commit: bb81637747a3a0d3cc36bd19f73250d32dfc8b6c Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> AuthorDate: Sun Oct 4 08:35:47 2020 +0000 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> CommitDate: Sun Oct 4 15:54:07 2020 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb816377
kde-misc/kdeconnect: Fix CVE-2020-26164 See also: https://kde.org/info/security/advisory-20201002-1.txt Bug: https://bugs.gentoo.org/746401 Package-Manager: Portage-3.0.8, Repoman-3.0.1 Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> ...re-SSL-errors-except-for-self-signed-cert.patch | 65 +++++++++++++ ...ot-leak-the-local-user-in-the-device-name.patch | 32 +++++++ ...fter-free-in-LanLinkProvider-connectError.patch | 28 ++++++ ...20.04.3-04-Limit-identity-packets-to-8KiB.patch | 36 ++++++++ ...lanlink-connections-stay-open-for-long-wi.patch | 37 ++++++++ ...3-06-Don-t-brute-force-reading-the-socket.patch | 102 +++++++++++++++++++++ ...r-of-connected-sockets-from-unpaired-devi.patch | 42 +++++++++ ...mber-more-than-a-few-identity-packets-at-.patch | 54 +++++++++++ ...orts-we-try-to-connect-to-to-the-port-ran.patch | 32 +++++++ ...ace-connections-for-a-given-deviceId-if-t.patch | 58 ++++++++++++ kde-misc/kdeconnect/kdeconnect-20.04.3-r1.ebuild | 98 ++++++++++++++++++++ kde-misc/kdeconnect/kdeconnect-20.08.1-r1.ebuild | 99 ++++++++++++++++++++ 12 files changed, 683 insertions(+) diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-01-Do-not-ignore-SSL-errors-except-for-self-signed-cert.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-01-Do-not-ignore-SSL-errors-except-for-self-signed-cert.patch new file mode 100644 index 00000000000..cafeb9501cd --- /dev/null +++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-01-Do-not-ignore-SSL-errors-except-for-self-signed-cert.patch @@ -0,0 +1,65 @@ +From f183b5447bad47655c21af87214579f03bf3a163 Mon Sep 17 00:00:00 2001 +From: Albert Vaca Cintora <[email protected]> +Date: Thu, 24 Sep 2020 16:59:22 +0200 +Subject: [PATCH 01/10] Do not ignore SSL errors, except for self-signed cert + errors. + +Thanks Matthias Gerstner <[email protected]> for reporting this. +--- + core/backends/lan/lanlinkprovider.cpp | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp +index d9a7d8fa..fc005cee 100644 +--- a/core/backends/lan/lanlinkprovider.cpp ++++ b/core/backends/lan/lanlinkprovider.cpp +@@ -297,9 +297,7 @@ void LanLinkProvider::tcpSocketConnected() + + connect(socket, &QSslSocket::encrypted, this, &LanLinkProvider::encrypted); + +- if (isDeviceTrusted) { +- connect(socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors); +- } ++ connect(socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors); + + socket->startServerEncryption(); + +@@ -326,8 +324,6 @@ void LanLinkProvider::encrypted() + + QSslSocket* socket = qobject_cast<QSslSocket*>(sender()); + if (!socket) return; +- // TODO delete me? +- disconnect(socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors); + + Q_ASSERT(socket->mode() != QSslSocket::UnencryptedMode); + LanDeviceLink::ConnectionStarted connectionOrigin = (socket->mode() == QSslSocket::SslClientMode)? LanDeviceLink::Locally : LanDeviceLink::Remotely; +@@ -346,14 +342,20 @@ void LanLinkProvider::sslErrors(const QList<QSslError>& errors) + QSslSocket* socket = qobject_cast<QSslSocket*>(sender()); + if (!socket) return; + +- qCDebug(KDECONNECT_CORE) << "Failing due to " << errors; +- Device* device = Daemon::instance()->getDevice(socket->peerVerifyName()); +- if (device) { +- device->unpair(); ++ bool fatal = false; ++ for (const QSslError& error : errors) { ++ if (error.error() != QSslError::SelfSignedCertificate) { ++ qCCritical(KDECONNECT_CORE) << "Disconnecting due to fatal SSL Error: " << error; ++ fatal = true; ++ } else { ++ qCDebug(KDECONNECT_CORE) << "Ignoring self-signed cert error"; ++ } + } + +- delete m_receivedIdentityPackets.take(socket).np; +- // Socket disconnects itself on ssl error and will be deleted by deleteLater slot, no need to delete manually ++ if (fatal) { ++ socket->disconnectFromHost(); ++ delete m_receivedIdentityPackets.take(socket).np; ++ } + } + + //I'm the new device and this is the answer to my UDP identity packet (no data received yet). They are connecting to us through TCP, and they should send an identity. +-- +2.28.0 + diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-02-Do-not-leak-the-local-user-in-the-device-name.