Accepting request 679725 from GNOME:Next

- Update to version 3.30.3: + Screen lock bypass fix (when timed login is enabled) (CVE-2019-3825). + Updated translations. - Drop gdm-CVE-2019-3825.patch: Fixed upstream. OBS-URL: https://build.opensuse.org/request/show/679725 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdm?expand=0&rev=421
2019-02-27 18:07:10 +00:00 · 2019-02-27 18:07:10 +00:00 · 9727033cc5
commit 9727033cc5
parent 9ef4de6111
5 changed files with 14 additions and 54 deletions
--- a/gdm-3.30.2.tar.xz
+++ b/gdm-3.30.2.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:be90ede158fd5d2ff0b97db617ffd77c1033964824cb04fcfac0865c8c6f56c1
-size 1258688
--- a/gdm-3.30.3.tar.xz
+++ b/gdm-3.30.3.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5301fc76e92124a13e123af8eb04af089a249d0200ad8df07a7996f3cfa7c795
+size 1261224
--- a/gdm-CVE-2019-3825.patch
+++ b/gdm-CVE-2019-3825.patch
@ -1,47 +0,0 @@
-From 92c2a577063f538ce0e44b5cabeb348dab957edf Mon Sep 17 00:00:00 2001
-From: Iain Lane <iainl@gnome.org>
-Date: Mon, 4 Feb 2019 15:12:38 +0000
-Subject: [PATCH] GdmManager: Don't perform timed login if session gets started
-
-At the moment it's possible for the login screen to initiate
-a timed login operation shortly after a user successfully starts
-their session.
-
-GDM won't complete the timed login operation, since a session is
-already running, but will erroneously overwrite the username
-associated with the session, misattributing the users session
-to the timed login user.
-
-Later, attempts to log in as the timed user will instead unlock the
-session for the other user, since that session is now associated
-with the timed login user.
-
-This commit refuses timed login requests on sessions that are
-already running, so the username doesn't get corrupted.
-
-CVE-2019-3825
-
-Closes https://gitlab.gnome.org/GNOME/gdm/issues/460
---
- daemon/gdm-manager.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-Index: b/daemon/gdm-manager.c
-===================================================================
--- a/daemon/gdm-manager.c	2019-02-12 18:40:48.937263065 +0800
-+++ b/daemon/gdm-manager.c	2019-02-12 18:41:11.869403958 +0800
-@@ -2051,6 +2051,14 @@ on_session_client_connected (GdmSession
- 
-         g_debug ("GdmManager: client connected");
- 
-+        if (gdm_session_is_running (session)) {
-+                const char *session_username;
-+                session_username = gdm_session_get_username (session);
-+                g_debug ("GdmManager: ignoring connection, since session already running (for user %s)",
-+                         session_username);
-+                return;
-+        }
-+
-         display = get_display_for_user_session (session);
- 
-         if (display == NULL) {
--- a/gdm.changes
+++ b/gdm.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Feb 27 06:21:03 UTC 2019 - bjorn.lie@gmail.com
+
+- Update to version 3.30.3:
+  + Screen lock bypass fix (when timed login is enabled)
+    (CVE-2019-3825).
+  + Updated translations.
+- Drop gdm-CVE-2019-3825.patch: Fixed upstream.
+
 -------------------------------------------------------------------
 Wed Feb 20 07:10:14 UTC 2019 - xwang@suse.com

--- a/gdm.spec
+++ b/gdm.spec
@ -21,13 +21,14 @@
 %define enable_split_authentication 0

 Name:           gdm
-Version:        3.30.2
+Version:        3.30.3
 Release:        0
 Summary:        The GNOME Display Manager
 License:        GPL-2.0-or-later
 Group:          System/GUI/GNOME
 URL:            https://wiki.gnome.org/Projects/GDM
 Source0:        https://download.gnome.org/sources/gdm/3.30/%{name}-%{version}.tar.xz
+
 Source1:        gdm.pamd
 Source2:        gdm-autologin.pamd
 Source3:        gdm-launch-environment.pamd
@ -57,8 +58,6 @@ Patch7:         gdm-fails-to-restart-gnome-shell.patch
 Patch8:         gdm-add-runtime-option-to-disable-starting-X-server-as-u.patch
 # PATCH-FIX-UPSTREAM gdm-ignore-duplicate-desktop-file.patch bsc#1112834 glgo#GNOME/gdm#437 qzheng@suse.com -- Ignore duplicate desktop file with same "Name".
 Patch9:         gdm-ignore-duplicate-desktop-file.patch
-# PATCH-FIX-UPSTREAM gdm-CVE-2019-3825.patch boo#1124628 glgo#GNOME/gdm#460 fezhang@suse.com -- Fix lock screen bypass when timed login is enabled
-Patch10:        gdm-CVE-2019-3825.patch
 # PATCH-FIX-UPSTREAM gdm-kill-user-session.patch bsc#1112294 glgo#GNOME/gdm#400 xwang@suse.com -- Kill all sessions when stopping gdm service
 Patch11:        gdm-kill-user-session.patch
 
@ -204,7 +203,6 @@ cp %{SOURCE8} .
 %patch7 -p1
 #patch8 -p1
 %patch9 -p1
-%patch10 -p1
 %patch11 -p1

 # TODO: Hack still needed until https://gitlab.gnome.org/GNOME/gdm/issues/424 gets fixed and released.