
X Strike Force SVN commit: rev 584 - in branches/4.3.0/sid/debian: . patches



Author: branden
Date: 2003-09-25 00:57:32 -0500 (Thu, 25 Sep 2003)
New Revision: 584

Modified:
   branches/4.3.0/sid/debian/changelog
   branches/4.3.0/sid/debian/patches/002_xdm_fixes.diff
Log:
Update pam_setcred() security fix to xdm to use pam_error and
pam_strerror().

Also make some cosmetic updates to xc/programs/xdm/session.c for stylistic
consistency.

- debian/patches/002_xdm_fixes.diff


Modified: branches/4.3.0/sid/debian/changelog
===================================================================
--- branches/4.3.0/sid/debian/changelog	2003-09-25 05:53:54 UTC (rev 583)
+++ branches/4.3.0/sid/debian/changelog	2003-09-25 05:57:32 UTC (rev 584)
@@ -1,3 +1,11 @@
+xfree86 (4.3.0-0pre1v3) experimental; urgency=low
+
+  * Update pam_setcred() security fix to xdm to use pam_error and
+    pam_strerror().
+    - debian/patches/002_xdm_fixes.diff
+
+ -- Branden Robinson <branden@debian.org>  Thu, 25 Sep 2003 00:55:11 -0500
+
 xfree86 (4.3.0-0pre1v2) experimental; urgency=low
 
   * debian/patches/911_debian_XF86Config_to_XF86Config-4.diff: merge this

Modified: branches/4.3.0/sid/debian/patches/002_xdm_fixes.diff
===================================================================
--- branches/4.3.0/sid/debian/patches/002_xdm_fixes.diff	2003-09-25 05:53:54 UTC (rev 583)
+++ branches/4.3.0/sid/debian/patches/002_xdm_fixes.diff	2003-09-25 05:57:32 UTC (rev 584)
@@ -93,7 +93,8 @@
     Use _SysErrorMsg() instead of strerror().
 * xc/programs/xdm/session.c:
     Indent pre-processor statements.  Use _SysErrorMsg() instead of
-    strerror().  Recognize that GNU LibC-based systems as well as Linux
+    strerror(), except when handling PAM errors, when we use
+    pam_strerror().  Recognize that GNU LibC-based systems as well as Linux
     systems in general have the endpwent() function.  Recognize that GNU
     LibC-based systems as well as CSRG_BASED ones have the getpwnam() and
     crypt() functions.  Style fix: put function names flush left when
@@ -2552,9 +2553,8 @@
      XSetIOErrorHandler (oldError);
      return 1;
  }
-diff -urN xc/programs/xdm~/session.c xc/programs/xdm/session.c
---- xc/programs/xdm~/session.c	2003-09-21 15:39:23.000000000 -0500
-+++ xc/programs/xdm/session.c	2003-09-21 15:40:41.000000000 -0500
+--- xc/programs/xdm/session.c~	2003-09-25 00:19:35.000000000 -0500
++++ xc/programs/xdm/session.c	2003-09-25 00:29:10.000000000 -0500
 @@ -61,17 +61,17 @@
  #endif
  
@@ -2648,6 +2648,40 @@
  #endif
  
  static void
+@@ -251,7 +257,7 @@
+ static int
+ IOErrorHandler (Display *dpy)
+ {
+-    LogError("fatal IO error %d (%s)\n", errno, _SysErrorMsg(errno));
++    LogError ("fatal IO error %d (%s)\n", errno, _SysErrorMsg(errno));
+     exit(RESERVER_DISPLAY);
+     /*NOTREACHED*/
+     return 0;
+@@ -260,7 +266,7 @@
+ static int
+ ErrorHandler(Display *dpy, XErrorEvent *event)
+ {
+-    LogError("X error\n");
++    LogError ("X error\n");
+     if (XmuPrintDefaultErrorMessage (dpy, event, stderr) == 0) return 0;
+     exit(UNMANAGE_DISPLAY);
+     /*NOTREACHED*/
+@@ -293,13 +299,13 @@
+ #ifdef GREET_USER_STATIC
+     greet_user_proc = GreetUser;
+ #else
+-    Debug("ManageSession: loading greeter library %s\n", greeterLib);
++    Debug ("ManageSession: loading greeter library %s\n", greeterLib);
+     greet_lib_handle = dlopen(greeterLib, RTLD_NOW);
+     if (greet_lib_handle != NULL)
+ 	greet_user_proc = (GreetUserProc)dlsym(greet_lib_handle, "GreetUser");
+     if (greet_user_proc == NULL)
+ 	{
+-	LogError("%s while loading %s\n", dlerror(), greeterLib);
++	LogError ("%s while loading %s\n", dlerror (), greeterLib);
+ 	exit(UNMANAGE_DISPLAY);
+ 	}
+ #endif
 @@ -321,7 +327,7 @@
  	     *	   setting up environment and running the session
  	     */
@@ -2684,15 +2718,28 @@
      XGrabServer (dpy);
      if (XGrabKeyboard (dpy, DefaultRootWindow (dpy), True, GrabModeAsync,
  		       GrabModeAsync, CurrentTime) != GrabSuccess)
-@@ -511,7 +517,7 @@
+@@ -505,16 +511,16 @@
+ 
+ 	    code = Krb5DisplayCCache(d->name, &ccache);
+ 	    if (code)
+-		LogError("%s while getting Krb5 ccache to destroy\n",
+-			 error_message(code));
++		LogError ("%s while getting Krb5 ccache to destroy\n",
++			  error_message(code));
+ 	    else {
  		code = krb5_cc_destroy(ccache);
  		if (code) {
  		    if (code == KRB5_FCC_NOFILE) {
 -			Debug ("No Kerberos ccache file found to destroy\n");
 +			Debug ("no Kerberos ccache file found to destroy\n");
  		    } else
- 			LogError("%s while destroying Krb5 credentials cache\n",
- 				 error_message(code));
+-			LogError("%s while destroying Krb5 credentials cache\n",
+-				 error_message(code));
++			LogError ("%s while destroying Krb5 credentials"
++				  " cache\n", error_message(code));
+ 		} else
+ 		    Debug ("Kerberos ccache destroyed\n");
+ 		krb5_cc_close(ccache);
 @@ -522,7 +528,7 @@
  	}
  #endif /* K5AUTH */
@@ -2702,47 +2749,63 @@
      exit (status);
  }
  
-@@ -582,39 +588,37 @@
+@@ -540,8 +546,9 @@
+ #ifdef HAS_SETUSERCONTEXT
+     struct passwd* pwd;
+ #endif
+-#ifdef USE_PAM 
++#ifdef USE_PAM
+     pam_handle_t *pamh = thepamh();
++    int pam_error;
+ #endif
  
+     if (verify->argv) {
+@@ -582,39 +589,38 @@
+ 
  #ifndef AIXV3
  #ifndef HAS_SETUSERCONTEXT
 -	if (setgid(verify->gid) < 0)
 -	{
 -	    LogError("setgid %d (user \"%s\") failed, errno=%d\n",
 -		     verify->gid, name, errno);
-+	if (setgid(verify->gid) < 0) {
-+	    LogError("setgid %d (user \"%s\") failed: %s\n",
-+		     verify->gid, name, _SysErrorMsg (errno));
++	if (setgid (verify->gid) < 0) {
++	    LogError ("setgid %d (user \"%s\") failed: %s\n",
++		      verify->gid, name, _SysErrorMsg (errno));
  	    return (0);
  	}
  #if defined(BSD) && (BSD >= 199103)
 -	if (setlogin(name) < 0)
 -	{
 -	    LogError("setlogin for \"%s\" failed, errno=%d", name, errno);
-+	if (setlogin(name) < 0) {
-+	    LogError("setlogin for \"%s\" failed: %s\n", name,
-+		     _SysErrorMsg (errno));
- 	    return(0);
+-	    return(0);
++	if (setlogin (name) < 0) {
++	    LogError ("setlogin for \"%s\" failed: %s\n", name,
++		      _SysErrorMsg (errno));
++	    return (0);
  	}
  #endif
  #ifndef QNX4
 -	if (initgroups(name, verify->gid) < 0)
 -	{
 -	    LogError("initgroups for \"%s\" failed, errno=%d\n", name, errno);
-+	if (initgroups(name, verify->gid) < 0) {
-+	    LogError("initgroups for \"%s\" failed: %s\n", name,
++	if (initgroups (name, verify->gid) < 0) {
++	    LogError ("initgroups for \"%s\" failed: %s\n", name,
 +		     _SysErrorMsg (errno));
  	    return (0);
  	}
  #endif   /* QNX4 doesn't support multi-groups, no initgroups() */
  #ifdef USE_PAM
- 	if (thepamh()) {
- 	    if (pam_setcred(thepamh(), PAM_ESTABLISH_CRED) != PAM_SUCCESS) {
+-	if (thepamh()) {
+-	    if (pam_setcred(thepamh(), PAM_ESTABLISH_CRED) != PAM_SUCCESS) {
 -		LogError("pam_setcred for %\"s failed, errno=%d\n",
 -			 name, errno);
-+		LogError("pam_setcred for \"%s\" failed: %s\n", name,
-+		         _SysErrorMsg (errno));
- 		return(0);
+-		return(0);
++	if (thepamh ()) {
++	    pam_error = pam_setcred (thepamh (), PAM_ESTABLISH_CRED);
++	    if (pam_error != PAM_SUCCESS) {
++		LogError ("pam_setcred for \"%s\" failed: %s\n", name,
++		          pam_strerror (pam_error));
++		return (0);
  	    }
  	}
  #endif
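Review bot: `pam_strerror (pam_error)` in the new pam_setcred() failure branch passes only the error code, but the PAM interface as shipped by Linux-PAM declares `pam_strerror(pam_handle_t *pamh, int errnum)`. With that prototype in scope the USE_PAM build should fail to compile, and without it the integer would be taken as the handle. The declaration block touched in the inner -540/+546 hunk already has `pam_handle_t *pamh = thepamh();`, so the call can be `pam_strerror (pamh, pam_error)`, and the two `thepamh ()` calls in this block could use `pamh` as well. This branch is the only diagnostic for a failed credential setup before the setuid() call, so it is worth confirming that a USE_PAM build compiles and exercises it. The enclosing function starts and ends outside the hunk.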
@@ -2750,13 +2813,13 @@
 -	{
 -	    LogError("setuid %d (user \"%s\") failed, errno=%d\n",
 -		     verify->uid, name, errno);
-+	if (setuid(verify->uid) < 0) {
-+	    LogError("setuid %d (user \"%s\") failed: %s\n",
-+		     verify->uid, name, _SysErrorMsg (errno));
++	if (setuid (verify->uid) < 0) {
++	    LogError ("setuid %d (user \"%s\") failed: %s\n",
++		      verify->uid, name, _SysErrorMsg (errno));
  	    return (0);
  	}
  #else /* HAS_SETUSERCONTEXT */
-@@ -622,20 +626,17 @@
+@@ -622,20 +628,17 @@
  	 * Set the user's credentials: uid, gid, groups,
  	 * environment variables, resource limits, and umask.
  	 */
@@ -2786,7 +2849,7 @@
  	    return (0);
  	}
  #endif /* HAS_SETUSERCONTEXT */
-@@ -644,9 +645,9 @@
+@@ -644,9 +647,9 @@
  	 * Set the user's credentials: uid, gid, groups,
  	 * audit classes, user limits, and umask.
  	 */
@@ -2799,7 +2862,7 @@
  	    return (0);
  	}
  #endif /* AIXV3 */
-@@ -665,7 +666,7 @@
+@@ -665,7 +668,7 @@
  	    int     key_set_ok = 0;
  
  	    nameret = getnetname (netname);
@@ -2808,16 +2871,16 @@
  	    len = strlen (passwd);
  	    if (len > 8)
  		bzero (passwd + 8, len - 8);
-@@ -676,7 +677,7 @@
+@@ -676,7 +679,7 @@
  	    netst.st_netname = strdup(netname);
  	    memset(netst.st_pub_key, 0, HEXKEYBYTES);
              if (key_setnet(&netst) < 0) {
 -		Debug("Could not set secret key.\n");
-+		Debug("could not set secret key\n");
++		Debug ("could not set secret key\n");
              }
  	    free(netst.st_netname);	    
  	    /* is there a key, and do we have the right password? */
-@@ -759,22 +760,22 @@
+@@ -759,22 +762,22 @@
  	if (verify->argv) {
  		Debug ("executing session %s\n", verify->argv[0]);
  		execute (verify->argv, verify->userEnviron);
@@ -2846,7 +2909,7 @@
  	Debug ("StartSession, fork succeeded %d\n", pid);
  	*pidp = pid;
  	return 1;
-@@ -885,7 +886,7 @@
+@@ -885,7 +888,7 @@
  	    p = "/bin/sh";
  	    optarg = 0;
  	}
@@ -2855,7 +2918,7 @@
  		p, optarg ? optarg : "(null)");
  	for (av = argv, argc = 0; *av; av++, argc++)
  	    /* SUPPRESS 530 */
-@@ -941,9 +942,10 @@
+@@ -941,9 +944,10 @@
      return env;
  }
  


