oweals/cde.git
13 months ago: Convert uses of XKeycodeToKeysym (deprecated) to XkbKeycodeToKeysym [master]
Jon Trulson [Mon, 23 Mar 2020 18:51:18 +0000 (12:51 -0600)]
Convert uses of XKeycodeToKeysym (deprecated) to XkbKeycodeToKeysym

patch supplied from Peter G.

14 months ago: dtksh: fix 32b/64b issues with XmTextGetString and XmTextFieldGetString
Jon Trulson [Sun, 8 Mar 2020 21:05:48 +0000 (15:05 -0600)]
dtksh: fix 32b/64b issues with XmTextGetString and XmTextFieldGetString

Some of these functions were returning pointers cast as integers,
which of course is bad on 64b LP64 systems.

This code should probably just be refactored at some point.  There may
be other hidden issues, and all the casting just sucks.

15 months ago: desktopentry/README: Clarify that the login manager is responsible for setting language
Jon Trulson [Sat, 8 Feb 2020 23:16:13 +0000 (16:16 -0700)]
desktopentry/README: Clarify that the login manager is responsible for setting language

15 months ago: Revert "Add a new contrib/desktopentry-setlang/ mechanism"
Jon Trulson [Sat, 8 Feb 2020 23:12:31 +0000 (16:12 -0700)]
Revert "Add a new contrib/desktopentry-setlang/ mechanism"

This reverts commit 08b6281f60ab543510d9b4c74c81d1d8c9391906.

The Login manager is responsible for setting the correct language
(LANG, etc) information before starting a CDE session.

15 months ago: Add a new contrib/desktopentry-setlang/ mechanism
Jon Trulson [Sun, 26 Jan 2020 18:54:38 +0000 (11:54 -0700)]
Add a new contrib/desktopentry-setlang/ mechanism

This was supplied by Antonis Tsolomitis
<antonis.tsolomitis@gmail.com>, and allows you to hardcode a LANG
setting before starting up CDE, if your login manager does not do that
for you.

16 months ago: dtsession, DtSvc: fix CVE-2020-2696/VU#308289
Jon Trulson [Sun, 12 Jan 2020 02:30:51 +0000 (19:30 -0700)]
dtsession, DtSvc: fix CVE-2020-2696/VU#308289

Marco Ivaldi <marco.ivaldi@mediaservice.net> has identified 3
vulnerabilities in CDE.

Two of them could affect our CDE (open-source version), while the 3rd
(sdtcm_convert) is Solaris specific.

The two vulnerabilities, both of which affect dtsession, could allow a
local privilege escalation to root.  A POC exists for Solaris.  The
POC will not function on our CDE for two main reasons:

- the POC is Solaris specific
- The overflowed variables in question are allocated on the heap,
  whereas in Solaris these variables are located on the stack.

The first vulnerability allows an extra long palette name to be used
to cause a crash via insufficient validation in
SrvPalette.c:CheckMonitor().

The second, which has not yet been assigned a CERT CVE, resides in
SmCreateDirs.c:_DtCreateDtDirs() in libDtSvc.  Due to insufficient
bounds checking, a crash or corruption can be achieved by using a very
long DISPLAY name.

This one is considered difficult to exploit, and no POC code is
available at this time.  CDE 2.x code-bases are also listed as not
vulnerable; however, some work has been done anyway to do some proper
bounds checking in this function.

The following text portions are copied from the relevant advisories,
which have not been released as of this writing.

NOTE: Oracle CDE does NOT use CDE 2.3.0a or earlier as mentioned
below.  They are completely different code-bases.

Regarding CVE-2020-2692:

  A buffer overflow in the CheckMonitor() function in the Common
  Desktop Environment 2.3.0a and earlier, as distributed with Oracle
  Solaris 10 1/13 (Update 11) and earlier, allows local users to gain
  root privileges via a long palette name passed to dtsession in a
  malicious .Xdefaults file.

  Note that Oracle Solaris CDE is based on the original CDE 1.x train,
  which is different from the CDE 2.x codebase that was later open
  sourced. Most notably, the vulnerable buffer in the Oracle Solaris
  CDE is stack-based, while in the open source version it is
  heap-based.

Regarding the DtSvc bug, which does not currently have a CERT CVE:

  A difficult to exploit stack-based buffer overflow in the
  _DtCreateDtDirs() function in the Common Desktop Environment version
  distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may
  allow local users to corrupt memory and potentially execute
  arbitrary code in order to escalate privileges via a long X11
  display name. The vulnerable function is located in the libDtSvc
  library and can be reached by executing the setuid program
  dtsession.

  The open source version of CDE (based on the CDE 2.x codebase) is
  not affected.

16 months ago: DtSvc: always use vsnprintf
Jon Trulson [Sun, 12 Jan 2020 01:21:37 +0000 (18:21 -0700)]
DtSvc: always use vsnprintf

There was code (_DtSimpleError() and _DtSimpleErrornoError()) that
only used snprintf when USE_SNPRINTF was defined, which it never was
of course.  We just remove the 2 checks and always use [v]snprintf.

16 months ago: FreeBSD 12/libDtHelp: fix link errors with missing libjpeg
Jon Trulson [Sat, 4 Jan 2020 21:36:06 +0000 (14:36 -0700)]
FreeBSD 12/libDtHelp: fix link errors with missing libjpeg

16 months ago: extra.h: remove unused prototypes
Chase [Sun, 15 Dec 2019 21:02:21 +0000 (15:02 -0600)]
extra.h: remove unused prototypes

16 months ago: dtksh: remove needless OS defines
Chase [Sun, 15 Dec 2019 16:28:22 +0000 (10:28 -0600)]
dtksh: remove needless OS defines

16 months ago: dtkcmds.c: avoid c99 collision
Chase [Sun, 15 Dec 2019 16:22:54 +0000 (10:22 -0600)]
dtkcmds.c: avoid c99 collision

16 months ago: dtksh: remove unused files and functions
Chase [Sun, 15 Dec 2019 16:19:37 +0000 (10:19 -0600)]
dtksh: remove unused files and functions

17 months ago: linux.cf: always use bison
Jon Trulson [Mon, 2 Dec 2019 01:57:07 +0000 (18:57 -0700)]
linux.cf: always use bison

For some reason, whenever OSMajorVersion was >= 2 (this equates to a
2.x kernel or above), yacc would be used instead of bison.

On Ubuntu, and probably other linux systems, yacc is just a shell
wrapper around bison, so let's just use that directly.

17 months ago: dtdocbook/instant: fix buffer overflow on German umlaut in latin-1
Marcin Cieślak [Sat, 30 Nov 2019 03:51:40 +0000 (03:51 +0000)]
dtdocbook/instant: fix buffer overflow on German umlaut in latin-1

Off-by-one error:

Old buffer length was 6 for one character (3 * 1 + 3).
We need one more byte per character in the buffer for
the hex representation of it.

+0 '"'
+1 '\\'
+2 'x'
+3 'f'
+4 'c'
+5 '"'
+6 0x0 << overflow

tcl combined with RCHECK will abort because memory blocks
are allocated contiguously and we overwrite the magic marker
of the next block.
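The sizing described above, as an added C example that is not code from the CDE instant sources: a hex-escaping quoter whose buffer formula counts all four bytes of each `\xNN` escape plus the two quotes and the NUL terminator, beside the old 3-per-character formula so the one-byte-per-character shortfall can be checked. The macro and function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed to hold n input bytes as a double-quoted literal when every
 * byte may be emitted as a \xNN escape: 4 per byte (backslash, 'x', two hex
 * digits) + opening quote + closing quote + NUL terminator. */
#define HEX_QUOTED_CAP(n)    (4 * (size_t)(n) + 3)

/* The formula described in the commit message (3 per byte + 3), kept only so
 * the shortfall can be computed and checked; it is never used to allocate. */
#define OLD_QUOTED_CAP(n)    (3 * (size_t)(n) + 3)

/* How many bytes the old formula was short for n input bytes: one per byte,
 * so a single U+00FC 'ü' (0xfc in Latin-1) already overruns a 6-byte buffer
 * by exactly the terminating NUL, clobbering whatever follows the block. */
size_t old_formula_shortfall(size_t n)
{
    return HEX_QUOTED_CAP(n) - OLD_QUOTED_CAP(n);
}

/* Render n ISO-8859-1 bytes as a quoted literal. Printable ASCII other than
 * '"' and '\\' is copied through; everything else becomes \xNN. Returns a
 * malloc'd NUL-terminated string, or NULL on allocation failure or if the
 * bookkeeping ever finds less room than an escape needs (defensive check;
 * with the worst-case capacity above it cannot trigger). *out_len receives
 * strlen() of the result. */
char *quote_latin1_hex(const unsigned char *src, size_t n, size_t *out_len)
{
    size_t cap = HEX_QUOTED_CAP(n);   /* worst case: every byte escaped */
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;

    size_t pos = 0;
    buf[pos++] = '"';
    for (size_t i = 0; i < n; i++) {
        unsigned char c = src[i];
        if (c >= 0x20 && c < 0x7f && c != '"' && c != '\\') {
            buf[pos++] = (char)c;
            continue;
        }
        /* snprintf needs the 4 escape bytes plus its own NUL: 5 bytes free. */
        if (cap - pos < 5) {
            free(buf);
            return NULL;
        }
        int w = snprintf(buf + pos, cap - pos, "\\x%02x", c);
        if (w != 4) {
            free(buf);
            return NULL;
        }
        pos += 4;
    }
    buf[pos++] = '"';
    buf[pos] = '\0';                  /* pos <= cap - 1 by construction */
    if (out_len != NULL)
        *out_len = pos;
    return buf;
}
```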

17 months ago: tt_type_comp: use CppCmd definition
Nina Didenko [Sun, 24 Nov 2019 07:42:05 +0000 (10:42 +0300)]
tt_type_comp: use CppCmd definition

Hi.

This patch makes tt_type_comp respect CppCmd.

Thanks!

17 months ago: installCDE: don't hardcode path to whoami
Nina Didenko [Wed, 20 Nov 2019 19:50:06 +0000 (22:50 +0300)]
installCDE: don't hardcode path to whoami

Hi.

Patch removes hardcoded paths to echo and whoami in installation scripts.

Thanks.

17 months ago: Set version to 2.3.1a (devel) for current master
Jon Trulson [Mon, 18 Nov 2019 20:03:52 +0000 (13:03 -0700)]
Set version to 2.3.1a (devel) for current master

17 months ago: gitignore: add infolib/etc UTF-8 locales
Jon Trulson [Mon, 18 Nov 2019 19:52:17 +0000 (12:52 -0700)]
gitignore: add infolib/etc UTF-8 locales

17 months ago: site.def: add define guards around DtLocalesToBuild
Jon Trulson [Sun, 17 Nov 2019 22:08:20 +0000 (15:08 -0700)]
site.def: add define guards around DtLocalesToBuild

17 months ago: dtinfo: link proper localized (utf8) dirs
Jon Trulson [Sun, 17 Nov 2019 22:07:14 +0000 (15:07 -0700)]
dtinfo: link proper localized (utf8) dirs

17 months ago: Merge branch 'master' into utf8-conversion after 2.3.1 release
Jon Trulson [Sat, 16 Nov 2019 23:34:48 +0000 (16:34 -0700)]
Merge branch 'master' into utf8-conversion after 2.3.1 release

17 months ago: HISTORY: update for 2.3.1 release [2.3.1]
Jon Trulson [Sat, 16 Nov 2019 02:06:01 +0000 (19:06 -0700)]
HISTORY: update for 2.3.1 release

17 months ago: Change CDE version info for 2.3.1 release
Jon Trulson [Sat, 16 Nov 2019 01:04:01 +0000 (18:04 -0700)]
Change CDE version info for 2.3.1 release

18 months ago: sym2num: don't hardcode path to cpp
Nina Didenko [Tue, 5 Nov 2019 17:45:44 +0000 (20:45 +0300)]
sym2num: don't hardcode path to cpp

18 months ago: merge: don't hardcode path to gencat
Nina Didenko [Tue, 5 Nov 2019 17:45:43 +0000 (20:45 +0300)]
merge: don't hardcode path to gencat

18 months ago: udbToAny.ksh: don't hardcode path to awk
Nina Didenko [Tue, 5 Nov 2019 17:45:42 +0000 (20:45 +0300)]
udbToAny.ksh: don't hardcode path to awk

18 months ago: dtinfogen: don't override PATH
Nina Didenko [Tue, 5 Nov 2019 17:45:41 +0000 (20:45 +0300)]
dtinfogen: don't override PATH

18 months ago: il: remove various deprecated files
Chase [Tue, 29 Oct 2019 02:23:47 +0000 (21:23 -0500)]
il: remove various deprecated files

18 months ago: remove more internal jpeg headers
Chase [Tue, 29 Oct 2019 01:27:35 +0000 (20:27 -0500)]
remove more internal jpeg headers

18 months ago: DtSvc/DtUtil2: fix implicit function declarations
Jon Trulson [Mon, 28 Oct 2019 19:27:47 +0000 (13:27 -0600)]
DtSvc/DtUtil2: fix implicit function declarations

18 months ago: DtSvc/DtUtil1: fix implicit function declarations
Jon Trulson [Mon, 28 Oct 2019 19:22:09 +0000 (13:22 -0600)]
DtSvc/DtUtil1: fix implicit function declarations

18 months ago: ttserver: fixup forward (vexing) function decl's in main, get rid of **environ
Jon Trulson [Sun, 20 Oct 2019 00:36:54 +0000 (18:36 -0600)]
ttserver: fixup forward (vexing) function decl's in main, get rid of **environ

18 months ago: Remove all optional compile flags from dtwm that are not referenced anywhere, and...
wmoxam [Mon, 14 Oct 2019 04:31:57 +0000 (00:31 -0400)]
Remove all optional compile flags from dtwm that are not referenced anywhere, and are unlikely to ever be used

18 months ago: dtmail: fix extra format args warnings
Jon Trulson [Wed, 16 Oct 2019 03:22:11 +0000 (21:22 -0600)]
dtmail: fix extra format args warnings

18 months ago: dtmail: fix NULL char embedded in format string
Jon Trulson [Wed, 16 Oct 2019 03:12:17 +0000 (21:12 -0600)]
dtmail: fix NULL char embedded in format string

18 months ago: 'notdef' means it's not used, so we remove it
wmoxam [Mon, 14 Oct 2019 03:33:24 +0000 (23:33 -0400)]
'notdef' means it's not used, so we remove it

18 months ago: Remove ancient HP VUE compatibility support
wmoxam [Mon, 14 Oct 2019 13:39:50 +0000 (09:39 -0400)]
Remove ancient HP VUE compatibility support

19 months ago: Remove old jpeg files
Chase [Mon, 14 Oct 2019 23:46:55 +0000 (18:46 -0500)]
Remove old jpeg files

19 months ago: Remove 'oldcode'
wmoxam [Mon, 14 Oct 2019 03:15:52 +0000 (23:15 -0400)]
Remove 'oldcode'

19 months ago: Remove legacysun code blocks
wmoxam [Mon, 14 Oct 2019 03:12:13 +0000 (23:12 -0400)]
Remove legacysun code blocks

19 months ago: Remove unused HP_EXTENSIONS code blocks
wmoxam [Mon, 14 Oct 2019 02:28:38 +0000 (22:28 -0400)]
Remove unused HP_EXTENSIONS code blocks

19 months ago: dtpad: emit error on catopen() failure
Jon Trulson [Mon, 14 Oct 2019 20:42:21 +0000 (14:42 -0600)]
dtpad: emit error on catopen() failure

This patch was manually added via a diff supplied from a user on the
CDE mailing list: Michele Ghisolfo <ghisolfo.m@gmail.com>

19 months ago: dtfile: Add scroll wheel support
Jon Trulson [Mon, 14 Oct 2019 20:34:56 +0000 (14:34 -0600)]
dtfile: Add scroll wheel support

This patch was manually added via a diff supplied from a user on the
CDE mailing list: Michele Ghisolfo <ghisolfo.m@gmail.com>

19 months ago: dtcalc: increase highlight thickness to match Solaris CDE
Jon Trulson [Mon, 14 Oct 2019 20:30:58 +0000 (14:30 -0600)]
dtcalc: increase highlight thickness to match Solaris CDE

This patch was manually added via a diff supplied from a user on the
CDE mailing list: Michele Ghisolfo <ghisolfo.m@gmail.com>

19 months ago: dtterm: add scroll wheel support
Jon Trulson [Mon, 14 Oct 2019 20:08:43 +0000 (14:08 -0600)]
dtterm: add scroll wheel support

This patch was manually added via a diff supplied from a user on the
CDE mailing list: Michele Ghisolfo <ghisolfo.m@gmail.com>

19 months ago: Remove NOTDONE code
wmoxam [Mon, 14 Oct 2019 03:41:22 +0000 (23:41 -0400)]
Remove NOTDONE code

19 months ago: linux: build all languages by default again
Jon Trulson [Mon, 14 Oct 2019 03:11:59 +0000 (21:11 -0600)]
linux: build all languages by default again

Someday we should be able to detect which languages are installed and
only build support for those.  Until then, build them all.

19 months ago: Merge /u/jrubio/cdesktopenv/ branch discarded-qualifiers into master
Jon Trulson [Sun, 13 Oct 2019 17:09:04 +0000 (17:09 +0000)]
Merge /u/jrubio/cdesktopenv/ branch discarded-qualifiers into master

https://sourceforge.net/p/cdesktopenv/code/merge-requests/17/

19 months ago: Merge /u/jrubio/cdesktopenv/ branch delete-incomplete into master
Jon Trulson [Sun, 13 Oct 2019 17:06:14 +0000 (17:06 +0000)]
Merge /u/jrubio/cdesktopenv/ branch delete-incomplete into master

https://sourceforge.net/p/cdesktopenv/code/merge-requests/18/

19 months ago: get rid of the 'extern sys_errlist' and 'sys_nerr' in SysErrorMsg.
Jose Rubio [Sun, 13 Oct 2019 08:19:00 +0000 (10:19 +0200)]
get rid of the 'extern sys_errlist' and 'sys_nerr' in SysErrorMsg.

19 months ago: Merge branch 'master' into utf8-conversion, after 2.3.0a release
Jon Trulson [Sun, 13 Oct 2019 01:17:42 +0000 (19:17 -0600)]
Merge branch 'master' into utf8-conversion, after 2.3.0a release

19 months ago: Merge /u/jrubio/cdesktopenv/ branch incompatible-pointer-types into master [2.3.0a]
Jon Trulson [Sat, 12 Oct 2019 21:43:45 +0000 (21:43 +0000)]
Merge /u/jrubio/cdesktopenv/ branch incompatible-pointer-types into master

https://sourceforge.net/p/cdesktopenv/code/merge-requests/16/

19 months ago: Fixes for a few -Wincompatible-pointer-types
Jose Rubio [Sat, 12 Oct 2019 20:29:44 +0000 (22:29 +0200)]
Fixes for a few -Wincompatible-pointer-types

19 months ago: Merge /u/jrubio/cdesktopenv/ branch int-conversion into master
Jon Trulson [Fri, 11 Oct 2019 23:58:44 +0000 (23:58 +0000)]
Merge /u/jrubio/cdesktopenv/ branch int-conversion into master

https://sourceforge.net/p/cdesktopenv/code/merge-requests/14/

19 months ago: Fix to delete-incomplete warnings.
Jose Rubio [Fri, 11 Oct 2019 11:43:08 +0000 (13:43 +0200)]
Fix to delete-incomplete warnings.

19 months ago: Fix to compile warnings.
Jose Rubio [Fri, 11 Oct 2019 08:49:48 +0000 (10:49 +0200)]
Fix to compile warnings.

* discarded-qualifiers warnings.
* Function definitions: the .h doesn't match the .c.
* Added some includes to ensure the .c has the function definitions.

19 months ago: Fix to different compile warnings.
Jose Rubio [Thu, 10 Oct 2019 17:25:07 +0000 (19:25 +0200)]
Fix to different compile warnings.

Fix to multiple int-conversion
Removal of duplicated function definition in dtudcfonted/util.h
Added XtEventHandler prototypes to mtfgui

19 months ago: Fix to Wenum-compare
Jose Rubio [Thu, 10 Oct 2019 15:01:56 +0000 (17:01 +0200)]
Fix to Wenum-compare

It seems the purpose is to define a constant as an anonymous enum.
That behaviour triggers the enum compare.  Let's make it a constant.

19 months ago: Fix openbsd compile build errors due to dependency on libiconv
Jose Rubio [Fri, 27 Sep 2019 19:54:06 +0000 (21:54 +0200)]
Fix openbsd compile build errors due to dependency on libiconv

The path to libiconv is selected in config/cf/OpenBSD.cf reusing the
same trick as FreeBSD does.

19 months ago: Merge branch 'master' into utf8-conversion
Jon Trulson [Mon, 16 Sep 2019 19:24:18 +0000 (13:24 -0600)]
Merge branch 'master' into utf8-conversion

19 months ago: Merge branch 'linux-suse-tcl-link' of https://git.code.sf.net/u/jrubio/cdesktopenv...
Jose Rubio [Mon, 16 Sep 2019 12:59:24 +0000 (14:59 +0200)]
Merge branch 'linux-suse-tcl-link' of https://git.code.sf.net/u/jrubio/cdesktopenv into linux-suse-tcl-link

19 months ago: Link TCL libraries and restrict tcl8.6 to SuSE only.
Jose Rubio [Sun, 15 Sep 2019 17:01:17 +0000 (19:01 +0200)]
Link TCL libraries and restrict tcl8.6 to SuSE only.

19 months ago: Update TCL libraries link and restrict tcl8.6 only to SuSE.
Jose Rubio [Sun, 15 Sep 2019 17:01:17 +0000 (19:01 +0200)]
Update TCL libraries link and restrict tcl8.6 only to SuSE.

20 months ago: Merge /u/jrubio/cdesktopenv/ branch implicit-int into master
Jon Trulson [Thu, 12 Sep 2019 22:14:19 +0000 (22:14 +0000)]
Merge /u/jrubio/cdesktopenv/ branch implicit-int into master

https://sourceforge.net/p/cdesktopenv/code/merge-requests/9/

20 months ago: Merge /u/jrubio/cdesktopenv/ branch pointer-compare into master
Jon Trulson [Thu, 12 Sep 2019 22:11:52 +0000 (22:11 +0000)]
Merge /u/jrubio/cdesktopenv/ branch pointer-compare into master

https://sourceforge.net/p/cdesktopenv/code/merge-requests/8/

20 months ago: Merge /u/jrubio/cdesktopenv/ branch linux_aarch64 into master
Jon Trulson [Thu, 12 Sep 2019 22:05:43 +0000 (22:05 +0000)]
Merge /u/jrubio/cdesktopenv/ branch linux_aarch64 into master

https://sourceforge.net/p/cdesktopenv/code/merge-requests/6/

20 months ago: Merge /u/jrubio/cdesktopenv/ branch dtksh_include_sys_sysmacros into master
Jon Trulson [Thu, 12 Sep 2019 22:02:51 +0000 (22:02 +0000)]
Merge /u/jrubio/cdesktopenv/ branch dtksh_include_sys_sysmacros into master

https://sourceforge.net/p/cdesktopenv/code/merge-requests/10/

20 months ago: Fix for deprecated warnings related to gnu libc sys macros.
Jose Rubio [Thu, 12 Sep 2019 11:10:02 +0000 (13:10 +0200)]
Fix for deprecated warnings related to gnu libc sys macros.

The patch only includes sysmacros for linux, the only target with gnu libc, to avoid regression issues.

20 months ago: isfname.c: remove register keyword
Jon Trulson [Wed, 11 Sep 2019 23:48:06 +0000 (17:48 -0600)]
isfname.c: remove register keyword

20 months ago: ksh/libast: include sys/sysmacros.h in fmtdev.c for linux systems
Jon Trulson [Wed, 11 Sep 2019 23:30:55 +0000 (17:30 -0600)]
ksh/libast: include sys/sysmacros.h in fmtdev.c for linux systems

Fix scraped from CDE forum post:
https://sourceforge.net/p/cdesktopenv/discussion/general/thread/24d7511a39/

20 months ago: FIX: Define Aarch64 as little endian so DtInfo compiles.
Jose Rubio [Thu, 29 Aug 2019 09:12:26 +0000 (11:12 +0200)]
FIX: Define Aarch64 as little endian so DtInfo compiles.

20 months ago: Fixes for warnings related to -Wimplicit-int.
Jose Rubio [Tue, 20 Aug 2019 10:52:43 +0000 (12:52 +0200)]
Fixes for warnings related to -Wimplicit-int.

20 months ago: Cleanup of -Wpointer-compare warnings.
Jose Rubio [Mon, 19 Aug 2019 16:02:25 +0000 (18:02 +0200)]
Cleanup of -Wpointer-compare warnings.

20 months ago: Added linux/aarch64 as valid target.
Jose Rubio [Mon, 19 Aug 2019 14:55:11 +0000 (16:55 +0200)]
Added linux/aarch64 as valid target.

2 years ago: dtprintinfo: remove SUID root on install
Jon Trulson [Tue, 7 May 2019 00:32:14 +0000 (18:32 -0600)]
dtprintinfo: remove SUID root on install

This program should not be SUID root.  If you need its services, just
run

sudo dtprintinfo -populate

TODO: dtprintinfo should only create its actions (if ever) in a
user's .dt/types/ directory and not in any system-wide dirs.  No need
for root access at all.

2 years ago: dtprintinfo: correct another possible buffer overflow
Jon Trulson [Tue, 7 May 2019 00:23:36 +0000 (18:23 -0600)]
dtprintinfo: correct another possible buffer overflow

2 years ago: dtprintinfo: Fix a potentially exploitable buffer overrun
Jon Trulson [Mon, 6 May 2019 23:55:49 +0000 (17:55 -0600)]
dtprintinfo: Fix a potentially exploitable buffer overrun

This fixes a potentially exploitable buffer overrun in dtprintinfo.
This was brought to my attention based on a 0day exploit released for
Solaris CDE.

The exploit code does not work (or build) on linux, and the overrun is
in the heap rather than the stack as on Solaris, but it's easy to see
how this could be exploited.

The following is the content of the advisory:

8<-----------------------------------------------------------

@Mediaservice.net (Cybaze Group) Security Advisory #2019-01 (2019-05-07)

         Title: Local privilege escalation via CDE dtprintinfo
   Application: Common Desktop Environment 2.3.0 and earlier
     Platforms: Oracle Solaris 10 1/13 (Update 11) and earlier
   Description: A local attacker can gain root privileges by exploiting
                a buffer overflow in CDE dtprintinfo
        Author: Marco Ivaldi <marco.ivaldi@mediaservice.net>
   Contributor: Dave Aitel <dave.aitel@cyxtera.com> (original discovery)
 Vendor Status: <secalert_us@oracle.com> notified on 2019-05-05
                <cdesktopenv-devel@lists.sourceforge.net> notified on 2019-05-05
           CVE: The Common Vulnerabilities and Exposures project has not assigned
                a name to this issue yet
    References: https://lab.mediaservice.net/advisory/2019-01-cde-dtprintinfo.txt
                https://github.com/0xdea/raptor_infiltrate19
                https://sourceforge.net/p/cdesktopenv/wiki/Home/
                https://www.oracle.com/technetwork/server-storage/solaris10/
                https://www.mediaservice.net/
                https://infiltratecon.com/

1. Abstract.

A buffer overflow in the DtPrinterAction::PrintActionExists() function in the
Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13
(Update 11) and earlier, allows local users to gain root privileges via a long
printer name passed to dtprintinfo by a malicious lpstat program.

This is a 0day vulnerability demonstrated at #INFILTRATE19 on May 2nd, 2019 in
the talk "A bug's life: story of a Solaris 0day".

2. Example Attack Session.

bash-3.2$ cat /etc/release
                    Oracle Solaris 10 1/13 s10x_u11wos_24a X86
  Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
                            Assembled 17 January 2013
bash-3.2$ uname -a
SunOS nostalgia 5.10 Generic_147148-26 i86pc i386 i86pc
bash-3.2$ id
uid=54322(raptor) gid=1(other)
bash-3.2$ gcc raptor_dtprintname_intel.c -o raptor_dtprintname_intel -Wall
bash-3.2$ ./raptor_dtprintname_intel 192.168.1.1:0
raptor_dtprintname_intel.c - dtprintinfo 0day, Solaris/Intel
Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Using SI_PLATFORM       : i86pc (5.10)
Using stack base        : 0x8047fff
Using rwx_mem address   : 0xfeffa004
Using sc address        : 0x8047f60
Using strcpy() address  : 0xfefe26a0

lpstat called with -v
lpstat called with -v
lpstat called with -d
uid=0(root) gid=1(other)

3. Affected Platforms.

All platforms shipping the Common Desktop Environment are potentially
affected. This includes:

* Oracle Solaris 10 1/13 (Update 11) and earlier [default installation]

According to the CDE Wiki, the following platforms are officially supported:

* All Official Ubuntu variants 12.04 - 18.04
* Debian 6, 7, 8, 9
* Fedora 17 at least
* Archlinux
* Red Hat
* Slackware 14.0
* OpenBSD
* NetBSD
* FreeBSD 9.2, 10.x, 11.x
* openSUSE Tumbleweed (gcc7)
* openSUSE Leap 4.2 (gcc4)
* SUSE 12 SP3 (gcc4)
* Solaris, OpenIndiana

4. Fix.

The upstream CDE maintainers have issued a patch for this vulnerability. Oracle
is investigating the issue via tracking# S1153109 and is expected to release a
fix for all affected-supported versions of Solaris via their quarterly Critical
Patch Update (CPU) program.

As a temporary workaround, it is possible to remove the setuid bit from the
dtprintinfo executable as follows:

bash-3.2# chmod -s /usr/dt/bin/dtprintinfo

5. Proof of Concept.

A working exploit for Oracle Solaris 10 1/13 (Update 11) Intel has been
developed as a proof of concept. Exploits for other Solaris versions and for
the SPARC architecture are also available. All exploits can be downloaded at:

https://github.com/0xdea/raptor_infiltrate19/
https://github.com/0xdea/exploits/

8<-----------------------------------------------------------

2 years ago: NLS: fix quote issue with various OS's in C/types/_common.dt.tmsg
Jon Trulson [Sun, 24 Feb 2019 19:58:31 +0000 (12:58 -0700)]
NLS: fix quote issue with various OS's in C/types/_common.dt.tmsg

2 years ago: Merge branch 'master' of ssh://git.code.sf.net/p/cdesktopenv/code
Jon Trulson [Sun, 24 Feb 2019 19:56:10 +0000 (12:56 -0700)]
Merge branch 'master' of ssh://git.code.sf.net/p/cdesktopenv/code

2 years ago: dtdocbook/instant: Add the proper paths for TCL on NetBSD
Jon Trulson [Sun, 24 Feb 2019 19:54:42 +0000 (12:54 -0700)]
dtdocbook/instant: Add the proper paths for TCL on NetBSD

Patch submitted by Danilo Pecher <danilo.pecher@data-experts.biz>

2 years ago: Explicitly initialise two more static pointers
Adam Sampson [Sat, 26 Jan 2019 00:07:36 +0000 (00:07 +0000)]
Explicitly initialise two more static pointers

"dtcm: Coverity 88006" fixed this for buf, but not for string in the
same function (and we may as well initialise string_head for consistency
too).

2 years ago: Don't dereference an uninitialised pointer
Adam Sampson [Sat, 26 Jan 2019 00:05:23 +0000 (00:05 +0000)]
Don't dereference an uninitialised pointer

This was an incorrect fix in "dtcm: Coverity 88382".

2 years ago: Avoid a NULL pointer dereference
Adam Sampson [Sat, 26 Jan 2019 00:03:34 +0000 (00:03 +0000)]
Avoid a NULL pointer dereference

"dtcm: Coverity 89051" fixed an instance of this on the previous line,
but not this one.

2 years ago: Merge branch 'master' into utf8-conversion
Jon Trulson [Tue, 15 Jan 2019 19:02:49 +0000 (12:02 -0700)]
Merge branch 'master' into utf8-conversion

2 years ago: Use iconv on linux
Chase [Sat, 12 Jan 2019 22:54:57 +0000 (16:54 -0600)]
Use iconv on linux

2 years ago: define M4Cmd
Alex Ivanov [Tue, 8 Jan 2019 19:13:32 +0000 (22:13 +0300)]
define M4Cmd

2 years ago: Fixed segfault for mode switching when compiled with clang
tu83 [Sun, 6 Jan 2019 17:55:19 +0000 (18:55 +0100)]
Fixed segfault for mode switching when compiled with clang

dtcalc compiled with clang segfaulted when switched
to a different mode like Deg to Rad or Financial to
Scientific. Was reproducible at least under FreeBSD/AMD64.
Fixed now.

2 years ago: Merge branch 'master' into utf8-conversion
Jon Trulson [Thu, 8 Nov 2018 21:51:46 +0000 (14:51 -0700)]
Merge branch 'master' into utf8-conversion

2 years ago: dtcalc/calctool.h: Use include stdlib rather than extern declarations
Jon Trulson [Thu, 8 Nov 2018 21:19:25 +0000 (14:19 -0700)]
dtcalc/calctool.h: Use include stdlib rather than extern declarations

2 years ago: Merge branch 'master' into utf8-conversion-2
Jon Trulson [Wed, 7 Nov 2018 18:24:00 +0000 (11:24 -0700)]
Merge branch 'master' into utf8-conversion-2

2 years ago: libDtHelp: Fix another regression caused by Coverity fix, clicking 'Help Manager...
Peter Howkins [Wed, 7 Nov 2018 17:04:59 +0000 (17:04 +0000)]
libDtHelp: Fix another regression caused by Coverity fix, clicking 'Help Manager' works again.

2 years ago: libDtHelp: Fix a regression with the Help Index pages caused by an overzealous Coveri...
Peter Howkins [Wed, 7 Nov 2018 01:05:56 +0000 (01:05 +0000)]
libDtHelp: Fix a regression with the Help Index pages caused by an overzealous Coverity fix

2 years ago: Merge branch 'master' into utf8-conversion-2
Jon Trulson [Mon, 5 Nov 2018 22:52:14 +0000 (15:52 -0700)]
Merge branch 'master' into utf8-conversion-2

2 years ago: linux: DtHelp/StringFuncs, enable real iconv() support
Jon Trulson [Mon, 5 Nov 2018 22:33:16 +0000 (15:33 -0700)]
linux: DtHelp/StringFuncs, enable real iconv() support

For some reason, the #include of iconv.h was removed, and dummy stubs
were put in place on linux systems (only).  This caused iconv() calls
to be completely ignored.

Now we use iconv() just like every other OS we support.

2 years ago: utf8 conversion: mostly working, help has issues
Jon Trulson [Mon, 5 Nov 2018 03:18:54 +0000 (20:18 -0700)]
utf8 conversion: mostly working, help has issues

Localization seems to work.  The main help viewer dies though.  Other
parts of help seem to work.  Index causes a crash too.

Crash:
*** Error in `/usr/dt/bin/dthelpview': malloc(): memory corruption (fast): 0x00000000021fefb0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f61814917e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x82651)[0x7f618149c651]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7f618149e184]
/usr/lib/x86_64-linux-gnu/libxcb.so.1(+0xc2ab)[0x7f617f71d2ab]
/usr/lib/x86_64-linux-gnu/libxcb.so.1(+0x9ed1)[0x7f617f71aed1]
/usr/lib/x86_64-linux-gnu/libxcb.so.1(+0xa31d)[0x7f617f71b31d]
/usr/lib/x86_64-linux-gnu/libxcb.so.1(xcb_writev+0x45)[0x7f617f71b3a5]
/usr/lib/x86_64-linux-gnu/libX11.so.6(_XSend+0x19e)[0x7f6181b2a54e]
/usr/lib/x86_64-linux-gnu/libX11.so.6(_XReply+0x82)[0x7f6181b2aa42]
/usr/lib/x86_64-linux-gnu/libX11.so.6(XSync+0x4d)[0x7f6181b2652d]
/usr/lib/x86_64-linux-gnu/libXm.so.4(XmUpdateDisplay+0x49)[0x7f61821c1d89]
/usr/dt/lib/libDtHelp.so.2(+0x2cf1d)[0x7f6182ae8f1d]
/usr/dt/lib/libDtHelp.so.2(+0x2d66d)[0x7f6182ae966d]
/usr/dt/lib/libDtHelp.so.2(_DtHelpGlobSrchDisplayDialog+0x2205)[0x7f6182aebca5]
/usr/dt/lib/libDtHelp.so.2(_DtHelpDisplayIndexCB+0x26)[0x7f6182af07e6]
/usr/lib/x86_64-linux-gnu/libXm.so.4(+0xde9d5)[0x7f618216e9d5]
/usr/lib/x86_64-linux-gnu/libXm.so.4(+0xdf0c5)[0x7f618216f0c5]
/usr/lib/x86_64-linux-gnu/libXm.so.4(_XmDispatchGadgetInput+0x113)[0x7f6182140683]
/usr/lib/x86_64-linux-gnu/libXm.so.4(_XmGadgetActivate+0x22)[0x7f61821ef0b2]
/usr/lib/x86_64-linux-gnu/libXt.so.6(+0x48965)[0x7f6181e6f965]
/usr/lib/x86_64-linux-gnu/libXt.so.6(_XtTranslateEvent+0x31a)[0x7f6181e7090a]
/usr/lib/x86_64-linux-gnu/libXt.so.6(XtDispatchEventToWidget+0x4cb)[0x7f6181e4921b]
/usr/lib/x86_64-linux-gnu/libXt.so.6(+0x228dd)[0x7f6181e498dd]
/usr/lib/x86_64-linux-gnu/libXt.so.6(XtDispatchEvent+0xc9)[0x7f6181e499b9]
/usr/lib/x86_64-linux-gnu/libXt.so.6(XtAppProcessEvent+0x1d7)[0x7f6181e555d7]
/usr/lib/x86_64-linux-gnu/libXt.so.6(XtAppMainLoop+0x2d)[0x7f6181e49d9d]
/usr/dt/bin/dthelpview[0x401b77]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f618143a830]
/usr/dt/bin/dthelpview[0x401c89]

2 years ago: Fix .gitignore for ISO8859-1 docs
Jon Trulson [Mon, 5 Nov 2018 02:31:22 +0000 (19:31 -0700)]
Fix .gitignore for ISO8859-1 docs

2 years ago: utf8 conversion: fix up separation of locale and doc building
Jon Trulson [Mon, 5 Nov 2018 02:25:57 +0000 (19:25 -0700)]
utf8 conversion: fix up separation of locale and doc building

Docs (help and the dtinfo guides) are now always built using the
ISO8859-1 locale.  To support UTF-8, our docbook needs to be updated
to something from this century, ideally this decade.  In addition, a
conversion to XML would also be required as a result.  So, until that
happens, use ISO8859-1 for docs.

However, other locale information, like message catalogs, resource
files, and the like are now converted to UTF-8.

All supported languages are now built by default on linux again.

2 years ago: UTF-8 conversion: fixup database Imakefiles, config and gitignore
Jon Trulson [Mon, 24 Sep 2018 19:43:13 +0000 (13:43 -0600)]
UTF-8 conversion: fixup database Imakefiles, config and gitignore

2 years ago: UTF-8 conversion: programs/localized/sv_SE
Jon Trulson [Mon, 24 Sep 2018 01:18:02 +0000 (19:18 -0600)]
UTF-8 conversion: programs/localized/sv_SE

2 years ago: UTF-8 conversion: programs/localized/it_IT
Jon Trulson [Mon, 24 Sep 2018 01:08:47 +0000 (19:08 -0600)]
UTF-8 conversion: programs/localized/it_IT