Bug#862347: unblock: kauth/5.28.0-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear release team
kauth has recently received CVE-2017-8422 [1]. I have already uploaded the
patched version to unstable and it built fine in all the architectures.
I'm attaching the corresponding debdiff.
Please unblock package kauth
Regards,
[1]: https://security-tracker.debian.org/tracker/CVE-2017-8422
unblock kauth/5.28.0-2
-- System Information:
Debian Release: 9.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
diff -Nru kauth-5.28.0/debian/changelog kauth-5.28.0/debian/changelog
--- kauth-5.28.0/debian/changelog 2016-11-18 16:03:28.000000000 +0100
+++ kauth-5.28.0/debian/changelog 2017-05-10 15:03:15.000000000 +0200
@@ -1,3 +1,13 @@
+kauth (5.28.0-2) unstable; urgency=medium
+
+ * Drop applied patch: kauth_add_license
+ * Add new upstream patch:
+ Verify-that-whoever-is-calling-us-is-actually-who-he-says.patch.
+ Fixes CVE-2017-8422 in kauth
+ * Update symbols files.
+
+ -- Maximiliano Curia <maxy@debian.org> Wed, 10 May 2017 15:03:15 +0200
+
kauth (5.28.0-1) unstable; urgency=medium
[ Automatic packaging ]
diff -Nru kauth-5.28.0/debian/libkf5auth5.symbols kauth-5.28.0/debian/libkf5auth5.symbols
--- kauth-5.28.0/debian/libkf5auth5.symbols 2016-11-18 16:03:28.000000000 +0100
+++ kauth-5.28.0/debian/libkf5auth5.symbols 2017-05-10 15:03:15.000000000 +0200
@@ -1,4 +1,4 @@
-# SymbolsHelper-Confirmed: 5.27.0 alpha amd64 arm64 armel armhf hppa hurd-i386 i386 m68k mips mips64el mipsel powerpc powerpcspe ppc64 ppc64el s390x sparc64 x32
+# SymbolsHelper-Confirmed: 5.28.0 amd64
kauth_backend_plugin.so libkf5auth5 #MINVER#
qt_plugin_instance@Base 5.0.0
qt_plugin_query_metadata@Base 5.0.0
@@ -73,6 +73,7 @@
_ZN5KAuth6Action11setHelperIdERK7QString@Base 4.96.0
_ZN5KAuth6Action12setArgumentsERK4QMapI7QString8QVariantE@Base 4.96.0
_ZN5KAuth6Action15setParentWidgetEP7QWidget@Base 4.96.0
+ _ZN5KAuth6Action16staticMetaObjectE@Base 5.28.0
_ZN5KAuth6Action7executeENS0_13ExecutionModeE@Base 4.96.0
_ZN5KAuth6Action7setNameERK7QString@Base 4.96.0
_ZN5KAuth6ActionC1ERK7QString@Base 4.96.0
diff -Nru kauth-5.28.0/debian/patches/kauth_add_license kauth-5.28.0/debian/patches/kauth_add_license
--- kauth-5.28.0/debian/patches/kauth_add_license 2016-11-18 16:03:28.000000000 +0100
+++ kauth-5.28.0/debian/patches/kauth_add_license 1970-01-01 01:00:00.000000000 +0100
@@ -1,52 +0,0 @@
-From: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
-Date: Sun, 15 May 2016 14:44:11 +0200
-Subject: kauth_add_license
-
-commit 748e9dc14325ca50dbd2789824acf888a85dc049
-Author: Maximiliano Curia <maxy@gnuservers.com.ar>
-Date: Fri Mar 20 13:59:59 2015 +0100
-
- Add missing license
-
- The cmake files:
- cmake/FindPolkitQt.cmake
- cmake/KF5AuthMacros.cmake
- cmake/FindPolkitQt-1.cmake
- claim:
- Redistribution and use is allowed according to the terms of the BSD license.
- For details see the accompanying COPYING-CMAKE-SCRIPTS file.
-
- So we need to distribute the COPYING-CMAKE-SCRIPTS file with this package.
