Hi,

On Wed, Nov 04, 2020 at 01:52:12PM +0100, Salvatore Bonaccorso wrote:
> Source: sddm
> Version: 0.18.1-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
> <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for sddm.
>
> CVE-2020-28049[0]:
> | local privilege escalation due to race condition in creation of the
> | Xauthority file
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-28049
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28049
> [1] https://github.com/sddm/sddm/commit/be202f533ab98a684c6a007e8d5b4357846bc222
> [2] https://bugzilla.suse.com/show_bug.cgi?id=1177201
> [3] https://www.openwall.com/lists/oss-security/2020/11/04/2

Attached the debdiff as to be used for the buster-security update.

Regards,
Salvatore

diff -Nru sddm-0.18.0/debian/changelog sddm-0.18.0/debian/changelog --- sddm-0.18.0/debian/changelog 2018-07-22 13:26:44.000000000 +0200 +++ sddm-0.18.0/debian/changelog 2020-11-04 15:29:27.000000000 +0100 @@ -1,3 +1,11 @@ +sddm (0.18.0-1+deb10u1) buster-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix X not having access control on startup (CVE-2020-28049) + (Closes: #973748) + + -- Salvatore Bonaccorso <car...@debian.org> Wed, 04 Nov 2020 15:29:27 +0100 + sddm (0.18.0-1) unstable; urgency=medium [ Simon Quigley ] diff -Nru sddm-0.18.0/debian/patches/06_Fix-X-not-having-access-control-on-startup.diff sddm-0.18.0/debian/patches/06_Fix-X-not-having-access-control-on-startup.diff --- sddm-0.18.0/debian/patches/06_Fix-X-not-having-access-control-on-startup.diff 1970-01-01 01:00:00.000000000 +0100 +++ sddm-0.18.0/debian/patches/06_Fix-X-not-having-access-control-on-startup.diff 2020-11-04 15:29:27.000000000 +0100 
@@ -0,0 +1,93 @@ +From: Fabian Vogt <fab...@ritter-vogt.de> +Date: Tue, 6 Oct 2020 21:21:38 +0200 +Subject: Fix X not having access control on startup +Origin: https://github.com/sddm/sddm/commit/be202f533ab98a684c6a007e8d5b4357846bc222 +Bug: https://bugzilla.suse.com/show_bug.cgi?id=1177201 +Bug-Debian: https://bugs.debian.org/973748 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-28049 + +If the auth file is empty, X allows any local application (= any user on the +system) to connect. This is currently the case until X wrote the display +number to sddm and sddm used that to write the entry into the file. +To work around this chicken-and-egg problem, make use of the fact that X +doesn't actually look at the display number in the passed auth file and just +use :0 unconditionally. Also make sure that writing the entry was actually +successful. + +CVE-2020-28049 +--- + src/daemon/XorgDisplayServer.cpp | 25 ++++++++++++++++++++----- + src/daemon/XorgDisplayServer.h | 2 +- + 2 files changed, 21 insertions(+), 6 deletions(-) + +--- a/src/daemon/XorgDisplayServer.cpp ++++ b/src/daemon/XorgDisplayServer.cpp +@@ -87,7 +87,7 @@ namespace SDDM { + return m_cookie; + } + +- void XorgDisplayServer::addCookie(const QString &file) { ++ bool XorgDisplayServer::addCookie(const QString &file) { + // log message + qDebug() << "Adding cookie to" << file; + +@@ -103,13 +103,13 @@ namespace SDDM { + + // check file + if (!fp) +- return; ++ return false; + fprintf(fp, "remove %s\n", qPrintable(m_display)); + fprintf(fp, "add %s . %s\n", qPrintable(m_display), qPrintable(m_cookie)); + fprintf(fp, "exit\n"); + + // close pipe +- pclose(fp); ++ return pclose(fp) == 0; + } + + bool XorgDisplayServer::start() { +@@ -126,6 +126,15 @@ namespace SDDM { + // log message + qDebug() << "Display server starting..."; + ++ // generate auth file. ++ // For the X server's copy, the display number doesn't matter. ++ // An empty file would result in no access control! 
++ m_display = QStringLiteral(":0"); ++ if(!addCookie(m_authPath)) { ++ qCritical() << "Failed to write xauth file"; ++ return false; ++ } ++ + if (daemonApp->testing()) { + QStringList args; + args << m_display << QStringLiteral("-ac") << QStringLiteral("-br") << QStringLiteral("-noreset") << QStringLiteral("-screen") << QStringLiteral("800x600"); +@@ -210,8 +219,14 @@ namespace SDDM { + emit started(); + } + +- // generate auth file +- addCookie(m_authPath); ++ // The file is also used by the greeter, which does care about the ++ // display number. Write the proper entry, if it's different. ++ if(m_display != QStringLiteral(":0")) { ++ if(!addCookie(m_authPath)) { ++ qCritical() << "Failed to write xauth file"; ++ return false; ++ } ++ } + changeOwner(m_authPath); + + // set flag +--- a/src/daemon/XorgDisplayServer.h ++++ b/src/daemon/XorgDisplayServer.h +@@ -40,7 +40,7 @@ namespace SDDM { + + const QString &cookie() const; + +- void addCookie(const QString &file); ++ bool addCookie(const QString &file); + + public slots: + bool start(); diff -Nru sddm-0.18.0/debian/patches/series sddm-0.18.0/debian/patches/series --- sddm-0.18.0/debian/patches/series 2018-07-22 13:26:44.000000000 +0200 +++ sddm-0.18.0/debian/patches/series 2020-11-04 15:29:27.000000000 +0100 @@ -3,3 +3,4 @@ 03_vt7-minimum-vt.diff 04_set_default_path.diff 05_add_debian_themes.diff +06_Fix-X-not-having-access-control-on-startup.diff
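
Review bot: in the addCookie() hunk of XorgDisplayServer.cpp, the new bool result rests only on `pclose(fp) == 0`, while the three fprintf() calls that feed the "remove", "add" and "exit" commands into the pipe remain unchecked. Since the caller now treats a false return as "no access control, do not start X", it would be worth checking the fprintf() results as well and adding a short comment that the return value reflects the exit status of the piped command, so that a write which fails before the child exits is not reported as success.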
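
Review bot: in the start() hunk at @@ -126,6 +126,15, `m_display = QStringLiteral(":0");` overwrites the member only to steer what addCookie() writes, and the unchanged context directly below passes `args << m_display` to the server in the daemonApp->testing() branch. A display value set before start() is therefore replaced by ":0" in testing mode. Passing the display to addCookie() as a parameter, or saving and restoring the member around the call, would keep the early cookie write free of that side effect.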
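
Review bot: in the start() hunk at @@ -210,8 +219,14, the new `return false;` after a failed second addCookie() leaves the function at a point where, per the commit message, X has already reported its display number, and the visible lines neither stop the server nor reach changeOwner(m_authPath). Please either stop the display server on this path or document that the caller is responsible for the cleanup. A comment noting that the ":0" entry written earlier stays in the file next to the entry for the real display would also help the next reader.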