authoradridg <adridg@FreeBSD.org>2018-09-11 18:39:36 +0800
committeradridg <adridg@FreeBSD.org>2018-09-11 18:39:36 +0800
commitf90c84d9bc30b5ad77aaae022e9821282f48fb0b (patch)
treeec5d3c47bc473dc3c58f293f85982247d530bc46
parentfcd1ab0d8aabd3a26e12f2b008f91d772b5bf3d1 (diff)
Backport security fixes for x11/sddm
The 0.18 release of x11/sddm contains a fix for a security issue (session reuse) that probably doesn't affect us. In any case our default configuration is not vulnerable. This doesn't update to 0.18 because there are a bunch of other changes that would need to be chased, further delaying this update. While here, pet portlint and Tijl, who asked for a pkg-message.
PR: 230029
Reported by: doctorwhoguy@gmail.com
Security: f00acdec-b59f-11e8-805d-001e2a3f778d
-rw-r--r--x11/sddm/Makefile14
-rw-r--r--x11/sddm/files/git-patch-147cec38d28
-rw-r--r--x11/sddm/files/git-patch-b02b0055970
-rw-r--r--x11/sddm/pkg-message2
4 files changed, 114 insertions, 0 deletions
diff --git a/x11/sddm/Makefile b/x11/sddm/Makefile
index 4afbef341268..9df805e30fa4 100644
--- a/x11/sddm/Makefile
+++ b/x11/sddm/Makefile
@@ -3,11 +3,21 @@
PORTNAME= sddm
PORTVERSION= 0.17.0
DISTVERSIONPREFIX= v
+PORTREVISION= 1
CATEGORIES= x11
MAINTAINER= kde@FreeBSD.org
COMMENT= QML based login manager
+# The source code is GPLv2+, but the provided themes are:
+# - CC-BY 3.0 (default greeter theme, maldives)
+# - CC-BY 4.0 (maya)
+# - Apache20 (font included with maya)
+LICENSE= GPLv2+ CC-BY-3.0 CC-BY-4.0 APACHE20
+LICENSE_COMB= multi
+LICENSE_FILE_GPLv2+= ${WRKSRC}/LICENSE
+LICENSE_FILE_CC-BY-3.0= ${WRKSRC}/LICENSE.CC-BY-3.0
+
RUN_DEPENDS= dbus-run-session:devel/dbus
USES= cmake:outsource kde:5 qt:5
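Review bot: LICENSE now lists four licenses but LICENSE_FILE is given only for GPLv2+ and CC-BY-3.0, so CC-BY-4.0 and APACHE20 presumably fall back to the framework's template texts rather than the texts shipped with the maya theme that the comment describes. If the distfile contains those license files, adding `LICENSE_FILE_CC-BY-4.0=` and `LICENSE_FILE_APACHE20=` entries pointing at them keeps the license audit tied to what is actually distributed; if it does not, a one-line comment saying so would save the next maintainer the search.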
@@ -29,6 +39,10 @@ GROUPS= sddm
USE_GITHUB= yes
+# There are multiple patches that apply to Display.cpp,
+# fixing CVE-2018-14345 and backported from 0.18.
+EXTRA_PATCHES= ${PATCHDIR}/git-patch-147cec38d ${PATCHDIR}/git-patch-b02b00559
+
post-patch:
@${REINPLACE_CMD} -e 's#/etc/X11#${LOCALBASE}/etc/X11#' \
-e 's#/usr/bin/#${LOCALBASE}/bin/#g' \
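Review bot: The two EXTRA_PATCHES are order-dependent but the comment does not say so: git-patch-b02b00559 removes the `[=](const QString &, bool success)` lambda that git-patch-147cec38d introduces in Display.cpp, so it only applies cleanly after the first one, and EXTRA_PATCHES is applied in the listed order. Suggest extending the comment with `# Order matters: git-patch-b02b00559 rewrites code introduced by git-patch-147cec38d.` Naming the upstream commit ids (147cec38d, b02b00559) in the comment as well keeps the provenance traceable if the files are ever renamed, since the file names are currently the only record of them.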
diff --git a/x11/sddm/files/git-patch-147cec38d b/x11/sddm/files/git-patch-147cec38d
new file mode 100644
index 000000000000..91c44e245192
--- /dev/null
+++ b/x11/sddm/files/git-patch-147cec38d
@@ -0,0 +1,28 @@
+diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp
+index 5abfc9a..57d7ecb 100644
+--- src/daemon/Display.cpp
++++ src/daemon/Display.cpp
+@@ -339,7 +339,9 @@ namespace SDDM {
+ } else {
+ //we only want to unlock the session if we can lock in, so we want to go via PAM auth, but not start a new session
+ //by not setting the session and the helper will emit authentication and then quit
+- connect(m_auth, &Auth::authentication, this, [=](){
++ connect(m_auth, &Auth::authentication, this, [=](const QString &, bool success){
++ if(!success)
++ return;
+ qDebug() << "activating existing seat";
+ OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
+ manager.UnlockSession(existingSessionId);
+diff --git a/src/helper/backend/PamBackend.cpp b/src/helper/backend/PamBackend.cpp
+index 69cbd2c..5467282 100644
+--- src/helper/backend/PamBackend.cpp
++++ src/helper/backend/PamBackend.cpp
+@@ -219,8 +219,6 @@ namespace SDDM {
+
+ if (user == QStringLiteral("sddm") && m_greeter)
+ service = QStringLiteral("sddm-greeter");
+- else if (m_app->session()->path().isEmpty())
+- service = QStringLiteral("sddm-check");
+ else if (m_autologin)
+ service = QStringLiteral("sddm-autologin");
+ result = m_pam->start(service, user);
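Review bot: The patch file has no header above the embedded `diff --git` line, so the reason for the backport (CVE-2018-14345 and the upstream commit that the file name abbreviates) lives only in the Makefile comment; ports convention is a short explanatory header in the patch itself, which `patch` ignores, and the same applies to git-patch-b02b00559. The Display.cpp change is the substantive fix: the old lambda unlocked and activated the existing logind session on every `Auth::authentication` emission, including an unsuccessful one, and the added `if(!success) return;` is what closes that. The PamBackend change drops the separate `sddm-check` PAM service branch; the default value of `service` is set above this hunk and not visible, so I cannot confirm which PAM stack the session-reuse path now authenticates against, and it is worth checking that no `sddm-check` pam.d file remains installed by the port. Both enclosing functions start outside the hunk.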
diff --git a/x11/sddm/files/git-patch-b02b00559 b/x11/sddm/files/git-patch-b02b00559
new file mode 100644
index 000000000000..d934c4f03996
--- /dev/null
+++ b/x11/sddm/files/git-patch-b02b00559
@@ -0,0 +1,70 @@
+diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp
+index 57d7ecb..c2ea728 100644
+--- src/daemon/Display.cpp
++++ src/daemon/Display.cpp
+@@ -280,7 +280,7 @@ namespace SDDM {
+ return;
+ }
+
+- QString existingSessionId;
++ m_reuseSessionId = QString();
+
+ if (Logind::isAvailable() && mainConfig.Users.ReuseSession.get()) {
+ OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
+@@ -291,7 +291,7 @@ namespace SDDM {
+ if (s.userName == user) {
+ OrgFreedesktopLogin1SessionInterface session(Logind::serviceName(), s.sessionPath.path(), QDBusConnection::systemBus());
+ if (session.service() == QLatin1String("sddm")) {
+- existingSessionId = s.sessionId;
++ m_reuseSessionId = s.sessionId;
+ break;
+ }
+ }
+@@ -334,19 +334,8 @@ namespace SDDM {
+ m_auth->insertEnvironment(env);
+
+ m_auth->setUser(user);
+- if (existingSessionId.isNull()) {
++ if (m_reuseSessionId.isNull()) {
+ m_auth->setSession(session.exec());
+- } else {
+- //we only want to unlock the session if we can lock in, so we want to go via PAM auth, but not start a new session
+- //by not setting the session and the helper will emit authentication and then quit
+- connect(m_auth, &Auth::authentication, this, [=](const QString &, bool success){
+- if(!success)
+- return;
+- qDebug() << "activating existing seat";
+- OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
+- manager.UnlockSession(existingSessionId);
+- manager.ActivateSession(existingSessionId);
+- });
+ }
+ m_auth->start();
+ }
+@@ -355,7 +344,13 @@ namespace SDDM {
+ if (success) {
+ qDebug() << "Authenticated successfully";
+
+- m_auth->setCookie(qobject_cast<XorgDisplayServer *>(m_displayServer)->cookie());
++ if (!m_reuseSessionId.isNull()) {
++ OrgFreedesktopLogin1ManagerInterface manager(Logind::serviceName(), Logind::managerPath(), QDBusConnection::systemBus());
++ manager.UnlockSession(m_reuseSessionId);
++ manager.ActivateSession(m_reuseSessionId);
++ } else {
++ m_auth->setCookie(qobject_cast<XorgDisplayServer *>(m_displayServer)->cookie());
++ }
+
+ // save last user and last session
+ if (mainConfig.Users.RememberLastUser.get())
+diff --git a/src/daemon/Display.h b/src/daemon/Display.h
+index 09d3cf9..a6a06b2 100644
+--- src/daemon/Display.h
++++ src/daemon/Display.h
+@@ -85,6 +85,7 @@ namespace SDDM {
+
+ QString m_passPhrase;
+ QString m_sessionName;
++ QString m_reuseSessionId;
+
+ Auth *m_auth { nullptr };
+ DisplayServer *m_displayServer { nullptr };
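Review bot: The explanatory comment removed at the old connect site (`we only want to unlock the session if we can lock in, so we want to go via PAM auth, but not start a new session`) is not carried to the new location, so a reader of `if (!m_reuseSessionId.isNull())` in the success branch no longer sees why `setSession()` was skipped earlier and why the unlock must wait for `success`; as this is a verbatim upstream backport, the comment is best restored upstream or noted in a patch-file header rather than by editing the hunk. The reset `m_reuseSessionId = QString();` at the top of the login path together with the check inside `if (success)` are the pieces that make the fix hold: a failed authentication never reaches UnlockSession/ActivateSession, and a stale id from a previous attempt cannot carry into the next one. The unchecked `qobject_cast<XorgDisplayServer *>(m_displayServer)->cookie()` is pre-existing code only moved into the else branch, so it is not re-raised here. The function around the `if (success)` hunk starts outside the hunk.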
diff --git a/x11/sddm/pkg-message b/x11/sddm/pkg-message
new file mode 100644
index 000000000000..902e8dc954a7
--- /dev/null
+++ b/x11/sddm/pkg-message
@@ -0,0 +1,2 @@
+SDDM does not support login.conf(5), and no special restrictions
+or settings from login.conf are enforced or applied.