5.35.0

.gitignore

@@ -1,12 +1 @@
-/kauth-5.21.0.tar.xz
+/kauth-5.35.0.tar.xz
-/kauth-5.22.0.tar.xz
-/kauth-5.23.0.tar.xz
-/kauth-5.24.0.tar.xz
-/kauth-5.25.0.tar.xz
-/kauth-5.26.0.tar.xz
-/kauth-5.27.0.tar.xz
-/kauth-5.29.0.tar.xz
-/kauth-5.31.0.tar.xz
-/kauth-5.32.0.tar.xz
-/kauth-5.33.0.tar.xz
-/kauth-5.34.0.tar.xz

kauth-5.33.0-2017-8422-local-privilige-escalation.patch

@@ -1,198 +0,0 @@
-From df875f725293af53399f5146362eb158b4f9216a Mon Sep 17 00:00:00 2001
-From: Albert Astals Cid <aacid@kde.org>
-Date: Wed, 10 May 2017 10:03:45 +0200
-Subject: Verify that whoever is calling us is actually who he says he is
-
-CVE-2017-8422
----
- src/AuthBackend.cpp                         |  5 +++++
- src/AuthBackend.h                           |  7 +++++++
- src/backends/dbus/DBusHelperProxy.cpp       | 27 +++++++++++++++++++++++++--
- src/backends/dbus/DBusHelperProxy.h         |  6 +++++-
- src/backends/policykit/PolicyKitBackend.cpp |  5 +++++
- src/backends/policykit/PolicyKitBackend.h   |  1 +
- src/backends/polkit-1/Polkit1Backend.cpp    |  5 +++++
- src/backends/polkit-1/Polkit1Backend.h      |  1 +
- 8 files changed, 54 insertions(+), 3 deletions(-)
-
-diff --git a/src/AuthBackend.cpp b/src/AuthBackend.cpp
-index a41d4f1..a847494 100644
---- a/src/AuthBackend.cpp
-+++ b/src/AuthBackend.cpp
-@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities)
-     d->capabilities = capabilities;
- }
- 
-+AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const
-+{
-+    return NoExtraCallerIDVerificationMethod;
-+}
-+
- bool AuthBackend::actionExists(const QString &action)
- {
-     Q_UNUSED(action);
-diff --git a/src/AuthBackend.h b/src/AuthBackend.h
-index c67a706..09195ef 100644
---- a/src/AuthBackend.h
-+++ b/src/AuthBackend.h
-@@ -43,6 +43,12 @@ public:
-     };
-     Q_DECLARE_FLAGS(Capabilities, Capability)
- 
-+    enum ExtraCallerIDVerificationMethod {
-+        NoExtraCallerIDVerificationMethod,
-+        VerifyAgainstDBusServiceName,
-+        VerifyAgainstDBusServicePid,
-+    };
-+
-     AuthBackend();
-     virtual ~AuthBackend();
-     virtual void setupAction(const QString &action) = 0;
-@@ -50,6 +56,7 @@ public:
-     virtual Action::AuthStatus authorizeAction(const QString &action) = 0;
-     virtual Action::AuthStatus actionStatus(const QString &action) = 0;
-     virtual QByteArray callerID() const = 0;
-+    virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
-     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0;
-     virtual bool actionExists(const QString &action);
- 
-diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
-index 9c5cb96..3c1c108 100644
---- a/src/backends/dbus/DBusHelperProxy.cpp
-+++ b/src/backends/dbus/DBusHelperProxy.cpp
-@@ -235,6 +235,29 @@ bool DBusHelperProxy::hasToStopAction()
-     return m_stopRequest;
- }
- 
-+bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID)
-+{
-+    // Check the caller is really who it says it is
-+    switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) {
-+        case AuthBackend::NoExtraCallerIDVerificationMethod:
-+        break;
-+
-+        case AuthBackend::VerifyAgainstDBusServiceName:
-+            if (message().service().toUtf8() != callerID) {
-+                return false;
-+            }
-+        break;
-+
-+        case AuthBackend::VerifyAgainstDBusServicePid:
-+            if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) {
-+                return false;
-+            }
-+        break;
-+    }
-+
-+    return BackendsManager::authBackend()->isCallerAuthorized(action, callerID);
-+}
-+
- QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments)
- {
-     if (!responder) {
-@@ -259,7 +282,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
-     QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
-     timer->stop();
- 
--    if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
-+    if (isCallerAuthorized(action, callerID)) {
-         QString slotname = action;
-         if (slotname.startsWith(m_name + QLatin1Char('.'))) {
-             slotname = slotname.right(slotname.length() - m_name.length() - 1);
-@@ -301,7 +324,7 @@ uint DBusHelperProxy::authorizeAction(const QString &action, const QByteArray &c
-     QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
-     timer->stop();
- 
--    if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
-+    if (isCallerAuthorized(action, callerID)) {
-         retVal = static_cast<uint>(Action::AuthorizedStatus);
-     } else {
-         retVal = static_cast<uint>(Action::DeniedStatus);
-diff --git a/src/backends/dbus/DBusHelperProxy.h b/src/backends/dbus/DBusHelperProxy.h
-index 52b0ac4..82cec5a 100644
---- a/src/backends/dbus/DBusHelperProxy.h
-+++ b/src/backends/dbus/DBusHelperProxy.h
-@@ -25,12 +25,13 @@
- #include "kauthactionreply.h"
- 
- #include <QDBusConnection>
-+#include <QDBusContext>
- #include <QVariant>
- 
- namespace KAuth
- {
- 
--class DBusHelperProxy : public HelperProxy
-+class DBusHelperProxy : public HelperProxy, protected QDBusContext
- {
-     Q_OBJECT
-     Q_PLUGIN_METADATA(IID "org.kde.DBusHelperProxy")
-@@ -79,6 +80,9 @@ Q_SIGNALS:
- 
- private Q_SLOTS:
-     void remoteSignalReceived(int type, const QString &action, QByteArray blob);
-+
-+private:
-+    bool isCallerAuthorized(const QString &action, const QByteArray &callerID);
- };
- 
- } // namespace Auth
-diff --git a/src/backends/policykit/PolicyKitBackend.cpp b/src/backends/policykit/PolicyKitBackend.cpp
-index c2b4d42..bf038a8 100644
---- a/src/backends/policykit/PolicyKitBackend.cpp
-+++ b/src/backends/policykit/PolicyKitBackend.cpp
-@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const
-     return a;
- }
- 
-+AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
-+{
-+    return VerifyAgainstDBusServicePid;
-+}
-+
- bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID)
- {
-     QDataStream s(&callerID, QIODevice::ReadOnly);
-diff --git a/src/backends/policykit/PolicyKitBackend.h b/src/backends/policykit/PolicyKitBackend.h
-index eb17a3a..38b0240 100644
---- a/src/backends/policykit/PolicyKitBackend.h
-+++ b/src/backends/policykit/PolicyKitBackend.h
-@@ -40,6 +40,7 @@ public:
-     virtual Action::AuthStatus authorizeAction(const QString &);
-     virtual Action::AuthStatus actionStatus(const QString &);
-     virtual QByteArray callerID() const;
-+    ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
-     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
- 
- private Q_SLOTS:
-diff --git a/src/backends/polkit-1/Polkit1Backend.cpp b/src/backends/polkit-1/Polkit1Backend.cpp
-index 78ee5bb..774588c 100644
---- a/src/backends/polkit-1/Polkit1Backend.cpp
-+++ b/src/backends/polkit-1/Polkit1Backend.cpp
-@@ -162,6 +162,11 @@ QByteArray Polkit1Backend::callerID() const
-         return QDBusConnection::systemBus().baseService().toUtf8();
- }
- 
-+AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
-+{
-+    return VerifyAgainstDBusServiceName;
-+}
-+
- bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
- {
-     PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
-diff --git a/src/backends/polkit-1/Polkit1Backend.h b/src/backends/polkit-1/Polkit1Backend.h
-index d7d1e3a..2357892 100644
---- a/src/backends/polkit-1/Polkit1Backend.h
-+++ b/src/backends/polkit-1/Polkit1Backend.h
-@@ -49,6 +49,7 @@ public:
-     Action::AuthStatus authorizeAction(const QString &) Q_DECL_OVERRIDE;
-     Action::AuthStatus actionStatus(const QString &) Q_DECL_OVERRIDE;
-     QByteArray callerID() const Q_DECL_OVERRIDE;
-+    ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
-     bool isCallerAuthorized(const QString &action, QByteArray callerID) Q_DECL_OVERRIDE;
-     bool actionExists(const QString &action) Q_DECL_OVERRIDE;
- 
--- 
-cgit v0.11.2
-

