"a local privilege escalation has been discovered in the sddm display manager [1]. sddm passes the -auth and -displayfd command line arguments when starting the Xserver. It then waits for the display number to be received from the Xserver via the `displayfd`, before the Xauthority file specified via the `-auth` parameter is actually written. This results in a race condition, creating a time window in which no valid Xauthority file exists while the Xserver is already running. The X.Org server, when encountering a non-existing, empty or corrupt/incomplete Xauthority file, will grant any connecting client access to the Xorg display [2]. A local unprivileged attacker can thus create an unauthorized connection to the Xserver and grab e.g. keyboard input events from other legitimate users accessing the Xserver. A simple reproducer works like this:

```
# run this from an unprivileged account before sddm is started to exploit
# the race condition and kill the X server
inotifywait /tmp/.X11-unix; while ! xkill; do :; done
```

The security issue was discovered by our SUSE sddm package maintainer Fabian Vogt. The issue is included in sddm since version 0.12.0 and was recently fixed in a new upstream release 0.19.0. The upstream commit fixing this issue is found in [3]. The SUSE bugzilla bug tracking this issue is found in [4]."
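The advisory's key condition is that Xorg treats a missing, empty or truncated Xauthority file as "no authentication required". The following checker is an added example, not code from the advisory, from sddm or from Gentoo: it parses the binary Xauthority format used by libXau (a 16-bit big-endian family, followed by four 16-bit-length-prefixed fields: address, display number, auth name, auth data) and classifies the file a display manager handed to the X server as `missing`, `empty`, `corrupt`, `no-cookie-for-display` or `ok`. Pointed at the path from a running X server's `-auth` argument, it tells an administrator or a post-start sanity check whether the display is actually protected at that moment. All function names, the constructed sample entry and the fixed cookie bytes are my own.

```python
import os
import struct

# Address-family values from <X11/Xauth.h>; FamilyLocal is the usual entry
# for a display reached over the Unix socket under /tmp/.X11-unix.
FAMILY_LOCAL = 256
FAMILY_WILD = 65535
COOKIE_NAME = "MIT-MAGIC-COOKIE-1"
COOKIE_LEN = 16


def _read_counted(buf, off):
    """Read one 16-bit big-endian length-prefixed field (libXau layout)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field at offset %d" % off)
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated field body at offset %d" % off)
    return buf[off:off + n], off + n


def parse_xauthority(buf):
    """Parse Xauthority bytes into a list of entry dicts.

    Raises ValueError on any truncated or otherwise corrupt input, which is
    exactly the state Xorg would silently accept as 'no auth'."""
    entries = []
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated family field at offset %d" % off)
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        address, off = _read_counted(buf, off)
        number, off = _read_counted(buf, off)
        name, off = _read_counted(buf, off)
        data, off = _read_counted(buf, off)
        entries.append({
            "family": family,
            "address": address,
            "number": number.decode("ascii", "replace"),
            "name": name.decode("ascii", "replace"),
            "data": data,
        })
    return entries


def build_entry(family, address, number, name, data):
    """Serialise one entry in the same layout; used here to construct sample input."""
    out = struct.pack(">H", family)
    for field in (address, number.encode(), name.encode(), data):
        out += struct.pack(">H", len(field)) + field
    return out


def classify_xauth_bytes(buf, display_number):
    """Classify already-read Xauthority bytes for the given display number."""
    if not buf:
        return "empty"
    try:
        entries = parse_xauthority(buf)
    except ValueError:
        return "corrupt"
    for e in entries:
        if (e["number"] == str(display_number)
                and e["name"] == COOKIE_NAME
                and len(e["data"]) == COOKIE_LEN):
            return "ok"
    return "no-cookie-for-display"


def xauth_status(path, display_number):
    """Classify the Xauthority file at `path` (the X server's -auth argument)."""
    if not os.path.exists(path):
        return "missing"
    with open(path, "rb") as f:
        return classify_xauth_bytes(f.read(), display_number)


if __name__ == "__main__":
    # Constructed sample: one FamilyLocal cookie for display :0 with a fixed
    # (non-secret, demo-only) 16-byte value.
    sample = build_entry(FAMILY_LOCAL, b"host", "0", COOKIE_NAME, b"\x01" * 16)
    print("complete file  :", classify_xauth_bytes(sample, 0))
    print("truncated file :", classify_xauth_bytes(sample[:-5], 0))
    print("empty file     :", classify_xauth_bytes(b"", 0))
    print("wrong display  :", classify_xauth_bytes(sample, 1))
    print("missing path   :", xauth_status("/nonexistent/constructed/.Xauthority", 0))
```

Anything other than `ok` means the running server is in the state the advisory describes, regardless of how the file got there; the `corrupt` result in particular covers the "incomplete" case where the display manager has begun writing the file but a client connects before the write is finished.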
Patch: https://github.com/sddm/sddm/commit/be202f533ab98a684c6a007e8d5b4357846bc222. Please apply or bump to 0.19.0.
Ping.
We should perhaps wait with a bump to 0.19.0 until upstream fixed the following regression: https://github.com/sddm/sddm/issues/1316
Created attachment 671800: sddm-0.19.0-pam-1.4-substack.patch

While toying with 0.19.0 I had to "fix" the pam-1.4 patch
Yup, we don't need yet another race condition in SDDM. A big update on the ebuild will be incoming soon, anyway, perhaps I should just make a PR with 0.19.0 while we wait for them to fix their stuff.
*** Bug 790713 has been marked as a duplicate of this bug. ***
Ping: any news?
Package list is empty or all packages have requested keywords.
*** Bug 832635 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4358362c18fef2411b0053d9556745e749d3afdd

commit 4358362c18fef2411b0053d9556745e749d3afdd
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-18 18:59:55 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-02-26 21:06:43 +0000

    x11-misc/sddm: Drop vulnerable 0.15.0

    Bug: https://bugs.gentoo.org/753104
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 profiles/package.mask               |  5 ---
 x11-misc/sddm/Manifest              |  1 -
 x11-misc/sddm/sddm-0.15.0-r2.ebuild | 63 -------------------------------------
 3 files changed, 69 deletions(-)
Cleanup done, kde proj out.
Actually not done yet.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=943445b50d918a2a5ac0712105e109973147eb6e

commit 943445b50d918a2a5ac0712105e109973147eb6e
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-03-27 19:42:50 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-04-01 14:47:07 +0000

    x11-misc/sddm: migrate to glep-81

    Also added tmpfiles handling and patch for CVE-2020-28049.

    Bug: https://bugs.gentoo.org/753104
    Closes: https://bugs.gentoo.org/802306
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../sddm/files/sddm-0.18.1-cve-2020-28049.patch |  94 +++++++++++++++++
 x11-misc/sddm/files/sddm.tmpfiles               |   1 +
 x11-misc/sddm/sddm-0.18.1-r6.ebuild             | 116 +++++++++++++++++++++
 3 files changed, 211 insertions(+)
Thanks!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c2f2e12abcee705d727ecccbf9f6b6d07374710

commit 4c2f2e12abcee705d727ecccbf9f6b6d07374710
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-04-02 12:37:49 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-04-02 12:37:49 +0000

    x11-misc/sddm: Cleanup vulnerable 0.18.1-r5

    Bug: https://bugs.gentoo.org/753104
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 x11-misc/sddm/files/sddm-0.16.0-ck2-revert.patch |  20 ----
 x11-misc/sddm/files/sddm-0.18.0-Xsession.patch   |  24 -----
 x11-misc/sddm/sddm-0.18.1-r5.ebuild              | 111 ----------------------
 3 files changed, 155 deletions(-)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=24849bc07aa8af43e4c5725512424f704a3d63a2

commit 24849bc07aa8af43e4c5725512424f704a3d63a2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-03 06:18:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-03 06:23:15 +0000

    [ GLSA 202402-02 ] SDDM: Privilege Escalation

    Bug: https://bugs.gentoo.org/753104
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-02.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)