Commit Graph

57 Commits

Author SHA1 Message Date
Jon Trulson eb381022a5 Change version to 2.3.2b for the new ksh93 submodule merge 2021-01-30 16:32:41 -07:00
Jon Trulson b21968f26a fix broken dev version number: 2.3.1a -> 2.3.2a 2020-11-23 17:01:37 -07:00
Jon Trulson 6b32246d06 dtsession, DtSvc: fix CVE-2020-2696/VU#308289
Marco Ivaldi <marco.ivaldi@mediaservice.net> has identified 3
vulnerabilities in CDE.

Two of them could affect our CDE (open-source version), while the 3rd
(sdtcm_convert) is Solaris specific.

The two vulnerabilities, both of which affect dtsession could allow a
local privilege escalation to root.  A POC exists for Solaris.  The
POC will not function on our CDE for two main reasons:

- the POC is Solaris specific
- The overflowed variables in question are allocated on the heap,
  whereas in Solaris these variables are located on the stack.

The first vulnerability allows an extra long palette name to be used
to cause a crash via insufficient validation in
SrvPalette.c:CheckMonitor().

The second, which has not yet been assigned a CERT CVE resides in
SmCreateDirs.c:_DtCreateDtDirs() in libDtSvc.  Due to insufficient
bounds checking, a crash or corruption can be achieved by using a very
long DISPLAY name.

This one is considered difficult to exploit, and no POC code is
available at this time.  CDE 2.x code-bases are also listed as not
vulnerable, however some work has been done anyway to do some proper
bounds checking in this function.

The following text portions are copied from the relevant advisories,
which have not been released as of this writing.

NOTE: Oracle CDE does NOT use CDE 2.3.0a or earlier as mentioned
below.  They are completely different code-bases):

Regarding CVE-2020-2692:

  A buffer overflow in the CheckMonitor() function in the Common
  Desktop Environment 2.3.0a and earlier, as distributed with Oracle
  Solaris 10 1/13 (Update 11) and earlier, allows local users to gain
  root privileges via a long palette name passed to dtsession in a
  malicious .Xdefaults file.

  Note that Oracle Solaris CDE is based on the original CDE 1.x train,
  which is different from the CDE 2.x codebase that was later open
  sourced. Most notably, the vulnerable buffer in the Oracle Solaris
  CDE is stack-based, while in the open source version it is
  heap-based.

Regarding the DtSvc bug, which does not currently have a CERT CVE:

  A difficult to exploit stack-based buffer overflow in the
  _DtCreateDtDirs() function in the Common Desktop Environment version
  distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may
  allow local users to corrupt memory and potentially execute
  arbitrary code in order to escalate privileges via a long X11
  display name. The vulnerable function is located in the libDtSvc
  library and can be reached by executing the setuid program
  dtsession.

  The open source version of CDE (based on the CDE 2.x codebase) is
  not affected.
2020-01-13 19:13:23 -07:00
Jon Trulson 0d70d8b120 Set version to 2.3.1a (devel) for current master 2019-11-18 13:03:52 -07:00
Jon Trulson 5fe7ee5b67 Change CDE version info for 2.3.1 release 2019-11-15 18:04:01 -07:00
Jon Trulson dbce2e4337 DtSvc/DtUtil1: fix implicit function declarations 2019-10-28 14:30:36 -06:00
wmoxam de81a5b518 Remove ancient HP VUE compatibility support 2019-10-15 20:32:05 -06:00
Jon Trulson 6a72e2cea8 Change version to 2.3.0a (devel) 2018-09-20 16:49:01 -06:00
chase 5e96644596 DtsMM.c: Remove null in string 2018-08-26 15:44:47 -06:00
Jon Trulson 3d8e76a69f Merge branch 'master' into cde-next
Need to resync before folding current cde-next into master.
2018-07-06 13:19:33 -06:00
Jon Trulson cf86199b19 Stable release: 2.3.0 2018-07-06 12:05:20 -06:00
Jon Trulson f446ca54e9 DtSvc/DtUtil1: remove register keyword 2018-06-27 21:58:04 -06:00
Peter Howkins ba513278b9 libDtSvc: Change to ANSI function definitions 2018-06-28 03:58:49 +01:00
chase 6bf175ef2d Remove apollo support 2018-06-24 16:22:37 -06:00
Jon Trulson 0ec25848e9 cde: change version to 2.2.4a, for a development release 2018-06-08 13:03:39 -06:00
chase 809c3d8bb6 Spelling fixes 2018-05-31 22:23:19 -06:00
Ulrich Wilkens 297b6bd845 Fix warnings on FreeBSD 2018-05-31 22:04:08 -06:00
Ulrich Wilkens 07f272122d Fix Linux rpc problems with new glibc 2018-05-31 18:00:22 -06:00
chase 4f5e7fe5e3 Use POSIX macros for linux 2018-05-24 18:22:55 -06:00
chase 164e695cd0 remove OSF1 support 2018-05-24 14:25:26 -06:00
chase 07900bd93b Remove Unixware and openserver support 2018-05-20 12:13:07 -06:00
chase 8a4f389634 Remove UXPDS support 2018-05-15 20:27:22 -06:00
chase 33d2749ea3 Last of the spelling fixed 2018-04-28 12:36:44 -06:00
chase 6d3a19d8f9 Even more spelling fixed 2018-04-28 12:36:33 -06:00
chase 1fe5a550b2 Fix typo in license headers 2018-04-28 12:30:20 -06:00
Peter Howkins 691dffb076 lidtsvc: coverity fixes 2018-04-12 01:38:02 +01:00
Peter Howkins acc3d8868a libdtsvc: Resolve coverity warnings related to 'dereference before null check' related to free() 2018-04-02 22:10:46 +01:00
Peter Howkins b0c5941e3e libdtsvc: Compiler warning prevention 2018-04-02 21:31:50 +01:00
Jon Trulson a173dd3b3b release: update version to 2.2.4, update HISTORY 2016-06-19 12:46:29 -06:00
Jon Trulson 14b9e2efa3 cde: change revision to 2.2.3 2015-05-09 16:58:46 -06:00
Ulrich Wilkens 8b38d9ea49 Fix broken build on OpenBSD 2015-05-09 16:21:32 -06:00
Peter Howkins 5c8f66a07d libDtSvc: Resolve 28 compiler warnings. 2015-01-14 14:10:55 +00:00
Jon Trulson 775008571d DtSvc/DtUtil1: Coverity (memory corruption, moderate) 2014-12-26 15:56:10 -07:00
Jon Trulson fa0074904b DtSvc: Coverity (memory corruption) 2014-12-26 14:06:26 -07:00
Jon Trulson 2d89ad036a DtSvc: Coverity (memory corruption) 2014-12-26 14:03:17 -07:00
Ulrich Wilkens 01d6c363fa OpenIndiana and Solaris port 2014-10-28 13:40:11 -06:00
Jon Trulson 8d0551bfda Version change to 2.2.2 2014-07-23 16:16:57 -06:00
Jon Trulson 8f648927eb Version change to 2.2.1 2014-03-01 15:48:49 -07:00
Pascal Stumpf 8f98ac92cd Kill lots of warnings in DtSvc. 2013-07-21 15:54:39 -06:00
Marcin Cieslak 77ec7b56b8 2 warnings fixed (64-bit)
Fix XtVaGetValues() output for 64-bit
Fix filename comparison in Dts.c
2012-09-24 18:35:24 -06:00
Marcin Cieslak 917f7da191 157 warnings: remove -DXK_MISCELLANY from Makefiles
Fixes the following warning:

