A security issue in sddm has been announced today (October 14):
http://openwall.com/lists/oss-security/2015/10/14/2

The message above contains a link to the upstream commit to fix the issue.
From the patch:

Some themes may use KDE components which will automatically load KDE's crash handler. If the greeter were to then somehow crash, that would leave a crash handler allowing other actions, albeit as the locked down SDDM user. Only SDDM users using the breeze theme from plasma-workspace are affected.

Anyways, rediffed the patch and submitted sddm-0.11.0-1.1.mga5 to core/updates_testing. Will add an advisory tomorrow if nobody beats me to it, and will also try to crash the greeter by using the breeze theme.

FWIW, we do not ship the breeze theme with sddm; one would have to install plasma-workspace and explicitly choose the breeze theme. And then somehow get the greeter to crash.
Status: NEW => ASSIGNED
CC: (none) => doktor5000
Well, sddm does not seem to work with the breeze theme for me. As there is no real testcase, I can only pass this to QA for validation ...

There is now sddm-0.11.0-1.1.mga5 in core/updates_testing to validate.

========================
Suggested advisory:
========================

This update addresses the following CVEs:

- CVE-2015-0856

Pavel Avgustinov discovered [1] that sddm does not disable the KDE crash handler, and certain themes would allow shell access to the sddm user as a result in case of a crash. Only SDDM users using the breeze theme from plasma-workspace are affected. This issue was assigned CVE-1234-5678.

[1] http://openwall.com/lists/oss-security/2015/10/14/2

References:
https://github.com/sddm/sddm/commit/4cfed6b0a625593fb43876f04badc4dd99799d86

========================
Updated packages in {core,tainted}/updates_testing:
========================

i586
sddm-0.11.0-1.1.mga5.i586.rpm

x86_64
sddm-0.11.0-1.1.mga5.x86_64.rpm

Source RPMs:
sddm-0.11.0-1.1.mga5.src.rpm
Assignee: doktor5000 => qa-bugs
Thanks Florian!

Advisory:
========================

Pavel Avgustinov discovered that SDDM does not disable the KDE crash handler, and certain themes would allow shell access to the sddm user as a result in case of a crash (CVE-2015-0856). Only SDDM users using the Breeze theme from plasma-workspace are affected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0856
http://openwall.com/lists/oss-security/2015/10/14/2
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
(In reply to Florian Hubold from comment #1)
> Only SDDM users using the breeze theme from plasma-workspace are affected

Please coach me on how to get into this mode. Thanks.
CC: (none) => wilcal.int
Into which mode? If you use sddm as login manager, then edit /etc/sddm.conf to choose the breeze theme:

    [Theme]
    Current=breeze

then reboot or restart sddm (either via "systemctl restart prefdm" or "systemctl restart sddm", depending on how you set up the display manager service) with that theme and try to get sddm-greeter to crash.
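A check worth running before testing a theme this way, added here as an example and not part of the bug report or of sddm itself: confirm that the theme named in sddm.conf actually exists under the themes directory. Later in this thread a tester configured "breeze" on a box that did not have it, and sddm silently fell back to a different theme, so the test did not exercise the affected code. The function names below are hypothetical, and the paths are parameters; on a Mageia 5 system they would be /etc/sddm.conf and /usr/share/sddm/themes.

```shell
#!/bin/sh
# Added example: verify that the [Theme] Current= entry of an sddm.conf names a
# theme that is really installed, instead of trusting the greeter to tell you.

# sddm_current_theme CONF
# Print the Current= value from the [Theme] section of CONF (empty if unset).
# Only the [Theme] section is consulted, so a Current= key elsewhere is ignored.
sddm_current_theme() {
    awk -F= '
        /^[ \t]*\[/ { in_theme = ($0 ~ /^[ \t]*\[Theme\][ \t]*$/); next }
        in_theme && $1 ~ /^[ \t]*Current[ \t]*$/ {
            val = $2
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            print val; exit
        }' "$1"
}

# sddm_theme_installed CONF THEMESDIR
# Return 0 when the configured theme has a directory under THEMESDIR, 1 otherwise
# (also 1 when no theme is configured at all).
sddm_theme_installed() {
    theme=$(sddm_current_theme "$1")
    [ -n "$theme" ] && [ -d "$2/$theme" ]
}

# Constructed demo data (not a real system): a themes directory that only ships
# "circles" and a config asking for "breeze".
demo=$(mktemp -d)
mkdir -p "$demo/themes/circles"
printf '[Theme]\nCurrent=breeze\n\n[General]\nNumlock=on\n' > "$demo/sddm.conf"

if sddm_theme_installed "$demo/sddm.conf" "$demo/themes"; then
    echo "configured theme is installed"
else
    echo "configured theme '$(sddm_current_theme "$demo/sddm.conf")' is missing from $demo/themes"
fi
rm -rf "$demo"
```

Run it against the real files with `sddm_theme_installed /etc/sddm.conf /usr/share/sddm/themes` before restarting the display manager; if it fails, whatever the greeter shows afterwards is not the theme you think you are testing.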
Unless there's a reproducible test case for it, I wouldn't worry about trying to get it to crash. As long as it runs fine and doesn't blow up with any obvious regressions, that's the best we can test for at this point.
(In reply to Florian Hubold from comment #5)
> Into which mode? If you use sddm as login manager, then edit /etc/sddm.conf
> to choose the breeze theme:
>
> [Theme]
> Current=breeze
>
> then reboot or restart sddm (either via "systemctl restart prefdm" or
> "systemctl restart sddm" depending on how you setup the display manager
> service) with that theme and try to get sddm-greeter to crash.

In VirtualBox, M5, KDE, 32-bit

Package(s) under test: sddm

default install of sddm

    [root@localhost wilcal]# urpmi sddm
    Package sddm-0.11.0-1.mga5.i586 is already installed

Well I tried all that and it only resulted in the system booting to a terminal asking for user name and password. Once entered, that got me to a normal working desktop. I see no advantage to this package and it seems to be badly documented.
(In reply to William Kenney from comment #7)
> Well I tried all that and it only resulted in the system booting to a
> terminal asking for user name and password. Once entered that got me
> to a normal working desktop. I see no advantage to this package and it
> seems to be badly documented.

You tried all what? What exactly is badly documented? After you install sddm, if you want to use it as login manager you need to enable it, e.g. via http://doc.mageia.org/mcc/5/en/content/drakedm.html

It offers a minimal login manager with theme support, which will be used instead of kdm for plasma5, and also fits well with Qt desktops. It is widely used and works fine so far. Documenting sddm or enabling it is not the scope of this bug report.
Tried the update on a 64-bit system (mga5) with the breeze theme (loads of buttons) and recovered my Mate session. Localization was automatic; i.e. as soon as the user name was given the locale changed from USA to GB. The display manager was set up and restarted via drakconf.
CC: (none) => tarazed25
FWIW, sddm provides four man pages, one for sddm itself and another for sddm.conf which should be totally sufficient. Additionally it also contains /usr/share/doc/sddm/README.md which provides links to upstream documentation and is actually their project page on github: https://github.com/sddm/sddm/blob/master/README.md
Thanks for those links Florian. If this update needs the breeze theme then my test is not valid. There is no breeze in /usr/share/sddm/themes so when I specified breeze it actually used the first theme in the list which was circles (my loads of buttons). Maybe I can import breeze from Cauldron. Shall look into it anyway.
Quote from comment 1:
> Only SDDM users using the Breeze theme from plasma-workspace are affected.

I should have looked at that more closely. Handing this over to KDE users.
Please just ensure that sddm is working correctly with the updated packages. If so, you can add the OK. Thanks.
I'm gonna let the sddm experts work on this one.
(In reply to claire robinson from comment #13)
> Please just ensure that sddm is working correctly with the updated packages.
> If so, you can add the OK. Thanks.

Thanks Claire. Certainly it works, with all the available themes as well, but not with breeze, probably because I simply copied breeze from a Cauldron installation. Currently "breeze" presents a blank white screen, which entails a visit to maintenance mode to repair the damage (no virtual consoles on that particular machine). breeze works fine on Cauldron.

So OK for 64bits.
Whiteboard: advisory => advisory MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0429.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/663517/