeg -lrt + CUSTOM=-DHAVE_SHADOW + ifdef USE_PAM + LDFLAGS+= -lpam +@@ -26,7 +26,8 @@ VERSION=1.3.1 + DEFINES=-DPACKAGE=\"$(NAME)\" -DVERSION=\"$(VERSION)\" \ + -DPKGDATADIR=\"$(PREFIX)/share/slim\" -DSYSCONFDIR=\"$(CFGDIR)\" + +-OBJECTS=jpeg.o png.o main.o image.o numlock.o cfg.o switchuser.o app.o panel.o ++OBJECTS=jpeg.o png.o main.o image.o numlock.o cfg.o switchuser.o app.o \ ++ panel.o util.o + ifdef USE_PAM + OBJECTS+=PAM.o + endif +Index: slim-1.3.1/Makefile.freebsd +=================================================================== +--- slim-1.3.1.orig/Makefile.freebsd ++++ slim-1.3.1/Makefile.freebsd +@@ -24,7 +24,8 @@ VERSION=1.3.1 + DEFINES=-DPACKAGE=\"$(NAME)\" -DVERSION=\"$(VERSION)\" \ + -DPKGDATADIR=\"$(PREFIX)/share/slim\" -DSYSCONFDIR=\"$(CFGDIR)\" + +-OBJECTS=jpeg.o png.o main.o image.o numlock.o cfg.o switchuser.o app.o panel.o ++OBJECTS=jpeg.o png.o main.o image.o numlock.o cfg.o switchuser.o app.o \ ++ panel.o util.o + .ifdef USE_PAM + OBJECTS+=PAM.o + .endif +Index: slim-1.3.1/Makefile.netbsd +=================================================================== +--- slim-1.3.1.orig/Makefile.netbsd ++++ slim-1.3.1/Makefile.netbsd +@@ -24,7 +24,8 @@ VERSION=1.3.1 + DEFINES=-DPACKAGE=\"$(NAME)\" -DVERSION=\"$(VERSION)\" \ + -DPKGDATADIR=\"$(PREFIX)/share/slim\" -DSYSCONFDIR=\"$(CFGDIR)\" + +-OBJECTS=jpeg.o png.o main.o image.o numlock.o cfg.o switchuser.o app.o panel.o ++OBJECTS=jpeg.o png.o 
main.o image.o numlock.o cfg.o switchuser.o app.o \ ++ panel.o util.o + .ifdef USE_PAM + OBJECTS+=PAM.o + .endif +Index: slim-1.3.1/Makefile.openbsd +=================================================================== +--- slim-1.3.1.orig/Makefile.openbsd ++++ slim-1.3.1/Makefile.openbsd +@@ -20,7 +20,8 @@ VERSION=1.3.1 + DEFINES=-DPACKAGE=\"$(NAME)\" -DVERSION=\"$(VERSION)\" \ + -DPKGDATADIR=\"$(PREFIX)/share/slim\" -DSYSCONFDIR=\"$(CFGDIR)\" + +-OBJECTS=jpeg.o png.o main.o image.o numlock.o cfg.o switchuser.o app.o panel.o ++OBJECTS=jpeg.o png.o main.o image.o numlock.o cfg.o switchuser.o app.o \ ++ util.o panel.o + + .SUFFIXES: .c.o .cpp.o + +Index: slim-1.3.1/app.cpp +=================================================================== +--- slim-1.3.1.orig/app.cpp ++++ slim-1.3.1/app.cpp +@@ -24,6 +24,7 @@ + #include + #include "app.h" + #include "numlock.h" ++#include "util.h" + + + #ifdef HAVE_SHADOW +@@ -1185,8 +1186,8 @@ void App::CreateServerAuth() { + authfile = cfg->getOption("authfile"); + remove(authfile.c_str()); + putenv(StrConcat("XAUTHORITY=", authfile.c_str())); +- cmd = cfg->getOption("xauth_path") + " -q -f " + authfile + " add :0 . " + mcookie; +- system(cmd.c_str()); ++ Util::add_mcookie(mcookie, ":0", cfg->getOption("xauth_path"), ++ authfile); + } + + char* App::StrConcat(const char* str1, const char* str2) { +Index: slim-1.3.1/switchuser.cpp +=================================================================== +--- slim-1.3.1.orig/switchuser.cpp ++++ slim-1.3.1/switchuser.cpp +@@ -10,6 +10,7 @@ + */ + + #include "switchuser.h" ++#include "util.h" + + using namespace std; + +@@ -53,10 +54,10 @@ void SwitchUser::Execute(const char* cmd + } + + void SwitchUser::SetClientAuth(const char* mcookie) { +- int r; ++ bool r; + string home = string(Pw->pw_dir); + string authfile = home + "/.Xauthority"; + remove(authfile.c_str()); +- string cmd = cfg->getOption("xauth_path") + " -q -f " + authfile + " add :0 . 
" + mcookie; +- r = system(cmd.c_str()); ++ r = Util::add_mcookie(mcookie, ":0", cfg->getOption("xauth_path"), ++ authfile); + } +Index: slim-1.3.1/util.cpp +=================================================================== +--- /dev/null ++++ slim-1.3.1/util.cpp +@@ -0,0 +1,32 @@ ++/* SLiM - Simple Login Manager ++ Copyright (C) 2009 Eygene Ryabinkin ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 2 of the License, or ++ (at your option) any later version. ++*/ ++ ++#include ++#include "util.h" ++ ++/* ++ * Adds the given cookie to the specified Xauthority file. ++ * Returns true on success, false on fault. ++ */ ++bool Util::add_mcookie(const std::string &mcookie, const char *display, ++ const std::string &xauth_cmd, const std::string &authfile) ++{ ++ FILE *fp; ++ std::string cmd = xauth_cmd + " -f " + authfile + " -q"; ++ ++ fp = popen(cmd.c_str(), "w"); ++ if (!fp) ++ return false; ++ fprintf(fp, "remove %s\n", display); ++ fprintf(fp, "add %s %s %s\n", display, ".", mcookie.c_str()); ++ fprintf(fp, "exit\n"); ++ ++ pclose(fp); ++ return true; ++} +Index: slim-1.3.1/util.h +=================================================================== +--- /dev/null ++++ slim-1.3.1/util.h +@@ -0,0 +1,19 @@ ++/* SLiM - Simple Login Manager ++ Copyright (C) 2009 Eygene Ryabinkin ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 2 of the License, or ++ (at your option) any later version. ++*/ ++#ifndef __UTIL_H__ ++#define __UTIL_H__ ++ ++#include ++ ++namespace Util { ++ bool add_mcookie(const std::string &mcookie, const char *display, ++ const std::string &xauth_cmd, const std::string &authfile); ++}; ++ ++#endif /* __UTIL_H__ */ 
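Review bot: `Util::add_mcookie` in the new util.cpp returns true without confirming that xauth stored the cookie: the results of the three `fprintf` calls and of `pclose(fp)` are discarded, so a missing xauth binary or an unwritable authority file is reported as success. The return value should reflect the child's exit status, for example `return pclose(fp) == 0;`. The command line is also still built by string concatenation and handed to the shell by `popen`, and in `SwitchUser::SetClientAuth` the `authfile` comes from `Pw->pw_dir`, so a path containing spaces or shell metacharacters does not reach xauth intact; quoting the path, or spawning xauth with an argument vector and a pipe, would close that. Both callers ignore the result as well: `SetClientAuth` assigns it to `r` and never reads it, and `App::CreateServerAuth` drops it.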
diff --git a/slim-1.3.1-fix-insecure-mcookie-generation.patch b/slim-1.3.1-fix-insecure-mcookie-generation.patch
new file mode 100644
index 0000000..8a7af25
--- /dev/null
+++ b/slim-1.3.1-fix-insecure-mcookie-generation.patch
@@ -0,0 +1,175 @@ +Index: slim-1.3.1/app.cpp +=================================================================== +--- slim-1.3.1.orig/app.cpp ++++ slim-1.3.1/app.cpp +@@ -129,15 +129,18 @@ void User1Signal(int sig) { + + + #ifdef USE_PAM +-App::App(int argc, char** argv): +- pam(conv, static_cast(&LoginPanel)){ ++App::App(int argc, char** argv) ++ : pam(conv, static_cast(&LoginPanel)), + #else +-App::App(int argc, char** argv){ ++App::App(int argc, char** argv) ++ : + #endif ++ mcookiesize(32)// Must be divisible by 4 ++{ + int tmp; + ServerPID = -1; + testing = false; +- mcookie = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; ++ mcookie = string(App::mcookiesize, 'a'); + daemonmode = false; + force_nodaemon = false; + firstlogin = true; +@@ -1128,13 +1131,13 @@ string App::findValidRandomTheme(const s + name = name.substr(0, name.length() - 1); + } + +- srandom(getpid()+time(NULL)); ++ Util::srandom(Util::makeseed()); + + vector themes; + string themefile; + Cfg::split(themes, name, ','); + do { +- int sel = random() % themes.size(); ++ int sel = Util::random() % themes.size(); + + name = Cfg::Trim(themes[sel]); + themefile = string(THEMESDIR) +"/" + name + THEMESFILE; +@@ -1161,27 +1164,27 @@ void App::replaceVariables(string& input + } + + ++/* ++ * We rely on the fact that all bits generated by Util::random() ++ * are usable, so we are taking full words from its output. 
++ */ + void App::CreateServerAuth() { + /* create mit cookie */ +- int i, r; +- int hexcount = 0; +- string authfile; +- string cmd; ++ uint16_t word; ++ uint8_t hi, lo; ++ int i; ++ string authfile; + const char *digits = "0123456789abcdef"; +- srand( time(NULL) ); +- for ( i = 0; i < 31; i++ ) { +- r = rand()%16; +- mcookie[i] = digits[r]; +- if (r>9) +- hexcount++; +- } +- /* MIT-COOKIE: even occurrences of digits and hex digits */ +- if ((hexcount%2) == 0) { +- r = rand()%10; +- } else { +- r = rand()%5+10; +- } +- mcookie[31] = digits[r]; ++ Util::srandom(Util::makeseed()); ++ for (i = 0; i < App::mcookiesize; i+=4) { ++ word = Util::random() & 0xffff; ++ lo = word & 0xff; ++ hi = word >> 8; ++ mcookie[i] = digits[lo & 0x0f]; ++ mcookie[i+1] = digits[lo >> 4]; ++ mcookie[i+2] = digits[hi & 0x0f]; ++ mcookie[i+3] = digits[hi >> 4]; ++ } + /* reinitialize auth file */ + authfile = cfg->getOption("authfile"); + remove(authfile.c_str()); +Index: slim-1.3.1/app.h +=================================================================== +--- slim-1.3.1.orig/app.h ++++ slim-1.3.1/app.h +@@ -101,6 +101,8 @@ private: + + std::string themeName; + std::string mcookie; ++ ++ const int mcookiesize; + }; + + +Index: slim-1.3.1/util.cpp +=================================================================== +--- slim-1.3.1.orig/util.cpp ++++ slim-1.3.1/util.cpp +@@ -7,7 +7,13 @@ + (at your option) any later version. + */ + ++#include ++ + #include ++#include ++#include ++#include ++ + #include "util.h" + + /* +@@ -30,3 +36,34 @@ bool Util::add_mcookie(const std::string + pclose(fp); + return true; + } ++ ++/* ++ * Interface for random number generator. Just now it uses ordinary ++ * random/srandom routines and serves as a wrapper for them. 
++ */ ++void Util::srandom(unsigned long seed) ++{ ++::srandom(seed); ++} ++ ++long Util::random(void) ++{ ++return ::random(); ++} ++ ++/* ++ * Makes seed for the srandom() using "random" values obtained from ++ * getpid(), time(NULL) and others. ++ */ ++long Util::makeseed(void) ++{ ++struct timespec ts; ++long pid = getpid(); ++long tm = time(NULL); ++ ++if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0) { ++ts.tv_sec = ts.tv_nsec = 0; ++} ++ ++return pid + tm + (ts.tv_sec ^ ts.tv_nsec); ++} +Index: slim-1.3.1/util.h +=================================================================== +--- slim-1.3.1.orig/util.h ++++ slim-1.3.1/util.h +@@ -12,8 +12,13 @@ + #include + + namespace Util { +- bool add_mcookie(const std::string &mcookie, const char *display, +- const std::string &xauth_cmd, const std::string &authfile); ++ bool add_mcookie(const std::string &mcookie, const char *display, ++ const std::string &xauth_cmd, const std::string &authfile); ++ ++ void srandom(unsigned long seed); ++ long random(void); ++ ++ long makeseed(void); + }; + + #endif /* __UTIL_H__ */ diff --git a/slim-1.3.1-gcc44.patch b/slim-1.3.1-gcc44.patch new file mode 100644 index 0000000..e6389fa --- /dev/null +++ b/slim-1.3.1-gcc44.patch @@ -0,0 +1,12 @@ +Index: slim-1.3.1/app.cpp +=================================================================== +--- slim-1.3.1.orig/app.cpp ++++ slim-1.3.1/app.cpp +@@ -12,6 +12,7 @@ + + #include + #include ++#include + #include + #include + #include diff --git a/slim.spec b/slim.spec index d900b05..f38268c 100644 --- a/slim.spec +++ b/slim.spec @@ -1,6 +1,6 @@ Name: slim Version: 1.3.1 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Simple Login Manager Group: User Interface/X 
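Review bot: The cookie built in `App::CreateServerAuth` is still drawn from `random()`, which is not a cryptographic generator, and `Util::makeseed()` seeds it from the pid, the wall-clock time and the monotonic clock, all values a local user can observe or narrow down. The MIT cookie is the secret that authorises clients to the X display, so it should be read from the kernel's random source instead of a seeded PRNG, and start-up should fail if that source cannot be read. `Util::srandom` also takes `unsigned long` and forwards it to `::srandom`, whose parameter is `unsigned int`, so the upper seed bits are dropped on 64-bit builds. The body of `CreateServerAuth` continues past the hunk; the fence below shows only the cookie generation.

```cpp
void App::CreateServerAuth() {
    /* create mit cookie */
    const char *digits = "0123456789abcdef";
    std::vector<unsigned char> raw(App::mcookiesize / 2);
    FILE *rnd = fopen("/dev/urandom", "rb");
    size_t got = rnd ? fread(&raw[0], 1, raw.size(), rnd) : 0;
    if (rnd)
        fclose(rnd);
    if (got != raw.size()) {
        /* never fall back to a guessable cookie */
        // … report the error and stop, following the file's existing error path …
    }
    for (size_t i = 0; i < raw.size(); i++) {
        mcookie[2*i]   = digits[raw[i] >> 4];
        mcookie[2*i+1] = digits[raw[i] & 0x0f];
    }
    // … unchanged: reinitialize auth file, putenv, Util::add_mcookie call …
```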
@@ -15,13 +15,18 @@ Source3: slim-fedora.txt BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) # TODO: Post these patches to upstream BTS -Patch0: slim-1.3.1-make.patch -Patch1: slim-1.3.1-usexwd.patch -Patch2: slim-1.3.1-fedora.patch -Patch3: slim-1.3.1-strtol.patch -Patch4: slim-1.3.1-remove.patch -Patch5: slim-1.3.1-curdir.patch -Patch6: slim-1.3.1-selinux.patch +Patch0: slim-1.3.1-make.patch +Patch1: slim-1.3.1-usexwd.patch +Patch2: slim-1.3.1-fedora.patch +Patch3: slim-1.3.1-strtol.patch +Patch4: slim-1.3.1-remove.patch +Patch5: slim-1.3.1-curdir.patch +Patch6: slim-1.3.1-selinux.patch +# This is from Debian, I just added -lrt to LDFLAGS +Patch7: slim-1.3.1-CVE-2009-1756.patch +# This one is from Debian, too +Patch8: slim-1.3.1-fix-insecure-mcookie-generation.patch +Patch9: slim-1.3.1-gcc44.patch BuildRequires: libXmu-devel libXft-devel libXrender-devel BuildRequires: libpng-devel libjpeg-devel freetype-devel fontconfig-devel @@ -43,7 +48,7 @@ desktop environments. SLiM is based on latest stable release of Login.app by Per Lidén. In the distribution, slim may be called through a wrapper, slim-dynwm, -which determines the available window managers using the freedesktop +which determines the available window managers using the freedesktop information and modifies the slim configuration file accordingly, before launching slim. @@ -56,6 +61,9 @@ before launching slim. %patch4 -p1 -b .gcc44 %patch5 -p1 -b .curdir %patch6 -p1 -b .selinux +%patch7 -p1 -b .CVE-2009-1756 +%patch8 -p1 -b .mcookie +%patch9 -p1 -b .gcc44again cp -p %{SOURCE3} README.Fedora %build @@ -107,6 +115,11 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Tue Dec 22 2009 Lorenzo Villani - 1.3.1-9 +- Fix CVE-2009-1756 (bugzilla: 544024) +- Fix MIT insecure cookie generation (patch from Debian) +- Fix build with GCC 4.4 + * Sat Oct 10 2009 Lorenzo Villani - 1.3.1-8 - Fix BZ #518068