In file included from ../../../imports/x11/include/X11/Xutil.h:54,
                 from ../../../imports/x11/include/X11/Intrinsic.h:54,
                 from Action.c:64:
../../../imports/x11/include/X11/keysym.h:49:1: warning: "XK_MISCELLANY" redefined
<command-line>: warning: this is the location of the previous definition

<keysym.h> which includes all key symbols and loads <keysymdef.h>
is automaticlly included by the X Toolkit.

This patch removes #include <keysymdef.h> whenever not needed,
and adds #define XK_MISCALLANY in the source code where required.
2012-09-24 18:30:21 -06:00
Peter Howkins e9bb2bcf09 libDtSvc: Resolve 89 compiler warnings. 2012-09-01 21:35:10 +01:00
Peter Howkins 0ecef859cf Merge branch 'master' of https://git.code.sf.net/p/cdesktopenv/code 2012-08-13 10:31:07 +01:00
Pascal Stumpf 0bbd4ff9aa Get rid of malloc.h.
This is a non-POSIX/ISO-C header.  It is ok to include this on Linux, but it
is obsolete on BSD; FreeBSD even throws an error if you include it with
__STDC__ defined.  Every system should nowadays have malloc() defined in
stdlib.h.

Diff is largely mechanical, replacing malloc.h with stdlib.h where it is not
yet included anyway.
2012-08-12 14:20:58 -06:00
Pascal Stumpf 185ec24999 OpenBSD fixed for lib/DtSvc. 2012-08-10 05:51:37 -06:00
Peter Howkins 1dd2eaf854 Update the sub parts of the main dt/cde version number to 2.2.0, missed from previous version increment patch. 2012-08-09 15:20:53 +01:00
Jon Trulson facb50dfde DtSvc: Fixes a segfault on Debian squeeze 64 bit and most probably other systems, too.
Patch from Marc Balmer <marc@msys.ch>:

Use strlen, not sizeof, here.  Fixes a segfault on Debian squeeze 64 bit
and most probably other systems, too.
2012-08-08 12:45:40 -06:00
Jon Trulson f9c2b3184e DtSvc/dtwm: Fix some implicit declarations of functions by adding appropriate
Patch from Frederic Koehler <f.koehler427@gmail.com>:

These implicit definitions cause segfaults on x64 because
the implicit return type is a 32-bit signed int, rather than a pointer
type.
2012-08-08 11:47:18 -06:00
Jon Trulson 91011085a4 dtdbcache: remove incorrect comment block and tmpnam_buf var (not used)
With Aaron's fixes to dtdbcache fixing a potential coredump, the
comment block in the write_db() function regarding tmpnam() no longer
applies, and the tmpnam_buf variable is no longer used.

So, remove them :)
2012-08-07 17:43:32 -06:00
Jon Trulson 80f456e3b5 dtdbcache: Remove old code in comments
Patch from Aaron W. Hsu <arcfide@sacrideo.us>
2012-08-07 16:56:11 -06:00