Date: Sun, 10 Feb 2019 18:04:58 +0000 (UTC)
From: "Tobias C. Berner" <tcberner@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r492623 - in head/devel/kf5-kauth: . files
Message-ID: <201902101804.x1AI4wZx050006@repo.freebsd.org>
Author: tcberner
Date: Sun Feb 10 18:04:58 2019
New Revision: 492623
URL: https://svnweb.freebsd.org/changeset/ports/492623

Log:
  devel/kf5-kauth: add fix for CVE-2019-7443

  From https://www.kde.org/info/security/advisory-20190209-1.txt :

  KDE Project Security Advisory
  =============================

  Title: kauth: Insecure handling of arguments in helpers
  Risk Rating: Medium
  CVE: CVE-2019-7443
  Versions: KDE Frameworks < 5.55.0
  Date: 9 February 2019

  Overview
  ========
  KAuth allows to pass parameters with arbitrary types to helpers
  running as root over DBus.

  Certain types can cause crashes and trigger decoding arbitrary
  images with dynamically loaded plugins.

  Solution
  ========
  Update to kauth >= 5.55.0

  Or apply the following patch to kauth:
  https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3f4a

  Credits
  =======
  Thanks to Fabian Vogt for the report and Albert Astals Cid for the fix.

  MFH: 2019Q1
  Security: CVE-2019-7443

Added:
  head/devel/kf5-kauth/files/
  head/devel/kf5-kauth/files/patch-git_fc70fb0 (contents, props changed)
Modified:
  head/devel/kf5-kauth/Makefile

Modified: head/devel/kf5-kauth/Makefile ============================================================================== --- head/devel/kf5-kauth/Makefile Sun Feb 10 18:02:37 2019 (r492622) +++ head/devel/kf5-kauth/Makefile Sun Feb 10 18:04:58 2019 (r492623) @@ -2,7 +2,7 @@ PORTNAME= kauth DISTVERSION= ${KDE_FRAMEWORKS_VERSION} -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= devel kde kde-frameworks MAINTAINER= kde@FreeBSD.org Added: head/devel/kf5-kauth/files/patch-git_fc70fb0 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/devel/kf5-kauth/files/patch-git_fc70fb0 Sun Feb 10 18:04:58 2019 (r492623) 
@@ -0,0 +1,68 @@ +From fc70fb0161c1b9144d26389434d34dd135cd3f4a Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Sat, 2 Feb 2019 14:35:25 +0100 +Subject: Remove support for passing gui QVariants to KAuth helpers + +Supporting gui variants is very dangerous since they can end up triggering +image loading plugins which are one of the biggest vectors for crashes, which +for very smart people mean possible code execution, which is very dangerous +in code that is executed as root. + +We've checked all the KAuth helpers inside KDE git and none seems to be using +gui variants, so we're not actually limiting anything that people wanted to do. + +Reviewed by security@kde.org and Aleix Pol + +Issue reported by Fabian Vogt +--- + src/backends/dbus/DBusHelperProxy.cpp | 9 +++++++++ + src/kauthaction.h | 2 ++ + 2 files changed, 11 insertions(+) + +diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp +index 10c14c6..8f0d336 100644 +--- src/backends/dbus/DBusHelperProxy.cpp ++++ src/backends/dbus/DBusHelperProxy.cpp +@@ -31,6 +31,8 @@ + #include "kf5authadaptor.h" + #include "kauthdebug.h" + ++extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper; ++ + namespace KAuth + { + +@@ -229,10 +231,17 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra + return ActionReply::HelperBusyReply().serialized(); + } + ++ // Make sure we don't try restoring gui variants, in particular QImage/QPixmap/QIcon are super dangerous ++ // since they end up calling the image loaders and thus are a vector for crashing → executing code ++ auto origMetaTypeGuiHelper = qMetaTypeGuiHelper; ++ qMetaTypeGuiHelper = nullptr; ++ + QVariantMap args; + QDataStream s(&arguments, QIODevice::ReadOnly); + s >> args; + ++ qMetaTypeGuiHelper = origMetaTypeGuiHelper; ++ + m_currentAction = action; + emit remoteSignal(ActionStarted, action, QByteArray()); + QEventLoop e; +diff --git a/src/kauthaction.h 
b/src/kauthaction.h +index c67a70a..01f3ba1 100644 +--- src/kauthaction.h ++++ src/kauthaction.h +@@ -298,6 +298,8 @@ public: + * This method sets the variant map that the application + * can use to pass arbitrary data to the helper when executing the action. + * ++ * Only non-gui variants are supported. ++ * + * @param arguments The new arguments map + */ + void setArguments(const QVariantMap &arguments); +-- +cgit v1.1 +
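Review bot: The `extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper;` declaration added below the includes of DBusHelperProxy.cpp is written by hand instead of coming from a header, so the fix depends on the name and type of a Qt symbol that nothing in the file ties to a Qt version. A comment saying where the symbol is defined and which Qt versions it was checked against would help the next person who touches this, and for the port it is worth confirming that the declaration still links against the Qt version in the tree.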
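Review bot: In performAction(), nothing after `s >> args;` checks the stream, so as far as these lines show a request whose map holds a gui variant is not rejected: the handler restores qMetaTypeGuiHelper and carries on to `m_currentAction = action;` with whatever was decoded. Consider testing `s.status() != QDataStream::Ok` right after the read and returning an error reply before ActionStarted is emitted. The save, null and restore of the global is also done by hand; a small scope guard would keep the pointer from staying null if a return or an exception is ever introduced between the two assignments, and a comment should state that this relies on no other thread deserializing variants while the pointer is null.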
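Review bot: The new sentence "Only non-gui variants are supported." in the setArguments() documentation in kauthaction.h does not tell a caller which types count as gui or what happens when one is passed. Suggest naming the types the code comment in DBusHelperProxy.cpp calls out (QImage, QPixmap, QIcon) and stating the resulting behaviour, so application authors learn the restriction from the header rather than from a failing action.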