Bug#843790: kde-cli-tools: CVE-2016-7787

2017-06-18 Thread Salvatore Bonaccorso
Hi

On Wed, Nov 09, 2016 at 05:52:59PM +0100, Balint Reczey wrote:
> On Thu, 6 Oct 2016 02:31:33 +0200 Balint Reczey 
> wrote:
> > On Wed, 05 Oct 2016 21:48:58 +0200 Salvatore Bonaccorso
> >  wrote:
> > > Hi,
> > > 
> > > the following vulnerability was published for kde-cli-tools.
> > > 
> > > CVE-2016-7787[0]:
> > > kdesu: Displayed command truncated by unicode string terminator
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2016-7787
> > > [1] https://www.kde.org/info/security/advisory-20160930-1.txt
> > > 
> > > Please adjust the affected versions in the BTS as needed. I'm not sure
> > > if kde-runtime is as well affected (it looks source wise, since the
> > > same file can be patched).
> > 
> > It seems both Jessie and Wheezy are affected in some way.
> > Both show the command in the dialog, but on my vagrant VM installations
> > the string terminator was not interpreted on Wheezy, just on Jessie.
> > 
> > Test command: kdesudo ls $(printf 'aa\u9chidden')
> > 
> > On Jessie it shows the following dialog:
> > +---
> > |  ls aa[]hidden needs administrative privileges. Please enter your
> > |  password.
> > |
> > | Command ls aa
> > | Password:|
> > | OK Cancel
> > +---
> > Thus the string terminator takes effect only once.
> > 
> > On Wheezy the dialog looks like this:
> > +---
> > |  ls aa[?]hidden needs administrative privileges. Please enter your
> > |  password.
> > |
> > | Command ls aa[?]hidden
> > | Password:|
> > | OK Cancel
> > +---
> 
> Attaching the patch for kdesudo.
> 
> Wheezy's version is not affected and not fixed by the patch because it
> interprets the command as Latin-1 instead of UTF-8.
> https://wiki.qt.io/Strings_and_encodings_in_Qt
> 
> Cheers,
> Balint

> Description: Make sure people are not trying to sneak invisible characters
>  on the kdesu label
>  .
>  Based on Martin Sandsmark's commit 5eda179a099ba68a20dc21dc0da63e85a565a171
>  .
> Author: Balint Reczey 
> 
> --- a/kdesudo/kdesudo.cpp
> +++ b/kdesudo/kdesudo.cpp
> @@ -275,6 +275,13 @@
>  }
>  
>  m_process->setOutputChannelMode(KProcess::MergedChannels);
> +
> +for (const QChar character : cmd) {
> +  if (!character.isPrint() && character.category() != 
> QChar::Other_Surrogate) {
> +error(i18n("Cannot execute command '%1'. It contains invalid 
> characters.", cmd));
> +exit(1);
> +  }
> +}
>  
>  if (noExec) {
>  exit(0);
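Review bot: the rejected command is fed straight back into a user-facing label in `error(i18n("Cannot execute command '%1'. It contains invalid characters.", cmd));`, so the very non-printable characters the loop just refused are displayed again, and a string terminator such as the U+009C from the test command above can truncate that error message just as it truncated the original prompt. Report the offending character instead of the whole command, for example its code point via `QString::number(character.unicode(), 16)`, or at least escape `cmd` before it reaches the dialog.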

Now that stretch is released, friendly ping for this one to get it
fixed in unstable/buster.

Any fix for jessie and stretch does not seem to warrant a DSA, so
updating it via an upcoming point release would be great!

Regards,
Salvatore
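As an added example (my code, not kdesudo's or KDE's) of what the check in Balint's patch accepts and rejects: it re-implements the loop in Python over UTF-16 code units, the way a QString range-for sees the command, and runs it over the thread's test string plus a few constructed command lines. The category set behind QChar::isPrint() is an assumption taken from the Qt documentation (Qt 5 lists Cc, Cf, Cs, Co, Cn, Zl, Zp; Qt 4 lists only Cc and Cn) and is not stated anywhere in the thread; the sample command lines other than the test string are made up.

```python
import unicodedata

# Unicode general categories that QChar::isPrint() reports as non-printable.
# Assumption taken from the Qt docs: Qt 5 rejects Cc, Cf, Cs, Co, Cn, Zl, Zp;
# Qt 4 documents only Cc and Cn, so the same patch on a Qt 4 kdesudo catches
# fewer characters (the reported U+009C is Cc, so it is caught either way).
QT5_NON_PRINTABLE = frozenset({"Cc", "Cf", "Cs", "Co", "Cn", "Zl", "Zp"})
QT4_NON_PRINTABLE = frozenset({"Cc", "Cn"})


def utf16_units(cmd: str):
    """Yield the command as UTF-16 code units, one per QChar, which is what
    `for (const QChar character : cmd)` iterates over. Characters outside
    the BMP (emoji, some CJK) show up here as two surrogate units."""
    raw = cmd.encode("utf-16-le")
    for i in range(0, len(raw), 2):
        yield chr(raw[i] | (raw[i + 1] << 8))


def offending_units(cmd, non_printable=QT5_NON_PRINTABLE, allow_surrogates=True):
    """Return [(index, 'U+XXXX', category), ...] for every code unit the
    patch's loop would reject. allow_surrogates=True mirrors the
    `category() != QChar::Other_Surrogate` exemption; pass False to see
    why that exemption is needed."""
    rejected = []
    for index, unit in enumerate(utf16_units(cmd)):
        category = unicodedata.category(unit)
        if category not in non_printable:
            continue
        if allow_surrogates and category == "Cs":
            continue
        rejected.append((index, f"U+{ord(unit):04X}", category))
    return rejected


def would_execute(cmd, **kwargs):
    """True if a kdesudo with the patch applied would go on to run `cmd`."""
    return not offending_units(cmd, **kwargs)


# Constructed sample command lines. Only the first is from the bug report
# (the thread's test string as the shell hands it to kdesudo).
SAMPLES = {
    "thread test string": "ls aa\u009chidden",       # U+009C STRING TERMINATOR (Cc)
    "plain command": "ls -la /etc",
    "bidi override": "echo \u202eevil.txt",          # U+202E RIGHT-TO-LEFT OVERRIDE (Cf)
    "zero-width space": "rm \u200b-rf /tmp/x",       # U+200B ZERO WIDTH SPACE (Cf)
    "emoji in filename": "cat \U0001F512lock.txt",   # U+1F512 (So): a surrogate pair in UTF-16
    "tab in argument": "ls\tfoo",                    # U+0009 (Cc): refused as a side effect
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(f"{label:20} {cmd!r:34} qt5={would_execute(cmd)!s:5} "
              f"qt4={would_execute(cmd, non_printable=QT4_NON_PRINTABLE)!s:5} "
              f"{offending_units(cmd)}")
    # Without the Other_Surrogate exemption the emoji command would be refused.
    print("emoji, no Cs exemption:",
          offending_units(SAMPLES["emoji in filename"], allow_surrogates=False))
```

Two things the table makes visible that the patch text alone does not: the surrogate exemption is what keeps non-BMP characters usable at all, and under the narrower Qt 4 definition a format character such as U+202E sails through while U+009C is still caught.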



Bug#843790: kde-cli-tools: CVE-2016-7787

2016-11-09 Thread Balint Reczey
On Thu, 6 Oct 2016 02:31:33 +0200 Balint Reczey 
wrote:
> On Wed, 05 Oct 2016 21:48:58 +0200 Salvatore Bonaccorso
>  wrote:
> > Hi,
> > 
> > the following vulnerability was published for kde-cli-tools.
> > 
> > CVE-2016-7787[0]:
> > kdesu: Displayed command truncated by unicode string terminator
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-7787
> > [1] https://www.kde.org/info/security/advisory-20160930-1.txt
> > 
> > Please adjust the affected versions in the BTS as needed. I'm not sure
> > if kde-runtime is as well affected (it looks source wise, since the
> > same file can be patched).
> 
> It seems both Jessie and Wheezy are affected in some way.
> Both show the command in the dialog, but on my vagrant VM installations
> the string terminator was not interpreted on Wheezy, just on Jessie.
> 
> Test command: kdesudo ls $(printf 'aa\u9chidden')
> 
> On Jessie it shows the following dialog:
> +---
> |  ls aa[]hidden needs administrative privileges. Please enter your
> |  password.
> |
> | Command ls aa
> | Password:|
> | OK Cancel
> +---
> Thus the string terminator takes effect only once.
> 
> On Wheezy the dialog looks like this:
> +---
> |  ls aa[?]hidden needs administrative privileges. Please enter your
> |  password.
> |
> | Command ls aa[?]hidden
> | Password:|
> | OK Cancel
> +---

Attaching the patch for kdesudo.

Wheezy's version is not affected and not fixed by the patch because it
interprets the command as Latin-1 instead of UTF-8.
https://wiki.qt.io/Strings_and_encodings_in_Qt

Cheers,
Balint
Description: Make sure people are not trying to sneak invisible characters
 on the kdesu label
 .
 Based on Martin Sandsmark's commit 5eda179a099ba68a20dc21dc0da63e85a565a171
 .
Author: Balint Reczey 

--- a/kdesudo/kdesudo.cpp
+++ b/kdesudo/kdesudo.cpp
@@ -275,6 +275,13 @@
 }
 
 m_process->setOutputChannelMode(KProcess::MergedChannels);
+
+for (const QChar character : cmd) {
+  if (!character.isPrint() && character.category() != QChar::Other_Surrogate) {
+error(i18n("Cannot execute command '%1'. It contains invalid characters.", cmd));
+exit(1);
+  }
+}
 
 if (noExec) {
 exit(0);
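Review bot: `!character.isPrint()` is also false for U+0009 (tab) and U+000A (newline), both category Cc, so a command whose arguments legitimately contain either is now refused with "invalid characters" instead of being shown for confirmation; if that is intended, say so in the Description, otherwise whitelist those two before the category test. The `QChar::Other_Surrogate` exemption is correct and should stay: QString is UTF-16, so the loop sees a character outside the BMP as two surrogate QChars, and `isPrint()` reports each half as non-printable.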