Bug#697751: pu: package gdm3/2.30.5-6squeeze5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
as already discussed, I’d like to propose a stable upload for gdm3 in
order to avoid a security risk when doing upgrades.
Theoretically, with the greeter session of gdm 2.30 and the glib version
in wheezy, you could use default URI handlers, and launch things such as
a web browser. A bit of testing didn’t show any dialog from which this
could be triggered, but it’s better to be on the safe side.
Therefore this update would, when a newer glib is installed, disable all
URI handlers, as already done by gdm3 3.4 in wheezy.
Proposed diff attached.
Cheers,
--
.''`. Josselin Mouette
: :' :
`. `'
`-
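The coverage question behind the mail, as an added example that is not part of the proposed upload: this Python check lists URI schemes that some .desktop file claims through `MimeType=` but that the greeter's mimeapps.list (from the attached diff) does not override. The two sample .desktop files and the scheme `examplechat` are constructed, and the check assumes an unlisted scheme falls through to the system default, as the changelog describes.

```python
from pathlib import Path

PREFIX = "x-scheme-handler/"
# Constructed sample input: greeter list rebuilt from the diff's scheme names, plus two made-up .desktop files.
PAGE_SCHEMES = ("file ftp ghelp help http https info irc itms mailto man mms "
                "rtp rtsp sip trash webcal xmpp").split()
GREETER_LIST = "[Default Applications]\n" + "".join(
    f"{PREFIX}{s}=mime-dummy-handler.desktop\n" for s in PAGE_SCHEMES)
SAMPLE_DESKTOPS = {
    "example-browser.desktop": "[Desktop Entry]\nMimeType=text/html;x-scheme-handler/http;x-scheme-handler/https;\n",
    "example-chat.desktop": "[Desktop Entry]\nMimeType=x-scheme-handler/irc;x-scheme-handler/examplechat;\n",
}


def group_items(text, group):
    """Yield (key, value) pairs from one [group] of a desktop-style key file."""
    current = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == group and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()


def overridden_schemes(mimeapps_text):
    """Schemes given a default handler by the greeter's mimeapps.list."""
    keys = (k for k, _ in group_items(mimeapps_text, "Default Applications"))
    return {k[len(PREFIX):] for k in keys if k.startswith(PREFIX)}


def uncovered(mimeapps_text, desktop_files):
    """Map scheme -> desktop files that claim it while the greeter list has no override."""
    covered, gaps = overridden_schemes(mimeapps_text), {}
    for name, text in sorted(desktop_files.items()):
        mimes = [v for k, v in group_items(text, "Desktop Entry") if k == "MimeType"]
        for mime in ";".join(mimes).split(";"):
            if mime.startswith(PREFIX) and mime[len(PREFIX):] not in covered:
                gaps.setdefault(mime[len(PREFIX):], []).append(name)
    return gaps


def load_desktops(directory):
    """Read every *.desktop file in a directory into {file name: text}."""
    return {p.name: p.read_text(encoding="utf-8", errors="replace") for p in Path(directory).glob("*.desktop")}


if __name__ == "__main__":
    print(uncovered(GREETER_LIST, SAMPLE_DESKTOPS))
```

On an installed system, pass the text of /usr/share/gdm/greeter/applications/mimeapps.list and `load_desktops("/usr/share/applications")` to `uncovered`; an empty result means every registered scheme is overridden for the greeter.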
Index: debian/applications/mime-dummy-handler.desktop
===================================================================
--- debian/applications/mime-dummy-handler.desktop (révision 0)
+++ debian/applications/mime-dummy-handler.desktop (révision 36541)
@@ -0,0 +1,6 @@
+[Desktop Entry]
+Type=Application
+Name=Dummy URI Handler
+Exec=/bin/true %U
+Terminal=false
+StartupNotify=false
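Review bot: The desktop entry has no `NoDisplay=true` and no comment saying why it exists, so "Dummy URI Handler" can show up as a selectable application wherever handlers are listed, and a later maintainer gets no hint that `Exec=/bin/true %U` is deliberate. Suggest adding `NoDisplay=true` and a one-line `#` comment that points at the greeter's mimeapps.list.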
Index: debian/applications/mimeapps.list
===================================================================
--- debian/applications/mimeapps.list (révision 0)
+++ debian/applications/mimeapps.list (révision 36541)
@@ -0,0 +1,19 @@
+[Default Applications]
+x-scheme-handler/file=mime-dummy-handler.desktop
+x-scheme-handler/ftp=mime-dummy-handler.desktop
+x-scheme-handler/ghelp=mime-dummy-handler.desktop
+x-scheme-handler/help=mime-dummy-handler.desktop
+x-scheme-handler/http=mime-dummy-handler.desktop
+x-scheme-handler/https=mime-dummy-handler.desktop
+x-scheme-handler/info=mime-dummy-handler.desktop
+x-scheme-handler/irc=mime-dummy-handler.desktop
+x-scheme-handler/itms=mime-dummy-handler.desktop
+x-scheme-handler/mailto=mime-dummy-handler.desktop
+x-scheme-handler/man=mime-dummy-handler.desktop
+x-scheme-handler/mms=mime-dummy-handler.desktop
+x-scheme-handler/rtp=mime-dummy-handler.desktop
+x-scheme-handler/rtsp=mime-dummy-handler.desktop
+x-scheme-handler/sip=mime-dummy-handler.desktop
+x-scheme-handler/trash=mime-dummy-handler.desktop
+x-scheme-handler/webcal=mime-dummy-handler.desktop
+x-scheme-handler/xmpp=mime-dummy-handler.desktop
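Review bot: This is an enumerated list with no fallback, so a scheme that is not among the 18 `x-scheme-handler/*` keys here still resolves to whatever handler the system data directories register, because 38_greeter_datadir.patch keeps those directories in XDG_DATA_DIRS after the greeter one. A `#` comment in the file saying that it has to track newly registered schemes, or a changelog line on how the list was derived, would make that limit explicit for whoever maintains it next.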
Index: debian/patches/series
===================================================================
--- debian/patches/series (révision 36540)
+++ debian/patches/series (révision 36541)
@@ -35,5 +35,6 @@
35_double_free.patch
36_windowpath.patch
37_shutdown_buttons.patch
+38_greeter_datadir.patch
90_relibtoolize.patch
99_CVE-2011-0727.patch
Index: debian/patches/38_greeter_datadir.patch
===================================================================
--- debian/patches/38_greeter_datadir.patch (révision 0)
+++ debian/patches/38_greeter_datadir.patch (révision 36541)
@@ -0,0 +1,49 @@
+From 48705abd751e6e2f1d20b51098e1b97d74855338 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Mon, 20 Jun 2011 17:21:35 +0000
+Subject: daemon: use gnome-session session files instead of autostart
+
+Before we were doing some sort of weird hybrid thing with
+a session file and an autostart directory that wasn't that
+much different than just having an autostart directory by
+itself.
+
+Now we fully define the session component list from the session
+file, and merely provide a pool of new candidate desktop files to
+select that sessoin from.
+
+This modernizes how we use gnome-session and as a side-effect
+enables us the ability to have fallback sessions (which will
+be important when defaulting to a shell based greeter later).
+---
+(limited to 'daemon/gdm-welcome-session.c')
+(refreshed against 2.30)
+
+Index: gdm3-2.30.5/daemon/gdm-welcome-session.c
+===================================================================
+--- gdm3-2.30.5.orig/daemon/gdm-welcome-session.c 2013-01-07 12:02:30.717944131 +0100
++++ gdm3-2.30.5/daemon/gdm-welcome-session.c 2013-01-07 12:02:42.682002617 +0100
+@@ -356,6 +356,7 @@ get_welcome_environment (GdmWelcomeSessi
+ "LC_IDENTIFICATION", "LC_ALL",
+ NULL
+ };
++ char *system_data_dirs;
+ int i;
+
+ load_lang_config_file (LANG_CONFIG_FILE,
+@@ -375,6 +376,15 @@ get_welcome_environment (GdmWelcomeSessi
+ g_strdup (g_getenv (optional_environment[i])));
+ }
+
++ system_data_dirs = g_strjoinv (":", (char **) g_get_system_data_dirs ());
++
++ g_hash_table_insert (hash,
++ g_strdup ("XDG_DATA_DIRS"),
++ g_strdup_printf ("%s:%s",
++ DATADIR "/gdm/greeter",
++ system_data_dirs));
++ g_free (system_data_dirs);
++
+ if (welcome_session->priv->dbus_bus_address != NULL) {
+ g_hash_table_insert (hash,
+ g_strdup ("DBUS_SESSION_BUS_ADDRESS"),
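Review bot: The patch header still carries the upstream subject ("daemon: use gnome-session session files instead of autostart") and its description, none of which mentions the only thing the refreshed hunk does, which is to set XDG_DATA_DIRS in get_welcome_environment. Suggest a short Debian-specific description above the `---` line stating that only the XDG_DATA_DIRS part was kept and why, so that the header matches the code; "(refreshed against 2.30)" alone does not tell a reader that the session-file changes were dropped.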
Index: debian/gdm3.install
===================================================================
--- debian/gdm3.install (révision 36540)
+++ debian/gdm3.install (révision 36541)
@@ -8,3 +8,4 @@
debian/default.desktop usr/share/gdm/BuiltInSessions
data/session-setup.entries usr/share/gdm/greeter-config
debian/insserv.conf.d etc
+debian/applications usr/share/gdm/greeter
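Review bot: The destination `usr/share/gdm/greeter` is hard-coded in this line while the lookup path in 38_greeter_datadir.patch is built from `DATADIR "/gdm/greeter"`, so the two agree only when DATADIR is /usr/share. A comment here, or a build-time check, would keep a change of data directory from silently leaving the greeter without its mimeapps.list. The line also installs the whole debian/applications directory, so any file added there later ships in the greeter's data path.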
Index: debian/changelog
===================================================================
--- debian/changelog (révision 36540)
+++ debian/changelog (révision 36541)
@@ -1,3 +1,19 @@
+gdm3 (2.30.5-6squeeze5) UNRELEASED; urgency=low
+
+ * Handle partial upgrades to wheezy, where a glib version that relies
+ on x-scheme-* for URL handlers gets installed. In this case, using
+ the defaults in /usr/share/applications leads to a security
+ vulnerability where anyone can launch an URI handler from the
+ greeter session.
+ + 38_greeter_datadir.patch: modified patch from version 3.0. Add
+ XDG_DATA_DIRS to the greeter session.
+ + debian/applications/{mime-dummy-handler.desktop,mimeapps.list}:
+ copied from version 3.4. The former is a dummy handler for URIs,
+ the latter associates it with every known URI scheme.
+ + gdm3.install: install these in /usr/share/gdm/greeter/applications
+
+ -- Josselin Mouette <joss@debian.org> Mon, 07 Jan 2013 12:03:06 +0100
+
gdm3 (2.30.5-6squeeze4) stable; urgency=low
* 35_double_free.patch: stolen from 2.30.7. Fix a double free issue in
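Review bot: The new entry is marked `UNRELEASED`, which has to become `stable` (as in the 2.30.5-6squeeze4 entry below it) before upload, and `urgency=low` sits oddly next to text that describes "a security vulnerability"; worth a conscious decision on the urgency. Minor wording: "launch an URI handler" should read "launch a URI handler".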