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-02-Do-not-leak-the-local-user-in-the-device-name.patch new file mode 100644 index 00000000000..b374d001036 --- /dev/null +++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-02-Do-not-leak-the-local-user-in-the-device-name.patch @@ -0,0 +1,32 @@ +From b279c52101d3f7cc30a26086d58de0b5f1c547fa Mon Sep 17 00:00:00 2001 +From: Albert Vaca Cintora <[email protected]> +Date: Thu, 24 Sep 2020 17:01:03 +0200 +Subject: [PATCH 02/10] Do not leak the local user in the device name. + +Thanks Matthias Gerstner <[email protected]> for reporting this. +--- + core/kdeconnectconfig.cpp | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/core/kdeconnectconfig.cpp b/core/kdeconnectconfig.cpp +index 91719303..a8dbcf5c 100644 +--- a/core/kdeconnectconfig.cpp ++++ b/core/kdeconnectconfig.cpp +@@ -90,13 +90,7 @@ KdeConnectConfig::KdeConnectConfig() + + QString KdeConnectConfig::name() + { +- QString username; +- #ifdef Q_OS_WIN +- username = QString::fromLatin1(qgetenv("USERNAME")); +- #else +- username = QString::fromLatin1(qgetenv("USER")); +- #endif +- QString defaultName = username + QStringLiteral("@") + QHostInfo::localHostName(); ++ QString defaultName = QHostInfo::localHostName(); + QString name = d->m_config->value(QStringLiteral("name"), defaultName).toString(); + return name; + } +-- +2.28.0 + diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-03-Fix-use-after-free-in-LanLinkProvider-connectError.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-03-Fix-use-after-free-in-LanLinkProvider-connectError.patch new file mode 100644 index 00000000000..52fb9057b93 --- /dev/null +++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-03-Fix-use-after-free-in-LanLinkProvider-connectError.patch @@ -0,0 +1,28 @@ +From d35b88c1b25fe13715f9170f18674d476ca9acdc Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner <[email protected]> +Date: Thu, 24 Sep 2020 17:03:06 +0200 +Subject: [PATCH 03/10] Fix use after free in LanLinkProvider::connectError() + +If QSslSocket::connectToHost() hasn't finished running. + +Thanks Matthias Gerstner <[email protected]> for reporting this. +--- + core/backends/lan/lanlinkprovider.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp +index fc005cee..235c221f 100644 +--- a/core/backends/lan/lanlinkprovider.cpp ++++ b/core/backends/lan/lanlinkprovider.cpp +@@ -252,7 +252,7 @@ void LanLinkProvider::connectError(QAbstractSocket::SocketError socketError) + //The socket we created didn't work, and we didn't manage + //to create a LanDeviceLink from it, deleting everything. + delete m_receivedIdentityPackets.take(socket).np; +- delete socket; ++ socket->deleteLater(); + } + + //We received a UDP packet and answered by connecting to them by TCP. This gets called on a successful connection. +-- +2.28.0 + diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-04-Limit-identity-packets-to-8KiB.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-04-Limit-identity-packets-to-8KiB.patch new file mode 100644 index 00000000000..e083f5896de --- /dev/null +++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-04-Limit-identity-packets-to-8KiB.patch @@ -0,0 +1,36 @@ +From b496e66899e5bc9547b6537a7f44ab44dd0aaf38 Mon Sep 17 00:00:00 2001 +From: Aleix Pol <[email protected]> +Date: Wed, 16 Sep 2020 02:28:58 +0200 +Subject: [PATCH 04/10] Limit identity packets to 8KiB + +Healthy identity packages shouldn't be that big and we don't want to +allow systems around us to send us ever humongous packages that will +just leave us without any memory. + +Thanks Matthias Gerstner <[email protected]> for reporting this. +--- + core/backends/lan/lanlinkprovider.cpp | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp +index 235c221f..1fd3870e 100644 +--- a/core/backends/lan/lanlinkprovider.cpp ++++ b/core/backends/lan/lanlinkprovider.cpp +@@ -381,6 +381,14 @@ void LanLinkProvider::newConnection() + void LanLinkProvider::dataReceived() + { + QSslSocket* socket = qobject_cast<QSslSocket*>(sender()); ++ //the size here is arbitrary and is now at 8192 bytes. It needs to be considerably long as it includes the capabilities but there needs to be a limit ++ //Tested