forked from pool/fcitx
Accepting request 1105876 from M17N
OBS-URL: https://build.opensuse.org/request/show/1105876 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fcitx?expand=0&rev=69
This commit is contained in:
commit
50d279147c
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Aug 24 09:38:18 UTC 2023 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||||||
|
|
||||||
|
- add remote-module-use-safe-directory-for-socket-API-sock.patch: use a safe
|
||||||
|
directory for the fcitx-socket:%d API socket currently placed in /tmp. This
|
||||||
|
avoids a possible local denial of service issue (bsc#1213331).
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Aug 17 20:03:29 UTC 2022 - Dirk Müller <dmueller@suse.com>
|
Wed Aug 17 20:03:29 UTC 2022 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package fcitx
|
# spec file for package fcitx
|
||||||
#
|
#
|
||||||
# Copyright (c) 2022 SUSE LLC
|
# Copyright (c) 2023 SUSE LLC
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -40,6 +40,7 @@ Source100: https://download.fcitx-im.org/fcitx/%{name}-%{version}_dict.tar.
|
|||||||
Patch2: fcitx-autostart-check-INPUT_METHOD.patch
|
Patch2: fcitx-autostart-check-INPUT_METHOD.patch
|
||||||
# PATCH-FIX-OPENSUSE downgrade cmake requirement to 3.1 again
|
# PATCH-FIX-OPENSUSE downgrade cmake requirement to 3.1 again
|
||||||
Patch3: fcitx-cmake-3.1.patch
|
Patch3: fcitx-cmake-3.1.patch
|
||||||
|
Patch4: remote-module-use-safe-directory-for-socket-API-sock.patch
|
||||||
BuildRequires: cairo-devel
|
BuildRequires: cairo-devel
|
||||||
BuildRequires: cmake
|
BuildRequires: cmake
|
||||||
BuildRequires: dbus-1-devel
|
BuildRequires: dbus-1-devel
|
||||||
@ -337,6 +338,7 @@ You can either use this package for download from kde-look.org using knewstaff i
|
|||||||
%setup -q
|
%setup -q
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
|
%patch4 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
mkdir build
|
mkdir build
|
||||||
|
111
remote-module-use-safe-directory-for-socket-API-sock.patch
Normal file
111
remote-module-use-safe-directory-for-socket-API-sock.patch
Normal file
@ -0,0 +1,111 @@
|
|||||||
|
From 27208dc130124d650c94c3579bd7eea072f90d3b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matthias Gerstner <matthias.gerstner@suse.de>
|
||||||
|
Date: Thu, 24 Aug 2023 11:12:25 +0200
|
||||||
|
Subject: [PATCH] remote module: use safe directory for socket API socket
|
||||||
|
|
||||||
|
Placing this into /tmp opens a local DoS attack vector, allowing other
|
||||||
|
uses to pre-create this path and thereby making it impossible for fctx
|
||||||
|
to start.
|
||||||
|
|
||||||
|
Use a safe directory in $XDG_RUNTIME_DIR or $HOME, instead.
