
Bug#768430: marked as done (unblock: kde-workspace/4:4.11.13-2)



Your message dated Fri, 7 Nov 2014 13:07:33 +0100
with message-id <20141107120732.GD3095@coloquinte.cristau.org>
and subject line Re: Bug#768430: unblock: kde-workspace/4:4.11.13-2
has caused the Debian Bug report #768430,
regarding unblock: kde-workspace/4:4.11.13-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
768430: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768430
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package kde-workspace

In order to fix CVE-2014-8651:
https://security-tracker.debian.org/tracker/CVE-2014-8651

unblock kde-workspace/4:4.11.13-2

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru kde-workspace-4.11.13/debian/changelog kde-workspace-4.11.13/debian/changelog
--- kde-workspace-4.11.13/debian/changelog	2014-10-20 17:13:03.000000000 +0200
+++ kde-workspace-4.11.13/debian/changelog	2014-11-07 10:11:29.000000000 +0100
@@ -1,3 +1,13 @@
+kde-workspace (4:4.11.13-2) unstable; urgency=medium
+
+  * New patch: upstream_do_not_pass_ntpUtility_as_an_argument.patch fix
+    for https://www.kde.org/info/security/advisory-20141106-1.txt
+    (CVE-2014-8651 : https://security-tracker.debian.org/tracker/CVE-2014-8651)
+  * New patch: upstream_validate_timezone_name_before_setting.patch,
+    avoids .. in timezone name.
+
+ -- Maximiliano Curia <maxy@debian.org>  Fri, 07 Nov 2014 10:11:28 +0100
+
 kde-workspace (4:4.11.13-1) unstable; urgency=medium
 
   * New upstream release (4.11.13).
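
Review bot: the second changelog bullet, for upstream_validate_timezone_name_before_setting.patch, does not say whether it is part of the CVE-2014-8651 fix or separate hardening, and neither bullet names the upstream commit it was taken from. Since this upload is meant for an unblock, state that relation explicitly and cite the upstream commit ids so each patch can be matched to its origin.
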
diff -Nru kde-workspace-4.11.13/debian/patches/series kde-workspace-4.11.13/debian/patches/series
--- kde-workspace-4.11.13/debian/patches/series	2014-10-20 17:13:03.000000000 +0200
+++ kde-workspace-4.11.13/debian/patches/series	2014-11-07 10:11:29.000000000 +0100
@@ -26,3 +26,5 @@
 kubuntu_avoid_zic_and_deep_copy_timezone_data.diff
 check_if_SensorMgr
 ksysguardd_acpi_valgrind_complain
+upstream_do_not_pass_ntpUtility_as_an_argument.patch
+upstream_validate_timezone_name_before_setting.patch
diff -Nru kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch
--- kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch	1970-01-01 01:00:00.000000000 +0100
+++ kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch	2014-11-07 10:11:29.000000000 +0100
@@ -0,0 +1,119 @@
+commit eebcb17746d9fa86ea8c5a7344709ef6750781cf
+Author: David Edmundson <kde@davidedmundson.co.uk>
+Date:   Tue Nov 4 13:57:59 2014 +0100
+
+    Do not pass ntpUtility as an argument to datetime helper
+    
+    Passing the name of a binary to run to a polkit helper is a security
+    risk as it allows any arbitrary process to be executed.
+    
+    This patch moves the detection of ntp utility location into the helper
+    function.
+    
+    REVIEW: 120977
+
+Index: kde-workspace/kcontrol/dateandtime/dtime.cpp
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/dtime.cpp	2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/dtime.cpp	2014-11-07 09:09:30.997905785 +0100
+@@ -142,27 +142,15 @@
+   //kclock->setEnabled(enabled);
+ }
+ 
+-void Dtime::findNTPutility(){
+-  QByteArray envpath = qgetenv("PATH");
+-  if (!envpath.isEmpty() && envpath[0] == ':') {
+-    envpath = envpath.mid(1);
+-  }
+-
+-  QString path = "/sbin:/usr/sbin:";
+-  if (!envpath.isEmpty()) {
+-    path += QString::fromLocal8Bit(envpath);
+-  } else {
+-    path += QLatin1String("/bin:/usr/bin");
+-  }
+-
+-  foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
+-    if( !((ntpUtility = KStandardDirs::findExe(possible_ntputility, path)).isEmpty()) ) {
+-      kDebug() << "ntpUtility = " << ntpUtility;
+-      return;
++void Dtime::findNTPutility()
++{
++    const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
++    foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++        ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++        if (!ntpUtility.isEmpty()) {
++            return;
++        }
+     }
+-  }
+-
+-  kDebug() << "ntpUtility not found!";
+ }
+ 
+ void Dtime::set_time()
+@@ -238,7 +226,6 @@
+   helperargs["ntp"] = true;
+   helperargs["ntpServers"] = list;
+   helperargs["ntpEnabled"] = setDateTimeAuto->isChecked();
+-  helperargs["ntpUtility"] = ntpUtility;
+ 
+   if(setDateTimeAuto->isChecked() && !ntpUtility.isEmpty()){
+     // NTP Time setting - done in helper
+Index: kde-workspace/kcontrol/dateandtime/helper.cpp
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/helper.cpp	2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/helper.cpp	2014-11-07 09:09:30.997905785 +0100
+@@ -52,8 +52,18 @@
+ // clears it. So we have to use a reasonable default.
+ static const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
+ 
+-int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled,
+-                      const QString& ntpUtility )
++static QString findNtpUtility()
++{
++    foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++        const QString ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++        if (!ntpUtility.isEmpty()) {
++            return ntpUtility;
++        }
++    }
++    return QString();
++}
++
++int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled )
+ {
+   int ret = 0;
+ 
+@@ -69,6 +79,8 @@
+   config.writeEntry("servers", ntpServers );
+   config.writeEntry("enabled", ntpEnabled );
+ 
++  QString ntpUtility(findNtpUtility());
++
+   if ( ntpEnabled && !ntpUtility.isEmpty() ) {
+     // NTP Time setting
+     QString timeServer = ntpServers.first();
+@@ -236,7 +248,7 @@
+   int ret = 0; // error code
+ //  The order here is important
+   if( _ntp )
+-    ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool(), args.value("ntpUtility").toString() );
++    ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool());
+   if( _date )
+     ret |= date( args.value("newdate").toString(), args.value("olddate").toString() );
+   if( _tz )
+Index: kde-workspace/kcontrol/dateandtime/helper.h
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/helper.h	2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/helper.h	2014-11-07 09:09:31.001905624 +0100
+@@ -42,8 +42,7 @@
+         ActionReply save(const QVariantMap &map);
+ 
+     private:
+-        int ntp(const QStringList& ntpServers, bool ntpEnabled,
+-                const QString& ntpUtility);
++        int ntp(const QStringList& ntpServers, bool ntpEnabled);
+         int date(const QString& newdate, const QString& olddate);
+         int tz(const QString& selectedzone);
+         int tzreset();
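
Review bot: in helper.cpp, `ntp()` still takes `ntpServers` from the caller's argument map and uses `ntpServers.first()` as the time server, with no emptiness or format check visible in these hunks. With the utility lookup now done inside the helper, the server list is the remaining caller-supplied input on this path and deserves the same scrutiny; at minimum, return an error when the list is empty. Separately, `Dtime::findNTPutility()` in dtime.cpp now carries its own copy of the search path and of the `ntpdate`/`rdate` candidate list that `findNtpUtility()` in helper.cpp also has, and the dialog uses its copy to decide whether to take the NTP branch; a comment tying the two together, or a shared definition, would keep them from drifting apart.
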
diff -Nru kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch
--- kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch	1970-01-01 01:00:00.000000000 +0100
+++ kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch	2014-11-07 10:11:29.000000000 +0100
@@ -0,0 +1,28 @@
+commit 54d0bfb5effff9c8cf60da890b7728cbe36a454e
+Author: David Edmundson <kde@davidedmundson.co.uk>
+Date:   Tue Nov 4 14:00:54 2014 +0100
+
+    Validate timezone name before setting
+    
+    This patch ensures that the symlink /etc/localtime always points to a
+    file in /usr/share/timezones and not an arbitrary file in a user's home
+    directory.
+
+diff --git a/kcontrol/dateandtime/helper.cpp b/kcontrol/dateandtime/helper.cpp
+index 101d8ca..21fc51a 100644
+--- a/kcontrol/dateandtime/helper.cpp
++++ b/kcontrol/dateandtime/helper.cpp
+@@ -123,6 +123,13 @@ int ClockHelper::date( const QString& newdate, const QString& olddate )
+ int ClockHelper::tz( const QString& selectedzone )
+ {
+     int ret = 0;
++
++    //only allow letters, numbers hyphen underscore plus and forward slash
++    //allowed pattern taken from time-util.c in systemd
++    if (!QRegExp("[a-zA-Z0-9-_+/]*").exactMatch(selectedzone)) {
++        return ret;
++    }
++
+ #if defined(USE_SOLARIS)	// MARCO
+ 
+         KTemporaryFile tf;
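
Review bot: the rejection path in `ClockHelper::tz()` does `return ret;` while `ret` is still 0, so a timezone name that fails the pattern is reported to the caller the same way as a successful change; return a non-zero error code there so the caller can tell that the zone was refused. The pattern also ends in `*`, so an empty `selectedzone` passes `exactMatch`; use `+` if an empty name is not meant to be valid. Moving the literal `-` to the end of the character class (`[a-zA-Z0-9_+/-]`) would make it obvious that it is not part of a range.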

--- End Message ---
--- Begin Message ---
On Fri, Nov  7, 2014 at 12:19:25 +0100, Maximiliano Curia wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package kde-workspace
> 
> In order to fix CVE-2014-8651:
> https://security-tracker.debian.org/tracker/CVE-2014-8651
> 
> unblock kde-workspace/4:4.11.13-2
> 
Unblocked.

Cheers,
Julien

--- End Message ---
