summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Sturmlechner <asturm@gentoo.org>2019-02-16 19:20:06 +0100
committerAndreas Sturmlechner <asturm@gentoo.org>2019-02-16 19:23:03 +0100
commit623b0c1dc6d907b02f350d18fb3d60ecc9c97a63 (patch)
tree991b7c7f76c0046c1052ae4c42c62a33d526942d /kde-frameworks
parentdev-libs/opencryptoki: fix libressl support (diff)
downloadgentoo-623b0c1dc6d907b02f350d18fb3d60ecc9c97a63.tar.gz
gentoo-623b0c1dc6d907b02f350d18fb3d60ecc9c97a63.tar.bz2
gentoo-623b0c1dc6d907b02f350d18fb3d60ecc9c97a63.zip
kde-frameworks/kauth: Fix CVE-2019-7443
kauth: Insecure handling of arguments in helpers KAuth allows to pass parameters with arbitrary types to helpers running as root over DBus. Certain types can cause crashes and trigger decoding arbitrary images with dynamically loaded plugins. Package-Manager: Portage-2.3.60, Repoman-2.3.12 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
Diffstat (limited to 'kde-frameworks')
-rw-r--r--kde-frameworks/kauth/files/kauth-5.54.0-CVE-2019-7443.patch68
-rw-r--r--kde-frameworks/kauth/kauth-5.54.0-r1.ebuild43
2 files changed, 111 insertions, 0 deletions
diff --git a/kde-frameworks/kauth/files/kauth-5.54.0-CVE-2019-7443.patch b/kde-frameworks/kauth/files/kauth-5.54.0-CVE-2019-7443.patch
new file mode 100644
index 00000000000..5b11cd8f5e9
--- /dev/null
+++ b/kde-frameworks/kauth/files/kauth-5.54.0-CVE-2019-7443.patch
@@ -0,0 +1,68 @@
+From fc70fb0161c1b9144d26389434d34dd135cd3f4a Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Sat, 2 Feb 2019 14:35:25 +0100
+Subject: Remove support for passing gui QVariants to KAuth helpers
+
+Supporting gui variants is very dangerous since they can end up triggering
+image loading plugins which are one of the biggest vectors for crashes, which
+for very smart people mean possible code execution, which is very dangerous
+in code that is executed as root.
+
+We've checked all the KAuth helpers inside KDE git and none seems to be using
+gui variants, so we're not actually limiting anything that people wanted to do.
+
+Reviewed by security@kde.org and Aleix Pol
+
+Issue reported by Fabian Vogt
+---
+ src/backends/dbus/DBusHelperProxy.cpp | 9 +++++++++
+ src/kauthaction.h | 2 ++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
+index 10c14c6..8f0d336 100644
+--- a/src/backends/dbus/DBusHelperProxy.cpp
++++ b/src/backends/dbus/DBusHelperProxy.cpp
+@@ -31,6 +31,8 @@
+ #include "kf5authadaptor.h"
+ #include "kauthdebug.h"
+
++extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper;
++
+ namespace KAuth
+ {
+
+@@ -229,10 +231,17 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+ return ActionReply::HelperBusyReply().serialized();
+ }
+
++ // Make sure we don't try restoring gui variants, in particular QImage/QPixmap/QIcon are super dangerous
++ // since they end up calling the image loaders and thus are a vector for crashing → executing code
++ auto origMetaTypeGuiHelper = qMetaTypeGuiHelper;
++ qMetaTypeGuiHelper = nullptr;
++
+ QVariantMap args;
+ QDataStream s(&arguments, QIODevice::ReadOnly);
+ s >> args;
+
++ qMetaTypeGuiHelper = origMetaTypeGuiHelper;
++
+ m_currentAction = action;
+ emit remoteSignal(ActionStarted, action, QByteArray());
+ QEventLoop e;
+diff --git a/src/kauthaction.h b/src/kauthaction.h
+index c67a70a..01f3ba1 100644
+--- a/src/kauthaction.h
++++ b/src/kauthaction.h
+@@ -298,6 +298,8 @@ public:
+ * This method sets the variant map that the application
+ * can use to pass arbitrary data to the helper when executing the action.
+ *
++ * Only non-gui variants are supported.
++ *
+ * @param arguments The new arguments map
+ */
+ void setArguments(const QVariantMap &arguments);
+--
+cgit v1.1
+
diff --git a/kde-frameworks/kauth/kauth-5.54.0-r1.ebuild b/kde-frameworks/kauth/kauth-5.54.0-r1.ebuild
new file mode 100644
index 00000000000..8c8a8020545
--- /dev/null
+++ b/kde-frameworks/kauth/kauth-5.54.0-r1.ebuild
@@ -0,0 +1,43 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+VIRTUALX_REQUIRED="test"
+inherit kde5
+
+DESCRIPTION="Framework to let applications perform actions as a privileged user"
+LICENSE="LGPL-2.1+"
+KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+IUSE="nls +policykit"
+
+RDEPEND="
+ $(add_frameworks_dep kcoreaddons)
+ $(add_qt_dep qtdbus)
+ $(add_qt_dep qtgui)
+ $(add_qt_dep qtwidgets)
+ policykit? ( sys-auth/polkit-qt[qt5(+)] )
+"
+DEPEND="${RDEPEND}
+ nls? ( $(add_qt_dep linguist-tools) )
+"
+PDEPEND="policykit? ( kde-plasma/polkit-kde-agent )"
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2019-7443.patch" )
+
+src_configure() {
+ local mycmakeargs=(
+ $(cmake-utils_use_find_package policykit PolkitQt5-1)
+ )
+
+ kde5_src_configure
+}
+
+src_test() {
+ # KAuthHelperTest test fails, bug 654842
+ local myctestargs=(
+ -E "(KAuthHelperTest)"
+ )
+
+ kde5_src_test
+}