Hello community, here is the log from the commit of package kdeconnect-kde for openSUSE:Factory checked in at 2020-10-08 13:07:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kdeconnect-kde (Old) and /work/SRC/openSUSE:Factory/.kdeconnect-kde.new.4249 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kdeconnect-kde" Thu Oct 8 13:07:41 2020 rev:26 rq:839178 version:20.08.1 Changes: -------- --- /work/SRC/openSUSE:Factory/kdeconnect-kde/kdeconnect-kde.changes 2020-09-09 17:54:54.490814897 +0200 +++ /work/SRC/openSUSE:Factory/.kdeconnect-kde.new.4249/kdeconnect-kde.changes 2020-10-08 13:09:07.799006523 +0200 @@ -1,0 +2,15 @@ +Fri Oct 2 13:43:04 UTC 2020 - Luca Beltrame <[email protected]> + +- Add upstream patches to fix security issues in kdeconnect + (CVE-2020-26164, boo#1176268): + * 0001-Do-not-leak-the-local-user-in-the-device-name.patch + * 0002-Fix-use-after-free-in-LanLinkProvider-connectError.patch + * 0003-Limit-identity-packets-to-8KiB.patch + * 0004-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch + * 0005-Don-t-brute-force-reading-the-socket.patch + * 0006-Limit-number-of-connected-sockets-from-unpaired-devi.patch + * 0007-Do-not-remember-more-than-a-few-identity-packets-at-.patch + * 0008-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch + * 0009-Do-not-replace-connections-for-a-given-deviceId-if-t.patch + +------------------------------------------------------------------- New: ---- 0001-Do-not-leak-the-local-user-in-the-device-name.patch 0002-Fix-use-after-free-in-LanLinkProvider-connectError.patch 0003-Limit-identity-packets-to-8KiB.patch 0004-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch 0005-Don-t-brute-force-reading-the-socket.patch 0006-Limit-number-of-connected-sockets-from-unpaired-devi.patch 0007-Do-not-remember-more-than-a-few-identity-packets-at-.patch 0008-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch 0009-Do-not-replace-connections-for-a-given-deviceId-if-t.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kdeconnect-kde.spec ++++++ --- /var/tmp/diff_new_pack.Pd7kz9/_old 2020-10-08 13:09:10.667009120 +0200 +++ /var/tmp/diff_new_pack.Pd7kz9/_new 2020-10-08 13:09:10.671009123 +0200 @@ -32,6 +32,24 @@ %endif Source100: kdeconnect-kde.SuSEfirewall Source101: kdeconnect-kde-firewalld.xml +# PATCH-FIX-UPSTREAM +Patch1: 0001-Do-not-leak-the-local-user-in-the-device-name.patch +# PATCH-FIX-UPSTREAM +Patch2: 0002-Fix-use-after-free-in-LanLinkProvider-connectError.patch +# PATCH-FIX-UPSTREAM +Patch3: 0003-Limit-identity-packets-to-8KiB.patch +# PATCH-FIX-UPSTREAM +Patch4: 0004-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch +# PATCH-FIX-UPSTREAM +Patch5: 0005-Don-t-brute-force-reading-the-socket.patch +# PATCH-FIX-UPSTREAM +Patch6: 0006-Limit-number-of-connected-sockets-from-unpaired-devi.patch +# PATCH-FIX-UPSTREAM +Patch7: 0007-Do-not-remember-more-than-a-few-identity-packets-at-.patch +# PATCH-FIX-UPSTREAM +Patch8: 0008-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch +# PATCH-FIX-UPSTREAM +Patch9: 0009-Do-not-replace-connections-for-a-given-deviceId-if-t.patch BuildRequires: cmake >= 3.0 BuildRequires: extra-cmake-modules BuildRequires: kf5-filesystem @@ -91,7 +109,7 @@ %lang_package %prep -%setup -q +%autosetup -p1 %build %cmake_kf5 -d build ++++++ 0001-Do-not-leak-the-local-user-in-the-device-name.patch ++++++ >From b279c52101d3f7cc30a26086d58de0b5f1c547fa Mon Sep 17 00:00:00 2001 From: Albert Vaca Cintora <[email protected]> Date: Thu, 24 Sep 2020 17:01:03 +0200 Subject: [PATCH 1/9] Do not leak the local user in the device name. Thanks Matthias Gerstner <[email