
Bug#985970: marked as done (unblock: kglobalaccel/5.78.0-3)



Your message dated Sat, 27 Mar 2021 08:25:40 +0000
with message-id <E1lQ4GK-0004Lc-Cs@respighi.debian.org>
and subject line unblock kglobalaccel
has caused the Debian Bug report #985970,
regarding unblock: kglobalaccel/5.78.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
985970: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985970
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-kde-talk@alioth-lists.debian.net

Please unblock package kglobalaccel

[ Reason ]
Upstream asked to backport a security fix:
There is the possibility that kglobalaccel runs under a wrong UID,
which would result in programs started by the logged-in user under a
different UID.

Unrelated change: graphviz was removed from B-D since it is not
necessary (as seen, all builds succeeded).

[ Impact ]
Security fix:
Possibility of
- broken functionality (programs started as different uid will behave
  differently)
- security (different uid files can be read/changed)

B-D drop: none

[ Tests ]
security fix:
The package contains an extensive set of tests that are automatically
run on build.

B-D drop: builds succeeded.

[ Risks ]
The code change is simple and adds a check for the UID and returns in
case they disagree.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock kglobalaccel/5.78.0-3

Best

Norbert

--
PREINING Norbert                              https://www.preining.info
Fujitsu Research Labs  +  IFMGA Guide + TU Wien + TeX Live + Debian Dev
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
diff -Nru kglobalaccel-5.78.0/debian/changelog kglobalaccel-5.78.0/debian/changelog
--- kglobalaccel-5.78.0/debian/changelog	2021-01-17 12:02:21.000000000 +0900
+++ kglobalaccel-5.78.0/debian/changelog	2021-03-27 07:26:39.000000000 +0900
@@ -1,3 +1,12 @@
+kglobalaccel (5.78.0-3) unstable; urgency=medium
+
+  [ Norbert Preining ]
+  * Remove graphviz from build depends.
+  * Cherry pick upstream fix for kglobalaccel possibly running under an
+    incorrect uid, thus starting programs as different user.
+
+ -- Norbert Preining <norbert@preining.info>  Sat, 27 Mar 2021 07:26:39 +0900
+
 kglobalaccel (5.78.0-2) unstable; urgency=medium
 
   * Release to unstable.
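Review bot: the changelog entry describes the cherry-picked fix only in words, without the upstream commit id; since the id bbec7433 is already encoded in the patch filename added below, cite it in the entry so the change is traceable from the changelog alone, e.g. `* Cherry pick upstream fix bbec7433: don't run kglobalaccel with wrong uid.`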
diff -Nru kglobalaccel-5.78.0/debian/control kglobalaccel-5.78.0/debian/control
--- kglobalaccel-5.78.0/debian/control	2021-01-17 11:54:33.000000000 +0900
+++ kglobalaccel-5.78.0/debian/control	2021-03-27 07:22:05.000000000 +0900
@@ -8,7 +8,6 @@
                debhelper-compat (= 13),
                doxygen,
                extra-cmake-modules (>= 5.78.0~),
-               graphviz,
                libkf5config-dev (>= 5.78.0~),
                libkf5coreaddons-dev (>= 5.78.0~),
                libkf5crash-dev (>= 5.78.0~),
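Review bot: the justification offered for dropping `graphviz` is that builds succeed, which does not by itself show the generated documentation is unchanged: doxygen (still listed two lines above) only uses graphviz's `dot` when it is installed, and a configuration that enables it still completes with a warning when it is missing, so diagrams can silently disappear from the API docs. Before treating the drop as "none" impact, compare the documentation output or build log with and without graphviz installed; if no diagrams are produced in either case, the removal is safe.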
diff -Nru kglobalaccel-5.78.0/debian/patches/series kglobalaccel-5.78.0/debian/patches/series
--- kglobalaccel-5.78.0/debian/patches/series	1970-01-01 09:00:00.000000000 +0900
+++ kglobalaccel-5.78.0/debian/patches/series	2021-03-27 07:23:25.000000000 +0900
@@ -0,0 +1 @@
+upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch
diff -Nru kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch
--- kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch	1970-01-01 09:00:00.000000000 +0900
+++ kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch	2021-03-27 07:24:20.000000000 +0900
@@ -0,0 +1,38 @@
+From bbec74337b3186bc258bd5adf849b89191789535 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@ritter-vogt.de>
+Date: Fri, 29 Jan 2021 11:31:54 +0100
+Subject: [PATCH] Don't let kglobalaccel run if KDE_SESSION_UID mismatches
+
+Otherwise shortcuts execute actions as the wrong user.
+---
+ src/runtime/main.cpp |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/src/runtime/main.cpp
++++ b/src/runtime/main.cpp
+@@ -10,6 +10,8 @@
+ #include "kglobalacceld.h"
+ #include "logging_p.h"
+ 
++#include <unistd.h>
++
+ #include <KCrash>
+ #include <KAboutData>
+ #include <KDBusService>
+@@ -58,6 +60,16 @@ extern "C" Q_DECL_EXPORT int main(int ar
+         return 0;
+     }
+ 
++    // It's possible that kglobalaccel gets started as the wrong user by
++    // accident, e.g. kdesu dolphin leads to dbus activation. It then installs
++    // its grabs and the actions are run as the wrong user.
++    bool isUidset = false;
++    const int sessionuid = qEnvironmentVariableIntValue("KDE_SESSION_UID", &isUidset);
++    if(isUidset && static_cast<uid_t>(sessionuid) != getuid()) {
++        qCWarning(KGLOBALACCELD) << "kglobalaccel running as wrong user, exiting.";
++        return 0;
++    }
++
+     KDBusService service(KDBusService::Unique);
+ 
+     app.setQuitOnLastWindowClosed( false );
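Review bot: the check `if(isUidset && static_cast<uid_t>(sessionuid) != getuid())` is silently skipped whenever KDE_SESSION_UID is present but does not parse as an int (Qt's qEnvironmentVariableIntValue then reports the variable as not set), and the mismatch path `return 0;` exits with success, so a supervisor or D-Bus activation sees a clean exit with no name registered and only a qCWarning that logging rules may filter. Consider treating an unparseable value like a mismatch and exiting non-zero so the refusal is visible; the signed-to-unsigned cast is worth a comment, since a negative value converts to a large uid and therefore fails closed. As this is a verbatim upstream cherry-pick, raise it upstream rather than diverging the Debian patch.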

--- End Message ---
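The UID check that the [ Risks ] section summarises and the upstream patch implements, written here as an added stand-alone C example; it is not code from the kglobalaccel package or the upstream commit. It parses a session uid from an environment variable string and compares it with the real uid, but unlike the Qt version it treats a present-but-unparseable or out-of-range value as a refusal instead of skipping the check, and exits non-zero when it refuses. The enum, the functions `parse_uid`, `check_session_uid` and `should_run`, and the start-up policy are assumptions of this example; KDE_SESSION_UID is the variable name the patch uses.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not the kglobalaccel code: outcome of comparing the uid
 * recorded in the environment with the uid the process really runs as. */
enum uid_check {
    UID_CHECK_UNSET,    /* variable absent: nothing to compare against */
    UID_CHECK_MATCH,    /* variable parsed and equals the real uid */
    UID_CHECK_MISMATCH, /* variable parsed and differs from the real uid */
    UID_CHECK_INVALID   /* variable present but not a valid uid: fail closed */
};

/* Parse a uid written in decimal, exactly as it would appear in an
 * environment variable. Returns 0 on success and -1 on any defect: empty
 * string, leading whitespace or sign, trailing characters, or a value that
 * does not fit in uid_t. strtoul alone would silently accept several of these. */
int parse_uid(const char *text, uid_t *out)
{
    if (text == NULL || *text == '\0')
        return -1;
    if (isspace((unsigned char)*text) || *text == '-' || *text == '+')
        return -1;
    errno = 0;
    char *end = NULL;
    unsigned long value = strtoul(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0')
        return -1;
    if ((unsigned long)(uid_t)value != value) /* does not round-trip: too large */
        return -1;
    *out = (uid_t)value;
    return 0;
}

/* Compare the environment's idea of the session uid with the real uid.
 * env_value is the raw value of KDE_SESSION_UID (NULL when unset). */
enum uid_check check_session_uid(const char *env_value, uid_t real_uid)
{
    if (env_value == NULL)
        return UID_CHECK_UNSET;
    uid_t session_uid;
    if (parse_uid(env_value, &session_uid) != 0)
        return UID_CHECK_INVALID;
    return session_uid == real_uid ? UID_CHECK_MATCH : UID_CHECK_MISMATCH;
}

/* Start-up policy assumed by this example: an absent variable is tolerated
 * (no session to compare with, as in the upstream patch), a matching uid is
 * allowed, and both a mismatch and an unparseable value refuse to start. */
int should_run(enum uid_check result)
{
    return result == UID_CHECK_UNSET || result == UID_CHECK_MATCH;
}

int main(void)
{
    enum uid_check result = check_session_uid(getenv("KDE_SESSION_UID"), getuid());
    if (!should_run(result)) {
        /* Non-zero exit so a supervisor or D-Bus activation sees the refusal. */
        fprintf(stderr, "session uid check failed (code %d), refusing to start\n",
                (int)result);
        return 1;
    }
    printf("session uid check passed (code %d)\n", (int)result);
    return 0;
}
```

Run it with `KDE_SESSION_UID=$(id -u) ./a.out` to see the pass path and with `KDE_SESSION_UID=0 ./a.out` (as a non-root user) or `KDE_SESSION_UID=abc ./a.out` to see the two refusal paths; the distinction between "unset", "mismatch" and "invalid" is kept in the return value so a caller can log or handle them differently.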
--- Begin Message ---
Unblocked.

--- End Message ---