pool/kdeconnect-kde
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 839178 from KDE:Applications

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/839178
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/kdeconnect-kde?expand=0&rev=26
This commit is contained in:
Dominique Leuenberger 2020-10-08 11:07:41 +00:00 committed by Git OBS Bridge
commit fdff9cecf4
11 changed files with 455 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
0001-Do-not-leak-the-local-user-in-the-device-name.patch Normal file
View File

@ -0,0 +1,32 @@
From b279c52101d3f7cc30a26086d58de0b5f1c547fa Mon Sep 17 00:00:00 2001
From: Albert Vaca Cintora <albertvaka@gmail.com>
Date: Thu, 24 Sep 2020 17:01:03 +0200
Subject: [PATCH 1/9] Do not leak the local user in the device name.
Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
---
core/kdeconnectconfig.cpp | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/core/kdeconnectconfig.cpp b/core/kdeconnectconfig.cpp
index 91719303..a8dbcf5c 100644
--- a/core/kdeconnectconfig.cpp
+++ b/core/kdeconnectconfig.cpp
@@ -90,13 +90,7 @@ KdeConnectConfig::KdeConnectConfig()
QString KdeConnectConfig::name()
{
- QString username;
- #ifdef Q_OS_WIN
- username = QString::fromLatin1(qgetenv("USERNAME"));
- #else
- username = QString::fromLatin1(qgetenv("USER"));
- #endif
- QString defaultName = username + QStringLiteral("@") + QHostInfo::localHostName();
+ QString defaultName = QHostInfo::localHostName();
QString name = d->m_config->value(QStringLiteral("name"), defaultName).toString();
return name;
}
--
2.28.0

28
0002-Fix-use-after-free-in-LanLinkProvider-connectError.patch Normal file
View File

@ -0,0 +1,28 @@
From d35b88c1b25fe13715f9170f18674d476ca9acdc Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <mgerstner@suse.de>
Date: Thu, 24 Sep 2020 17:03:06 +0200
Subject: [PATCH 2/9] Fix use after free in LanLinkProvider::connectError()
If QSslSocket::connectToHost() hasn't finished running.
Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
---
core/backends/lan/lanlinkprovider.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
index fc005cee..235c221f 100644
--- a/core/backends/lan/lanlinkprovider.cpp
+++ b/core/backends/lan/lanlinkprovider.cpp
@@ -252,7 +252,7 @@ void LanLinkProvider::connectError(QAbstractSocket::SocketError socketError)
//The socket we created didn't work, and we didn't manage
//to create a LanDeviceLink from it, deleting everything.
delete m_receivedIdentityPackets.take(socket).np;
- delete socket;
+ socket->deleteLater();
}
//We received a UDP packet and answered by connecting to them by TCP. This gets called on a successful connection.
--
2.28.0

36
0003-Limit-identity-packets-to-8KiB.patch Normal file
View File

@ -0,0 +1,36 @@
From b496e66899e5bc9547b6537a7f44ab44dd0aaf38 Mon Sep 17 00:00:00 2001
From: Aleix Pol <aleixpol@kde.org>
Date: Wed, 16 Sep 2020 02:28:58 +0200
Subject: [PATCH 3/9] Limit identity packets to 8KiB
Healthy identity packages shouldn't be that big and we don't want to
allow systems around us to send us ever humongous packages that will
just leave us without any memory.
Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
---
core/backends/lan/lanlinkprovider.cpp | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
index 235c221f..1fd3870e 100644
--- a/core/backends/lan/lanlinkprovider.cpp
+++ b/core/backends/lan/lanlinkprovider.cpp
@@ -381,6 +381,14 @@ void LanLinkProvider::newConnection()
void LanLinkProvider::dataReceived()
{
QSslSocket* socket = qobject_cast<QSslSocket*>(sender());
+ //the size here is arbitrary and is now at 8192 bytes. It needs to be considerably long as it includes the capabilities but there needs to be a limit
+ //Tested between my systems and I get around 2000 per identity package.
+ if (socket->bytesAvailable() > 8192) {
+ qCWarning(KDECONNECT_CORE) << "LanLinkProvider/newConnection: Suspiciously long identity package received. Closing connection." << socket->peerAddress() << socket->bytesAvailable();
+ socket->disconnectFromHost();
+ return;
+ }
+
#if QT_VERSION < QT_VERSION_CHECK(5,7,0)
if (!socket->canReadLine())
return;
--
2.28.0

