Date: Monday, November 10, 2014 @ 15:30:48 Author: andrea Revision: 225876
upgpkg: kdebase-workspace 4.11.13-2 CVE-2014-8651 Added: kdebase-workspace/trunk/CVE-2014-8651-2.patch kdebase-workspace/trunk/CVE-2014-8651.patch Modified: kdebase-workspace/trunk/PKGBUILD -----------------------+ CVE-2014-8651-2.patch | 30 ++++++++++++ CVE-2014-8651.patch | 120 ++++++++++++++++++++++++++++++++++++++++++++++++ PKGBUILD | 13 ++++- 3 files changed, 160 insertions(+), 3 deletions(-)
Added: CVE-2014-8651-2.patch
===================================================================
--- CVE-2014-8651-2.patch (rev 0)
+++ CVE-2014-8651-2.patch 2014-11-10 14:30:48 UTC (rev 225876)
@@ -0,0 +1,30 @@
+From: David Edmundson <k...@davidedmundson.co.uk>
+Date: Tue, 04 Nov 2014 13:00:54 +0000
+Subject: Validate timezone name before setting
+X-Git-Url: http://quickgit.kde.org/?p=kde-workspace.git&a=commitdiff&h=54d0bfb5effff9c8cf60da890b7728cbe36a454e
+---
+Validate timezone name before setting
+
+This patch ensures that the symlink /etc/localtime always points to a
+file in /usr/share/timezones and not an arbitrary file in a user's home
+directory.
+---
+
+
+--- a/kcontrol/dateandtime/helper.cpp
++++ b/kcontrol/dateandtime/helper.cpp
+@@ -123,6 +123,13 @@
+ int ClockHelper::tz( const QString& selectedzone )
+ {
+ int ret = 0;
++
++ //only allow letters, numbers hyphen underscore plus and forward slash
++ //allowed pattern taken from time-util.c in systemd
++ if (!QRegExp("[a-zA-Z0-9-_+/]*").exactMatch(selectedzone)) {
++ return ret;
++ }
++
+ #if defined(USE_SOLARIS) // MARCO
+
+ KTemporaryFile tf;
+
Added: CVE-2014-8651.patch
===================================================================
--- CVE-2014-8651.patch (rev 0)
+++ CVE-2014-8651.patch 2014-11-10 14:30:48 UTC (rev 225876)
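Review bot: The new guard in `ClockHelper::tz` exits through `return ret;` while `ret` is still 0, so a rejected zone name looks the same as success to the caller; the other patch in this commit shows the same convention as `int ret = 0; // error code` with results combined by `ret |= ...`. The guard should return a non-zero error instead (the helper's timezone error flag, if helper.h defines one). The pattern also ends in `*`, so an empty `selectedzone` passes `exactMatch`, and a name beginning with `/` is accepted; adding `selectedzone.isEmpty() || selectedzone.startsWith(QLatin1Char('/'))` to the condition and using `+` in place of `*` would reject both. The rest of `tz`, including how the name becomes the `/etc/localtime` target, lies outside the hunk, so it cannot be confirmed from here whether the resolved file is also checked to exist under the zoneinfo directory.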
@@ -0,0 +1,120 @@
+From: David Edmundson <k...@davidedmundson.co.uk>
+Date: Tue, 04 Nov 2014 12:57:59 +0000
+Subject: Do not pass ntpUtility as an argument to datetime helper
+X-Git-Url: http://quickgit.kde.org/?p=kde-workspace.git&a=commitdiff&h=eebcb17746d9fa86ea8c5a7344709ef6750781cf
+---
+Do not pass ntpUtility as an argument to datetime helper
+
+Passing the name of a binary to run to a polkit helper is a security
+risk as it allows any arbitrary process to be executed.
+
+This patch moves the detection of ntp utility location into the helper
+function.
+
+REVIEW: 120977
+---
+
+
+--- a/kcontrol/dateandtime/dtime.cpp
++++ b/kcontrol/dateandtime/dtime.cpp
+@@ -142,27 +142,15 @@
+ //kclock->setEnabled(enabled);
+ }
+
+-void Dtime::findNTPutility(){
+- QByteArray envpath = qgetenv("PATH");
+- if (!envpath.isEmpty() && envpath[0] == ':') {
+- envpath = envpath.mid(1);
+- }
+-
+- QString path = "/sbin:/usr/sbin:";
+- if (!envpath.isEmpty()) {
+- path += QString::fromLocal8Bit(envpath);
+- } else {
+- path += QLatin1String("/bin:/usr/bin");
+- }
+-
+- foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
+- if( !((ntpUtility = KStandardDirs::findExe(possible_ntputility, path)).isEmpty()) ) {
+- kDebug() << "ntpUtility = " << ntpUtility;
+- return;
+- }
+- }
+-
+- kDebug() << "ntpUtility not found!";
++void Dtime::findNTPutility()
++{
++ const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
++ foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++ ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++ if (!ntpUtility.isEmpty()) {
++ return;
++ }
++ }
+ }
+
+ void Dtime::set_time()
+@@ -238,7 +226,6 @@
+ helperargs["ntp"] = true;
+ helperargs["ntpServers"] = list;
+ helperargs["ntpEnabled"] = setDateTimeAuto->isChecked();
+- helperargs["ntpUtility"] = ntpUtility;
+
+ if(setDateTimeAuto->isChecked() && !ntpUtility.isEmpty()){
+ // NTP Time setting - done in helper
+
+--- a/kcontrol/dateandtime/helper.cpp
++++ b/kcontrol/dateandtime/helper.cpp
+@@ -52,8 +52,18 @@
+ // clears it. So we have to use a reasonable default.
+ static const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
+
+-int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled,
+- const QString& ntpUtility )
++static QString findNtpUtility()
++{
++ foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++ const QString ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++ if (!ntpUtility.isEmpty()) {
++ return ntpUtility;
++ }
++ }
++ return QString();
++}
++
++int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled )
+ {
+ int ret = 0;
+
+@@ -68,6 +78,8 @@
+ KConfigGroup config(&_config, "NTP");
+ config.writeEntry("servers", ntpServers );
+ config.writeEntry("enabled", ntpEnabled );
++
++ QString ntpUtility(findNtpUtility());
+
+ if ( ntpEnabled && !ntpUtility.isEmpty() ) {
+ // NTP Time setting
+@@ -227,7 +239,7 @@
+ int ret = 0; // error code
+ // The order here is important
+ if( _ntp )
+- ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool(), args.value("ntpUtility").toString() );
++ ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool());
+ if( _date )
+ ret |= date( args.value("newdate").toString(), args.value("olddate").toString() );
+ if( _tz )
+
+--- a/kcontrol/dateandtime/helper.h
++++ b/kcontrol/dateandtime/helper.h
+@@ -42,8 +42,7 @@
+ ActionReply save(const QVariantMap &map);
+
+ private:
+- int ntp(const QStringList& ntpServers, bool ntpEnabled,
+- const QString& ntpUtility);
++ int ntp(const QStringList& ntpServers, bool ntpEnabled);
+ int date(const QString& newdate, const QString& olddate);
+ int tz(const QString& selectedzone);
+ int tzreset();
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-11-10 12:09:31 UTC (rev 225875)
+++ PKGBUILD
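Review bot: `ClockHelper::ntp` still takes `ntpServers` straight from the caller-supplied map (`args.value("ntpServers").toStringList()`) and stores it with `config.writeEntry("servers", ntpServers)` without any check, so the privileged helper keeps acting on caller-controlled strings even though the binary path is now resolved locally. The code that hands a server to the located utility lies outside these hunks; if that value ends up on the utility's command line, it should be refused with an error when it is empty or begins with `-`, ideally before the config is written. A comment above `findNtpUtility()` would record the intent, e.g. `// Resolved inside the helper from the fixed exePath; never accept the binary path from the caller (CVE-2014-8651)`. `Dtime::findNTPutility()` in dtime.cpp now repeats the same directory list and the `"ntpdate" << "rdate"` candidates, so the two copies have to be kept in step by hand.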
2014-11-10 14:30:48 UTC (rev 225876) @@ -6,7 +6,7 @@ _pkgname=kde-workspace pkgver=4.11.13 _pkgver=4.14.2 -pkgrel=1 +pkgrel=2 pkgdesc="Provides the interface and basic tools for the KDE workspace" arch=('i686' 'x86_64') url='https://projects.kde.org/projects/kde/kde-workspace' @@ -29,7 +29,8 @@ source=("http://download.kde.org/stable/${_pkgver}/src/${_pkgname}-${pkgver}.tar.xz" 'kde.pam' 'kde-np.pam' 'kscreensaver.pam' 'kdm.service' 'kdm.logrotate' 'etc-scripts.patch' 'terminate-server.patch' 'kdm-xinitrd.patch' - 'khotkeys-qt4.patch') + 'khotkeys-qt4.patch' + 'CVE-2014-8651.patch' 'CVE-2014-8651-2.patch') sha1sums=('34dcc710ad8628fefa1cf0fa8eab4efc98ff138f' '660eae40a707d2711d8d7f32a93214865506b795' '6aeecc9e0e221f0515c6bf544f9a3c11cb6961fe' @@ -39,7 +40,9 @@ 'c079ebd157c836ba996190f0d2bcea1a7828d02c' 'ac7bc292c865bc1ab8c02e6341aa7aeaf1a3eeee' 'd509dac592bd8b310df27991b208c95b6d907514' - 'aa9d2e5a69986c4c3d47829721ea99edb473be12') + 'aa9d2e5a69986c4c3d47829721ea99edb473be12' + '9aa1cff4d69317debe83fc9ff1ea07fff350e717' + '9c025005d7830c54b99674bfcbfbc54155d6ecc1') prepare() { mkdir build @@ -55,6 +58,10 @@ # KDEBUG#202629 patch -p0 -i "${srcdir}"/terminate-server.patch + + # Fixed in 4.11.14 + patch -p1 -i "${srcdir}"/CVE-2014-8651.patch + patch -p1 -i "${srcdir}"/CVE-2014-8651-2.patch } build() {