diff options
author | Max Rees <maxcrees@me.com> | 2019-10-16 16:21:21 -0500 |
---|---|---|
committer | Max Rees <maxcrees@me.com> | 2019-10-16 16:21:41 -0500 |
commit | 2c0bf1b6c7c02036484a225cb2c4ea0d85205ad5 (patch) | |
tree | 1c514936ad94289c4cb855542007ae792c5bb882 | |
parent | df9cac7a84d0c945f54c5b537adcc490a8291b75 (diff) | |
download | packages-2c0bf1b6c7c02036484a225cb2c4ea0d85205ad5.tar.gz packages-2c0bf1b6c7c02036484a225cb2c4ea0d85205ad5.tar.bz2 packages-2c0bf1b6c7c02036484a225cb2c4ea0d85205ad5.tar.xz packages-2c0bf1b6c7c02036484a225cb2c4ea0d85205ad5.zip |
user/kauth: patch CVE-2019-7443 (#213)
-rw-r--r-- | user/kauth/APKBUILD | 15 | ||||
-rw-r--r-- | user/kauth/CVE-2019-7443.patch | 68 |
2 files changed, 77 insertions, 6 deletions
diff --git a/user/kauth/APKBUILD b/user/kauth/APKBUILD index 543f87712..351d00f50 100644 --- a/user/kauth/APKBUILD +++ b/user/kauth/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=kauth pkgver=5.54.0 -pkgrel=0 +pkgrel=1 pkgdesc="Framework for allowing software to gain temporary privileges" url="https://www.kde.org/" arch="all" @@ -11,10 +11,14 @@ depends="" depends_dev="polkit-qt-1-dev qt5-qtbase-dev kcoreaddons-dev" makedepends="$depends_dev cmake extra-cmake-modules qt5-qttools-dev doxygen" subpackages="$pkgname-dev $pkgname-doc $pkgname-lang" -source="https://download.kde.org/stable/frameworks/${pkgver%.*}/kauth-$pkgver.tar.xz" +source="https://download.kde.org/stable/frameworks/${pkgver%.*}/kauth-$pkgver.tar.xz + CVE-2019-7443.patch" + +# secfixes: +# 5.54.0-r1: +# - CVE-2019-7443 build() { - cd "$builddir" if [ "$CBUILD" != "$CHOST" ]; then CMAKE_CROSSOPTS="-DCMAKE_SYSTEM_NAME=Linux -DCMAKE_HOST_SYSTEM_NAME=Linux" fi @@ -31,13 +35,12 @@ build() { } check() { - cd "$builddir" CTEST_OUTPUT_ON_FAILURE=TRUE ctest -E KAuthHelperTest } package() { - cd "$builddir" make DESTDIR="$pkgdir" install } -sha512sums="f75c6f019d708409817a5b64d88033326a7d627cdee00e61280043d5cd8f65731f08d48405f50c7240f18670b25abfeea4b2af5966ebb2ee7e0f56669b5551c2 kauth-5.54.0.tar.xz" +sha512sums="f75c6f019d708409817a5b64d88033326a7d627cdee00e61280043d5cd8f65731f08d48405f50c7240f18670b25abfeea4b2af5966ebb2ee7e0f56669b5551c2 kauth-5.54.0.tar.xz +9cb0e37eedb5cee82c5e6d1b316f92f014c8850c9274a8d0c728f306ceabc35cbbec81b0057ebaf904bd48f3e07d6f83d91b0ef12602a0c1ba66b39a04bb45e4 CVE-2019-7443.patch" diff --git a/user/kauth/CVE-2019-7443.patch b/user/kauth/CVE-2019-7443.patch new file mode 100644 index 000000000..5b11cd8f5 --- /dev/null +++ b/user/kauth/CVE-2019-7443.patch @@ -0,0 +1,68 @@ +From fc70fb0161c1b9144d26389434d34dd135cd3f4a Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Sat, 2 Feb 2019 14:35:25 +0100 +Subject: Remove support for passing gui QVariants to KAuth helpers + +Supporting gui variants is very dangerous since they can end up triggering +image loading plugins which are one of the biggest vectors for crashes, which +for very smart people mean possible code execution, which is very dangerous +in code that is executed as root. + +We've checked all the KAuth helpers inside KDE git and none seems to be using +gui variants, so we're not actually limiting anything that people wanted to do. + +Reviewed by security@kde.org and Aleix Pol + +Issue reported by Fabian Vogt +--- + src/backends/dbus/DBusHelperProxy.cpp | 9 +++++++++ + src/kauthaction.h | 2 ++ + 2 files changed, 11 insertions(+) + +diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp +index 10c14c6..8f0d336 100644 +--- a/src/backends/dbus/DBusHelperProxy.cpp ++++ b/src/backends/dbus/DBusHelperProxy.cpp +@@ -31,6 +31,8 @@ + #include "kf5authadaptor.h" + #include "kauthdebug.h" + ++extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper; ++ + namespace KAuth + { + +@@ -229,10 +231,17 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra + return ActionReply::HelperBusyReply().serialized(); + } + ++ // Make sure we don't try restoring gui variants, in particular QImage/QPixmap/QIcon are super dangerous ++ // since they end up calling the image loaders and thus are a vector for crashing → executing code ++ auto origMetaTypeGuiHelper = qMetaTypeGuiHelper; ++ qMetaTypeGuiHelper = nullptr; ++ + QVariantMap args; + QDataStream s(&arguments, QIODevice::ReadOnly); + s >> args; + ++ qMetaTypeGuiHelper = origMetaTypeGuiHelper; ++ + m_currentAction = action; + emit remoteSignal(ActionStarted, action, QByteArray()); + QEventLoop e; +diff --git a/src/kauthaction.h b/src/kauthaction.h +index c67a70a..01f3ba1 100644 +--- a/src/kauthaction.h ++++ b/src/kauthaction.h +@@ -298,6 +298,8 @@ public: + * This method sets the variant map that the application + * can use to pass arbitrary data to the helper when executing the action. + * ++ * Only non-gui variants are supported. ++ * + * @param arguments The new arguments map + */ + void setArguments(const QVariantMap &arguments); +-- +cgit v1.1 + |