From f05f9dc7532ea41c49b3e9385165d942dfab5d0e Mon Sep 17 00:00:00 2001
From: Timothy Pearson
Date: Thu, 19 Jan 2012 23:22:04 -0600
Subject: If someone manages to close down kdesktop_lock through an undiscovered security vulnerability such as http://security-tracker.debian.org/tracker/CVE-2012-0064, immediately terminate the compromised TDE session
---
 kdesktop/lock/lockprocess.cc | 8 +++-----
 kdesktop/lockeng.cc | 34 +++++++++++++++++++++++++++++++---
 kdesktop/lockeng.h | 1 +
 3 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/kdesktop/lock/lockprocess.cc b/kdesktop/lock/lockprocess.cc
index 6bd18f771..2588bbfea 100644
--- a/kdesktop/lock/lockprocess.cc
+++ b/kdesktop/lock/lockprocess.cc
@@ -326,10 +326,8 @@ static int signal_pipe[2];
 static void sigterm_handler(int)
 {
 if (!trinity_desktop_lock_in_sec_dlg) {
- char tmp = 'T';
- if (::write( signal_pipe[1], &tmp, 1) == -1) {
- // Error handler to shut up gcc warnings
- }
+ // Exit uncleanly
+ exit(1);
 }
 }
@@ -522,7 +520,7 @@ void LockProcess::setupSignals()
 sigaddset(&(act.sa_mask), SIGQUIT);
 act.sa_flags = 0;
 sigaction(SIGQUIT, &act, 0L);
- // exit cleanly on SIGTERM
+ // exit uncleanly on SIGTERM
 act.sa_handler= sigterm_handler;
 sigemptyset(&(act.sa_mask));
 sigaddset(&(act.sa_mask), SIGTERM);
diff --git a/kdesktop/lockeng.cc b/kdesktop/lockeng.cc
index b957218a1..c5306e9d6 100644
--- a/kdesktop/lockeng.cc
+++ b/kdesktop/lockeng.cc
@@ -36,10 +36,11 @@ bool trinity_lockeng_sak_available = TRUE;
 // a newly started process.
 //
 SaverEngine::SaverEngine()
- : KScreensaverIface(),
- TQWidget(),
+ : TQWidget(),
+ KScreensaverIface(),
 mBlankOnly(false),
- mSAKProcess(NULL)
+ mSAKProcess(NULL),
+ mTerminationRequested(false)
 {
 // Save X screensaver parameters
 XGetScreenSaver(qt_xdisplay(), &mXTimeout, &mXInterval,
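Review bot: In sigterm_handler (kdesktop/lock/lockprocess.cc) the new `exit(1);` is called from signal context, and `exit()` is not async-signal-safe: it runs atexit handlers and static destructors and flushes stdio, any of which may be mid-update when SIGTERM arrives. Use `_exit(1);` so the process ends with the non-zero status and nothing else runs. The handler still returns without doing anything while `trinity_desktop_lock_in_sec_dlg` is set, so a comment such as `// SIGTERM is ignored while the secure dialog is up` would make that intent explicit.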
@@ -340,6 +341,7 @@ void SaverEngine::stopLockProcess()
 kdDebug(1204) << "SaverEngine: stopping lock" << endl;
 emitDCOPSignal("KDE_stop_screensaver()", TQByteArray());
+ mTerminationRequested=true;
 mLockProcess.kill();
 if (mEnabled)
@@ -357,7 +359,33 @@ void SaverEngine::stopLockProcess()
 void SaverEngine::lockProcessExited()
 {
+printf("Lock process exited\n\r"); fflush(stdout);
+ bool abnormalExit = false;
 kdDebug(1204) << "SaverEngine: lock exited" << endl;
+ if (mLockProcess.normalExit() == false) {
+ abnormalExit = true;
+ }
+ else {
+ if (mLockProcess.exitStatus() != 0) {
+ abnormalExit = true;
+ }
+ }
+ if (mTerminationRequested == true) {
+ abnormalExit = false;
+ }
+ if (abnormalExit == true) {
+ // PROBABLE HACKING ATTEMPT DETECTED
+ // Terminate the TDE session ASAP!
+ // Values are explained at http://lists.kde.org/?l=kde-linux&m=115770988603387
+ TQByteArray data;
+ TQDataStream arg(data, IO_WriteOnly);
+ arg << (int)0 << (int)0 << (int)2;
+ if ( ! kapp->dcopClient()->send("ksmserver", "default", "logout(int,int,int)", data) ) {
+ // Someone got to DCOP before we did
+ // Try an emergency system logout
+ system("logout");
+ }
+ }
 if (trinity_lockeng_sak_available == TRUE) {
 handleSecureDialog();
 }
diff --git a/kdesktop/lockeng.h b/kdesktop/lockeng.h
index b1e31bda4..ae81f90eb 100644
--- a/kdesktop/lockeng.h
+++ b/kdesktop/lockeng.h
@@ -114,6 +114,7 @@ protected:
 private:
 KProcess* mSAKProcess;
+ bool mTerminationRequested;
 };
 #endif
-- cgit v1.2.1
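Review bot: `mTerminationRequested=true;` in SaverEngine::stopLockProcess() is never cleared again in this commit; the only other write is the constructor initialiser. After the first requested stop, every later crash or kill of kdesktop_lock is therefore treated as requested and the logout path in lockProcessExited() is skipped for the rest of the session. Clear the flag once it has been consumed, e.g. `mTerminationRequested = false;` right after the `abnormalExit` decision in lockProcessExited(), or when the next lock process is started. The flag is also set before `mLockProcess.kill()` whether or not a locker is running; stopLockProcess() begins outside the hunk, so an earlier guard may exist that is not visible here.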
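Review bot: In SaverEngine::lockProcessExited() the fallback `system("logout");` is unlikely to end the session. `logout` is a shell builtin that only works in a login shell, and `system()` runs it in a fresh non-interactive `sh -c`, so when the DCOP send fails the desktop stays open with no locker on screen, and the return value is not checked. The fallback should either end the session by a route that does not depend on DCOP or put a locker back on the display, and it should log the failure. The DCOP `send()` result only shows the message was handed off, not that ksmserver acted on it, so the success branch is best-effort as well. Separately, the unindented `printf("Lock process exited\n\r"); fflush(stdout);` looks like leftover debugging and can be dropped, since `kdDebug(1204)` already records the exit.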