This was supplied by Antonis Tsolomitis
<antonis.tsolomitis@gmail.com>, and allows you to hardcode a LANG
setting before starting up CDE, if your login manager does not do that
for you.
Marco Ivaldi <marco.ivaldi@mediaservice.net> has identified 3
vulnerabilities in CDE.
Two of them could affect our CDE (open-source version), while the 3rd
(sdtcm_convert) is Solaris specific.
The two vulnerabilities, both of which affect dtsession could allow a
local privilege escalation to root. A POC exists for Solaris. The
POC will not function on our CDE for two main reasons:
- the POC is Solaris specific
- The overflowed variables in question are allocated on the heap,
whereas in Solaris these variables are located on the stack.
The first vulnerability allows an extra long palette name to be used
to cause a crash via insufficient validation in
SrvPalette.c:CheckMonitor().
The second, which has not yet been assigned a CERT CVE resides in
SmCreateDirs.c:_DtCreateDtDirs() in libDtSvc. Due to insufficient
bounds checking, a crash or corruption can be achieved by using a very
long DISPLAY name.
This one is considered difficult to exploit, and no POC code is
available at this time. CDE 2.x code-bases are also listed as not
vulnerable, however some work has been done anyway to do some proper
bounds checking in this function.
The following text portions are copied from the relevant advisories,
which have not been released as of this writing.
NOTE: Oracle CDE does NOT use CDE 2.3.0a or earlier as mentioned
below. They are completely different code-bases):
Regarding CVE-2020-2692:
A buffer overflow in the CheckMonitor() function in the Common
Desktop Environment 2.3.0a and earlier, as distributed with Oracle
Solaris 10 1/13 (Update 11) and earlier, allows local users to gain
root privileges via a long palette name passed to dtsession in a
malicious .Xdefaults file.
Note that Oracle Solaris CDE is based on the original CDE 1.x train,
which is different from the CDE 2.x codebase that was later open
sourced. Most notably, the vulnerable buffer in the Oracle Solaris
CDE is stack-based, while in the open source version it is
heap-based.
Regarding the DtSvc bug, which does not currently have a CERT CVE:
A difficult to exploit stack-based buffer overflow in the
_DtCreateDtDirs() function in the Common Desktop Environment version
distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may
allow local users to corrupt memory and potentially execute
arbitrary code in order to escalate privileges via a long X11
display name. The vulnerable function is located in the libDtSvc
library and can be reached by executing the setuid program
dtsession.
The open source version of CDE (based on the CDE 2.x codebase) is
not affected.
There was code (_DtSimpleError() and _DtSimpleErrornoError()) that
only used snprintf when USE_SNPRINTF was defined, which it never was
of course. We just remove the 2 checks and always use [v]snprintf.
With this patch, CDE (autotools) builds and runs on fbsd 12 now.
fbsd11 should work too, but not yet tested.
You must use gmake - ie:
./configure MAKE=gmake
gmake
Seems all of the BSD's will need to use gmake for now.
1. On OpenBSD, and check is made for only bison or byacc. yacc is
present, but not usable apparently. So - need to install bison on the
BSD's.
2. the libjpeg.h check fails as it is located in a non-standard
location (/usr/local) on BSD systems. Just remove the check for now
until we have a better way to check that stuff (like X11 and Xm
headers too).
A list of major things like ksh, cpp, etc are saved in a list if they
are not found. If this list is non-empty when configure is nearly
done, an error message is displayed listing the missing programs.
This is less annoying than stopping after every missing programs.
Also, removed the X11/Xm header checks for now. Those need to take
into account X_CFLAGS in some way since these files are located in
dirfferent areas on different OS's (obsd puts them in
/usr/X11R6/include for example).
... and move the PROG_CC and PROG_CXX checks toward the beginning.
Without the move the compiler search arguments are ignored. We search
for 'cc gcc clang' and 'c++ g++ clang++', in that order for CC and CXX
respectively.
This means there should be no need to override the CC
and CXX variables on the configure command line for BSD systems.
On OpenBSD for example, cc links to clang. On Linux, cc links to
gcc. You can still override these if you like with CC=... and
CXX=... on the configure command line.
gmake (MAKE=gmake) still needs to be used on the BSD's though.
With these and previous changes, CDE builds, installs, and runs
correctly on OpenBSD 6.5 now.
With this commit, CDE can install and run now. There are still some
programs/ that are not yet built:
dthelp dtksh dtappbuilder dtdocbook dtinfo nsgmls ttsnoop
and of course documentation (doc/). But this is a great start. For
the first time, things build, install, AND run correctly :)
Use a common make include file to do most of the work and set the
appropriate LANG from localized/templates/ . This should simplify it
quite a bit and reduce duplication.
Also we were not even installing them, so now we are.
Certain programs like dtlogin and tt_type_comp need access to the
system's cpp command to process certain files at runtime. tradcpp is
not installed on most systems, and is intended for use as a imake-cpp
replacement which is all we are using it for. We still need an
honest cpp for the CDE components to use.
Now, we look in various places for a 'cpp' command and set CPP_COMMAND
to it's value. This way tt_type_comp and other CDE programs can do
required processing at runtime.
There is a problem with CPP_PROGRAM - using $CPP or $GENCPP (tradcpp)
always fails in tt_type_comp with the error:
"nclude ", line 8: syntax error
If I define it to /lib/cpp (previous hardcoded value) then it seems to
work fine. Only the dtinfo and dtinfo_start ptypes use #include, and
therefore show this error. Needs investigation.
