Date:      Sun, 10 Feb 2019 18:04:58 +0000 (UTC)
From:      "Tobias C. Berner" <tcberner@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r492623 - in head/devel/kf5-kauth: . files
Message-ID:  <201902101804.x1AI4wZx050006@repo.freebsd.org>

Author: tcberner
Date: Sun Feb 10 18:04:58 2019
New Revision: 492623
URL: https://svnweb.freebsd.org/changeset/ports/492623

Log:
  devel/kf5-kauth: add fix for CVE-2019-7443
  
  From https://www.kde.org/info/security/advisory-20190209-1.txt :
  
  KDE Project Security Advisory
  =============================
  
  Title:          kauth: Insecure handling of arguments in helpers
  Risk Rating:    Medium
  CVE:            CVE-2019-7443
  Versions:       KDE Frameworks < 5.55.0
  Date:           9 February 2019
  
  Overview
  ========
  KAuth allows to pass parameters with arbitrary types to helpers running as root
  over DBus. Certain types can cause crashes and trigger decoding arbitrary
  images with dynamically loaded plugins.
  
  Solution
  ========
  Update to kauth >= 5.55.0
  
  Or apply the following patch to kauth:
  https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3f4a
  
  Credits
  =======
  Thanks to Fabian Vogt for the report and Albert Astals Cid for the fix.
  
  MFH:		2019Q1
  Security:	CVE-2019-7443

Added:
  head/devel/kf5-kauth/files/
  head/devel/kf5-kauth/files/patch-git_fc70fb0   (contents, props changed)
Modified:
  head/devel/kf5-kauth/Makefile

Modified: head/devel/kf5-kauth/Makefile
==============================================================================
--- head/devel/kf5-kauth/Makefile	Sun Feb 10 18:02:37 2019	(r492622)
+++ head/devel/kf5-kauth/Makefile	Sun Feb 10 18:04:58 2019	(r492623)
@@ -2,7 +2,7 @@
 
 PORTNAME=	kauth
 DISTVERSION=	${KDE_FRAMEWORKS_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	devel kde kde-frameworks
 
 MAINTAINER=	kde@FreeBSD.org

Added: head/devel/kf5-kauth/files/patch-git_fc70fb0
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/devel/kf5-kauth/files/patch-git_fc70fb0	Sun Feb 10 18:04:58 2019	(r492623)
@@ -0,0 +1,68 @@
+From fc70fb0161c1b9144d26389434d34dd135cd3f4a Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Sat, 2 Feb 2019 14:35:25 +0100
+Subject: Remove support for passing gui QVariants to KAuth helpers
+
+Supporting gui variants is very dangerous since they can end up triggering
+image loading plugins which are one of the biggest vectors for crashes, which
+for very smart people mean possible code execution, which is very dangerous
+in code that is executed as root.
+
+We've checked all the KAuth helpers inside KDE git and none seems to be using
+gui variants, so we're not actually limiting anything that people wanted to do.
+
+Reviewed by security@kde.org and Aleix Pol
+
+Issue reported by Fabian Vogt
+---
+ src/backends/dbus/DBusHelperProxy.cpp | 9 +++++++++
+ src/kauthaction.h                     | 2 ++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
+index 10c14c6..8f0d336 100644
+--- src/backends/dbus/DBusHelperProxy.cpp
++++ src/backends/dbus/DBusHelperProxy.cpp
+@@ -31,6 +31,8 @@
+ #include "kf5authadaptor.h"
+ #include "kauthdebug.h"
+ 
++extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper;
++
+ namespace KAuth
+ {
+ 
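Review bot: The hand-written `extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper;` at the top of DBusHelperProxy.cpp declares the symbol locally rather than taking it from an included header, so the compiler cannot check this declaration against Qt's own definition. A short comment stating where the symbol is defined and which Qt versions the declaration was checked against would help whoever maintains this later.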
+@@ -229,10 +231,17 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+         return ActionReply::HelperBusyReply().serialized();
+     }
+ 
++    // Make sure we don't try restoring gui variants, in particular QImage/QPixmap/QIcon are super dangerous
++    // since they end up calling the image loaders and thus are a vector for crashing → executing code
++    auto origMetaTypeGuiHelper = qMetaTypeGuiHelper;
++    qMetaTypeGuiHelper = nullptr;
++
+     QVariantMap args;
+     QDataStream s(&arguments, QIODevice::ReadOnly);
+     s >> args;
+ 
++    qMetaTypeGuiHelper = origMetaTypeGuiHelper;
++
+     m_currentAction = action;
+     emit remoteSignal(ActionStarted, action, QByteArray());
+     QEventLoop e;
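Review bot: Nothing after `s >> args;` in performAction checks whether deserialization succeeded, so with qMetaTypeGuiHelper set to nullptr a payload carrying a gui variant appears to proceed into the action with whatever `args` ended up holding. Consider testing `s.status() != QDataStream::Ok` and returning an error reply before `m_currentAction = action;`. The save, null and restore of the global pointer is also done by hand; a small scope guard would keep the restore tied to the scope if an early return is ever added between the two assignments.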
+diff --git a/src/kauthaction.h b/src/kauthaction.h
+index c67a70a..01f3ba1 100644
+--- src/kauthaction.h
++++ src/kauthaction.h
+@@ -298,6 +298,8 @@ public:
+      * This method sets the variant map that the application
+      * can use to pass arbitrary data to the helper when executing the action.
+      *
++     * Only non-gui variants are supported.
++     *
+      * @param arguments The new arguments map
+      */
+     void setArguments(const QVariantMap &arguments);
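Review bot: The added doc line "Only non-gui variants are supported." in the setArguments() comment does not say which types are excluded or what a caller observes when one is passed. Naming the types called out in the DBusHelperProxy.cpp comment (QImage/QPixmap/QIcon) and stating the resulting behaviour would make the restriction actionable for helper authors.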
+-- 
+cgit v1.1
+


