Re: Wheezy update of kde4libs?



Hi Maxy,

> > Would you like to take care of this yourself?
> 
> Currently no, sorry. If you manage to work on this, please send me the
> diff or the format-patch queue so I can record the upload in our vcs.

I don't have a format-patch-formatted patch (:P), but please find attached the
debdiff that I have just uploaded.

Cheers,
Emilio
diff -Nru kde4libs-4.8.4/debian/changelog kde4libs-4.8.4/debian/changelog
--- kde4libs-4.8.4/debian/changelog	2016-07-25 15:13:22.000000000 +0200
+++ kde4libs-4.8.4/debian/changelog	2017-05-23 21:10:51.000000000 +0200
@@ -1,3 +1,15 @@
+kde4libs (4:4.8.4-4+deb7u3) wheezy-security; urgency=medium
+
+  * Non-maintainer upload by the LTS team.
+  * Sanitize URLs before passing them to FindProxyForURL (CVE-2017-6410)
+    (Closes: #856890)
+  * Verify that whoever is calling us is actually who he says he is
+    (CVE-2017-8422)
+  * Don't show passwords contained in HTTP URLs in error messages
+    (CVE-2013-2074)
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org>  Tue, 23 May 2017 21:10:51 +0200
+
 kde4libs (4:4.8.4-4+deb7u2) wheezy-security; urgency=medium
 
   * Add new patch: cve-2016-6232.patch
diff -Nru kde4libs-4.8.4/debian/files kde4libs-4.8.4/debian/files
--- kde4libs-4.8.4/debian/files	1970-01-01 01:00:00.000000000 +0100
+++ kde4libs-4.8.4/debian/files	2017-05-23 21:10:51.000000000 +0200
@@ -0,0 +1 @@
+kde4libs_4.8.4-4+deb7u3_source.buildinfo libs optional
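Review bot: debian/files is generated during the build, so this newly created file, whose only line is the _source.buildinfo entry, looks like a leftover from the source build rather than an intended change. Clean the tree before generating the debdiff so the file is not recorded in the VCS along with the real changes.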
diff -Nru kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-1.patch kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-1.patch
--- kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-1.patch	1970-01-01 01:00:00.000000000 +0100
+++ kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-1.patch	2017-05-23 21:10:51.000000000 +0200
@@ -0,0 +1,38 @@
+From 65d736dab592bced4410ccfa4699de89f78c96ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Gr=C3=A9gory=20Oestreicher?= <greg@kamago.net>
+Date: Wed, 8 May 2013 23:16:00 +0200
+Subject: Don't show passwords contained in HTTP URLs in error messages BUG:
+ 319428
+
+---
+ kioslave/http/http.cpp | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp
+index 2d139a9..129fc7b 100644
+--- a/kioslave/http/http.cpp
++++ b/kioslave/http/http.cpp
+@@ -3056,7 +3056,7 @@ try_again:
+             ; // Ignore error
+         } else {
+             if (!sendErrorPageNotification()) {
+-                error(ERR_INTERNAL_SERVER, m_request.url.url());
++                error(ERR_INTERNAL_SERVER, m_request.url.prettyUrl());
+                 return false;
+             }
+         }
+@@ -3072,9 +3072,9 @@ try_again:
+         // Tell that we will only get an error page here.
+         if (!sendErrorPageNotification()) {
+             if (m_request.responseCode == 403)
+-                error(ERR_ACCESS_DENIED, m_request.url.url());
++                error(ERR_ACCESS_DENIED, m_request.url.prettyUrl());
+             else
+-                error(ERR_DOES_NOT_EXIST, m_request.url.url());
++                error(ERR_DOES_NOT_EXIST, m_request.url.prettyUrl());
+             return false;
+         }
+     } else if (m_request.responseCode >= 301 && m_request.responseCode<= 303) {
+-- 
+cgit v0.11.2
+
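Review bot: this patch switches only the three error() calls in the two try_again hunks to prettyUrl(), and part-2's own subject line says it missed two more url() uses in the same file, so part-1 must never be applied or backported on its own. Consider folding both parts into a single CVE-2013-2074 patch or stating the dependency in the patch header. The header also ends in a cgit footer and has no Origin line; a pointer to the upstream commit would make the backport easier to audit.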
diff -Nru kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-2.patch kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-2.patch
--- kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-2.patch	1970-01-01 01:00:00.000000000 +0100
+++ kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-2.patch	2017-05-23 21:10:51.000000000 +0200
@@ -0,0 +1,36 @@
+From 898135a59d91184692ed1bcee8bb4c6d80d6f7b9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Gr=C3=A9gory=20Oestreicher?= <greg@kamago.net>
+Date: Wed, 15 May 2013 21:56:29 +0200
+Subject: Continue hiding passwords in URLs displayed to the user The fix
+ introduced by 65d736da missed two usages of url() instead of prettyUrl().
+ Thanks to Kevin Kofler for spotting those. BUG: 319428
+
+---
+ kioslave/http/http.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp
+index 129fc7b..0c887bd 100644
+--- a/kioslave/http/http.cpp
++++ b/kioslave/http/http.cpp
+@@ -1581,7 +1581,7 @@ QString HTTPProtocol::davError( int code /* = -1 */, const QString &_url )
+ 
+   QString url = _url;
+   if ( !url.isNull() )
+-    url = m_request.url.url();
++    url = m_request.url.prettyUrl();
+ 
+   QString action, errorString;
+   int errorCode = ERR_SLAVE_DEFINED;
+@@ -3464,7 +3464,7 @@ endParsing:
+             KUrl u(m_request.url, locationStr);
+             if(!u.isValid())
+             {
+-                error(ERR_MALFORMED_URL, u.url());
++                error(ERR_MALFORMED_URL, u.prettyUrl());
+                 return false;
+             }
+ 
+-- 
+cgit v0.11.2
+
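Review bot: in the davError() hunk the unchanged guard `if ( !url.isNull() )` overwrites a caller-supplied `_url` and leaves a null one null, which reads as inverted. It is outside what this fix changes, but as written it is also what keeps the raw `_url` out of the message, so a sentence in the patch header would stop a later cleanup from flipping the condition and letting an unsanitized URL through.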
diff -Nru kde4libs-4.8.4/debian/patches/CVE-2017-6410.diff kde4libs-4.8.4/debian/patches/CVE-2017-6410.diff
--- kde4libs-4.8.4/debian/patches/CVE-2017-6410.diff	1970-01-01 01:00:00.000000000 +0100
+++ kde4libs-4.8.4/debian/patches/CVE-2017-6410.diff	2017-05-23 21:09:00.000000000 +0200
@@ -0,0 +1,39 @@
+From 1804c2fde7bf4e432c6cf5bb8cce5701c7010559 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 28 Feb 2017 19:08:50 +0100
+Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL
+
+Remove user/password information
+For https: remove path and query
+
+Backport from kio f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
+---
+ kio/misc/kpac/script.cpp | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/kio/misc/kpac/script.cpp b/kio/misc/kpac/script.cpp
+index a595301..9ab360a 100644
+--- a/kio/misc/kpac/script.cpp
++++ b/kio/misc/kpac/script.cpp
+@@ -754,9 +754,16 @@ namespace KPAC
+             }
+         }
+ 
++        KUrl cleanUrl = url;
++        cleanUrl.setUserInfo(QString());
++        if (cleanUrl.scheme().toLower() == QLatin1String("https")) {
++            cleanUrl.setPath(QString());
++            cleanUrl.setQuery(QString());
++        }
++
+         QScriptValueList args;
+-        args << url.url();
+-        args << url.host();
++        args << cleanUrl.url();
++        args << cleanUrl.host();
+ 
+         QScriptValue result = func.call(QScriptValue(), args);
+         if (result.isError()) {
+-- 
+2.1.4
+
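Review bot: the new cleanUrl block clears user info for every scheme and path and query for https only, but never touches the fragment; if KUrl::url() still emits it, clear it next to setQuery() so nothing beyond scheme, host and port reaches the PAC script for https. The reason https is treated differently from http is given only in the commit message ("For https: remove path and query"); a short comment above the `if` would keep that rationale with the code.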
diff -Nru kde4libs-4.8.4/debian/patches/CVE-2017-8422.diff kde4libs-4.8.4/debian/patches/CVE-2017-8422.diff
--- kde4libs-4.8.4/debian/patches/CVE-2017-8422.diff	1970-01-01 01:00:00.000000000 +0100
+++ kde4libs-4.8.4/debian/patches/CVE-2017-8422.diff	2017-05-23 21:09:00.000000000 +0200
@@ -0,0 +1,201 @@
+From 264e97625abe2e0334f97de17f6ffb52582888ab Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 10 May 2017 10:06:07 +0200
+Subject: [PATCH] Verify that whoever is calling us is actually who he says he
+ is
+
+CVE-2017-8422
+---
+ kdecore/auth/AuthBackend.cpp                       |  5 ++++
+ kdecore/auth/AuthBackend.h                         |  7 ++++++
+ kdecore/auth/backends/dbus/DBusHelperProxy.cpp     | 27 ++++++++++++++++++++--
+ kdecore/auth/backends/dbus/DBusHelperProxy.h       |  6 ++++-
+ .../auth/backends/policykit/PolicyKitBackend.cpp   |  5 ++++
+ kdecore/auth/backends/policykit/PolicyKitBackend.h |  1 +
+ kdecore/auth/backends/polkit-1/Polkit1Backend.cpp  |  5 ++++
+ kdecore/auth/backends/polkit-1/Polkit1Backend.h    |  1 +
+ 8 files changed, 54 insertions(+), 3 deletions(-)
+
+diff --git a/kdecore/auth/AuthBackend.cpp b/kdecore/auth/AuthBackend.cpp
+index c953b81..0ba4650 100644
+--- a/kdecore/auth/AuthBackend.cpp
++++ b/kdecore/auth/AuthBackend.cpp
+@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities)
+     d->capabilities = capabilities;
+ }
+ 
++AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const
++{
++    return NoExtraCallerIDVerificationMethod;
++}
++
+ bool AuthBackend::actionExists(const QString& action)
+ {
+     Q_UNUSED(action);
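Review bot: the base-class default added here returns NoExtraCallerIDVerificationMethod, so a backend that does not override extraCallerIDVerificationMethod() silently gets no extra caller check in DBusHelperProxy::isCallerAuthorized(). Making the method pure virtual, like callerID(), would force each backend to choose explicitly; if the default has to stay, add a comment saying which backends are expected to rely on it.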
+diff --git a/kdecore/auth/AuthBackend.h b/kdecore/auth/AuthBackend.h
+index a86732e..6f4b1bc 100644
+--- a/kdecore/auth/AuthBackend.h
++++ b/kdecore/auth/AuthBackend.h
+@@ -43,6 +43,12 @@ public:
+     };
+     Q_DECLARE_FLAGS(Capabilities, Capability)
+ 
++    enum ExtraCallerIDVerificationMethod {
++        NoExtraCallerIDVerificationMethod,
++        VerifyAgainstDBusServiceName,
++        VerifyAgainstDBusServicePid,
++    };
++
+     AuthBackend();
+     virtual ~AuthBackend();
+     virtual void setupAction(const QString &action) = 0;
+@@ -50,6 +56,7 @@ public:
+     virtual Action::AuthStatus authorizeAction(const QString &action) = 0;
+     virtual Action::AuthStatus actionStatus(const QString &action) = 0;
+     virtual QByteArray callerID() const = 0;
++    virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0;
+     virtual bool actionExists(const QString &action);
+ 
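Review bot: the new virtual is declared between callerID() and isCallerAuthorized(), which shifts the vtable slot of every virtual after it. For a stable security update, confirm that every AuthBackend subclass is rebuilt from this source package and that nothing built separately uses the old layout, or declare the method after the existing virtuals. The enum added in the hunk above also has no comment explaining what each value is compared against.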
+diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.cpp b/kdecore/auth/backends/dbus/DBusHelperProxy.cpp
+index 9557a0f..ca59f1c 100644
+--- a/kdecore/auth/backends/dbus/DBusHelperProxy.cpp
++++ b/kdecore/auth/backends/dbus/DBusHelperProxy.cpp
+@@ -271,6 +271,29 @@ void DBusHelperProxy::performActions(QByteArray blob, const QByteArray &callerID
+     }
+ }
+ 
++bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID)
++{
++    // Check the caller is really who it says it is
++    switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) {
++        case AuthBackend::NoExtraCallerIDVerificationMethod:
++        break;
++
++        case AuthBackend::VerifyAgainstDBusServiceName:
++            if (message().service().toUtf8() != callerID) {
++                return false;
++            }
++        break;
++
++        case AuthBackend::VerifyAgainstDBusServicePid:
++            if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) {
++                return false;
++            }
++        break;
++    }
++
++    return BackendsManager::authBackend()->isCallerAuthorized(action, callerID);
++}
++
+ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments)
+ {
+     if (!responder) {
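Review bot: in the VerifyAgainstDBusServicePid case, `servicePid(...).value()` is read without checking the reply's isValid(), and `callerID.toUInt()` is called without its ok flag, so a failed lookup and an unparsable callerID are not rejected explicitly (toUInt() yields 0 on failure). Check both and return false on either error before comparing. message() and connection() come from QDBusContext and are only meaningful while a D-Bus call is being handled, so a calledFromDBus() guard that fails closed would make that assumption explicit.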
+@@ -295,7 +318,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+     QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>();
+     timer->stop();
+ 
+-    if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++    if (isCallerAuthorized(action, callerID)) {
+         QString slotname = action;
+         if (slotname.startsWith(m_name + QLatin1Char('.'))) {
+             slotname = slotname.right(slotname.length() - m_name.length() - 1);
+@@ -338,7 +361,7 @@ uint DBusHelperProxy::authorizeAction(const QString& action, const QByteArray& c
+     QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>();
+     timer->stop();
+ 
+-    if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++    if (isCallerAuthorized(action, callerID)) {
+         retVal = static_cast<uint>(Action::Authorized);
+     } else {
+         retVal = static_cast<uint>(Action::Denied);
+diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.h b/kdecore/auth/backends/dbus/DBusHelperProxy.h
+index 455cf51..264f6cc 100644
+--- a/kdecore/auth/backends/dbus/DBusHelperProxy.h
++++ b/kdecore/auth/backends/dbus/DBusHelperProxy.h
+@@ -21,6 +21,7 @@
+ #ifndef DBUS_HELPER_PROXY_H
+ #define DBUS_HELPER_PROXY_H
+ 
++#include <QDBusContext>
+ #include <QVariant>
+ #include "HelperProxy.h"
+ #include "kauthactionreply.h"
+@@ -28,7 +29,7 @@
+ namespace KAuth
+ {
+ 
+-class DBusHelperProxy : public HelperProxy
++class DBusHelperProxy : public HelperProxy, protected QDBusContext
+ {
+     Q_OBJECT
+     Q_INTERFACES(KAuth::HelperProxy)
+@@ -73,6 +74,9 @@ signals:
+ 
+ private slots:
+     void remoteSignalReceived(int type, const QString &action, QByteArray blob);
++
++private:
++    bool isCallerAuthorized(const QString &action, const QByteArray &callerID);
+ };
+ 
+ } // namespace Auth
+diff --git a/kdecore/auth/backends/policykit/PolicyKitBackend.cpp b/kdecore/auth/backends/policykit/PolicyKitBackend.cpp
+index 3be97f2..9d041d1 100644
+--- a/kdecore/auth/backends/policykit/PolicyKitBackend.cpp
++++ b/kdecore/auth/backends/policykit/PolicyKitBackend.cpp
+@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const
+     return a;
+ }
+ 
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++    return VerifyAgainstDBusServicePid;
++}
++
+ bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+     QDataStream s(&callerID, QIODevice::ReadOnly);
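Review bot: the method added to PolicyKitBackend.cpp is defined as `Polkit1Backend::extraCallerIDVerificationMethod()`, while the surrounding members in this file are `PolicyKitBackend::callerID()` and `PolicyKitBackend::isCallerAuthorized()` and the declaration is added to PolicyKitBackend.h. It should read `PolicyKitBackend::extraCallerIDVerificationMethod()`; as written the policykit backend will not build when it is enabled. Separately, isCallerAuthorized() just below reads callerID through a QDataStream, while the VerifyAgainstDBusServicePid path compares `callerID.toUInt()`, so confirm the callerID encoding is what that comparison expects.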
+diff --git a/kdecore/auth/backends/policykit/PolicyKitBackend.h b/kdecore/auth/backends/policykit/PolicyKitBackend.h
+index 7154e93..0d3d8f9 100644
+--- a/kdecore/auth/backends/policykit/PolicyKitBackend.h
++++ b/kdecore/auth/backends/policykit/PolicyKitBackend.h
+@@ -40,6 +40,7 @@ public:
+     virtual Action::AuthStatus authorizeAction(const QString&);
+     virtual Action::AuthStatus actionStatus(const QString&);
+     virtual QByteArray callerID() const;
++    virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+ 
+ private Q_SLOTS:
+diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+index 732d2cb..63c0e1e 100644
+--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
++++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+@@ -163,6 +163,11 @@ QByteArray Polkit1Backend::callerID() const
+     return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+ 
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++    return VerifyAgainstDBusServiceName;
++}
++
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+     PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.h b/kdecore/auth/backends/polkit-1/Polkit1Backend.h
+index 18ed1a2..d579da2 100644
+--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.h
++++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.h
+@@ -48,6 +48,7 @@ public:
+     virtual Action::AuthStatus authorizeAction(const QString&);
+     virtual Action::AuthStatus actionStatus(const QString&);
+     virtual QByteArray callerID() const;
++    virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+     virtual bool actionExists(const QString& action);
+ 
+-- 
+2.1.4
+
diff -Nru kde4libs-4.8.4/debian/patches/series kde4libs-4.8.4/debian/patches/series
--- kde4libs-4.8.4/debian/patches/series	2016-07-25 15:12:25.000000000 +0200
+++ kde4libs-4.8.4/debian/patches/series	2017-05-23 21:10:51.000000000 +0200
@@ -28,3 +28,7 @@
 fix-copying-of-files-with-extended-ACLs.patch
 CVE-2014-5033.patch
 cve-2016-6232.patch
+CVE-2013-2074-part-1.patch
+CVE-2013-2074-part-2.patch
+CVE-2017-6410.diff
+CVE-2017-8422.diff
