Bug#755814: kde4libs: CVE-2014-5033
Hi Moritz,
On Wed, 23 Jul 2014 16:05:25 +0200 Moritz Muehlenhoff <jmm@inutil.org> wrote:
> Package: kde4libs
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> please see https://bugzilla.novell.com/show_bug.cgi?id=864716 for the original
> bug report. The upstream fix is available here:
> http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23
>
> We should also fix this in Wheezy.
Attached is a debdiff that adds the upstream patch to kde4libs/wheezy.
I've tested that kauth still works (e.g. changing the display manager setting in system settings).
Please let me know if I can go ahead and upload it to the security archive.
Cheers,
Felix
diff -Nru kde4libs-4.8.4/debian/changelog kde4libs-4.8.4/debian/changelog
--- kde4libs-4.8.4/debian/changelog 2012-10-26 00:02:15.000000000 +0200
+++ kde4libs-4.8.4/debian/changelog 2014-07-31 20:39:56.000000000 +0200
@@ -1,3 +1,11 @@
+kde4libs (4:4.8.4-4+deb7u1) wheezy-security; urgency=medium
+
+ * Fix kauth authentication bypass. (Closes: #755814)
+ - Add CVE-2014-5033.patch, cherry-picked from upstream.
+ - CVE-2014-5033
+
+ -- Felix Geyer <fgeyer@debian.org> Thu, 31 Jul 2014 20:20:00 +0200
+
kde4libs (4:4.8.4-4) unstable; urgency=low
* Backport an upstream patch to fix copying of files with extended ACLs.
diff -Nru kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch
--- kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch 1970-01-01 01:00:00.000000000 +0100
+++ kde4libs-4.8.4/debian/patches/CVE-2014-5033.patch 2014-07-30 21:36:06.000000000 +0200
@@ -0,0 +1,50 @@
+From: Martin T. H. Sandsmark <martin.sandsmark@kde.org>
+Date: Mon, 21 Jul 2014 20:52:40 +0000
+Subject: Use dbus system bus name instead of PID for authentication.
+X-Git-Url: http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23
+---
+Use dbus system bus name instead of PID for authentication.
+
+Using the PID for authentication is prone to a PID reuse
+race condition, and a security issue.
+
+REVIEW: 119323
+---
+
+
+--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
++++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+@@ -144,7 +144,7 @@
+
+ Action::AuthStatus Polkit1Backend::actionStatus(const QString &action)
+ {
+- PolkitQt1::UnixProcessSubject subject(QCoreApplication::applicationPid());
++ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID()));
+ PolkitQt1::Authority::Result r = PolkitQt1::Authority::instance()->checkAuthorizationSync(action, subject,
+ PolkitQt1::Authority::None);
+ switch (r) {
+@@ -160,21 +160,12 @@
+
+ QByteArray Polkit1Backend::callerID() const
+ {
+- QByteArray a;
+- QDataStream s(&a, QIODevice::WriteOnly);
+- s << QCoreApplication::applicationPid();
+-
+- return a;
++ return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+- QDataStream s(&callerID, QIODevice::ReadOnly);
+- qint64 pid;
+-
+- s >> pid;
+-
+- PolkitQt1::UnixProcessSubject subject(pid);
++ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+ PolkitQt1::Authority *authority = PolkitQt1::Authority::instance();
+
+ PolkitResultEventLoop e;
+
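Review bot: the replacement body of Polkit1Backend::callerID() (`+ return QDBusConnection::systemBus().baseService().toUtf8();`) pulls in QDBusConnection, yet no include is added anywhere in this hunk; for a cherry-pick into 4.8.4 it is worth confirming that Polkit1Backend.cpp already includes the QtDBus header and that the polkit-qt-1 shipped in wheezy provides PolkitQt1::SystemBusNameSubject, since upstream wrote this against a much newer kdelibs. On the substance the change is sound: a unique system-bus name is never handed out twice for the lifetime of the bus daemon, whereas the PID previously serialized through QDataStream can be recycled once the original process exits, which is exactly the reuse race the patch description names. Note that isCallerAuthorized() now interprets callerID as a UTF-8 bus name instead of a qint64, so a helper and a client on different sides of this patch will not agree on the callerID format; that is harmless here because both are built from kde4libs, but it should be kept in mind if any out-of-tree KAuth helper in wheezy embeds its own copy of this backend.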
diff -Nru kde4libs-4.8.4/debian/patches/series kde4libs-4.8.4/debian/patches/series
--- kde4libs-4.8.4/debian/patches/series 2012-10-25 23:06:36.000000000 +0200
+++ kde4libs-4.8.4/debian/patches/series 2014-07-31 20:19:56.000000000 +0200
@@ -26,3 +26,4 @@
glibc_filesystem.diff
python3-support-bytecode.patch
fix-copying-of-files-with-extended-ACLs.patch
+CVE-2014-5033.patch