Hello community,

here is the log from the commit of package sddm for openSUSE:Factory checked in 
at 2020-11-05 21:54:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sddm (Old)
 and      /work/SRC/openSUSE:Factory/.sddm.new.11331 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sddm"

Thu Nov  5 21:54:22 2020 rev:52 rq:845755 version:0.18.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/sddm/sddm.changes        2020-10-11 20:15:09.944379218 +0200
+++ /work/SRC/openSUSE:Factory/.sddm.new.11331/sddm.changes     2020-11-05 21:55:02.948166748 +0100
@@ -1,0 +2,21 @@
+Tue Nov  3 14:15:55 UTC 2020 - Franck Bui <f...@suse.com>
+
+- Replace  '%service_del_postun -n' with '%service_del_postun_without_restart'
+
+  '-n' is deprecated and will be removed in the future.
+
+-------------------------------------------------------------------
+Tue Nov  3 11:03:07 UTC 2020 - Fabian Vogt <fab...@ritter-vogt.de>
+
+- Patches to fix X not having access control on startup
+  (boo#1177201, CVE-2020-28049):
+ * Add 0001-Don-t-disable-authentication-in-test-mode.patch
+ * Modify 0001-Redesign-Xauth-handling.patch
+
+-------------------------------------------------------------------
+Sat Oct 24 12:16:43 UTC 2020 - Fabian Vogt <fab...@ritter-vogt.de>
+
+- Add patch to set XAUTHLOCALHOSTNAME again (boo#1177835):
+  * 0001-Set-XAUTHLOCALHOSTNAME-in-sessions.patch
+
+-------------------------------------------------------------------

New:
----
  0001-Don-t-disable-authentication-in-test-mode.patch
  0001-Set-XAUTHLOCALHOSTNAME-in-sessions.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sddm.spec ++++++
--- /var/tmp/diff_new_pack.vwGMsN/_old  2020-11-05 21:55:04.292163726 +0100
+++ /var/tmp/diff_new_pack.vwGMsN/_new  2020-11-05 21:55:04.296163717 +0100
@@ -35,6 +35,8 @@
 Patch1:         0001-FreeBSD-Link-to-libutil.patch
 Patch2:         0001-FreeBSD-Split-implementation-of-VT-switching.patch
 Patch3:         0002-Only-allocate-VTs-for-seat0.patch
+# Committed directly
+Patch4:         0001-Don-t-disable-authentication-in-test-mode.patch
 # Not merged yet: https://github.com/sddm/sddm/pull/997
 Patch50:        0001-Remove-suffix-for-Wayland-session.patch
 # Not merged yet: https://github.com/sddm/sddm/pull/1017
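Review bot: the `# Committed directly` comment above `Patch4:` does not say where it was committed; the neighbouring entries record an upstream reference (`# Not merged yet: https://github.com/sddm/sddm/pull/997`), and this patch's own header further down says it was cherry-picked from upstream commit bb8e817493020113e1b0f3207f7bbcd1593e9c9e. Recording that hash and CVE-2020-28049 next to the Patch line makes it obvious on the next version bump when the patch can be dropped.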
@@ -51,6 +53,7 @@
 # Use openSUSE pam config
 Patch100:       proper_pam.diff
 Patch101:       0001-Write-the-daemon-s-PID-to-a-file-on-startup.patch
+Patch102:       0001-Set-XAUTHLOCALHOSTNAME-in-sessions.patch
 Patch103:       0001-Read-the-DISPLAYMANAGER_AUTOLOGIN-value-from-sysconf.patch
 # sddm has some rudimentary support for plymouth handling, which only works 
with plymouth-quit.service
 # (the servce is not enabled on openSUSE). For users of sddm.service, we need 
to issue plymouth quit command by hand in this case
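Review bot: `Patch102:` is added without any comment on its upstream status, and unlike Patch4 its header below carries no `cherry picked from` line, so a later maintainer cannot tell whether it was submitted to sddm or is openSUSE-only. A one-line comment with the bug reference from the changelog (boo#1177835) and the upstream PR, if one exists, would keep this block consistent with the rest of the patch list.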
@@ -219,7 +222,7 @@
 
 %postun
 # Don't restart on upgrades (boo#1161826)
-%service_del_postun -n sddm.service
+%service_del_postun_without_restart sddm.service
 [ -f %{_prefix}/lib/X11/displaymanagers/sddm ] || 
%{_sbindir}/update-alternatives \
   --remove default-displaymanager %{_prefix}/lib/X11/displaymanagers/sddm
 
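Review bot: replacing `%service_del_postun -n` with `%service_del_postun_without_restart` keeps the behaviour the comment describes (no restart on upgrade, boo#1161826), but the changelog only states that `-n` is deprecated, not from which systemd-rpm-macros version the new macro is available. If this spec is also built for an older target where the macro is undefined, the line stays literally unexpanded in the %postun scriptlet; worth confirming the build targets or guarding the call.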

++++++ 0001-Don-t-disable-authentication-in-test-mode.patch ++++++
From ba1a742322378eed325cfd78e089102eabceb6d0 Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fab...@ritter-vogt.de>
Date: Fri, 9 Oct 2020 20:53:34 +0200
Subject: [PATCH] Don't disable authentication in --test-mode

For some reason Xephyr was started with the "-ac" option, although handling
of the auth file is completely functional.

(cherry picked from commit bb8e817493020113e1b0f3207f7bbcd1593e9c9e)
---
 src/daemon/XorgDisplayServer.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/daemon/XorgDisplayServer.cpp b/src/daemon/XorgDisplayServer.cpp
index 28ce524..80b2227 100644
--- a/src/daemon/XorgDisplayServer.cpp
+++ b/src/daemon/XorgDisplayServer.cpp
@@ -128,7 +128,7 @@ namespace SDDM {
 
         if (daemonApp->testing()) {
             QStringList args;
-            args << m_display << QStringLiteral("-ac") << 
QStringLiteral("-br") << QStringLiteral("-noreset") << 
QStringLiteral("-screen") << QStringLiteral("800x600");
+            args << m_display << QStringLiteral("-auth") << m_authPath << 
QStringLiteral("-br") << QStringLiteral("-noreset") << 
QStringLiteral("-screen") << QStringLiteral("800x600");
             process->start(mainConfig.X11.XephyrPath.get(), args);
 
 
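Review bot: `-auth m_authPath` only restores access control if the file already holds a cookie at the moment Xephyr is launched; with `-ac` gone, an empty or not-yet-written file still means an open display. This hunk does not show where the file is written, and the updated `0001-Redesign-Xauth-handling.patch` below moves the `Xauth::writeCookieToFile` call ahead of the launch for exactly this reason ("An empty file would result in no access control!"). State that dependency in the patch description or apply the two changes together, since cherry-picking this one onto a tree that writes the cookie after `process->start` would silently leave test mode unprotected.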
-- 
2.25.1

++++++ 0001-Redesign-Xauth-handling.patch ++++++
--- /var/tmp/diff_new_pack.vwGMsN/_old  2020-11-05 21:55:04.360163573 +0100
+++ /var/tmp/diff_new_pack.vwGMsN/_new  2020-11-05 21:55:04.360163573 +0100
@@ -1,4 +1,4 @@
-From 7236fb5d21df6c1fc74b06bcd7f938934ae3cfd4 Mon Sep 17 00:00:00 2001
+From 862f8cc0fff51b95f00778ea52b3c66342bc6241 Mon Sep 17 00:00:00 2001
 From: Fabian Vogt <fab...@ritter-vogt.de>
 Date: Wed, 21 Aug 2019 16:32:03 +0200
 Subject: [PATCH] Redesign Xauth handling
@@ -24,7 +24,7 @@
  src/common/XauthUtils.cpp        | 82 ++++++++++++++++++++++++++++++++
  src/common/XauthUtils.h          | 16 +++++++
  src/daemon/CMakeLists.txt        |  3 ++
- src/daemon/XorgDisplayServer.cpp | 42 ++--------------
+ src/daemon/XorgDisplayServer.cpp | 58 ++++++++--------------
  src/daemon/XorgDisplayServer.h   |  4 +-
  src/helper/Backend.cpp           |  7 ---
  src/helper/CMakeLists.txt        |  8 +++-
@@ -32,12 +32,12 @@
  src/helper/HelperApp.h           |  4 +-
  src/helper/UserSession.cpp       | 53 +++++++++++----------
  src/helper/UserSession.h         |  9 ++++
- 16 files changed, 164 insertions(+), 93 deletions(-)
+ 16 files changed, 179 insertions(+), 94 deletions(-)
  create mode 100644 src/common/XauthUtils.cpp
  create mode 100644 src/common/XauthUtils.h
 
 diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 47f2860..b6cb61c 100644
+index b2b074d..4518b93 100644
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
 @@ -88,6 +88,9 @@ add_feature_info("PAM" PAM_FOUND "PAM support")
@@ -51,10 +51,10 @@
  find_package(XCB REQUIRED)
  
 diff --git a/data/man/sddm.conf.rst.in b/data/man/sddm.conf.rst.in
-index bee0768..e91280a 100644
+index b14de73..cfd7e65 100644
 --- a/data/man/sddm.conf.rst.in
 +++ b/data/man/sddm.conf.rst.in
-@@ -110,10 +110,6 @@ OPTIONS
+@@ -106,10 +106,6 @@ OPTIONS
        Path of the Xephyr.
        Default value is "/usr/bin/Xephyr".
  
@@ -65,7 +65,7 @@
  `SessionDir=`
        Path of the directory containing session files.
        Default value is "/usr/share/xsessions".
-@@ -128,10 +124,6 @@ OPTIONS
+@@ -124,10 +120,6 @@ OPTIONS
          Path to the user session log file, relative to the home directory.
          Default value is ".local/share/sddm/xorg-session.log".
  
@@ -77,7 +77,7 @@
        Path of script to execute when starting the display server.
        Default value is "@DATA_INSTALL_DIR@/scripts/Xsetup".
 diff --git a/src/auth/Auth.cpp b/src/auth/Auth.cpp
-index caca314..c2228ae 100644
+index 9978912..72383ac 100644
 --- a/src/auth/Auth.cpp
 +++ b/src/auth/Auth.cpp
 @@ -64,7 +64,7 @@ namespace SDDM {
@@ -98,7 +98,7 @@
          return d->cookie;
      }
  
-@@ -298,7 +298,7 @@ namespace SDDM {
+@@ -294,7 +294,7 @@ namespace SDDM {
          d->environment.insert(key, value);
      }
  
@@ -108,7 +108,7 @@
              d->cookie = cookie;
              Q_EMIT cookieChanged();
 diff --git a/src/auth/Auth.h b/src/auth/Auth.h
-index 87f5f44..38d63fc 100644
+index 9c26b95..292449c 100644
 --- a/src/auth/Auth.h
 +++ b/src/auth/Auth.h
 @@ -54,7 +54,7 @@ namespace SDDM {
@@ -129,7 +129,7 @@
          const QString &user() const;
          const QString &session() const;
          AuthRequest *request();
-@@ -149,7 +149,7 @@ namespace SDDM {
+@@ -145,7 +145,7 @@ namespace SDDM {
           * Set the display server cookie, to be inserted into the user's 
$XAUTHORITY
           * @param cookie cookie data
           */
@@ -139,10 +139,10 @@
      public Q_SLOTS:
          /**
 diff --git a/src/common/Configuration.h b/src/common/Configuration.h
-index cf44a62..a7e0585 100644
+index 9cb1007..7f99f68 100644
 --- a/src/common/Configuration.h
 +++ b/src/common/Configuration.h
-@@ -63,11 +63,9 @@ namespace SDDM {
+@@ -62,11 +62,9 @@ namespace SDDM {
              Entry(ServerPath,          QString,     _S("/usr/bin/X"),         
                  _S("Path to X server binary"));
              Entry(ServerArguments,     QString,     _S("-nolisten tcp"),      
                  _S("Arguments passed to the X server invocation"));
              Entry(XephyrPath,          QString,     _S("/usr/bin/Xephyr"),    
                  _S("Path to Xephyr binary"));
@@ -293,7 +293,7 @@
  if(PAM_FOUND)
      target_link_libraries(sddm ${PAM_LIBRARIES})
 diff --git a/src/daemon/XorgDisplayServer.cpp 
b/src/daemon/XorgDisplayServer.cpp
-index d04f634..ff2605e 100644
+index 80b2227..b0ee6b3 100644
 --- a/src/daemon/XorgDisplayServer.cpp
 +++ b/src/daemon/XorgDisplayServer.cpp
 @@ -25,6 +25,7 @@
@@ -304,7 +304,7 @@
  
  #include <QDebug>
  #include <QFile>
-@@ -55,17 +56,7 @@ namespace SDDM {
+@@ -54,17 +55,7 @@ namespace SDDM {
          m_authPath = 
QStringLiteral("%1/%2").arg(authDir).arg(QUuid::createUuid().toString());
  
          // generate cookie
@@ -323,7 +323,7 @@
      }
  
      XorgDisplayServer::~XorgDisplayServer() {
-@@ -84,35 +75,10 @@ namespace SDDM {
+@@ -83,35 +74,10 @@ namespace SDDM {
          return QStringLiteral("x11");
      }
  
@@ -360,12 +360,35 @@
      bool XorgDisplayServer::start() {
          // check flag
          if (m_started)
-@@ -218,7 +184,7 @@ namespace SDDM {
+@@ -126,6 +92,14 @@ namespace SDDM {
+         // log message
+         qDebug() << "Display server starting...";
+ 
++        // generate auth file
++        // For the X server's copy, the display number doesn't matter.
++        // An empty file would result in no access control!
++        if(!Xauth::writeCookieToFile(m_authPath, QStringLiteral(":0"), 
m_cookie)) {
++            qCritical() << "Failed to write xauth file";
++            return false;
++        }
++
+         if (daemonApp->testing()) {
+             QStringList args;
+             args << m_display << QStringLiteral("-auth") << m_authPath << 
QStringLiteral("-br") << QStringLiteral("-noreset") << 
QStringLiteral("-screen") << QStringLiteral("800x600");
+@@ -210,8 +184,14 @@ namespace SDDM {
+             emit started();
          }
  
-         // generate auth file
+-        // generate auth file
 -        addCookie(m_authPath);
-+        Xauth::writeCookieToFile(m_authPath, m_display, m_cookie);
++        // The file is also used by the greeter, which does care about the
++        // display number. Write the proper entry, if different.
++        if(m_display != QStringLiteral(":0")) {
++            if(!Xauth::writeCookieToFile(m_authPath, m_display, m_cookie)) {
++                qCritical() << "Failed to write xauth file";
++                return false;
++            }
++        }
          changeOwner(m_authPath);
  
          // set flag
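Review bot: in the `@@ -210,8 +184,14 @@` region the new `return false` sits after `emit started();`, so when `Xauth::writeCookieToFile(m_authPath, m_display, m_cookie)` fails the X server keeps running and listeners have already been told the display is up while `start()` reports failure. Either stop the process before returning or emit `started()` only once the auth file is complete. It is also not visible whether `writeCookieToFile` appends or truncates: if it truncates, the second call replaces the `:0` entry the server was started with, which only works because Xorg has already read the file; a short comment on that would spare the next reader the question.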
@@ -443,10 +466,10 @@
      # On FreeBSD (possibly other BSDs as well), we want to use
      # setusercontext() to set up the login configuration from login.conf
 diff --git a/src/helper/HelperApp.cpp b/src/helper/HelperApp.cpp
-index cad93bd..3c49a2a 100644
+index e328052..13ccdfa 100644
 --- a/src/helper/HelperApp.cpp
 +++ b/src/helper/HelperApp.cpp
-@@ -231,7 +231,7 @@ namespace SDDM {
+@@ -229,7 +229,7 @@ namespace SDDM {
          str >> m >> env >> m_cookie;
          if (m != AUTHENTICATED) {
              env = QProcessEnvironment();
@@ -455,7 +478,7 @@
              qCritical() << "Received a wrong opcode instead of 
AUTHENTICATED:" << m;
          }
          return env;
-@@ -257,7 +257,7 @@ namespace SDDM {
+@@ -255,7 +255,7 @@ namespace SDDM {
          return m_user;
      }
  

++++++ 0001-Set-XAUTHLOCALHOSTNAME-in-sessions.patch ++++++
From 5ae235adea72a68796c9c25f2a7a8194dd3d7509 Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fab...@ritter-vogt.de>
Date: Sat, 24 Oct 2020 13:57:05 +0200
Subject: [PATCH] Set XAUTHLOCALHOSTNAME in sessions

While FamilyWild avoids that hostname changes break xauth, this doesn't help
with Xtrans (used for ICE). Xtrans always uses the current host name for
setting $SESSION_MANAGER and for a successful connection this has to match
the current hostname (or $XAUTHLOCALHOSTNAME, see p_xauth.diff in xtrans)
on client connection attempts as well. By setting XAUTHLOCALHOSTNAME here,
it's likely that it equals the hostname set by the session manager later
(e.g. ksmserver).
---
 src/helper/Backend.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/helper/Backend.cpp b/src/helper/Backend.cpp
index 1e80693..3feb49e 100644
--- a/src/helper/Backend.cpp
+++ b/src/helper/Backend.cpp
@@ -27,6 +27,7 @@
 #include "UserSession.h"
 
 #include <QtCore/QProcessEnvironment>
+#include <QtNetwork/QHostInfo>
 
 #include <pwd.h>
 
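Review bot: `#include <QtNetwork/QHostInfo>` pulls QtNetwork into the helper, but the patch touches only `src/helper/Backend.cpp` (1 file changed, 2 insertions), so either `src/helper/CMakeLists.txt` already links Qt5::Network or this fails at link time. Please confirm, and if it is not linked yet, add it in the same patch.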
@@ -63,6 +64,7 @@ namespace SDDM {
             env.insert(QStringLiteral("SHELL"), 
QString::fromLocal8Bit(pw->pw_shell));
             env.insert(QStringLiteral("USER"), 
QString::fromLocal8Bit(pw->pw_name));
             env.insert(QStringLiteral("LOGNAME"), 
QString::fromLocal8Bit(pw->pw_name));
+            env.insert(QStringLiteral("XAUTHLOCALHOSTNAME"), 
QHostInfo::localHostName());
             // TODO: I'm fairly sure this shouldn't be done for PAM sessions, 
investigate!
             m_app->session()->setProcessEnvironment(env);
         }
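Review bot: `QHostInfo::localHostName()` is exported unconditionally, including when it returns an empty string, and the commit message does not say whether Xtrans treats an empty `$XAUTHLOCALHOSTNAME` as unset; guarding the insert on a non-empty result avoids the question. The line is also placed inside the block that the existing TODO already flags as possibly wrong for PAM sessions, so if that block is later restricted the hostname export goes with it, although the reasoning in the commit message (the value must match what the session manager sees later) applies to every session.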
-- 
2.25.1

