Bug 230029

Summary: x11/sddm Please upgrade from 0.14.0 to 0.18.0 (address CVE-2018-14345)
Product: Ports & Packages
Reporter: Patrick McMunn <doctorwhoguy>
Component: Individual Port(s)
Assignee: kde
Status: Closed FIXED
Severity: Affects Only Me
CC: adridg, me
Priority: ---
Flags: bugzilla: maintainer-feedback? (kde)
Version: Latest
Hardware: Any
OS: Any

Description Patrick McMunn 2018-07-25 05:04:07 UTC

    
Comment 1 Adriaan de Groot freebsd_committer 2018-09-08 10:33:52 UTC
I've just updated to 0.17 (from 0.14) and will pick this up later today.
Comment 2 commit-hook freebsd_committer 2018-09-11 10:39:53 UTC
A commit references this bug:

Author: adridg
Date: Tue Sep 11 10:39:06 UTC 2018
New revision: 479521
URL: https://svnweb.freebsd.org/changeset/ports/479521

Log:
  The 0.18 release of x11/sddm contains a fix for a security error
  that allows unlocking a session without a password, if the
  ReuseSession configuration option is set to true. The default
  configuration sets it to false.

  I'm setting the version to < 0.17.0_1 here, because I'm going
  to update 0.17 with backports rather than pull in 0.18 (there's
  a lot more work in that update, because of reorganisation upstream
  and none of our patches apply anymore).

  PR:		230029
  Reported by:	doctorwhoguy@gmail.com

Changes:
  head/security/vuxml/vuln.xml
Comment 3 commit-hook freebsd_committer 2018-09-11 10:39:55 UTC
A commit references this bug:

Author: adridg
Date: Tue Sep 11 10:39:37 UTC 2018
New revision: 479522
URL: https://svnweb.freebsd.org/changeset/ports/479522

Log:
  Backport security fixes for x11/sddm

  The 0.18 release of x11/sddm contains a fix for a security error
  that probably doesn't affect us: session-reuse. In any case our
  default configuration is not vulnerable. This doesn't update to
  0.18 because there's a bunch of other changes that would need to
  be chased, further delaying this update.

  While here, pet portlint and Tijl, who asked for a pkg-message.

  PR:		230029
  Reported by:	doctorwhoguy@gmail.com
  Security:	f00acdec-b59f-11e8-805d-001e2a3f778d

Changes:
  head/x11/sddm/Makefile
  head/x11/sddm/files/git-patch-147cec38d
  head/x11/sddm/files/git-patch-b02b00559
  head/x11/sddm/pkg-message
Comment 4 Adriaan de Groot freebsd_committer 2018-09-11 10:44:50 UTC
Fixed by backporting fixes, rather than updating wholesale to 0.18 because the latter is a lot more work (many upstream changes).
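
Added example (not part of the bug thread or the port): the commit logs above tie the issue to the ReuseSession option being set to true, so this check reports the effective value across a set of SDDM configuration files. It assumes the option lives in the [Users] section, that files are passed in the order SDDM reads them with later assignments overriding earlier ones, and that "true" is matched case-insensitively; the file paths are supplied by the caller.

```shell
#!/bin/sh
# Report the effective [Users] ReuseSession value for the given SDDM
# configuration files. Assumption: files are listed in read order and a
# later assignment overrides an earlier one.

effective_reuse_session() {
    # Default taken from the commit log on this page: false.
    value=false
    for f in "$@"; do
        [ -r "$f" ] || continue
        found=$(awk '
            /^[ \t]*[#;]/ { next }               # skip comment lines
            /^[ \t]*\[/ {                        # section header
                s = $0
                sub(/^[ \t]*\[/, "", s)
                sub(/\].*$/, "", s)
                in_users = (s == "Users")
                next
            }
            in_users && /^[ \t]*ReuseSession[ \t]*=/ {
                v = $0
                sub(/^[^=]*=[ \t]*/, "", v)      # drop key and "="
                sub(/[ \t\r]*$/, "", v)          # drop trailing blanks
                last = tolower(v)                # last assignment in file wins
            }
            END { if (last != "") print last }
        ' "$f")
        if [ -n "$found" ]; then value=$found; fi
    done
    printf '%s\n' "$value"
}

# Constructed sample input, written to a temporary file for illustration.
demo_constructed() {
    tmp=$(mktemp)
    printf '[Users]\nReuseSession=true\n' > "$tmp"
    effective_reuse_session "$tmp"
    rm -f "$tmp"
}

# When paths are given on the command line, report their effective value.
if [ "$#" -gt 0 ]; then
    effective_reuse_session "$@"
fi
```

A result of "true" means the configuration has opted in to session reuse, which is the condition the commit log describes as exploitable on versions before the fix.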