
X Strike Force SVN commit: rev 583 - in trunk/debian: . patches



Author: branden
Date: 2003-09-25 00:53:54 -0500 (Thu, 25 Sep 2003)
New Revision: 583

Modified:
   trunk/debian/changelog
   trunk/debian/patches/000_stolen_from_HEAD.diff
   trunk/debian/patches/002_xdm_fixes.diff
Log:
SECURITY: Fix for CAN-2003-0690; xdm did not verify the return value of
the pam_setcred() function, which could allow attackers to gain root
privileges by triggering error conditions within PAM modules, as
demonstrated in certain configurations of the MIT pam_krb5 module.
Fix backported from XFree86 CVS xf-4_3-branch: xdm now checks the return
value of pam_setcred(), issues an error message if it is not zero, and
treats this situation as an authentication failure.

- debian/patches/000_stolen_from_HEAD.diff: added patch
- debian/patches/002_xdm_fixes.diff: resynced offsets; update
  pam_setcred() patch to use pam_error and pam_strerror() when reporting
  problems


Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2003-09-25 04:16:01 UTC (rev 582)
+++ trunk/debian/changelog	2003-09-25 05:53:54 UTC (rev 583)
@@ -1,7 +1,7 @@
 xfree86 (4.2.1-12) unstable; urgency=high
 
   * urgency high due to security fix for font service integer overflow attacks
-    (see below)
+    and xdm's failure to verify return value of pam_setcred() (see below)
 
   * debian/twm.menu-method: correctly escape doublequote characters in menu
     entry titles (thanks, Bill Allombert) (Closes: #193759)
@@ -242,8 +242,20 @@
     UTF-8.
     - debian/{copyright,changelog,changelog.Debian.old}: recoded with iconv
 
- -- Branden Robinson <branden@debian.org>  Wed, 24 Sep 2003 15:56:28 -0500
+  * SECURITY: Fix for CAN-2003-0690; xdm did not verify the return value of
+    the pam_setcred() function, which could allow attackers to gain root
+    privileges by triggering error conditions within PAM modules, as
+    demonstrated in certain configurations of the MIT pam_krb5 module.
+    Fix backported from XFree86 CVS xf-4_3-branch: xdm now checks the return
+    value of pam_setcred(), issues an error message if it is not zero, and
+    treats this situation as an authentication failure.
+    - debian/patches/000_stolen_from_HEAD.diff: added patch
+    - debian/patches/002_xdm_fixes.diff: resynced offsets; update
+      pam_setcred() patch to use pam_error and pam_strerror() when reporting
+      problems
 
+ -- Branden Robinson <branden@debian.org>  Wed, 24 Sep 2003 23:07:26 -0500
+
 xfree86 (4.2.1-11) unstable; urgency=medium
 
   * urgency set to medium because bug #206790 bites a lot of people (but,

Modified: trunk/debian/patches/000_stolen_from_HEAD.diff
===================================================================
--- trunk/debian/patches/000_stolen_from_HEAD.diff	2003-09-25 04:16:01 UTC (rev 582)
+++ trunk/debian/patches/000_stolen_from_HEAD.diff	2003-09-25 05:53:54 UTC (rev 583)
@@ -5411,3 +5411,18 @@
  	}
  
      if (versions[version_index].major_version > Dont_Check)
+--- xc/programs/xdm/session.c~	2003-09-24 17:23:56.000000000 -0500
++++ xc/programs/xdm/session.c	2003-09-24 17:24:02.000000000 -0500
+@@ -599,7 +599,11 @@
+ #endif   /* QNX4 doesn't support multi-groups, no initgroups() */
+ #ifdef USE_PAM
+ 	if (thepamh()) {
+-	    pam_setcred(thepamh(), PAM_ESTABLISH_CRED);
++	    if (pam_setcred(thepamh(), PAM_ESTABLISH_CRED) != PAM_SUCCESS) {
++		LogError("pam_setcred for %\"s failed, errno=%d\n",
++			 name, errno);
++		return(0);
++	    }
+ 	}
+ #endif
+ 	if (setuid(verify->uid) < 0)
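Review bot: The pam_setcred() check appended here to 000_stolen_from_HEAD.diff is removed again by the new session.c hunk in 002_xdm_fixes.diff (its `-` lines are exactly these four lines), so the two patches now depend on their application order and nothing in either patch's header records that; a sentence in the 002 patch's descriptive header such as "rewrites the pam_setcred() error path added by 000_stolen_from_HEAD.diff" would keep the next resync from breaking the removed-line context. As long as the 000 version stands on its own, the logged `errno` is not a PAM result, since PAM reports failure through the return value, so the message can point at an unrelated libc error; the `pam_strerror()` form used in 002 is the right source for the text. The `#ifdef USE_PAM` block sits inside a function whose start and end are outside this hunk.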

Modified: trunk/debian/patches/002_xdm_fixes.diff
===================================================================
--- trunk/debian/patches/002_xdm_fixes.diff	2003-09-25 04:16:01 UTC (rev 582)
+++ trunk/debian/patches/002_xdm_fixes.diff	2003-09-25 05:53:54 UTC (rev 583)
@@ -95,7 +95,8 @@
     Use _SysErrorMsg() instead of strerror().
 * session.c:
     Indent pre-processor statements.  Use _SysErrorMsg() instead of
-    strerror().  Recognize that GNU LibC-based systems as well as Linux
+    strerror(), except when handling PAM errors, when we use
+    pam_strerror().  Recognize that GNU LibC-based systems as well as Linux
     systems in general have the endpwent() function.  Recognize that GNU
     LibC-based systems as well as CSRG_BASED ones have the getpwnam() and
     crypt() functions.  Style fix: put function names flush left when
@@ -1394,9 +1395,8 @@
  	} else {
  	    user_pass = sp->sp_pwdp;
  	}
-diff -urN xc/programs/xdm~/session.c xc/programs/xdm/session.c
---- xc/programs/xdm~/session.c	2001-12-14 15:01:23.000000000 -0500
-+++ xc/programs/xdm/session.c	2003-02-23 17:04:25.000000000 -0500
+--- xc/programs/xdm/session.c~	2003-09-25 00:40:10.000000000 -0500
++++ xc/programs/xdm/session.c	2003-09-25 00:43:33.000000000 -0500
 @@ -60,17 +60,17 @@
  #endif
  
@@ -1490,8 +1490,70 @@
  #endif
  
  static void
-@@ -577,35 +583,33 @@
+@@ -246,7 +252,7 @@
+ static int
+ IOErrorHandler (Display *dpy)
+ {
+-    LogError("fatal IO error %d (%s)\n", errno, _SysErrorMsg(errno));
++    LogError ("fatal IO error %d (%s)\n", errno, _SysErrorMsg(errno));
+     exit(RESERVER_DISPLAY);
+     /*NOTREACHED*/
+     return 0;
+@@ -255,7 +261,7 @@
+ static int
+ ErrorHandler(Display *dpy, XErrorEvent *event)
+ {
+-    LogError("X error\n");
++    LogError ("X error\n");
+     if (XmuPrintDefaultErrorMessage (dpy, event, stderr) == 0) return 0;
+     exit(UNMANAGE_DISPLAY);
+     /*NOTREACHED*/
+@@ -288,13 +294,13 @@
+ #ifdef GREET_USER_STATIC
+     greet_user_proc = GreetUser;
+ #else
+-    Debug("ManageSession: loading greeter library %s\n", greeterLib);
++    Debug ("ManageSession: loading greeter library %s\n", greeterLib);
+     greet_lib_handle = dlopen(greeterLib, RTLD_NOW);
+     if (greet_lib_handle != NULL)
+ 	greet_user_proc = (GreetUserProc)dlsym(greet_lib_handle, "GreetUser");
+     if (greet_user_proc == NULL)
+ 	{
+-	LogError("%s while loading %s\n", dlerror(), greeterLib);
++	LogError ("%s while loading %s\n", dlerror(), greeterLib);
+ 	exit(UNMANAGE_DISPLAY);
+ 	}
+ #endif
+@@ -500,7 +506,7 @@
  
+ 	    code = Krb5DisplayCCache(d->name, &ccache);
+ 	    if (code)
+-		LogError("%s while getting Krb5 ccache to destroy\n",
++		LogError ("%s while getting Krb5 ccache to destroy\n",
+ 			 error_message(code));
+ 	    else {
+ 		code = krb5_cc_destroy(ccache);
+@@ -508,8 +514,8 @@
+ 		    if (code == KRB5_FCC_NOFILE) {
+ 			Debug ("No Kerberos ccache file found to destroy\n");
+ 		    } else
+-			LogError("%s while destroying Krb5 credentials cache\n",
+-				 error_message(code));
++			LogError ("%s while destroying Krb5 credentials"
++				  " cache\n", error_message(code));
+ 		} else
+ 		    Debug ("Kerberos ccache destroyed\n");
+ 		krb5_cc_close(ccache);
+@@ -537,6 +543,7 @@
+ #endif
+ #ifdef USE_PAM 
+     pam_handle_t *pamh = thepamh();
++    int pam_error;
+ #endif
+ 
+     if (verify->argv) {
+@@ -577,39 +584,38 @@
+ 
  #ifndef AIXV3
  #ifndef HAS_SETUSERCONTEXT
 -	if (setgid(verify->gid) < 0)
@@ -1526,9 +1588,17 @@
  #endif   /* QNX4 doesn't support multi-groups, no initgroups() */
  #ifdef USE_PAM
 -	if (thepamh()) {
--	    pam_setcred(thepamh(), PAM_ESTABLISH_CRED);
+-	    if (pam_setcred(thepamh(), PAM_ESTABLISH_CRED) != PAM_SUCCESS) {
+-		LogError("pam_setcred for %\"s failed, errno=%d\n",
+-			 name, errno);
+-		return(0);
 +	if (thepamh ()) {
-+	    pam_setcred (thepamh (), PAM_ESTABLISH_CRED);
++	    pam_error = pam_setcred (thepamh (), PAM_ESTABLISH_CRED);
++	    if (pam_error != PAM_SUCCESS) {
++		LogError ("pam_setcred for \"%s\" failed: %s\n", name,
++			  pam_strerror (pam_error));
++		return (0);
+ 	    }
  	}
  #endif
 -	if (setuid(verify->uid) < 0)
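Review bot: `pam_strerror (pam_error)` on the new side passes a single argument, but Linux-PAM, Solaris and OpenPAM all declare `pam_strerror(pam_handle_t *pamh, int errnum)`, so this line will not compile against those unless the target PAM still offers the old one-argument form; the `@@ -537,6 +543,7 @@` hunk above shows `pam_handle_t *pamh = thepamh();` as existing context in what appears to be the same function, so the call can be `pam_strerror (pamh, pam_error)` and the preceding line can likewise read `pam_error = pam_setcred (pamh, PAM_ESTABLISH_CRED);` rather than calling `thepamh ()` a second time. Treating any non-PAM_SUCCESS result as a failed session start with `return (0)` is the fail-closed behaviour the log message describes for CAN-2003-0690. The enclosing function starts and ends outside this hunk, so whether the caller turns that 0 into a refused session is not visible here.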
@@ -1541,7 +1611,7 @@
  	    return (0);
  	}
  #else /* HAS_SETUSERCONTEXT */
-@@ -613,20 +617,17 @@
+@@ -617,20 +623,17 @@
  	 * Set the user's credentials: uid, gid, groups,
  	 * environment variables, resource limits, and umask.
  	 */
@@ -1571,7 +1641,7 @@
  	    return (0);
  	}
  #endif /* HAS_SETUSERCONTEXT */
-@@ -635,9 +636,9 @@
+@@ -639,9 +642,9 @@
  	 * Set the user's credentials: uid, gid, groups,
  	 * audit classes, user limits, and umask.
  	 */
@@ -1584,7 +1654,7 @@
  	    return (0);
  	}
  #endif /* AIXV3 */
-@@ -751,13 +752,13 @@
+@@ -755,13 +758,13 @@
  	execute (failsafeArgv, verify->userEnviron);
  	exit (1);
      case -1:
@@ -1602,7 +1672,7 @@
  	Debug ("StartSession, fork succeeded %d\n", pid);
  	*pidp = pid;
  	return 1;
-@@ -924,9 +925,10 @@
+@@ -928,9 +931,10 @@
      return env;
  }
  
@@ -1616,7 +1686,6 @@
 +    return (s2);
  }
  #endif
-diff -urN xc/programs/xdm~/socket.c xc/programs/xdm/socket.c
 --- xc/programs/xdm~/socket.c	2001-12-14 15:01:24.000000000 -0500
 +++ xc/programs/xdm/socket.c	2003-02-23 17:04:25.000000000 -0500
 @@ -71,7 +71,7 @@


