systemd/0001-util-never-follow-symlinks-in-rm_rf_children.patch

From 5ebff5337594d690b322078c512eb222d34aaa82 Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Fri, 2 Mar 2012 10:39:10 +0100
Subject: [PATCH] util: never follow symlinks in rm_rf_children()

The function checks if the entry is a directory before recursing, but
there is a window between the check and the open, during which the
directory could be replaced with a symlink.

CVE-2012-1174
https://bugzilla.redhat.com/show_bug.cgi?id=803358
---
 src/util.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/src/util.c b/src/util.c
index 20cbc2b..dfc1dc6 100644
--- a/src/util.c
+++ b/src/util.c
@@ -3593,7 +3593,8 @@ static int rm_rf_children(int fd, bool only_dirs, bool honour_sticky) {
                 if (is_dir) {
                         int subdir_fd;
 
-                        if ((subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)) < 0) {
+                        subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW);
+                        if (subdir_fd < 0) {
                                 if (ret == 0 && errno != ENOENT)
                                         ret = -errno;
                                 continue;
-- 
1.7.7

From c9d8629baa09f853fbcc44972c9748e70562270c Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 22 Mar 2012 01:43:36 +0100
Subject: [PATCH] logind: extend comment about X11 socket symlink

---
 src/login/logind-session.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/src/login/logind-session.c b/src/login/logind-session.c
index af9c12d..4e0af86 100644
--- a/src/login/logind-session.c
+++ b/src/login/logind-session.c
@@ -391,6 +391,10 @@ static int session_link_x11_socket(Session *s) {
                 return -ENOENT;
         }
 
+        /* Note that this cannot be in a subdir to avoid
+         * vulnerabilities since we are privileged but the runtime
+         * path is owned by the user */
+
         t = strappend(s->user->runtime_path, "/X11-display");
         if (!t) {
                 log_error("Out of memory");
-- 
1.7.7
- Add 0001-util-never-follow-symlinks-in-rm_rf_children.patch: fix CVE-2012-1174 (bnc#752281). OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=260 2012-03-19 11:27:58 +01:00			`From 5ebff5337594d690b322078c512eb222d34aaa82 Mon Sep 17 00:00:00 2001`
			`From: Michal Schmidt <mschmidt@redhat.com>`
			`Date: Fri, 2 Mar 2012 10:39:10 +0100`
			`Subject: [PATCH] util: never follow symlinks in rm_rf_children()`

			`The function checks if the entry is a directory before recursing, but`
			`there is a window between the check and the open, during which the`
			`directory could be replaced with a symlink.`

			`CVE-2012-1174`
			`https://bugzilla.redhat.com/show_bug.cgi?id=803358`
			`---`
			`src/util.c \| 3 ++-`
			`1 files changed, 2 insertions(+), 1 deletions(-)`

			`diff --git a/src/util.c b/src/util.c`
			`index 20cbc2b..dfc1dc6 100644`
			`--- a/src/util.c`
			`+++ b/src/util.c`
			`@@ -3593,7 +3593,8 @@ static int rm_rf_children(int fd, bool only_dirs, bool honour_sticky) {`
			`if (is_dir) {`
			`int subdir_fd;`

			`- if ((subdir_fd = openat(fd, de->d_name, O_RDONLY\|O_NONBLOCK\|O_DIRECTORY\|O_CLOEXEC)) < 0) {`
			`+ subdir_fd = openat(fd, de->d_name, O_RDONLY\|O_NONBLOCK\|O_DIRECTORY\|O_CLOEXEC\|O_NOFOLLOW);`
			`+ if (subdir_fd < 0) {`
			`if (ret == 0 && errno != ENOENT)`
			`ret = -errno;`
			`continue;`
			`--`
			`1.7.7`

- Update fixppc.patch with upstream patches - Add comments from upstream in 0001-util-never-follow-symlinks-in-rm_rf_children.patch. - Add logind-logout.patch: it should fix sudo / su with pam_systemd (bnc#746704). OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=263 2012-03-22 09:55:35 +01:00			`From c9d8629baa09f853fbcc44972c9748e70562270c Mon Sep 17 00:00:00 2001`
			`From: Lennart Poettering <lennart@poettering.net>`
			`Date: Thu, 22 Mar 2012 01:43:36 +0100`
			`Subject: [PATCH] logind: extend comment about X11 socket symlink`

			`---`
			`src/login/logind-session.c \| 4 ++++`
			`1 files changed, 4 insertions(+), 0 deletions(-)`

			`diff --git a/src/login/logind-session.c b/src/login/logind-session.c`
			`index af9c12d..4e0af86 100644`
			`--- a/src/login/logind-session.c`
			`+++ b/src/login/logind-session.c`
			`@@ -391,6 +391,10 @@ static int session_link_x11_socket(Session *s) {`
			`return -ENOENT;`
			`}`

			`+ /* Note that this cannot be in a subdir to avoid`
			`+ * vulnerabilities since we are privileged but the runtime`
			`+ * path is owned by the user */`
			`+`
			`t = strappend(s->user->runtime_path, "/X11-display");`
			`if (!t) {`
			`log_error("Out of memory");`
			`--`
			`1.7.7`