----
- COPYING-CMAKE-SCRIPTS | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
- create mode 100644 COPYING-CMAKE-SCRIPTS
-
-diff --git a/COPYING-CMAKE-SCRIPTS b/COPYING-CMAKE-SCRIPTS
-new file mode 100644
-index 0000000..53b6b71
---- /dev/null
-+++ b/COPYING-CMAKE-SCRIPTS
-@@ -0,0 +1,22 @@
-+Redistribution and use in source and binary forms, with or without
-+modification, are permitted provided that the following conditions
-+are met:
-+
-+1. Redistributions of source code must retain the copyright
-+ notice, this list of conditions and the following disclaimer.
-+2. Redistributions in binary form must reproduce the copyright
-+ notice, this list of conditions and the following disclaimer in the
-+ documentation and/or other materials provided with the distribution.
-+3. The name of the author may not be used to endorse or promote products
-+ derived from this software without specific prior written permission.
-+
-+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff -Nru kauth-5.28.0/debian/patches/series kauth-5.28.0/debian/patches/series
--- kauth-5.28.0/debian/patches/series 2016-11-18 16:03:28.000000000 +0100
+++ kauth-5.28.0/debian/patches/series 2017-05-10 15:03:15.000000000 +0200
@@ -1 +1 @@
-kauth_add_license
+Verify-that-whoever-is-calling-us-is-actually-who-he-says.patch
diff -Nru kauth-5.28.0/debian/patches/Verify-that-whoever-is-calling-us-is-actually-who-he-says.patch kauth-5.28.0/debian/patches/Verify-that-whoever-is-calling-us-is-actually-who-he-says.patch
--- kauth-5.28.0/debian/patches/Verify-that-whoever-is-calling-us-is-actually-who-he-says.patch 1970-01-01 01:00:00.000000000 +0100
+++ kauth-5.28.0/debian/patches/Verify-that-whoever-is-calling-us-is-actually-who-he-says.patch 2017-05-10 15:03:15.000000000 +0200
@@ -0,0 +1,194 @@
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 10 May 2017 10:03:45 +0200
+Subject: Verify that whoever is calling us is actually who he says he is
+
+CVE-2017-8422
+---
+ src/AuthBackend.cpp | 5 +++++
+ src/AuthBackend.h | 7 +++++++
+ src/backends/dbus/DBusHelperProxy.cpp | 27 +++++++++++++++++++++++++--
+ src/backends/dbus/DBusHelperProxy.h | 6 +++++-
+ src/backends/policykit/PolicyKitBackend.cpp | 5 +++++
+ src/backends/policykit/PolicyKitBackend.h | 1 +
+ src/backends/polkit-1/Polkit1Backend.cpp | 5 +++++
+ src/backends/polkit-1/Polkit1Backend.h | 1 +
+ 8 files changed, 54 insertions(+), 3 deletions(-)
+
+diff --git a/src/AuthBackend.cpp b/src/AuthBackend.cpp
+index ff91dd5..fa8c258 100644
+--- a/src/AuthBackend.cpp
++++ b/src/AuthBackend.cpp
+@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities)
+ d->capabilities = capabilities;
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const
++{
++ return NoExtraCallerIDVerificationMethod;
++}
++
+ bool AuthBackend::actionExists(const QString &action)
+ {
+ Q_UNUSED(action);
+diff --git a/src/AuthBackend.h b/src/AuthBackend.h
+index c67a706..09195ef 100644
+--- a/src/AuthBackend.h
++++ b/src/AuthBackend.h
+@@ -43,6 +43,12 @@ public:
+ };
+ Q_DECLARE_FLAGS(Capabilities, Capability)
+
++ enum ExtraCallerIDVerificationMethod {
++ NoExtraCallerIDVerificationMethod,
++ VerifyAgainstDBusServiceName,
++ VerifyAgainstDBusServicePid,
++ };
++
+ AuthBackend();
+ virtual ~AuthBackend();
+ virtual void setupAction(const QString &action) = 0;
+@@ -50,6 +56,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString &action) = 0;
+ virtual Action::AuthStatus actionStatus(const QString &action) = 0;
+ virtual QByteArray callerID() const = 0;
++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0;
+ virtual bool actionExists(const QString &action);
+
+diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
+index d2620ac..36bc6a8 100644
+--- a/src/backends/dbus/DBusHelperProxy.cpp
++++ b/src/backends/dbus/DBusHelperProxy.cpp
+@@ -232,6 +232,29 @@ bool DBusHelperProxy::hasToStopAction()
+ return m_stopRequest;
+ }
+
++bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID)
++{
++ // Check the caller is really who it says it is
++ switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) {
