rpms / kdelibs

Clone
Source Code
GIT

Blame SOURCES/kdelibs-kauth-CVE-2017-8422.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta
  1.   f60c5127226422724ea94fe1e1f9d2413f0b3171
  2.   SOURCES
  3.   kdelibs-kauth-CVE-2017-8422.patch
Blob History Raw
a106d1 
From 264e97625abe2e0334f97de17f6ffb52582888ab Mon Sep 17 00:00:00 2001
a106d1 
From: Albert Astals Cid <aacid@kde.org>
a106d1 
Date: Wed, 10 May 2017 10:06:07 +0200
a106d1 
Subject: Verify that whoever is calling us is actually who he says he is
a106d1
a106d1 
CVE-2017-8422
a106d1 
---
a106d1 
 kdecore/auth/AuthBackend.cpp                       |  5 ++++
a106d1 
 kdecore/auth/AuthBackend.h                         |  7 ++++++
a106d1 
 kdecore/auth/backends/dbus/DBusHelperProxy.cpp     | 27 ++++++++++++++++++++--
a106d1 
 kdecore/auth/backends/dbus/DBusHelperProxy.h       |  6 ++++-
a106d1 
 .../auth/backends/policykit/PolicyKitBackend.cpp   |  5 ++++
a106d1 
 kdecore/auth/backends/policykit/PolicyKitBackend.h |  1 +
a106d1 
 kdecore/auth/backends/polkit-1/Polkit1Backend.cpp  |  5 ++++
a106d1 
 kdecore/auth/backends/polkit-1/Polkit1Backend.h    |  1 +
a106d1 
 8 files changed, 54 insertions(+), 3 deletions(-)
a106d1
a106d1 
diff --git a/kdecore/auth/AuthBackend.cpp b/kdecore/auth/AuthBackend.cpp
a106d1 
index c953b81..0ba4650 100644
a106d1 
--- a/kdecore/auth/AuthBackend.cpp
a106d1 
+++ b/kdecore/auth/AuthBackend.cpp
a106d1 
@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities)
a106d1 
     d->capabilities = capabilities;
a106d1 
 }
a106d1
a106d1 
+AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const
a106d1 
+{
a106d1 
+    return NoExtraCallerIDVerificationMethod;
a106d1 
+}
a106d1 
+
a106d1 
 bool AuthBackend::actionExists(const QString& action)
a106d1 
 {
a106d1 
     Q_UNUSED(action);
a106d1 
diff --git a/kdecore/auth/AuthBackend.h b/kdecore/auth/AuthBackend.h
a106d1 
index a86732e..6f4b1bc 100644
a106d1 
--- a/kdecore/auth/AuthBackend.h
a106d1 
+++ b/kdecore/auth/AuthBackend.h
a106d1 
@@ -43,6 +43,12 @@ public:
a106d1 
     };
a106d1 
     Q_DECLARE_FLAGS(Capabilities, Capability)
a106d1
a106d1 
+    enum ExtraCallerIDVerificationMethod {
a106d1 
+        NoExtraCallerIDVerificationMethod,
a106d1 
+        VerifyAgainstDBusServiceName,
a106d1 
+        VerifyAgainstDBusServicePid,
a106d1 
+    };
a106d1 
+
a106d1 
     AuthBackend();
a106d1 
     virtual ~AuthBackend();
a106d1 
     virtual void setupAction(const QString &action) = 0;
a106d1 
@@ -50,6 +56,7 @@ public:
a106d1 
     virtual Action::AuthStatus authorizeAction(const QString &action) = 0;
a106d1 
     virtual Action::AuthStatus actionStatus(const QString &action) = 0;
a106d1 
     virtual QByteArray callerID() const = 0;
a106d1 
+    virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
a106d1 
     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0;
a106d1 
     virtual bool actionExists(const QString &action);
a106d1
a106d1 
diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.cpp b/kdecore/auth/backends/dbus/DBusHelperProxy.cpp
a106d1 
index 9557a0f..ca59f1c 100644
a106d1 
--- a/kdecore/auth/backends/dbus/DBusHelperProxy.cpp
a106d1 
+++ b/kdecore/auth/backends/dbus/DBusHelperProxy.cpp
a106d1 
@@ -271,6 +271,29 @@ void DBusHelperProxy::performActions(QByteArray blob, const QByteArray &callerID
a106d1 
     }
a106d1 
 }
a106d1
a106d1 
+bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID)
a106d1 
+{
a106d1 
+    // Check the caller is really who it says it is
a106d1 
+    switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) {
a106d1 
+        case AuthBackend::NoExtraCallerIDVerificationMethod:
a106d1 
+        break;
a106d1 
+
a106d1 
+        case AuthBackend::VerifyAgainstDBusServiceName:
a106d1 
+            if (message().service().toUtf8() != callerID) {
a106d1 
+                return false;
a106d1 
+            }
a106d1 
+        break;
a106d1 
+
a106d1 
+        case AuthBackend::VerifyAgainstDBusServicePid:
a106d1 
+            if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) {
a106d1 
+                return false;
a106d1 
+            }
a106d1 
+        break;
a106d1 
+    }
a106d1 
+
a106d1 
+    return BackendsManager::authBackend()->isCallerAuthorized(action, callerID);
a106d1 
+}
a106d1 
+
a106d1 
 QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments)
a106d1 
 {
a106d1 
     if (!responder) {
a106d1 
@@ -295,7 +318,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
a106d1 
     QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>();
a106d1 
     timer->stop();
a106d1
a106d1 
-    if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
a106d1 
+    if (isCallerAuthorized(action, callerID)) {
a106d1 
