Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package kde-workspace In order to fix CVE-2014-8651: https://security-tracker.debian.org/tracker/CVE-2014-8651 unblock kde-workspace/4:4.11.13-2 -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash
diff -Nru kde-workspace-4.11.13/debian/changelog kde-workspace-4.11.13/debian/changelog
--- kde-workspace-4.11.13/debian/changelog 2014-10-20 17:13:03.000000000 +0200
+++ kde-workspace-4.11.13/debian/changelog 2014-11-07 10:11:29.000000000 +0100
@@ -1,3 +1,13 @@
+kde-workspace (4:4.11.13-2) unstable; urgency=medium
+
+ * New patch: upstream_do_not_pass_ntpUtility_as_an_argument.patch fix
+ for https://www.kde.org/info/security/advisory-20141106-1.txt
+ (CVE-2014-8651 : https://security-tracker.debian.org/tracker/CVE-2014-8651)
+ * New patch: upstream_validate_timezone_name_before_setting.patch,
+ avoids .. in timezone name.
+
+ -- Maximiliano Curia <m...@debian.org> Fri, 07 Nov 2014 10:11:28 +0100
+
 kde-workspace (4:4.11.13-1) unstable; urgency=medium
 
 * New upstream release (4.11.13).
diff -Nru kde-workspace-4.11.13/debian/patches/series kde-workspace-4.11.13/debian/patches/series
--- kde-workspace-4.11.13/debian/patches/series 2014-10-20 17:13:03.000000000 +0200
+++ kde-workspace-4.11.13/debian/patches/series 2014-11-07 10:11:29.000000000 +0100
@@ -26,3 +26,5 @@
 kubuntu_avoid_zic_and_deep_copy_timezone_data.diff
 check_if_SensorMgr
 ksysguardd_acpi_valgrind_complain
+upstream_do_not_pass_ntpUtility_as_an_argument.patch
+upstream_validate_timezone_name_before_setting.patch
diff -Nru kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch
--- kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch 1970-01-01 01:00:00.000000000 +0100
+++ kde-workspace-4.11.13/debian/patches/upstream_do_not_pass_ntpUtility_as_an_argument.patch 2014-11-07 10:11:29.000000000 +0100
@@ -0,0 +1,119 @@
+commit eebcb17746d9fa86ea8c5a7344709ef6750781cf
+Author: David Edmundson <k...@davidedmundson.co.uk>
+Date: Tue Nov 4 13:57:59 2014 +0100
+
+ Do not pass ntpUtility as an argument to datetime helper
+
+ Passing the name of a binary to run to a polkit helper is a security
+ risk as it allows any arbitrary process to be executed.
+
+ This patch moves the detection of ntp utility location into the helper
+ function.
+
+ REVIEW: 120977
+
+Index: kde-workspace/kcontrol/dateandtime/dtime.cpp
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/dtime.cpp 2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/dtime.cpp 2014-11-07 09:09:30.997905785 +0100
+@@ -142,27 +142,15 @@
+ //kclock->setEnabled(enabled);
+ }
+
+-void Dtime::findNTPutility(){
+- QByteArray envpath = qgetenv("PATH");
+- if (!envpath.isEmpty() && envpath[0] == ':') {
+- envpath = envpath.mid(1);
+- }
+-
+- QString path = "/sbin:/usr/sbin:";
+- if (!envpath.isEmpty()) {
+- path += QString::fromLocal8Bit(envpath);
+- } else {
+- path += QLatin1String("/bin:/usr/bin");
+- }
+-
+- foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
+- if( !((ntpUtility = KStandardDirs::findExe(possible_ntputility, path)).isEmpty()) ) {
+- kDebug() << "ntpUtility = " << ntpUtility;
+- return;
++void Dtime::findNTPutility()
++{
++ const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
++ foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++ ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++ if (!ntpUtility.isEmpty()) {
++ return;
++ }
+ }
+- }
+-
+- kDebug() << "ntpUtility not found!";
+ }
+
+ void Dtime::set_time()
+@@ -238,7 +226,6 @@
+ helperargs["ntp"] = true;
+ helperargs["ntpServers"] = list;
+ helperargs["ntpEnabled"] = setDateTimeAuto->isChecked();
+- helperargs["ntpUtility"] = ntpUtility;
+
+
if(setDateTimeAuto->isChecked() && !ntpUtility.isEmpty()){
+ // NTP Time setting - done in helper
+Index: kde-workspace/kcontrol/dateandtime/helper.cpp
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/helper.cpp 2014-11-07 09:09:31.005905464 +0100
++++ kde-workspace/kcontrol/dateandtime/helper.cpp 2014-11-07 09:09:30.997905785 +0100
+@@ -52,8 +52,18 @@
+ // clears it. So we have to use a reasonable default.
+ static const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
+
+-int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled,
+- const QString& ntpUtility )
++static QString findNtpUtility()
++{
++ foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++ const QString ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++ if (!ntpUtility.isEmpty()) {
++ return ntpUtility;
++ }
++ }
++ return QString();
++}
++
++int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled )
+ {
+ int ret = 0;
+
+@@ -69,6 +79,8 @@
+ config.writeEntry("servers", ntpServers );
+ config.writeEntry("enabled", ntpEnabled );
+
++ QString ntpUtility(findNtpUtility());
++
+ if ( ntpEnabled && !ntpUtility.isEmpty() ) {
+ // NTP Time setting
+ QString timeServer = ntpServers.first();
+@@ -236,7 +248,7 @@
+ int ret = 0; // error code
+ // The order here is important
+ if( _ntp )
+- ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool(), args.value("ntpUtility").toString() );
++ ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool());
+ if( _date )
+ ret |= date( args.value("newdate").toString(), args.value("olddate").toString() );
+ if( _tz )
+Index: kde-workspace/kcontrol/dateandtime/helper.h
+===================================================================
+--- kde-workspace.orig/kcontrol/dateandtime/helper.h 2014-11-07 09:09:31.005905464 +0100
++++
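Review bot: In the helper.cpp hunk at `@@ -69,6 +79,8 @@`, `ntpServers` is still read from the caller-supplied argument map, and the context line `QString timeServer = ntpServers.first();` runs without checking that the list is non-empty; calling `first()` on an empty list is not defined behaviour in release builds. The commit message describes this as a polkit helper, so the remaining caller-controlled inputs deserve the same scrutiny as the removed `ntpUtility`. Extend the guard to `if ( ntpEnabled && !ntpUtility.isEmpty() && !ntpServers.isEmpty() )` and accept `timeServer` only when it looks like a plain host name or address before it is handed to the utility. How the utility is invoked lies outside the hunk, so the second part is a precaution rather than a confirmed defect.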
kde-workspace/kcontrol/dateandtime/helper.h 2014-11-07 09:09:31.001905624 +0100
+@@ -42,8 +42,7 @@
+ ActionReply save(const QVariantMap &map);
+
+ private:
+- int ntp(const QStringList& ntpServers, bool ntpEnabled,
+- const QString& ntpUtility);
++ int ntp(const QStringList& ntpServers, bool ntpEnabled);
+ int date(const QString& newdate, const QString& olddate);
+ int tz(const QString& selectedzone);
+ int tzreset();
diff -Nru kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch
--- kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch 1970-01-01 01:00:00.000000000 +0100
+++ kde-workspace-4.11.13/debian/patches/upstream_validate_timezone_name_before_setting.patch 2014-11-07 10:11:29.000000000 +0100
@@ -0,0 +1,28 @@
+commit 54d0bfb5effff9c8cf60da890b7728cbe36a454e
+Author: David Edmundson <k...@davidedmundson.co.uk>
+Date: Tue Nov 4 14:00:54 2014 +0100
+
+ Validate timezone name before setting
+
+ This patch ensures that the symlink /etc/localtime always points to a
+ file in /usr/share/timezones and not an arbitrary file in a user's home
+ directory.
+
+diff --git a/kcontrol/dateandtime/helper.cpp b/kcontrol/dateandtime/helper.cpp
+index 101d8ca..21fc51a 100644
+--- a/kcontrol/dateandtime/helper.cpp
++++ b/kcontrol/dateandtime/helper.cpp
+@@ -123,6 +123,13 @@ int ClockHelper::date( const QString& newdate, const QString& olddate )
+ int ClockHelper::tz( const QString& selectedzone )
+ {
+ int ret = 0;
++
++ //only allow letters, numbers hyphen underscore plus and forward slash
++ //allowed pattern taken from time-util.c in systemd
++ if (!QRegExp("[a-zA-Z0-9-_+/]*").exactMatch(selectedzone)) {
++ return ret;
++ }
++
+ #if defined(USE_SOLARIS) // MARCO
+
+ KTemporaryFile tf;
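Review bot: The new guard in `ClockHelper::tz` exits through `return ret;` while `ret` is still 0, and the caller's `int ret = 0; // error code` in the earlier helper.cpp hunk suggests 0 means success, so a rejected zone name would be reported as a successful change. Return the helper's non-zero timezone error value there instead; its definition is not on this page. The `*` quantifier also lets an empty string and a leading `/` through, whereas the systemd check the comment cites, as far as I recall, also rejects an empty name, a leading or trailing slash and `//`. A closer match would be `if (selectedzone.isEmpty() || selectedzone.startsWith('/') || !QRegExp("[a-zA-Z0-9_+/-]+").exactMatch(selectedzone))`, with the hyphen moved to the end of the class so it cannot be read as a range. The rest of `tz()` is outside the hunk, so it cannot be seen here whether the resolved path is confirmed to lie under the zoneinfo directory.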