- Add verify-caller-CVE-2017-8422.patch: upstream security fix for

local privilege escalation (CVE-2017-8422) OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/kauth?expand=0&rev=131
2017-05-11 05:07:43 +00:00 · 2017-05-11 05:07:43 +00:00 · a95ffe54a9
commit a95ffe54a9
parent 348a3731ab
3 changed files with 207 additions and 0 deletions
--- a/kauth.changes
+++ b/kauth.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu May 11 05:05:08 UTC 2017 - lbeltrame@kde.org
+
+- Add verify-caller-CVE-2017-8422.patch: upstream security fix for
+  local privilege escalation (CVE-2017-8422)
+
 -------------------------------------------------------------------
 Sat Apr 15 10:11:44 CEST 2017 - lbeltrame@kde.org

--- a/kauth.spec
+++ b/kauth.spec
@ -40,6 +40,8 @@ Group:          System/GUI/KDE
 Url:            http://www.kde.org
 Source:         http://download.kde.org/stable/frameworks/%{_tar_path}/%{name}-%{version}.tar.xz
 Source1:        baselibs.conf
+# PATCH-FIX-UPSTREAM CVE-2017-8422
+Patch0:         verify-caller-CVE-2017-8422.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -70,6 +72,7 @@ Development files.
 %lang_package -n %lname
 %prep
 %setup -q
+%patch -p1

