Re: [cdesktopenv-devel] OpenBSD 5.7 AMD64 fails to compile

Tue, 16 Jun 2015 14:55:39 -0700 

On Mon, 15 Jun 2015, Isaac Dunham wrote:

> On Mon, Jun 15, 2015 at 06:32:30PM -0500, Douglas Carmichael wrote:
> ...
>
> Please fix your mailer; it's marking patches as application/octet-stream
> rather than text/x-diff or similar.
>
> Comments below.
>
>> From: Douglas Carmichael <[email protected]>
>> Date: Sun, 14 Jun 2015 11:10:36 -0500
>> Subject: [PATCH] Patches to enable compilation on OpenBSD 5.7/FreeBSD 10.1.
>>
>> ---
>>  cde/doc/util/dbtoman/instant/main.c |  2 +-
>>  cde/programs/dtlogin/genauth.c      |  3 +++
>>  cde/programs/dtlogin/session.c      | 23 -----------------------
>>  3 files changed, 4 insertions(+), 24 deletions(-)
>>
[...]
>>
>> -    if (d->language && strlen(d->language) > 0 ) {
>> -            language = strdup(d->language);
>> -            lang_key = "-D";
>> -    }
>> -
>> -    /*
>> -     *  replace any "-" or "." in the language name with "_". The C
>> -     *  preprocessor used by xrdb does not accept "-" or "." in a name.
>> -     */
>> -
>> -    while ( (p = strchr(language, '-')) != NULL ) {
>> -        *p = '_';
>> -    }
>> -
>> -    while ( (p = strchr(language, '.')) != NULL ) {
>> -        *p = '_';
>> -    }
>> -
>> -    free(language);
>
> While this change is functionally equivalent to the original code
> (apart from the detail that it's actually valid), I wonder if we
> should try to update to match current xdm or make this do the "right"
> thing...well, it looks like xdm eliminated this code over a decade
> ago.
>
> I see that neither of the CVEs for xdm apply for most builds;
> but for "AlphaArchitecture", where SIA is defined, seteuid(0)
> is called without error checking...I suppose that cannot be a
> privilege escalation, but rather might continue despite failing
> to elevate privileges.
>

Ok to apply this patch then?  It looks like particularly crappy code
to begin with, so I'm ok with removing it.

As for seteuid() - yes that should be checked, but if it fails, it
fails, so I do not see how that could cause a priv escalation...
[...]

-- 
Jon Trulson

"If we can hit that bull's-eye, the rest of the dominoes will fall
like a house of cards... Checkmate."
                                         -- Zapp Brannigan

------------------------------------------------------------------------------
_______________________________________________
cdesktopenv-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cdesktopenv-devel

Reply via email to