svn commit: r440556 - in head: devel/kf5-kauth devel/kf5-kauth/files x11/kdelibs4 x11/kdelibs4/files
Tobias C. Berner
tcberner at FreeBSD.org
Wed May 10 12:03:59 UTC 2017
Author: tcberner
Date: Wed May 10 12:03:58 2017
New Revision: 440556
URL: https://svnweb.freebsd.org/changeset/ports/440556
Log:
Add upstream fixes for CVE-2017-8422 to x11/kdelibs4 and devel/kf5-kauth
KAuth contains a logic flaw in which the service invoking dbus
is not properly checked.
This allows spoofing the identity of the caller and with some
carefully crafted calls can lead to gaining root from an
unprivileged account.
https://www.kde.org/info/security/advisory-20170510-1.txt
Reviewed by: rakuco
Approved by: rakuco (mentor)
Obtained from: https://www.kde.org/info/security/advisory-20170510-1.txt
MFH: 2017Q2
Security: CVE-2017-8422
Differential Revision: https://reviews.freebsd.org/D10660
Added:
head/devel/kf5-kauth/files/
head/devel/kf5-kauth/files/patch-git_df875f7_CVE-2017-8422 (contents, props changed)
head/x11/kdelibs4/files/patch-git_264e976_CVE-2017-8422 (contents, props changed)
Modified:
head/devel/kf5-kauth/Makefile
head/x11/kdelibs4/Makefile
Modified: head/devel/kf5-kauth/Makefile
==============================================================================
--- head/devel/kf5-kauth/Makefile Wed May 10 12:02:02 2017 (r440555)
+++ head/devel/kf5-kauth/Makefile Wed May 10 12:03:58 2017 (r440556)
@@ -3,6 +3,7 @@
PORTNAME= kauth
PORTVERSION= ${KDE_FRAMEWORKS_VERSION}
+PORTREVISION= 1
CATEGORIES= devel kde kde-frameworks
MAINTAINER= kde at FreeBSD.org
Added: head/devel/kf5-kauth/files/patch-git_df875f7_CVE-2017-8422
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/devel/kf5-kauth/files/patch-git_df875f7_CVE-2017-8422 Wed May 10 12:03:58 2017 (r440556)
@@ -0,0 +1,198 @@
+From df875f725293af53399f5146362eb158b4f9216a Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid at kde.org>
+Date: Wed, 10 May 2017 10:03:45 +0200
+Subject: Verify that whoever is calling us is actually who he says he is
+
+CVE-2017-8422
+---
+ src/AuthBackend.cpp | 5 +++++
+ src/AuthBackend.h | 7 +++++++
+ src/backends/dbus/DBusHelperProxy.cpp | 27 +++++++++++++++++++++++++--
+ src/backends/dbus/DBusHelperProxy.h | 6 +++++-
+ src/backends/policykit/PolicyKitBackend.cpp | 5 +++++
+ src/backends/policykit/PolicyKitBackend.h | 1 +
+ src/backends/polkit-1/Polkit1Backend.cpp | 5 +++++
+ src/backends/polkit-1/Polkit1Backend.h | 1 +
+ 8 files changed, 54 insertions(+), 3 deletions(-)
+
+diff --git a/src/AuthBackend.cpp b/src/AuthBackend.cpp
+index a41d4f1..a847494 100644
+--- src/AuthBackend.cpp
++++ src/AuthBackend.cpp
+@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities)
+ d->capabilities = capabilities;
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const
++{
++ return NoExtraCallerIDVerificationMethod;
++}
++
+ bool AuthBackend::actionExists(const QString &action)
+ {
+ Q_UNUSED(action);
+diff --git a/src/AuthBackend.h b/src/AuthBackend.h
+index c67a706..09195ef 100644
+--- src/AuthBackend.h
++++ src/AuthBackend.h
+@@ -43,6 +43,12 @@ public:
+ };
+ Q_DECLARE_FLAGS(Capabilities, Capability)
+
++ enum ExtraCallerIDVerificationMethod {
++ NoExtraCallerIDVerificationMethod,
++ VerifyAgainstDBusServiceName,
++ VerifyAgainstDBusServicePid,
++ };
++
+ AuthBackend();
+ virtual ~AuthBackend();
+ virtual void setupAction(const QString &action) = 0;
+@@ -50,6 +56,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString &action) = 0;
+ virtual Action::AuthStatus actionStatus(const QString &action) = 0;
+ virtual QByteArray callerID() const = 0;
++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0;
+ virtual bool actionExists(const QString &action);
+
+diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
+index 9c5cb96..3c1c108 100644
+--- src/backends/dbus/DBusHelperProxy.cpp
++++ src/backends/dbus/DBusHelperProxy.cpp
+@@ -235,6 +235,29 @@ bool DBusHelperProxy::hasToStopAction()
+ return m_stopRequest;
+ }
+
++bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID)
++{
++ // Check the caller is really who it says it is
++ switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) {
++ case AuthBackend::NoExtraCallerIDVerificationMethod:
++ break;
++
++ case AuthBackend::VerifyAgainstDBusServiceName:
++ if (message().service().toUtf8() != callerID) {
++ return false;
++ }
++ break;
++
++ case AuthBackend::VerifyAgainstDBusServicePid:
++ if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) {
++ return false;
++ }
++ break;
++ }
++
++ return BackendsManager::authBackend()->isCallerAuthorized(action, callerID);
++}
++
+ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments)
+ {
+ if (!responder) {
+@@ -259,7 +282,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+ QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
+ timer->stop();
+
+- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++ if (isCallerAuthorized(action, callerID)) {
+ QString slotname = action;
+ if (slotname.startsWith(m_name + QLatin1Char('.'))) {
+ slotname = slotname.right(slotname.length() - m_name.length() - 1);
+@@ -301,7 +324,7 @@ uint DBusHelperProxy::authorizeAction(const QString &action, const QByteArray &c
+ QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
+ timer->stop();
+
+- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++ if (isCallerAuthorized(action, callerID)) {
+ retVal = static_cast<uint>(Action::AuthorizedStatus);
+ } else {
+ retVal = static_cast<uint>(Action::DeniedStatus);
+diff --git a/src/backends/dbus/DBusHelperProxy.h b/src/backends/dbus/DBusHelperProxy.h
+index 52b0ac4..82cec5a 100644
+--- src/backends/dbus/DBusHelperProxy.h
++++ src/backends/dbus/DBusHelperProxy.h
+@@ -25,12 +25,13 @@
+ #include "kauthactionreply.h"
+
+ #include <QDBusConnection>
++#include <QDBusContext>
+ #include <QVariant>
+
+ namespace KAuth
+ {
+
+-class DBusHelperProxy : public HelperProxy
++class DBusHelperProxy : public HelperProxy, protected QDBusContext
+ {
+ Q_OBJECT
+ Q_PLUGIN_METADATA(IID "org.kde.DBusHelperProxy")
+@@ -79,6 +80,9 @@ Q_SIGNALS:
+
+ private Q_SLOTS:
+ void remoteSignalReceived(int type, const QString &action, QByteArray blob);
++
++private:
++ bool isCallerAuthorized(const QString &action, const QByteArray &callerID);
+ };
+
+ } // namespace Auth
+diff --git a/src/backends/policykit/PolicyKitBackend.cpp b/src/backends/policykit/PolicyKitBackend.cpp
+index c2b4d42..bf038a8 100644
+--- src/backends/policykit/PolicyKitBackend.cpp
++++ src/backends/policykit/PolicyKitBackend.cpp
+@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const
+ return a;
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++ return VerifyAgainstDBusServicePid;
++}
++
+ bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+ QDataStream s(&callerID, QIODevice::ReadOnly);
+diff --git a/src/backends/policykit/PolicyKitBackend.h b/src/backends/policykit/PolicyKitBackend.h
+index eb17a3a..38b0240 100644
+--- src/backends/policykit/PolicyKitBackend.h
++++ src/backends/policykit/PolicyKitBackend.h
+@@ -40,6 +40,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString &);
+ virtual Action::AuthStatus actionStatus(const QString &);
+ virtual QByteArray callerID() const;
++ ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+
+ private Q_SLOTS:
+diff --git a/src/backends/polkit-1/Polkit1Backend.cpp b/src/backends/polkit-1/Polkit1Backend.cpp
+index 78ee5bb..774588c 100644
+--- src/backends/polkit-1/Polkit1Backend.cpp
++++ src/backends/polkit-1/Polkit1Backend.cpp
+@@ -162,6 +162,11 @@ QByteArray Polkit1Backend::callerID() const
+ return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++ return VerifyAgainstDBusServiceName;
++}
++
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+diff --git a/src/backends/polkit-1/Polkit1Backend.h b/src/backends/polkit-1/Polkit1Backend.h
+index d7d1e3a..2357892 100644
+--- src/backends/polkit-1/Polkit1Backend.h
++++ src/backends/polkit-1/Polkit1Backend.h
