Attachment #193457 for bug #228291

Lines 2-8 Link Here

(-)security/plasma5-kwallet-pam/Makefile (-3 / +9 lines)
2		2
3	PORTNAME= kwallet-pam	3	PORTNAME= kwallet-pam
4	DISTVERSION= ${KDE_PLASMA_VERSION}	4	DISTVERSION= ${KDE_PLASMA_VERSION}
5	PORTREVISION= 1	5	PORTREVISION= 2
6	CATEGORIES= security kde kde-plasma	6	CATEGORIES= security kde kde-plasma
7		7
8	MAINTAINER= kde@FreeBSD.org	8	MAINTAINER= kde@FreeBSD.org
Lines 11-18 COMMENT= Plasma5 KWallet PAM Integration Link Here
11	LIB_DEPENDS= libgcrypt.so:security/libgcrypt \	11	LIB_DEPENDS= libgcrypt.so:security/libgcrypt \
12	libgpg-error.so:security/libgpg-error	12	libgpg-error.so:security/libgpg-error
13		13
14	USES= cmake:outsource cpe gettext kde:5 tar:xz	14	USES= cmake:outsource cpe kde:5 tar:xz
15	USE_KDE= ecm	15	USE_KDE= ecm wallet_run
16	USE_QT5= buildtools_build qmake_build	16	USE_QT5= buildtools_build qmake_build
17		17
18	# The qmake dependency is only needed so that kf5-e-c-m can query qmake for	18	# The qmake dependency is only needed so that kf5-e-c-m can query qmake for
Lines 21-25 USE_QT5= buildtools_build qmake_build Link Here
21	# to avoid needlessly depending on qt5-core.	21	# to avoid needlessly depending on qt5-core.
22	CMAKE_ARGS= -DCMAKE_DISABLE_FIND_PACKAGE_Qt5Core=TRUE \	22	CMAKE_ARGS= -DCMAKE_DISABLE_FIND_PACKAGE_Qt5Core=TRUE \
23	-DQMAKE_EXECUTABLE:PATH=${QMAKE}	23	-DQMAKE_EXECUTABLE:PATH=${QMAKE}
		24
		25	post-patch:
		26	@${REINPLACE_CMD} -e 's,socat,nc,' -e 's,/security,,' \
		27	${WRKSRC}/CMakeLists.txt
		28	@${REINPLACE_CMD} 's,/usr/bin/kwalletd,${LOCALBASE}/bin/kwalletd,' \
		29	${WRKSRC}/pam_kwallet.c
24		30
25	.include <bsd.port.mk>	31	.include <bsd.port.mk>




From 8da1a47035fc92bc1496059583772bc4bd6e8ba6 Mon Sep 17 00:00:00 2001
From: Maximiliano Curia <maxy@gnuservers.com.ar>
Date: Fri, 4 May 2018 22:06:06 +0200
Subject: [PATCH] Avoid giving an stderr to kwallet

Summary:
The fixes for CVE-2018-10380 introduced a regression for most users not
using kde, and some for kde sessions. In particular the reorder of the
close calls and creating a new socket caused that the socket is always
assigned the file descriptor 2, aka stderr.

BUG: 393856

Test Plan: It works

Reviewers: #plasma, aacid

Reviewed By: aacid

Subscribers: asturmlechner, rdieter, davidedmundson, plasma-devel

Tags: #plasma

Differential Revision: https://phabricator.kde.org/D12702
---
 pam_kwallet.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pam_kwallet.c b/pam_kwallet.c
index b9c984a..661ed8d 100644
--- pam_kwallet.c
+++ pam_kwallet.c
@@ -375,7 +375,8 @@ static int drop_privileges(struct passwd *userInfo)
 static void execute_kwallet(pam_handle_t *pamh, struct passwd *userInfo, int toWalletPipe[2], char *fullSocket)
 {
     //In the child pam_syslog does not work, using syslog directly
-    int x = 2;
+    //keep stderr open so socket doesn't returns us that fd
+    int x = 3;
     //Close fd that are not of interest of kwallet
     for (; x < 64; ++x) {
         if (x != toWalletPipe[0]) {
@@ -424,6 +425,8 @@ static void execute_kwallet(pam_handle_t *pamh, struct passwd *userInfo, int toW
         pam_syslog(pamh, LOG_INFO, "%s-kwalletd: Couldn't listen in socket\n", logPrefix);
         return;
     }
+    //finally close stderr
+    close(2);
 
