authorKoop Mast <kwm@FreeBSD.org>2015-11-18 10:21:07 +0000
committerKoop Mast <kwm@FreeBSD.org>2015-11-18 10:21:07 +0000
commit2219b9443df8ee1c14ed87c923c3732e589e38ed (patch)
tree5a3dd052ab7461da3fc35c40b4ea538f14d13dd1 /x11
parentDocument gdm lock screen bypass (diff)
Fix lockscreen bypass.
MFH: 2015Q4 Security: 68847b20-8ddc-11e5-b69c-c86000169601
Notes
Notes: svn path=/head/; revision=401858
Diffstat (limited to 'x11')
-rw-r--r--x11/gdm/Makefile1
-rw-r--r--x11/gdm/files/patch-CVE-2015-7496207
2 files changed, 208 insertions, 0 deletions
diff --git a/x11/gdm/Makefile b/x11/gdm/Makefile
index 4d26a3f4d2bc..8c419ff48f75 100644
--- a/x11/gdm/Makefile
+++ b/x11/gdm/Makefile
@@ -3,6 +3,7 @@
PORTNAME= gdm
PORTVERSION= 3.16.2
+PORTREVISION= 1
CATEGORIES= x11 gnome
MASTER_SITES= GNOME
DIST_SUBDIR= gnome3
diff --git a/x11/gdm/files/patch-CVE-2015-7496 b/x11/gdm/files/patch-CVE-2015-7496
new file mode 100644
index 000000000000..69aefec50100
--- /dev/null
+++ b/x11/gdm/files/patch-CVE-2015-7496
@@ -0,0 +1,207 @@
+From 05e5fc24b0f803098c1d05dae86f5eb05bd0c2a4 Mon Sep 17 00:00:00 2001
+From: Rui Matos <tiagomatos@gmail.com>
+Date: Sun, 15 Nov 2015 14:07:53 -0500
+Subject: session: Cancel worker proxy async ops when freeing conversations
+
+We need to cancel ongoing async ops for worker proxies when freeing
+conversations or we'll crash when the completion handler runs and we
+access free'd memory.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=758032
+
+---
+
+From 5ac224602f1d603aac5eaa72e1760d3e33a26f0a Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Fri, 13 Nov 2015 11:14:59 -0500
+Subject: session: disconnect signals from worker proxy when conversation is
+ freed
+
+We don't want an outstanding reference on the worker proxy to lead to
+signal handlers getting dispatched after the conversation is freed.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=758032
+
+---
+
+
+--- daemon/gdm-session.c.orig 2015-11-18 10:47:55.522178000 +0100
++++ daemon/gdm-session.c 2015-11-18 10:48:00.450095000 +0100
+@@ -73,6 +73,7 @@ typedef struct
+ GDBusMethodInvocation *pending_invocation;
+ GdmDBusWorkerManager *worker_manager_interface;
+ GdmDBusWorker *worker_proxy;
++ GCancellable *worker_cancellable;
+ char *session_id;
+ guint32 is_stopping : 1;
+
+@@ -1031,6 +1032,8 @@ register_worker (GdmDBusWorkerManager *
+
+ g_dbus_proxy_set_default_timeout (G_DBUS_PROXY (conversation->worker_proxy), G_MAXINT);
+
++ conversation->worker_cancellable = g_cancellable_new ();
++
+ g_signal_connect (conversation->worker_proxy,
+ "username-changed",
+ G_CALLBACK (worker_on_username_changed), conversation);
+@@ -1666,7 +1669,28 @@ free_conversation (GdmSessionConversatio
+ g_free (conversation->starting_username);
+ g_free (conversation->session_id);
+ g_clear_object (&conversation->worker_manager_interface);
+- g_clear_object (&conversation->worker_proxy);
++
++ if (conversation->worker_proxy != NULL) {
++ g_signal_handlers_disconnect_by_func (conversation->worker_proxy,
++ G_CALLBACK (worker_on_username_changed),
++ conversation);
++ g_signal_handlers_disconnect_by_func (conversation->worker_proxy,
++ G_CALLBACK (worker_on_session_exited),
++ conversation);
++ g_signal_handlers_disconnect_by_func (conversation->worker_proxy,
++ G_CALLBACK (worker_on_reauthenticated),
++ conversation);
++ g_signal_handlers_disconnect_by_func (conversation->worker_proxy,
++ G_CALLBACK (worker_on_saved_language_name_read),
++ conversation);
++ g_signal_handlers_disconnect_by_func (conversation->worker_proxy,
++ G_CALLBACK (worker_on_saved_session_name_read),
++ conversation);
++ g_signal_handlers_disconnect_by_func (conversation->worker_proxy,
++ G_CALLBACK (worker_on_cancel_pending_query),
++ conversation);
++ g_clear_object (&conversation->worker_proxy);
++ }
+ g_clear_object (&conversation->session);
+ g_free (conversation);
+ }
+@@ -1828,6 +1852,9 @@ close_conversation (GdmSessionConversati
+ g_clear_object (&conversation->worker_manager_interface);
+ }
+
++ g_cancellable_cancel (conversation->worker_cancellable);
++ g_clear_object (&conversation->worker_cancellable);
++
+ if (conversation->worker_proxy != NULL) {
+ GDBusConnection *connection = g_dbus_proxy_get_connection (G_DBUS_PROXY (conversation->worker_proxy));
+ g_dbus_connection_close_sync (connection, NULL, NULL);
+@@ -1996,7 +2023,7 @@ send_setup (GdmSession *self,
+ display_hostname,
+ self->priv->display_is_local,
+ self->priv->display_is_initial,
+- NULL,
++ conversation->worker_cancellable,
+ (GAsyncReadyCallback) on_setup_complete_cb,
+ conversation);
+ }
+@@ -2062,7 +2089,7 @@ send_setup_for_user (GdmSession *self,
+ display_hostname,
+ self->priv->display_is_local,
+ self->priv->display_is_initial,
+- NULL,
++ conversation->worker_cancellable,
+ (GAsyncReadyCallback) on_setup_complete_cb,
+ conversation);
+ }
+@@ -2124,7 +2151,7 @@ send_setup_for_program (GdmSession *self
+ self->priv->display_is_local,
+ self->priv->display_is_initial,
+ log_file,
+- NULL,
++ conversation->worker_cancellable,
+ (GAsyncReadyCallback) on_setup_complete_cb,
+ conversation);
+ }
+@@ -2182,7 +2209,7 @@ gdm_session_authenticate (GdmSession *se
+ conversation = find_conversation_by_name (self, service_name);
+ if (conversation != NULL) {
+ gdm_dbus_worker_call_authenticate (conversation->worker_proxy,
+- NULL,
++ conversation->worker_cancellable,
+ (GAsyncReadyCallback) on_authenticate_cb,
+ conversation);
+ }
+@@ -2199,7 +2226,7 @@ gdm_session_authorize (GdmSession *self,
+ conversation = find_conversation_by_name (self, service_name);
+ if (conversation != NULL) {
+ gdm_dbus_worker_call_authorize (conversation->worker_proxy,
+- NULL,
++ conversation->worker_cancellable,
+ (GAsyncReadyCallback) on_authorize_cb,
+ conversation);
+ }
+@@ -2216,7 +2243,7 @@ gdm_session_accredit (GdmSession *self,
+ conversation = find_conversation_by_name (self, service_name);
+ if (conversation != NULL) {
+ gdm_dbus_worker_call_establish_credentials (conversation->worker_proxy,
+- NULL,
++ conversation->worker_cancellable,
+ (GAsyncReadyCallback) on_establish_credentials_cb,
+ conversation);
+ }
+@@ -2230,7 +2257,8 @@ send_environment_variable (const char
+ {
+ gdm_dbus_worker_call_set_environment_variable (conversation->worker_proxy,
+ key, value,
+- NULL, NULL, NULL);
++ conversation->worker_cancellable,
++ NULL, NULL);
+ }
+
+ static void
+@@ -2418,7 +2446,8 @@ send_display_mode (GdmSession *self,
+ mode = gdm_session_get_display_mode (self);
+ gdm_dbus_worker_call_set_session_display_mode (conversation->worker_proxy,
+ gdm_session_display_mode_to_string (mode),
+- NULL, NULL, NULL);
++ conversation->worker_cancellable,
++ NULL, NULL);
+ }
+
+ static void
+@@ -2434,7 +2463,8 @@ send_session_type (GdmSession *self,
+ gdm_dbus_worker_call_set_environment_variable (conversation->worker_proxy,
+ "XDG_SESSION_TYPE",
+ session_type,
+- NULL, NULL, NULL);
++ conversation->worker_cancellable,
++ NULL, NULL);
+ }
+
+ void
+@@ -2452,7 +2482,7 @@ gdm_session_open_session (GdmSession *se
+ send_session_type (self, conversation);
+
+ gdm_dbus_worker_call_open (conversation->worker_proxy,
+- NULL,
++ conversation->worker_cancellable,
+ (GAsyncReadyCallback) on_opened, conversation);
+ }
+ }
+@@ -2638,7 +2668,7 @@ gdm_session_start_session (GdmSession *s
+
+ gdm_dbus_worker_call_start_program (conversation->worker_proxy,
+ program,
+- NULL,
++ conversation->worker_cancellable,
+ (GAsyncReadyCallback) on_start_program_cb,
+ conversation);
+ g_free (program);
+@@ -2770,7 +2800,7 @@ gdm_session_start_reauthentication (GdmS
+ gdm_dbus_worker_call_start_reauthentication (conversation->worker_proxy,
+ (int) pid_of_caller,
+ (int) uid_of_caller,
+- NULL,
++ conversation->worker_cancellable,
+ (GAsyncReadyCallback) on_reauthentication_started_cb,
+ conversation);
+ }
+@@ -3032,7 +3062,8 @@ gdm_session_select_session (GdmSession *
+
+ gdm_dbus_worker_call_set_session_name (conversation->worker_proxy,
+ get_session_name (self),
+- NULL, NULL, NULL);
++ conversation->worker_cancellable,
++ NULL, NULL);
+ }
+ }
+
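Review bot: Cancelling `worker_cancellable` in close_conversation (embedded hunk `-1828,6 +1852,9`) does not suppress the completion callbacks: GIO still dispatches them later with `G_IO_ERROR_CANCELLED`, and every call site changed here passes `conversation` as user data, so a handler such as `on_setup_complete_cb` or `on_authenticate_cb` that reads `conversation` before checking the error would still touch freed memory. Those handlers are outside the visible hunks, so this needs confirming there; each should finish the call and bail out first, e.g. `if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED)) { g_error_free (error); return; }`. Separately, free_conversation (embedded hunk `-1666,7 +1669,28`) disconnects the signal handlers but never cancels or unrefs `worker_cancellable`, so a conversation freed without a prior close_conversation would leak the object and leave its calls in flight. Adding `g_cancellable_cancel (conversation->worker_cancellable); g_clear_object (&conversation->worker_cancellable);` ahead of the disconnects would cover that path, and both calls are safe on an already-cleared pointer. Both functions begin outside the hunks shown.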