+@@ -49,6 +49,7 @@ public:
+ Action::AuthStatus authorizeAction(const QString &) Q_DECL_OVERRIDE;
+ Action::AuthStatus actionStatus(const QString &) Q_DECL_OVERRIDE;
+ QByteArray callerID() const Q_DECL_OVERRIDE;
++ ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
+ bool isCallerAuthorized(const QString &action, QByteArray callerID) Q_DECL_OVERRIDE;
+ bool actionExists(const QString &action) Q_DECL_OVERRIDE;
+
+--
+cgit v0.11.2
+
Modified: head/x11/kdelibs4/Makefile
==============================================================================
--- head/x11/kdelibs4/Makefile Wed May 10 12:02:02 2017 (r440555)
+++ head/x11/kdelibs4/Makefile Wed May 10 12:03:58 2017 (r440556)
@@ -3,7 +3,7 @@
PORTNAME= kdelibs
PORTVERSION= ${KDE4_KDELIBS_VERSION}
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= x11 kde kde-applications
MAINTAINER= kde at FreeBSD.org
Added: head/x11/kdelibs4/files/patch-git_264e976_CVE-2017-8422
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/x11/kdelibs4/files/patch-git_264e976_CVE-2017-8422 Wed May 10 12:03:58 2017 (r440556)
@@ -0,0 +1,200 @@
+From 264e97625abe2e0334f97de17f6ffb52582888ab Mon Sep 17 00:00:00 2001
+From: Albert Ast/.als Cid <aacid at kde.org>
+Date: Wed, 10 May 2017 10:06:07 +0200
+Subject: Verify that whoever is calling us is actually who he says he is
+
+CVE-2017-8422
+---
+ kdecore/auth/AuthBackend.cpp | 5 ++++
+ kdecore/auth/AuthBackend.h | 7 ++++++
+ kdecore/auth/backends/dbus/DBusHelperProxy.cpp | 27 ++++++++++++++++++++--
+ kdecore/auth/backends/dbus/DBusHelperProxy.h | 6 ++++-
+ .../auth/backends/policykit/PolicyKitBackend.cpp | 5 ++++
+ kdecore/auth/backends/policykit/PolicyKitBackend.h | 1 +
+ kdecore/auth/backends/polkit-1/Polkit1Backend.cpp | 5 ++++
+ kdecore/auth/backends/polkit-1/Polkit1Backend.h | 1 +
+ 8 files changed, 54 insertions(+), 3 deletions(-)
+
+diff --git a/kdecore/auth/AuthBackend.cpp b/kdecore/auth/AuthBackend.cpp
+index c953b81..0ba4650 100644
+--- kdecore/auth/AuthBackend.cpp
++++ kdecore/auth/AuthBackend.cpp
+@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities)
+ d->capabilities = capabilities;
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const
++{
++ return NoExtraCallerIDVerificationMethod;
++}
++
+ bool AuthBackend::actionExists(const QString& action)
+ {
+ Q_UNUSED(action);
+diff --git a/kdecore/auth/AuthBackend.h b/kdecore/auth/AuthBackend.h
+index a86732e..6f4b1bc 100644
+--- kdecore/auth/AuthBackend.h
++++ kdecore/auth/AuthBackend.h
+@@ -43,6 +43,12 @@ public:
+ };
+ Q_DECLARE_FLAGS(Capabilities, Capability)
+
++ enum ExtraCallerIDVerificationMethod {
++ NoExtraCallerIDVerificationMethod,
++ VerifyAgainstDBusServiceName,
++ VerifyAgainstDBusServicePid,
++ };
++
+ AuthBackend();
+ virtual ~AuthBackend();
+ virtual void setupAction(const QString &action) = 0;
+@@ -50,6 +56,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString &action) = 0;
+ virtual Action::AuthStatus actionStatus(const QString &action) = 0;
+ virtual QByteArray callerID() const = 0;
++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0;
+ virtual bool actionExists(const QString &action);
+
+diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.cpp b/kdecore/auth/backends/dbus/DBusHelperProxy.cpp
+index 9557a0f..ca59f1c 100644
+--- kdecore/auth/backends/dbus/DBusHelperProxy.cpp
++++ kdecore/auth/backends/dbus/DBusHelperProxy.cpp
+@@ -271,6 +271,29 @@ void DBusHelperProxy::performActions(QByteArray blob, const QByteArray &callerID
+ }
+ }
+
++bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID)
++{
++ // Check the caller is really who it says it is
++ switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) {
++ case AuthBackend::NoExtraCallerIDVerificationMethod:
++ break;
++
++ case AuthBackend::VerifyAgainstDBusServiceName:
++ if (message().service().toUtf8() != callerID) {
++ return false;
++ }
++ break;
++
++ case AuthBackend::VerifyAgainstDBusServicePid:
++ if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) {
