Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/kde-plasma/kwallet-pam/files/kwallet-pam-5.11.5-CVE-2018-10380-2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'kde-plasma/kwallet-pam/files/kwallet-pam-5.11.5-CVE-2018-10380-2.patch')
-rw-r--r--kde-plasma/kwallet-pam/files/kwallet-pam-5.11.5-CVE-2018-10380-2.patch135
1 files changed, 135 insertions, 0 deletions
diff --git a/kde-plasma/kwallet-pam/files/kwallet-pam-5.11.5-CVE-2018-10380-2.patch b/kde-plasma/kwallet-pam/files/kwallet-pam-5.11.5-CVE-2018-10380-2.patch
new file mode 100644
index 000000000000..2f88e0c3ceae
--- /dev/null
+++ b/kde-plasma/kwallet-pam/files/kwallet-pam-5.11.5-CVE-2018-10380-2.patch
@@ -0,0 +1,135 @@
+From 01d4143fda5bddb6dca37b23304dc239a5fb38b5 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 1 May 2018 12:32:24 +0200
+Subject: Move socket creation to unprivileged codepath
+
+We don't need to be creating the socket as root, and doing so,
+specially having a chown is problematic security wise.
+---
+ pam_kwallet.c | 77 ++++++++++++++++++++++++++++-------------------------------
+ 1 file changed, 36 insertions(+), 41 deletions(-)
+
+diff --git a/pam_kwallet.c b/pam_kwallet.c
+index 083c9aa..b9c984a 100644
+--- a/pam_kwallet.c
++++ b/pam_kwallet.c
+@@ -372,13 +372,13 @@ static int drop_privileges(struct passwd *userInfo)
+ return 0;
+ }
+
+-static void execute_kwallet(pam_handle_t *pamh, struct passwd *userInfo, int toWalletPipe[2], int envSocket)
++static void execute_kwallet(pam_handle_t *pamh, struct passwd *userInfo, int toWalletPipe[2], char *fullSocket)
+ {
+ //In the child pam_syslog does not work, using syslog directly
+ int x = 2;
+ //Close fd that are not of interest of kwallet
+ for (; x < 64; ++x) {
+- if (x != toWalletPipe[0] && x != envSocket) {
++ if (x != toWalletPipe[0]) {
+ close (x);
+ }
+ }
+@@ -392,6 +392,39 @@ static void execute_kwallet(pam_handle_t *pamh, struct passwd *userInfo, int toW
+ goto cleanup;
+ }
+
++ int envSocket;
++ if ((envSocket = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
++ pam_syslog(pamh, LOG_ERR, "%s: couldn't create socket", logPrefix);
++ return;
++ }
++
++ struct sockaddr_un local;
++ local.sun_family = AF_UNIX;
++
++ if (strlen(fullSocket) > sizeof(local.sun_path)) {
++ pam_syslog(pamh, LOG_ERR, "%s: socket path %s too long to open",
++ logPrefix, fullSocket);
++ free(fullSocket);
++ return;
++ }
++ strcpy(local.sun_path, fullSocket);
++ free(fullSocket);
++ fullSocket = NULL;
++ unlink(local.sun_path);//Just in case it exists from a previous login
++
++ pam_syslog(pamh, LOG_INFO, "%s: final socket path: %s", logPrefix, local.sun_path);
++
++ size_t len = strlen(local.sun_path) + sizeof(local.sun_family);
++ if (bind(envSocket, (struct sockaddr *)&local, len) == -1) {
++ pam_syslog(pamh, LOG_INFO, "%s-kwalletd: Couldn't bind to local file\n", logPrefix);
++ return;
++ }
++
++ if (listen(envSocket, 5) == -1) {
++ pam_syslog(pamh, LOG_INFO, "%s-kwalletd: Couldn't listen in socket\n", logPrefix);
++ return;
++ }
++
+ // Fork twice to daemonize kwallet
+ setsid();
+ pid_t pid = fork();
+@@ -452,12 +485,6 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha
+ pam_syslog(pamh, LOG_ERR, "%s: Couldn't create pipes", logPrefix);
+ }
+
+- int envSocket;
+- if ((envSocket = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
+- pam_syslog(pamh, LOG_ERR, "%s: couldn't create socket", logPrefix);
+- return;
+- }
+-
+ #ifdef KWALLET5
+ const char *socketPrefix = "kwallet5";
+ #else
+@@ -493,38 +520,6 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha
+ return;
+ }
+
+- struct sockaddr_un local;
+- local.sun_family = AF_UNIX;
+-
+- if (strlen(fullSocket) > sizeof(local.sun_path)) {
+- pam_syslog(pamh, LOG_ERR, "%s: socket path %s too long to open",
+- logPrefix, fullSocket);
+- free(fullSocket);
+- return;
+- }
+- strcpy(local.sun_path, fullSocket);
+- free(fullSocket);
+- fullSocket = NULL;
+- unlink(local.sun_path);//Just in case it exists from a previous login
+-
+- pam_syslog(pamh, LOG_INFO, "%s: final socket path: %s", logPrefix, local.sun_path);
+-
+- size_t len = strlen(local.sun_path) + sizeof(local.sun_family);
+- if (bind(envSocket, (struct sockaddr *)&local, len) == -1) {
+- pam_syslog(pamh, LOG_INFO, "%s-kwalletd: Couldn't bind to local file\n", logPrefix);
+- return;
+- }
+-
+- if (listen(envSocket, 5) == -1) {
+- pam_syslog(pamh, LOG_INFO, "%s-kwalletd: Couldn't listen in socket\n", logPrefix);
+- return;
+- }
+-
+- if (chown(local.sun_path, userInfo->pw_uid, userInfo->pw_gid) == -1) {
+- pam_syslog(pamh, LOG_INFO, "%s: Couldn't change ownership of the socket", logPrefix);
+- return;
+- }
+-
+ pid_t pid;
+ int status;
+ switch (pid = fork ()) {
+@@ -534,7 +529,7 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha
+
+ //Child fork, will contain kwalletd
+ case 0:
+- execute_kwallet(pamh, userInfo, toWalletPipe, envSocket);
++ execute_kwallet(pamh, userInfo, toWalletPipe, fullSocket);
+ /* Should never be reached */
+ break;
+
+--
+cgit v0.11.2
+