svn commit: r492623 - in head/devel/kf5-kauth: . files
Tobias C. Berner
tcberner at FreeBSD.org
Sun Feb 10 18:04:59 UTC 2019
Author: tcberner
Date: Sun Feb 10 18:04:58 2019
New Revision: 492623
URL: https://svnweb.freebsd.org/changeset/ports/492623
Log:
devel/kf5-kauth: add fix for CVE-2019-7443
From https://www.kde.org/info/security/advisory-20190209-1.txt :
KDE Project Security Advisory
=============================
Title: kauth: Insecure handling of arguments in helpers
Risk Rating: Medium
CVE: CVE-2019-7443
Versions: KDE Frameworks < 5.55.0
Date: 9 February 2019
Overview
========
KAuth allows to pass parameters with arbitrary types to helpers running as root
over DBus. Certain types can cause crashes and trigger decoding arbitrary
images with dynamically loaded plugins.
Solution
========
Update to kauth >= 5.55.0
Or apply the following patch to kauth:
https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3f4a
Credits
=======
Thanks to Fabian Vogt for the report and Albert Astals Cid for the fix.
MFH: 2019Q1
Security: CVE-2019-7443
Added:
head/devel/kf5-kauth/files/
head/devel/kf5-kauth/files/patch-git_fc70fb0 (contents, props changed)
Modified:
head/devel/kf5-kauth/Makefile
Modified: head/devel/kf5-kauth/Makefile
==============================================================================
--- head/devel/kf5-kauth/Makefile Sun Feb 10 18:02:37 2019 (r492622)
+++ head/devel/kf5-kauth/Makefile Sun Feb 10 18:04:58 2019 (r492623)
@@ -2,7 +2,7 @@
PORTNAME= kauth
DISTVERSION= ${KDE_FRAMEWORKS_VERSION}
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= devel kde kde-frameworks
MAINTAINER= kde at FreeBSD.org
Added: head/devel/kf5-kauth/files/patch-git_fc70fb0
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/devel/kf5-kauth/files/patch-git_fc70fb0 Sun Feb 10 18:04:58 2019 (r492623)
@@ -0,0 +1,68 @@
+From fc70fb0161c1b9144d26389434d34dd135cd3f4a Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid at kde.org>
+Date: Sat, 2 Feb 2019 14:35:25 +0100
+Subject: Remove support for passing gui QVariants to KAuth helpers
+
+Supporting gui variants is very dangerous since they can end up triggering
+image loading plugins which are one of the biggest vectors for crashes, which
+for very smart people mean possible code execution, which is very dangerous
+in code that is executed as root.
+
+We've checked all the KAuth helpers inside KDE git and none seems to be using
+gui variants, so we're not actually limiting anything that people wanted to do.
+
+Reviewed by security at kde.org and Aleix Pol
+
+Issue reported by Fabian Vogt
+---
+ src/backends/dbus/DBusHelperProxy.cpp | 9 +++++++++
+ src/kauthaction.h | 2 ++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
+index 10c14c6..8f0d336 100644
+--- src/backends/dbus/DBusHelperProxy.cpp
++++ src/backends/dbus/DBusHelperProxy.cpp
+@@ -31,6 +31,8 @@
+ #include "kf5authadaptor.h"
+ #include "kauthdebug.h"
+
++extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper;
++
+ namespace KAuth
+ {
+
+@@ -229,10 +231,17 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+ return ActionReply::HelperBusyReply().serialized();
+ }
+
++ // Make sure we don't try restoring gui variants, in particular QImage/QPixmap/QIcon are super dangerous
++ // since they end up calling the image loaders and thus are a vector for crashing → executing code
++ auto origMetaTypeGuiHelper = qMetaTypeGuiHelper;
++ qMetaTypeGuiHelper = nullptr;
++
+ QVariantMap args;
+ QDataStream s(&arguments, QIODevice::ReadOnly);
+ s >> args;
+
++ qMetaTypeGuiHelper = origMetaTypeGuiHelper;
++
+ m_currentAction = action;
+ emit remoteSignal(ActionStarted, action, QByteArray());
+ QEventLoop e;
+diff --git a/src/kauthaction.h b/src/kauthaction.h
+index c67a70a..01f3ba1 100644
+--- src/kauthaction.h
++++ src/kauthaction.h
+@@ -298,6 +298,8 @@ public:
+ * This method sets the variant map that the application
+ * can use to pass arbitrary data to the helper when executing the action.
+ *
++ * Only non-gui variants are supported.
++ *
+ * @param arguments The new arguments map
+ */
+ void setArguments(const QVariantMap &arguments);
+--
+cgit v1.1
+
More information about the svn-ports-all
mailing list