
From: Andreas Sturmlechner <asturm@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: x11-misc/sddm/, x11-misc/sddm/files/
Date: Fri, 01 Apr 2022 14:48:57
Message-Id: 1648824427.943445b50d918a2a5ac0712105e109973147eb6e.asturm@gentoo
1 commit: 943445b50d918a2a5ac0712105e109973147eb6e
2 Author: Conrad Kostecki <conikost <AT> gentoo <DOT> org>
3 AuthorDate: Sun Mar 27 19:42:50 2022 +0000
4 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
5 CommitDate: Fri Apr 1 14:47:07 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=943445b5
7
8 x11-misc/sddm: migrate to glep-81
9
10 Also added tmpfiles handling and a patch for CVE-2020-28049.
11
12 Bug: https://bugs.gentoo.org/753104
13 Closes: https://bugs.gentoo.org/802306
14 Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>
15 Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>
16
17 .../sddm/files/sddm-0.18.1-cve-2020-28049.patch | 94 +++++++++++++++++
18 x11-misc/sddm/files/sddm.tmpfiles | 1 +
19 x11-misc/sddm/sddm-0.18.1-r6.ebuild | 116 +++++++++++++++++++++
20 3 files changed, 211 insertions(+)
21
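--- /dev/null
+++ b/x11-misc/sddm/files/sddm-0.18.1-cve-2020-28049.patch
@@ -0,0 +1,94 @@
+From be202f533ab98a684c6a007e8d5b4357846bc222 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@×××××××××××.de>
+Date: Tue, 6 Oct 2020 21:21:38 +0200
+Subject: [PATCH] Fix X not having access control on startup
+
+If the auth file is empty, X allows any local application (= any user on the
+system) to connect. This is currently the case until X wrote the display
+number to sddm and sddm used that to write the entry into the file.
+To work around this chicken-and-egg problem, make use of the fact that X
+doesn't actually look at the display number in the passed auth file and just
+use :0 unconditionally. Also make sure that writing the entry was actually
+successful.
+
+CVE-2020-28049
+---
+ src/daemon/XorgDisplayServer.cpp | 25 ++++++++++++++++++++-----
+ src/daemon/XorgDisplayServer.h | 2 +-
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/src/daemon/XorgDisplayServer.cpp b/src/daemon/XorgDisplayServer.cpp
+index d04f6344..df685b2d 100644
+--- a/src/daemon/XorgDisplayServer.cpp
++++ b/src/daemon/XorgDisplayServer.cpp
+@@ -88,7 +88,7 @@ namespace SDDM {
+ return m_cookie;
+ }
+
+- void XorgDisplayServer::addCookie(const QString &file) {
++ bool XorgDisplayServer::addCookie(const QString &file) {
+ // log message
+ qDebug() << "Adding cookie to" << file;
+
+@@ -104,13 +104,13 @@ namespace SDDM {
+
+ // check file
+ if (!fp)
+- return;
++ return false;
+ fprintf(fp, "remove %s\n", qPrintable(m_display));
+ fprintf(fp, "add %s . %s\n", qPrintable(m_display), qPrintable(m_cookie));
+ fprintf(fp, "exit\n");
+
+ // close pipe
+- pclose(fp);
++ return pclose(fp) == 0;
+ }
+
+ bool XorgDisplayServer::start() {
+@@ -127,6 +127,15 @@ namespace SDDM {
+ // log message
+ qDebug() << "Display server starting...";
+
++ // generate auth file.
++ // For the X server's copy, the display number doesn't matter.
++ // An empty file would result in no access control!
++ m_display = QStringLiteral(":0");
++ if(!addCookie(m_authPath)) {
++ qCritical() << "Failed to write xauth file";
++ return false;
++ }
++
+ if (daemonApp->testing()) {
+ QStringList args;
+ QDir x11socketDir(QStringLiteral("/tmp/.X11-unix"));
+@@ -217,8 +226,14 @@ namespace SDDM {
+ emit started();
+ }
+
+- // generate auth file
+- addCookie(m_authPath);
++ // The file is also used by the greeter, which does care about the
++ // display number. Write the proper entry, if it's different.
++ if(m_display != QStringLiteral(":0")) {
++ if(!addCookie(m_authPath)) {
++ qCritical() << "Failed to write xauth file";
++ return false;
++ }
++ }
+ changeOwner(m_authPath);
+
+ // set flag
+diff --git a/src/daemon/XorgDisplayServer.h b/src/daemon/XorgDisplayServer.h
+index d2bdf6d4..e97a0b53 100644
+--- a/src/daemon/XorgDisplayServer.h
++++ b/src/daemon/XorgDisplayServer.h
+@@ -40,7 +40,7 @@ namespace SDDM {
+
+ const QString &cookie() const;
+
+- void addCookie(const QString &file);
++ bool addCookie(const QString &file);
+
+ public slots:
+ bool start();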
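Review bot: In the addCookie hunk, success is derived only from xauth's exit status (`return pclose(fp) == 0;`) while the three fprintf calls that send the `remove`/`add`/`exit` commands stay unchecked; pclose reports the child's termination status, not whether the buffered commands reached it, so a write failure on the pipe can still yield `true` and let start() continue as if the cookie had been installed, which is the condition this patch exists to close. Flushing and checking the stream before closing it, `if (fflush(fp) != 0) { pclose(fp); return false; }` placed just before the `// close pipe` line, ties the result to the write as well as to the exit status. The popen call that opens `fp` sits between the first and second hunks and is not shown here. Since this file is a verbatim upstream commit, that change belongs upstream or in a separate follow-up patch rather than as a local edit to the backport.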
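--- /dev/null
+++ b/x11-misc/sddm/files/sddm.tmpfiles
@@ -0,0 +1 @@
+d /var/lib/sddm 0755 sddm sddm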
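Review bot: The new tmpfiles entry creates `/var/lib/sddm` world-readable (`0755`). If the directory holds only the sddm user's own state (presumably the account's home directory, though that is not visible here), `d /var/lib/sddm 0750 sddm sddm` would keep other local users out of it without affecting the display manager. Worth confirming against the mode acct-user/sddm applies to the same path so the two definitions do not disagree at boot.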
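--- /dev/null
+++ b/x11-misc/sddm/sddm-0.18.1-r6.ebuild
@@ -0,0 +1,116 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PLOCALES="ar bn ca cs da de es et fi fr hi_IN hu is it ja kk ko lt lv nb nl nn pl pt_BR pt_PT ro ru sk sr sr@ijekavian sr@ijekavianlatin sr@latin sv tr uk zh_CN zh_TW"
+inherit cmake plocale systemd tmpfiles
+
+DESCRIPTION="Simple Desktop Display Manager"
+HOMEPAGE="https://github.com/sddm/sddm"
+SRC_URI="https://github.com/${PN}/${PN}/releases/download/v${PV}/${P}.tar.xz"
+
+LICENSE="GPL-2+ MIT CC-BY-3.0 CC-BY-SA-3.0 public-domain"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="elogind +pam systemd test"
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="?? ( elogind systemd )"
+
+BDEPEND="
+ dev-python/docutils
+ >=dev-qt/linguist-tools-5.9.4:5
+ kde-frameworks/extra-cmake-modules:5
+ virtual/pkgconfig
+"
+RDEPEND="
+ acct-group/sddm
+ acct-user/sddm
+ >=dev-qt/qtcore-5.9.4:5
+ >=dev-qt/qtdbus-5.9.4:5
+ >=dev-qt/qtdeclarative-5.9.4:5
+ >=dev-qt/qtgui-5.9.4:5
+ >=dev-qt/qtnetwork-5.9.4:5
+ >=x11-base/xorg-server-1.15.1
+ x11-libs/libxcb[xkb]
+ elogind? ( sys-auth/elogind )
+ pam? ( sys-libs/pam )
+ !pam? ( virtual/libcrypt:= )
+ systemd? ( sys-apps/systemd:= )
+ !systemd? ( sys-power/upower )
+"
+DEPEND="${RDEPEND}
+ test? ( >=dev-qt/qttest-5.9.4:5 )
+"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-0.12.0-respect-user-flags.patch"
+ "${FILESDIR}/${PN}-0.18.0-Xsession.patch" # bug 611210
+ "${FILESDIR}/${PN}-0.18.0-sddmconfdir.patch"
+ # fix for groups: https://github.com/sddm/sddm/issues/1159
+ "${FILESDIR}/${P}-revert-honor-PAM-supplemental-groups.patch"
+ "${FILESDIR}/${P}-honor-PAM-supplemental-groups-v2.patch"
+ # fix for ReuseSession=true
+ "${FILESDIR}/${P}-only-reuse-online-sessions.patch"
+ # TODO: fix properly
+ "${FILESDIR}/${PN}-0.16.0-ck2-revert.patch" # bug 633920
+ "${FILESDIR}/pam-1.4-substack.patch"
+ # upstream git develop branch:
+ "${FILESDIR}/${P}-qt-5.15.2.patch"
+ # bug 753104
+ "${FILESDIR}/${P}-cve-2020-28049.patch"
+)
+
+src_prepare() {
+ cmake_src_prepare
+
+ disable_locale() {
+ sed -e "/${1}\.ts/d" -i data/translations/CMakeLists.txt || die
+ }
+ plocale_find_changes "data/translations" "" ".ts"
+ plocale_for_each_disabled_locale disable_locale
+
+ if ! use test; then
+ sed -e "/^find_package/s/ Test//" -i CMakeLists.txt || die
+ cmake_comment_add_subdirectory test
+ fi
+}
+
+src_configure() {
+ local mycmakeargs=(
+ -DENABLE_PAM=$(usex pam)
+ -DNO_SYSTEMD=$(usex '!systemd')
+ -DUSE_ELOGIND=$(usex 'elogind')
+ -DBUILD_MAN_PAGES=ON
+ -DDBUS_CONFIG_FILENAME="org.freedesktop.sddm.conf"
+ )
+ cmake_src_configure
+}
+
+src_install() {
+ cmake_src_install
+
+ newtmpfiles "${FILESDIR}/${PN}.tmpfiles" "${PN}.conf"
+
+ # Create a default.conf as upstream dropped /etc/sddm.conf w/o replacement
+ local confd="/usr/share/sddm/sddm.conf.d"
+ dodir ${confd}
+ "${D}"/usr/bin/sddm --example-config > "${D}/${confd}"/00default.conf \
+ || die "Failed to create 00default.conf"
+
+ sed -e "/^InputMethod/s/qtvirtualkeyboard//" \
+ -e "/^ReuseSession/s/false/true/" \
+ -e "/^EnableHiDPI/s/false/true/" \
+ -i "${D}/${confd}"/00default.conf || die
+}
+
+pkg_postinst() {
+ tmpfiles_process "${PN}.conf"
+
+ elog "Starting with 0.18.0, SDDM no longer installs /etc/sddm.conf"
+ elog "Use it to override specific options. SDDM defaults are now"
+ elog "found in: /usr/share/sddm/sddm.conf.d/00default.conf"
+
+ systemd_reenable sddm.service
+}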
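Review bot: src_install generates 00default.conf by executing the just-installed binary (`"${D}"/usr/bin/sddm --example-config`), which only works when the build host can run the target executable; if cross-compiling is not meant to be supported for this package that is acceptable, but a comment on that line stating the assumption, e.g. `# runs the freshly built sddm; needs a natively executable binary`, would save the next maintainer a surprise. The same function quotes every other expansion but leaves `dodir ${confd}` bare; `dodir "${confd}"` matches the surrounding style.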