protected]> for reporting this. --- core/kdeconnectconfig.cpp | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/core/kdeconnectconfig.cpp b/core/kdeconnectconfig.cpp index 91719303..a8dbcf5c 100644 --- a/core/kdeconnectconfig.cpp +++ b/core/kdeconnectconfig.cpp @@ -90,13 +90,7 @@ KdeConnectConfig::KdeConnectConfig() QString KdeConnectConfig::name() { - QString username; - #ifdef Q_OS_WIN - username = QString::fromLatin1(qgetenv("USERNAME")); - #else - username = QString::fromLatin1(qgetenv("USER")); - #endif - QString defaultName = username + QStringLiteral("@") + QHostInfo::localHostName(); + QString defaultName = QHostInfo::localHostName(); QString name = d->m_config->value(QStringLiteral("name"), defaultName).toString(); return name; } -- 2.28.0 ++++++ 0002-Fix-use-after-free-in-LanLinkProvider-connectError.patch ++++++ >From d35b88c1b25fe13715f9170f18674d476ca9acdc Mon Sep 17 00:00:00 2001 From: Matthias Gerstner <[email protected]> Date: Thu, 24 Sep 2020 17:03:06 +0200 Subject: [PATCH 2/9] Fix use after free in LanLinkProvider::connectError() If QSslSocket::connectToHost() hasn't finished running. Thanks Matthias Gerstner <[email protected]> for reporting this. --- core/backends/lan/lanlinkprovider.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp index fc005cee..235c221f 100644 --- a/core/backends/lan/lanlinkprovider.cpp +++ b/core/backends/lan/lanlinkprovider.cpp @@ -252,7 +252,7 @@ void LanLinkProvider::connectError(QAbstractSocket::SocketError socketError) //The socket we created didn't work, and we didn't manage //to create a LanDeviceLink from it, deleting everything. delete m_receivedIdentityPackets.take(socket).np; - delete socket; + socket->deleteLater(); } //We received a UDP packet and answered by connecting to them by TCP. This gets called on a successful connection. -- 2.28.0 ++++++ 0003-Limit-identity-packets-to-8KiB.patch ++++++ >From b496e66899e5bc9547b6537a7f44ab44dd0aaf38 Mon Sep 17 00:00:00 2001 From: Aleix Pol <[email protected]> Date: Wed, 16 Sep 2020 02:28:58 +0200 Subject: [PATCH 3/9] Limit identity packets to 8KiB Healthy identity packages shouldn't be that big and we don't want to allow systems around us to send us ever humongous packages that will just leave us without any memory. Thanks Matthias Gerstner <[email protected]> for reporting this. --- core/backends/lan/lanlinkprovider.cpp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp index 235c221f..1fd3870e 100644 --- a/core/backends/lan/lanlinkprovider.cpp +++ b/core/backends/lan/lanlinkprovider.cpp @@ -381,6 +381,14 @@ void LanLinkProvider::newConnection() void LanLinkProvider::dataReceived() { QSslSocket* socket = qobject_cast<QSslSocket*>(sender()); + //the size here is arbitrary and is now at 8192 bytes. It needs to be considerably long as it includes the capabilities but there needs to be a limit + //Tested between my systems and I get around 2000 per identity package. + if (socket->bytesAvailable() > 8192) { + qCWarning(KDECONNECT_CORE) << "LanLinkProvider/newConnection: Suspiciously long identity package received. Closing connection." << socket->peerAddress() << socket->bytesAvailable(); + socket->disconnectFromHost(); + return; + } + #if QT_VERSION < QT_VERSION_CHECK(5,7,0) if (!socket->canReadLine()) return; -- 2.28.0 ++++++ 0004-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch ++++++ >From 5310eae85dbdf92fba30375238a2481f2e34943e Mon Sep 17 00:00:00 2001 From: Aleix Pol <[email protected]> Date: Wed, 16 Sep 2020 02:44:38 +0200 Subject: [PATCH 4/9] Do not let lanlink connections stay open for long without authenticating If there's no information