Your message dated Fri, 7 Nov 2014 13:07:33 +0100
with message-id <[email protected]>
and subject line Re: Bug#768430: unblock: kde-workspace/4:4.11.13-2
has caused the Debian Bug report #768430,
regarding unblock: kde-workspace/4:4.11.13-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
768430: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768430
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package kde-workspace
In order to fix CVE-2014-8651:
https://security-tracker.debian.org/tracker/CVE-2014-8651
unblock kde-workspace/4:4.11.13-2
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru kde-workspace-4.11.13/debian/changelog kde-workspace-4.11.13/debian/changelog
--- kde-workspace-4.11.13/debian/changelog 2014-10-20 17:13:03.000000000 +0200
+++ kde-workspace-4.11.13/debian/changelog 2014-11-07 10:11:29.000000000 +0100
@@ -1,3 +1,13 @@
+kde-workspace (4:4.11.13-2) unstable; urgency=medium
+
+ * New patch: upstream_do_not_pass_ntpUtility_as_an_argument.patch fix
+ for https://www.kde.org/info/security/advisory-20141106-1.txt
+ (CVE-2014-8651 : https://security-tracker.debian.org/tracker/CVE-2014-8651)
+ * New patch: upstream_validate_timezone_name_before_setting.patch,
+ avoids .. in timezone name.
+
+ -- Maximiliano Curia <[email protected]> Fri, 07 Nov 2014 10:11:28 +0100
+
kde-workspace (4:4.11.13-1) unstable; urgency=medium
* New upstream release (4.11.13).
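Review bot: The second entry, for upstream_validate_timezone_name_before_setting.patch, does not say whether it belongs to the CVE-2014-8651 fix or is separate hardening, while the first entry cites both the advisory and the CVE. Since this upload is the basis of an unblock request, state the relation in the entry so the release team can tell which change addresses the CVE.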
diff -Nru kde-workspace-4.11.13/debian/patches/series kde-workspace-4.11.13/debian/patches/series
--- kde-workspace-4.11.13/debian/patches/series 2014-10-20 17:13:03.000000000 +0200
+++ kde-workspace-4.11.13/debian/patches/series 2014-11-07 10:11:29.000000000 +0100
@@ -26,3 +26,5 @@
kubuntu_avoid_zic_and_deep_copy_timezone_data.diff
check_if_SensorMgr
ksysguardd_acpi_valgrind_complain
+upstream_do_not_pass_ntpUtility_as_an_argument.patch
+upstream_validate_timezone_name_before_setting.patch
diff -Nru kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch
--- kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch 1970-01-01 01:00:00.000000000 +0100
+++ kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch 2014-11-07 10:11:29.000000000 +0100
@@ -0,0 +1,119 @@
+commit eebcb17746d9fa86ea8c5a7344709ef6750781cf
+Author: David Edmundson <[email protected]>
+Date: Tue Nov 4 13:57:59 2014 +0100
+
+ Do not pass ntpUtility as an argument to datetime helper
+
+ Passing the name of a binary to run to a polkit helper is a security
+ risk as it allows any arbitrary process to be executed.
+
+ This patch moves the detection of ntp utility location into the helper
+ function.
+
+ REVIEW: 120977
+
+Index: kde-workspace/kcontrol/dateandtime/dtime.cpp
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/dtime.cpp 2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/dtime.cpp 2014-11-07 09:09:30.997905785 +0100
+@@ -142,27 +142,15 @@
+ //kclock->setEnabled(enabled);
+ }
+
+-void Dtime::findNTPutility(){
+- QByteArray envpath = qgetenv("PATH");
+- if (!envpath.isEmpty() && envpath[0] == ':') {
+- envpath = envpath.mid(1);
+- }
+-
+- QString path = "/sbin:/usr/sbin:";
+- if (!envpath.isEmpty()) {
+- path += QString::fromLocal8Bit(envpath);
+- } else {
+- path += QLatin1String("/bin:/usr/bin");
+- }
+-
+- foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
+- if( !((ntpUtility = KStandardDirs::findExe(possible_ntputility, path)).isEmpty()) ) {
+- kDebug() << "ntpUtility = " << ntpUtility;
+- return;
++void Dtime::findNTPutility()
++{
++ const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
++ foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++ ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++ if (!ntpUtility.isEmpty()) {
++ return;
++ }
+ }
+- }
+-
+- kDebug() << "ntpUtility not found!";
+ }
+
+ void Dtime::set_time()
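Review bot: The rewritten Dtime::findNTPutility() repeats the search path "/usr/sbin:/usr/bin:/sbin:/bin" and the ntpdate/rdate candidate list that helper.cpp keeps in its own static exePath and findNtpUtility(), so the UI's view of which utility exists can drift from what the privileged helper actually runs. Define the path and the candidate list once in a shared header, or at least comment both copies as needing to stay in sync. The rewrite also drops both kDebug() lines, including the "ntpUtility not found!" message, which was the only trace of why NTP setting gets skipped; keeping one debug line for the not-found case would help.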
+@@ -238,7 +226,6 @@
+ helperargs["ntp"] = true;
+ helperargs["ntpServers"] = list;
+ helperargs["ntpEnabled"] = setDateTimeAuto->isChecked();
+- helperargs["ntpUtility"] = ntpUtility;
+
+ if(setDateTimeAuto->isChecked() && !ntpUtility.isEmpty()){
+ // NTP Time setting - done in helper
+Index: kde-workspace/kcontrol/dateandtime/helper.cpp
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/helper.cpp 2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/helper.cpp 2014-11-07 09:09:30.997905785 +0100
+@@ -52,8 +52,18 @@
+ // clears it. So we have to use a reasonable default.
+ static const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
+
+-int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled,
+- const QString& ntpUtility )
++static QString findNtpUtility()
++{
++ foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++ const QString ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++ if (!ntpUtility.isEmpty()) {
++ return ntpUtility;
++ }
++ }
++ return QString();
++}
++
++int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled )
+ {
+ int ret = 0;
+
+@@ -69,6 +79,8 @@
+ config.writeEntry("servers", ntpServers );
+ config.writeEntry("enabled", ntpEnabled );
+
++ QString ntpUtility(findNtpUtility());
++
+ if ( ntpEnabled && !ntpUtility.isEmpty() ) {
+ // NTP Time setting
+ QString timeServer = ntpServers.first();
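Review bot: In the context line "QString timeServer = ntpServers.first();" nothing visible guards against an empty ntpServers list; the condition above it tests only ntpEnabled and ntpUtility. The list is still taken directly from the caller's args map, and with ntpUtility now resolved inside the helper it is the remaining caller-supplied input on this path. Add !ntpServers.isEmpty() to the condition and validate the server name in the helper as well.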
+@@ -236,7 +248,7 @@
+ int ret = 0; // error code
+ // The order here is important
+ if( _ntp )
+- ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool(), args.value("ntpUtility").toString() );
++ ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool());
+ if( _date )
+ ret |= date( args.value("newdate").toString(), args.value("olddate").toString() );
+ if( _tz )
+Index: kde-workspace/kcontrol/dateandtime/helper.h
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/helper.h 2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/helper.h 2014-11-07 09:09:31.001905624 +0100
+@@ -42,8 +42,7 @@
+ ActionReply save(const QVariantMap &map);
+
+ private:
+- int ntp(const QStringList& ntpServers, bool ntpEnabled,
+- const QString& ntpUtility);
++ int ntp(const QStringList& ntpServers, bool ntpEnabled);
+ int date(const QString& newdate, const QString& olddate);
+ int tz(const QString& selectedzone);
+ int tzreset();
diff -Nru kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch
--- kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch 1970-01-01 01:00:00.000000000 +0100
+++ kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch 2014-11-07 10:11:29.000000000 +0100
@@ -0,0 +1,28 @@
+commit 54d0bfb5effff9c8cf60da890b7728cbe36a454e
+Author: David Edmundson <[email protected]>
+Date: Tue Nov 4 14:00:54 2014 +0100
+
+ Validate timezone name before setting
+
+ This patch ensures that the symlink /etc/localtime always points to a
+ file in /usr/share/timezones and not an arbitrary file in a user's home
+ directory.
+
+diff --git a/kcontrol/dateandtime/helper.cpp b/kcontrol/dateandtime/helper.cpp
+index 101d8ca..21fc51a 100644
+--- a/kcontrol/dateandtime/helper.cpp
++++ b/kcontrol/dateandtime/helper.cpp
+@@ -123,6 +123,13 @@ int ClockHelper::date( const QString& newdate, const QString& olddate )
+ int ClockHelper::tz( const QString& selectedzone )
+ {
+ int ret = 0;
++
++ //only allow letters, numbers hyphen underscore plus and forward slash
++ //allowed pattern taken from time-util.c in systemd
++ if (!QRegExp("[a-zA-Z0-9-_+/]*").exactMatch(selectedzone)) {
++ return ret;
++ }
++
+ #if defined(USE_SOLARIS) // MARCO
+
+ KTemporaryFile tf;
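Review bot: The rejection branch does "return ret;" while ret is still 0, so a timezone name that fails validation is reported to the caller exactly like a successful change; return a non-zero error code there. The pattern also ends in "*", so an empty selectedzone passes exactMatch(), and it accepts a name that begins with "/"; rejecting both explicitly would tighten the check. Writing the character class with the hyphen last, as in [a-zA-Z0-9_+/-], removes any doubt about "9-_" being read as a range.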
--- End Message ---
--- Begin Message ---
On Fri, Nov 7, 2014 at 12:19:25 +0100, Maximiliano Curia wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package kde-workspace
>
> In order to fix CVE-2014-8651:
> https://security-tracker.debian.org/tracker/CVE-2014-8651
>
> unblock kde-workspace/4:4.11.13-2
>
Unblocked.
Cheers,
Julien
--- End Message ---