~gnome3-team/gdm/ubuntu


Viewing changes to debian/patches/43_CVE-2011-0727.patch

  • Committer: Robert Ancell
  • Date: 2011-04-08 06:42:13 UTC
  • Revision ID: robert.ancell@canonical.com-20110408064213-yox738b5g12v1j1c
Tags: 2.32.1-0ubuntu1
releasing version 2.32.1-0ubuntu1

1
 
From f2eb8e2b25844d6964129e0232e022995e27e11f Mon Sep 17 00:00:00 2001
2
 
From: Ray Strode <rstrode@redhat.com>
3
 
Date: Thu, 24 Mar 2011 20:47:37 +0000
4
 
Subject: worker: CVE-2011-0727: change to user before copying user files
5
 
 
6
 
This commit changes to a user before copying user files to prevent
7
 
a possible symlink local root exploit attack.
8
 
 
9
 
[Ubuntu note: natty patch refreshed against 2.32.0-0ubuntu12
10
 
 -- sbeattie]
11
 
 
12
 
---
13
 
 daemon/gdm-session-worker.c |   29 +++++++++++++++++------------
14
 
 1 file changed, 17 insertions(+), 12 deletions(-)
15
 
 
16
 
Index: b/daemon/gdm-session-worker.c
17
 
===================================================================
18
 
--- a/daemon/gdm-session-worker.c
19
 
+++ b/daemon/gdm-session-worker.c
20
 
@@ -1035,17 +1035,6 @@ gdm_cache_copy_file (GdmSessionWorker *w
21
 
                                    error->message);
22
 
                         g_error_free (error);
23
 
                  } else {
24
 
-                         int res;
25
 
-
26
 
-                         res = chown (cachefilename,
27
 
-                                      worker->priv->uid,
28
 
-                                      worker->priv->gid);
29
 
-                         if (res == -1) {
30
 
-                                 g_warning ("GdmSessionWorker: Error setting owner of cache file: %s",
31
 
-                                            g_strerror (errno));
32
 
-                         }
33
 
-
34
 
-                        g_chmod (cachefilename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
35
 
                         g_debug ("Copy successful");
36
 
                 }
37
 
 
38
 
@@ -1183,7 +1172,23 @@ gdm_session_worker_uninitialize_pam (Gdm
39
 
                 return;
40
 
 
41
 
         if (worker->priv->state >= GDM_SESSION_WORKER_STATE_SESSION_OPENED) {
42
 
-                gdm_session_worker_cache_userfiles (worker);
43
 
+                pid_t pid;
44
 
+
45
 
+                pid = fork ();
46
 
+
47
 
+                if (pid == 0) {
48
 
+                        if (setuid (worker->priv->uid) < 0) {
49
 
+                                g_debug ("GdmSessionWorker: could not reset uid: %s", g_strerror (errno));
50
 
+                                _exit (1);
51
 
+                        }
52
 
+
53
 
+                        gdm_session_worker_cache_userfiles (worker);
54
 
+                        _exit (0);
55
 
+                }
56
 
+
57
 
+                if (pid > 0) {
58
 
+                        gdm_wait_on_pid (pid);
59
 
+                }
60
 
                 pam_close_session (worker->priv->pam_handle, 0);
61
 
                 gdm_session_auditor_report_logout (worker->priv->auditor);
62