SECURITY FIX for KDM, "which would allow a normal user to login

as another user or even root without properly supplying login credentials." http://www.kde.org/info/security/advisory-20070919-1.txt Tested by ian@ and Johan M:son Lindman
2007-10-04 19:00:17 +00:00 · 2007-10-04 19:00:17 +00:00 · 9440779424
commit 9440779424
parent 49255a04fb
2 changed files with 66 additions and 2 deletions
--- a/x11/kde/base3/Makefile
+++ b/x11/kde/base3/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.77 2007/09/15 20:04:21 merdely Exp $
+# $OpenBSD: Makefile,v 1.78 2007/10/04 19:00:17 jasper Exp $

 COMMENT-main= 		K Desktop Environment, basic applications
 COMMENT-plugins=	Konqueror nsplugins, essentially native JDK
@ -6,7 +6,7 @@ COMMENT-samba=		K Desktop Environment, samba support
 CATEGORIES=		x11 x11/kde
 VERSION=		3.5.7
 DISTNAME=		kdebase-${VERSION}
-PKGNAME-main=		${DISTNAME}p1
+PKGNAME-main=		${DISTNAME}p2
 PKGNAME-samba=		kdesamba-${VERSION}
 MODKDE_VERSION?=	3.5.7
 SHARED_LIBS +=	konq                 7.0      # .6.0
--- a/x11/kde/base3/patches/patch-kdm_backend_session_c
+++ b/x11/kde/base3/patches/patch-kdm_backend_session_c
@ -0,0 +1,64 @@
+$OpenBSD: patch-kdm_backend_session_c,v 1.1 2007/10/04 19:00:17 jasper Exp $
+--- kdm/backend/session.c.orig	Thu Jan 19 18:03:14 2006
+++ kdm/backend/session.c	Tue Sep 25 20:28:25 2007
+@@ -121,8 +121,9 @@ conv_auto( int what, const char *prompt ATTR_UNUSED )
+ static void
+ DoAutoLogon( void )
+ {
+-	StrDup( &curuser, td->autoUser );
+-	StrDup( &curpass, td->autoPass );
+	ReStr( &curuser, td->autoUser );
+	ReStr( &curpass, td->autoPass );
+	ReStr( &curtype, "classic" );
+ 	cursource = PWSRC_AUTOLOGIN;
+ }
+ 
+@@ -141,7 +142,9 @@ AutoLogon( Time_t tdiff )
+ 		td->hstent->npass = 0;
+ 		newdmrc = td->hstent->nargs;
+ 		td->hstent->nargs = 0;
+		ReStr( &curtype, "classic" );
+ 		cursource = (td->hstent->rLogin == 1) ? PWSRC_RELOGIN : PWSRC_MANUAL;
+		return 1;
+ 	} else if (*td->autoUser && !td->autoDelay && (tdiff > 0 || td->autoAgain))
+ 	{
+ 		unsigned int lmask;
+@@ -153,11 +156,9 @@ AutoLogon( Time_t tdiff )
+ 		if (lmask & ShiftMask)
+ 			return 0;
+ 		DoAutoLogon();
+-	} else {
+-		cursource = PWSRC_MANUAL;
+-		return 0;
+		return 1;
+ 	}
+-	return 1;
+	return 0;
+ }
+ 
+ 
+@@ -369,6 +370,7 @@ CtrlGreeterWait( int wreply )
+ 			if (curtype) free( curtype );
+ 			curtype = GRecvStr();
+ 			Debug( " type %\"s\n", curtype );
+			cursource = PWSRC_MANUAL;
+ 			if (Verify( conv_interact, rootok )) {
+ 				Debug( " -> return success\n" );
+ 				GSendInt( V_OK );
+@@ -378,7 +380,6 @@ CtrlGreeterWait( int wreply )
+ 		case G_AutoLogin:
+ 			Debug( "G_AutoLogin\n" );
+ 			DoAutoLogon();
+-			StrDup( &curtype, "classic" );
+ 			if (Verify( conv_auto, FALSE )) {
+ 				Debug( " -> return success\n" );
+ 				GSendInt( V_OK );
+@@ -565,7 +566,7 @@ ManageSession( struct display *d )
+ 	tdiff = td->autoAgain ? 
+ 	           1 : time( 0 ) - td->hstent->lastExit - td->openDelay;
+ 	if (AutoLogon( tdiff )) {
+-		if (!StrDup( &curtype, "classic" ) || !Verify( conv_auto, FALSE ))
+		if (!Verify( conv_auto, FALSE ))
+ 			goto gcont;
+ 		if (greeter)
+ 			GSendInt( V_OK );