summary refs log tree commit diff
path: root/gnu/packages/patches/gdm-CVE-2018-14424.patch
blob: 88a71f4151f7d0a0abb029872f6967ae2e1b22c9 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
Fix CVE-2018-14424:

https://gitlab.gnome.org/GNOME/gdm/issues/401
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14424

Patch copied from upstream source repository:

https://gitlab.gnome.org/GNOME/gdm/commit/1ac1697b3b019f50729a6e992065959586e170da

From 1ac1697b3b019f50729a6e992065959586e170da Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Thu, 19 Jul 2018 18:26:05 +0100
Subject: [PATCH] display-store: Pass the display object rather than the id in
 the removed signal

By the time GdmDisplayStore emits the "display-removed" signal, the display
is no longer in the store and gdm_display_store_lookup will not work in
signal handlers.

Change the "display-removed" parameter from the display id to the GdmDisplay
object, so that signal handers can perform any cleanup they need to do

CVE-2018-14424

Closes: https://gitlab.gnome.org/GNOME/gdm/issues/401
---
 daemon/gdm-display-store.c         | 11 +++--------
 daemon/gdm-display-store.h         |  2 +-
 daemon/gdm-local-display-factory.c | 13 +++----------
 daemon/gdm-manager.c               | 19 +++++++++----------
 daemon/gdm-manager.h               |  3 ++-
 5 files changed, 18 insertions(+), 30 deletions(-)

diff --git a/daemon/gdm-display-store.c b/daemon/gdm-display-store.c
index af76f519..fd24334e 100644
--- a/daemon/gdm-display-store.c
+++ b/daemon/gdm-display-store.c
@@ -76,15 +76,10 @@ stored_display_new (GdmDisplayStore *store,
 static void
 stored_display_free (StoredDisplay *stored_display)
 {
-        char *id;
-
-        gdm_display_get_id (stored_display->display, &id, NULL);
-
         g_signal_emit (G_OBJECT (stored_display->store),
                        signals[DISPLAY_REMOVED],
                        0,
-                       id);
-        g_free (id);
+                       stored_display->display);
 
         g_debug ("GdmDisplayStore: Unreffing display: %p",
                  stored_display->display);
@@ -281,9 +276,9 @@ gdm_display_store_class_init (GdmDisplayStoreClass *klass)
                               G_STRUCT_OFFSET (GdmDisplayStoreClass, display_removed),
                               NULL,
                               NULL,
-                              g_cclosure_marshal_VOID__STRING,
+                              g_cclosure_marshal_VOID__OBJECT,
                               G_TYPE_NONE,
-                              1, G_TYPE_STRING);
+                              1, G_TYPE_OBJECT);
 
         g_type_class_add_private (klass, sizeof (GdmDisplayStorePrivate));
 }
diff --git a/daemon/gdm-display-store.h b/daemon/gdm-display-store.h
index 28359933..0aff8ee2 100644
--- a/daemon/gdm-display-store.h
+++ b/daemon/gdm-display-store.h
@@ -49,7 +49,7 @@ typedef struct
         void          (* display_added)    (GdmDisplayStore *display_store,
                                             const char      *id);
         void          (* display_removed)  (GdmDisplayStore *display_store,
-                                            const char      *id);
+                                            GdmDisplay      *display);
 } GdmDisplayStoreClass;
 
 typedef enum
diff --git a/daemon/gdm-local-display-factory.c b/daemon/gdm-local-display-factory.c
index 5f1ae89e..39f3e30a 100644
--- a/daemon/gdm-local-display-factory.c
+++ b/daemon/gdm-local-display-factory.c
@@ -805,18 +805,11 @@ on_display_added (GdmDisplayStore        *display_store,
 
 static void
 on_display_removed (GdmDisplayStore        *display_store,
-                    const char             *id,
+                    GdmDisplay             *display,
                     GdmLocalDisplayFactory *factory)
 {
-        GdmDisplay *display;
-
-        display = gdm_display_store_lookup (display_store, id);
-
-        if (display != NULL) {
-                g_signal_handlers_disconnect_by_func (display, G_CALLBACK (on_display_status_changed), factory);
-                g_object_weak_unref (G_OBJECT (display), (GWeakNotify)on_display_disposed, factory);
-
-        }
+        g_signal_handlers_disconnect_by_func (display, G_CALLBACK (on_display_status_changed), factory);
+        g_object_weak_unref (G_OBJECT (display), (GWeakNotify)on_display_disposed, factory);
 }
 
 static gboolean
diff --git a/daemon/gdm-manager.c b/daemon/gdm-manager.c
index f17bd1a5..f6684a8b 100644
--- a/daemon/gdm-manager.c
+++ b/daemon/gdm-manager.c
@@ -1541,19 +1541,18 @@ on_display_status_changed (GdmDisplay *display,
 
 static void
 on_display_removed (GdmDisplayStore *display_store,
-                    const char      *id,
+                    GdmDisplay      *display,
                     GdmManager      *manager)
 {
-        GdmDisplay *display;
+        char    *id;
 
-        display = gdm_display_store_lookup (display_store, id);
-        if (display != NULL) {
-                g_dbus_object_manager_server_unexport (manager->priv->object_manager, id);
+        gdm_display_get_id (display, &id, NULL);
+        g_dbus_object_manager_server_unexport (manager->priv->object_manager, id);
+        g_free (id);
 
-                g_signal_handlers_disconnect_by_func (display, G_CALLBACK (on_display_status_changed), manager);
+        g_signal_handlers_disconnect_by_func (display, G_CALLBACK (on_display_status_changed), manager);
 
-                g_signal_emit (manager, signals[DISPLAY_REMOVED], 0, id);
-        }
+        g_signal_emit (manager, signals[DISPLAY_REMOVED], 0, display);
 }
 
 static void
@@ -2535,9 +2534,9 @@ gdm_manager_class_init (GdmManagerClass *klass)
                               G_STRUCT_OFFSET (GdmManagerClass, display_removed),
                               NULL,
                               NULL,
-                              g_cclosure_marshal_VOID__STRING,
+                              g_cclosure_marshal_VOID__OBJECT,
                               G_TYPE_NONE,
-                              1, G_TYPE_STRING);
+                              1, G_TYPE_OBJECT);
 
         g_object_class_install_property (object_class,
                                          PROP_XDMCP_ENABLED,
diff --git a/daemon/gdm-manager.h b/daemon/gdm-manager.h
index 41c68a7a..c8fb3f22 100644
--- a/daemon/gdm-manager.h
+++ b/daemon/gdm-manager.h
@@ -24,6 +24,7 @@
 
 #include <glib-object.h>
 
+#include "gdm-display.h"
 #include "gdm-manager-glue.h"
 
 G_BEGIN_DECLS
@@ -50,7 +51,7 @@ typedef struct
         void          (* display_added)    (GdmManager      *manager,
                                             const char      *id);
         void          (* display_removed)  (GdmManager      *manager,
-                                            const char      *id);
+                                            GdmDisplay      *display);
 } GdmManagerClass;
 
 typedef enum
-- 
2.17.1