Hi Moritz,
On Wed, 23 Jul 2014 16:05:25 +0200 Moritz Muehlenhoff j...@inutil.org wrote:
> Package: kde4libs
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> please see https://bugzilla.novell.com/show_bug.cgi?id=864716 for the original
> bug report. The upstream fix is available here:
> http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23
>
> We should also fix this in Wheezy.
Attached is a debdiff that adds the upstream patch to kde4libs/wheezy.
I've tested that kauth still works (e.g. changing the display manager setting
in system settings).
Please let me know if I can go ahead and upload it to the security archive.
Cheers,
Felix
diff -Nru kde4libs-4.8.4/debian/changelog kde4libs-4.8.4/debian/changelog
--- kde4libs-4.8.4/debian/changelog 2012-10-26 00:02:15.0 +0200
+++ kde4libs-4.8.4/debian/changelog 2014-07-31 20:39:56.0 +0200
@@ -1,3 +1,11 @@
+kde4libs (4:4.8.4-4+deb7u1) wheezy-security; urgency=medium
+
+ * Fix kauth authentication bypass. (Closes: #755814)
+- Add CVE-2014-5033.patch, cherry-picked from upstream.
+- CVE-2014-5033
+
+ -- Felix Geyer fge...@debian.org Thu, 31 Jul 2014 20:20:00 +0200
+
kde4libs (4:4.8.4-4) unstable; urgency=low
* Backport an upstream patch to fix copying of files with extended ACLs.
diff -Nru kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch
kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch
--- kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch 1970-01-01
01:00:00.0 +0100
+++ kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch 2014-07-30
21:36:06.0 +0200
@@ -0,0 +1,50 @@
+From: Martin T. H. Sandsmark martin.sandsm...@kde.org
+Date: Mon, 21 Jul 2014 20:52:40 +
+Subject: Use dbus system bus name instead of PID for authentication.
+X-Git-Url:
http://quickgit.kde.org/?p=kdelibs.gita=commitdiffh=e4e7b53b71e2659adaf52691d4accc3594203b23
+---
+Use dbus system bus name instead of PID for authentication.
+
+Using the PID for authentication is prone to a PID reuse
+race condition, and a security issue.
+
+REVIEW: 119323
+---
+
+
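Review bot: the DEP-3 header lacks "Origin:" and "Bug-Debian:" fields. With the "X-Git-Url:" line already present, add "Origin: upstream, http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23" and "Bug-Debian: https://bugs.debian.org/755814" so the patch file itself records where the change came from and which Debian bug it closes, which is what the security tracker and anyone rebasing this patch later will look for. The "X-Git-Url:" line as shown here has wrapped in the mail and lost its "&" separators, so verify the URL in the actual patch file rather than in this listing.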
+--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+@@ -144,7 +144,7 @@
+
+ Action::AuthStatus Polkit1Backend::actionStatus(const QString action)
+ {
+-PolkitQt1::UnixProcessSubject subject(QCoreApplication::applicationPid());
++PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID()));
+ PolkitQt1::Authority::Result r =
PolkitQt1::Authority::instance()-checkAuthorizationSync(action, subject,
+
PolkitQt1::Authority::None);
+ switch (r) {
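Review bot: callerID() can return an empty byte array, and this hunk does not handle that case. QDBusConnection::systemBus().baseService() is empty whenever the system bus connection is not established, so a process started without a usable system bus (or one whose connection is not up yet) would hand SystemBusNameSubject("") to checkAuthorizationSync() and get an opaque error result instead of a clear failure; guard it before the call, returning whatever status the rest of this switch already uses for an error result (Action::Error, if that is what the Error branch yields). The substitution itself is the right fix for the race: the unique bus name (":1.xx") belongs to exactly one live connection, and polkit resolves it on its side to a pid plus process start time via the bus daemon, so unlike a bare pid it cannot be inherited by an unrelated process after the original exits. Note that the mail rendering has dropped "->", "&" and the stream operators from these lines ("instance()-checkAuthorizationSync", "const QString action"); review the hunk against the upstream commit, not this listing.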
+@@ -160,21 +160,12 @@
+
+ QByteArray Polkit1Backend::callerID() const
+ {
+-QByteArray a;
+-QDataStream s(a, QIODevice::WriteOnly);
+-s QCoreApplication::applicationPid();
+-
+-return a;
++return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+
+ bool Polkit1Backend::isCallerAuthorized(const QString action, QByteArray
callerID)
+ {
+-QDataStream s(callerID, QIODevice::ReadOnly);
+-qint64 pid;
+-
+-s pid;
+-
+-PolkitQt1::UnixProcessSubject subject(pid);
++PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+ PolkitQt1::Authority *authority = PolkitQt1::Authority::instance();
+
+ PolkitResultEventLoop e;
+
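Review bot: isCallerAuthorized() still authorizes whatever callerID the client chose to send, now as a bus name rather than a pid; nothing on the helper side checks that the name it is asked about is the connection the request actually arrived from. A client that supplies the unique name of some other connection that polkit would authorize (a root-owned daemon's, say) is therefore granted the action. Since the helper is itself reached over D-Bus, the trustworthy source for the subject is the sender of the incoming message (QDBusContext::message().service() in the helper's adaptor), which the bus daemon fills in and the client cannot forge; the client-supplied callerID should at most be cross-checked against that. This goes beyond cherry-picking the upstream commit and is a point for upstream, but it should be noted in the bug. Separately, the wire format of callerID changes here from a QDataStream-encoded qint64 to raw UTF-8 bytes, so a helper process still running the old libkdecore will misparse values from an updated client (and vice versa) until it is restarted; worth a line in the DSA or README if helpers are long-lived on any affected system.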
diff -Nru kde4libs-4.8.4/debian/patches/series
kde4libs-4.8.4/debian/patches/series
--- kde4libs-4.8.4/debian/patches/series2012-10-25 23:06:36.0
+0200
+++ kde4libs-4.8.4/debian/patches/series2014-07-31 20:19:56.0
+0200
@@ -26,3 +26,4 @@
glibc_filesystem.diff
python3-support-bytecode.patch
fix-copying-of-files-with-extended-ACLs.patch
+CVE-2014-5033.patch