|
||||||
|
---
|
||||||
|
src/module/remote/remote.c | 7 +++++--
|
||||||
|
src/module/remote/remote.h | 31 +++++++++++++++++++++++++++++++
|
||||||
|
tools/cli/fcitx-remote.c | 4 ++--
|
||||||
|
3 files changed, 38 insertions(+), 4 deletions(-)
|
||||||
|
create mode 100644 src/module/remote/remote.h
|
||||||
|
|
||||||
|
diff --git a/src/module/remote/remote.c b/src/module/remote/remote.c
|
||||||
|
index eda44972..486b405b 100644
|
||||||
|
--- a/src/module/remote/remote.c
|
||||||
|
+++ b/src/module/remote/remote.c
|
||||||
|
@@ -36,6 +36,7 @@
|
||||||
|
#include "fcitx/frontend.h"
|
||||||
|
#include "fcitx/instance.h"
|
||||||
|
#include "fcitx-utils/utils.h"
|
||||||
|
+#include "module/remote/remote.h"
|
||||||
|
|
||||||
|
#define MAX_IMNAME_LEN 30
|
||||||
|
|
||||||
|
@@ -63,8 +64,10 @@ void* RemoteCreate(FcitxInstance* instance)
|
||||||
|
FcitxRemote* remote = fcitx_utils_malloc0(sizeof(FcitxRemote));
|
||||||
|
remote->owner = instance;
|
||||||
|
|
||||||
|
- char *socketfile;
|
||||||
|
- asprintf(&socketfile, "/tmp/fcitx-socket-:%d", fcitx_utils_get_display_number());
|
||||||
|
+ const char *socketfile = GetRemoteSocketPath(fcitx_utils_get_display_number());
|
||||||
|
+ if (!socketfile)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
remote->socket_fd = CreateSocket(socketfile);
|
||||||
|
if (remote->socket_fd < 0) {
|
||||||
|
FcitxLog(ERROR, _("Can't open socket %s: %s"), socketfile, strerror(errno));
|
||||||
|
diff --git a/src/module/remote/remote.h b/src/module/remote/remote.h
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..ee52c980
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/module/remote/remote.h
|
||||||
|
@@ -0,0 +1,31 @@
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+
|
||||||
|
+// returns a safe path name for a socket to use in the remote module and
|
||||||
|
+// remote utility.
|
||||||
|
+// if no safe directory can be determined this returns NULL and no remote
|
||||||
|
+// socket must be setup
|
||||||
|
+// otherwise a malloc'd string is returned that needs to be free()'d by the
|
||||||
|
+// caller when it isn't needed any longer.
|
||||||
|
+static inline const char* GetRemoteSocketPath(int display_nr)
|
||||||
|
+{
|
||||||
|
+ const char *hidden = "";
|
||||||
|
+ const char *dir = getenv("XDG_RUNTIME_DIR");
|
||||||
|
+ if (!dir) {
|
||||||
|
+ dir = getenv("HOME");
|
||||||
|
+ // if it is placed in the home directory then add a "." prefix to the
|
||||||
|
+ // basename to make it hidden
|
||||||
|
+ hidden = ".";
|
||||||
|
+ }
|
||||||
|
+ if (!dir) {
|
||||||
|
+ // no safe directory found
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ char *path = NULL;
|
||||||
|
+
|
||||||
|
+ if (asprintf(&path, "%s/%sfcitx-socket-:%d", dir, hidden, fcitx_utils_get_display_number()) < 0)
|
||||||
|
+ // formatting error
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ return path;
|
||||||
|
+}
|
||||||
|
diff --git a/tools/cli/fcitx-remote.c b/tools/cli/fcitx-remote.c
|
||||||
|
index 5e06ea76..80677100 100644
|
||||||
|
--- a/tools/cli/fcitx-remote.c
|
||||||
|
+++ b/tools/cli/fcitx-remote.c
|
||||||
|
@@ -36,6 +36,7 @@
|
||||||
|
#include <limits.h>
|
||||||
|
#include "fcitx/frontend.h"
|
||||||
|
#include "fcitx-utils/utils.h"
|
||||||
|
+#include "module/remote/remote.h"
|
||||||
|
|
||||||
|
int create_socket(const char *name)
|
||||||
|
{
|
||||||
|
@@ -82,7 +83,6 @@ void usage(FILE* fp)
|
||||||
|
|
||||||
|
int main(int argc, char *argv[])
|
||||||
|
{
|
||||||
|
- char *socketfile = NULL;
|
||||||
|
int socket_fd;
|
||||||
|
|
||||||
|
int o = 0;
|
||||||
|
@@ -124,7 +124,7 @@ int main(int argc, char *argv[])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- asprintf(&socketfile, "/tmp/fcitx-socket-:%d", fcitx_utils_get_display_number());
|
||||||
|
+ const char *socketfile = GetRemoteSocketPath(fcitx_utils_get_display_number());
|
||||||
|
|
||||||
|
socket_fd = create_socket(socketfile);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
Loading…
Reference in New Issue
Block a user