Bug 230029 - x11/sddm Please upgrade from 0.14.0 to 0.18.0 (address CVE-2018-14345)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-kde (group)
Reported: 2018-07-25 05:04 UTC by Patrick McMunn
Modified: 2019-01-10 03:19 UTC

bugzilla: maintainer-feedback? (kde)


Description Patrick McMunn 2018-07-25 05:04:07 UTC

    
Comment 1 Adriaan de Groot freebsd_committer freebsd_triage 2018-09-08 10:33:52 UTC
I've just updated to 0.17 (from 0.14) and will pick this up later today.
Comment 2 commit-hook freebsd_committer freebsd_triage 2018-09-11 10:39:53 UTC
A commit references this bug:

Author: adridg
Date: Tue Sep 11 10:39:06 UTC 2018
New revision: 479521
URL: https://svnweb.freebsd.org/changeset/ports/479521

Log:
  The 0.18 release of x11/sddm contains a fix for a security error
  that allows unlocking a session without a password, if the
  ReuseSession configuration option is set to true. The default
  configuration sets it to false.

  I'm setting the version to < 0.17.0_1 here, because I'm going
  to update 0.17 with backports rather than pull in 0.18 (there's
  a lot more work in that update, because of reorganisation upstream
  and none of our patches apply anymore).

  PR:		230029
  Reported by:	doctorwhoguy@gmail.com

Changes:
  head/security/vuxml/vuln.xml
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-09-11 10:39:55 UTC
A commit references this bug:

Author: adridg
Date: Tue Sep 11 10:39:37 UTC 2018
New revision: 479522
URL: https://svnweb.freebsd.org/changeset/ports/479522

Log:
  Backport security fixes for x11/sddm

  The 0.18 release of x11/sddm contains a fix for a security error
  that probably doesn't affect us: session-reuse. In any case our
  default configuration is not vulnerable. This doesn't update to
  0.18 because there's a bunch of other changes that would need to
  be chased, further delaying this update.

  While here, pet portlint and Tijl, who asked for a pkg-message.

  PR:		230029
  Reported by:	doctorwhoguy@gmail.com
  Security:	f00acdec-b59f-11e8-805d-001e2a3f778d

Changes:
  head/x11/sddm/Makefile
  head/x11/sddm/files/git-patch-147cec38d
  head/x11/sddm/files/git-patch-b02b00559
  head/x11/sddm/pkg-message
Comment 4 Adriaan de Groot freebsd_committer freebsd_triage 2018-09-11 10:44:50 UTC
Fixed by backporting fixes, rather than updating wholesale to 0.18 because the latter is a lot more work (many upstream changes).
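
The commit logs above tie exposure to two conditions: a port version below 0.17.0_1 and ReuseSession set to true. The following audit check is an added example, not code from this bug thread, the port, or upstream sddm. Assumptions: the key sits in the `[Users]` section as in upstream's sddm.conf documentation, only the literal "true" (any case) enables it, later config texts override earlier ones, and the version comparison is a simplified numeric one (no epoch, no letters); the sample configs are constructed.

```python
import configparser
import re

FIXED = "0.17.0_1"  # from the commit log: vuxml marks versions < 0.17.0_1


def parse_port_version(v):
    """Split 'X.Y.Z_N' into ((X, Y, Z), N); simplified, numeric parts only."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while parts and parts[-1] == 0:  # treat 0.17 and 0.17.0 as equal
        parts.pop()
    return tuple(parts), int(m.group(2) or 0)


def is_affected_version(v):
    return parse_port_version(v) < parse_port_version(FIXED)


def reuse_session_enabled(config_texts):
    """config_texts: config file contents in load order (assumed: last wins)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case; the option is spelled ReuseSession
    for text in config_texts:
        # Hypothetical dummy section so keys before any header do not raise.
        cp.read_string("[__top__]\n" + text)
    # Fallback follows the commit log: the default configuration is false.
    value = cp.get("Users", "ReuseSession", fallback="false")
    return value.strip().lower() == "true"


def exposed(version, config_texts):
    """True only when both conditions from the commit logs hold."""
    return is_affected_version(version) and reuse_session_enabled(config_texts)


# Constructed sample inputs, not taken from a real system.
MAIN_CONF = "[Users]\nMaximumUid=60000\nReuseSession=false\n"
OVERRIDE = "# constructed override\n[Users]\nReuseSession=True\n"

if __name__ == "__main__":
    for ver in ("0.14.0", "0.17.0", "0.17.0_1"):
        print(ver, exposed(ver, [MAIN_CONF, OVERRIDE]))
```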