[Pkg-kde-commits] rev 1703 - in
branches/kde-3.4.0/packages/kdebase/debian: . man patches
Christopher Martin
chrsmrtn-guest at costa.debian.org
Mon Sep 5 23:34:33 UTC 2005
Author: chrsmrtn-guest
Date: 2005-09-05 23:34:32 +0000 (Mon, 05 Sep 2005)
New Revision: 1703
Added:
branches/kde-3.4.0/packages/kdebase/debian/patches/01_kdebase_branch_r457324.diff
branches/kde-3.4.0/packages/kdebase/debian/patches/27_CAN-2005-2494.diff
Modified:
branches/kde-3.4.0/packages/kdebase/debian/changelog
branches/kde-3.4.0/packages/kdebase/debian/control
branches/kde-3.4.0/packages/kdebase/debian/man/kdesu.1
Log:
A branch update for kdebase, and add the security fix, oddly not yet in the BRANCH.
Modified: branches/kde-3.4.0/packages/kdebase/debian/changelog
===================================================================
--- branches/kde-3.4.0/packages/kdebase/debian/changelog 2005-09-05 23:32:19 UTC (rev 1702)
+++ branches/kde-3.4.0/packages/kdebase/debian/changelog 2005-09-05 23:34:32 UTC (rev 1703)
@@ -1,7 +1,12 @@
kdebase (4:3.4.2-3) unstable; urgency=low
+ * KDE_3_4_BRANCH update.
+
+++ Changes by Christopher Martin:
+ * Add an upstream patch for a local root exploit, CAN-2005-2494, in the
+ kcheckpass binary.
+
* Add a NEWS entry that explains the KDM upgrade process for users moving
from KDM 3.3.x. (Closes: #326542)
Modified: branches/kde-3.4.0/packages/kdebase/debian/control
===================================================================
--- branches/kde-3.4.0/packages/kdebase/debian/control 2005-09-05 23:32:19 UTC (rev 1702)
+++ branches/kde-3.4.0/packages/kdebase/debian/control 2005-09-05 23:34:32 UTC (rev 1703)
@@ -2,7 +2,7 @@
Section: kde
Priority: optional
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org>
-Uploaders: Isaac Clerencia <isaac at debian.org>, Pierre Habouzit <madcoder at debian.org>, Christopher Martin <chrsmrtn at freeshell.org>, Adeodato Simó <asp16 at alu.ua.es>, Riku Voipio <riku.voipio at iki.fi>
+Uploaders: Isaac Clerencia <isaac at debian.org>, Pierre Habouzit <madcoder at debian.org>, Christopher Martin <chrsmrtn at debian.org>, Adeodato Simó <asp16 at alu.ua.es>, Riku Voipio <riku.voipio at iki.fi>
Build-Depends: g++-3.4 [arm m68k hppa], cdbs (>= 0.4.27), debhelper (>= 4.2.30), autotools-dev, gawk, gettext, kdelibs4-dev (>= 4:3.4.2), dbus-qt-1-dev, libldap2-dev, libhal-dev, libhal-storage-dev, libncurses5-dev, libpam0g-dev, libpopt-dev, libraw1394-dev, libsensors-dev, libsmbclient-dev, libusb-dev, libxtst-dev, xutils, xlibs-static-pic, libxss-dev, libxxf86misc-dev, libxau-dev, libxdmcp-dev, libxcomposite-dev, libxdamage-dev, sharutils, texinfo
Build-Depends-Indep: doxygen, qt3-doc, graphviz, gsfonts-x11
Build-Conflicts: nvidia-glx
Modified: branches/kde-3.4.0/packages/kdebase/debian/man/kdesu.1
===================================================================
--- branches/kde-3.4.0/packages/kdebase/debian/man/kdesu.1 2005-09-05 23:32:19 UTC (rev 1702)
+++ branches/kde-3.4.0/packages/kdebase/debian/man/kdesu.1 2005-09-05 23:34:32 UTC (rev 1703)
@@ -87,4 +87,4 @@
.br
Pietro Iglio <iglio at fub.it>
.PP
-This manual page was written by Christopher Martin <chrsmrtn at freeshell.org> for Debian GNU/Linux, but may be used by others. It borrows from an earlier manpage by Karolina Lindqvist <pgd\-karolinali at algonet.se>.
+This manual page was written by Christopher Martin <chrsmrtn at debian.org> for Debian GNU/Linux, but may be used by others. It borrows from an earlier manpage by Karolina Lindqvist <pgd\-karolinali at algonet.se>.
Added: branches/kde-3.4.0/packages/kdebase/debian/patches/01_kdebase_branch_r457324.diff
===================================================================
--- branches/kde-3.4.0/packages/kdebase/debian/patches/01_kdebase_branch_r457324.diff 2005-09-05 23:32:19 UTC (rev 1702)
+++ branches/kde-3.4.0/packages/kdebase/debian/patches/01_kdebase_branch_r457324.diff 2005-09-05 23:34:32 UTC (rev 1703)
@@ -0,0 +1,155 @@
+#DPATCHLEVEL=0
+--- kicker/menuext/system/systemmenu.desktop (revision 456201)
++++ kicker/menuext/system/systemmenu.desktop (revision 457324)
+@@ -47,7 +47,7 @@
+ Name[pt]=Sistema
+ Name[pt_BR]=Sistema
+ Name[ro]=Sistem
+-Name[ru]=Системные
++Name[ru]=Система
+ Name[se]=Vuogádat
+ Name[sk]=Systém
+ Name[sl]=Sistem
+--- kappfinder/apps/Internet/Sylpheed.desktop (revision 456201)
++++ kappfinder/apps/Internet/Sylpheed.desktop (revision 457324)
+@@ -56,7 +56,7 @@
+ GenericName[oc]=Programari de correu electrònic
+ GenericName[pa]=ਪੱਤਰ ਕਲਾਂਇਟ
+ GenericName[pl]=Program do wysyłania i odbierania poczty elektronicznej
+-GenericName[pt]=Client de E-mail
++GenericName[pt]=Cliente de E-mail
+ GenericName[pt_BR]=Cliente de E-mail
+ GenericName[ro]=Program de poştă electronică
+ GenericName[ru]=Клиент электронной почты
+--- kappfinder/apps/Internet/mozilla-thunderbird.desktop (revision 456201)
++++ kappfinder/apps/Internet/mozilla-thunderbird.desktop (revision 457324)
+@@ -59,7 +59,7 @@
+ GenericName[oc]=Programari de correu electrònic
+ GenericName[pa]=ਪੱਤਰ ਕਲਾਂਇਟ
+ GenericName[pl]=Program do wysyłania i odbierania poczty elektronicznej
+-GenericName[pt]=Client de E-mail
++GenericName[pt]=Cliente de E-mail
+ GenericName[pt_BR]=Cliente de E-mail
+ GenericName[ro]=Program de poştă electronică
+ GenericName[ru]=Клиент электронной почты
+--- kappfinder/apps/Internet/xfmail.desktop (revision 456201)
++++ kappfinder/apps/Internet/xfmail.desktop (revision 457324)
+@@ -68,7 +68,7 @@
+ GenericName[oc]=Programari de correu electrònic
+ GenericName[pa]=ਪੱਤਰ ਕਲਾਂਇਟ
+ GenericName[pl]=Program do wysyłania i odbierania poczty elektronicznej
+-GenericName[pt]=Client de E-mail
++GenericName[pt]=Cliente de E-mail
+ GenericName[pt_BR]=Cliente de E-mail
+ GenericName[ro]=Program de poştă electronică
+ GenericName[ru]=Клиент электронной почты
+--- kappfinder/apps/Internet/balsa.desktop (revision 456201)
++++ kappfinder/apps/Internet/balsa.desktop (revision 457324)
+@@ -58,7 +58,7 @@
+ GenericName[oc]=Programari de correu electrònic
+ GenericName[pa]=ਪੱਤਰ ਕਲਾਂਇਟ
+ GenericName[pl]=Program do wysyłania i odbierania poczty elektronicznej
+-GenericName[pt]=Client de E-mail
++GenericName[pt]=Cliente de E-mail
+ GenericName[pt_BR]=Cliente de E-mail
+ GenericName[ro]=Program de poştă electronică
+ GenericName[ru]=Клиент электронной почты
+--- kappfinder/apps/Internet/Netscapemessenger.desktop (revision 456201)
++++ kappfinder/apps/Internet/Netscapemessenger.desktop (revision 457324)
+@@ -73,7 +73,7 @@
+ GenericName[oc]=Programari de correu electrònic
+ GenericName[pa]=ਪੱਤਰ ਕਲਾਂਇਟ
+ GenericName[pl]=Program do wysyłania i odbierania poczty elektronicznej
+-GenericName[pt]=Client de E-mail
++GenericName[pt]=Cliente de E-mail
+ GenericName[pt_BR]=Cliente de E-mail
+ GenericName[ro]=Program de poştă electronică
+ GenericName[ru]=Клиент электронной почты
+--- kappfinder/apps/Internet/Evolution.desktop (revision 456201)
++++ kappfinder/apps/Internet/Evolution.desktop (revision 457324)
+@@ -64,7 +64,7 @@
+ GenericName[oc]=Programari de correu electrònic
+ GenericName[pa]=ਪੱਤਰ ਕਲਾਂਇਟ
+ GenericName[pl]=Program do wysyłania i odbierania poczty elektronicznej
+-GenericName[pt]=Client de E-mail
++GenericName[pt]=Cliente de E-mail
+ GenericName[pt_BR]=Cliente de E-mail
+ GenericName[ro]=Program de poştă electronică
+ GenericName[ru]=Клиент электронной почты
+--- kappfinder/apps/Internet/Terminal/mutt.desktop (revision 456201)
++++ kappfinder/apps/Internet/Terminal/mutt.desktop (revision 457324)
+@@ -60,7 +60,7 @@
+ GenericName[oc]=Programari de correu electrònic
+ GenericName[pa]=ਪੱਤਰ ਕਲਾਂਇਟ
+ GenericName[pl]=Program do wysyłania i odbierania poczty elektronicznej
+-GenericName[pt]=Client de E-mail
++GenericName[pt]=Cliente de E-mail
+ GenericName[pt_BR]=Cliente de E-mail
+ GenericName[ro]=Program de poştă electronică
+ GenericName[ru]=Клиент электронной почты
+--- kappfinder/apps/Internet/Terminal/pine.desktop (revision 456201)
++++ kappfinder/apps/Internet/Terminal/pine.desktop (revision 457324)
+@@ -64,7 +64,7 @@
+ GenericName[oc]=Programari de correu electrònic
+ GenericName[pa]=ਪੱਤਰ ਕਲਾਂਇਟ
+ GenericName[pl]=Program do wysyłania i odbierania poczty elektronicznej
+-GenericName[pt]=Client de E-mail
++GenericName[pt]=Cliente de E-mail
+ GenericName[pt_BR]=Cliente de E-mail
+ GenericName[ro]=Program de poştă electronică
+ GenericName[ru]=Клиент электронной почты
+--- kdesktop/init/System.desktop (revision 456201)
++++ kdesktop/init/System.desktop (revision 457324)
+@@ -47,7 +47,7 @@
+ Name[pt]=Sistema
+ Name[pt_BR]=Sistema
+ Name[ro]=Sistem
+-Name[ru]=Системные
++Name[ru]=Система
+ Name[se]=Vuogádat
+ Name[sk]=Systém
+ Name[sl]=Sistem
+--- kdesktop/init/Templates/linkURL.desktop (revision 456201)
++++ kdesktop/init/Templates/linkURL.desktop (revision 457324)
+@@ -104,7 +104,7 @@
+ Comment[pt]=Indique o atalho para a localização (URL):
+ Comment[pt_BR]=Digite o link para a localização (URL):
+ Comment[ro]=Introduceţi legătura către locaţie (URL):
+-Comment[ru]=Адрес на ресурс Интернета:
++Comment[ru]=Адрес в Интернете:
+ Comment[se]=Bija leaŋkka fierpmádatčujuhussii (URL):
+ Comment[sk]=Zadajte odkaz na umiestnenie (URL):
+ Comment[sl]=Vnesite povezavo do mesta (URL):
+--- kdesktop/init/Templates/linkProgram.desktop (revision 456201)
++++ kdesktop/init/Templates/linkProgram.desktop (revision 457324)
+@@ -44,7 +44,7 @@
+ Name[pt]=Atalho para Aplicação...
+ Name[pt_BR]=Link para Aplicativo...
+ Name[ro]=Legătură către aplicaţie...
+-Name[ru]=Ссылку на приложение...
++Name[ru]=Ссылка на приложение...
+ Name[se]=Leaŋka prográmmii ...
+ Name[sk]=Odkaz na aplikáciu...
+ Name[sl]=Povezava do programa ...
+--- kdesktop/init/Templates/HTMLFile.desktop (revision 456201)
++++ kdesktop/init/Templates/HTMLFile.desktop (revision 457324)
+@@ -44,7 +44,7 @@
+ Name[pt]=Ficheiro HTML...
+ Name[pt_BR]=Arquivo HTML...
+ Name[ro]=Fişier HTML...
+-Name[ru]=Страницу HTML...
++Name[ru]=Страница HTML...
+ Name[se]=HTML-fiila ...
+ Name[sk]=Súbor HTML...
+ Name[sl]=Datoteka HTML ...
+--- applnk/kde-system.directory (revision 456201)
++++ applnk/kde-system.directory (revision 457324)
+@@ -48,7 +48,7 @@
+ Name[pt]=Sistema
+ Name[pt_BR]=Sistema
+ Name[ro]=Sistem
+-Name[ru]=Системные
++Name[ru]=Система
+ Name[se]=Vuogádat
+ Name[sk]=Systém
+ Name[sl]=Sistem
Added: branches/kde-3.4.0/packages/kdebase/debian/patches/27_CAN-2005-2494.diff
===================================================================
--- branches/kde-3.4.0/packages/kdebase/debian/patches/27_CAN-2005-2494.diff 2005-09-05 23:32:19 UTC (rev 1702)
+++ branches/kde-3.4.0/packages/kdebase/debian/patches/27_CAN-2005-2494.diff 2005-09-05 23:34:32 UTC (rev 1703)
@@ -0,0 +1,154 @@
+--- kde.orig/kcheckpass/kcheckpass.c
++++ kde.patched/kcheckpass/kcheckpass.c
+@@ -14,7 +14,7 @@
+ *
+ * You should have received a copy of the GNU General Public
+ * License along with this program; if not, write to the Free
+- * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++ * Software Foundation, Inc., 51 Franklin Steet, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *
+ * kcheckpass is a simple password checker. Just invoke and
+@@ -264,8 +264,13 @@
+
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
++ va_end(ap);
+ }
+
++#ifndef O_NOFOLLOW
++# define O_NOFOLLOW 0
++#endif
++
+ static void ATTR_NORETURN
+ usage(int exitval)
+ {
+@@ -286,6 +291,14 @@
+ exit(exitval);
+ }
+
++static int exclusive_lock(int fd)
++{
++ struct flock lk;
++ lk.l_type = F_WRLCK;
++ lk.l_whence = SEEK_SET;
++ lk.l_start = lk.l_len = 0;
++ return fcntl(fd, F_SETLKW, &lk);
++}
+
+ int
+ main(int argc, char **argv)
+@@ -299,10 +312,13 @@
+ char *p;
+ #endif
+ struct passwd *pw;
+- int c, nfd, lfd, numtries;
++ int c, nfd, tfd, lfd;
+ uid_t uid;
+- long lasttime;
++ time_t lasttime;
+ AuthReturn ret;
++ char tmpname[64], fname[64], fcont[64];
++ time_t left = 3;
++ lfd = tfd = 0;
+
+ #ifdef HAVE_OSF_C2_PASSWD
+ initialize_osf_security(argc, argv);
+@@ -371,6 +387,41 @@
+ return AuthError;
+ }
+ }
++
++ /* see if we had already a failed attempt */
++ if ( uid != geteuid() ) {
++ strcpy(tmpname, "/var/lock/kcheckpass.tmp.XXXXXX");
++ if ((tfd=mkstemp(tmpname)) < 0)
++ return AuthError;
++
++ /* try locking out concurrent kcheckpass processes */
++ exclusive_lock(tfd);
++
++ write(tfd, fcont, sprintf(fcont, "%lu\n", time(0)+left));
++ (void) lseek(tfd, 0, SEEK_SET);
++
++ sprintf(fname, "/var/lock/kcheckpass.%d", uid );
++
++ if ((lfd = open(fname, O_RDWR | O_NOFOLLOW)) >= 0) {
++ if (exclusive_lock(lfd) == 0) {
++ if ((c = read(lfd, fcont, sizeof(fcont)-1)) > 0 &&
++ (fcont[c] = '\0', sscanf(fcont, "%ld", &lasttime) == 1))
++ {
++ time_t ct = time(0);
++
++ /* in case we were killed early, sleep the remaining time
++ * to properly enforce invocation throttling and make sure
++ * that users can't use kcheckpass for bruteforcing password
++ */
++ if(lasttime > ct && lasttime < ct + left)
++ sleep (lasttime - ct);
++ }
++ }
++ close(lfd);
++ }
++ rename(tmpname, fname);
++ }
++
+ /* Now do the fandango */
+ ret = Authenticate(
+ #ifdef HAVE_PAM
+@@ -379,35 +430,21 @@
+ method,
+ username,
+ sfd < 0 ? conv_legacy : conv_server);
++
+ if (ret == AuthOk || ret == AuthBad) {
+ /* Security: Don't undermine the shadow system. */
+ if (uid != geteuid()) {
+- char fname[32], fcont[32];
+- sprintf(fname, "/var/lock/kcheckpass.%d", uid);
+- if ((lfd = open(fname, O_RDWR | O_CREAT)) >= 0) {
+- struct flock lk;
+- lk.l_type = F_WRLCK;
+- lk.l_whence = SEEK_SET;
+- lk.l_start = lk.l_len = 0;
+- if (fcntl(lfd, F_SETLKW, &lk))
+- return AuthError;
+- if ((c = read(lfd, fcont, sizeof(fcont))) > 0 &&
+- (fcont[c] = 0, sscanf(fcont, "%ld %d\n", &lasttime, &numtries) == 2))
+- {
+- time_t left = lasttime - time(0);
+- if (numtries < 20)
+- numtries++;
+- left += 2 << (numtries > 10 ? numtries - 10 : 0);
+- if (left > 0)
+- sleep(left);
+- } else
+- numtries = 0;
+- if (ret == AuthBad) {
+- lseek(lfd, 0, SEEK_SET);
+- write(lfd, fcont, sprintf(fcont, "%ld %d\n", time(0), numtries));
+- } else
+- unlink(fname);
+- }
++ if (ret == AuthBad) {
++ write(tfd, fcont, sprintf(fcont, "%lu\n", time(0)+left));
++ } else
++ unlink(fname);
++
++ unlink(tmpname);
++
++ if (ret == AuthBad)
++ sleep(left);
++
++ close(tfd);
+ }
+ if (ret == AuthBad) {
+ message("Authentication failure\n");
+@@ -417,6 +454,7 @@
+ }
+ }
+ }
++
+ return ret;
+ }
+
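Review bot: In the new pre-authentication block of main() in kcheckpass.c, the results of `exclusive_lock(tfd)`, `write()` and `rename(tmpname, fname)` are ignored, so if the timestamp file cannot be written or moved into place, the on-disk record that the comment says enforces the delay after an early kill is never installed and the throttle fails open. Failing closed would be safer, e.g. `if (rename(tmpname, fname) < 0) { unlink(tmpname); close(tfd); return AuthError; }`, with the same treatment for a failed or short write. The declaration hunk changes `lasttime` to `time_t`, but it is still read with `sscanf(fcont, "%ld", &lasttime)` and `time(0)+left` is printed with `%lu`, which only matches where `time_t` is `long`; parsing into a `long` temporary and casting on output avoids the mismatch. The `#define O_NOFOLLOW 0` fallback also means the symlink protection on `open(fname, O_RDWR | O_NOFOLLOW)` is silently absent on platforms lacking the flag, which deserves at least a comment or an `fstat()` check that the opened file is a regular file. Parts of main() between the inner hunks are not shown, so these points rest on the visible lines only.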