Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-1.9.git;a=commitdiff;h=fc0914ab3de85cec91786dde2270bb478aeac250
commit fc0914ab3de85cec91786dde2270bb478aeac250 Author: kikadf <[email protected]> Date: Wed Aug 20 11:13:32 2014 +0200 kdelibs--2arcturus1-x86_64 * Fix CVE-2014-5033 diff --git a/source/kde/kdelibs/CVE-2014-5033.patch b/source/kde/kdelibs/CVE-2014-5033.patch new file mode 100644 index 0000000..b4a78e4 --- /dev/null +++ b/source/kde/kdelibs/CVE-2014-5033.patch @@ -0,0 +1,50 @@ +From: Martin T. H. Sandsmark <[email protected]> +Date: Mon, 21 Jul 2014 20:52:40 +0000 +Subject: Use dbus system bus name instead of PID for authentication. +X-Git-Url: http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23 +--- +Use dbus system bus name instead of PID for authentication. + +Using the PID for authentication is prone to a PID reuse +race condition, and a security issue. + +REVIEW: 119323 +--- + + +--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp ++++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp +@@ -144,7 +144,7 @@ + + Action::AuthStatus Polkit1Backend::actionStatus(const QString &action) + { +- PolkitQt1::UnixProcessSubject subject(QCoreApplication::applicationPid()); ++ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID())); + PolkitQt1::Authority::Result r = PolkitQt1::Authority::instance()->checkAuthorizationSync(action, subject, + PolkitQt1::Authority::None); + switch (r) { +@@ -160,21 +160,12 @@ + + QByteArray Polkit1Backend::callerID() const + { +- QByteArray a; +- QDataStream s(&a, QIODevice::WriteOnly); +- s << QCoreApplication::applicationPid(); +- +- return a; ++ return QDBusConnection::systemBus().baseService().toUtf8(); + } + + bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID) + { +- QDataStream s(&callerID, QIODevice::ReadOnly); +- qint64 pid; +- +- s >> pid; +- +- PolkitQt1::UnixProcessSubject subject(pid); ++ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID)); + PolkitQt1::Authority *authority = PolkitQt1::Authority::instance(); + + PolkitResultEventLoop e; + diff --git a/source/kde/kdelibs/FrugalBuild b/source/kde/kdelibs/FrugalBuild index 133f31a..cc906e5 100644 --- a/source/kde/kdelibs/FrugalBuild +++ b/source/kde/kdelibs/FrugalBuild @@ -6,7 +6,7 @@ options+=('asneeded') USE_DETECTDEPENDS=${USE_DETECTDEPENDS:-"n"} pkgname=kdelibs -pkgrel=1 +pkgrel=2arcturus1 pkgdesc="KDE4 Core Libraries." groups=('kde') archs=('i686' 'x86_64') @@ -335,6 +335,12 @@ if Fuse DETECTDEPENDS; then makedepends=("${makedepends[@]}" "$pkgname" "${subpkgs[@]}") fi +# FSA fix *** +source=(${source[@]} CVE-2014-5033.patch) +sha1sums=(${sha1sums[@]} '9f38e460cccf679873b9221ab3af1aefbc44dbcb') +# *********** + + build() { Fcd _______________________________________________ Frugalware-git mailing list [email protected] http://frugalware.org/mailman/listinfo/frugalware-git
