gdm

Merge lp:~sbeattie/gdm/CVE-2011-0727-lp746053 into lp:~ubuntu-desktop/gdm/ubuntu

Proposed by Steve Beattie on 2011-04-05
Status: Merged
Merged at revision: 321
Proposed branch: lp:~sbeattie/gdm/CVE-2011-0727-lp746053
Merge into: lp:~ubuntu-desktop/gdm/ubuntu
Diff against target: 93 lines (+73/-0)
3 files modified
debian/changelog (+10/-0)
debian/patches/43_CVE-2011-0727.patch (+62/-0)
debian/patches/series (+1/-0)
To merge this branch: bzr merge lp:~sbeattie/gdm/CVE-2011-0727-lp746053
Reviewer Review Type Date Requested Status
Ubuntu Desktop 2011-04-05 Pending
Review via email: mp+56283@code.launchpad.net

Description of the change

This fixes the local privilege escalation vulnerability in gdm (CVE-2011-0727). The patch is based on the upstream commit http://git.gnome.org/browse/gdm/commit/?h=gnome-2-32&id=f2eb8e2b25844d6964129e0232e022995e27e11f .

My apologies for not using the correct packaging branch the first time.

To post a comment you must log in.
321. By Steve Beattie on 2011-04-05

Merged in Robert Ancell's upload that I missed, adjust patch sequencing
to follow it.
* debian/patches/24_respect_system_minuid.patch:
  - Ignore entries from ck-history that are using system UIDs (LP: #696038)
* debian/patches/42_no_ecryptfs_autologin.patch:
  - Don't autologin ecryptfs users (LP: #284443)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'debian/changelog'
2--- debian/changelog 2011-04-01 06:45:48 +0000
3+++ debian/changelog 2011-04-05 03:45:47 +0000
4@@ -1,3 +1,13 @@
5+gdm (2.32.0-0ubuntu15) UNRELEASED; urgency=low
6+
7+ * SECURITY UPDATE: race condition allowing privilege escalation
8+ - debian/patches/43_CVE-2011-0727.patch: fix
9+ daemon/gdm-session-worker.c to copy files as session user rather
10+ than root followed by a subsequent chown. (LP: #746053)
11+ - CVE-2011-0727
12+
13+ -- Steve Beattie <sbeattie@ubuntu.com> Mon, 04 Apr 2011 20:42:03 -0700
14+
15 gdm (2.32.0-0ubuntu14) natty; urgency=low
16
17 * debian/patches/24_respect_system_minuid.patch:
18
19=== added file 'debian/patches/43_CVE-2011-0727.patch'
20--- debian/patches/43_CVE-2011-0727.patch 1970-01-01 00:00:00 +0000
21+++ debian/patches/43_CVE-2011-0727.patch 2011-04-05 03:45:47 +0000
22@@ -0,0 +1,62 @@
23+From f2eb8e2b25844d6964129e0232e022995e27e11f Mon Sep 17 00:00:00 2001
24+From: Ray Strode <rstrode@redhat.com>
25+Date: Thu, 24 Mar 2011 20:47:37 +0000
26+Subject: worker: CVE-2011-0727: change to user before copying user files
27+
28+This commit changes to a user before copying user files to prevent
29+a possible symlink local root exploit attack.
30+
31+[Ubuntu note: natty patch refreshed against 2.32.0-0ubuntu12
32+ -- sbeattie]
33+
34+---
35+ daemon/gdm-session-worker.c | 29 +++++++++++++++++------------
36+ 1 file changed, 17 insertions(+), 12 deletions(-)
37+
38+Index: b/daemon/gdm-session-worker.c
39+===================================================================
40+--- a/daemon/gdm-session-worker.c
41++++ b/daemon/gdm-session-worker.c
42+@@ -1035,17 +1035,6 @@ gdm_cache_copy_file (GdmSessionWorker *w
43+ error->message);
44+ g_error_free (error);
45+ } else {
46+- int res;
47+-
48+- res = chown (cachefilename,
49+- worker->priv->uid,
50+- worker->priv->gid);
51+- if (res == -1) {
52+- g_warning ("GdmSessionWorker: Error setting owner of cache file: %s",
53+- g_strerror (errno));
54+- }
55+-
56+- g_chmod (cachefilename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
57+ g_debug ("Copy successful");
58+ }
59+
60+@@ -1183,7 +1172,23 @@ gdm_session_worker_uninitialize_pam (Gdm
61+ return;
62+
63+ if (worker->priv->state >= GDM_SESSION_WORKER_STATE_SESSION_OPENED) {
64+- gdm_session_worker_cache_userfiles (worker);
65++ pid_t pid;
66++
67++ pid = fork ();
68++
69++ if (pid == 0) {
70++ if (setuid (worker->priv->uid) < 0) {
71++ g_debug ("GdmSessionWorker: could not reset uid: %s", g_strerror (errno));
72++ _exit (1);
73++ }
74++
75++ gdm_session_worker_cache_userfiles (worker);
76++ _exit (0);
77++ }
78++
79++ if (pid > 0) {
80++ gdm_wait_on_pid (pid);
81++ }
82+ pam_close_session (worker->priv->pam_handle, 0);
83+ gdm_session_auditor_report_logout (worker->priv->auditor);
84+
85
86=== modified file 'debian/patches/series'
87--- debian/patches/series 2011-04-01 06:45:48 +0000
88+++ debian/patches/series 2011-04-05 03:45:47 +0000
89@@ -34,3 +34,4 @@
90 40_one_lang_option_per_translation.patch
91 41_pt_time_format.patch
92 42_no_ecryptfs_autologin.patch
93+43_CVE-2011-0727.patch

Subscribers

People subscribed via source and target branches

to all changes: