accountsservice: 22.08.8 → 23.13.9

https://gitlab.freedesktop.org/accountsservice/accountsservice/-/compare/22.08.8...23.13.9

Fixes CVE-2012-6655
Bobby Rong 2023-05-28 16:33:55 +08:00
parent f91ee3065d
commit 798e1e0c65
6 changed files with 93 additions and 60 deletions


@ -10,10 +10,10 @@ Only if environment variable NIXOS_USERS_PURE is set.
2 files changed, 45 insertions(+)
diff --git a/src/daemon.c b/src/daemon.c
index e62e124..87459b2 100644
index 861430f..aefaf2d 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -931,6 +931,11 @@ daemon_create_user (AccountsAccounts *accounts,
@@ -1378,6 +1378,11 @@ daemon_create_user (AccountsAccounts *accounts,
const gchar *real_name,
gint account_type)
{
@ -22,10 +22,10 @@ index e62e124..87459b2 100644
+ return;
+ }
+
Daemon *daemon = (Daemon*)accounts;
Daemon *daemon = (Daemon *) accounts;
CreateUserData *data;
@@ -1138,6 +1143,11 @@ daemon_delete_user (AccountsAccounts *accounts,
@@ -1581,6 +1586,11 @@ daemon_delete_user (AccountsAccounts *accounts,
gint64 uid,
gboolean remove_files)
{
@ -34,14 +34,14 @@ index e62e124..87459b2 100644
+ return;
+ }
+
Daemon *daemon = (Daemon*)accounts;
Daemon *daemon = (Daemon *) accounts;
DeleteUserData *data;
diff --git a/src/user.c b/src/user.c
index 0fb1a17..dbdebaf 100644
index 28170db..df947a1 100644
--- a/src/user.c
+++ b/src/user.c
@@ -904,6 +904,11 @@ user_set_real_name (AccountsUser *auser,
@@ -1216,6 +1216,11 @@ user_set_real_name (AccountsUser *auser,
GDBusMethodInvocation *context,
const gchar *real_name)
{
@ -50,10 +50,10 @@ index 0fb1a17..dbdebaf 100644
+ return;
+ }
+
User *user = (User*)auser;
User *user = (User *) auser;
int uid;
const gchar *action_id;
@@ -981,6 +986,11 @@ user_set_user_name (AccountsUser *auser,
@@ -1293,6 +1298,11 @@ user_set_user_name (AccountsUser *auser,
GDBusMethodInvocation *context,
const gchar *user_name)
{
@ -62,10 +62,10 @@ index 0fb1a17..dbdebaf 100644
+ return;
+ }
+
User *user = (User*)auser;
User *user = (User *) auser;
daemon_local_check_auth (user->daemon,
user,
@@ -1263,6 +1273,11 @@ user_set_home_directory (AccountsUser *auser,
@@ -1945,6 +1955,11 @@ user_set_home_directory (AccountsUser *auser,
GDBusMethodInvocation *context,
const gchar *home_dir)
{
@ -74,10 +74,10 @@ index 0fb1a17..dbdebaf 100644
+ return;
+ }
+
User *user = (User*)auser;
User *user = (User *) auser;
daemon_local_check_auth (user->daemon,
user,
@@ -1322,6 +1337,11 @@ user_set_shell (AccountsUser *auser,
@@ -2000,6 +2015,11 @@ user_set_shell (AccountsUser *auser,
GDBusMethodInvocation *context,
const gchar *shell)
{
@ -86,10 +86,10 @@ index 0fb1a17..dbdebaf 100644
+ return;
+ }
+
User *user = (User*)auser;
User *user = (User *) auser;
daemon_local_check_auth (user->daemon,
user,
@@ -1602,6 +1622,11 @@ user_set_locked (AccountsUser *auser,
@@ -2249,6 +2269,11 @@ user_set_locked (AccountsUser *auser,
GDBusMethodInvocation *context,
gboolean locked)
{
@ -98,10 +98,10 @@ index 0fb1a17..dbdebaf 100644
+ return;
+ }
+
User *user = (User*)auser;
User *user = (User *) auser;
daemon_local_check_auth (user->daemon,
user,
@@ -1814,6 +1839,11 @@ user_set_password_mode (AccountsUser *auser,
@@ -2457,6 +2482,11 @@ user_set_password_mode (AccountsUser *auser,
GDBusMethodInvocation *context,
gint mode)
{
@ -110,10 +110,10 @@ index 0fb1a17..dbdebaf 100644
+ return;
+ }
+
User *user = (User*)auser;
User *user = (User *) auser;
const gchar *action_id;
@@ -1905,6 +1935,11 @@ user_set_password (AccountsUser *auser,
gint uid;
@@ -2550,6 +2580,11 @@ user_set_password (AccountsUser *auser,
const gchar *password,
const gchar *hint)
{
@ -122,9 +122,6 @@ index 0fb1a17..dbdebaf 100644
+ return;
+ }
+
User *user = (User*)auser;
User *user = (User *) auser;
gchar **data;
--
2.9.3
const gchar *action_id;


@ -21,13 +21,13 @@
stdenv.mkDerivation rec {
pname = "accountsservice";
version = "22.08.8";
version = "23.13.9";
outputs = [ "out" "dev" ];
src = fetchurl {
url = "https://www.freedesktop.org/software/accountsservice/accountsservice-${version}.tar.xz";
sha256 = "kJmXp2kZ/n3BOKmgHOpwvWItWpMtvJ+xMBARMCOno5E=";
sha256 = "rdpM3q4k+gmS598///nv+nCQvjrCM6Pt/fadWpybkk8=";
};
patches = [
@ -46,6 +46,10 @@ stdenv.mkDerivation rec {
# Do not ignore third-party (e.g Pantheon) extensions not matching FHS path scheme.
# Fixes https://github.com/NixOS/nixpkgs/issues/72396
./drop-prefix-check-extensions.patch
# Detect DM type from config file.
# `readlink display-manager.service` won't return any of the candidates.
./get-dm-type-from-config.patch
];
nativeBuildInputs = [


@ -1,8 +1,8 @@
diff --git a/src/extensions.c b/src/extensions.c
index 038dcb2..830465d 100644
index 354f476..8d020a6 100644
--- a/src/extensions.c
+++ b/src/extensions.c
@@ -121,16 +121,7 @@ daemon_read_extension_directory (GHashTable *ifaces,
@@ -122,15 +122,7 @@ daemon_read_extension_directory (GHashTable *ifaces,
continue;
}
@ -10,8 +10,7 @@ index 038dcb2..830465d 100644
- const gchar * const prefix = "../../dbus-1/interfaces/";
- if (g_str_has_prefix (symlink, prefix) && g_str_equal (symlink + strlen (prefix), name)) {
- daemon_read_extension_file (ifaces, filename);
- }
- else {
- } else {
- g_warning ("Found accounts service vendor extension symlink %s, but it must be exactly "
- "equal to '../../dbus-1/interfaces/%s' for forwards-compatibility reasons.",
- filename, name);


@ -1,8 +1,8 @@
diff --git a/src/daemon.c b/src/daemon.c
index c8b6320..2b74949 100644
index aa9d050..861430f 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -1102,7 +1102,7 @@ daemon_create_user_authorized_cb (Daemon *daemon,
@@ -1319,7 +1319,7 @@ daemon_create_user_authorized_cb (Daemon *daemon,
sys_log (context, "create user '%s'", cd->user_name);
@ -11,7 +11,7 @@ index c8b6320..2b74949 100644
argv[1] = "-m";
argv[2] = "-c";
argv[3] = cd->real_name;
@@ -1335,7 +1335,7 @@ daemon_delete_user_authorized_cb (Daemon *daemon,
@@ -1552,7 +1552,7 @@ daemon_delete_user_authorized_cb (Daemon *daemon,
}
free (resolved_homedir);
@ -21,10 +21,10 @@ index c8b6320..2b74949 100644
argv[1] = "-f";
argv[2] = "-r";
diff --git a/src/user.c b/src/user.c
index 189b2c5..5358c02 100644
index 917d427..28170db 100644
--- a/src/user.c
+++ b/src/user.c
@@ -1145,7 +1145,7 @@ user_change_real_name_authorized_cb (Daemon *daemon,
@@ -1193,7 +1193,7 @@ user_change_real_name_authorized_cb (Daemon *daemon,
new_gecos = g_strdup (name);
}
@ -33,7 +33,7 @@ index 189b2c5..5358c02 100644
argv[1] = "-c";
argv[2] = new_gecos;
argv[3] = "--";
@@ -1218,7 +1218,7 @@ user_change_user_name_authorized_cb (Daemon *daemon,
@@ -1267,7 +1267,7 @@ user_change_user_name_authorized_cb (Daemon *daemon,
accounts_user_get_uid (ACCOUNTS_USER (user)),
name);
@ -42,7 +42,25 @@ index 189b2c5..5358c02 100644
argv[1] = "-l";
argv[2] = name;
argv[3] = "--";
@@ -1627,7 +1627,7 @@ user_change_home_dir_authorized_cb (Daemon *daemon,
@@ -1718,7 +1718,7 @@ user_set_password_expiration_policy_authorized_cb (Daemon *daemon
accounts_user_get_uid (ACCOUNTS_USER (user)));
g_object_freeze_notify (G_OBJECT (user));
- argv[0] = "/usr/bin/chage";
+ argv[0] = "@shadow@/bin/chage";
argv[1] = "-m";
argv[2] = pwd_expiration->min_days_between_changes;
argv[3] = "-M";
@@ -1806,7 +1806,7 @@ user_set_user_expiration_policy_authorized_cb (Daemon *daemon,
} else {
expiration_time = g_strdup ("-1");
}
- argv[0] = "/usr/bin/chage";
+ argv[0] = "@shadow@/bin/chage";
argv[1] = "-E";
argv[2] = expiration_time;
argv[3] = accounts_user_get_user_name (ACCOUNTS_USER (user));
@@ -1919,7 +1919,7 @@ user_change_home_dir_authorized_cb (Daemon *daemon,
accounts_user_get_uid (ACCOUNTS_USER (user)),
home_dir);
@ -51,7 +69,7 @@ index 189b2c5..5358c02 100644
argv[1] = "-m";
argv[2] = "-d";
argv[3] = home_dir;
@@ -1683,7 +1683,7 @@ user_change_shell_authorized_cb (Daemon *daemon,
@@ -1977,7 +1977,7 @@ user_change_shell_authorized_cb (Daemon *daemon,
accounts_user_get_uid (ACCOUNTS_USER (user)),
shell);
@ -60,7 +78,7 @@ index 189b2c5..5358c02 100644
argv[1] = "-s";
argv[2] = shell;
argv[3] = "--";
@@ -1824,7 +1824,7 @@ user_change_icon_file_authorized_cb (Daemon *daemon,
@@ -2120,7 +2120,7 @@ user_change_icon_file_authorized_cb (Daemon *daemon,
return;
}
@ -69,7 +87,7 @@ index 189b2c5..5358c02 100644
argv[1] = filename;
argv[2] = NULL;
@@ -1904,7 +1904,7 @@ user_change_locked_authorized_cb (Daemon *daemon,
@@ -2201,7 +2201,7 @@ user_change_locked_authorized_cb (Daemon *daemon,
locked ? "locking" : "unlocking",
accounts_user_get_user_name (ACCOUNTS_USER (user)),
accounts_user_get_uid (ACCOUNTS_USER (user)));
@ -78,7 +96,7 @@ index 189b2c5..5358c02 100644
argv[1] = locked ? "-L" : "-U";
argv[2] = "--";
argv[3] = accounts_user_get_user_name (ACCOUNTS_USER (user));
@@ -2026,7 +2026,7 @@ user_change_account_type_authorized_cb (Daemon *daemon,
@@ -2328,7 +2328,7 @@ user_change_account_type_authorized_cb (Daemon *daemon,
g_free (groups);
@ -87,16 +105,16 @@ index 189b2c5..5358c02 100644
argv[1] = "-G";
argv[2] = str->str;
argv[3] = "--";
@@ -2093,7 +2093,7 @@ user_change_password_mode_authorized_cb (Daemon *daemon,
@@ -2396,7 +2396,7 @@ user_change_password_mode_authorized_cb (Daemon *daemon,
if (mode == PASSWORD_MODE_SET_AT_LOGIN ||
mode == PASSWORD_MODE_NONE) {
- argv[0] = "/usr/bin/passwd";
+ argv[0] = "/run/wrappers/bin/passwd";
argv[1] = "-d";
argv[2] = "--";
argv[3] = accounts_user_get_user_name (ACCOUNTS_USER (user));
@@ -2105,7 +2105,7 @@ user_change_password_mode_authorized_cb (Daemon *daemon,
@@ -2408,7 +2408,7 @@ user_change_password_mode_authorized_cb (Daemon *daemon,
}
if (mode == PASSWORD_MODE_SET_AT_LOGIN) {
@ -105,21 +123,21 @@ index 189b2c5..5358c02 100644
argv[1] = "-d";
argv[2] = "0";
argv[3] = "--";
@@ -2126,7 +2126,7 @@ user_change_password_mode_authorized_cb (Daemon *daemon,
@@ -2428,7 +2428,7 @@ user_change_password_mode_authorized_cb (Daemon *daemon,
*/
accounts_user_set_locked (ACCOUNTS_USER (user), FALSE);
}
else if (accounts_user_get_locked (ACCOUNTS_USER (user))) {
} else if (accounts_user_get_locked (ACCOUNTS_USER (user))) {
- argv[0] = "/usr/sbin/usermod";
+ argv[0] = "@shadow@/bin/usermod";
argv[1] = "-U";
argv[2] = "--";
argv[3] = accounts_user_get_user_name (ACCOUNTS_USER (user));
@@ -2203,7 +2203,7 @@ user_change_password_authorized_cb (Daemon *daemon,
@@ -2505,7 +2505,7 @@ user_change_password_authorized_cb (Daemon *daemon,
g_object_freeze_notify (G_OBJECT (user));
g_autoptr (GError) error = NULL;
g_autoptr (GSubprocess) process = NULL;
- const char *argv[] = { "/usr/sbin/chpasswd", "-e", NULL };
+ const char *argv[] = { "@shadow@/bin/chpasswd", "-e", NULL };
- argv[0] = "/usr/sbin/usermod";
+ argv[0] = "@shadow@/bin/usermod";
argv[1] = "-p";
argv[2] = strings[0];
argv[3] = "--";
sys_log (context,
"set password and hint of user '%s' (%" G_GUINT64_FORMAT ")",


@ -0,0 +1,15 @@
diff --git a/src/daemon.c b/src/daemon.c
index aefaf2d..7c004d0 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -193,9 +193,9 @@ get_current_system_dm_type (void)
basename = g_file_get_basename (file);
g_object_unref (file);
- if (g_strcmp0 (basename, "lightdm.service") == 0)
+ if (g_file_test (PATH_LIGHTDM_CONF, G_FILE_TEST_EXISTS))
return DISPLAY_MANAGER_TYPE_LIGHTDM;
- else if (g_strcmp0 (basename, "gdm.service") == 0)
+ else if (g_file_test (PATH_GDM_CUSTOM, G_FILE_TEST_EXISTS))
return DISPLAY_MANAGER_TYPE_GDM;
}
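Review bot: In the get_current_system_dm_type hunk of the new patch, the two `g_file_test` calls replace the only comparisons against `basename`, yet the `basename = g_file_get_basename (file);` assignment above them is kept, so as far as the hunk shows the value is computed and never read in this branch. The tests are also ordered: a system where both PATH_LIGHTDM_CONF and PATH_GDM_CUSTOM exist reports LightDM regardless of which display manager is enabled, and a comment such as `/* NixOS: config-file presence stands in for the unit name; LightDM wins when both files exist */` would make that precedence explicit. The closing brace at the end of the hunk suggests the tests still sit inside a block guarded by the display-manager.service lookup; the function starts and ends outside the hunk, so this needs confirming there, because if that lookup can fail on NixOS the file tests are never reached.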


@ -2,7 +2,7 @@ diff --git a/meson_post_install.py b/meson_post_install.py
index d8c3dd1..620f714 100644
--- a/meson_post_install.py
+++ b/meson_post_install.py
@@ -9,9 +9,9 @@ localstatedir = os.path.normpath(destdir + os.sep + sys.argv[1])
@@ -9,9 +9,9 @@
# FIXME: meson will not track the creation of these directories
# https://github.com/mesonbuild/meson/blob/master/mesonbuild/scripts/uninstall.py#L39
dst_dirs = [