[gentoo-commits] repo/gentoo:master commit in: x11-misc/sddm/, x11-misc/sddm/files/

["Andreas Sturmlechner" <asturm@gentoo.org>]

commit:     943445b50d918a2a5ac0712105e109973147eb6e
Author:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>
AuthorDate: Sun Mar 27 19:42:50 2022 +0000
Commit:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Fri Apr  1 14:47:07 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=943445b5

x11-misc/sddm: migrate to glep-81

Also added tmpfiles handling and patch for CVE-2020-28049.

Bug: https://bugs.gentoo.org/753104
Closes: https://bugs.gentoo.org/802306
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>

 .../sddm/files/sddm-0.18.1-cve-2020-28049.patch    |  94 +++++++++++++++++
 x11-misc/sddm/files/sddm.tmpfiles                  |   1 +
 x11-misc/sddm/sddm-0.18.1-r6.ebuild                | 116 +++++++++++++++++++++
 3 files changed, 211 insertions(+)

diff --git a/x11-misc/sddm/files/sddm-0.18.1-cve-2020-28049.patch b/x11-misc/sddm/files/sddm-0.18.1-cve-2020-28049.patch
new file mode 100644
index 000000000000..8209c0739dc6
--- /dev/null
+++ b/x11-misc/sddm/files/sddm-0.18.1-cve-2020-28049.patch
@@ -0,0 +1,94 @@
+From be202f533ab98a684c6a007e8d5b4357846bc222 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@ritter-vogt.de>
+Date: Tue, 6 Oct 2020 21:21:38 +0200
+Subject: [PATCH] Fix X not having access control on startup
+
+If the auth file is empty, X allows any local application (= any user on the
+system) to connect. This is currently the case until X wrote the display
+number to sddm and sddm used that to write the entry into the file.
+To work around this chicken-and-egg problem, make use of the fact that X
+doesn't actually look at the display number in the passed auth file and just
+use :0 unconditionally. Also make sure that writing the entry was actually
+successful.
+
+CVE-2020-28049
+---
+ src/daemon/XorgDisplayServer.cpp | 25 ++++++++++++++++++++-----
+ src/daemon/XorgDisplayServer.h   |  2 +-
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/src/daemon/XorgDisplayServer.cpp b/src/daemon/XorgDisplayServer.cpp
+index d04f6344..df685b2d 100644
+--- a/src/daemon/XorgDisplayServer.cpp
++++ b/src/daemon/XorgDisplayServer.cpp
+@@ -88,7 +88,7 @@ namespace SDDM {
+         return m_cookie;
+     }
+ 
+-    void XorgDisplayServer::addCookie(const QString &file) {
++    bool XorgDisplayServer::addCookie(const QString &file) {
+         // log message
+         qDebug() << "Adding cookie to" << file;
+ 
+@@ -104,13 +104,13 @@ namespace SDDM {
+ 
+         // check file
+         if (!fp)
+-            return;
++            return false;
+         fprintf(fp, "remove %s\n", qPrintable(m_display));
+         fprintf(fp, "add %s . %s\n", qPrintable(m_display), qPrintable(m_cookie));
+         fprintf(fp, "exit\n");
+ 
+         // close pipe
+-        pclose(fp);
++        return pclose(fp) == 0;
+     }
+ 
+     bool XorgDisplayServer::start() {
+@@ -127,6 +127,15 @@ namespace SDDM {
+         // log message
+         qDebug() << "Display server starting...";
+ 
++        // generate auth file.
++        // For the X server's copy, the display number doesn't matter.
++        // An empty file would result in no access control!
++        m_display = QStringLiteral(":0");
++        if(!addCookie(m_authPath)) {
++            qCritical() << "Failed to write xauth file";
++            return false;
++        }
++
+         if (daemonApp->testing()) {
+             QStringList args;
+             QDir x11socketDir(QStringLiteral("/tmp/.X11-unix"));
+@@ -217,8 +226,14 @@ namespace SDDM {
+             emit started();
+         }
+ 
+-        // generate auth file
+-        addCookie(m_authPath);
++        // The file is also used by the greeter, which does care about the
++        // display number. Write the proper entry, if it's different.
++        if(m_display != QStringLiteral(":0")) {
++            if(!addCookie(m_authPath)) {
++                qCritical() << "Failed to write xauth file";
++                return false;
++            }
++        }
+         changeOwner(m_authPath);
+ 
+         // set flag
+diff --git a/src/daemon/XorgDisplayServer.h b/src/daemon/XorgDisplayServer.h
+index d2bdf6d4..e97a0b53 100644
+--- a/src/daemon/XorgDisplayServer.h
++++ b/src/daemon/XorgDisplayServer.h
+@@ -40,7 +40,7 @@ namespace SDDM {
+ 
+         const QString &cookie() const;
+ 
+-        void addCookie(const QString &file);
++        bool addCookie(const QString &file);
+ 
+     public slots:
+         bool start();

diff --git a/x11-misc/sddm/files/sddm.tmpfiles b/x11-misc/sddm/files/sddm.tmpfiles
new file mode 100644
index 000000000000..300d646138c1
--- /dev/null
+++ b/x11-misc/sddm/files/sddm.tmpfiles
@@ -0,0 +1 @@
+d /var/lib/sddm 0755 sddm sddm

