FreeBSD Bugzilla – Attachment 193457 Details for Bug 228291: [patch] security/plasma5-kwallet-pam: make it work
kwallet-pam.patch (text/plain), 6.82 KB, created by Tijl Coosemans on 2018-05-16 13:20:11 UTC
>Index: security/plasma5-kwallet-pam/Makefile >=================================================================== >--- security/plasma5-kwallet-pam/Makefile (revision 470013) >+++ security/plasma5-kwallet-pam/Makefile (working copy) >@@ -2,7 +2,7 @@ > > PORTNAME= kwallet-pam > DISTVERSION= ${KDE_PLASMA_VERSION} >-PORTREVISION= 1 >+PORTREVISION= 2 > CATEGORIES= security kde kde-plasma > > MAINTAINER= kde@FreeBSD.org >@@ -11,8 +11,8 @@ COMMENT= Plasma5 KWallet PAM Integration > LIB_DEPENDS= libgcrypt.so:security/libgcrypt \ > libgpg-error.so:security/libgpg-error > >-USES= cmake:outsource cpe gettext kde:5 tar:xz >-USE_KDE= ecm >+USES= cmake:outsource cpe kde:5 tar:xz >+USE_KDE= ecm wallet_run > USE_QT5= buildtools_build qmake_build > > # The qmake dependency is only needed so that kf5-e-c-m can query qmake for >@@ -21,5 +21,11 @@ USE_QT5= buildtools_build qmake_build > # to avoid needlessly depending on qt5-core. > CMAKE_ARGS= -DCMAKE_DISABLE_FIND_PACKAGE_Qt5Core=TRUE \ > -DQMAKE_EXECUTABLE:PATH=${QMAKE} >+ >+post-patch: >+ @${REINPLACE_CMD} -e 's,socat,nc,' -e 's,/security,,' \ >+ ${WRKSRC}/CMakeLists.txt >+ @${REINPLACE_CMD} 's,/usr/bin/kwalletd,${LOCALBASE}/bin/kwalletd,' \ >+ ${WRKSRC}/pam_kwallet.c > > .include <bsd.port.mk> >Index: security/plasma5-kwallet-pam/files/patch-3-8da1a470.diff >=================================================================== >--- security/plasma5-kwallet-pam/files/patch-3-8da1a470.diff (nonexistent) >+++ security/plasma5-kwallet-pam/files/patch-3-8da1a470.diff (working copy) 
>@@ -0,0 +1,51 @@ >+From 8da1a47035fc92bc1496059583772bc4bd6e8ba6 Mon Sep 17 00:00:00 2001 >+From: Maximiliano Curia <maxy@gnuservers.com.ar> >+Date: Fri, 4 May 2018 22:06:06 +0200 >+Subject: [PATCH] Avoid giving an stderr to kwallet >+ >+Summary: >+The fixes for CVE-2018-10380 introduced a regression for most users not >+using kde, and some for kde sessions. In particular the reorder of the >+close calls and creating a new socket caused that the socket is always >+assigned the file descriptor 2, aka stderr. >+ >+BUG: 393856 >+ >+Test Plan: It works >+ >+Reviewers: #plasma, aacid >+ >+Reviewed By: aacid >+ >+Subscribers: asturmlechner, rdieter, davidedmundson, plasma-devel >+ >+Tags: #plasma >+ >+Differential Revision: https://phabricator.kde.org/D12702 >+--- >+ pam_kwallet.c | 5 ++++- >+ 1 file changed, 4 insertions(+), 1 deletion(-) >+ >+diff --git a/pam_kwallet.c b/pam_kwallet.c >+index b9c984a..661ed8d 100644 >+--- pam_kwallet.c >++++ pam_kwallet.c >+@@ -375,7 +375,8 @@ static int drop_privileges(struct passwd *userInfo) >+ static void execute_kwallet(pam_handle_t *pamh, struct passwd *userInfo, int toWalletPipe[2], char *fullSocket) >+ { >+ //In the child pam_syslog does not work, using syslog directly >+- int x = 2; >++ //keep stderr open so socket doesn't returns us that fd >++ int x = 3; >+ //Close fd that are not of interest of kwallet >+ for (; x < 64; ++x) { >+ if (x != toWalletPipe[0]) { >+@@ -424,6 +425,8 @@ static void execute_kwallet(pam_handle_t *pamh, struct passwd *userInfo, int toW >+ pam_syslog(pamh, LOG_INFO, "%s-kwalletd: Couldn't listen in socket\n", logPrefix); >+ return; >+ } >++ //finally close stderr >++ close(2); >+ >+ // Fork twice to daemonize kwallet >+ setsid(); > >Property changes on: security/plasma5-kwallet-pam/files/patch-3-8da1a470.diff >___________________________________________________________________ >Added: fbsd:nokeywords >## -0,0 +1 ## >+yes >\ No newline at end of property >Added: svn:eol-style >## -0,0 +1 ## >+native >\ 
No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property >Index: security/plasma5-kwallet-pam/files/patch-pam_kwallet.c >=================================================================== >--- security/plasma5-kwallet-pam/files/patch-pam_kwallet.c (nonexistent) >+++ security/plasma5-kwallet-pam/files/patch-pam_kwallet.c (working copy) 
>@@ -0,0 +1,30 @@ >+--- pam_kwallet.c.orig 2018-05-01 12:51:31 UTC >++++ pam_kwallet.c >+@@ -118,7 +118,7 @@ static void parseArguments(int argc, const char **argv >+ } >+ #else >+ if (kdehome == NULL) { >+- kdehome = ".kde"; >++ kdehome = ".kde4"; >+ } >+ if (kwalletd == NULL) { >+ kwalletd = "/usr/bin/kwalletd"; >+@@ -486,7 +486,7 @@ static void start_kwallet(pam_handle_t *pamh, struct p >+ struct sockaddr_un local; >+ local.sun_family = AF_UNIX; >+ >+- if (strlen(fullSocket) > sizeof(local.sun_path)) { >++ if (strlen(fullSocket) >= sizeof(local.sun_path)) { >+ pam_syslog(pamh, LOG_ERR, "%s: socket path %s too long to open", >+ logPrefix, fullSocket); >+ free(fullSocket); >+@@ -499,8 +499,7 @@ static void start_kwallet(pam_handle_t *pamh, struct p >+ >+ pam_syslog(pamh, LOG_INFO, "%s: final socket path: %s", logPrefix, local.sun_path); >+ >+- size_t len = strlen(local.sun_path) + sizeof(local.sun_family); >+- if (bind(envSocket, (struct sockaddr *)&local, len) == -1) { >++ if (bind(envSocket, (struct sockaddr *)&local, sizeof(local)) == -1) { >+ pam_syslog(pamh, LOG_INFO, "%s-kwalletd: Couldn't bind to local file\n", logPrefix); >+ return; >+ } > >Property changes on: security/plasma5-kwallet-pam/files/patch-pam_kwallet.c >___________________________________________________________________ >Added: fbsd:nokeywords >## -0,0 +1 ## >+yes >\ No newline at end of property >Added: svn:eol-style >## -0,0 +1 ## >+native >\ No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property >Index: security/plasma5-kwallet-pam/files/patch-pam_kwallet_init >=================================================================== >--- security/plasma5-kwallet-pam/files/patch-pam_kwallet_init (nonexistent) >+++ security/plasma5-kwallet-pam/files/patch-pam_kwallet_init (working copy) 
>@@ -0,0 +1,15 @@ >+--- pam_kwallet_init.orig 2018-05-01 12:51:31 UTC >++++ pam_kwallet_init >+@@ -1,10 +1,10 @@ >+ #!/bin/sh >+ >+ if test -n "$PAM_KWALLET_LOGIN" ; then >+- env | socat STDIN UNIX-CONNECT:$PAM_KWALLET_LOGIN >++ env | nc -U "$PAM_KWALLET_LOGIN" | : >+ fi >+ >+ if test -n "$PAM_KWALLET5_LOGIN" ; then >+- env | socat STDIN UNIX-CONNECT:$PAM_KWALLET5_LOGIN >++ env | nc -U "$PAM_KWALLET5_LOGIN" | : >+ fi >+ > >Property changes on: security/plasma5-kwallet-pam/files/patch-pam_kwallet_init >___________________________________________________________________ >Added: fbsd:nokeywords >## -0,0 +1 ## >+yes >\ No newline at end of property >Added: svn:eol-style >## -0,0 +1 ## >+native >\ No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property >Index: security/plasma5-kwallet-pam/pkg-plist >=================================================================== >--- security/plasma5-kwallet-pam/pkg-plist (revision 470013) >+++ security/plasma5-kwallet-pam/pkg-plist (working copy) >@@ -1,3 +1,3 @@ > etc/xdg/autostart/pam_kwallet_init.desktop > lib/libexec/pam_kwallet_init >-lib/security/pam_kwallet5.so >+lib/pam_kwallet5.so
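Review bot: In the post-patch target added to security/plasma5-kwallet-pam/Makefile, the sed expressions 's,socat,nc,' and 's,/security,,' are unanchored, so they rewrite the first "socat" and the first "/security" on every line of CMakeLists.txt, whatever the context. Anchoring them on the surrounding text they are meant to change would make the edit fail visibly when upstream changes the file instead of silently altering something else. The same applies to 's,/usr/bin/kwalletd,${LOCALBASE}/bin/kwalletd,' on pam_kwallet.c: it is a prefix match, so any longer path that begins with /usr/bin/kwalletd is rewritten too. Since this string is the binary the PAM module executes, a one-line comment stating which defaults are meant to be covered would help.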
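Review bot: In files/patch-3-8da1a470.diff, the `close(2)` added in the second hunk leaves the process that goes on to daemonize kwalletd with descriptor 2 unallocated, so the next descriptor opened there can be handed number 2 and receive anything written to stderr. Pointing fd 2 at /dev/null with open() and dup2() instead of closing it avoids that. Separately, the first hunk's `int x = 3` only keeps the new socket off fd 2 as long as descriptors 0 and 1 are open in the calling process; checking the value returned by the socket call and moving it above 2 when needed would not depend on that assumption.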
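Review bot: The default `kdehome` changing from ".kde" to ".kde4" in the first hunk of files/patch-pam_kwallet.c comes with no rationale in the patch or in the bug title. This is a local behaviour change to the fallback used when `kdehome == NULL`, so the patch file should carry a short header comment explaining why FreeBSD differs from upstream here, and whether users with an existing ~/.kde directory need to set kdehome explicitly.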
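Review bot: In the last hunk of files/patch-pam_kwallet.c, `bind(envSocket, (struct sockaddr *)&local, sizeof(local))` now hands the kernel the whole of `local`, yet the visible context in the preceding hunk shows only `struct sockaddr_un local;` followed by `local.sun_family = AF_UNIX;` with no zeroing. Please confirm the struct is cleared (memset) before the path is copied in, or pass SUN_LEN(&local) so that only the initialised part of sun_path is used. The `>=` change in the length check is the right companion fix, since a path of exactly sizeof(local.sun_path) bytes leaves no room for the terminating NUL.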
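Review bot: In files/patch-pam_kwallet_init, the trailing `| :` on both `env | nc -U ...` lines is unexplained, and it makes the exit status of each pipeline that of `:`, so a failure of nc to connect to the socket is masked. If the purpose is to keep nc from blocking the session start, say so in a comment in the patch. Quoting "$PAM_KWALLET_LOGIN" and "$PAM_KWALLET5_LOGIN" is an improvement over the original unquoted expansion and worth sending upstream.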
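Review bot: The pkg-plist hunk moves the module from lib/security/pam_kwallet5.so to lib/pam_kwallet5.so, but nothing in the patch documents the new location for users. Any pam.d entry that names the old path will stop loading the module after the upgrade, so a pkg-message with the expected pam.d lines, or an UPDATING note, should accompany the PORTREVISION bump.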
Attachments on bug 228291: 193457 | 206965