37
0004-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch Normal file
View File

@ -0,0 +1,37 @@
From 5310eae85dbdf92fba30375238a2481f2e34943e Mon Sep 17 00:00:00 2001
From: Aleix Pol <aleixpol@kde.org>
Date: Wed, 16 Sep 2020 02:44:38 +0200
Subject: [PATCH 4/9] Do not let lanlink connections stay open for long without
authenticating
If there's no information received, close the socket to try again.
Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
---
core/backends/lan/lanlinkprovider.cpp | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
index 1fd3870e..a4942c65 100644
--- a/core/backends/lan/lanlinkprovider.cpp
+++ b/core/backends/lan/lanlinkprovider.cpp
@@ -374,6 +374,16 @@ void LanLinkProvider::newConnection()
connect(socket, &QIODevice::readyRead,
this, &LanLinkProvider::dataReceived);
+ QTimer* timer = new QTimer(socket);
+ timer->setSingleShot(true);
+ timer->setInterval(1000);
+ connect(socket, &QSslSocket::encrypted,
+ timer, &QObject::deleteLater);
+ connect(timer, &QTimer::timeout, socket, [socket] {
+ qCWarning(KDECONNECT_CORE) << "LanLinkProvider/newConnection: Host timed out without sending any identity." << socket->peerAddress();
+ socket->disconnectFromHost();
+ });
+ timer->start();
}
}
--
2.28.0

102
0005-Don-t-brute-force-reading-the-socket.patch Normal file
View File

@ -0,0 +1,102 @@
From 721ba9faafb79aac73973410ee1dd3624ded97a5 Mon Sep 17 00:00:00 2001
From: Aleix Pol <aleixpol@kde.org>
Date: Wed, 16 Sep 2020 02:27:13 +0200
Subject: [PATCH 5/9] Don't brute-force reading the socket
The package will arrive eventually, and dataReceived will be emitted.
Otherwise we just end up calling dataReceived to no end.
Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
---
core/backends/lan/socketlinereader.cpp | 8 -------
tests/testsocketlinereader.cpp | 31 ++++++++++++++++++++++++--
2 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/core/backends/lan/socketlinereader.cpp b/core/backends/lan/socketlinereader.cpp
index f67fdf3f..da77052a 100644
--- a/core/backends/lan/socketlinereader.cpp
+++ b/core/backends/lan/socketlinereader.cpp
@@ -38,14 +38,6 @@ void SocketLineReader::dataReceived()
}
}
- //If we still have things to read from the socket, call dataReceived again
- //We do this manually because we do not trust readyRead to be emitted again
- //So we call this method again just in case.
- if (m_socket->bytesAvailable() > 0) {
- QMetaObject::invokeMethod(this, "dataReceived", Qt::QueuedConnection);
- return;
- }
-
//If we have any packets, tell it to the world.
if (!m_packets.isEmpty()) {
Q_EMIT readyRead();
diff --git a/tests/testsocketlinereader.cpp b/tests/testsocketlinereader.cpp
index 75584556..b6425b03 100644
--- a/tests/testsocketlinereader.cpp
+++ b/tests/testsocketlinereader.cpp
@@ -25,16 +25,19 @@
#include <QProcess>
#include <QEventLoop>
#include <QTimer>
+#include <QSignalSpy>
class TestSocketLineReader : public QObject
{
Q_OBJECT
public Q_SLOTS:
- void initTestCase();
+ void init();
+ void cleanup() { delete m_server; }
void newPacket();
private Q_SLOTS:
void socketLineReader();
+ void badData();
private:
QTimer m_timer;
@@ -45,8 +48,9 @@ private:
SocketLineReader* m_reader;
};
-void TestSocketLineReader::initTestCase()
+void TestSocketLineReader::init()
{
+ m_packets.clear();
m_server = new Server(this);
QVERIFY2(m_server->listen(QHostAddress::LocalHost, 8694), "Failed to create local tcp server");
@@ -97,6 +101,29 @@ void TestSocketLineReader::socketLineReader()
}
}
+void TestSocketLineReader::badData()
+{
+ const QList<QByteArray> dataToSend = { "data1\n", "data" }; //does not end in a \n
+ for (const QByteArray& line : qAsConst(dataToSend)) {
+ m_conn->write(line);
+ }
+ m_conn->flush();
+
+ QSignalSpy spy(m_server, &QTcpServer::newConnection);
+ QVERIFY(m_server->hasPendingConnections() || spy.wait(1000));
+ QSslSocket* sock = m_server->nextPendingConnection();
+
+ QVERIFY2(sock != nullptr, "Could not open a connection to the client");
+
+ m_reader = new SocketLineReader(sock, this);
+ connect(m_reader, &SocketLineReader::readyRead, this, &TestSocketLineReader::newPacket);
+ m_timer.start();
+ m_loop.exec();
+
+ QCOMPARE(m_packets.count(), 1);
+ QCOMPARE(m_packets[0], dataToSend[0]);
+}
+
void TestSocketLineReader::newPacket()
{
if (!m_reader->bytesAvailable()) {
--
2.28.0

