authorMax Rees <maxcrees@me.com>2019-10-16 16:21:21 -0500
committerMax Rees <maxcrees@me.com>2019-10-16 16:21:41 -0500
commit2c0bf1b6c7c02036484a225cb2c4ea0d85205ad5 (patch)
tree1c514936ad94289c4cb855542007ae792c5bb882
parentdf9cac7a84d0c945f54c5b537adcc490a8291b75 (diff)
user/kauth: patch CVE-2019-7443 (#213)
-rw-r--r--user/kauth/APKBUILD15
-rw-r--r--user/kauth/CVE-2019-7443.patch68
2 files changed, 77 insertions, 6 deletions
diff --git a/user/kauth/APKBUILD b/user/kauth/APKBUILD
index 543f87712..351d00f50 100644
--- a/user/kauth/APKBUILD
+++ b/user/kauth/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=kauth
pkgver=5.54.0
-pkgrel=0
+pkgrel=1
pkgdesc="Framework for allowing software to gain temporary privileges"
url="https://www.kde.org/"
arch="all"
@@ -11,10 +11,14 @@ depends=""
depends_dev="polkit-qt-1-dev qt5-qtbase-dev kcoreaddons-dev"
makedepends="$depends_dev cmake extra-cmake-modules qt5-qttools-dev doxygen"
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
-source="https://download.kde.org/stable/frameworks/${pkgver%.*}/kauth-$pkgver.tar.xz"
+source="https://download.kde.org/stable/frameworks/${pkgver%.*}/kauth-$pkgver.tar.xz
+ CVE-2019-7443.patch"
+
+# secfixes:
+# 5.54.0-r1:
+# - CVE-2019-7443
build() {
- cd "$builddir"
if [ "$CBUILD" != "$CHOST" ]; then
CMAKE_CROSSOPTS="-DCMAKE_SYSTEM_NAME=Linux -DCMAKE_HOST_SYSTEM_NAME=Linux"
fi
@@ -31,13 +35,12 @@ build() {
}
check() {
- cd "$builddir"
CTEST_OUTPUT_ON_FAILURE=TRUE ctest -E KAuthHelperTest
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
}
-sha512sums="f75c6f019d708409817a5b64d88033326a7d627cdee00e61280043d5cd8f65731f08d48405f50c7240f18670b25abfeea4b2af5966ebb2ee7e0f56669b5551c2 kauth-5.54.0.tar.xz"
+sha512sums="f75c6f019d708409817a5b64d88033326a7d627cdee00e61280043d5cd8f65731f08d48405f50c7240f18670b25abfeea4b2af5966ebb2ee7e0f56669b5551c2 kauth-5.54.0.tar.xz
+9cb0e37eedb5cee82c5e6d1b316f92f014c8850c9274a8d0c728f306ceabc35cbbec81b0057ebaf904bd48f3e07d6f83d91b0ef12602a0c1ba66b39a04bb45e4 CVE-2019-7443.patch"
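Review bot: `check()` still runs `ctest -E KAuthHelperTest`, so the test that, going by its name, covers the helper side is presumably skipped when this security fix is built. That is the code path CVE-2019-7443.patch changes, which leaves the backport without a regression check at package build time. If the exclusion has a known cause, record it above the `ctest` line, e.g. `# KAuthHelperTest excluded: <reason>`; otherwise consider re-enabling it for this release.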
diff --git a/user/kauth/CVE-2019-7443.patch b/user/kauth/CVE-2019-7443.patch
new file mode 100644
index 000000000..5b11cd8f5
--- /dev/null
+++ b/user/kauth/CVE-2019-7443.patch
@@ -0,0 +1,68 @@
+From fc70fb0161c1b9144d26389434d34dd135cd3f4a Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Sat, 2 Feb 2019 14:35:25 +0100
+Subject: Remove support for passing gui QVariants to KAuth helpers
+
+Supporting gui variants is very dangerous since they can end up triggering
+image loading plugins which are one of the biggest vectors for crashes, which
+for very smart people mean possible code execution, which is very dangerous
+in code that is executed as root.
+
+We've checked all the KAuth helpers inside KDE git and none seems to be using
+gui variants, so we're not actually limiting anything that people wanted to do.
+
+Reviewed by security@kde.org and Aleix Pol
+
+Issue reported by Fabian Vogt
+---
+ src/backends/dbus/DBusHelperProxy.cpp | 9 +++++++++
+ src/kauthaction.h | 2 ++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
+index 10c14c6..8f0d336 100644
+--- a/src/backends/dbus/DBusHelperProxy.cpp
++++ b/src/backends/dbus/DBusHelperProxy.cpp
+@@ -31,6 +31,8 @@
+ #include "kf5authadaptor.h"
+ #include "kauthdebug.h"
+
++extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper;
++
+ namespace KAuth
+ {
+
+@@ -229,10 +231,17 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+ return ActionReply::HelperBusyReply().serialized();
+ }
+
++ // Make sure we don't try restoring gui variants, in particular QImage/QPixmap/QIcon are super dangerous
++ // since they end up calling the image loaders and thus are a vector for crashing → executing code
++ auto origMetaTypeGuiHelper = qMetaTypeGuiHelper;
++ qMetaTypeGuiHelper = nullptr;
++
+ QVariantMap args;
+ QDataStream s(&arguments, QIODevice::ReadOnly);
+ s >> args;
+
++ qMetaTypeGuiHelper = origMetaTypeGuiHelper;
++
+ m_currentAction = action;
+ emit remoteSignal(ActionStarted, action, QByteArray());
+ QEventLoop e;
+diff --git a/src/kauthaction.h b/src/kauthaction.h
+index c67a70a..01f3ba1 100644
+--- a/src/kauthaction.h
++++ b/src/kauthaction.h
+@@ -298,6 +298,8 @@ public:
+ * This method sets the variant map that the application
+ * can use to pass arbitrary data to the helper when executing the action.
+ *
++ * Only non-gui variants are supported.
++ *
+ * @param arguments The new arguments map
+ */
+ void setArguments(const QVariantMap &arguments);
+--
+cgit v1.1
+
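Review bot: In the DBusHelperProxy.cpp hunk of the added patch, `s >> args;` is followed by no check of the stream state, so a payload that carries a now-rejected gui variant, or is otherwise malformed, appears to continue into the action with a partially filled `args` map. A guard such as `if (s.status() != QDataStream::Ok)` that returns an error reply, placed after `qMetaTypeGuiHelper` is restored, would make the rejection explicit in a helper that runs as root. The process-wide `qMetaTypeGuiHelper` is also saved, nulled and restored by hand; a small scope guard would keep the restore in place if an early return is ever added between the two assignments. `performAction` continues outside the hunk, so a later check may exist that is not visible here.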