Slackware 14.0slackware-14.0

Wed Sep 26 01:10:42 UTC 2012
Slackware 14.0 x86_64 stable is released!

We're perfectionists here at Slackware, so this release has been a long
time a-brewing.  But we think you'll agree that it was worth the wait.
Slackware 14.0 combines modern components, ease of use, and flexible
configuration... our "KISS" philosophy demands it.

The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a
dual-sided
32-bit/64-bit x86/x86_64 DVD.  Please consider supporting the Slackware
project by picking up a copy from store.slackware.com.  We're taking
pre-orders now, and offer a discount if you sign up for a subscription.

Thanks to everyone who helped make this happen.  The Slackware team, the
upstream developers, and (of course) the awesome Slackware user
community.

Have fun!  :-)

1 files changed, 0 insertions, 127 deletions

diff --git a/source/l/polkit/CVE-2011-1485/0004-pkexec-Avoid-TOCTTOU-problems-with-parent-process.patch b/source/l/polkit/CVE-2011-1485/0004-pkexec-Avoid-TOCTTOU-problems-with-parent-process.patch
deleted file mode 100644
index 8572f732d..000000000
--- a/source/l/polkit/CVE-2011-1485/0004-pkexec-Avoid-TOCTTOU-problems-with-parent-process.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 3b12cfac29dddd27f1f166a7574d8374cc1dccf2 Mon Sep 17 00:00:00 2001
-From: David Zeuthen <davidz@redhat.com>
-Date: Fri, 1 Apr 2011 12:13:15 -0400
-Subject: [PATCH 4/4] pkexec: Avoid TOCTTOU problems with parent process
-
-In a nutshell, the parent process may change its uid (either real- or
-effective uid) after launching pkexec. It can do this by exec()'ing
-e.g. a setuid root program.
-
-To avoid this problem, just use the uid the parent process had when it
-executed pkexec. This happens to be the same uid of the pkexec process
-itself.
-
-Additionally, remove some dubious code that allowed pkexec to continue
-when the parent process died as there is no reason to support
-something like that. Also ensure that the pkexec process is killed if
-the parent process dies.
-
-This problem was pointed out by Neel Mehta <nmehta@google.com>.
-
-Signed-off-by: David Zeuthen <davidz@redhat.com>
----
- src/programs/pkexec.c |   66 +++++++++++++++++++++++++++++--------------------
- 1 files changed, 39 insertions(+), 27 deletions(-)
-
-diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
-index 9217954..3e656be 100644
---- a/src/programs/pkexec.c
-+++ b/src/programs/pkexec.c
-@@ -35,6 +35,10 @@
- #include <pwd.h>
- #include <errno.h>
- 
-+#ifdef __linux__
-+#include <sys/prctl.h>
-+#endif
-+
- #include <glib/gi18n.h>
- 
- #ifdef POLKIT_AUTHFW_PAM
-@@ -423,7 +427,6 @@ main (int argc, char *argv[])
-   GPtrArray *saved_env;
-   gchar *opt_user;
-   pid_t pid_of_caller;
--  uid_t uid_of_caller;
-   gpointer local_agent_handle;
- 
-   ret = 127;
-@@ -598,40 +601,49 @@ main (int argc, char *argv[])
-    */
-   g_type_init ();
- 
--  /* now check if the program that invoked us is authorized */
-+  /* make sure we are nuked if the parent process dies */
-+#ifdef __linux__
-+  if (prctl (PR_SET_PDEATHSIG, SIGTERM) != 0)
-+    {
-+      g_printerr ("prctl(PR_SET_PDEATHSIG, SIGTERM) failed: %s\n", g_strerror (errno));
-+      goto out;
-+    }
-+#else
-+#warning "Please add OS specific code to catch when the parent dies"
-+#endif
-+
-+  /* Figure out the parent process */
-   pid_of_caller = getppid ();
-   if (pid_of_caller == 1)
-     {
-       /* getppid() can return 1 if the parent died (meaning that we are reaped
--       * by /sbin/init); get process group leader instead - for example, this
--       * happens when launching via gnome-panel (alt+f2, then 'pkexec gedit').
-+       * by /sbin/init); In that case we simpy bail.
-        */
--      pid_of_caller = getpgrp ();
--    }
--
--  subject = polkit_unix_process_new (pid_of_caller);
--  if (subject == NULL)
--    {
--      g_printerr ("No such process for pid %d: %s\n", (gint) pid_of_caller, error->message);
--      g_error_free (error);
-+      g_printerr ("Refusing to render service to dead parents.\n");
-       goto out;
-     }
- 
--  /* paranoia: check that the uid of pid_of_caller matches getuid() */
--  error = NULL;
--  uid_of_caller = polkit_unix_process_get_owner (POLKIT_UNIX_PROCESS (subject),
--                                                 &error);
--  if (error != NULL)
--    {
--      g_printerr ("Error determing pid of caller (pid %d): %s\n", (gint) pid_of_caller, error->message);
--      g_error_free (error);
--      goto out;
--    }
--  if (uid_of_caller != getuid ())
--    {
--      g_printerr ("User of caller (%d) does not match our uid (%d)\n", uid_of_caller, getuid ());
--      goto out;
--    }
-+  /* This process we want to check an authorization for is the process
-+   * that launched us - our parent process.
-+   *
-+   * At the time the parent process fork()'ed and exec()'ed us, the
-+   * process had the same real-uid that we have now. So we use this
-+   * real-uid instead of of looking it up to avoid TOCTTOU issues
-+   * (consider the parent process exec()'ing a setuid helper).
-+   *
-+   * On the other hand, the monotonic process start-time is guaranteed
-+   * to never change so it's safe to look that up given only the PID
-+   * since we are guaranteed to be nuked if the parent goes away
-+   * (cf. the prctl(2) call above).
-+   */
-+  subject = polkit_unix_process_new_for_owner (pid_of_caller,
-+                                               0, /* 0 means "look up start-time in /proc" */
-+                                               getuid ());
-+  /* really double-check the invariants guaranteed by the PolkitUnixProcess class */
-+  g_assert (subject != NULL);
-+  g_assert (polkit_unix_process_get_pid (POLKIT_UNIX_PROCESS (subject)) == pid_of_caller);
-+  g_assert (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0);
-+  g_assert (polkit_unix_process_get_start_time (POLKIT_UNIX_PROCESS (subject)) > 0);
- 
-   error = NULL;
-   authority = polkit_authority_get_sync (NULL /* GCancellable* */, &error);
--- 
-1.7.4.4
-