From ${URL} : Sebastian Krahmer reported a number of flaws in the SDDM display manager that could allow a local user to escalate their privileges to root: https://bugzilla.suse.com/show_bug.cgi?id=897788 References: http://seclists.org/oss-sec/2014/q4/6 @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Reported upstream
Masked until upstream solves this problem.
sddm-0.10.0 released; excerpt from the release notes:
* BACKWARDS INCOMPATIBLE: Drop support for Qt 4.
* BACKWARDS INCOMPATIBLE: SDDM now prioritizes loading sessions with a .desktop $
* SECURITY: Never try to login as the sddm user (CVE-2014-7271)
* SECURITY: Fix race condition in XAUTHORITY file generation (CVE-2014-7272)
* SECURITY: XAUTHORITY file is no longer owned by root
--- sddm-0.9.0-r1.ebuild +++ sddm-0.10.0.ebuild @@ -12,24 +12,17 @@ LICENSE="GPL-2+ MIT CC-BY-3.0 public-domain" SLOT="0" -IUSE="consolekit +qt4 qt5 systemd +upower" -REQUIRED_USE="?? ( upower systemd ) - ^^ ( qt4 qt5 )" +IUSE="consolekit systemd +upower" +REQUIRED_USE="?? ( upower systemd )" -RDEPEND="sys-libs/pam +RDEPEND="dev-qt/qtcore:5 + dev-qt/qtdbus:5 + dev-qt/qtdeclarative:5 + dev-qt/linguist-tools:5 + dev-qt/qttest:5 + sys-libs/pam >=x11-base/xorg-server-1.15.1 x11-libs/libxcb[xkb(-)] - qt4? ( - dev-qt/qtcore:4 - dev-qt/qtdbus:4 - dev-qt/qtdeclarative:4 - dev-qt/qttest:4 ) - qt5? ( - dev-qt/qtcore:5 - dev-qt/qtdbus:5 - dev-qt/qtdeclarative:5 - dev-qt/linguist-tools:5 - dev-qt/qttest:5 ) systemd? ( sys-apps/systemd:= ) upower? ( || ( sys-power/upower sys-power/upower-pm-utils ) )" DEPEND="${RDEPEND} @@ -44,8 +37,8 @@ } src_prepare() { - use consolekit && epatch "${FILESDIR}/${P}-consolekit.patch" - use upower && epatch "${FILESDIR}/${P}-upower.patch" + # use consolekit && epatch "${FILESDIR}/${P}-consolekit.patch" + # use upower && epatch "${FILESDIR}/${P}-upower.patch" # respect user's cflags sed -e 's|-Wall -march=native||' \ @@ -55,7 +48,7 @@ src_configure() { local mycmakeargs=( - $(cmake-utils_use_use qt5 QT5) + -DUSE_QT5=ON $(cmake-utils_use_no systemd SYSTEMD) ) cmake-utils_src_configure
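Review bot: In the new RDEPEND of the first hunk, `dev-qt/linguist-tools:5` and `dev-qt/qttest:5` become unconditional runtime dependencies; the identical hunk appears in the second diff below. linguist-tools is normally needed only to compile translations at build time, so it probably belongs in DEPEND after `${RDEPEND}`, and qttest looks like a test-only library that could sit behind a `test` flag. Both assumptions should be confirmed against the upstream build files before moving anything. The DEPEND assignment continues outside the hunk.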
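Review bot: In the second hunk the two `epatch` calls in src_prepare() are commented out rather than removed or rebased, while the first hunk keeps `consolekit` and `+upower` in IUSE. With both lines disabled the flags no longer change anything in this function, and as far as the visible lines show `upower` only pulls in a dependency. Either drop the dead lines together with any flag that has lost its effect, or carry patches rebased onto 0.10.0. If they stay disabled temporarily, state the reason, e.g. `# 0.9.0 consolekit/upower patches disabled: <reason>`. src_prepare() continues past the end of the hunk.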
--- sddm-0.9.0-r1.ebuild 2014-10-17 12:41:40.840065291 +0200 +++ sddm-0.10.0.ebuild 2014-10-17 12:59:02.912531522 +0200 @@ -12,24 +12,17 @@ LICENSE="GPL-2+ MIT CC-BY-3.0 public-domain" SLOT="0" -IUSE="consolekit +qt4 qt5 systemd +upower" -REQUIRED_USE="?? ( upower systemd ) - ^^ ( qt4 qt5 )" +IUSE="consolekit systemd +upower" +REQUIRED_USE="?? ( upower systemd )" -RDEPEND="sys-libs/pam +RDEPEND="dev-qt/qtcore:5 + dev-qt/qtdbus:5 + dev-qt/qtdeclarative:5 + dev-qt/linguist-tools:5 + dev-qt/qttest:5 + sys-libs/pam >=x11-base/xorg-server-1.15.1 x11-libs/libxcb[xkb(-)] - qt4? ( - dev-qt/qtcore:4 - dev-qt/qtdbus:4 - dev-qt/qtdeclarative:4 - dev-qt/qttest:4 ) - qt5? ( - dev-qt/qtcore:5 - dev-qt/qtdbus:5 - dev-qt/qtdeclarative:5 - dev-qt/linguist-tools:5 - dev-qt/qttest:5 ) systemd? ( sys-apps/systemd:= ) upower? ( || ( sys-power/upower sys-power/upower-pm-utils ) )" DEPEND="${RDEPEND} @@ -45,7 +38,6 @@ src_prepare() { use consolekit && epatch "${FILESDIR}/${P}-consolekit.patch" - use upower && epatch "${FILESDIR}/${P}-upower.patch" # respect user's cflags sed -e 's|-Wall -march=native||' \ @@ -55,7 +47,7 @@ src_configure() { local mycmakeargs=( - $(cmake-utils_use_use qt5 QT5) + -DUSE_QT5=ON $(cmake-utils_use_no systemd SYSTEMD) ) cmake-utils_src_configure
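Review bot: The kept line `use consolekit && epatch "${FILESDIR}/${P}-consolekit.patch"` in the second hunk now resolves `${P}` to sddm-0.10.0, so the bump needs a consolekit patch under that new name, which this diff does not add; without it a USE=consolekit build would presumably fail in src_prepare(). Because 0.10.0 changes the login and XAUTHORITY handling for the CVE fixes quoted in the release notes, a patch carried over from 0.9.0 should be re-read against the new sources, not only checked for applying cleanly. The upower patch is dropped while `+upower` stays in IUSE and RDEPEND in the first hunk, so add a line such as `# upower patch dropped: <reason, e.g. merged upstream (confirm)>`. src_prepare() continues outside the hunk.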
first diff is obsolete!
*** Bug 525774 has been marked as a duplicate of this bug. ***
Version bumped. Please test whether this issue exists for you: https://github.com/sddm/sddm/issues/277
Masked until Qt5 is unmasked.
no respective issues here; gcc 4.8.3, openrc, amd64 no-multilib, -mtune=generic -O2 -pipe
Unmasked together with Qt5.
I believe this issue has been resolved as <=0.10.0 have been dropped from the tree.