Hi Moritz,

On Wed, 23 Jul 2014 16:05:25 +0200 Moritz Muehlenhoff <j...@inutil.org> wrote:
> Package: kde4libs
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> please see https://bugzilla.novell.com/show_bug.cgi?id=864716 for the original
> bug report. The upstream fix is available here:
> http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23
>
> We should also fix this in Wheezy.
Attached is a debdiff that adds the upstream patch to kde4libs/wheezy. I've tested that kauth still works (e.g. changing the display manager setting in system settings).

Please let me know if I can go ahead and upload it to the security archive.

Cheers,
Felix
diff -Nru kde4libs-4.8.4/debian/changelog kde4libs-4.8.4/debian/changelog --- kde4libs-4.8.4/debian/changelog 2012-10-26 00:02:15.000000000 +0200 +++ kde4libs-4.8.4/debian/changelog 2014-07-31 20:39:56.000000000 +0200 @@ -1,3 +1,11 @@ +kde4libs (4:4.8.4-4+deb7u1) wheezy-security; urgency=medium + + * Fix kauth authentication bypass. (Closes: #755814) + - Add CVE-2014-5033.patch, cherry-picked from upstream. + - CVE-2014-5033 + + -- Felix Geyer <fge...@debian.org> Thu, 31 Jul 2014 20:20:00 +0200 + kde4libs (4:4.8.4-4) unstable; urgency=low * Backport an upstream patch to fix copying of files with extended ACLs. diff -Nru kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch --- kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch 1970-01-01 01:00:00.000000000 +0100 +++ kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch 2014-07-30 21:36:06.000000000 +0200 
@@ -0,0 +1,50 @@ +From: Martin T. H. Sandsmark <martin.sandsm...@kde.org> +Date: Mon, 21 Jul 2014 20:52:40 +0000 +Subject: Use dbus system bus name instead of PID for authentication. +X-Git-Url: http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23 +--- +Use dbus system bus name instead of PID for authentication. + +Using the PID for authentication is prone to a PID reuse +race condition, and a security issue. + +REVIEW: 119323 +--- + + +--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp ++++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp +@@ -144,7 +144,7 @@ + + Action::AuthStatus Polkit1Backend::actionStatus(const QString &action) + { +- PolkitQt1::UnixProcessSubject subject(QCoreApplication::applicationPid()); ++ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID())); + PolkitQt1::Authority::Result r = PolkitQt1::Authority::instance()->checkAuthorizationSync(action, subject, + PolkitQt1::Authority::None); + switch (r) { +@@ -160,21 +160,12 @@ + + QByteArray Polkit1Backend::callerID() const + { +- QByteArray a; +- QDataStream s(&a, QIODevice::WriteOnly); +- s << QCoreApplication::applicationPid(); +- +- return a; ++ return QDBusConnection::systemBus().baseService().toUtf8(); + } + + bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID) + { +- QDataStream s(&callerID, QIODevice::ReadOnly); +- qint64 pid; +- +- s >> pid; +- +- PolkitQt1::UnixProcessSubject subject(pid); ++ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID)); + PolkitQt1::Authority *authority = PolkitQt1::Authority::instance(); + + PolkitResultEventLoop e; + diff -Nru kde4libs-4.8.4/debian/patches/series kde4libs-4.8.4/debian/patches/series --- kde4libs-4.8.4/debian/patches/series 2012-10-25 23:06:36.000000000 +0200 +++ kde4libs-4.8.4/debian/patches/series 2014-07-31 20:19:56.000000000 +0200 
@@ -26,3 +26,4 @@ glibc_filesystem.diff python3-support-bytecode.patch fix-copying-of-files-with-extended-ACLs.patch +CVE-2014-5033.patch
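Review bot: in the first Polkit1Backend.cpp hunk (actionStatus(), @@ -144,7), the new SystemBusNameSubject is built from callerID(), which now reads QDBusConnection::systemBus().baseService(), but nothing in the patch adds an include for QDBusConnection; please confirm Polkit1Backend.cpp in 4.8.4 already includes <QtDBus/QDBusConnection> (directly or via another header), otherwise the wheezy backport will not compile. Note also that baseService() returns an empty string when the process holds no system bus connection, in which case the subject carries an empty name and the polkit check fails closed rather than authorizing; that is the safe direction, but worth a sentence in the changelog or patch header since the old PID-based path had no such dependency on the bus being reachable.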
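Review bot: in the second Polkit1Backend.cpp hunk (callerID()/isCallerAuthorized(), @@ -160,21), isCallerAuthorized() still builds the polkit subject from the callerID byte array passed in by the client, so the helper keeps trusting a caller-supplied identifier; a unique bus name is not subject to the PID-reuse race the commit message describes (the bus daemon does not hand out the same unique name twice while it runs), but a local client can still pass the unique name of some other, already authorized connection on the system bus. Suggest having the helper take the sender's unique name from the D-Bus message context of the request instead of from the argument, or at least rejecting an empty name or one that is not a unique name (does not start with ':') before calling checkAuthorization. Also, the wire format of callerID changes from a QDataStream-serialized qint64 to a raw UTF-8 string, so a client and helper from different versions of kde4libs will not interoperate; that is acceptable for a security update but should be mentioned in the changelog entry.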