 %build
  %cmake_kf5 -d build -- -DSYSCONF_INSTALL_DIR=%{_kf5_sysconfdir}
--- a/verify-caller-CVE-2017-8422.patch
+++ b/verify-caller-CVE-2017-8422.patch
@ -0,0 +1,198 @@
+From df875f725293af53399f5146362eb158b4f9216a Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 10 May 2017 10:03:45 +0200
+Subject: Verify that whoever is calling us is actually who he says he is
+
+CVE-2017-8422
+---
+ src/AuthBackend.cpp                         |  5 +++++
+ src/AuthBackend.h                           |  7 +++++++
+ src/backends/dbus/DBusHelperProxy.cpp       | 27 +++++++++++++++++++++++++--
+ src/backends/dbus/DBusHelperProxy.h         |  6 +++++-
+ src/backends/policykit/PolicyKitBackend.cpp |  5 +++++
+ src/backends/policykit/PolicyKitBackend.h   |  1 +
+ src/backends/polkit-1/Polkit1Backend.cpp    |  5 +++++
+ src/backends/polkit-1/Polkit1Backend.h      |  1 +
+ 8 files changed, 54 insertions(+), 3 deletions(-)
+
+diff --git a/src/AuthBackend.cpp b/src/AuthBackend.cpp
+index a41d4f1..a847494 100644
+--- a/src/AuthBackend.cpp
+++ b/src/AuthBackend.cpp
+@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities)
+     d->capabilities = capabilities;
+ }
+ 
+AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const
+{
+    return NoExtraCallerIDVerificationMethod;
+}
+
+ bool AuthBackend::actionExists(const QString &action)
+ {
+     Q_UNUSED(action);
+diff --git a/src/AuthBackend.h b/src/AuthBackend.h
+index c67a706..09195ef 100644
+--- a/src/AuthBackend.h
+++ b/src/AuthBackend.h
+@@ -43,6 +43,12 @@ public:
+     };
+     Q_DECLARE_FLAGS(Capabilities, Capability)
+ 
+    enum ExtraCallerIDVerificationMethod {
+        NoExtraCallerIDVerificationMethod,
+        VerifyAgainstDBusServiceName,
+        VerifyAgainstDBusServicePid,
+    };
+
+     AuthBackend();
+     virtual ~AuthBackend();
+     virtual void setupAction(const QString &action) = 0;
+@@ -50,6 +56,7 @@ public:
+     virtual Action::AuthStatus authorizeAction(const QString &action) = 0;
+     virtual Action::AuthStatus actionStatus(const QString &action) = 0;
+     virtual QByteArray callerID() const = 0;
+    virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0;
+     virtual bool actionExists(const QString &action);
+ 
+diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
+index 9c5cb96..3c1c108 100644
+--- a/src/backends/dbus/DBusHelperProxy.cpp
+++ b/src/backends/dbus/DBusHelperProxy.cpp
+@@ -235,6 +235,29 @@ bool DBusHelperProxy::hasToStopAction()
+     return m_stopRequest;
+ }
+ 
+bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID)
+{
+    // Check the caller is really who it says it is
+    switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) {
+        case AuthBackend::NoExtraCallerIDVerificationMethod:
+        break;
+
+        case AuthBackend::VerifyAgainstDBusServiceName:
+            if (message().service().toUtf8() != callerID) {
+                return false;
+            }
+        break;
+
+        case AuthBackend::VerifyAgainstDBusServicePid:
+            if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) {
+                return false;
+            }
+        break;
+    }
+
+    return BackendsManager::authBackend()->isCallerAuthorized(action, callerID);
+}
+
+ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments)
+ {
+     if (!responder) {
+@@ -259,7 +282,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+     QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
+     timer->stop();
+ 
+-    if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
+    if (isCallerAuthorized(action, callerID)) {
+         QString slotname = action;
+         if (slotname.startsWith(m_name + QLatin1Char('.'))) {
+             slotname = slotname.right(slotname.length() - m_name.length() - 1);
+@@ -301,7 +324,7 @@ uint DBusHelperProxy::authorizeAction(const QString &action, const QByteArray &c
+     QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
+     timer->stop();
+ 
+-    if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
+    if (isCallerAuthorized(action, callerID)) {
+         retVal = static_cast<uint>(Action::AuthorizedStatus);
+     } else {
+         retVal = static_cast<uint>(Action::DeniedStatus);
+diff --git a/src/backends/dbus/DBusHelperProxy.h b/src/backends/dbus/DBusHelperProxy.h
+index 52b0ac4..82cec5a 100644
+--- a/src/backends/dbus/DBusHelperProxy.h
+++ b/src/backends/dbus/DBusHelperProxy.h
+@@ -25,12 +25,13 @@
+ #include "kauthactionreply.h"
+ 
+ #include <QDBusConnection>
+#include <QDBusContext>
+ #include <QVariant>
+ 
+ namespace KAuth
+ {
+ 
+-class DBusHelperProxy : public HelperProxy
+class DBusHelperProxy : public HelperProxy, protected QDBusContext
+ {
+     Q_OBJECT
+     Q_PLUGIN_METADATA(IID "org.kde.DBusHelperProxy")
+@@ -79,6 +80,9 @@ Q_SIGNALS:
+ 
+ private Q_SLOTS:
+     void remoteSignalReceived(int type, const QString &action, QByteArray blob);
+
+private:
+    bool isCallerAuthorized(const QString &action, const QByteArray &callerID);
+ };
+ 
+ } // namespace Auth
+diff --git a/src/backends/policykit/PolicyKitBackend.cpp b/src/backends/policykit/PolicyKitBackend.cpp
+index c2b4d42..bf038a8 100644
+--- a/src/backends/policykit/PolicyKitBackend.cpp
+++ b/src/backends/policykit/PolicyKitBackend.cpp
+@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const
+     return a;
+ }
+ 
+AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
+{
+    return VerifyAgainstDBusServicePid;
+}
+
+ bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+     QDataStream s(&callerID, QIODevice::ReadOnly);
+diff --git a/src/backends/policykit/PolicyKitBackend.h b/src/backends/policykit/PolicyKitBackend.h
+index eb17a3a..38b0240 100644
+--- a/src/backends/policykit/PolicyKitBackend.h
+++ b/src/backends/policykit/PolicyKitBackend.h
+@@ -40,6 +40,7 @@ public:
+     virtual Action::AuthStatus authorizeAction(const QString &);
+     virtual Action::AuthStatus actionStatus(const QString &);
+     virtual QByteArray callerID() const;
+    ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
+     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+ 
+ private Q_SLOTS:
+diff --git a/src/backends/polkit-1/Polkit1Backend.cpp b/src/backends/polkit-1/Polkit1Backend.cpp
+index 78ee5bb..774588c 100644
+--- a/src/backends/polkit-1/Polkit1Backend.cpp
+++ b/src/backends/polkit-1/Polkit1Backend.cpp
+@@ -162,6 +162,11 @@ QByteArray Polkit1Backend::callerID() const
+         return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+ 
+AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
+{
+    return VerifyAgainstDBusServiceName;
+}
+
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+     PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+diff --git a/src/backends/polkit-1/Polkit1Backend.h b/src/backends/polkit-1/Polkit1Backend.h
+index d7d1e3a..2357892 100644
+--- a/src/backends/polkit-1/Polkit1Backend.h
+++ b/src/backends/polkit-1/Polkit1Backend.h
+@@ -49,6 +49,7 @@ public:
+     Action::AuthStatus authorizeAction(const QString &) Q_DECL_OVERRIDE;
+     Action::AuthStatus actionStatus(const QString &) Q_DECL_OVERRIDE;
+     QByteArray callerID() const Q_DECL_OVERRIDE;
+    ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
+     bool isCallerAuthorized(const QString &action, QByteArray callerID) Q_DECL_OVERRIDE;
+     bool actionExists(const QString &action) Q_DECL_OVERRIDE;
+ 
+-- 
+cgit v0.11.2
+