diff -Nru kde4libs-4.13.3/debian/changelog kde4libs-4.13.3/debian/changelog --- kde4libs-4.13.3/debian/changelog 2014-11-21 13:07:07.000000000 +0000 +++ kde4libs-4.13.3/debian/changelog 2017-05-11 13:13:43.000000000 +0000 @@ -1,3 +1,36 @@ +kde4libs (4:4.13.3-0ubuntu0.5) trusty-security; urgency=medium + + * SECURITY UPDATE: privilege escalation in DBus auth backend + - debian/patches/CVE-2017-8422.patch: verify caller in + kdecore/auth/AuthBackend.cpp, kdecore/auth/AuthBackend.h, + kdecore/auth/backends/dbus/DBusHelperProxy.cpp, + kdecore/auth/backends/dbus/DBusHelperProxy.h, + kdecore/auth/backends/policykit/PolicyKitBackend.cpp, + kdecore/auth/backends/policykit/PolicyKitBackend.h, + kdecore/auth/backends/polkit-1/Polkit1Backend.cpp, + kdecore/auth/backends/polkit-1/Polkit1Backend.h. + - CVE-2017-8422 + + -- Marc Deslauriers Thu, 11 May 2017 09:10:03 -0400 + +kde4libs (4:4.13.3-0ubuntu0.4) trusty-security; urgency=medium + + * SECURITY UPDATE: information leak via crafted PAC file (LP: #1668871) + - debian/patches/CVE-2017-6410.patch: sanitize URLs in + kio/misc/kpac/script.cpp. + - CVE-2017-6410 + + -- Marc Deslauriers Wed, 08 Mar 2017 10:25:45 -0500 + +kde4libs (4:4.13.3-0ubuntu0.3) trusty-security; urgency=medium + + * SECURITY UPDATE: file extraction out of the expected directory + - debian/patches/CVE-2016-6232.patch: limit files to extraction folder + in kdecore/io/karchive.cpp. + - CVE-2016-6232 + + -- Marc Deslauriers Mon, 25 Jul 2016 15:05:37 -0400 + kde4libs (4:4.13.3-0ubuntu0.2) trusty-security; urgency=medium * No change rebuild in the -security pocket. diff -Nru kde4libs-4.13.3/debian/patches/CVE-2016-6232.patch kde4libs-4.13.3/debian/patches/CVE-2016-6232.patch --- kde4libs-4.13.3/debian/patches/CVE-2016-6232.patch 1970-01-01 00:00:00.000000000 +0000 +++ kde4libs-4.13.3/debian/patches/CVE-2016-6232.patch 2016-07-25 19:05:33.000000000 +0000 @@ -0,0 +1,38 @@ +Description: fix file extraction out of the expected directory +Origin: backport, https://quickgit.kde.org/?p=karchive.git&a=commit&h=0cb243f64eef45565741b27364cece7d5c349c37 + +Index: kde4libs-4.14.13/kdecore/io/karchive.cpp +=================================================================== +--- kde4libs-4.14.13.orig/kdecore/io/karchive.cpp 2016-07-25 15:02:46.557559626 -0400 ++++ kde4libs-4.14.13/kdecore/io/karchive.cpp 2016-07-25 15:05:02.130954629 -0400 +@@ -800,6 +800,7 @@ + void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const + { + QDir root; ++ const QString destDir(QDir(dest).absolutePath()); // get directory path without any "." or ".." + + QList fileList; + QMap fileToDir; +@@ -809,10 +810,20 @@ + QStack dirNameStack; + + dirStack.push( this ); // init stack at current directory +- dirNameStack.push( dest ); // ... with given path ++ dirNameStack.push(destDir); // ... with given path + do { + const KArchiveDirectory* curDir = dirStack.pop(); +- const QString curDirName = dirNameStack.pop(); ++ ++ // extract only to specified folder if it is located within archive's extraction folder ++ // otherwise put file under root position in extraction folder ++ QString curDirName = dirNameStack.pop(); ++ if (!QDir(curDirName).absolutePath().startsWith(destDir)) { ++ kWarning() << "Attempted export into folder" << curDirName ++ << "which is outside of the extraction root folder" << destDir << "." ++ << "Changing export of contained files to extraction root folder."; ++ curDirName = destDir; ++ } ++ + root.mkdir(curDirName); + + const QStringList dirEntries = curDir->entries(); diff -Nru kde4libs-4.13.3/debian/patches/CVE-2017-6410.patch kde4libs-4.13.3/debian/patches/CVE-2017-6410.patch --- kde4libs-4.13.3/debian/patches/CVE-2017-6410.patch 1970-01-01 00:00:00.000000000 +0000 +++ kde4libs-4.13.3/debian/patches/CVE-2017-6410.patch 2017-03-08 15:25:21.000000000 +0000 @@ -0,0 +1,39 @@ +From 1804c2fde7bf4e432c6cf5bb8cce5701c7010559 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Tue, 28 Feb 2017 19:08:50 +0100 +Subject: Sanitize URLs before passing them to FindProxyForURL + +Remove user/password information +For https: remove path and query + +Backport from kio f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 +--- + kio/misc/kpac/script.cpp | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/kio/misc/kpac/script.cpp