From e3c1324520374aedbace4fc3faabfbf054f364c21063534a4a752418c80a94da Mon Sep 17 00:00:00 2001 From: Fabian Vogt Date: Sat, 5 May 2018 11:19:35 +0000 Subject: [PATCH] - Add patch to address regression introduced by previous fixes: * 0001-Avoid-giving-an-stderr-to-kwallet.patch OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=77 --- 0001-Avoid-giving-an-stderr-to-kwallet.patch | 54 ++++++++++++++++++++ pam_kwallet.changes | 6 +++ pam_kwallet.spec | 2 + 3 files changed, 62 insertions(+) create mode 100644 0001-Avoid-giving-an-stderr-to-kwallet.patch diff --git a/0001-Avoid-giving-an-stderr-to-kwallet.patch b/0001-Avoid-giving-an-stderr-to-kwallet.patch new file mode 100644 index 0000000..cd12ff0 --- /dev/null +++ b/0001-Avoid-giving-an-stderr-to-kwallet.patch @@ -0,0 +1,54 @@ +From 8da1a47035fc92bc1496059583772bc4bd6e8ba6 Mon Sep 17 00:00:00 2001 +From: Maximiliano Curia +Date: Fri, 4 May 2018 22:06:06 +0200 +Subject: [PATCH] Avoid giving an stderr to kwallet + +Summary: +The fixes for CVE-2018-10380 introduced a regression for most users not +using kde, and some for kde sessions. In particular the reorder of the +close calls and creating a new socket caused that the socket is always +assigned the file descriptor 2, aka stderr. + +BUG: 393856 + +Test Plan: It works + +Reviewers: #plasma, aacid + +Reviewed By: aacid + +Subscribers: asturmlechner, rdieter, davidedmundson, plasma-devel + +Tags: #plasma + +Differential Revision: https://phabricator.kde.org/D12702 +--- + pam_kwallet.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/pam_kwallet.c b/pam_kwallet.c +index b9c984a..661ed8d 100644 +--- a/pam_kwallet.c ++++ b/pam_kwallet.c +@@ -375,7 +375,8 @@ static int drop_privileges(struct passwd *userInfo) + static void execute_kwallet(pam_handle_t *pamh, struct passwd *userInfo, int toWalletPipe[2], char *fullSocket) + { + //In the child pam_syslog does not work, using syslog directly +- int x = 2; ++ //keep stderr open so socket doesn't returns us that fd ++ int x = 3; + //Close fd that are not of interest of kwallet + for (; x < 64; ++x) { + if (x != toWalletPipe[0]) { +@@ -424,6 +425,8 @@ static void execute_kwallet(pam_handle_t *pamh, struct passwd *userInfo, int toW + pam_syslog(pamh, LOG_INFO, "%s-kwalletd: Couldn't listen in socket\n", logPrefix); + return; + } ++ //finally close stderr ++ close(2); + + // Fork twice to daemonize kwallet + setsid(); +-- +2.16.2 + diff --git a/pam_kwallet.changes b/pam_kwallet.changes index 93ce535..9ce757e 100644 --- a/pam_kwallet.changes +++ b/pam_kwallet.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Sat May 5 11:17:50 UTC 2018 - fabian@ritter-vogt.de + +- Add patch to address regression introduced by previous fixes: + * 0001-Avoid-giving-an-stderr-to-kwallet.patch + ------------------------------------------------------------------- Thu May 3 14:57:51 UTC 2018 - fabian@ritter-vogt.de diff --git a/pam_kwallet.spec b/pam_kwallet.spec index c8990ba..274259a 100644 --- a/pam_kwallet.spec +++ b/pam_kwallet.spec @@ -29,6 +29,8 @@ Source1: baselibs.conf Patch1: 0001-Move-salt-creation-to-an-unprivileged-process.patch # PATCH-FIX-UPSTREAM Patch2: 0002-Move-socket-creation-to-unprivileged-codepath.patch +# PATCH-FIX-UPSTREAM +Patch3: 0001-Avoid-giving-an-stderr-to-kwallet.patch BuildRequires: extra-cmake-modules >= 1.2.0 BuildRequires: kf5-filesystem BuildRequires: libgcrypt-devel >= 1.5.0