$OpenBSD: patch-kdm_backend_ctrl_c,v 1.1 2010/05/13 07:01:00 ajacoutot Exp $ CVE-2010-0436, see: http://www.kde.org/info/security/advisory-20100413-1.txt --- kdm/backend/ctrl.c.orig Mon Jan 15 12:32:23 2007 +++ kdm/backend/ctrl.c Thu May 13 08:57:25 2010 @@ -140,22 +140,24 @@ openCtrl( struct display *d ) if (strlen( cr->path ) >= sizeof(sa.sun_path)) LogError( "path %\"s too long; no control sockets will be available\n", cr->path ); - else if (mkdir( sockdir, 0755 ) && errno != EEXIST) + else if (mkdir( sockdir, 0700 ) && errno != EEXIST) LogError( "mkdir %\"s failed; no control sockets will be available\n", sockdir ); + else if (unlink( cr->path ) && errno != ENOENT) + LogError( "unlink %\"s failed: %m; control socket will not be available\n", + cr->path ); else { - if (!d) - chown( sockdir, -1, fifoGroup ); - chmod( sockdir, 0750 ); if ((cr->fd = socket( PF_UNIX, SOCK_STREAM, 0 )) < 0) LogError( "Cannot create control socket\n" ); else { - unlink( cr->path ); sa.sun_family = AF_UNIX; strcpy( sa.sun_path, cr->path ); if (!bind( cr->fd, (struct sockaddr *)&sa, sizeof(sa) )) { if (!listen( cr->fd, 5 )) { - chmod( cr->path, 0666 ); + chmod( cr->path, 0660 ); + if (!d) + chown( cr->path, -1, fifoGroup ); + chmod( sockdir, 0755 ); RegisterCloseOnFork( cr->fd ); RegisterInput( cr->fd ); free( sockdir ); @@ -218,12 +220,8 @@ chownCtrl( CtrlRec *cr, int uid ) { if (cr->fpath) chown( cr->fpath, uid, -1 ); - if (cr->path) { - char *ptr = strrchr( cr->path, '/' ); - *ptr = 0; + if (cr->path) chown( cr->path, uid, -1 ); - *ptr = '/'; - } } void