--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package kauth/5.28.0-2+deb9u1
- From: Moritz Muehlenhoff <jmm@debian.org>
- Date: Tue, 26 Feb 2019 19:42:32 +0100
- Message-id: <155120655283.5535.9497957342446661028.reportbug@hullmann.westfalen.local>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
This fixes CVE-2019-7443 /
https://mail.kde.org/pipermail/kde-announce/2019-February/000011.html.
Debdiff attached.
Cheers,
Moritz
diff -Nru kauth-5.28.0/debian/changelog kauth-5.28.0/debian/changelog
--- kauth-5.28.0/debian/changelog 2017-05-10 15:03:15.000000000 +0200
+++ kauth-5.28.0/debian/changelog 2019-02-15 00:03:40.000000000 +0100
@@ -1,3 +1,9 @@
+kauth (5.28.0-2+deb9u1) stretch; urgency=medium
+
+ * CVE-2019-7443 (Closes: #921995)
+
+ -- Moritz Mühlenhoff <jmm@debian.org> Fri, 15 Feb 2019 00:03:40 +0100
+
kauth (5.28.0-2) unstable; urgency=medium
* Drop applied patch: kauth_add_license
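Review bot: The new changelog entry `* CVE-2019-7443 (Closes: #921995)` names only the CVE and the bug, so a reader of the changelog cannot tell what behaviour changed. Consider adding the patch's own subject, "Remove support for passing gui QVariants to KAuth helpers", and the patch file name debian/patches/CVE-2019-7443.patch, since this stable update removes something callers could previously pass.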
diff -Nru kauth-5.28.0/debian/patches/CVE-2019-7443.patch kauth-5.28.0/debian/patches/CVE-2019-7443.patch
--- kauth-5.28.0/debian/patches/CVE-2019-7443.patch 1970-01-01 01:00:00.000000000 +0100
+++ kauth-5.28.0/debian/patches/CVE-2019-7443.patch 2019-02-15 00:03:40.000000000 +0100
@@ -0,0 +1,68 @@
+From fc70fb0161c1b9144d26389434d34dd135cd3f4a Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Sat, 2 Feb 2019 14:35:25 +0100
+Subject: Remove support for passing gui QVariants to KAuth helpers
+
+Supporting gui variants is very dangerous since they can end up triggering
+image loading plugins which are one of the biggest vectors for crashes, which
+for very smart people mean possible code execution, which is very dangerous
+in code that is executed as root.
+
+We've checked all the KAuth helpers inside KDE git and none seems to be using
+gui variants, so we're not actually limiting anything that people wanted to do.
+
+Reviewed by security@kde.org and Aleix Pol
+
+Issue reported by Fabian Vogt
+---
+ src/backends/dbus/DBusHelperProxy.cpp | 9 +++++++++
+ src/kauthaction.h | 2 ++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
+index 10c14c6..8f0d336 100644
+--- a/src/backends/dbus/DBusHelperProxy.cpp
++++ b/src/backends/dbus/DBusHelperProxy.cpp
+@@ -31,6 +31,8 @@
+ #include "kf5authadaptor.h"
+ #include "kauthdebug.h"
+
++extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper;
++
+ namespace KAuth
+ {
+
+@@ -229,10 +231,17 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+ return ActionReply::HelperBusyReply().serialized();
+ }
+
++ // Make sure we don't try restoring gui variants, in particular QImage/QPixmap/QIcon are super dangerous
++ // since they end up calling the image loaders and thus are a vector for crashing → executing code
++ auto origMetaTypeGuiHelper = qMetaTypeGuiHelper;
++ qMetaTypeGuiHelper = nullptr;
++
+ QVariantMap args;
+ QDataStream s(&arguments, QIODevice::ReadOnly);
+ s >> args;
+
++ qMetaTypeGuiHelper = origMetaTypeGuiHelper;
++
+ m_currentAction = action;
+ emit remoteSignal(ActionStarted, action, QByteArray());
+ QEventLoop e;
+diff --git a/src/kauthaction.h b/src/kauthaction.h
+index c67a70a..01f3ba1 100644
+--- a/src/kauthaction.h
++++ b/src/kauthaction.h
+@@ -298,6 +298,8 @@ public:
+ * This method sets the variant map that the application
+ * can use to pass arbitrary data to the helper when executing the action.
+ *
++ * Only non-gui variants are supported.
++ *
+ * @param arguments The new arguments map
+ */
+ void setArguments(const QVariantMap &arguments);
+--
+cgit v1.1
+
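Review bot: In the performAction() hunk of the embedded patch, nothing checks the stream after `s >> args`: the added lines restore `qMetaTypeGuiHelper` and the code continues straight to `m_currentAction = action;`, so if deserialization fails the action still starts with whatever `args` was left holding. Consider testing `s.status() != QDataStream::Ok` after the restore and returning an error reply instead of running the action. The save, null and restore of the global pointer would also be more robust in a small scope guard, so the restore cannot be skipped if code is later added between the two assignments. Since `qMetaTypeGuiHelper` is declared by hand with `extern` in DBusHelperProxy.cpp rather than taken from an included header, a short comment on which Qt version in stretch this was built and tested against would help whoever prepares the next update.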
diff -Nru kauth-5.28.0/debian/patches/series kauth-5.28.0/debian/patches/series
--- kauth-5.28.0/debian/patches/series 2017-05-10 15:03:15.000000000 +0200
+++ kauth-5.28.0/debian/patches/series 2019-02-15 00:03:40.000000000 +0100
@@ -1 +1,2 @@
Verify-that-whoever-is-calling-us-is-actually-who-he-says.patch
+CVE-2019-7443.patch
--- End Message ---