[gdm/f13/master] Add patch

Ray Strode rstrode at fedoraproject.org
Mon Mar 28 18:10:19 UTC 2011 

commit 904a0cc619c239f75959559714a32e727b9f8dda
Author: Ray Strode <rstrode at redhat.com>
Date:   Mon Mar 28 14:10:08 2011 -0400

    Add patch

 CVE-2011-0727.patch |   50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 50 insertions(+), 0 deletions(-)
---
diff --git a/CVE-2011-0727.patch b/CVE-2011-0727.patch
new file mode 100644
index 0000000..be1180e
--- /dev/null
+++ b/CVE-2011-0727.patch
@@ -0,0 +1,50 @@
+From c122ebed451272090e594f3a511cc8a6017a62e2 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode at redhat.com>
+Date: Thu, 24 Mar 2011 16:47:37 -0400
+Subject: [PATCH] worker: CVE-2011-0727: change to user before copying user files
+
+This commit changes to a user before copying user files to prevent
+a possible symlink local root exploit attack.
+---
+ daemon/gdm-session-worker.c |   29 +++++++++++++++++------------
+ 1 files changed, 17 insertions(+), 12 deletions(-)
+
+diff -up gdm-2.30.2/daemon/gdm-session-worker.c.with-fix gdm-2.30.2/daemon/gdm-session-worker.c
+--- gdm-2.30.2/daemon/gdm-session-worker.c.with-fix	2011-03-28 13:56:04.488869029 -0400
++++ gdm-2.30.2/daemon/gdm-session-worker.c	2011-03-28 13:57:15.205843697 -0400
+@@ -1034,10 +1034,6 @@ gdm_cache_copy_file (GdmSessionWorker *w
+                                    error->message);
+                         g_error_free (error);
+                  } else {
+-                        chown (cachefilename,
+-                               worker->priv->uid,
+-                               worker->priv->gid);
+-                        g_chmod (cachefilename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+                         g_debug ("Copy successful");
+                 }
+ 
+@@ -1171,7 +1167,23 @@ gdm_session_worker_uninitialize_pam (Gdm
+                 return;
+ 
+         if (worker->priv->state >= GDM_SESSION_WORKER_STATE_SESSION_OPENED) {
+-                gdm_session_worker_cache_userfiles (worker);
++                pid_t pid;
++
++                pid = fork ();
++
++                if (pid == 0) {
++                        if (setuid (worker->priv->uid) < 0) {
++                                g_debug ("GdmSessionWorker: could not reset uid: %s", g_strerror (errno));
++                                _exit (1);
++                        }
++
++                        gdm_session_worker_cache_userfiles (worker);
++                        _exit (0);
++                }
++
++                if (pid > 0) {
++                        gdm_wait_on_pid (pid);
++                }
+                 pam_close_session (worker->priv->pam_handle, 0);
+                 gdm_session_auditor_report_logout (worker->priv->auditor);
+

More information about the scm-commits mailing list