received, close the socket to try again. Thanks Matthias Gerstner <[email protected]> for reporting this. --- core/backends/lan/lanlinkprovider.cpp | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp index 1fd3870e..a4942c65 100644 --- a/core/backends/lan/lanlinkprovider.cpp +++ b/core/backends/lan/lanlinkprovider.cpp @@ -374,6 +374,16 @@ void LanLinkProvider::newConnection() connect(socket, &QIODevice::readyRead, this, &LanLinkProvider::dataReceived); + QTimer* timer = new QTimer(socket); + timer->setSingleShot(true); + timer->setInterval(1000); + connect(socket, &QSslSocket::encrypted, + timer, &QObject::deleteLater); + connect(timer, &QTimer::timeout, socket, [socket] { + qCWarning(KDECONNECT_CORE) << "LanLinkProvider/newConnection: Host timed out without sending any identity." << socket->peerAddress(); + socket->disconnectFromHost(); + }); + timer->start(); } } -- 2.28.0 ++++++ 0005-Don-t-brute-force-reading-the-socket.patch ++++++ >From 721ba9faafb79aac73973410ee1dd3624ded97a5 Mon Sep 17 00:00:00 2001 From: Aleix Pol <[email protected]> Date: Wed, 16 Sep 2020 02:27:13 +0200 Subject: [PATCH 5/9] Don't brute-force reading the socket The package will arrive eventually, and dataReceived will be emitted. Otherwise we just end up calling dataReceived to no end. Thanks Matthias Gerstner <[email protected]> for reporting this. --- core/backends/lan/socketlinereader.cpp | 8 ------- tests/testsocketlinereader.cpp | 31 ++++++++++++++++++++++++-- 2 files changed, 29 insertions(+), 10 deletions(-) diff --git a/core/backends/lan/socketlinereader.cpp b/core/backends/lan/socketlinereader.cpp index f67fdf3f..da77052a 100644 --- a/core/backends/lan/socketlinereader.cpp +++ b/core/backends/lan/socketlinereader.cpp @@ -38,14 +38,6 @@ void SocketLineReader::dataReceived() } } - //If we still have things to read from the socket, call dataReceived again - //We do this manually because we do not trust readyRead to be emitted again - //So we call this method again just in case. - if (m_socket->bytesAvailable() > 0) { - QMetaObject::invokeMethod(this, "dataReceived", Qt::QueuedConnection); - return; - } - //If we have any packets, tell it to the world. if (!m_packets.isEmpty()) { Q_EMIT readyRead(); diff --git a/tests/testsocketlinereader.cpp b/tests/testsocketlinereader.cpp index 75584556..b6425b03 100644 --- a/tests/testsocketlinereader.cpp +++ b/tests/testsocketlinereader.cpp @@ -25,16 +25,19 @@ #include <QProcess> #include <QEventLoop> #include <QTimer> +#include <QSignalSpy> class TestSocketLineReader : public QObject { Q_OBJECT public Q_SLOTS: - void initTestCase(); + void init(); + void cleanup() { delete m_server; } void newPacket(); private Q_SLOTS: void socketLineReader(); + void badData(); private: QTimer m_timer; @@ -45,8 +48,9 @@ private: SocketLineReader* m_reader; }; -void TestSocketLineReader::initTestCase() +void TestSocketLineReader::init() { + m_packets.clear(); m_server = new Server(this); QVERIFY2(m_server->listen(QHostAddress::LocalHost, 8694), "Failed to create local tcp server"); @@ -97,6 +101,29 @@ void TestSocketLineReader::socketLineReader() } } +void TestSocketLineReader::badData() +{ + const QList<QByteArray> dataToSend = { "data1\n", "data" }; //does not end in a \n + for (const QByteArray& line : qAsConst(dataToSend)) { + m_conn->write(line); + } + m_conn->flush(); + + QSignalSpy spy(m_server, &QTcpServer::newConnection); + QVERIFY(m_server->hasPendingConnections() || spy.wait(1000)); + QSslSocket* sock = m_server->nextPendingConnection(); + + QVERIFY2(sock != nullptr, "Could not open a connection to the client"); + + m_reader = new SocketLineReader(sock, this); + connect(m_reader, &SocketLineReader::readyRead, this, &TestSocketLineReader::newPacket); + m_timer.start(); + m_loop.exec(); + + QCOMPARE(m_packets.count(), 1); + QCOMPARE(m_packets[0], dataToSend[0]); +} + void TestSocketLineReader::newPacket() { if (!m_reader->bytesAvailable()) { -- 2.28.0 ++++++ 0006-Limit-number-of-connected-sockets-from-unpaired-devi.patch ++++++ >From ae58b9dec49c809b85b5404cee17946116f8a706 Mon Sep 17 00:00:00 2001 From: Albert Vaca Cintora <[email protected]> Date: Thu, 24 Sep 2020 17:13:34 +0200 Subject: [PATCH 6/9] Limit number of connected sockets from unpaired devices Thanks Matthias Gerstner <[email protected]> for reporting this. --- core/backends/lan/lanlinkprovider.cpp | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp index a4942c65..770e7866 100644 --- a/core/backends/lan/lanlinkprovider.cpp +++ b/core/backends/lan/lanlinkprovider.cpp @@ -46,6 +46,8 @@ #define MIN_VERSION_WITH_SSL_SUPPORT 6 +static const int MAX_UNPAIRED_CONNECTIONS = 42; + LanLinkProvider::LanLinkProvider( bool testMode, quint16 udpBroadcastPort, @@ -555,6 +557,15 @@ void LanLinkProvider::addLink(const QString& deviceId, QSslSocket* socket, Netwo deviceLink->reset(socket, connectionOrigin); } else { deviceLink = new LanDeviceLink(deviceId, this, socket, connectionOrigin); + // Socket disconnection will now be handled by LanDeviceLink + disconnect(socket, &QAbstractSocket::disconnected, socket, &QObject::deleteLater); + bool isDeviceTrusted = KdeConnectConfig::instance().trustedDevices().contains(deviceId); + if (!isDeviceTrusted && m_links.size() > MAX_UNPAIRED_CONNECTIONS) { + qCWarning(KDECONNECT_CORE) << "Too many unpaired devices to remember them all. Ignoring " << deviceId; + socket->disconnectFromHost(); + socket->deleteLater(); + return; + } connect(deviceLink, &QObject::destroyed, this, &LanLinkProvider::deviceLinkDestroyed); m_links[deviceId] = deviceLink; if (m_pairingHandlers.contains(deviceId)) { -- 2.28.0 ++++++ 0007-Do-not-remember-more-than-a-few-identity-packets-at-.patch ++++++ >From 66c768aa9e7fba30b119c8b801efd49ed1270b0a Mon Sep 17 00:00:00 2001 From: Albert Vaca Cintora <[email protected]> Date: Thu, 24 Sep 2020 17:16:02 +0200 Subject: [PATCH 7/9] Do not remember more than a few identity packets at a time To prevent the kdeconnect process from using too much memory. Thanks Matthias Gerstner <[email protected]> for reporting this. --- core/backends/lan/lanlinkprovider.cpp | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp index 770e7866..6afb8552 100644 --- a/core/backends/lan/lanlinkprovider.cpp +++ b/core/backends/lan/lanlinkprovider.cpp @@ -47,6 +47,7 @@ #define MIN_VERSION_WITH_SSL_SUPPORT 6 static const int MAX_UNPAIRED_CONNECTIONS = 42; +static const int MAX_REMEMBERED_IDENTITY_PACKETS = 42; LanLinkProvider::LanLinkProvider( bool testMode, @@ -225,6 +226,12 @@ void LanLinkProvider::udpBroadcastReceived() //qCDebug(KDECONNECT_CORE) << "Received Udp identity packet from" << sender << " asking for a tcp connection on port " << tcpPort; + if (m_receivedIdentityPackets.size() > MAX_REMEMBERED_IDENTITY_PACKETS) { + qCWarning(KDECONNECT_CORE) << "Too many remembered identities, ignoring" << receivedPacket->get<QString>(QStringLiteral("deviceId")) << "received via UDP"; + delete receivedPacket; + continue; + } + QSslSocket* socket = new QSslSocket(this); socket->setProxy(QNetworkProxy::NoProxy); m_receivedIdentityPackets[socket].np = receivedPacket; @@ -435,6 +442,12 @@ void LanLinkProvider::dataReceived() return; } + if (m_receivedIdentityPackets.size() > MAX_REMEMBERED_IDENTITY_PACKETS) { + qCWarning(KDECONNECT_CORE) << "Too many remembered identities, ignoring" << np->get<QString>(QStringLiteral("deviceId")) << "received via TCP"; + delete np; + return; + } + // Needed in "encrypted" if ssl is used, similar to "tcpSocketConnected" m_receivedIdentityPackets[socket].np = np; -- 2.28.0 ++++++ 0008-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch ++++++ >From 85b691e40f525e22ca5cc4ebe79c361d71d7dc05 Mon Sep 17 00:00:00 2001 From: Albert Vaca Cintora <[email protected]> Date: Thu, 24 Sep 2020 17:18:06 +0200 Subject: [PATCH 8/9] Limit the ports we try to connect to to the port range of KDE Connect So we can't trigger connections to other services. Thanks Matthias Gerstner <[email protected]> for reporting this. --- core/backends/lan/lanlinkprovider.cpp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp index 6afb8552..f3d6801d 100644 --- a/core/backends/lan/lanlinkprovider.cpp +++ b/core/backends/lan/lanlinkprovider.cpp @@ -223,6 +223,11 @@ void LanLinkProvider::udpBroadcastReceived() } int tcpPort = receivedPacket->get<int>(QStringLiteral("tcpPort")); + if (tcpPort < MIN_TCP_PORT || tcpPort > MAX_TCP_PORT) { + qCDebug(KDECONNECT_CORE) << "TCP port outside of kdeconnect's range"; + delete receivedPacket; + continue; + } //qCDebug(KDECONNECT_CORE) << "Received Udp identity packet from" << sender << " asking for a tcp connection on port " << tcpPort; -- 2.28.0 ++++++ 0009-Do-not-replace-connections-for-a-given-deviceId-if-t.patch ++++++ >From 48180b46552d40729a36b7431e97bbe2b5379306 Mon Sep 17 00:00:00 2001 From: Albert Vaca Cintora <[email protected]> Date: Thu, 24 Sep 2020 18:46:57 +0200 Subject: [PATCH 9/9] Do not replace connections for a given deviceId if the certs have changed Thanks Matthias Gerstner <[email protected]> for reporting this. --- core/backends/lan/landevicelink.cpp | 5 +++++ core/backends/lan/landevicelink.h | 1 + core/backends/lan/lanlinkprovider.cpp | 6 ++++++ 3 files changed, 12 insertions(+) diff --git a/core/backends/lan/landevicelink.cpp b/core/backends/lan/landevicelink.cpp index 8a65fb92..41af6f0e 100644 --- a/core/backends/lan/landevicelink.cpp +++ b/core/backends/lan/landevicelink.cpp @@ -192,3 +192,8 @@ bool LanDeviceLink::linkShouldBeKeptAlive() { //return (mConnectionSource == ConnectionStarted::Remotely || pairStatus() == Paired); } + +QSslCertificate LanDeviceLink::certificate() const +{ + return m_socketLineReader->peerCertificate(); +} diff --git a/core/backends/lan/landevicelink.h b/core/backends/lan/landevicelink.h index 28f63db2..485c58b5 100644 --- a/core/backends/lan/landevicelink.h +++ b/core/backends/lan/landevicelink.h @@ -56,6 +56,7 @@ public: bool linkShouldBeKeptAlive() override; QHostAddress hostAddress() const; + QSslCertificate certificate() const; private Q_SLOTS: void dataReceived(); diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp index f3d6801d..372cdc8f 100644 --- a/core/backends/lan/lanlinkprovider.cpp +++ b/core/backends/lan/lanlinkprovider.cpp @@ -345,6 +345,12 @@ void LanLinkProvider::encrypted() NetworkPacket* receivedPacket = m_receivedIdentityPackets[socket].np; const QString& deviceId = receivedPacket->get<QString>(QStringLiteral("deviceId")); + if (m_links.contains(deviceId) && m_links[deviceId]->certificate() != socket->peerCertificate()) { + socket->disconnectFromHost(); + qCWarning(KDECONNECT_CORE) << "Got connection for the same deviceId but certificates don't match. Ignoring " << deviceId; + return; + } + addLink(deviceId, socket, receivedPacket, connectionOrigin); // Copied from tcpSocketConnected slot, now delete received packet -- 2.28.0