42
0006-Limit-number-of-connected-sockets-from-unpaired-devi.patch Normal file
View File

@ -0,0 +1,42 @@
From ae58b9dec49c809b85b5404cee17946116f8a706 Mon Sep 17 00:00:00 2001
From: Albert Vaca Cintora <albertvaka@gmail.com>
Date: Thu, 24 Sep 2020 17:13:34 +0200
Subject: [PATCH 6/9] Limit number of connected sockets from unpaired devices
Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
---
core/backends/lan/lanlinkprovider.cpp | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
index a4942c65..770e7866 100644
--- a/core/backends/lan/lanlinkprovider.cpp
+++ b/core/backends/lan/lanlinkprovider.cpp
@@ -46,6 +46,8 @@
#define MIN_VERSION_WITH_SSL_SUPPORT 6
+static const int MAX_UNPAIRED_CONNECTIONS = 42;
+
LanLinkProvider::LanLinkProvider(
bool testMode,
quint16 udpBroadcastPort,
@@ -555,6 +557,15 @@ void LanLinkProvider::addLink(const QString& deviceId, QSslSocket* socket, Netwo
deviceLink->reset(socket, connectionOrigin);
} else {
deviceLink = new LanDeviceLink(deviceId, this, socket, connectionOrigin);
+ // Socket disconnection will now be handled by LanDeviceLink
+ disconnect(socket, &QAbstractSocket::disconnected, socket, &QObject::deleteLater);
+ bool isDeviceTrusted = KdeConnectConfig::instance().trustedDevices().contains(deviceId);
+ if (!isDeviceTrusted && m_links.size() > MAX_UNPAIRED_CONNECTIONS) {
+ qCWarning(KDECONNECT_CORE) << "Too many unpaired devices to remember them all. Ignoring " << deviceId;
+ socket->disconnectFromHost();
+ socket->deleteLater();
+ return;
+ }
connect(deviceLink, &QObject::destroyed, this, &LanLinkProvider::deviceLinkDestroyed);
m_links[deviceId] = deviceLink;
if (m_pairingHandlers.contains(deviceId)) {
--
2.28.0

54
0007-Do-not-remember-more-than-a-few-identity-packets-at-.patch Normal file
View File

