[SCM] KDE Development Platform Libraries module packaging branch, master, updated. debian/4.13.3-1-12-g49ab15a

Maximiliano Curia maxy at moszumanska.debian.org
Wed Aug 20 12:40:22 UTC 2014


Gitweb-URL: http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commitdiff;h=fb95bcc

The following commit has been merged in the master branch:
commit fb95bcc68d4e3d00a69409ce3ac564e2f0b8e597
Author: Maximiliano Curia <maxy at debian.org>
Date:   Fri Jul 25 10:25:23 2014 +0200

    New upstream patch: upstream_use-dbus-system-bus-name-instead-of-pid.patch (Closes: #755814) Fixes: CVE-2014-5033
---
 debian/changelog                                   |  2 +
 debian/patches/series                              |  1 +
 ...m_use-dbus-system-bus-name-instead-of-pid.patch | 48 ++++++++++++++++++++++
 3 files changed, 51 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 3d1638f..2837b1d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
 kde4libs (4:4.13.3-2) UNRELEASED; urgency=medium
 
   * Update symbols with the buildds logs.
+  * New upstream patch: upstream_use-dbus-system-bus-name-instead-of-
+    pid.patch (Closes: #755814) Fixes: CVE-2014-5033
 
  -- Maximiliano Curia <maxy at debian.org>  Thu, 24 Jul 2014 11:24:34 +0200
 
diff --git a/debian/patches/series b/debian/patches/series
index a02f337..194dae9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -29,3 +29,4 @@ disable_bogus_test.diff
 disable_bogus_tests
 upstream-make_include_style_be_the_same_for_QtCore.patch
 fix_solidlex_destroy_signature.patch
+upstream_use-dbus-system-bus-name-instead-of-pid.patch
diff --git a/debian/patches/upstream_use-dbus-system-bus-name-instead-of-pid.patch b/debian/patches/upstream_use-dbus-system-bus-name-instead-of-pid.patch
new file mode 100644
index 0000000..b75033d
--- /dev/null
+++ b/debian/patches/upstream_use-dbus-system-bus-name-instead-of-pid.patch
@@ -0,0 +1,48 @@
+commit c36bf4f314e6ee1203898697abe294ed0c8dcb32
+Author: Martin T. H. Sandsmark <martin.sandsmark at kde.org>
+Date:   Mon Jul 21 22:52:40 2014 +0200
+
+    Use dbus system bus name instead of PID for authentication.
+    
+    Using the PID for authentication is prone to a PID reuse
+    race condition, and a security issue.
+    
+    REVIEW: 119323
+
+diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+index cd7f6f3..732d2cb 100644
+--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
++++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+@@ -144,7 +144,7 @@ void Polkit1Backend::setupAction(const QString &action)
+ 
+ Action::AuthStatus Polkit1Backend::actionStatus(const QString &action)
+ {
+-    PolkitQt1::UnixProcessSubject subject(QCoreApplication::applicationPid());
++    PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID()));
+     PolkitQt1::Authority::Result r = PolkitQt1::Authority::instance()->checkAuthorizationSync(action, subject,
+                                                                                               PolkitQt1::Authority::None);
+     switch (r) {
+@@ -160,21 +160,12 @@ Action::AuthStatus Polkit1Backend::actionStatus(const QString &action)
+ 
+ QByteArray Polkit1Backend::callerID() const
+ {
+-    QByteArray a;
+-    QDataStream s(&a, QIODevice::WriteOnly);
+-    s << QCoreApplication::applicationPid();
+-
+-    return a;
++    return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+ 
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+-    QDataStream s(&callerID, QIODevice::ReadOnly);
+-    qint64 pid;
+-
+-    s >> pid;
+-
+-    PolkitQt1::UnixProcessSubject subject(pid);
++    PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+     PolkitQt1::Authority *authority = PolkitQt1::Authority::instance();
+ 
+     PolkitResultEventLoop e;

-- 
KDE Development Platform Libraries module packaging



More information about the pkg-kde-commits mailing list