         QString slotname = action;
a106d1 
         if (slotname.startsWith(m_name + QLatin1Char('.'))) {
a106d1 
             slotname = slotname.right(slotname.length() - m_name.length() - 1);
a106d1 
@@ -338,7 +361,7 @@ uint DBusHelperProxy::authorizeAction(const QString& action, const QByteArray& c
a106d1 
     QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>();
a106d1 
     timer->stop();
a106d1
a106d1 
-    if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
a106d1 
+    if (isCallerAuthorized(action, callerID)) {
a106d1 
         retVal = static_cast<uint>(Action::Authorized);
a106d1 
     } else {
a106d1 
         retVal = static_cast<uint>(Action::Denied);
a106d1 
diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.h b/kdecore/auth/backends/dbus/DBusHelperProxy.h
a106d1 
index 455cf51..264f6cc 100644
a106d1 
--- a/kdecore/auth/backends/dbus/DBusHelperProxy.h
a106d1 
+++ b/kdecore/auth/backends/dbus/DBusHelperProxy.h
a106d1 
@@ -21,6 +21,7 @@
a106d1 
 #ifndef DBUS_HELPER_PROXY_H
a106d1 
 #define DBUS_HELPER_PROXY_H
a106d1
a106d1 
+#include <QDBusContext>
a106d1 
 #include <QVariant>
a106d1 
 #include "HelperProxy.h"
a106d1 
 #include "kauthactionreply.h"
a106d1 
@@ -28,7 +29,7 @@
a106d1 
 namespace KAuth
a106d1 
 {
a106d1
a106d1 
-class DBusHelperProxy : public HelperProxy
a106d1 
+class DBusHelperProxy : public HelperProxy, protected QDBusContext
a106d1 
 {
a106d1 
     Q_OBJECT
a106d1 
     Q_INTERFACES(KAuth::HelperProxy)
a106d1 
@@ -73,6 +74,9 @@ signals:
a106d1
a106d1 
 private slots:
a106d1 
     void remoteSignalReceived(int type, const QString &action, QByteArray blob);
a106d1 
+
a106d1 
+private:
a106d1 
+    bool isCallerAuthorized(const QString &action, const QByteArray &callerID);
a106d1 
 };
a106d1
a106d1 
 } // namespace Auth
a106d1 
diff --git a/kdecore/auth/backends/policykit/PolicyKitBackend.cpp b/kdecore/auth/backends/policykit/PolicyKitBackend.cpp
a106d1 
index 3be97f2..9d041d1 100644
a106d1 
--- a/kdecore/auth/backends/policykit/PolicyKitBackend.cpp
a106d1 
+++ b/kdecore/auth/backends/policykit/PolicyKitBackend.cpp
a106d1 
@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const
a106d1 
     return a;
a106d1 
 }
a106d1
a106d1 
+AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
a106d1 
+{
a106d1 
+    return VerifyAgainstDBusServicePid;
a106d1 
+}
a106d1 
+
a106d1 
 bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID)
a106d1 
 {
a106d1 
     QDataStream s(&callerID, QIODevice::ReadOnly);
a106d1 
diff --git a/kdecore/auth/backends/policykit/PolicyKitBackend.h b/kdecore/auth/backends/policykit/PolicyKitBackend.h
a106d1 
index 7154e93..0d3d8f9 100644
a106d1 
--- a/kdecore/auth/backends/policykit/PolicyKitBackend.h
a106d1 
+++ b/kdecore/auth/backends/policykit/PolicyKitBackend.h
a106d1 
@@ -40,6 +40,7 @@ public:
a106d1 
     virtual Action::AuthStatus authorizeAction(const QString&);
a106d1 
     virtual Action::AuthStatus actionStatus(const QString&);
a106d1 
     virtual QByteArray callerID() const;
a106d1 
+    virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
a106d1 
     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
a106d1
a106d1 
 private Q_SLOTS:
a106d1 
diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
a106d1 
index 732d2cb..63c0e1e 100644
a106d1 
--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
a106d1 
+++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
a106d1 
@@ -163,6 +163,11 @@ QByteArray Polkit1Backend::callerID() const
a106d1 
     return QDBusConnection::systemBus().baseService().toUtf8();
a106d1 
 }
a106d1
a106d1 
+AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
a106d1 
+{
a106d1 
+    return VerifyAgainstDBusServiceName;
a106d1 
+}
a106d1 
+
a106d1 
 bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
a106d1 
 {
a106d1 
     PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
a106d1 
diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.h b/kdecore/auth/backends/polkit-1/Polkit1Backend.h
a106d1 
index 18ed1a2..d579da2 100644
a106d1 
--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.h
a106d1 
+++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.h
a106d1 
@@ -48,6 +48,7 @@ public:
a106d1 
     virtual Action::AuthStatus authorizeAction(const QString&);
a106d1 
     virtual Action::AuthStatus actionStatus(const QString&);
a106d1 
     virtual QByteArray callerID() const;
a106d1 
+    virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
a106d1 
     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
a106d1 
     virtual bool actionExists(const QString& action);
a106d1
a106d1 
--
a106d1 
cgit v0.11.2
a106d1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation