
Bug#768430: unblock: kde-workspace/4:4.11.13-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package kde-workspace

In order to fix CVE-2014-8651:
https://security-tracker.debian.org/tracker/CVE-2014-8651

unblock kde-workspace/4:4.11.13-2

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru kde-workspace-4.11.13/debian/changelog kde-workspace-4.11.13/debian/changelog
--- kde-workspace-4.11.13/debian/changelog	2014-10-20 17:13:03.000000000 +0200
+++ kde-workspace-4.11.13/debian/changelog	2014-11-07 10:11:29.000000000 +0100
@@ -1,3 +1,13 @@
+kde-workspace (4:4.11.13-2) unstable; urgency=medium
+
+  * New patch: upstream_do_not_pass_ntpUtility_as_an_argument.patch fix
+    for https://www.kde.org/info/security/advisory-20141106-1.txt
+    (CVE-2014-8651 : https://security-tracker.debian.org/tracker/CVE-2014-8651)
+  * New patch: upstream_validate_timezone_name_before_setting.patch,
+    avoids .. in timezone name.
+
+ -- Maximiliano Curia <maxy@debian.org>  Fri, 07 Nov 2014 10:11:28 +0100
+
 kde-workspace (4:4.11.13-1) unstable; urgency=medium
 
   * New upstream release (4.11.13).
diff -Nru kde-workspace-4.11.13/debian/patches/series kde-workspace-4.11.13/debian/patches/series
--- kde-workspace-4.11.13/debian/patches/series	2014-10-20 17:13:03.000000000 +0200
+++ kde-workspace-4.11.13/debian/patches/series	2014-11-07 10:11:29.000000000 +0100
@@ -26,3 +26,5 @@
 kubuntu_avoid_zic_and_deep_copy_timezone_data.diff
 check_if_SensorMgr
 ksysguardd_acpi_valgrind_complain
+upstream_do_not_pass_ntpUtility_as_an_argument.patch
+upstream_validate_timezone_name_before_setting.patch
diff -Nru kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch
--- kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch	1970-01-01 01:00:00.000000000 +0100
+++ kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch	2014-11-07 10:11:29.000000000 +0100
@@ -0,0 +1,119 @@
+commit eebcb17746d9fa86ea8c5a7344709ef6750781cf
+Author: David Edmundson <kde@davidedmundson.co.uk>
+Date:   Tue Nov 4 13:57:59 2014 +0100
+
+    Do not pass ntpUtility as an argument to datetime helper
+    
+    Passing the name of a binary to run to a polkit helper is a security
+    risk as it allows any arbitrary process to be executed.
+    
+    This patch moves the detection of ntp utility location into the helper
+    function.
+    
+    REVIEW: 120977
+
+Index: kde-workspace/kcontrol/dateandtime/dtime.cpp
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/dtime.cpp	2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/dtime.cpp	2014-11-07 09:09:30.997905785 +0100
+@@ -142,27 +142,15 @@
+   //kclock->setEnabled(enabled);
+ }
+ 
+-void Dtime::findNTPutility(){
+-  QByteArray envpath = qgetenv("PATH");
+-  if (!envpath.isEmpty() && envpath[0] == ':') {
+-    envpath = envpath.mid(1);
+-  }
+-
+-  QString path = "/sbin:/usr/sbin:";
+-  if (!envpath.isEmpty()) {
+-    path += QString::fromLocal8Bit(envpath);
+-  } else {
+-    path += QLatin1String("/bin:/usr/bin");
+-  }
+-
+-  foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
+-    if( !((ntpUtility = KStandardDirs::findExe(possible_ntputility, path)).isEmpty()) ) {
+-      kDebug() << "ntpUtility = " << ntpUtility;
+-      return;
++void Dtime::findNTPutility()
++{
++    const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
++    foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++        ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++        if (!ntpUtility.isEmpty()) {
++            return;
++        }
+     }
+-  }
+-
+-  kDebug() << "ntpUtility not found!";
+ }
+ 
+ void Dtime::set_time()
+@@ -238,7 +226,6 @@
+   helperargs["ntp"] = true;
+   helperargs["ntpServers"] = list;
+   helperargs["ntpEnabled"] = setDateTimeAuto->isChecked();
+-  helperargs["ntpUtility"] = ntpUtility;
+ 
+   if(setDateTimeAuto->isChecked() && !ntpUtility.isEmpty()){
+     // NTP Time setting - done in helper
+Index: kde-workspace/kcontrol/dateandtime/helper.cpp
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/helper.cpp	2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/helper.cpp	2014-11-07 09:09:30.997905785 +0100
+@@ -52,8 +52,18 @@
+ // clears it. So we have to use a reasonable default.
+ static const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
+ 
+-int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled,
+-                      const QString& ntpUtility )
++static QString findNtpUtility()
++{
++    foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++        const QString ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++        if (!ntpUtility.isEmpty()) {
++            return ntpUtility;
++        }
++    }
++    return QString();
++}
++
++int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled )
+ {
+   int ret = 0;
+ 
+@@ -69,6 +79,8 @@
+   config.writeEntry("servers", ntpServers );
+   config.writeEntry("enabled", ntpEnabled );
+ 
++  QString ntpUtility(findNtpUtility());
++
+   if ( ntpEnabled && !ntpUtility.isEmpty() ) {
+     // NTP Time setting
+     QString timeServer = ntpServers.first();
+@@ -236,7 +248,7 @@
+   int ret = 0; // error code
+ //  The order here is important
+   if( _ntp )
+-    ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool(), args.value("ntpUtility").toString() );
++    ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool());
+   if( _date )
+     ret |= date( args.value("newdate").toString(), args.value("olddate").toString() );
+   if( _tz )
+Index: kde-workspace/kcontrol/dateandtime/helper.h
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/helper.h	2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/helper.h	2014-11-07 09:09:31.001905624 +0100
+@@ -42,8 +42,7 @@
+         ActionReply save(const QVariantMap &map);
+ 
+     private:
+-        int ntp(const QStringList& ntpServers, bool ntpEnabled,
+-                const QString& ntpUtility);
++        int ntp(const QStringList& ntpServers, bool ntpEnabled);
+         int date(const QString& newdate, const QString& olddate);
+         int tz(const QString& selectedzone);
+         int tzreset();
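Review bot: In the helper.cpp hunk for `ClockHelper::ntp`, the context line `QString timeServer = ntpServers.first();` still takes the first element of a list that comes straight from the caller-supplied argument map, and nothing checks that the list is non-empty. With `ntpEnabled` true and an empty `ntpServers`, the privileged helper would call `first()` on an empty QStringList; the guard should read `if ( ntpEnabled && !ntpUtility.isEmpty() && !ntpServers.isEmpty() ) {`. The rest of `ntp()` lies outside the hunk, so how `timeServer` reaches the utility's command line is not visible here; since that string is also caller-controlled, it probably deserves validation against a hostname character set before use. As a style point, the search path and the `ntpdate`/`rdate` candidate list are now duplicated between dtime.cpp and helper.cpp and can drift apart.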
diff -Nru kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch
--- kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch	1970-01-01 01:00:00.000000000 +0100
+++ kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch	2014-11-07 10:11:29.000000000 +0100
@@ -0,0 +1,28 @@
+commit 54d0bfb5effff9c8cf60da890b7728cbe36a454e
+Author: David Edmundson <kde@davidedmundson.co.uk>
+Date:   Tue Nov 4 14:00:54 2014 +0100
+
+    Validate timezone name before setting
+    
+    This patch ensures that the symlink /etc/localtime always points to a
+    file in /usr/share/timezones and not an arbitrary file in a user's home
+    directory.
+
+diff --git a/kcontrol/dateandtime/helper.cpp b/kcontrol/dateandtime/helper.cpp
+index 101d8ca..21fc51a 100644
+--- a/kcontrol/dateandtime/helper.cpp
++++ b/kcontrol/dateandtime/helper.cpp
+@@ -123,6 +123,13 @@ int ClockHelper::date( const QString& newdate, const QString& olddate )
+ int ClockHelper::tz( const QString& selectedzone )
+ {
+     int ret = 0;
++
++    //only allow letters, numbers hyphen underscore plus and forward slash
++    //allowed pattern taken from time-util.c in systemd
++    if (!QRegExp("[a-zA-Z0-9-_+/]*").exactMatch(selectedzone)) {
++        return ret;
++    }
++
+ #if defined(USE_SOLARIS)	// MARCO
+ 
+         KTemporaryFile tf;
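Review bot: The rejection branch added at the top of `ClockHelper::tz` returns `ret`, which is still 0 at that point, so a refused zone name is reported as success; the caller, which presumably ORs the result into its error code as it does for `ntp()` and `date()`, cannot tell that the request was dropped. Return a non-zero error value there instead of `ret`. The pattern also ends in `*`, so an empty `selectedzone` passes validation; unless an empty name is meaningful to the code below the hunk, use `QRegExp("[a-zA-Z0-9-_+/]+")`. The character class still admits a leading `/`, and whether that matters depends on how the target path is built further down in `tz()`, which continues outside the hunk.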