     // Fork twice to daemonize kwallet
     setsid();




--- pam_kwallet.c.orig	2018-05-01 12:51:31 UTC
+++ pam_kwallet.c
@@ -118,7 +118,7 @@ static void parseArguments(int argc, const char **argv
     }
 #else
     if (kdehome == NULL) {
-        kdehome = ".kde";
+        kdehome = ".kde4";
     }
     if (kwalletd == NULL) {
         kwalletd = "/usr/bin/kwalletd";
@@ -486,7 +486,7 @@ static void start_kwallet(pam_handle_t *pamh, struct p
     struct sockaddr_un local;
     local.sun_family = AF_UNIX;
 
-    if (strlen(fullSocket) > sizeof(local.sun_path)) {
+    if (strlen(fullSocket) >= sizeof(local.sun_path)) {
         pam_syslog(pamh, LOG_ERR, "%s: socket path %s too long to open",
                    logPrefix, fullSocket);
         free(fullSocket);
@@ -499,8 +499,7 @@ static void start_kwallet(pam_handle_t *pamh, struct p
 
     pam_syslog(pamh, LOG_INFO, "%s: final socket path: %s", logPrefix, local.sun_path);
 
-    size_t len = strlen(local.sun_path) + sizeof(local.sun_family);
-    if (bind(envSocket, (struct sockaddr *)&local, len) == -1) {
+    if (bind(envSocket, (struct sockaddr *)&local, sizeof(local)) == -1) {
         pam_syslog(pamh, LOG_INFO, "%s-kwalletd: Couldn't bind to local file\n", logPrefix);
         return;
     }




--- pam_kwallet_init.orig	2018-05-01 12:51:31 UTC
+++ pam_kwallet_init
@@ -1,10 +1,10 @@
 #!/bin/sh
 
 if test -n "$PAM_KWALLET_LOGIN" ; then
-    env | socat STDIN UNIX-CONNECT:$PAM_KWALLET_LOGIN
+    env | nc -U "$PAM_KWALLET_LOGIN" | :
 fi
 
 if test -n "$PAM_KWALLET5_LOGIN" ; then
-    env | socat STDIN UNIX-CONNECT:$PAM_KWALLET5_LOGIN
+    env | nc -U "$PAM_KWALLET5_LOGIN" | :
 fi
 

Lines 1-3 Link Here

(-)security/plasma5-kwallet-pam/pkg-plist (-1 / +1 lines)
1	etc/xdg/autostart/pam_kwallet_init.desktop	1	etc/xdg/autostart/pam_kwallet_init.desktop
2	lib/libexec/pam_kwallet_init	2	lib/libexec/pam_kwallet_init
3	lib/security/pam_kwallet5.so	3	lib/pam_kwallet5.so

