diff --git a/gnome-screensaver-2.22-pwent-unlock.patch b/gnome-screensaver-2.22-pwent-unlock.patch new file mode 100644 index 0000000..e021652 --- /dev/null +++ b/gnome-screensaver-2.22-pwent-unlock.patch @@ -0,0 +1,225 @@ +Index: gnome-screensaver/src/gnome-screensaver-dialog.c +=================================================================== +--- gnome-screensaver/src/gnome-screensaver-dialog.c (revision 1398) ++++ gnome-screensaver/src/gnome-screensaver-dialog.c (working copy) +@@ -41,6 +41,8 @@ + + #include "gs-debug.h" + ++#define MAX_FAILURES 5 ++ + static gboolean verbose = FALSE; + static gboolean show_version = FALSE; + static gboolean enable_logout = FALSE; +@@ -299,8 +301,6 @@ do_auth_check (GSLockPlug *plug) + gs_lock_plug_show_message (plug, _("Authentication failed.")); + } + +- g_timeout_add (3000, (GSourceFunc)reset_idle_cb, plug); +- + printf ("NOTICE=AUTH FAILED\n"); + fflush (stdout); + +@@ -325,15 +325,28 @@ response_cb (GSLockPlug *plug, + static gboolean + auth_check_idle (GSLockPlug *plug) + { +- gboolean res; ++ gboolean res; ++ gboolean again; ++ static guint loop_counter = 0; + ++ again = TRUE; + res = do_auth_check (plug); + + if (res) { ++ again = FALSE; + g_idle_add ((GSourceFunc)quit_response_ok, NULL); ++ } else { ++ loop_counter++; ++ ++ if (loop_counter < MAX_FAILURES) { ++ g_timeout_add (3000, (GSourceFunc)reset_idle_cb, plug); ++ } else { ++ again = FALSE; ++ gtk_main_quit (); ++ } + } + +- return !res; ++ return again; + } + + static void +Index: gnome-screensaver/src/setuid.c +=================================================================== +--- gnome-screensaver/src/setuid.c (revision 1398) ++++ gnome-screensaver/src/setuid.c (working copy) +@@ -48,7 +48,7 @@ uid_gid_string (uid_t uid, + return buf; + } + +-static int ++static gboolean + set_ids_by_number (uid_t uid, + gid_t gid, + char **message_ret) +@@ -96,7 +96,7 @@ set_ids_by_number (uid_t uid, + + g_free (reason); + +- return 0; ++ return TRUE; + } else { + char *reason = NULL; + +@@ -141,9 +141,9 @@ set_ids_by_number (uid_t uid, + g_free (reason); + reason = NULL; + } +- +- return -1; ++ return FALSE; + } ++ return FALSE; + } + + +@@ -165,12 +165,21 @@ hack_uid (char **nolock_reason, + char **orig_uid, + char **uid_message) + { +- if (nolock_reason) ++ char *reason; ++ gboolean ret; ++ ++ ret = TRUE; ++ reason = NULL; ++ ++ if (nolock_reason != NULL) { + *nolock_reason = NULL; +- if (orig_uid) ++ } ++ if (orig_uid != NULL) { + *orig_uid = NULL; +- if (uid_message) ++ } ++ if (uid_message != NULL) { + *uid_message = NULL; ++ } + + /* Discard privileges, and set the effective user/group ids to the + real user/group ids. That is, give up our "chmod +s" rights. +@@ -181,12 +190,18 @@ hack_uid (char **nolock_reason, + uid_t uid = getuid (); + gid_t gid = getgid (); + +- if (orig_uid) ++ if (orig_uid != NULL) { + *orig_uid = uid_gid_string (euid, egid); ++ } ++ ++ if (uid != euid || gid != egid) { ++ if (! set_ids_by_number (uid, gid, uid_message)) { ++ reason = g_strdup ("unable to discard privileges."); + +- if (uid != euid || gid != egid) +- if (set_ids_by_number (uid, gid, uid_message) != 0) +- return FALSE; ++ ret = FALSE; ++ goto out; ++ } ++ } + } + + +@@ -200,81 +215,16 @@ hack_uid (char **nolock_reason, + and "USING XDM". + */ + if (getuid () == (uid_t) 0) { +- if (nolock_reason) +- *nolock_reason = g_strdup ("running as root"); +- return FALSE; ++ reason = g_strdup ("running as root"); ++ ret = FALSE; ++ goto out; + } + +- /* If we're running as root, switch to a safer user. This is above and +- beyond the fact that we've disabling locking, above -- the theory is +- that running graphics demos as root is just always a stupid thing +- to do, since they