@ -0,0 +1,54 @@
From 66c768aa9e7fba30b119c8b801efd49ed1270b0a Mon Sep 17 00:00:00 2001
From: Albert Vaca Cintora <albertvaka@gmail.com>
Date: Thu, 24 Sep 2020 17:16:02 +0200
Subject: [PATCH 7/9] Do not remember more than a few identity packets at a
time
To prevent the kdeconnect process from using too much memory.
Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
---
core/backends/lan/lanlinkprovider.cpp | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
index 770e7866..6afb8552 100644
--- a/core/backends/lan/lanlinkprovider.cpp
+++ b/core/backends/lan/lanlinkprovider.cpp
@@ -47,6 +47,7 @@
#define MIN_VERSION_WITH_SSL_SUPPORT 6
static const int MAX_UNPAIRED_CONNECTIONS = 42;
+static const int MAX_REMEMBERED_IDENTITY_PACKETS = 42;
LanLinkProvider::LanLinkProvider(
bool testMode,
@@ -225,6 +226,12 @@ void LanLinkProvider::udpBroadcastReceived()
//qCDebug(KDECONNECT_CORE) << "Received Udp identity packet from" << sender << " asking for a tcp connection on port " << tcpPort;
+ if (m_receivedIdentityPackets.size() > MAX_REMEMBERED_IDENTITY_PACKETS) {
+ qCWarning(KDECONNECT_CORE) << "Too many remembered identities, ignoring" << receivedPacket->get<QString>(QStringLiteral("deviceId")) << "received via UDP";
+ delete receivedPacket;
+ continue;
+ }
+
QSslSocket* socket = new QSslSocket(this);
socket->setProxy(QNetworkProxy::NoProxy);
m_receivedIdentityPackets[socket].np = receivedPacket;
@@ -435,6 +442,12 @@ void LanLinkProvider::dataReceived()
return;
}
+ if (m_receivedIdentityPackets.size() > MAX_REMEMBERED_IDENTITY_PACKETS) {
+ qCWarning(KDECONNECT_CORE) << "Too many remembered identities, ignoring" << np->get<QString>(QStringLiteral("deviceId")) << "received via TCP";
+ delete np;
+ return;
+ }
+
// Needed in "encrypted" if ssl is used, similar to "tcpSocketConnected"
m_receivedIdentityPackets[socket].np = np;
--
2.28.0

32
0008-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch Normal file
View File

@ -0,0 +1,32 @@
From 85b691e40f525e22ca5cc4ebe79c361d71d7dc05 Mon Sep 17 00:00:00 2001
From: Albert Vaca Cintora <albertvaka@gmail.com>
Date: Thu, 24 Sep 2020 17:18:06 +0200
Subject: [PATCH 8/9] Limit the ports we try to connect to to the port range of
KDE Connect
So we can't trigger connections to other services.
Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
---
core/backends/lan/lanlinkprovider.cpp | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
index 6afb8552..f3d6801d 100644
--- a/core/backends/lan/lanlinkprovider.cpp
+++ b/core/backends/lan/lanlinkprovider.cpp
@@ -223,6 +223,11 @@ void LanLinkProvider::udpBroadcastReceived()
}
int tcpPort = receivedPacket->get<int>(QStringLiteral("tcpPort"));
+ if (tcpPort < MIN_TCP_PORT || tcpPort > MAX_TCP_PORT) {
+ qCDebug(KDECONNECT_CORE) << "TCP port outside of kdeconnect's range";
+ delete receivedPacket;
+ continue;
+ }
//qCDebug(KDECONNECT_CORE) << "Received Udp identity packet from" << sender << " asking for a tcp connection on port " << tcpPort;
--
2.28.0

58
0009-Do-not-replace-connections-for-a-given-deviceId-if-t.patch Normal file
View File

