Bugzilla – Bug 897788
VUL-1: CVE-2014-7272: sddm: various local privilege issues
Last modified: 2016-03-17 18:14:33 UTC
A new window manager called "sddm" uses /etc/dbus-1/system.d/org.freedesktop.DisplayManager.conf which we previously whitelisted for lightdm. We need to look at the DBUS service usage of sddm.
There are various problems with this display manager, I will make one comment for each security issue.
The user "sddm" can log in without authentication. This is because if sddm detects that user in the PamBackend, it has:

    if (user == "sddm")
        service = "sddm-greeter";
    else if (m_app->session()->path().isEmpty())
        service = "sddm-check";
    else if (m_autologin)
        service = "sddm-autologin";
    result = m_pam->start(service, user);

and the sddm-greeter PAM config basically just has a pam_permit. Don't know how the initial user list during the greeter session is created, but it seems to skip UIDs < 1000, so the sddm user is not available for choosing in the first place. Nevertheless, this is at least fail-open and might be worse in the future if XDMCP is implemented or user names can be passed by other means (which might already work somehow).
The xauth cookie handling code calls the xauth binary via popen() as root, which in turn dumps and creates files as root in the user's ~. This is a local root exploit.
After xauth has done its job, sddm chown()s the ~/.Xauthority file to the user. This is a race and a local root exploit. By fixing the issue from the former comment, invoking xauth as the user, we can save this chown() and fix both issues altogether.
The .xsession-errors file is created in ~ but as root. This allows destroying arbitrary system files.
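The three comments above describe one bug class: a root process opening or creating files under a home directory the user controls. The C program below is an added example, not sddm's own code, that reproduces the symlink attack against a ~/.xsession-errors-style file in a constructed temporary "home" (so it runs unprivileged), contrasts the naive open() with an O_NOFOLLOW open, and shows the shape of the upstream fix: doing the file work in a child that has dropped to the session user, so root never touches the file and no chown() race remains. The directory, file names and the fake system-file contents are constructed for the demo.

```c
/* Added example (not sddm code): why a root process must not create files
 * in an untrusted home with default open() flags, and how "do it as the
 * user" removes the problem. Runs unprivileged in a throwaway directory. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a system file the attacker wants destroyed. */
static const char SYSFILE[] = "root:x:0:0:root:/root:/bin/sh\n";

/* Vulnerable: equivalent to fopen(path, "w") as root. A symlink planted by
 * the user at ~/.xsession-errors redirects the O_TRUNC to its target. */
int create_log_naive(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    return close(fd);
}

/* Partial hardening: refuse to follow a symlink at the final component.
 * Parent directories can still be swapped, so this alone is not enough. */
int create_log_nofollow(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    return close(fd);
}

/* The real fix: create the file in a child that has dropped to the session
 * user. Nothing root does can then be redirected by the user's symlinks,
 * and the file is owned by the user from the start (no chown() race).
 * Returns 0 on success or the child's errno on failure. */
int create_log_as_user(const char *path, uid_t uid, gid_t gid) {
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        /* Only root may reset supplementary groups; drop gid before uid. */
        if (getuid() == 0 && setgroups(0, NULL) != 0) _exit(errno);
        if (setgid(gid) != 0 || setuid(uid) != 0) _exit(errno);
        if (uid != 0 && setuid(0) == 0) _exit(EPERM); /* drop must stick */
        _exit(create_log_nofollow(path) == 0 ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINVAL;
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

static int write_sysfile(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(SYSFILE, f);
    return fclose(f);
}

/* Build a throwaway "home" with the attacker's symlink in place, then run
 * the three variants. Results are reported through the out-pointers. */
int run_symlink_demo(int *naive_truncated, int *nofollow_errno,
                     int *as_user_errno, int *plain_ok) {
    char home[] = "/tmp/xsession-demo-XXXXXX";   /* constructed location */
    char target[256], link[256], plain[256];
    if (!mkdtemp(home)) return -1;
    snprintf(target, sizeof target, "%s/fake-system-file", home);
    snprintf(link, sizeof link, "%s/.xsession-errors", home);
    snprintf(plain, sizeof plain, "%s/.xsession-errors.ok", home);

    if (write_sysfile(target) != 0) return -1;
    if (symlink("fake-system-file", link) != 0) return -1; /* attacker's step */

    create_log_naive(link);                       /* follows the symlink */
    *naive_truncated = file_size(target) == 0;

    write_sysfile(target);                        /* restore, try again */
    errno = 0;
    create_log_nofollow(link);
    *nofollow_errno = errno;                      /* ELOOP: refused */

    *as_user_errno = create_log_as_user(link, getuid(), getgid());
    *plain_ok = create_log_as_user(plain, getuid(), getgid()) == 0
                && file_size(plain) == 0;

    unlink(plain); unlink(link); unlink(target); rmdir(home);
    return 0;
}

int main(void) {
    int t, e, u, ok;
    if (run_symlink_demo(&t, &e, &u, &ok) != 0) return 1;
    printf("naive open truncated the target: %d\n", t);
    printf("O_NOFOLLOW refused with errno %d (ELOOP is %d)\n", e, ELOOP);
    printf("as-user child refused: errno %d; plain file created: %d\n", u, ok);
    return 0;
}
```

Run unprivileged, the drop to getuid()/getgid() is a no-op, which is exactly the point: the same code path works whether the caller is root or not, and the file is never opened with root's credentials. The O_NOFOLLOW variant is kept only to show why it is insufficient on its own.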
Patch for the sddm user: https://github.com/sddm/sddm/pull/279 (CVE-2014-7271)
File race issues: https://github.com/sddm/sddm/pull/280 (CVE-2014-7272)
Please submit patches for Factory.
I'll remove sddm from Factory and 13.2 for the time being. It went into Factory by mistake anyway (the file conflict with lightdm should have been spotted but wasn't).
bugbot adjusting priority
@Sebastian, please take a look at the current package at KDE:Frameworks5/sddm. I've updated to master, where both mentioned requests have been merged.
ping. According to upstream, all issues should be resolved. I've updated to the 0.10.0 release in KDE:Frameworks5, and I would really like, with the sec-team's and Stephan's permission, to have it back in 13.2! Thanks!
From what I see in the git, both patches make sense, so you can go ahead adding it back to Factory. We'd need to review it again anyway in quite some time, since I expect a lot of code to be added/changed.
This is an autogenerated message for OBS integration: This bug (897788) was mentioned in https://build.opensuse.org/request/show/264472 Factory / sddm
done
This is an autogenerated message for OBS integration: This bug (897788) was mentioned in https://build.opensuse.org/request/show/264718 Factory / sddm
Sebastian, an rpmlint diff was also needed, but Hrvoje submitted it already:

    + # sddm (boo#897788)
    + "sddm_org.freedesktop.DisplayManager.conf",

I went and accepted it.
SUSE-RU-2016:0808-1: An update that has 9 recommended fixes can now be installed. Category: recommended (low) Bug References: 897788,904060,907625,907662,915769,916766,918799,928492,941993 CVE References: Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): rpmlint-1.5-26.3.2