commit: 943445b50d918a2a5ac0712105e109973147eb6e |
Author: Conrad Kostecki <conikost <AT> gentoo <DOT> org> |
AuthorDate: Sun Mar 27 19:42:50 2022 +0000 |
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
CommitDate: Fri Apr 1 14:47:07 2022 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=943445b5 |
|
x11-misc/sddm: migrate to glep-81 |
|
Also added tmpfiles handling and patch for CVE-2020-28049. |
|
Bug: https://bugs.gentoo.org/753104 |
Closes: https://bugs.gentoo.org/802306 |
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org> |
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> |
|
.../sddm/files/sddm-0.18.1-cve-2020-28049.patch | 94 +++++++++++++++++ |
x11-misc/sddm/files/sddm.tmpfiles | 1 + |
x11-misc/sddm/sddm-0.18.1-r6.ebuild | 116 +++++++++++++++++++++ |
3 files changed, 211 insertions(+) |
|
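diff --git a/x11-misc/sddm/files/sddm-0.18.1-cve-2020-28049.patch b/x11-misc/sddm/files/sddm-0.18.1-cve-2020-28049.patch
new file mode 100644
index 000000000000..8209c0739dc6
--- /dev/null
+++ b/x11-misc/sddm/files/sddm-0.18.1-cve-2020-28049.patch
@@ -0,0 +1,94 @@
+From be202f533ab98a684c6a007e8d5b4357846bc222 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@×××××××××××.de>
+Date: Tue, 6 Oct 2020 21:21:38 +0200
+Subject: [PATCH] Fix X not having access control on startup
+
+If the auth file is empty, X allows any local application (= any user on the
+system) to connect. This is currently the case until X wrote the display
+number to sddm and sddm used that to write the entry into the file.
+To work around this chicken-and-egg problem, make use of the fact that X
+doesn't actually look at the display number in the passed auth file and just
+use :0 unconditionally. Also make sure that writing the entry was actually
+successful.
+
+CVE-2020-28049
+---
+ src/daemon/XorgDisplayServer.cpp | 25 ++++++++++++++++++++-----
+ src/daemon/XorgDisplayServer.h | 2 +-
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/src/daemon/XorgDisplayServer.cpp b/src/daemon/XorgDisplayServer.cpp
+index d04f6344..df685b2d 100644
+--- a/src/daemon/XorgDisplayServer.cpp
++++ b/src/daemon/XorgDisplayServer.cpp
+@@ -88,7 +88,7 @@ namespace SDDM {
+ return m_cookie;
+ }
+
+- void XorgDisplayServer::addCookie(const QString &file) {
++ bool XorgDisplayServer::addCookie(const QString &file) {
+ // log message
+ qDebug() << "Adding cookie to" << file;
+
+@@ -104,13 +104,13 @@ namespace SDDM {
+
+ // check file
+ if (!fp)
+- return;
++ return false;
+ fprintf(fp, "remove %s\n", qPrintable(m_display));
+ fprintf(fp, "add %s . %s\n", qPrintable(m_display), qPrintable(m_cookie));
+ fprintf(fp, "exit\n");
+
+ // close pipe
+- pclose(fp);
++ return pclose(fp) == 0;
+ }
+
+ bool XorgDisplayServer::start() {
+@@ -127,6 +127,15 @@ namespace SDDM {
+ // log message
+ qDebug() << "Display server starting...";
+
++ // generate auth file.
++ // For the X server's copy, the display number doesn't matter.
++ // An empty file would result in no access control!
++ m_display = QStringLiteral(":0");
++ if(!addCookie(m_authPath)) {
++ qCritical() << "Failed to write xauth file";
++ return false;
++ }
++
+ if (daemonApp->testing()) {
+ QStringList args;
+ QDir x11socketDir(QStringLiteral("/tmp/.X11-unix"));
+@@ -217,8 +226,14 @@ namespace SDDM {
+ emit started();
+ }
+
+- // generate auth file
+- addCookie(m_authPath);
++ // The file is also used by the greeter, which does care about the
++ // display number. Write the proper entry, if it's different.
++ if(m_display != QStringLiteral(":0")) {
++ if(!addCookie(m_authPath)) {
++ qCritical() << "Failed to write xauth file";
++ return false;
++ }
++ }
+ changeOwner(m_authPath);
+
+ // set flag
+diff --git a/src/daemon/XorgDisplayServer.h b/src/daemon/XorgDisplayServer.h
+index d2bdf6d4..e97a0b53 100644
+--- a/src/daemon/XorgDisplayServer.h
++++ b/src/daemon/XorgDisplayServer.h
+@@ -40,7 +40,7 @@ namespace SDDM {
+
+ const QString &cookie() const;
+
+- void addCookie(const QString &file);
++ bool addCookie(const QString &file);
+
+ public slots:
+ bool start();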
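Review bot: The late failure path added in the `@@ -217,8 +226,14 @@` hunk returns false after `emit started()` has already fired, so the X server keeps running with the `:0`-only auth file while the daemon reports startup as failed; whether the caller of `start()` stops the display server on a false return is outside this hunk, and if it does not, the stop path should be invoked before that `return false;`. A smaller point in the same hunk: the second `addCookie()` does `remove`/`add` only for the real display number, so the provisional `:0` entry written before X was launched stays in the file that is then handed to the greeter via `changeOwner()`; issuing `remove :0` there (or rewriting the file) would leave the greeter with exactly the entry it needs. The fix also rests on Xorg ignoring the display field of entries in its `-auth` file, which the commit message asserts but nothing in `addCookie()` records; a comment at the `:0` assignment such as `// Xorg matches -auth entries on the cookie only, so a :0 entry protects whatever display it ends up on` would keep that assumption visible to the next reader. Note that the three `fprintf()` results are still unchecked, so a short write to the pipe is caught only if xauth itself exits non-zero.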
|
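diff --git a/x11-misc/sddm/files/sddm.tmpfiles b/x11-misc/sddm/files/sddm.tmpfiles
new file mode 100644
index 000000000000..300d646138c1
--- /dev/null
+++ b/x11-misc/sddm/files/sddm.tmpfiles
@@ -0,0 +1 @@
+d /var/lib/sddm 0755 sddm sddm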
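Review bot: `/var/lib/sddm` is created world-readable and world-searchable (`0755`), yet the only principal this commit shows using it is the `sddm` user, so whatever the daemon or greeter keeps there becomes listable by every local account. Unless something outside sddm has to read this directory, I would tighten the line to `d /var/lib/sddm 0750 sddm sddm`. Because `pkg_postinst` runs `tmpfiles_process` on this file, the mode declared here is the one that ends up on disk even on installations where the directory already exists, so it is worth choosing deliberately.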
|
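diff --git a/x11-misc/sddm/sddm-0.18.1-r6.ebuild b/x11-misc/sddm/sddm-0.18.1-r6.ebuild
new file mode 100644
index 000000000000..ee7fbfa1a60b
--- /dev/null
+++ b/x11-misc/sddm/sddm-0.18.1-r6.ebuild
@@ -0,0 +1,116 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PLOCALES="ar bn ca cs da de es et fi fr hi_IN hu is it ja kk ko lt lv nb nl nn pl pt_BR pt_PT ro ru sk sr sr@ijekavian sr@ijekavianlatin sr@latin sv tr uk zh_CN zh_TW"
+inherit cmake plocale systemd tmpfiles
+
+DESCRIPTION="Simple Desktop Display Manager"
+HOMEPAGE="https://github.com/sddm/sddm"
+SRC_URI="https://github.com/${PN}/${PN}/releases/download/v${PV}/${P}.tar.xz"
+
+LICENSE="GPL-2+ MIT CC-BY-3.0 CC-BY-SA-3.0 public-domain"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="elogind +pam systemd test"
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="?? ( elogind systemd )"
+
+BDEPEND="
+ dev-python/docutils
+ >=dev-qt/linguist-tools-5.9.4:5
+ kde-frameworks/extra-cmake-modules:5
+ virtual/pkgconfig
+"
+RDEPEND="
+ acct-group/sddm
+ acct-user/sddm
+ >=dev-qt/qtcore-5.9.4:5
+ >=dev-qt/qtdbus-5.9.4:5
+ >=dev-qt/qtdeclarative-5.9.4:5
+ >=dev-qt/qtgui-5.9.4:5
+ >=dev-qt/qtnetwork-5.9.4:5
+ >=x11-base/xorg-server-1.15.1
+ x11-libs/libxcb[xkb]
+ elogind? ( sys-auth/elogind )
+ pam? ( sys-libs/pam )
+ !pam? ( virtual/libcrypt:= )
+ systemd? ( sys-apps/systemd:= )
+ !systemd? ( sys-power/upower )
+"
+DEPEND="${RDEPEND}
+ test? ( >=dev-qt/qttest-5.9.4:5 )
+"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-0.12.0-respect-user-flags.patch"
+ "${FILESDIR}/${PN}-0.18.0-Xsession.patch" # bug 611210
+ "${FILESDIR}/${PN}-0.18.0-sddmconfdir.patch"
+ # fix for groups: https://github.com/sddm/sddm/issues/1159
+ "${FILESDIR}/${P}-revert-honor-PAM-supplemental-groups.patch"
+ "${FILESDIR}/${P}-honor-PAM-supplemental-groups-v2.patch"
+ # fix for ReuseSession=true
+ "${FILESDIR}/${P}-only-reuse-online-sessions.patch"
+ # TODO: fix properly
+ "${FILESDIR}/${PN}-0.16.0-ck2-revert.patch" # bug 633920
+ "${FILESDIR}/pam-1.4-substack.patch"
+ # upstream git develop branch:
+ "${FILESDIR}/${P}-qt-5.15.2.patch"
+ # bug 753104
+ "${FILESDIR}/${P}-cve-2020-28049.patch"
+)
+
+src_prepare() {
+ cmake_src_prepare
+
+ disable_locale() {
+ sed -e "/${1}\.ts/d" -i data/translations/CMakeLists.txt || die
+ }
+ plocale_find_changes "data/translations" "" ".ts"
+ plocale_for_each_disabled_locale disable_locale
+
+ if ! use test; then
+ sed -e "/^find_package/s/ Test//" -i CMakeLists.txt || die
+ cmake_comment_add_subdirectory test
+ fi
+}
+
+src_configure() {
+ local mycmakeargs=(
+ -DENABLE_PAM=$(usex pam)
+ -DNO_SYSTEMD=$(usex '!systemd')
+ -DUSE_ELOGIND=$(usex 'elogind')
+ -DBUILD_MAN_PAGES=ON
+ -DDBUS_CONFIG_FILENAME="org.freedesktop.sddm.conf"
+ )
+ cmake_src_configure
+}
+
+src_install() {
+ cmake_src_install
+
+ newtmpfiles "${FILESDIR}/${PN}.tmpfiles" "${PN}.conf"
+
+ # Create a default.conf as upstream dropped /etc/sddm.conf w/o replacement
+ local confd="/usr/share/sddm/sddm.conf.d"
+ dodir ${confd}
+ "${D}"/usr/bin/sddm --example-config > "${D}/${confd}"/00default.conf \
+ || die "Failed to create 00default.conf"
+
+ sed -e "/^InputMethod/s/qtvirtualkeyboard//" \
+ -e "/^ReuseSession/s/false/true/" \
+ -e "/^EnableHiDPI/s/false/true/" \
+ -i "${D}/${confd}"/00default.conf || die
+}
+
+pkg_postinst() {
+ tmpfiles_process "${PN}.conf"
+
+ elog "Starting with 0.18.0, SDDM no longer installs /etc/sddm.conf"
+ elog "Use it to override specific options. SDDM defaults are now"
+ elog "found in: /usr/share/sddm/sddm.conf.d/00default.conf"
+
+ systemd_reenable sddm.service
+}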
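Review bot: `RDEPEND` does not list `x11-apps/xauth`, yet the CVE-2020-28049 patch pulled in via `PATCHES` feeds `add`/`remove` commands to a pipe whose `pclose()` status now gates `start()`, so a host without the `xauth` binary goes from an unprotected display to a display manager that never comes up; if the binary is currently reached only transitively (e.g. through `x11-base/xorg-server`), declare it directly with `x11-apps/xauth` next to `>=x11-base/xorg-server-1.15.1`. A minor style point in `src_install`: `dodir ${confd}` is the one unquoted use of the variable while the following two lines quote it; `dodir "${confd}"` keeps the block consistent.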