gdm

Merge lp:~sbeattie/gdm/CVE-2011-0727-lp746053 into lp:~ubuntu-desktop/gdm/ubuntu

CVE-2011-0727-lp746053
Merge into ubuntu

Proposed by Steve Beattie on 2011-04-05

Status:	Merged
Merged at revision:	321
Proposed branch:	lp:~sbeattie/gdm/CVE-2011-0727-lp746053
Merge into:	lp:~ubuntu-desktop/gdm/ubuntu
Diff against target:	93 lines (+73/-0) 3 files modified debian/changelog (+10/-0) debian/patches/43_CVE-2011-0727.patch (+62/-0) debian/patches/series (+1/-0)
To merge this branch:	bzr merge lp:~sbeattie/gdm/CVE-2011-0727-lp746053
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Ubuntu Desktop		2011-04-05	Pending
Review via email: mp+56283@code.launchpad.net

Description of the change

This fixes the local privilege escalation vulnerability in gdm (CVE-2011-0727). The patch is based on the upstream commit http://git.gnome.org/browse/gdm/commit/?h=gnome-2-32&id=f2eb8e2b25844d6964129e0232e022995e27e11f .

My apologies for not using the correct packaging branch the first time.

lp:~sbeattie/gdm/CVE-2011-0727-lp746053 updated on 2011-04-05

321. By Steve Beattie on 2011-04-05: Merged in Robert Ancell's upload that I missed, adjust patch sequencing
to follow it.
* debian/patches/24_respect_system_minuid.patch:
- Ignore entries from ck-history that are using system UIDs (LP: #696038)
* debian/patches/42_no_ecryptfs_autologin.patch:
- Don't autologin ecryptfs users (LP: #284443)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Steve Beattie

Ubuntu Desktop

 === modified file 'debian/changelog'
 --- debian/changelog	2011-04-01 06:45:48 +0000
 +++ debian/changelog	2011-04-05 03:45:47 +0000
@@ -1,3 +1,13 @@
++gdm (2.32.0-0ubuntu15) UNRELEASED; urgency=low
++
++  * SECURITY UPDATE: race condition allowing privilege escalation
++    - debian/patches/43_CVE-2011-0727.patch: fix
++      daemon/gdm-session-worker.c to copy files as session user rather
++      than root followed by a subsequent chown. (LP: #746053)
++    - CVE-2011-0727
++
++ -- Steve Beattie <sbeattie@ubuntu.com>  Mon, 04 Apr 2011 20:42:03 -0700
++
  gdm (2.32.0-0ubuntu14) natty; urgency=low
    * debian/patches/24_respect_system_minuid.patch:
 === added file 'debian/patches/43_CVE-2011-0727.patch'
 --- debian/patches/43_CVE-2011-0727.patch	1970-01-01 00:00:00 +0000
 +++ debian/patches/43_CVE-2011-0727.patch	2011-04-05 03:45:47 +0000
@@ -0,0 +1,62 @@
++From f2eb8e2b25844d6964129e0232e022995e27e11f Mon Sep 17 00:00:00 2001
++From: Ray Strode <rstrode@redhat.com>
++Date: Thu, 24 Mar 2011 20:47:37 +0000
++Subject: worker: CVE-2011-0727: change to user before copying user files
++
++This commit changes to a user before copying user files to prevent
++a possible symlink local root exploit attack.
++
++[Ubuntu note: natty patch refreshed against 2.32.0-0ubuntu12
++ -- sbeattie]
++
++---
++ daemon/gdm-session-worker.c |   29 +++++++++++++++++------------
++ 1 file changed, 17 insertions(+), 12 deletions(-)
++
++Index: b/daemon/gdm-session-worker.c
++===================================================================
++--- a/daemon/gdm-session-worker.c
+++++ b/daemon/gdm-session-worker.c
++@@ -1035,17 +1035,6 @@ gdm_cache_copy_file (GdmSessionWorker *w
++                                    error->message);
++                         g_error_free (error);
++                  } else {
++-                         int res;
++-
++-                         res = chown (cachefilename,
++-                                      worker->priv->uid,
++-                                      worker->priv->gid);
++-                         if (res == -1) {
++-                                 g_warning ("GdmSessionWorker: Error setting owner of cache file: %s",
++-                                            g_strerror (errno));
++-                         }
++-
++-                        g_chmod (cachefilename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
++                         g_debug ("Copy successful");
++                 }
++
++@@ -1183,7 +1172,23 @@ gdm_session_worker_uninitialize_pam (Gdm
++                 return;
++
++         if (worker->priv->state >= GDM_SESSION_WORKER_STATE_SESSION_OPENED) {
++-                gdm_session_worker_cache_userfiles (worker);
+++                pid_t pid;
+++
+++                pid = fork ();
+++
+++                if (pid == 0) {
+++                        if (setuid (worker->priv->uid) < 0) {
+++                                g_debug ("GdmSessionWorker: could not reset uid: %s", g_strerror (errno));
+++                                _exit (1);
+++                        }
+++
+++                        gdm_session_worker_cache_userfiles (worker);
+++                        _exit (0);
+++                }
+++
+++                if (pid > 0) {
+++                        gdm_wait_on_pid (pid);
+++                }
++                 pam_close_session (worker->priv->pam_handle, 0);
++                 gdm_session_auditor_report_logout (worker->priv->auditor);
++
 === modified file 'debian/patches/series'
 --- debian/patches/series	2011-04-01 06:45:48 +0000
 +++ debian/patches/series	2011-04-05 03:45:47 +0000
@@ -34,3 +34,4 @@
 _one_lang_option_per_translation.patch
 _pt_time_format.patch
 _no_ecryptfs_autologin.patch
++43_CVE-2011-0727.patch

gdm

Merge lp:~sbeattie/gdm/CVE-2011-0727-lp746053 into lp:~ubuntu-desktop/gdm/ubuntu

Commit message

Description of the change

Preview Diff

Subscribers