kf5-kauth.spec

@@ -1,7 +1,7 @@
 %global framework kauth
 
 Name:           kf5-%{framework}
-Version: 5.34.0
+Version: 5.35.0
 Release: 1%{?dist}
 Summary:        KDE Frameworks 5 Tier 2 integration module to perform actions as privileged user
 
@@ -26,8 +26,6 @@ BuildRequires:  qt5-qttools-devel
 
 Requires:       kf5-filesystem >= %{version}
 
-# security fix for CVE-2017-8422
-Patch1:         kauth-5.33.0-2017-8422-local-privilige-escalation.patch
 %description
 KAuth is a framework to let applications perform actions as a privileged user.
 
@@ -41,7 +39,7 @@ developing applications that use %{name}.
 
 
 %prep
-%autosetup -p 1 -n %{framework}-%{version}
+%autosetup -n %{framework}-%{version} -p1
 
 
 %build
@@ -58,15 +56,15 @@ make %{?_smp_mflags} -C %{_target_platform}
 %install
 make install/fast DESTDIR=%{buildroot} -C %{_target_platform}
 
-%find_lang kauth5_qt --with-qt --all-name
+%find_lang %{name} --all-name --with-qt
 
 
 %post -p /sbin/ldconfig
 %postun -p /sbin/ldconfig
 
-%files -f kauth5_qt.lang
+%files -f %{name}.lang
 %doc README.md
-%license COPYING.LIB
+%license COPYING*
 %{_kf5_libdir}/libKF5Auth.so.5*
 %{_kf5_sysconfdir}/dbus-1/system.d/org.kde.kf5auth.conf
 %{_kf5_qtplugindir}/kauth/
@@ -82,6 +80,9 @@ make install/fast DESTDIR=%{buildroot} -C %{_target_platform}
 
 
 %changelog
+* Sun Jun 04 2017 Rex Dieter <rdieter@fedoraproject.org> - 5.35.0-1
+- 5.35.0
+
 * Mon May 15 2017 Rex Dieter <rdieter@fedoraproject.org> - 5.34.0-1
 - 5.34.0
 

sources

@@ -1 +1 @@
-SHA512 (kauth-5.34.0.tar.xz) = ddd70a297a864e2b4cb522b1bf8482519c3fcd35bc5ba7fc7449d2b1a203b788337e8ea5a8e91b6bcc82c431b98b80f3b48ccad45f1c7529de70f6940e4ab6ea
+SHA512 (kauth-5.35.0.tar.xz) = bfd916a048b5e8a8553b3d888fa9079f8fdab1bec36b836e27b8dc1a6cb01dbb4cbaec16cef2faebe4fa39b6e538e1ce2a4ba71c57d5b75aef5cba4323b394e0