Bug#768430: unblock: kde-workspace/4:4.11.13-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package kde-workspace
In order to fix CVE-2014-8651:
https://security-tracker.debian.org/tracker/CVE-2014-8651
unblock kde-workspace/4:4.11.13-2
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru kde-workspace-4.11.13/debian/changelog kde-workspace-4.11.13/debian/changelog
--- kde-workspace-4.11.13/debian/changelog 2014-10-20 17:13:03.000000000 +0200
+++ kde-workspace-4.11.13/debian/changelog 2014-11-07 10:11:29.000000000 +0100
@@ -1,3 +1,13 @@
+kde-workspace (4:4.11.13-2) unstable; urgency=medium
+
+ * New patch: upstream_do_not_pass_ntpUtility_as_an_argument.patch fix
+ for https://www.kde.org/info/security/advisory-20141106-1.txt
+ (CVE-2014-8651 : https://security-tracker.debian.org/tracker/CVE-2014-8651)
+ * New patch: upstream_validate_timezone_name_before_setting.patch,
+ avoids .. in timezone name.
+
+ -- Maximiliano Curia <maxy@debian.org> Fri, 07 Nov 2014 10:11:28 +0100
+
kde-workspace (4:4.11.13-1) unstable; urgency=medium
* New upstream release (4.11.13).
diff -Nru kde-workspace-4.11.13/debian/patches/series kde-workspace-4.11.13/debian/patches/series
--- kde-workspace-4.11.13/debian/patches/series 2014-10-20 17:13:03.000000000 +0200
+++ kde-workspace-4.11.13/debian/patches/series 2014-11-07 10:11:29.000000000 +0100
@@ -26,3 +26,5 @@
kubuntu_avoid_zic_and_deep_copy_timezone_data.diff
check_if_SensorMgr
ksysguardd_acpi_valgrind_complain
+upstream_do_not_pass_ntpUtility_as_an_argument.patch
+upstream_validate_timezone_name_before_setting.patch
diff -Nru kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch
--- kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch 1970-01-01 01:00:00.000000000 +0100
+++ kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch 2014-11-07 10:11:29.000000000 +0100
@@ -0,0 +1,119 @@
+commit eebcb17746d9fa86ea8c5a7344709ef6750781cf
+Author: David Edmundson <kde@davidedmundson.co.uk>
+Date: Tue Nov 4 13:57:59 2014 +0100
+
+ Do not pass ntpUtility as an argument to datetime helper
+
+ Passing the name of a binary to run to a polkit helper is a security
+ risk as it allows any arbitrary process to be executed.
+
+ This patch moves the detection of ntp utility location into the helper
+ function.
+
+ REVIEW: 120977
+
+Index: kde-workspace/kcontrol/dateandtime/dtime.cpp
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/dtime.cpp 2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/dtime.cpp 2014-11-07 09:09:30.997905785 +0100
+@@ -142,27 +142,15 @@
+ //kclock->setEnabled(enabled);
+ }
+
+-void Dtime::findNTPutility(){
+- QByteArray envpath = qgetenv("PATH");
+- if (!envpath.isEmpty() && envpath[0] == ':') {
+- envpath = envpath.mid(1);
+- }
+-
+- QString path = "/sbin:/usr/sbin:";
+- if (!envpath.isEmpty()) {
+- path += QString::fromLocal8Bit(envpath);
+- } else {
+- path += QLatin1String("/bin:/usr/bin");
+- }
+-
+- foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
+- if( !((ntpUtility = KStandardDirs::findExe(possible_ntputility, path)).isEmpty()) ) {
+- kDebug() << "ntpUtility = " << ntpUtility;
+- return;
++void Dtime::findNTPutility()
++{
++ const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
++ foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++ ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++ if (!ntpUtility.isEmpty()) {
++ return;
++ }
+ }
+- }
+-
+- kDebug() << "ntpUtility not found!";
+ }
+
+ void Dtime::set_time()
+@@ -238,7 +226,6 @@
+ helperargs["ntp"] = true;
+ helperargs["ntpServers"] = list;
+ helperargs["ntpEnabled"] = setDateTimeAuto->isChecked();
+- helperargs["ntpUtility"] = ntpUtility;
+
+ if(setDateTimeAuto->isChecked() && !ntpUtility.isEmpty()){
+ // NTP Time setting - done in helper
+Index: kde-workspace/kcontrol/dateandtime/helper.cpp
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/helper.cpp 2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/helper.cpp 2014-11-07 09:09:30.997905785 +0100
+@@ -52,8 +52,18 @@
+ // clears it. So we have to use a reasonable default.
+ static const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
+
+-int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled,
+- const QString& ntpUtility )
++static QString findNtpUtility()
++{
++ foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++ const QString ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++ if (!ntpUtility.isEmpty()) {
++ return ntpUtility;
++ }
++ }
++ return QString();
++}
++
++int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled )
+ {
+ int ret = 0;
+
+@@ -69,6 +79,8 @@
+ config.writeEntry("servers", ntpServers );
+ config.writeEntry("enabled", ntpEnabled );
+
++ QString ntpUtility(findNtpUtility());
++
+ if ( ntpEnabled && !ntpUtility.isEmpty() ) {
+ // NTP Time setting
+ QString timeServer = ntpServers.first();
+@@ -236,7 +248,7 @@
+ int ret = 0; // error code
+ // The order here is important
+ if( _ntp )
+- ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool(), args.value("ntpUtility").toString() );
++ ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool());
+ if( _date )
+ ret |= date( args.value("newdate").toString(), args.value("olddate").toString() );
+ if( _tz )
+Index: kde-workspace/kcontrol/dateandtime/helper.h
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/helper.h 2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/helper.h 2014-11-07 09:09:31.001905624 +0100
+@@ -42,8 +42,7 @@
+ ActionReply save(const QVariantMap &map);
+
+ private:
+- int ntp(const QStringList& ntpServers, bool ntpEnabled,
+- const QString& ntpUtility);
++ int ntp(const QStringList& ntpServers, bool ntpEnabled);
+ int date(const QString& newdate, const QString& olddate);
+ int tz(const QString& selectedzone);
+ int tzreset();
diff -Nru kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch
--- kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch 1970-01-01 01:00:00.000000000 +0100
+++ kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch 2014-11-07 10:11:29.000000000 +0100
@@ -0,0 +1,28 @@
+commit 54d0bfb5effff9c8cf60da890b7728cbe36a454e
+Author: David Edmundson <kde@davidedmundson.co.uk>
+Date: Tue Nov 4 14:00:54 2014 +0100
+
+ Validate timezone name before setting
+
+ This patch ensures that the symlink /etc/localtime always points to a
+ file in /usr/share/timezones and not an arbitrary file in a user's home
+ directory.
+
+diff --git a/kcontrol/dateandtime/helper.cpp b/kcontrol/dateandtime/helper.cpp
+index 101d8ca..21fc51a 100644
+--- a/kcontrol/dateandtime/helper.cpp
++++ b/kcontrol/dateandtime/helper.cpp
+@@ -123,6 +123,13 @@ int ClockHelper::date( const QString& newdate, const QString& olddate )
+ int ClockHelper::tz( const QString& selectedzone )
+ {
+ int ret = 0;
++
++ //only allow letters, numbers hyphen underscore plus and forward slash
++ //allowed pattern taken from time-util.c in systemd
++ if (!QRegExp("[a-zA-Z0-9-_+/]*").exactMatch(selectedzone)) {
++ return ret;
++ }
++
+ #if defined(USE_SOLARIS) // MARCO
+
+ KTemporaryFile tf;
Reply to: