Your message dated Sat, 27 Mar 2021 08:25:40 +0000
with message-id <[email protected]>
and subject line unblock kglobalaccel
has caused the Debian Bug report #985970,
regarding unblock: kglobalaccel/5.78.0-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
985970: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985970
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Please unblock package kglobalaccel
[ Reason ]
Upstream asked to backport a security fix:
There is the possibility that kglobalaccel runs under a wrong UID,
which would result in programs started by the logged-in user running
under a different UID.
Unrelated change: graphviz was removed from B-D since it is not
necessary (as seen, all builds succeeded).
[ Impact ]
Security fix:
Possibility of
- broken functionality (programs started as different uid will behave
differently)
- security (different uid files can be read/changed)
B-D drop: none
[ Tests ]
security fix:
The package contains an extensive set of tests that are automatically
run on build.
B-D drop: builds succeeded.
[ Risks ]
The code change is simple and adds a check for the UID and returns in
case they disagree.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock kglobalaccel/5.78.0-3
Best
Norbert
--
PREINING Norbert https://www.preining.info
Fujitsu Research Labs + IFMGA Guide + TU Wien + TeX Live + Debian Dev
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
diff -Nru kglobalaccel-5.78.0/debian/changelog
kglobalaccel-5.78.0/debian/changelog
--- kglobalaccel-5.78.0/debian/changelog 2021-01-17 12:02:21.000000000
+0900
+++ kglobalaccel-5.78.0/debian/changelog 2021-03-27 07:26:39.000000000
+0900
@@ -1,3 +1,12 @@
+kglobalaccel (5.78.0-3) unstable; urgency=medium
+
+ [ Norbert Preining ]
+ * Remove graphviz from build depends.
+ * Cherry pick upstream fix for kglobalaccel possibly running under an
+ incorrect uid, thus starting programs as different user.
+
+ -- Norbert Preining <[email protected]> Sat, 27 Mar 2021 07:26:39 +0900
+
kglobalaccel (5.78.0-2) unstable; urgency=medium
* Release to unstable.
diff -Nru kglobalaccel-5.78.0/debian/control kglobalaccel-5.78.0/debian/control
--- kglobalaccel-5.78.0/debian/control 2021-01-17 11:54:33.000000000 +0900
+++ kglobalaccel-5.78.0/debian/control 2021-03-27 07:22:05.000000000 +0900
@@ -8,7 +8,6 @@
debhelper-compat (= 13),
doxygen,
extra-cmake-modules (>= 5.78.0~),
- graphviz,
libkf5config-dev (>= 5.78.0~),
libkf5coreaddons-dev (>= 5.78.0~),
libkf5crash-dev (>= 5.78.0~),
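Review bot: dropping graphviz while doxygen stays in the same Build-Depends list is only a no-op if the doxygen configuration does not rely on dot; doxygen does not fail when dot is absent, it warns and silently omits the class and call graphs, so "all builds succeeded" shows the build is unaffected but not that the generated documentation is unchanged. Suggest comparing the doxygen log or the generated documentation with and without graphviz before treating the drop as purely cosmetic.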
diff -Nru kglobalaccel-5.78.0/debian/patches/series
kglobalaccel-5.78.0/debian/patches/series
--- kglobalaccel-5.78.0/debian/patches/series 1970-01-01 09:00:00.000000000
+0900
+++ kglobalaccel-5.78.0/debian/patches/series 2021-03-27 07:23:25.000000000
+0900
@@ -0,0 +1 @@
+upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch
diff -Nru
kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch
kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch
---
kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch
1970-01-01 09:00:00.000000000 +0900
+++
kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch
2021-03-27 07:24:20.000000000 +0900
@@ -0,0 +1,38 @@
+From bbec74337b3186bc258bd5adf849b89191789535 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <[email protected]>
+Date: Fri, 29 Jan 2021 11:31:54 +0100
+Subject: [PATCH] Don't let kglobalaccel run if KDE_SESSION_UID mismatches
+
+Otherwise shortcuts execute actions as the wrong user.
+---
+ src/runtime/main.cpp | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/src/runtime/main.cpp
++++ b/src/runtime/main.cpp
+@@ -10,6 +10,8 @@
+ #include "kglobalacceld.h"
+ #include "logging_p.h"
+
++#include <unistd.h>
++
+ #include <KCrash>
+ #include <KAboutData>
+ #include <KDBusService>
+@@ -58,6 +60,16 @@ extern "C" Q_DECL_EXPORT int main(int ar
+ return 0;
+ }
+
++ // It's possible that kglobalaccel gets started as the wrong user by
++ // accident, e.g. kdesu dolphin leads to dbus activation. It then installs
++ // its grabs and the actions are run as the wrong user.
++ bool isUidset = false;
++ const int sessionuid = qEnvironmentVariableIntValue("KDE_SESSION_UID",
&isUidset);
++ if(isUidset && static_cast<uid_t>(sessionuid) != getuid()) {
++ qCWarning(KGLOBALACCELD) << "kglobalaccel running as wrong user,
exiting.";
++ return 0;
++ }
++
+ KDBusService service(KDBusService::Unique);
+
+ app.setQuitOnLastWindowClosed( false );
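Review bot: the guard at `if(isUidset && static_cast<uid_t>(sessionuid) != getuid())` only takes effect when KDE_SESSION_UID is present in the environment of the activated process; when the variable is unset, isUidset stays false and the daemon continues exactly as before, so start-up paths that do not export KDE_SESSION_UID get no protection from this change and the unblock text should not be read as covering every way kglobalaccel can be launched. Placing the check before `KDBusService service(KDBusService::Unique);` is the right spot, since the mismatched instance exits without claiming the bus name or installing its grabs. Two smaller points: `return 0;` reports a success status to the activating bus for what is an abnormal condition, and a non-zero exit would make the failure easier to spot in the journal next to the qCWarning; and the lines containing qEnvironmentVariableIntValue and qCWarning are wrapped in this quoted copy, so it is worth confirming that the patch file in the upload applies cleanly (the reported successful build suggests it does).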
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---