b/kio/misc/kpac/script.cpp +index a595301..9ab360a 100644 +--- a/kio/misc/kpac/script.cpp ++++ b/kio/misc/kpac/script.cpp +@@ -754,9 +754,16 @@ namespace KPAC + } + } + ++ KUrl cleanUrl = url; ++ cleanUrl.setUserInfo(QString()); ++ if (cleanUrl.scheme().toLower() == QLatin1String("https")) { ++ cleanUrl.setPath(QString()); ++ cleanUrl.setQuery(QString()); ++ } ++ + QScriptValueList args; +- args << url.url(); +- args << url.host(); ++ args << cleanUrl.url(); ++ args << cleanUrl.host(); + + QScriptValue result = func.call(QScriptValue(), args); + if (result.isError()) { +-- +cgit v0.11.2 + diff -Nru kde4libs-4.13.3/debian/patches/CVE-2017-8422.patch kde4libs-4.13.3/debian/patches/CVE-2017-8422.patch --- kde4libs-4.13.3/debian/patches/CVE-2017-8422.patch 1970-01-01 00:00:00.000000000 +0000 +++ kde4libs-4.13.3/debian/patches/CVE-2017-8422.patch 2017-05-11 13:09:58.000000000 +0000 @@ -0,0 +1,200 @@ +From 264e97625abe2e0334f97de17f6ffb52582888ab Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Wed, 10 May 2017 10:06:07 +0200 +Subject: Verify that whoever is calling us is actually who he says he is + +CVE-2017-8422 +--- + kdecore/auth/AuthBackend.cpp | 5 ++++ + kdecore/auth/AuthBackend.h | 7 ++++++ + kdecore/auth/backends/dbus/DBusHelperProxy.cpp | 27 ++++++++++++++++++++-- + kdecore/auth/backends/dbus/DBusHelperProxy.h | 6 ++++- + .../auth/backends/policykit/PolicyKitBackend.cpp | 5 ++++ + kdecore/auth/backends/policykit/PolicyKitBackend.h | 1 + + kdecore/auth/backends/polkit-1/Polkit1Backend.cpp | 5 ++++ + kdecore/auth/backends/polkit-1/Polkit1Backend.h | 1 + + 8 files changed, 54 insertions(+), 3 deletions(-) + +diff --git a/kdecore/auth/AuthBackend.cpp b/kdecore/auth/AuthBackend.cpp +index c953b81..0ba4650 100644 +--- a/kdecore/auth/AuthBackend.cpp ++++ b/kdecore/auth/AuthBackend.cpp +@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities) + d->capabilities = capabilities; + } + ++AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const ++{ ++ return NoExtraCallerIDVerificationMethod; ++} ++ + bool AuthBackend::actionExists(const QString& action) + { + Q_UNUSED(action); +diff --git a/kdecore/auth/AuthBackend.h b/kdecore/auth/AuthBackend.h +index a86732e..6f4b1bc 100644 +--- a/kdecore/auth/AuthBackend.h ++++ b/kdecore/auth/AuthBackend.h +@@ -43,6 +43,12 @@ public: + }; + Q_DECLARE_FLAGS(Capabilities, Capability) + ++ enum ExtraCallerIDVerificationMethod { ++ NoExtraCallerIDVerificationMethod, ++ VerifyAgainstDBusServiceName, ++ VerifyAgainstDBusServicePid, ++ }; ++ + AuthBackend(); + virtual ~AuthBackend(); + virtual void setupAction(const QString &action) = 0; +@@ -50,6 +56,7 @@ public: + virtual Action::AuthStatus authorizeAction(const QString &action) = 0; + virtual Action::AuthStatus actionStatus(const QString &action) = 0; + virtual QByteArray callerID() const = 0; ++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const; + virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0; + virtual bool actionExists(const QString &action); + +diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.cpp b/kdecore/auth/backends/dbus/DBusHelperProxy.cpp +index 9557a0f..ca59f1c 100644 +--- a/kdecore/auth/backends/dbus/DBusHelperProxy.cpp ++++ b/kdecore/auth/backends/dbus/DBusHelperProxy.cpp +@@ -271,6 +271,29 @@ void DBusHelperProxy::performActions(QByteArray blob, const QByteArray &callerID + } + } + ++bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID) ++{ ++ // Check the caller is really who it says it is ++ switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) { ++ case AuthBackend::NoExtraCallerIDVerificationMethod: ++ break; ++ ++ case AuthBackend::VerifyAgainstDBusServiceName: ++ if (message().service().toUtf8() != callerID) { ++ return false; ++ } ++ break; ++ ++ case AuthBackend::VerifyAgainstDBusServicePid: ++ if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) { ++ return false; ++ } ++ break; ++ } ++ ++ return BackendsManager::authBackend()->isCallerAuthorized(action, callerID); ++} ++ + QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments) + { + if (!responder) { +@@ -295,7 +318,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra + QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value(); + timer->stop(); + +- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) { ++ if (isCallerAuthorized(action, callerID)) { + QString slotname = action; + if (slotname.startsWith(m_name + QLatin1Char('.'))) { + slotname = slotname.right(slotname.length() - m_name.length() - 1); +@@ -338,7 +361,7 @@ uint DBusHelperProxy::authorizeAction(const QString& action, const QByteArray& c + QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value(); + timer->stop(); + +- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) { ++ if (isCallerAuthorized(action, callerID)) { + retVal = static_cast(Action::Authorized); + } else { + retVal = static_cast(Action::Denied); +diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.h b/kdecore/auth/backends/dbus/DBusHelperProxy.h +index 455cf51..264f6cc 100644 +--- a/kdecore/auth/backends/dbus/DBusHelperProxy.h ++++ b/kdecore/auth/backends/dbus/DBusHelperProxy.h +@@ -21,6 +21,7 @@ + #ifndef DBUS_HELPER_PROXY_H + #define DBUS_HELPER_PROXY_H + ++#include + #include + #include "HelperProxy.h" + #include "kauthactionreply.h" +@@ -28,7 +29,7 @@ + namespace KAuth + { + +-class DBusHelperProxy : public HelperProxy ++class DBusHelperProxy : public HelperProxy, protected QDBusContext + { + Q_OBJECT + Q_INTERFACES(KAuth::HelperProxy) +@@ -73,6 +74,9 @@ signals: + + private slots: + void remoteSignalReceived(int type, const QString &action, QByteArray blob); ++ ++private: ++ bool isCallerAuthorized(const QString &action, const QByteArray &callerID); + }; + + } // namespace Auth +diff --git a/kdecore/auth/backends/policykit/PolicyKitBackend.cpp b/kdecore/auth/backends/policykit/PolicyKitBackend.cpp +index 3be97f2..9d041d1 100644 +--- a/kdecore/auth/backends/policykit/PolicyKitBackend.cpp ++++ b/kdecore/auth/backends/policykit/PolicyKitBackend.cpp +@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const + return a; + } + ++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const ++{ ++ return VerifyAgainstDBusServicePid; ++} ++ + bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID) + { + QDataStream s(&callerID, QIODevice::ReadOnly); +diff --git a/kdecore/auth/backends/policykit/PolicyKitBackend.h b/kdecore/auth/backends/policykit/PolicyKitBackend.h +index 7154e93..0d3d8f9 100644 +--- a/kdecore/auth/backends/policykit/PolicyKitBackend.h ++++ b/kdecore/auth/backends/policykit/PolicyKitBackend.h +@@ -40,6 +40,7 @@ public: + virtual Action::AuthStatus authorizeAction(const QString&); + virtual Action::AuthStatus actionStatus(const QString&); + virtual QByteArray callerID() const; ++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const; + virtual bool isCallerAuthorized(const QString &action, QByteArray callerID); + + private Q_SLOTS: +diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp +index 732d2cb..63c0e1e 100644 +--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp ++++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp +@@ -163,6 +163,11 @@ QByteArray Polkit1Backend::callerID() const + return QDBusConnection::systemBus().baseService().toUtf8(); + } + ++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const ++{ ++ return VerifyAgainstDBusServiceName; ++} ++ + bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID) + { + PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID)); +diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.h b/kdecore/auth/backends/polkit-1/Polkit1Backend.h +index 18ed1a2..d579da2 100644 +--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.h ++++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.h +@@ -48,6 +48,7 @@ public: + virtual Action::AuthStatus authorizeAction(const QString&); + virtual Action::AuthStatus actionStatus(const QString&); + virtual QByteArray callerID() const; ++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const; + virtual bool isCallerAuthorized(const QString &action, QByteArray callerID); + virtual bool actionExists(const QString& action); + +-- +cgit v0.11.2 + diff -Nru kde4libs-4.13.3/debian/patches/series kde4libs-4.13.3/debian/patches/series --- kde4libs-4.13.3/debian/patches/series 2014-07-30 19:40:09.000000000 +0000 +++ kde4libs-4.13.3/debian/patches/series 2017-05-11 13:09:58.000000000 +0000 @@ -28,3 +28,6 @@ kubuntu_no_KDE4_BUILD_TESTS.diff kubuntu_raise_after_drkonqi.patch CVE-2014-5033.patch +CVE-2016-6232.patch +CVE-2017-6410.patch +CVE-2017-8422.patch