diff --git a/x11-misc/sddm/sddm-0.18.1-r6.ebuild b/x11-misc/sddm/sddm-0.18.1-r6.ebuild
new file mode 100644
index 000000000000..ee7fbfa1a60b
--- /dev/null
+++ b/x11-misc/sddm/sddm-0.18.1-r6.ebuild
@@ -0,0 +1,116 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PLOCALES="ar bn ca cs da de es et fi fr hi_IN hu is it ja kk ko lt lv nb nl nn pl pt_BR pt_PT ro ru sk sr sr@ijekavian sr@ijekavianlatin sr@latin sv tr uk zh_CN zh_TW"
+inherit cmake plocale systemd tmpfiles
+
+DESCRIPTION="Simple Desktop Display Manager"
+HOMEPAGE="https://github.com/sddm/sddm"
+SRC_URI="https://github.com/${PN}/${PN}/releases/download/v${PV}/${P}.tar.xz"
+
+LICENSE="GPL-2+ MIT CC-BY-3.0 CC-BY-SA-3.0 public-domain"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="elogind +pam systemd test"
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="?? ( elogind systemd )"
+
+BDEPEND="
+	dev-python/docutils
+	>=dev-qt/linguist-tools-5.9.4:5
+	kde-frameworks/extra-cmake-modules:5
+	virtual/pkgconfig
+"
+RDEPEND="
+	acct-group/sddm
+	acct-user/sddm
+	>=dev-qt/qtcore-5.9.4:5
+	>=dev-qt/qtdbus-5.9.4:5
+	>=dev-qt/qtdeclarative-5.9.4:5
+	>=dev-qt/qtgui-5.9.4:5
+	>=dev-qt/qtnetwork-5.9.4:5
+	>=x11-base/xorg-server-1.15.1
+	x11-libs/libxcb[xkb]
+	elogind? ( sys-auth/elogind )
+	pam? ( sys-libs/pam )
+	!pam? ( virtual/libcrypt:= )
+	systemd? ( sys-apps/systemd:= )
+	!systemd? ( sys-power/upower )
+"
+DEPEND="${RDEPEND}
+	test? ( >=dev-qt/qttest-5.9.4:5 )
+"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-0.12.0-respect-user-flags.patch"
+	"${FILESDIR}/${PN}-0.18.0-Xsession.patch" # bug 611210
+	"${FILESDIR}/${PN}-0.18.0-sddmconfdir.patch"
+	# fix for groups: https://github.com/sddm/sddm/issues/1159
+	"${FILESDIR}/${P}-revert-honor-PAM-supplemental-groups.patch"
+	"${FILESDIR}/${P}-honor-PAM-supplemental-groups-v2.patch"
+	# fix for ReuseSession=true
+	"${FILESDIR}/${P}-only-reuse-online-sessions.patch"
+	# TODO: fix properly
+	"${FILESDIR}/${PN}-0.16.0-ck2-revert.patch" # bug 633920
+	"${FILESDIR}/pam-1.4-substack.patch"
+	# upstream git develop branch:
+	"${FILESDIR}/${P}-qt-5.15.2.patch"
+	# bug 753104
+	"${FILESDIR}/${P}-cve-2020-28049.patch"
+)
+
+src_prepare() {
+	cmake_src_prepare
+
+	disable_locale() {
+		sed -e "/${1}\.ts/d" -i data/translations/CMakeLists.txt || die
+	}
+	plocale_find_changes "data/translations" "" ".ts"
+	plocale_for_each_disabled_locale disable_locale
+
+	if ! use test; then
+		sed -e "/^find_package/s/ Test//" -i CMakeLists.txt || die
+		cmake_comment_add_subdirectory test
+	fi
+}
+
+src_configure() {
+	local mycmakeargs=(
+		-DENABLE_PAM=$(usex pam)
+		-DNO_SYSTEMD=$(usex '!systemd')
+		-DUSE_ELOGIND=$(usex 'elogind')
+		-DBUILD_MAN_PAGES=ON
+		-DDBUS_CONFIG_FILENAME="org.freedesktop.sddm.conf"
+	)
+	cmake_src_configure
+}
+
+src_install() {
+	cmake_src_install
+
+	newtmpfiles "${FILESDIR}/${PN}.tmpfiles" "${PN}.conf"
+
+	# Create a default.conf as upstream dropped /etc/sddm.conf w/o replacement
+	local confd="/usr/share/sddm/sddm.conf.d"
+	dodir ${confd}
+	"${D}"/usr/bin/sddm --example-config > "${D}/${confd}"/00default.conf \
+		|| die "Failed to create 00default.conf"
+
+	sed -e "/^InputMethod/s/qtvirtualkeyboard//" \
+		-e "/^ReuseSession/s/false/true/" \
+		-e "/^EnableHiDPI/s/false/true/" \
+		-i "${D}/${confd}"/00default.conf || die
+}
+
+pkg_postinst() {
+	tmpfiles_process "${PN}.conf"
+
+	elog "Starting with 0.18.0, SDDM no longer installs /etc/sddm.conf"
+	elog "Use it to override specific options. SDDM defaults are now"
+	elog "found in: /usr/share/sddm/sddm.conf.d/00default.conf"
+
+	systemd_reenable sddm.service
+}