++ case AuthBackend::NoExtraCallerIDVerificationMethod:
++ break;
++
++ case AuthBackend::VerifyAgainstDBusServiceName:
++ if (message().service().toUtf8() != callerID) {
++ return false;
++ }
++ break;
++
++ case AuthBackend::VerifyAgainstDBusServicePid:
++ if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) {
++ return false;
++ }
++ break;
++ }
++
++ return BackendsManager::authBackend()->isCallerAuthorized(action, callerID);
++}
++
+ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments)
+ {
+ if (!responder) {
+@@ -256,7 +279,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+ QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
+ timer->stop();
+
+- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++ if (isCallerAuthorized(action, callerID)) {
+ QString slotname = action;
+ if (slotname.startsWith(m_name + QLatin1Char('.'))) {
+ slotname = slotname.right(slotname.length() - m_name.length() - 1);
+@@ -298,7 +321,7 @@ uint DBusHelperProxy::authorizeAction(const QString &action, const QByteArray &c
+ QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
+ timer->stop();
+
+- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++ if (isCallerAuthorized(action, callerID)) {
+ retVal = static_cast<uint>(Action::AuthorizedStatus);
+ } else {
+ retVal = static_cast<uint>(Action::DeniedStatus);
+diff --git a/src/backends/dbus/DBusHelperProxy.h b/src/backends/dbus/DBusHelperProxy.h
+index 8f4254c..656d669 100644
+--- a/src/backends/dbus/DBusHelperProxy.h
++++ b/src/backends/dbus/DBusHelperProxy.h
+@@ -25,12 +25,13 @@
+ #include "kauthactionreply.h"
+
+ #include <QDBusConnection>
++#include <QDBusContext>
+ #include <QVariant>
+
+ namespace KAuth
+ {
+
+-class DBusHelperProxy : public HelperProxy
++class DBusHelperProxy : public HelperProxy, protected QDBusContext
+ {
+ Q_OBJECT
+ Q_PLUGIN_METADATA(IID "org.kde.DBusHelperProxy")
+@@ -79,6 +80,9 @@ Q_SIGNALS:
+
+ private Q_SLOTS:
+ void remoteSignalReceived(int type, const QString &action, QByteArray blob);
++
++private:
++ bool isCallerAuthorized(const QString &action, const QByteArray &callerID);
+ };
+
+ } // namespace Auth
+diff --git a/src/backends/policykit/PolicyKitBackend.cpp b/src/backends/policykit/PolicyKitBackend.cpp
+index c2b4d42..bf038a8 100644
+--- a/src/backends/policykit/PolicyKitBackend.cpp
++++ b/src/backends/policykit/PolicyKitBackend.cpp
+@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const
+ return a;
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++ return VerifyAgainstDBusServicePid;
++}
++
+ bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+ QDataStream s(&callerID, QIODevice::ReadOnly);
+diff --git a/src/backends/policykit/PolicyKitBackend.h b/src/backends/policykit/PolicyKitBackend.h
+index eb17a3a..38b0240 100644
+--- a/src/backends/policykit/PolicyKitBackend.h
++++ b/src/backends/policykit/PolicyKitBackend.h
+@@ -40,6 +40,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString &);
+ virtual Action::AuthStatus actionStatus(const QString &);
+ virtual QByteArray callerID() const;
++ ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+
+ private Q_SLOTS:
+diff --git a/src/backends/polkit-1/Polkit1Backend.cpp b/src/backends/polkit-1/Polkit1Backend.cpp
+index 78ee5bb..774588c 100644
+--- a/src/backends/polkit-1/Polkit1Backend.cpp
++++ b/src/backends/polkit-1/Polkit1Backend.cpp
+@@ -162,6 +162,11 @@ QByteArray Polkit1Backend::callerID() const
+ return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++ return VerifyAgainstDBusServiceName;
++}
++
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+diff --git a/src/backends/polkit-1/Polkit1Backend.h b/src/backends/polkit-1/Polkit1Backend.h
+index e0d661b..d816664 100644
+--- a/src/backends/polkit-1/Polkit1Backend.h
++++ b/src/backends/polkit-1/Polkit1Backend.h
+@@ -49,6 +49,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString &);
+ virtual Action::AuthStatus actionStatus(const QString &);
+ virtual QByteArray callerID() const;
++ ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+ virtual bool actionExists(const QString &action);
+
Reply to: