Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-kde-t...@alioth-lists.debian.net
Please unblock package kglobalaccel

[ Reason ]
Upstream asked to backport a security fix: There is the possibility that
kglobalaccel runs under a wrong UID, which would result in programs started
by the logged in user under a different UID.

Unrelated change: graphviz was removed from B-D since it is not necessary
(as seen, all builds succeeded).

[ Impact ]
Security fix: Possibility of
- broken functionality (programs started as different uid will behave
  differently)
- security (different uid files can be read/changed)
B-D drop: none

[ Tests ]
security fix: The package contains an extensive set of tests that are
automatically run on build.
B-D drop: builds succeeded.

[ Risks ]
The code change is simple and adds a check for the UID and returns in case
they disagree.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock kglobalaccel/5.78.0-3

Best

Norbert

--
PREINING Norbert                              https://www.preining.info
Fujitsu Research Labs  +  IFMGA Guide + TU Wien + TeX Live + Debian Dev
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
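As an added illustration, not code from the Debian package or from upstream kglobalaccel, the UID check described under [ Risks ] modelled in plain C++ without Qt so it compiles stand-alone. The helper names parseUid, checkSessionUid, mayRun and mayRunStrict are assumptions made for this example. It goes slightly beyond the backported patch: a malformed KDE_SESSION_UID is classified separately from an unset one (the real daemon treats both as "not set" and keeps running), and a strict variant refuses to run unless the variable is present and matches the process uid.

```cpp
// Added example, not code from the kglobalaccel package or from upstream:
// a Qt-free C++ model of the session-UID guard that the backported patch
// adds to kglobalaccel's main(). Helper names (parseUid, checkSessionUid,
// mayRun, mayRunStrict) are assumptions made for this example.
#include <cctype>
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <sys/types.h>
#include <unistd.h>

enum class UidCheck { Unset, Malformed, Mismatch, Match };

// Parse a KDE_SESSION_UID-style string strictly: the whole value must be a
// non-negative decimal integer that fits in uid_t. Leading whitespace or a
// sign, which strtoull would silently accept, is rejected.
static bool parseUid(const char *value, uid_t &out) {
    if (value == nullptr || !std::isdigit(static_cast<unsigned char>(value[0]))) {
        return false;
    }
    errno = 0;
    char *end = nullptr;
    const unsigned long long n = std::strtoull(value, &end, 10);
    if (errno != 0 || *end != '\0') {
        return false;  // overflow or trailing garbage such as "1000x"
    }
    if (n > static_cast<unsigned long long>(static_cast<uid_t>(-1))) {
        return false;  // does not fit in uid_t
    }
    out = static_cast<uid_t>(n);
    return true;
}

// Classify the environment value against the uid the process actually has
// (getuid() in the real daemon; passed in here so the logic can be tested).
static UidCheck checkSessionUid(const char *sessionUidValue, uid_t actualUid) {
    if (sessionUidValue == nullptr) {
        return UidCheck::Unset;
    }
    uid_t sessionUid = 0;
    if (!parseUid(sessionUidValue, sessionUid)) {
        return UidCheck::Malformed;
    }
    return sessionUid == actualUid ? UidCheck::Match : UidCheck::Mismatch;
}

// Policy of the backported patch: only an explicit, well-formed mismatch
// stops the daemon. Unset or unparsable values let it run, because
// qEnvironmentVariableIntValue() reports "not set" for both cases.
static bool mayRun(const char *sessionUidValue, uid_t actualUid) {
    return checkSessionUid(sessionUidValue, actualUid) != UidCheck::Mismatch;
}

// Stricter variant: refuse unless the variable is present and matches.
static bool mayRunStrict(const char *sessionUidValue, uid_t actualUid) {
    return checkSessionUid(sessionUidValue, actualUid) == UidCheck::Match;
}

static const char *describe(UidCheck c) {
    switch (c) {
    case UidCheck::Unset:     return "KDE_SESSION_UID not set";
    case UidCheck::Malformed: return "KDE_SESSION_UID is not a valid uid";
    case UidCheck::Mismatch:  return "KDE_SESSION_UID differs from getuid()";
    case UidCheck::Match:     return "KDE_SESSION_UID matches getuid()";
    }
    return "unknown";
}

int main() {
    const uid_t me = getuid();
    const char *fromEnv = std::getenv("KDE_SESSION_UID");
    std::printf("uid %lu: %s\n", static_cast<unsigned long>(me),
                describe(checkSessionUid(fromEnv, me)));
    // A non-zero exit makes a refused start visible to whatever activated us.
    return mayRun(fromEnv, me) ? 0 : 1;
}
```

Run it with KDE_SESSION_UID set to your own uid, to another uid, to a non-numeric string, and unset, to see each branch; the exit status reflects the patch's policy while the strict variant is what a deployment that always exports the variable could use instead.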
diff -Nru kglobalaccel-5.78.0/debian/changelog kglobalaccel-5.78.0/debian/changelog --- kglobalaccel-5.78.0/debian/changelog 2021-01-17 12:02:21.000000000 +0900 +++ kglobalaccel-5.78.0/debian/changelog 2021-03-27 07:26:39.000000000 +0900 @@ -1,3 +1,12 @@ +kglobalaccel (5.78.0-3) unstable; urgency=medium + + [ Norbert Preining ] + * Remove graphviz from build depends. + * Cherry pick upstream fix for kglobalaccel possibly running under an + incorrect uid, thus starting programs as different user. + + -- Norbert Preining <norb...@preining.info> Sat, 27 Mar 2021 07:26:39 +0900 + kglobalaccel (5.78.0-2) unstable; urgency=medium * Release to unstable. diff -Nru kglobalaccel-5.78.0/debian/control kglobalaccel-5.78.0/debian/control --- kglobalaccel-5.78.0/debian/control 2021-01-17 11:54:33.000000000 +0900 +++ kglobalaccel-5.78.0/debian/control 2021-03-27 07:22:05.000000000 +0900 @@ -8,7 +8,6 @@ debhelper-compat (= 13), doxygen, extra-cmake-modules (>= 5.78.0~), - graphviz, libkf5config-dev (>= 5.78.0~), libkf5coreaddons-dev (>= 5.78.0~), libkf5crash-dev (>= 5.78.0~), diff -Nru kglobalaccel-5.78.0/debian/patches/series kglobalaccel-5.78.0/debian/patches/series --- kglobalaccel-5.78.0/debian/patches/series 1970-01-01 09:00:00.000000000 +0900 +++ kglobalaccel-5.78.0/debian/patches/series 2021-03-27 07:23:25.000000000 +0900 @@ -0,0 +1 @@ +upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch diff -Nru kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch --- kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch 1970-01-01 09:00:00.000000000 +0900 +++ kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch 2021-03-27 07:24:20.000000000 +0900 
@@ -0,0 +1,38 @@ +From bbec74337b3186bc258bd5adf849b89191789535 Mon Sep 17 00:00:00 2001 +From: Fabian Vogt <fab...@ritter-vogt.de> +Date: Fri, 29 Jan 2021 11:31:54 +0100 +Subject: [PATCH] Don't let kglobalaccel run if KDE_SESSION_UID mismatches + +Otherwise shortcuts execute actions as the wrong user. +--- + src/runtime/main.cpp | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/src/runtime/main.cpp ++++ b/src/runtime/main.cpp +@@ -10,6 +10,8 @@ + #include "kglobalacceld.h" + #include "logging_p.h" + ++#include <unistd.h> ++ + #include <KCrash> + #include <KAboutData> + #include <KDBusService> +@@ -58,6 +60,16 @@ extern "C" Q_DECL_EXPORT int main(int ar + return 0; + } + ++ // It's possible that kglobalaccel gets started as the wrong user by ++ // accident, e.g. kdesu dolphin leads to dbus activation. It then installs ++ // its grabs and the actions are run as the wrong user. ++ bool isUidset = false; ++ const int sessionuid = qEnvironmentVariableIntValue("KDE_SESSION_UID", &isUidset); ++ if(isUidset && static_cast<uid_t>(sessionuid) != getuid()) { ++ qCWarning(KGLOBALACCELD) << "kglobalaccel running as wrong user, exiting."; ++ return 0; ++ } ++ + KDBusService service(KDBusService::Unique); + + app.setQuitOnLastWindowClosed( false );
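Review bot: the debian/changelog entry for the cherry-pick names neither the upstream commit nor a bug reference, even though the patch file name carries bbec7433 and the patch itself has the full commit hash; putting the commit id in the changelog line ("Cherry pick upstream fix bbec7433 for ...") would make the provenance visible from the changelog alone.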
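Review bot: the debian/control hunk drops graphviz but keeps doxygen in Build-Depends; if graphviz was there for doxygen's dot support, the build still succeeds without it (doxygen only warns when dot is missing) but the generated API documentation loses its class and include diagrams. "Builds succeeded" therefore doesn't by itself show the dependency was unused; worth confirming the doc output is unchanged, or that no diagrams are expected.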
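Review bot: in the src/runtime/main.cpp hunk the guard only fires when KDE_SESSION_UID parses as an integer; qEnvironmentVariableIntValue() sets isUidset to false both when the variable is absent and when its value is not a valid integer, so a malformed value bypasses the check the same way an unset one does, and a session that never exports the variable gets no protection from this patch. The early `return 0;` also reports success to whatever activated the daemon (the D-Bus activation the comment describes), so a refused start is visible only in the log; a non-zero exit, and logging both `sessionuid` and `getuid()` in the qCWarning, would make the condition easier to detect. The placement is right: the check precedes `KDBusService service(KDBusService::Unique);`, so a wrong-user instance never claims the unique bus name.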