Marco Ivaldi <marco.ivaldi@mediaservice.net> has identified 3
vulnerabilities in CDE.
Two of them could affect our CDE (open-source version), while the 3rd
(sdtcm_convert) is Solaris specific.
The two vulnerabilities, both of which affect dtsession could allow a
local privilege escalation to root. A POC exists for Solaris. The
POC will not function on our CDE for two main reasons:
- the POC is Solaris specific
- The overflowed variables in question are allocated on the heap,
whereas in Solaris these variables are located on the stack.
The first vulnerability allows an extra long palette name to be used
to cause a crash via insufficient validation in
SrvPalette.c:CheckMonitor().
The second, which has not yet been assigned a CERT CVE resides in
SmCreateDirs.c:_DtCreateDtDirs() in libDtSvc. Due to insufficient
bounds checking, a crash or corruption can be achieved by using a very
long DISPLAY name.
This one is considered difficult to exploit, and no POC code is
available at this time. CDE 2.x code-bases are also listed as not
vulnerable, however some work has been done anyway to do some proper
bounds checking in this function.
The following text portions are copied from the relevant advisories,
which have not been released as of this writing.
NOTE: Oracle CDE does NOT use CDE 2.3.0a or earlier as mentioned
below. They are completely different code-bases):
Regarding CVE-2020-2692:
A buffer overflow in the CheckMonitor() function in the Common
Desktop Environment 2.3.0a and earlier, as distributed with Oracle
Solaris 10 1/13 (Update 11) and earlier, allows local users to gain
root privileges via a long palette name passed to dtsession in a
malicious .Xdefaults file.
Note that Oracle Solaris CDE is based on the original CDE 1.x train,
which is different from the CDE 2.x codebase that was later open
sourced. Most notably, the vulnerable buffer in the Oracle Solaris
CDE is stack-based, while in the open source version it is
heap-based.
Regarding the DtSvc bug, which does not currently have a CERT CVE:
A difficult to exploit stack-based buffer overflow in the
_DtCreateDtDirs() function in the Common Desktop Environment version
distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may
allow local users to corrupt memory and potentially execute
arbitrary code in order to escalate privileges via a long X11
display name. The vulnerable function is located in the libDtSvc
library and can be reached by executing the setuid program
dtsession.
The open source version of CDE (based on the CDE 2.x codebase) is
not affected.
The POSIX __linux__ commit broke the special detection on linux used
to determine whether a secure system was in use or not.
This commit reworks the logic a little bit to avoid special casing
linux in main().
It also reworks the logic in CanReAuthenticate() to fix up some issues
"fixed" to correct converity warnings. The logic in this case was
mostly ok, but still didn't account for the proper usage of this
function. Error detection improved somewhat as a result.
This is enabled by default. To disable, add:
in the config/cf/site.def or host.def file.
You will need to have the libtirpc-dev package installed.
The benefit is that you will no longer need to run rpcbind in insecure
mode (the -i option). There are other benefits we may be able to take
advantage of in the future, like supporting IPV6 for ToolTalk.
This adds a basic library and support to dtsession and dtlogin to
support Xinerama/Twinview, where multimple monitors are used to make
up an X11 screen.
The main goal here is to draw dialogs and such centered on a monitor,
rather than spread out over multiple monitors.
Might need to add sorting - as on my test system, what I would
consider monitor 0, appears to actually be monitor 1. So a sort might
need to be added to sort the screens according to increasing x and y
offsets so it make sense to a user.
Also, this library is built statically and not documented. Maybe it
could be 'filled' out and refactored/redesigned in the futre if need
be and suppoerted.
It is enabled via a define, CDE_USEXINERAMA in site.def. It's a very
simple lib, so I do not expect any issues with the BSD's - it should
build and work fine, assuming your X server has the XINERAMA
extension, which I think pretty much all of them do at this point.
According to the spec, blank lines in message catalogs or lines
beginning with '$ ' are valid comments.
However, there were many cases where lines in the message catalogs
contained just a single '$', without the required space after it.
Under linux, this caused 126766 error lines (in my builds) of the
form:
... unknown directive `': line ignored
This also causes gencat to exit with a non-0 exit code. Even though
gencat says it ignores the line, it really doesn't.
An early porting change to programs/localized/util/merge.c was made to
ignore this return value on linux. This hack has now been removed.
Build logs are a lot smaller and cleaner now.
This patch removes instances of hardcoded
invocation of /bin/ksh and allows to
replace it with, for, example,
/usr/local/bin/ksh93
Also "ksh93" is accepted whenever "ksh" is.
Tested using the following /bin/ksh:
----8<----
WHAT=`ps -o command= -p $PPID`
msg="Something tried to call /bin/ksh: $PPID: $WHAT"
print -u2 "$msg"
logger user.warn "$msg"
exit 99
----8<----
(Warning: first two lines are FreeBSD specific)
Scripts from Makefiles should now be executed either
with
$(KORNSHELL) korn-shell-script
or
$(SHELL) bourne-shell-script
therefore #!/bin/ksh has not been changed everywhere.
/usr/dt/bin/ scripts have been converted (e.g. Xsession)
Whenever possible Imake and CPP facilities have been used.
For C and C++ programs KORNSHELL needs to be defined to
"/path/to/your/ksh" (with quotes) so that it can make
a valid C constant.
Therefore, when adding KORNSHELL to Imakefile for C files,
you have to add
CXXEXTRA_DEFINES = -DKORNSHELL=\"$(KORNSHELL)\"
or similar (for example, see programs/dtprintinfo)
But for simple shell script substitution we usually change
LOCAL_CPP_DEFINES = -DCDE_CONFIGURATION_TOP=$(CDE_CONFIGURATION_TOP) \
-DCDE_INSTALLATION_TOP=$(CDE_INSTALLATION_TOP) \
-DCDE_LOGFILES_TOP=$(CDE_LOGFILES_TOP)
to:
LOCAL_CPP_DEFINES = -DCDE_CONFIGURATION_TOP=$(CDE_CONFIGURATION_TOP) \
-DCDE_INSTALLATION_TOP=$(CDE_INSTALLATION_TOP) \
-DCDE_LOGFILES_TOP=$(CDE_LOGFILES_TOP) \
-DKORNSHELL=$(KORNSHELL) \
-DXPROJECTROOT=X11ProjectRoot
since we don't want quotes for shell scripts.
Lev Kujawski