Return to bug 228291

Line 0 Link Here

(-)security/plasma5-kwallet-pam/files/patch-3-8da1a470.diff (+51 lines)
	1	From 8da1a47035fc92bc1496059583772bc4bd6e8ba6 Mon Sep 17 00:00:00 2001
	2	From: Maximiliano Curia <maxy@gnuservers.com.ar>
	3	Date: Fri, 4 May 2018 22:06:06 +0200
	4	Subject: [PATCH] Avoid giving an stderr to kwallet
	5
	6	Summary:
	7	The fixes for CVE-2018-10380 introduced a regression for most users not
	8	using kde, and some for kde sessions. In particular the reorder of the
	9	close calls and creating a new socket caused that the socket is always
	10	assigned the file descriptor 2, aka stderr.
	11
	12	BUG: 393856
	13
	14	Test Plan: It works
	15
	16	Reviewers: #plasma, aacid
	17
	18	Reviewed By: aacid
	19
	20	Subscribers: asturmlechner, rdieter, davidedmundson, plasma-devel
	21
	22	Tags: #plasma
	23
	24	Differential Revision: https://phabricator.kde.org/D12702
	25	---
	26	pam_kwallet.c \| 5 ++++-
	27	1 file changed, 4 insertions(+), 1 deletion(-)
	28
	29	diff --git a/pam_kwallet.c b/pam_kwallet.c
	30	index b9c984a..661ed8d 100644
	31	--- pam_kwallet.c
	32	+++ pam_kwallet.c
	33	@@ -375,7 +375,8 @@ static int drop_privileges(struct passwd *userInfo)
	34	static void execute_kwallet(pam_handle_t pamh, struct passwd userInfo, int toWalletPipe[2], char *fullSocket)
	35	{
	36	//In the child pam_syslog does not work, using syslog directly
	37	- int x = 2;
	38	+ //keep stderr open so socket doesn't returns us that fd
	39	+ int x = 3;
	40	//Close fd that are not of interest of kwallet
	41	for (; x < 64; ++x) {
	42	if (x != toWalletPipe[0]) {
	43	@@ -424,6 +425,8 @@ static void execute_kwallet(pam_handle_t pamh, struct passwd userInfo, int toW
	44	pam_syslog(pamh, LOG_INFO, "%s-kwalletd: Couldn't listen in socket\n", logPrefix);
	45	return;
	46	}
	47	+ //finally close stderr
	48	+ close(2);
	49
	50	// Fork twice to daemonize kwallet
	51	setsid();

Line 0 Link Here

(-)security/plasma5-kwallet-pam/files/patch-pam_kwallet.c (+30 lines)
	1	--- pam_kwallet.c.orig 2018-05-01 12:51:31 UTC
	2	+++ pam_kwallet.c
	3	@@ -118,7 +118,7 @@ static void parseArguments(int argc, const char **argv
	4	}
	5	#else
	6	if (kdehome == NULL) {
	7	- kdehome = ".kde";
	8	+ kdehome = ".kde4";
	9	}
	10	if (kwalletd == NULL) {
	11	kwalletd = "/usr/bin/kwalletd";
	12	@@ -486,7 +486,7 @@ static void start_kwallet(pam_handle_t *pamh, struct p
	13	struct sockaddr_un local;
	14	local.sun_family = AF_UNIX;
	15
	16	- if (strlen(fullSocket) > sizeof(local.sun_path)) {
	17	+ if (strlen(fullSocket) >= sizeof(local.sun_path)) {
	18	pam_syslog(pamh, LOG_ERR, "%s: socket path %s too long to open",
	19	logPrefix, fullSocket);
	20	free(fullSocket);
	21	@@ -499,8 +499,7 @@ static void start_kwallet(pam_handle_t *pamh, struct p
	22
	23	pam_syslog(pamh, LOG_INFO, "%s: final socket path: %s", logPrefix, local.sun_path);
	24
	25	- size_t len = strlen(local.sun_path) + sizeof(local.sun_family);
	26	- if (bind(envSocket, (struct sockaddr *)&local, len) == -1) {
	27	+ if (bind(envSocket, (struct sockaddr *)&local, sizeof(local)) == -1) {
	28	pam_syslog(pamh, LOG_INFO, "%s-kwalletd: Couldn't bind to local file\n", logPrefix);
	29	return;
	30	}

Line 0 Link Here

(-)security/plasma5-kwallet-pam/files/patch-pam_kwallet_init (+15 lines)
	1	--- pam_kwallet_init.orig 2018-05-01 12:51:31 UTC
	2	+++ pam_kwallet_init
	3	@@ -1,10 +1,10 @@
	4	#!/bin/sh
	5
	6	if test -n "$PAM_KWALLET_LOGIN" ; then
	7	- env \| socat STDIN UNIX-CONNECT:$PAM_KWALLET_LOGIN
	8	+ env \| nc -U "$PAM_KWALLET_LOGIN" \| :
	9	fi
	10
	11	if test -n "$PAM_KWALLET5_LOGIN" ; then
	12	- env \| socat STDIN UNIX-CONNECT:$PAM_KWALLET5_LOGIN
	13	+ env \| nc -U "$PAM_KWALLET5_LOGIN" \| :
	14	fi
	15