Author: branden Date: 2003-09-25 00:57:32 -0500 (Thu, 25 Sep 2003) New Revision: 584
Modified: branches/4.3.0/sid/debian/changelog branches/4.3.0/sid/debian/patches/002_xdm_fixes.diff Log: Update pam_setcred() security fix to xdm to use pam_error and pam_strerror(). Also make some cosmetic updates to xc/programs/xdm/session.c for stylistic consistency. - debian/patches/002_xdm_fixes.diff Modified: branches/4.3.0/sid/debian/changelog =================================================================== --- branches/4.3.0/sid/debian/changelog 2003-09-25 05:53:54 UTC (rev 583) +++ branches/4.3.0/sid/debian/changelog 2003-09-25 05:57:32 UTC (rev 584) @@ -1,3 +1,11 @@ +xfree86 (4.3.0-0pre1v3) experimental; urgency=low + + * Update pam_setcred() security fix to xdm to use pam_error and + pam_strerror(). + - debian/patches/002_xdm_fixes.diff + + -- Branden Robinson <[EMAIL PROTECTED]> Thu, 25 Sep 2003 00:55:11 -0500 + xfree86 (4.3.0-0pre1v2) experimental; urgency=low * debian/patches/911_debian_XF86Config_to_XF86Config-4.diff: merge this Modified: branches/4.3.0/sid/debian/patches/002_xdm_fixes.diff =================================================================== --- branches/4.3.0/sid/debian/patches/002_xdm_fixes.diff 2003-09-25 05:53:54 UTC (rev 583) +++ branches/4.3.0/sid/debian/patches/002_xdm_fixes.diff 2003-09-25 05:57:32 UTC (rev 584) @@ -93,7 +93,8 @@ Use _SysErrorMsg() instead of strerror(). * xc/programs/xdm/session.c: Indent pre-processor statements. Use _SysErrorMsg() instead of - strerror(). Recognize that GNU LibC-based systems as well as Linux + strerror(), except when handling PAM errors, when we use + pam_strerror(). Recognize that GNU LibC-based systems as well as Linux systems in general have the endpwent() function. Recognize that GNU LibC-based systems as well as CSRG_BASED ones have the getpwnam() and crypt() functions. Style fix: put function names flush left when 
@@ -2552,9 +2553,8 @@ XSetIOErrorHandler (oldError); return 1; } -diff -urN xc/programs/xdm~/session.c xc/programs/xdm/session.c ---- xc/programs/xdm~/session.c 2003-09-21 15:39:23.000000000 -0500 -+++ xc/programs/xdm/session.c 2003-09-21 15:40:41.000000000 -0500 +--- xc/programs/xdm/session.c~ 2003-09-25 00:19:35.000000000 -0500 ++++ xc/programs/xdm/session.c 2003-09-25 00:29:10.000000000 -0500 @@ -61,17 +61,17 @@ #endif @@ -2648,6 +2648,40 @@ #endif static void +@@ -251,7 +257,7 @@ + static int + IOErrorHandler (Display *dpy) + { +- LogError("fatal IO error %d (%s)\n", errno, _SysErrorMsg(errno)); ++ LogError ("fatal IO error %d (%s)\n", errno, _SysErrorMsg(errno)); + exit(RESERVER_DISPLAY); + /*NOTREACHED*/ + return 0; +@@ -260,7 +266,7 @@ + static int + ErrorHandler(Display *dpy, XErrorEvent *event) + { +- LogError("X error\n"); ++ LogError ("X error\n"); + if (XmuPrintDefaultErrorMessage (dpy, event, stderr) == 0) return 0; + exit(UNMANAGE_DISPLAY); + /*NOTREACHED*/ +@@ -293,13 +299,13 @@ + #ifdef GREET_USER_STATIC + greet_user_proc = GreetUser; + #else +- Debug("ManageSession: loading greeter library %s\n", greeterLib); ++ Debug ("ManageSession: loading greeter library %s\n", greeterLib); + greet_lib_handle = dlopen(greeterLib, RTLD_NOW); + if (greet_lib_handle != NULL) + greet_user_proc = (GreetUserProc)dlsym(greet_lib_handle, "GreetUser"); + if (greet_user_proc == NULL) + { +- LogError("%s while loading %s\n", dlerror(), greeterLib); ++ LogError ("%s while loading %s\n", dlerror (), greeterLib); + exit(UNMANAGE_DISPLAY); + } + #endif @@ -321,7 +327,7 @@ * setting up environment and running the session */ 
@@ -2684,15 +2718,28 @@ XGrabServer (dpy); if (XGrabKeyboard (dpy, DefaultRootWindow (dpy), True, GrabModeAsync, GrabModeAsync, CurrentTime) != GrabSuccess) -@@ -511,7 +517,7 @@ +@@ -505,16 +511,16 @@ + + code = Krb5DisplayCCache(d->name, &ccache); + if (code) +- LogError("%s while getting Krb5 ccache to destroy\n", +- error_message(code)); ++ LogError ("%s while getting Krb5 ccache to destroy\n", ++ error_message(code)); + else { code = krb5_cc_destroy(ccache); if (code) { if (code == KRB5_FCC_NOFILE) { - Debug ("No Kerberos ccache file found to destroy\n"); + Debug ("no Kerberos ccache file found to destroy\n"); } else - LogError("%s while destroying Krb5 credentials cache\n", - error_message(code)); +- LogError("%s while destroying Krb5 credentials cache\n", +- error_message(code)); ++ LogError ("%s while destroying Krb5 credentials" ++ " cache\n", error_message(code)); + } else + Debug ("Kerberos ccache destroyed\n"); + krb5_cc_close(ccache); @@ -522,7 +528,7 @@ } #endif /* K5AUTH */ 
@@ -2702,47 +2749,63 @@ exit (status); } -@@ -582,39 +588,37 @@ +@@ -540,8 +546,9 @@ + #ifdef HAS_SETUSERCONTEXT + struct passwd* pwd; + #endif +-#ifdef USE_PAM ++#ifdef USE_PAM + pam_handle_t *pamh = thepamh(); ++ int pam_error; + #endif + if (verify->argv) { +@@ -582,39 +589,38 @@ + #ifndef AIXV3 #ifndef HAS_SETUSERCONTEXT - if (setgid(verify->gid) < 0) - { - LogError("setgid %d (user \"%s\") failed, errno=%d\n", - verify->gid, name, errno); -+ if (setgid(verify->gid) < 0) { -+ LogError("setgid %d (user \"%s\") failed: %s\n", -+ verify->gid, name, _SysErrorMsg (errno)); ++ if (setgid (verify->gid) < 0) { ++ LogError ("setgid %d (user \"%s\") failed: %s\n", ++ verify->gid, name, _SysErrorMsg (errno)); return (0); } #if defined(BSD) && (BSD >= 199103) - if (setlogin(name) < 0) - { - LogError("setlogin for \"%s\" failed, errno=%d", name, errno); -+ if (setlogin(name) < 0) { -+ LogError("setlogin for \"%s\" failed: %s\n", name, -+ _SysErrorMsg (errno)); - return(0); +- return(0); ++ if (setlogin (name) < 0) { ++ LogError ("setlogin for \"%s\" failed: %s\n", name, ++ _SysErrorMsg (errno)); ++ return (0); } #endif #ifndef QNX4 - if (initgroups(name, verify->gid) < 0) - { - LogError("initgroups for \"%s\" failed, errno=%d\n", name, errno); -+ if (initgroups(name, verify->gid) < 0) { -+ LogError("initgroups for \"%s\" failed: %s\n", name, ++ if (initgroups (name, verify->gid) < 0) { ++ LogError ("initgroups for \"%s\" failed: %s\n", name, + _SysErrorMsg (errno)); return (0); } #endif /* QNX4 doesn't support multi-groups, no initgroups() */ #ifdef USE_PAM - if (thepamh()) { - if (pam_setcred(thepamh(), PAM_ESTABLISH_CRED) != PAM_SUCCESS) { +- if (thepamh()) { +- if (pam_setcred(thepamh(), PAM_ESTABLISH_CRED) != PAM_SUCCESS) { - LogError("pam_setcred for %\"s failed, errno=%d\n", - name, errno); -+ LogError("pam_setcred for \"%s\" failed: %s\n", name, -+ _SysErrorMsg (errno)); - return(0); +- return(0); ++ if (thepamh ()) { ++ pam_error = pam_setcred (thepamh (), 
PAM_ESTABLISH_CRED); ++ if (pam_error != PAM_SUCCESS) { ++ LogError ("pam_setcred for \"%s\" failed: %s\n", name, ++ pam_strerror (pam_error)); ++ return (0); } } #endif @@ -2750,13 +2813,13 @@ - { - LogError("setuid %d (user \"%s\") failed, errno=%d\n", - verify->uid, name, errno); -+ if (setuid(verify->uid) < 0) { -+ LogError("setuid %d (user \"%s\") failed: %s\n", -+ verify->uid, name, _SysErrorMsg (errno)); ++ if (setuid (verify->uid) < 0) { ++ LogError ("setuid %d (user \"%s\") failed: %s\n", ++ verify->uid, name, _SysErrorMsg (errno)); return (0); } #else /* HAS_SETUSERCONTEXT */ -@@ -622,20 +626,17 @@ +@@ -622,20 +628,17 @@ * Set the user's credentials: uid, gid, groups, * environment variables, resource limits, and umask. */ @@ -2786,7 +2849,7 @@ return (0); } #endif /* HAS_SETUSERCONTEXT */ -@@ -644,9 +645,9 @@ +@@ -644,9 +647,9 @@ * Set the user's credentials: uid, gid, groups, * audit classes, user limits, and umask. */ @@ -2799,7 +2862,7 @@ return (0); } #endif /* AIXV3 */ -@@ -665,7 +666,7 @@ +@@ -665,7 +668,7 @@ int key_set_ok = 0; nameret = getnetname (netname); @@ -2808,16 +2871,16 @@ len = strlen (passwd); if (len > 8) bzero (passwd + 8, len - 8); -@@ -676,7 +677,7 @@ +@@ -676,7 +679,7 @@ netst.st_netname = strdup(netname); memset(netst.st_pub_key, 0, HEXKEYBYTES); if (key_setnet(&netst) < 0) { - Debug("Could not set secret key.\n"); -+ Debug("could not set secret key\n"); ++ Debug ("could not set secret key\n"); } free(netst.st_netname); /* is there a key, and do we have the right password? */ -@@ -759,22 +760,22 @@ +@@ -759,22 +762,22 @@ if (verify->argv) { Debug ("executing session %s\n", verify->argv[0]); execute (verify->argv, verify->userEnviron); @@ -2846,7 +2909,7 @@ Debug ("StartSession, fork succeeded %d\n", pid); *pidp = pid; return 1; -@@ -885,7 +886,7 @@ +@@ -885,7 +888,7 @@ p = "/bin/sh"; optarg = 0; } 
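Review bot: The new `pam_strerror (pam_error)` call in the pam_setcred() failure branch passes only the return code, while pam_strerror() as declared in Linux-PAM's `security/pam_appl.h` takes the PAM handle first and the error number second. Unless the target headers still carry an older one-argument form, this either fails to compile against the prototype or, without one, treats a PAM status code as a pointer on the very path that reports a credential-setup failure. I would write `pam_strerror (pamh, pam_error)`, using the `pamh` local that this same hunk initialises from `thepamh()` and that the visible lines never use. The guard and the call could then read `if (pamh) {` and `pam_error = pam_setcred (pamh, PAM_ESTABLISH_CRED);` instead of calling `thepamh ()` again. The enclosing function starts and ends outside the hunk, so other uses of `pamh` could not be checked.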
@@ -2855,7 +2918,7 @@ p, optarg ? optarg : "(null)"); for (av = argv, argc = 0; *av; av++, argc++) /* SUPPRESS 530 */ -@@ -941,9 +942,10 @@ +@@ -941,9 +944,10 @@ return env; }