From cb46ab970f7c28a9cc0173ec2c771446b86e327d Mon Sep 17 00:00:00 2001
From: Rex Dieter
Date: Sat, 9 Feb 2019 21:59:08 -0600
Subject: [PATCH] (branch) Remove support for passing gui QVariants to KAuth helpers
---
 ...or-passing-gui-QVariants-to-KAuth-he.patch | 68 +++++++++++++++++++
 kf5-kauth.spec | 8 ++-
 2 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 0003-Remove-support-for-passing-gui-QVariants-to-KAuth-he.patch
diff --git a/0003-Remove-support-for-passing-gui-QVariants-to-KAuth-he.patch b/0003-Remove-support-for-passing-gui-QVariants-to-KAuth-he.patch
new file mode 100644
index 0000000..708eda0
--- /dev/null
+++ b/0003-Remove-support-for-passing-gui-QVariants-to-KAuth-he.patch
@@ -0,0 +1,68 @@
+From fc70fb0161c1b9144d26389434d34dd135cd3f4a Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Sat, 2 Feb 2019 14:35:25 +0100
+Subject: [PATCH 3/6] Remove support for passing gui QVariants to KAuth helpers
+
+Supporting gui variants is very dangerous since they can end up triggering
+image loading plugins which are one of the biggest vectors for crashes, which
+for very smart people mean possible code execution, which is very dangerous
+in code that is executed as root.
+
+We've checked all the KAuth helpers inside KDE git and none seems to be using
+gui variants, so we're not actually limiting anything that people wanted to do.
+
+Reviewed by security@kde.org and Aleix Pol
+
+Issue reported by Fabian Vogt
+---
+ src/backends/dbus/DBusHelperProxy.cpp | 9 +++++++++
+ src/kauthaction.h | 2 ++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
+index 10c14c6..8f0d336 100644
+--- a/src/backends/dbus/DBusHelperProxy.cpp
++++ b/src/backends/dbus/DBusHelperProxy.cpp
+@@ -31,6 +31,8 @@
+ #include "kf5authadaptor.h"
+ #include "kauthdebug.h"
+
++extern Q_CORE_EXPORT const QMetaTypeInterface *qMetaTypeGuiHelper;
++
+ namespace KAuth
+ {
+
+@@ -229,10 +231,17 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+ return ActionReply::HelperBusyReply().serialized();
+ }
+
++ // Make sure we don't try restoring gui variants, in particular QImage/QPixmap/QIcon are super dangerous
++ // since they end up calling the image loaders and thus are a vector for crashing → executing code
++ auto origMetaTypeGuiHelper = qMetaTypeGuiHelper;
++ qMetaTypeGuiHelper = nullptr;
++
+ QVariantMap args;
+ QDataStream s(&arguments, QIODevice::ReadOnly);
+ s >> args;
+
++ qMetaTypeGuiHelper = origMetaTypeGuiHelper;
++
+ m_currentAction = action;
+ emit remoteSignal(ActionStarted, action, QByteArray());
+ QEventLoop e;
+diff --git a/src/kauthaction.h b/src/kauthaction.h
+index c67a70a..01f3ba1 100644
+--- a/src/kauthaction.h
++++ b/src/kauthaction.h
+@@ -298,6 +298,8 @@ public:
+ * This method sets the variant map that the application
+ * can use to pass arbitrary data to the helper when executing the action.
+ *
++ * Only non-gui variants are supported.
++ *
+ * @param arguments The new arguments map
+ */
+ void setArguments(const QVariantMap &arguments);
+--
+2.17.2
+
diff --git a/kf5-kauth.spec b/kf5-kauth.spec
index e216883..5b20355 100644
--- a/kf5-kauth.spec
+++ b/kf5-kauth.spec
@@ -2,7 +2,7 @@
 Name: kf5-%{framework}
 Version: 5.54.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: KDE Frameworks 5 Tier 2 integration module to perform actions as privileged user
 License: LGPLv2+
@@ -17,6 +17,9 @@ URL: https://cgit.kde.org/%{framework}.git
 %endif
 Source0: http://download.kde.org/%{stable}/frameworks/%{majmin}/%{framework}-%{version}.tar.xz
+## upstream patches
+Patch3: 0003-Remove-support-for-passing-gui-QVariants-to-KAuth-he.patch
+
 BuildRequires: extra-cmake-modules >= %{majmin}
 BuildRequires: kf5-kcoreaddons-devel >= %{majmin}
 BuildRequires: kf5-rpm-macros
@@ -78,6 +81,9 @@ make install/fast DESTDIR=%{buildroot} -C %{_target_platform}
 %changelog
+* Sat Feb 09 2019 Rex Dieter - 5.54.0-2
+- (branch) Remove support for passing gui QVariants to KAuth helpers
+
 * Tue Jan 08 2019 Rex Dieter - 5.54.0-1
 - 5.54.0
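Review bot: The result of `s >> args;` in DBusHelperProxy::performAction is never checked, so once the gui helper is nulled a request carrying a QImage/QPixmap/QIcon variant presumably fails to deserialize and the action still proceeds, in code that runs as root, with whatever part of `args` was decoded. After the restore line I would reject such a request, e.g. `if (s.status() != QDataStream::Ok) { return ActionReply::HelperErrorReply().serialized(); }`. The save/null/restore of `qMetaTypeGuiHelper` is also a bare assignment pair on a process-wide, Qt-internal pointer; a small scope guard would restore it on every exit path, and a comment should state that deserialization is assumed to happen on a single thread while the pointer is null. performAction starts and ends outside the hunk, so whether a later validity check exists cannot be seen from here.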
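Review bot: `Patch3:` is declared in the preamble, but no hunk in this commit touches `%prep`, so whether the fix is actually applied depends on how `%prep` is written, which is not visible here. If `%prep` uses `%autosetup -p1` the patch is picked up automatically; if it uses plain `%setup`, a `%patch3 -p1` line is needed, otherwise 5.54.0-2 would ship without the hardening its changelog announces. Because this patch protects a helper that runs as root, it is worth confirming in the build log that the patch is applied.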