gdm

Merge lp:~sbeattie/gdm/CVE-2011-0727-lp746053 into lp:~ubuntu-desktop/gdm/ubuntu

Proposed by Steve Beattie
Status: Merged
Merged at revision: 321
Proposed branch: lp:~sbeattie/gdm/CVE-2011-0727-lp746053
Merge into: lp:~ubuntu-desktop/gdm/ubuntu
Diff against target: 93 lines (+73/-0)
3 files modified
debian/changelog (+10/-0)
debian/patches/43_CVE-2011-0727.patch (+62/-0)
debian/patches/series (+1/-0)
To merge this branch: bzr merge lp:~sbeattie/gdm/CVE-2011-0727-lp746053
Reviewer: Ubuntu Desktop
Review status: Pending
Review via email: mp+56283@code.launchpad.net

Description of the change

This fixes the local privilege escalation vulnerability in gdm (CVE-2011-0727). The patch is based on the upstream commit http://git.gnome.org/browse/gdm/commit/?h=gnome-2-32&id=f2eb8e2b25844d6964129e0232e022995e27e11f .

My apologies for not using the correct packaging branch the first time.

321. By Steve Beattie

Merged in Robert Ancell's upload that I missed, adjust patch sequencing
to follow it.
* debian/patches/24_respect_system_minuid.patch:
  - Ignore entries from ck-history that are using system UIDs (LP: #696038)
* debian/patches/42_no_ecryptfs_autologin.patch:
  - Don't autologin ecryptfs users (LP: #284443)

Preview Diff

=== modified file 'debian/changelog'
--- debian/changelog 2011-04-01 06:45:48 +0000
+++ debian/changelog 2011-04-05 03:45:47 +0000
@@ -1,3 +1,13 @@
1gdm (2.32.0-0ubuntu15) UNRELEASED; urgency=low
2
3 * SECURITY UPDATE: race condition allowing privilege escalation
4 - debian/patches/43_CVE-2011-0727.patch: fix
5 daemon/gdm-session-worker.c to copy files as session user rather
6 than root followed by a subsequent chown. (LP: #746053)
7 - CVE-2011-0727
8
9 -- Steve Beattie <sbeattie@ubuntu.com> Mon, 04 Apr 2011 20:42:03 -0700
10
1gdm (2.32.0-0ubuntu14) natty; urgency=low11gdm (2.32.0-0ubuntu14) natty; urgency=low
212
3 * debian/patches/24_respect_system_minuid.patch:13 * debian/patches/24_respect_system_minuid.patch:
414
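Review bot: The new 2.32.0-0ubuntu15 header line carries urgency=low while the entry's first bullet is a SECURITY UPDATE for a privilege escalation race. Consider raising the urgency on that line so the changelog metadata matches the severity the entry itself describes. The wording of the fix (copy as session user instead of copy as root followed by a chown) is accurate against the patch and fine as is.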
=== added file 'debian/patches/43_CVE-2011-0727.patch'
--- debian/patches/43_CVE-2011-0727.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/43_CVE-2011-0727.patch 2011-04-05 03:45:47 +0000
@@ -0,0 +1,62 @@
1From f2eb8e2b25844d6964129e0232e022995e27e11f Mon Sep 17 00:00:00 2001
2From: Ray Strode <rstrode@redhat.com>
3Date: Thu, 24 Mar 2011 20:47:37 +0000
4Subject: worker: CVE-2011-0727: change to user before copying user files
5
6This commit changes to a user before copying user files to prevent
7a possible symlink local root exploit attack.
8
9[Ubuntu note: natty patch refreshed against 2.32.0-0ubuntu12
10 -- sbeattie]
11
12---
13 daemon/gdm-session-worker.c | 29 +++++++++++++++++------------
14 1 file changed, 17 insertions(+), 12 deletions(-)
15
16Index: b/daemon/gdm-session-worker.c
17===================================================================
18--- a/daemon/gdm-session-worker.c
19+++ b/daemon/gdm-session-worker.c
20@@ -1035,17 +1035,6 @@ gdm_cache_copy_file (GdmSessionWorker *w
21 error->message);
22 g_error_free (error);
23 } else {
24- int res;
25-
26- res = chown (cachefilename,
27- worker->priv->uid,
28- worker->priv->gid);
29- if (res == -1) {
30- g_warning ("GdmSessionWorker: Error setting owner of cache file: %s",
31- g_strerror (errno));
32- }
33-
34- g_chmod (cachefilename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
35 g_debug ("Copy successful");
36 }
37
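Review bot: With the chown and g_chmod calls removed from the success branch of gdm_cache_copy_file, nothing in this function sets the cache file's mode any more; it was previously forced to S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH. Ownership is covered by running the copy as the user, but the mode is now left to whatever the copy and the process umask produce. If anything other than the user has to read the cached files, please confirm the resulting mode is still sufficient, or state in the patch header that the explicit mode is dropped on purpose.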
38@@ -1183,7 +1172,23 @@ gdm_session_worker_uninitialize_pam (Gdm
39 return;
40
41 if (worker->priv->state >= GDM_SESSION_WORKER_STATE_SESSION_OPENED) {
42- gdm_session_worker_cache_userfiles (worker);
43+ pid_t pid;
44+
45+ pid = fork ();
46+
47+ if (pid == 0) {
48+ if (setuid (worker->priv->uid) < 0) {
49+ g_debug ("GdmSessionWorker: could not reset uid: %s", g_strerror (errno));
50+ _exit (1);
51+ }
52+
53+ gdm_session_worker_cache_userfiles (worker);
54+ _exit (0);
55+ }
56+
57+ if (pid > 0) {
58+ gdm_wait_on_pid (pid);
59+ }
60 pam_close_session (worker->priv->pam_handle, 0);
61 gdm_session_auditor_report_logout (worker->priv->auditor);
62
063
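Review bot: In the child branch (pid == 0) only setuid (worker->priv->uid) is called before gdm_session_worker_cache_userfiles, so the copy still runs with the process's existing group ID and supplementary groups. The removed chown used worker->priv->gid, so the value is available: suggest calling setgid (worker->priv->gid) and dropping supplementary groups before the setuid, and exiting the child with _exit (1) if either fails. Two smaller points: a failed fork (pid < 0) is skipped silently and deserves a g_warning, and the setuid failure is logged with g_debug although it means the user files were not cached.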
=== modified file 'debian/patches/series'
--- debian/patches/series 2011-04-01 06:45:48 +0000
+++ debian/patches/series 2011-04-05 03:45:47 +0000
@@ -34,3 +34,4 @@
3440_one_lang_option_per_translation.patch3440_one_lang_option_per_translation.patch
3541_pt_time_format.patch3541_pt_time_format.patch
3642_no_ecryptfs_autologin.patch3642_no_ecryptfs_autologin.patch
3743_CVE-2011-0727.patch
