Date: Wed, 10 May 2017 12:03:58 +0000 (UTC) From: "Tobias C. Berner" <tcberner@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r440556 - in head: devel/kf5-kauth devel/kf5-kauth/files x11/kdelibs4 x11/kdelibs4/files Message-ID: <201705101203.v4AC3w6Q022889@repo.freebsd.org>
Author: tcberner Date: Wed May 10 12:03:58 2017 New Revision: 440556 URL: https://svnweb.freebsd.org/changeset/ports/440556 Log: Add upstream fixes for CVE-2017-8422 to x11/kdelibs4 and devel/kf5-kauth KAuth contains a logic flaw in which the service invoking dbus is not properly checked. This allows spoofing the identity of the caller and with some carefully crafted calls can lead to gaining root from an unprivileged account. https://www.kde.org/info/security/advisory-20170510-1.txt Reviewed by: rakuco Approved by: rakuco (mentor) Obtained from: https://www.kde.org/info/security/advisory-20170510-1.txt MFH: 2017Q2 Security: CVE-2017-8422 Differential Revision: https://reviews.freebsd.org/D10660 Added: head/devel/kf5-kauth/files/ head/devel/kf5-kauth/files/patch-git_df875f7_CVE-2017-8422 (contents, props changed) head/x11/kdelibs4/files/patch-git_264e976_CVE-2017-8422 (contents, props changed) Modified: head/devel/kf5-kauth/Makefile head/x11/kdelibs4/Makefile Modified: head/devel/kf5-kauth/Makefile ============================================================================== --- head/devel/kf5-kauth/Makefile Wed May 10 12:02:02 2017 (r440555) +++ head/devel/kf5-kauth/Makefile Wed May 10 12:03:58 2017 (r440556) @@ -3,6 +3,7 @@ PORTNAME= kauth PORTVERSION= ${KDE_FRAMEWORKS_VERSION} +PORTREVISION= 1 CATEGORIES= devel kde kde-frameworks MAINTAINER= kde@FreeBSD.org Added: head/devel/kf5-kauth/files/patch-git_df875f7_CVE-2017-8422 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/devel/kf5-kauth/files/patch-git_df875f7_CVE-2017-8422 Wed May 10 12:03:58 2017 (r440556) 
@@ -0,0 +1,198 @@
+From df875f725293af53399f5146362eb158b4f9216a Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 10 May 2017 10:03:45 +0200
+Subject: Verify that whoever is calling us is actually who he says he is
+
+CVE-2017-8422
+---
+ src/AuthBackend.cpp | 5 +++++
+ src/AuthBackend.h | 7 +++++++
+ src/backends/dbus/DBusHelperProxy.cpp | 27 +++++++++++++++++++++++++--
+ src/backends/dbus/DBusHelperProxy.h | 6 +++++-
+ src/backends/policykit/PolicyKitBackend.cpp | 5 +++++
+ src/backends/policykit/PolicyKitBackend.h | 1 +
+ src/backends/polkit-1/Polkit1Backend.cpp | 5 +++++
+ src/backends/polkit-1/Polkit1Backend.h | 1 +
+ 8 files changed, 54 insertions(+), 3 deletions(-)
+
+diff --git a/src/AuthBackend.cpp b/src/AuthBackend.cpp
+index a41d4f1..a847494 100644
+--- src/AuthBackend.cpp
++++ src/AuthBackend.cpp
+@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities)
+ d->capabilities = capabilities;
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const
++{
++ return NoExtraCallerIDVerificationMethod;
++}
++
+ bool AuthBackend::actionExists(const QString &action)
+ {
+ Q_UNUSED(action);
+diff --git a/src/AuthBackend.h b/src/AuthBackend.h
+index c67a706..09195ef 100644
+--- src/AuthBackend.h
++++ src/AuthBackend.h
+@@ -43,6 +43,12 @@ public:
+ };
+ Q_DECLARE_FLAGS(Capabilities, Capability)
+
++ enum ExtraCallerIDVerificationMethod {
++ NoExtraCallerIDVerificationMethod,
++ VerifyAgainstDBusServiceName,
++ VerifyAgainstDBusServicePid,
++ };
++
+ AuthBackend();
+ virtual ~AuthBackend();
+ virtual void setupAction(const QString &action) = 0;
+@@ -50,6 +56,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString &action) = 0;
+ virtual Action::AuthStatus actionStatus(const QString &action) = 0;
+ virtual QByteArray callerID() const = 0;
++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+ virtual bool
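Review bot: A backend that does not override `extraCallerIDVerificationMethod()` silently gets no cross-check of the caller ID, because the base-class default added in src/AuthBackend.cpp returns `NoExtraCallerIDVerificationMethod`. Only the two polkit backends are touched by this patch; whether other backends exist is not visible here. The declaration in src/AuthBackend.h should carry a comment that states the consequence, for example `// Default performs no cross-check of callerID; a backend whose callerID is a D-Bus name or pid must override this.` The kdelibs4 copy of the patch (kdecore/auth/AuthBackend.cpp) has the same default.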
isCallerAuthorized(const QString &action, QByteArray callerID) = 0;
+ virtual bool actionExists(const QString &action);
+
+diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
+index 9c5cb96..3c1c108 100644
+--- src/backends/dbus/DBusHelperProxy.cpp
++++ src/backends/dbus/DBusHelperProxy.cpp
+@@ -235,6 +235,29 @@ bool DBusHelperProxy::hasToStopAction()
+ return m_stopRequest;
+ }
+
++bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID)
++{
++ // Check the caller is really who it says it is
++ switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) {
++ case AuthBackend::NoExtraCallerIDVerificationMethod:
++ break;
++
++ case AuthBackend::VerifyAgainstDBusServiceName:
++ if (message().service().toUtf8() != callerID) {
++ return false;
++ }
++ break;
++
++ case AuthBackend::VerifyAgainstDBusServicePid:
++ if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) {
++ return false;
++ }
++ break;
++ }
++
++ return BackendsManager::authBackend()->isCallerAuthorized(action, callerID);
++}
++
+ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments)
+ {
+ if (!responder) {
+@@ -259,7 +282,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+ QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
+ timer->stop();
+
+- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++ if (isCallerAuthorized(action, callerID)) {
+ QString slotname = action;
+ if (slotname.startsWith(m_name + QLatin1Char('.'))) {
+ slotname = slotname.right(slotname.length() - m_name.length() - 1);
+@@ -301,7 +324,7 @@ uint DBusHelperProxy::authorizeAction(const QString &action, const QByteArray &c
+ QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
+ timer->stop();
+
+- if
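Review bot: The `VerifyAgainstDBusServicePid` branch of `DBusHelperProxy::isCallerAuthorized` does not fail closed, because it compares `servicePid(...).value()` with `callerID.toUInt()` without checking that either side is valid. The value of a `QDBusReply` is not meaningful for an error reply (in practice a default-constructed 0), and `toUInt()` returns 0 when the bytes are not a decimal number, so a failed lookup and an unparsable ID can compare equal. The branch should test the reply's `isValid()` and the `ok` result of `toUInt()` before comparing, as in the excerpt below. Separately, the context lines of `PolicyKitBackend::isCallerAuthorized` read `callerID` through a `QDataStream`, which suggests the ID may not be decimal text at all, so the encoding should be confirmed against `PolicyKitBackend::callerID()`. The kdelibs4 copy of this function (kdecore/auth/backends/dbus/DBusHelperProxy.cpp) has the same branch.

```cpp
    // … unchanged: NoExtraCallerIDVerificationMethod and VerifyAgainstDBusServiceName cases …

    case AuthBackend::VerifyAgainstDBusServicePid: {
        // Fail closed: a failed lookup or an unparsable ID must never compare equal.
        bool ok = false;
        const uint claimedPid = callerID.toUInt(&ok);
        const QDBusReply<uint> actualPid = connection().interface()->servicePid(message().service());
        if (!ok || !actualPid.isValid() || actualPid.value() != claimedPid) {
            return false;
        }
        break;
    }

    // … unchanged: delegation to BackendsManager::authBackend()->isCallerAuthorized() …
```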
(BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++ if (isCallerAuthorized(action, callerID)) {
+ retVal = static_cast<uint>(Action::AuthorizedStatus);
+ } else {
+ retVal = static_cast<uint>(Action::DeniedStatus);
+diff --git a/src/backends/dbus/DBusHelperProxy.h b/src/backends/dbus/DBusHelperProxy.h
+index 52b0ac4..82cec5a 100644
+--- src/backends/dbus/DBusHelperProxy.h
++++ src/backends/dbus/DBusHelperProxy.h
+@@ -25,12 +25,13 @@
+ #include "kauthactionreply.h"
+
+ #include <QDBusConnection>
++#include <QDBusContext>
+ #include <QVariant>
+
+ namespace KAuth
+ {
+
+-class DBusHelperProxy : public HelperProxy
++class DBusHelperProxy : public HelperProxy, protected QDBusContext
+ {
+ Q_OBJECT
+ Q_PLUGIN_METADATA(IID "org.kde.DBusHelperProxy")
+@@ -79,6 +80,9 @@ Q_SIGNALS:
+
+ private Q_SLOTS:
+ void remoteSignalReceived(int type, const QString &action, QByteArray blob);
++
++private:
++ bool isCallerAuthorized(const QString &action, const QByteArray &callerID);
+ };
+
+ } // namespace Auth
+diff --git a/src/backends/policykit/PolicyKitBackend.cpp b/src/backends/policykit/PolicyKitBackend.cpp
+index c2b4d42..bf038a8 100644
+--- src/backends/policykit/PolicyKitBackend.cpp
++++ src/backends/policykit/PolicyKitBackend.cpp
+@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const
+ return a;
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++ return VerifyAgainstDBusServicePid;
++}
++
+ bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+ QDataStream s(&callerID, QIODevice::ReadOnly);
+diff --git a/src/backends/policykit/PolicyKitBackend.h b/src/backends/policykit/PolicyKitBackend.h
+index eb17a3a..38b0240 100644
+--- src/backends/policykit/PolicyKitBackend.h
++++ src/backends/policykit/PolicyKitBackend.h
+@@ -40,6 +40,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString &);
+ virtual Action::AuthStatus
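Review bot: The definition added to src/backends/policykit/PolicyKitBackend.cpp is qualified with the wrong class. It reads `Polkit1Backend::extraCallerIDVerificationMethod()`, while the functions around it are `PolicyKitBackend::callerID()` and `PolicyKitBackend::isCallerAuthorized()`, and the matching declaration is added to PolicyKitBackend.h (presumably inside class `PolicyKitBackend`; the class line is outside the hunk). As written, the PolicyKit backend has no definition for its declared override, so it would presumably fail to build when that backend is selected, and the pid verification is not wired to it. The line should read `AuthBackend::ExtraCallerIDVerificationMethod PolicyKitBackend::extraCallerIDVerificationMethod() const`. The kdelibs4 patch repeats the same name in kdecore/auth/backends/policykit/PolicyKitBackend.cpp.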
actionStatus(const QString &);
+ virtual QByteArray callerID() const;
++ ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+
+ private Q_SLOTS:
+diff --git a/src/backends/polkit-1/Polkit1Backend.cpp b/src/backends/polkit-1/Polkit1Backend.cpp
+index 78ee5bb..774588c 100644
+--- src/backends/polkit-1/Polkit1Backend.cpp
++++ src/backends/polkit-1/Polkit1Backend.cpp
+@@ -162,6 +162,11 @@ QByteArray Polkit1Backend::callerID() const
+ return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++ return VerifyAgainstDBusServiceName;
++}
++
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+diff --git a/src/backends/polkit-1/Polkit1Backend.h b/src/backends/polkit-1/Polkit1Backend.h
+index d7d1e3a..2357892 100644
+--- src/backends/polkit-1/Polkit1Backend.h
++++ src/backends/polkit-1/Polkit1Backend.h
+@@ -49,6 +49,7 @@ public:
+ Action::AuthStatus authorizeAction(const QString &) Q_DECL_OVERRIDE;
+ Action::AuthStatus actionStatus(const QString &) Q_DECL_OVERRIDE;
+ QByteArray callerID() const Q_DECL_OVERRIDE;
++ ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
+ bool isCallerAuthorized(const QString &action, QByteArray callerID) Q_DECL_OVERRIDE;
+ bool actionExists(const QString &action) Q_DECL_OVERRIDE;
+
+--
+cgit v0.11.2
+
Modified: head/x11/kdelibs4/Makefile ==============================================================================
--- head/x11/kdelibs4/Makefile Wed May 10 12:02:02 2017 (r440555)
+++ head/x11/kdelibs4/Makefile Wed May 10 12:03:58 2017 (r440556)
@@ -3,7 +3,7 @@ PORTNAME= kdelibs PORTVERSION= ${KDE4_KDELIBS_VERSION} -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= x11 kde kde-applications MAINTAINER= kde@FreeBSD.org Added: head/x11/kdelibs4/files/patch-git_264e976_CVE-2017-8422 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11/kdelibs4/files/patch-git_264e976_CVE-2017-8422 Wed May 10 12:03:58 2017 (r440556) 
@@ -0,0 +1,200 @@
+From 264e97625abe2e0334f97de17f6ffb52582888ab Mon Sep 17 00:00:00 2001
+From: Albert Ast/.als Cid <aacid@kde.org>
+Date: Wed, 10 May 2017 10:06:07 +0200
+Subject: Verify that whoever is calling us is actually who he says he is
+
+CVE-2017-8422
+---
+ kdecore/auth/AuthBackend.cpp | 5 ++++
+ kdecore/auth/AuthBackend.h | 7 ++++++
+ kdecore/auth/backends/dbus/DBusHelperProxy.cpp | 27 ++++++++++++++++++++--
+ kdecore/auth/backends/dbus/DBusHelperProxy.h | 6 ++++-
+ .../auth/backends/policykit/PolicyKitBackend.cpp | 5 ++++
+ kdecore/auth/backends/policykit/PolicyKitBackend.h | 1 +
+ kdecore/auth/backends/polkit-1/Polkit1Backend.cpp | 5 ++++
+ kdecore/auth/backends/polkit-1/Polkit1Backend.h | 1 +
+ 8 files changed, 54 insertions(+), 3 deletions(-)
+
+diff --git a/kdecore/auth/AuthBackend.cpp b/kdecore/auth/AuthBackend.cpp
+index c953b81..0ba4650 100644
+--- kdecore/auth/AuthBackend.cpp
++++ kdecore/auth/AuthBackend.cpp
+@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities)
+ d->capabilities = capabilities;
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const
++{
++ return NoExtraCallerIDVerificationMethod;
++}
++
+ bool AuthBackend::actionExists(const QString& action)
+ {
+ Q_UNUSED(action);
+diff --git a/kdecore/auth/AuthBackend.h b/kdecore/auth/AuthBackend.h
+index a86732e..6f4b1bc 100644
+--- kdecore/auth/AuthBackend.h
++++ kdecore/auth/AuthBackend.h
+@@ -43,6 +43,12 @@ public:
+ };
+ Q_DECLARE_FLAGS(Capabilities, Capability)
+
++ enum ExtraCallerIDVerificationMethod {
++ NoExtraCallerIDVerificationMethod,
++ VerifyAgainstDBusServiceName,
++ VerifyAgainstDBusServicePid,
++ };
++
+ AuthBackend();
+ virtual ~AuthBackend();
+ virtual void setupAction(const QString &action) = 0;
+@@ -50,6 +56,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString &action) = 0;
+ virtual Action::AuthStatus actionStatus(const QString &action) = 0;
+ virtual
QByteArray callerID() const = 0;
++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0;
+ virtual bool actionExists(const QString &action);
+
+diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.cpp b/kdecore/auth/backends/dbus/DBusHelperProxy.cpp
+index 9557a0f..ca59f1c 100644
+--- kdecore/auth/backends/dbus/DBusHelperProxy.cpp
++++ kdecore/auth/backends/dbus/DBusHelperProxy.cpp
+@@ -271,6 +271,29 @@ void DBusHelperProxy::performActions(QByteArray blob, const QByteArray &callerID
+ }
+ }
+
++bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID)
++{
++ // Check the caller is really who it says it is
++ switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) {
++ case AuthBackend::NoExtraCallerIDVerificationMethod:
++ break;
++
++ case AuthBackend::VerifyAgainstDBusServiceName:
++ if (message().service().toUtf8() != callerID) {
++ return false;
++ }
++ break;
++
++ case AuthBackend::VerifyAgainstDBusServicePid:
++ if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) {
++ return false;
++ }
++ break;
++ }
++
++ return BackendsManager::authBackend()->isCallerAuthorized(action, callerID);
++}
++
+ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments)
+ {
+ if (!responder) {
+@@ -295,7 +318,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+ QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>();
+ timer->stop();
+
+- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++ if (isCallerAuthorized(action, callerID)) {
+ QString slotname = action;
+ if (slotname.startsWith(m_name + QLatin1Char('.'))) {
+ slotname = slotname.right(slotname.length() - m_name.length() - 1);
+@@ -338,7 +361,7 @@ uint
DBusHelperProxy::authorizeAction(const QString& action, const QByteArray& c
+ QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>();
+ timer->stop();
+
+- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++ if (isCallerAuthorized(action, callerID)) {
+ retVal = static_cast<uint>(Action::Authorized);
+ } else {
+ retVal = static_cast<uint>(Action::Denied);
+diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.h b/kdecore/auth/backends/dbus/DBusHelperProxy.h
+index 455cf51..264f6cc 100644
+--- kdecore/auth/backends/dbus/DBusHelperProxy.h
++++ kdecore/auth/backends/dbus/DBusHelperProxy.h
+@@ -21,6 +21,7 @@
+ #ifndef DBUS_HELPER_PROXY_H
+ #define DBUS_HELPER_PROXY_H
+
++#include <QDBusContext>
+ #include <QVariant>
+ #include "HelperProxy.h"
+ #include "kauthactionreply.h"
+@@ -28,7 +29,7 @@
+ namespace KAuth
+ {
+
+-class DBusHelperProxy : public HelperProxy
++class DBusHelperProxy : public HelperProxy, protected QDBusContext
+ {
+ Q_OBJECT
+ Q_INTERFACES(KAuth::HelperProxy)
+@@ -73,6 +74,9 @@ signals:
+
+ private slots:
+ void remoteSignalReceived(int type, const QString &action, QByteArray blob);
++
++private:
++ bool isCallerAuthorized(const QString &action, const QByteArray &callerID);
+ };
+
+ } // namespace Auth
+diff --git a/kdecore/auth/backends/policykit/PolicyKitBackend.cpp b/kdecore/auth/backends/policykit/PolicyKitBackend.cpp
+index 3be97f2..9d041d1 100644
+--- kdecore/auth/backends/policykit/PolicyKitBackend.cpp
++++ kdecore/auth/backends/policykit/PolicyKitBackend.cpp
+@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const
+ return a;
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++ return VerifyAgainstDBusServicePid;
++}
++
+ bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+ QDataStream s(&callerID, QIODevice::ReadOnly);
+diff --git
a/kdecore/auth/backends/policykit/PolicyKitBackend.h b/kdecore/auth/backends/policykit/PolicyKitBackend.h
+index 7154e93..0d3d8f9 100644
+--- kdecore/auth/backends/policykit/PolicyKitBackend.h
++++ kdecore/auth/backends/policykit/PolicyKitBackend.h
+@@ -40,6 +40,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString&);
+ virtual Action::AuthStatus actionStatus(const QString&);
+ virtual QByteArray callerID() const;
++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+
+ private Q_SLOTS:
+diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+index 732d2cb..63c0e1e 100644
+--- kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
++++ kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+@@ -163,6 +163,11 @@ QByteArray Polkit1Backend::callerID() const
+ return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++ return VerifyAgainstDBusServiceName;
++}
++
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.h b/kdecore/auth/backends/polkit-1/Polkit1Backend.h
+index 18ed1a2..d579da2 100644
+--- kdecore/auth/backends/polkit-1/Polkit1Backend.h
++++ kdecore/auth/backends/polkit-1/Polkit1Backend.h
+@@ -48,6 +48,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString&);
+ virtual Action::AuthStatus actionStatus(const QString&);
+ virtual QByteArray callerID() const;
++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+ virtual bool actionExists(const QString& action);
+
+--
+cgit v0.11.2
+