It _probably_ works to just pass free(ptr) another two arguments, but
compilers don't like this kind of sloppiness anymore.
The call site only expects this function to free the first value,
ignoring the other two, so model that in the local wrapper function.
This has meant very little for a long time as configure.ac just
hardcoded these values depending on the current OS versions at the
time.
The only place where this is really 'needed' is XlationSvc.c in DtSvc
so that differences between locale specifications on various versions
of an OS can be accounted for. So for now, we just define those when
building DtSvc.
We could probably safely remove them as well with an update to the
Xlate locale DB to remove ancient cruft we don't care about anymore.
For various other modules, like dtlogin, dtsession, etc we just use
the code that was already being used due to the hardcoded values we've
had for the last 10-ish years.
Previously we would fail in some parts of the code if we did not have a
premade configuration, now we use any code that was marked as Linux, BSD and
Solaris as our basis in order to support building unknown Unix systems.
Ticket #120
Change libtool's shared library version info to 3:0:1 to preserve the
previous library version of 2.1.0.
See https://autotools.io/libtool/version.html for the details on how
libtool handles this versioning info.
See https://verbump.de/ for a handy 'version calculator' using
libtools rules.
Many of these were real bugs, like:
if (cond);
do_something
etc...
Others were just cosmetic - like placing the ';' on a separate line to
make the intention clear.
return(NULL) is correct for the other functions here but not for this
one, since it's meant to return a DtHELP_ error code. The man page also
says it should also set *widget to NULL on error.
This commit will not completely remove all Imake files, specifically
those for sections that have not been completed yet.
Also, the databases dir has been moved to databases-delete-later until
we have everything building and installed properly.
CDE has relied upon catgets() implementations following a relaxed
interpretation of the XPG internationalization standard that ignored
-1, the standard error value returned by catopen, as the catalog
argument. However, this same behavior causes segmentation faults with
the musl C library.
This patch:
- Centralizes (with the exception of ToolTalk) all calls to catopen(),
catgets(), and catclose() through MsgCat within the DtSvc library.
- Prevents calls to catgets() and catclose() that rely upon
undefined behavior.
- Eliminates a number of bespoke catgets() wrappers, including multiple
redundant caching implementations designed to work around a design
peculiarity in HP/UX.
- Eases building CDE without XPG internationalization support by providing
the appropriate macros.
Marco Ivaldi <marco.ivaldi@mediaservice.net> has identified 3
vulnerabilities in CDE.
Two of them could affect our CDE (open-source version), while the 3rd
(sdtcm_convert) is Solaris specific.
The two vulnerabilities, both of which affect dtsession could allow a
local privilege escalation to root. A POC exists for Solaris. The
POC will not function on our CDE for two main reasons:
- the POC is Solaris specific
- The overflowed variables in question are allocated on the heap,
whereas in Solaris these variables are located on the stack.
The first vulnerability allows an extra long palette name to be used
to cause a crash via insufficient validation in
SrvPalette.c:CheckMonitor().
The second, which has not yet been assigned a CERT CVE resides in
SmCreateDirs.c:_DtCreateDtDirs() in libDtSvc. Due to insufficient
bounds checking, a crash or corruption can be achieved by using a very
long DISPLAY name.
This one is considered difficult to exploit, and no POC code is
available at this time. CDE 2.x code-bases are also listed as not
vulnerable, however some work has been done anyway to do some proper
bounds checking in this function.
The following text portions are copied from the relevant advisories,
which have not been released as of this writing.
NOTE: Oracle CDE does NOT use CDE 2.3.0a or earlier as mentioned
below. They are completely different code-bases):
Regarding CVE-2020-2692:
A buffer overflow in the CheckMonitor() function in the Common
Desktop Environment 2.3.0a and earlier, as distributed with Oracle
Solaris 10 1/13 (Update 11) and earlier, allows local users to gain
root privileges via a long palette name passed to dtsession in a
malicious .Xdefaults file.
Note that Oracle Solaris CDE is based on the original CDE 1.x train,
which is different from the CDE 2.x codebase that was later open
sourced. Most notably, the vulnerable buffer in the Oracle Solaris
CDE is stack-based, while in the open source version it is
heap-based.
Regarding the DtSvc bug, which does not currently have a CERT CVE:
A difficult to exploit stack-based buffer overflow in the
_DtCreateDtDirs() function in the Common Desktop Environment version
distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may
allow local users to corrupt memory and potentially execute
arbitrary code in order to escalate privileges via a long X11
display name. The vulnerable function is located in the libDtSvc
library and can be reached by executing the setuid program
dtsession.
The open source version of CDE (based on the CDE 2.x codebase) is
not affected.
There was code (_DtSimpleError() and _DtSimpleErrornoError()) that
only used snprintf when USE_SNPRINTF was defined, which it never was
of course. We just remove the 2 checks and always use [v]snprintf.
Also, restructure some of the dependencies in the lib/tt binaries. We
will link with libtt (which will include libtirpc as a dependency),
and XTOOLLIB - all the right X11 stuff without needing to add it to
every OS. Removed several uneeded OS specializations ("if LINUX",
etc) as a result.
We take advantage of subdir-object and just build the subdir source
files directly as normal dependencies of libDtSvc in the top level
Makefile.am.
This means the intevening subdirectory Makefiles are no longer needed,
and no need to replicate flags and the like between the
subdirectory Makefile.am files.
Also, no need to build fake .a libs we can't really use.
configure: remove AC_OUTPUT_FILES related the the lib/DtSvc/*
subdirectories. They are no longer needed.
We were building subsets of this library as archive.a objects, then
trying to combine them into a shared object. This warnings, and link
failures due to the lack of 0fPIC when building the archive libraries.
Now, we do not buld archive libraries, and the main libDtSvc.so
library is build by adding all of the .lo file in the component
subdirectories.
In a future commit, we could just remove the SUBDIR builds (DtUtil1,
etc) and build the sub objects directly.
Peter Howkins