have probably never been security reviewed and are +- more likely to be buggy than just about any other kind of program. +- (And that assumes non-malicious code. There are also attacks here.) +- +- *** WARNING: DO NOT DISABLE THIS CODE! +- If you do so, you will open a security hole. See the sections +- of the xscreensaver manual titled "LOCKING AND ROOT LOGINS", +- and "USING XDM". +- */ +- if (getuid () == (uid_t) 0) { +- struct passwd *p; +- +- p = getpwnam ("nobody"); +- if (! p) p = getpwnam ("noaccess"); +- if (! p) p = getpwnam ("daemon"); +- if (! p) { +- g_warning ("running as root, and couldn't find a safer uid."); +- return FALSE; +- } +- +- if (set_ids_by_number (p->pw_uid, p->pw_gid, uid_message) != 0) +- return FALSE; +- } +- +- +- /* If there's anything even remotely funny looking about the passwd struct, +- or if we're running as some other user from the list below (a +- non-comprehensive selection of users known to be privileged in some way, +- and not normal end-users) then disable locking. If it was possible, +- switching to "nobody" would be the thing to do, but only root itself has +- the privs to do that. +- +- *** WARNING: DO NOT DISABLE THIS CODE! +- If you do so, you will open a security hole. See the sections +- of the xscreensaver manual titled "LOCKING AND ROOT LOGINS", +- and "USING XDM". +- */ +- { +- uid_t uid = getuid (); /* get it again */ +- struct passwd *p = getpwuid (uid); /* get it again */ +- +- if (!p || +- uid == (uid_t) 0 || +- uid == (uid_t) -1 || +- uid == (uid_t) -2 || +- p->pw_uid == (uid_t) 0 || +- p->pw_uid == (uid_t) -1 || +- p->pw_uid == (uid_t) -2 || +- !p->pw_name || +- !*p->pw_name || +- !strcmp (p->pw_name, "root") || +- !strcmp (p->pw_name, "nobody") || +- !strcmp (p->pw_name, "noaccess") || +- !strcmp (p->pw_name, "operator") || +- !strcmp (p->pw_name, "daemon") || +- !strcmp (p->pw_name, "bin") || +- !strcmp (p->pw_name, "adm") || +- !strcmp (p->pw_name, "sys") || +- !strcmp (p->pw_name, "games")) { +- if (nolock_reason) +- *nolock_reason = g_strdup_printf ("running as %s", +- (p && p->pw_name +- && *p->pw_name +- ? p->pw_name : "")); +- return FALSE; +- } ++ out: ++ if (nolock_reason != NULL) { ++ *nolock_reason = g_strdup (reason); + } ++ g_free (reason); + +- return TRUE; ++ return ret; + } diff --git a/gnome-screensaver.spec b/gnome-screensaver.spec index 2030789..31b79fc 100644 --- a/gnome-screensaver.spec +++ b/gnome-screensaver.spec @@ -13,7 +13,7 @@ Summary: GNOME Screensaver Name: gnome-screensaver Version: 2.18.2 -Release: 3%{?dist} +Release: 4%{?dist} License: GPL Group: Amusements/Graphics Source0: http://download.gnome.org/sources/gnome-screensaver/2.18/%{name}-%{version}.tar.bz2 @@ -26,8 +26,9 @@ Patch3: gnome-screensaver-2.18.0-user-dirs.patch Patch7: gnome-screensaver-2.18.0-handle-overlapping-heads.patch Patch8: gnome-screensaver-2.18.2-clear-clipboard.patch +Patch9: gnome-screensaver-2.22-pwent-unlock.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) URL: http://www.gnome.org BuildRequires: gtk2-devel => %{gtk2_version} BuildRequires: gnome-vfs2-devel => %{gnome_vfs2_version} @@ -67,12 +68,13 @@ gnome-screensaver is a screen saver and locker that aims to have simple, sane, secure defaults and be well integrated with the desktop. %prep -%setup -q +%setup -q %patch1 -p1 -b .use-floaters-by-default %patch2 -p1 -b .securitytoken %patch3 -p1 -b .user-dirs %patch7 -p1 -b .handle-overlapping-screens %patch8 -p1 -b .clear-clipboard +%patch9 -p1 -b .pwent-unlock %build autoreconf @@ -129,6 +131,9 @@ fi %{_sysconfdir}/pam.d/* %changelog +* Wed Apr 02 2008 Jon McCann - 2.20.0-12 +- Address CVE-2008-0887 (bug 440255) + * Fri Mar 28 2008 Ray Strode - 2.18.2-3 - Address CVE-2007-6389 (bug 426169)