Marco Ivaldi <marco.ivaldi@mediaservice.net> has identified 3
vulnerabilities in CDE.
Two of them could affect our CDE (open-source version), while the 3rd
(sdtcm_convert) is Solaris specific.
The two vulnerabilities, both of which affect dtsession could allow a
local privilege escalation to root. A POC exists for Solaris. The
POC will not function on our CDE for two main reasons:
- the POC is Solaris specific
- The overflowed variables in question are allocated on the heap,
whereas in Solaris these variables are located on the stack.
The first vulnerability allows an extra long palette name to be used
to cause a crash via insufficient validation in
SrvPalette.c:CheckMonitor().
The second, which has not yet been assigned a CERT CVE resides in
SmCreateDirs.c:_DtCreateDtDirs() in libDtSvc. Due to insufficient
bounds checking, a crash or corruption can be achieved by using a very
long DISPLAY name.
This one is considered difficult to exploit, and no POC code is
available at this time. CDE 2.x code-bases are also listed as not
vulnerable, however some work has been done anyway to do some proper
bounds checking in this function.
The following text portions are copied from the relevant advisories,
which have not been released as of this writing.
NOTE: Oracle CDE does NOT use CDE 2.3.0a or earlier as mentioned
below. They are completely different code-bases):
Regarding CVE-2020-2692:
A buffer overflow in the CheckMonitor() function in the Common
Desktop Environment 2.3.0a and earlier, as distributed with Oracle
Solaris 10 1/13 (Update 11) and earlier, allows local users to gain
root privileges via a long palette name passed to dtsession in a
malicious .Xdefaults file.
Note that Oracle Solaris CDE is based on the original CDE 1.x train,
which is different from the CDE 2.x codebase that was later open
sourced. Most notably, the vulnerable buffer in the Oracle Solaris
CDE is stack-based, while in the open source version it is
heap-based.
Regarding the DtSvc bug, which does not currently have a CERT CVE:
A difficult to exploit stack-based buffer overflow in the
_DtCreateDtDirs() function in the Common Desktop Environment version
distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may
allow local users to corrupt memory and potentially execute
arbitrary code in order to escalate privileges via a long X11
display name. The vulnerable function is located in the libDtSvc
library and can be reached by executing the setuid program
dtsession.
The open source version of CDE (based on the CDE 2.x codebase) is
not affected.
We take advantage of subdir-object and just build the subdir source
files directly as normal dependencies of libDtSvc in the top level
Makefile.am.
This means the intevening subdirectory Makefiles are no longer needed,
and no need to replicate flags and the like between the
subdirectory Makefile.am files.
Also, no need to build fake .a libs we can't really use.
configure: remove AC_OUTPUT_FILES related the the lib/DtSvc/*
subdirectories. They are no longer needed.
Ok - so one of the steps in building CDE is an early phase called the
includes phase (make includes). At this point, all of the public
header files are exported to exports/include/Dt, DtI, ...
Then, the software is built using that include dir.
This of course does not work in autotools. Much of the software does
things like #include <Dt/something.h>, so in order for the build to
succeed, this behavior must be represented/replicated in some way.
It seems the usual way of dealing with this is to place all public
headers (and in some projects, ALL headers) into a toplevel include
directory.
We now do this for all public headers - they have been moved from
wherever they were and placed in the appropriate spot in includes/
This will break the Imake 'make includes' phase unless the Imakefiles
are fixed (remove the HEADERS = stuff, and the incdir defines). This
has not been done at this point since in reality, once autotools works
properly, there will be no need for the Imake stuff anymore, and I
intend to get rid of it.
This is just a warning for now - Imake builds in this tree will now
fail at the 'includes' stage.
This commit is only the migration. In upcoming commits, libtt will be
fixed so that the hack being used before to get around this problem is
removed as there will no longer be any need.
And then the autotools work continues...
This should allow an autoregen and ./confiure to work. We only
generate Makefiles for lib/* and ./Makefile for now. We'll ad more as
we go along.
Make still fails as we need to figure out TT - tirpc lib, rpcgen,
etc. But it's a start!
Fixes the following warning:
In file included from ../../../imports/x11/include/X11/Xutil.h:54,
from ../../../imports/x11/include/X11/Intrinsic.h:54,
from Action.c:64:
../../../imports/x11/include/X11/keysym.h:49:1: warning: "XK_MISCELLANY" redefined
<command-line>: warning: this is the location of the previous definition
<keysym.h> which includes all key symbols and loads <keysymdef.h>
is automaticlly included by the X Toolkit.
This patch removes #include <keysymdef.h> whenever not needed,
and adds #define XK_MISCALLANY in the source code where required.
This is a non-POSIX/ISO-C header. It is ok to include this on Linux, but it
is obsolete on BSD; FreeBSD even throws an error if you include it with
__STDC__ defined. Every system should nowadays have malloc() defined in
stdlib.h.
Diff is largely mechanical, replacing malloc.h with stdlib.h where it is not
yet included anyway.