@ -0,0 +1,58 @@
From 48180b46552d40729a36b7431e97bbe2b5379306 Mon Sep 17 00:00:00 2001
From: Albert Vaca Cintora <albertvaka@gmail.com>
Date: Thu, 24 Sep 2020 18:46:57 +0200
Subject: [PATCH 9/9] Do not replace connections for a given deviceId if the
certs have changed
Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
---
core/backends/lan/landevicelink.cpp | 5 +++++
core/backends/lan/landevicelink.h | 1 +
core/backends/lan/lanlinkprovider.cpp | 6 ++++++
3 files changed, 12 insertions(+)
diff --git a/core/backends/lan/landevicelink.cpp b/core/backends/lan/landevicelink.cpp
index 8a65fb92..41af6f0e 100644
--- a/core/backends/lan/landevicelink.cpp
+++ b/core/backends/lan/landevicelink.cpp
@@ -192,3 +192,8 @@ bool LanDeviceLink::linkShouldBeKeptAlive() {
//return (mConnectionSource == ConnectionStarted::Remotely || pairStatus() == Paired);
}
+
+QSslCertificate LanDeviceLink::certificate() const
+{
+ return m_socketLineReader->peerCertificate();
+}
diff --git a/core/backends/lan/landevicelink.h b/core/backends/lan/landevicelink.h
index 28f63db2..485c58b5 100644
--- a/core/backends/lan/landevicelink.h
+++ b/core/backends/lan/landevicelink.h
@@ -56,6 +56,7 @@ public:
bool linkShouldBeKeptAlive() override;
QHostAddress hostAddress() const;
+ QSslCertificate certificate() const;
private Q_SLOTS:
void dataReceived();
diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
index f3d6801d..372cdc8f 100644
--- a/core/backends/lan/lanlinkprovider.cpp
+++ b/core/backends/lan/lanlinkprovider.cpp
@@ -345,6 +345,12 @@ void LanLinkProvider::encrypted()
NetworkPacket* receivedPacket = m_receivedIdentityPackets[socket].np;
const QString& deviceId = receivedPacket->get<QString>(QStringLiteral("deviceId"));
+ if (m_links.contains(deviceId) && m_links[deviceId]->certificate() != socket->peerCertificate()) {
+ socket->disconnectFromHost();
+ qCWarning(KDECONNECT_CORE) << "Got connection for the same deviceId but certificates don't match. Ignoring " << deviceId;
+ return;
+ }
+
addLink(deviceId, socket, receivedPacket, connectionOrigin);
// Copied from tcpSocketConnected slot, now delete received packet
--
2.28.0

15
kdeconnect-kde.changes
View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Fri Oct 2 13:43:04 UTC 2020 - Luca Beltrame <lbeltrame@kde.org>
- Add upstream patches to fix security issues in kdeconnect
(CVE-2020-26164, boo#1176268):
* 0001-Do-not-leak-the-local-user-in-the-device-name.patch
* 0002-Fix-use-after-free-in-LanLinkProvider-connectError.patch
* 0003-Limit-identity-packets-to-8KiB.patch
* 0004-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch
* 0005-Don-t-brute-force-reading-the-socket.patch
* 0006-Limit-number-of-connected-sockets-from-unpaired-devi.patch
* 0007-Do-not-remember-more-than-a-few-identity-packets-at-.patch
* 0008-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch
* 0009-Do-not-replace-connections-for-a-given-deviceId-if-t.patch
-------------------------------------------------------------------
Tue Sep 1 20:49:36 UTC 2020 - Luca Beltrame <lbeltrame@kde.org>

20
kdeconnect-kde.spec
View File

@ -32,6 +32,24 @@ Source1: https://download.kde.org/stable/release-service/%{version}/src/%
%endif
Source100: kdeconnect-kde.SuSEfirewall
Source101: kdeconnect-kde-firewalld.xml
# PATCH-FIX-UPSTREAM
Patch1: 0001-Do-not-leak-the-local-user-in-the-device-name.patch
# PATCH-FIX-UPSTREAM
Patch2: 0002-Fix-use-after-free-in-LanLinkProvider-connectError.patch
# PATCH-FIX-UPSTREAM
Patch3: 0003-Limit-identity-packets-to-8KiB.patch
# PATCH-FIX-UPSTREAM
Patch4: 0004-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch
# PATCH-FIX-UPSTREAM
Patch5: 0005-Don-t-brute-force-reading-the-socket.patch
# PATCH-FIX-UPSTREAM
Patch6: 0006-Limit-number-of-connected-sockets-from-unpaired-devi.patch
# PATCH-FIX-UPSTREAM
Patch7: 0007-Do-not-remember-more-than-a-few-identity-packets-at-.patch
# PATCH-FIX-UPSTREAM
Patch8: 0008-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch
# PATCH-FIX-UPSTREAM
Patch9: 0009-Do-not-replace-connections-for-a-given-deviceId-if-t.patch
BuildRequires: cmake >= 3.0
BuildRequires: extra-cmake-modules
BuildRequires: kf5-filesystem
@ -91,7 +109,7 @@ ZSH command line completion support for %{name}.
%lang_package
%prep
%setup -q
%autosetup -p1
%build
%cmake_kf5 -d build