++ return false;
++ }
++ break;
++ }
++
++ return BackendsManager::authBackend()->isCallerAuthorized(action, callerID);
++}
++
+ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments)
+ {
+ if (!responder) {
+@@ -295,7 +318,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+ QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>();
+ timer->stop();
+
+- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++ if (isCallerAuthorized(action, callerID)) {
+ QString slotname = action;
+ if (slotname.startsWith(m_name + QLatin1Char('.'))) {
+ slotname = slotname.right(slotname.length() - m_name.length() - 1);
+@@ -338,7 +361,7 @@ uint DBusHelperProxy::authorizeAction(const QString& action, const QByteArray& c
+ QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>();
+ timer->stop();
+
+- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++ if (isCallerAuthorized(action, callerID)) {
+ retVal = static_cast<uint>(Action::Authorized);
+ } else {
+ retVal = static_cast<uint>(Action::Denied);
+diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.h b/kdecore/auth/backends/dbus/DBusHelperProxy.h
+index 455cf51..264f6cc 100644
+--- kdecore/auth/backends/dbus/DBusHelperProxy.h
++++ kdecore/auth/backends/dbus/DBusHelperProxy.h
+@@ -21,6 +21,7 @@
+ #ifndef DBUS_HELPER_PROXY_H
+ #define DBUS_HELPER_PROXY_H
+
++#include <QDBusContext>
+ #include <QVariant>
+ #include "HelperProxy.h"
+ #include "kauthactionreply.h"
+@@ -28,7 +29,7 @@
+ namespace KAuth
+ {
+
+-class DBusHelperProxy : public HelperProxy
++class DBusHelperProxy : public HelperProxy, protected QDBusContext
+ {
+ Q_OBJECT
+ Q_INTERFACES(KAuth::HelperProxy)
+@@ -73,6 +74,9 @@ signals:
+
+ private slots:
+ void remoteSignalReceived(int type, const QString &action, QByteArray blob);
++
++private:
++ bool isCallerAuthorized(const QString &action, const QByteArray &callerID);
+ };
+
+ } // namespace Auth
+diff --git a/kdecore/auth/backends/policykit/PolicyKitBackend.cpp b/kdecore/auth/backends/policykit/PolicyKitBackend.cpp
+index 3be97f2..9d041d1 100644
+--- kdecore/auth/backends/policykit/PolicyKitBackend.cpp
++++ kdecore/auth/backends/policykit/PolicyKitBackend.cpp
+@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const
+ return a;
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++ return VerifyAgainstDBusServicePid;
++}
++
+ bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+ QDataStream s(&callerID, QIODevice::ReadOnly);
+diff --git a/kdecore/auth/backends/policykit/PolicyKitBackend.h b/kdecore/auth/backends/policykit/PolicyKitBackend.h
+index 7154e93..0d3d8f9 100644
+--- kdecore/auth/backends/policykit/PolicyKitBackend.h
++++ kdecore/auth/backends/policykit/PolicyKitBackend.h
+@@ -40,6 +40,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString&);
+ virtual Action::AuthStatus actionStatus(const QString&);
+ virtual QByteArray callerID() const;
++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+
+ private Q_SLOTS:
+diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+index 732d2cb..63c0e1e 100644
+--- kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
++++ kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+@@ -163,6 +163,11 @@ QByteArray Polkit1Backend::callerID() const
+ return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++ return VerifyAgainstDBusServiceName;
++}
++
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.h b/kdecore/auth/backends/polkit-1/Polkit1Backend.h
+index 18ed1a2..d579da2 100644
+--- kdecore/auth/backends/polkit-1/Polkit1Backend.h
++++ kdecore/auth/backends/polkit-1/Polkit1Backend.h
+@@ -48,6 +48,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString&);
+ virtual Action::AuthStatus actionStatus(const QString&);
+ virtual QByteArray callerID() const;
++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+ virtual bool actionExists(const QString& action);
+
+--
+cgit v0.11.2
+
More information about the svn-ports-head
mailing list