between my systems and I get around 2000 per identity package. ++ if (socket->bytesAvailable() > 8192) { ++ qCWarning(KDECONNECT_CORE) << "LanLinkProvider/newConnection: Suspiciously long identity package received. Closing connection." << socket->peerAddress() << socket->bytesAvailable(); ++ socket->disconnectFromHost(); ++ return; ++ } ++ + #if QT_VERSION < QT_VERSION_CHECK(5,7,0) + if (!socket->canReadLine()) + return; +-- +2.28.0 + diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-05-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-05-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch new file mode 100644 index 00000000000..1465ce48b98 --- /dev/null +++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-05-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch @@ -0,0 +1,37 @@ +From 5310eae85dbdf92fba30375238a2481f2e34943e Mon Sep 17 00:00:00 2001 +From: Aleix Pol <[email protected]> +Date: Wed, 16 Sep 2020 02:44:38 +0200 +Subject: [PATCH 05/10] Do not let lanlink connections stay open for long + without authenticating + +If there's no information received, close the socket to try again. + +Thanks Matthias Gerstner <[email protected]> for reporting this. +--- + core/backends/lan/lanlinkprovider.cpp | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp +index 1fd3870e..a4942c65 100644 +--- a/core/backends/lan/lanlinkprovider.cpp ++++ b/core/backends/lan/lanlinkprovider.cpp +@@ -374,6 +374,16 @@ void LanLinkProvider::newConnection() + connect(socket, &QIODevice::readyRead, + this, &LanLinkProvider::dataReceived); + ++ QTimer* timer = new QTimer(socket); ++ timer->setSingleShot(true); ++ timer->setInterval(1000); ++ connect(socket, &QSslSocket::encrypted, ++ timer, &QObject::deleteLater); ++ connect(timer, &QTimer::timeout, socket, [socket] { ++ qCWarning(KDECONNECT_CORE) << "LanLinkProvider/newConnection: Host timed out without sending any identity." << socket->peerAddress(); ++ socket->disconnectFromHost(); ++ }); ++ timer->start(); + } + } + +-- +2.28.0 + diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-06-Don-t-brute-force-reading-the-socket.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-06-Don-t-brute-force-reading-the-socket.patch new file mode 100644 index 00000000000..7bb674a8e8f --- /dev/null +++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-06-Don-t-brute-force-reading-the-socket.patch @@ -0,0 +1,102 @@ +From 721ba9faafb79aac73973410ee1dd3624ded97a5 Mon Sep 17 00:00:00 2001 +From: Aleix Pol <[email protected]> +Date: Wed, 16 Sep 2020 02:27:13 +0200 +Subject: [PATCH 06/10] Don't brute-force reading the socket + +The package will arrive eventually, and dataReceived will be emitted. +Otherwise we just end up calling dataReceived to no end. + +Thanks Matthias Gerstner <[email protected]> for reporting this. +--- + core/backends/lan/socketlinereader.cpp | 8 ------- + tests/testsocketlinereader.cpp | 31 ++++++++++++++++++++++++-- + 2 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/core/backends/lan/socketlinereader.cpp b/core/backends/lan/socketlinereader.cpp +index f67fdf3f..da77052a 100644 +--- a/core/backends/lan/socketlinereader.cpp ++++ b/core/backends/lan/socketlinereader.cpp +@@ -38,14 +38,6 @@ void SocketLineReader::dataReceived() + } + } + +- //If we still have things to read from the socket, call dataReceived again +- //We do this manually because we do not trust readyRead to be emitted again +- //So we call this method again just in case. +- if (m_socket->bytesAvailable() > 0) { +- QMetaObject::invokeMethod(this, "dataReceived", Qt::QueuedConnection); +- return; +- } +- + //If we have any packets, tell it to the world. + if (!m_packets.isEmpty()) { + Q_EMIT readyRead(); +diff --git a/tests/testsocketlinereader.cpp b/tests/testsocketlinereader.cpp +index 75584556..b6425b03 100644 +--- a/tests/testsocketlinereader.cpp ++++ b/tests/testsocketlinereader.cpp +@@ -25,16 +25,19 @@ + #include <QProcess> + #include <QEventLoop> + #include <QTimer> ++#include <QSignalSpy> + + class TestSocketLineReader : public QObject + { + Q_OBJECT + public Q_SLOTS: +- void initTestCase(); ++ void init(); ++ void cleanup() { delete m_server; } + void newPacket(); + + private Q_SLOTS: + void socketLineReader(); ++ void badData(); + + private: + QTimer m_timer; +@@ -45,8 +48,9 @@ private: + SocketLineReader* m_reader; + }; + +-void TestSocketLineReader::initTestCase() ++void TestSocketLineReader::init() + { ++ m_packets.clear(); + m_server = new Server(this); + + QVERIFY2(m_server->listen(QHostAddress::LocalHost, 8694), "Failed to create local tcp server"); +@@ -97,6 +101,29 @@ void TestSocketLineReader::socketLineReader() + } + } + ++void TestSocketLineReader::badData() ++{ ++ const QList<QByteArray> dataToSend = { "data1\n", "data" }; //does not end in a \n ++ for (const QByteArray& line : qAsConst(dataToSend)) { ++ m_conn->write(line); ++ } ++ m_conn->flush(); ++ ++ QSignalSpy spy(m_server, &QTcpServer::newConnection); ++ QVERIFY(m_server->hasPendingConnections() || spy.wait(1000)); ++ QSslSocket* sock = m_server->nextPendingConnection(); ++ ++ QVERIFY2(sock != nullptr, "Could not open a connection to the client"); ++ ++ m_reader = new SocketLineReader(sock, this); ++ connect(m_reader, &SocketLineReader::readyRead, this, &TestSocketLineReader::newPacket); ++ m_timer.start(); ++ m_loop.exec(); ++ ++ QCOMPARE(m_packets.count(), 1); ++ QCOMPARE(m_packets[0], dataToSend[0]); ++} ++ + void TestSocketLineReader::newPacket() + { + if (!m_reader->bytesAvailable()) { +-- +2.28.0 + diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-07-Limit-number-of-connected-sockets-from-unpaired-devi.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-07-Limit-number-of-connected-sockets-from-unpaired-devi.patch new file mode 100644 index 00000000000..6a6bdb01cb9 --- /dev/null +++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-07-Limit-number-of-connected-sockets-from-unpaired-devi.patch @@ -0,0 +1,42 @@ +From ae58b9dec49c809b85b5404cee17946116f8a706 Mon Sep 17 00:00:00 2001 +From: Albert Vaca Cintora <[email protected]> +Date: Thu, 24 Sep 2020 17:13:34 +0200 +Subject: [PATCH 07/10] Limit number of connected sockets from unpaired devices + +Thanks Matthias Gerstner <[email protected]> for reporting this. +--- + core/backends/lan/lanlinkprovider.cpp | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp +index a4942c65..770e7866 100644 +--- a/core/backends/lan/lanlinkprovider.cpp ++++ b/core/backends/lan/lanlinkprovider.cpp +@@ -46,6 +46,8 @@ + + #define MIN_VERSION_WITH_SSL_SUPPORT 6 + ++static const int MAX_UNPAIRED_CONNECTIONS = 42; ++ + LanLinkProvider::LanLinkProvider( + bool testMode, + quint16 udpBroadcastPort, +@@ -555,6 +557,15 @@ void LanLinkProvider::addLink(const QString& deviceId, QSslSocket* socket, Netwo + deviceLink->reset(socket, connectionOrigin); + } else { + deviceLink = new LanDeviceLink(deviceId, this, socket, connectionOrigin); ++ // Socket disconnection will now be handled by LanDeviceLink ++ disconnect(socket, &QAbstractSocket::disconnected, socket, &QObject::deleteLater); ++ bool isDeviceTrusted = KdeConnectConfig::instance().trustedDevices().contains(deviceId); ++ if (!isDeviceTrusted && m_links.size() > MAX_UNPAIRED_CONNECTIONS) { ++ qCWarning(KDECONNECT_CORE) << "Too many unpaired devices to remember them all. Ignoring " << deviceId; ++ socket->disconnectFromHost(); ++ socket->deleteLater(); ++ return; ++ } + connect(deviceLink, &QObject::destroyed, this, &LanLinkProvider::deviceLinkDestroyed); + m_links[deviceId] = deviceLink; + if (m_pairingHandlers.contains(deviceId)) { +-- +2.28.0 + diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-08-Do-not-remember-more-than-a-few-identity-packets-at-.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-08-Do-not-remember-more-than-a-few-identity-packets-at-.patch new file mode 100644 index 00000000000..36d612e9cbc --- /dev/null +++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-08-Do-not-remember-more-than-a-few-identity-packets-at-.patch @@ -0,0 +1,54 @@ +From 66c768aa9e7fba30b119c8b801efd49ed1270b0a Mon Sep 17 00:00:00 2001 +From: Albert Vaca Cintora <[email protected]> +Date: Thu, 24 Sep 2020 17:16:02 +0200 +Subject: [PATCH 08/10] Do not remember more than a few identity packets at a + time + +To prevent the kdeconnect process from using too much memory. + +Thanks Matthias Gerstner <[email protected]> for reporting this. +--- + core/backends/lan/lanlinkprovider.cpp | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp +index 770e7866..6afb8552 100644 +--- a/core/backends/lan/lanlinkprovider.cpp ++++ b/core/backends/lan/lanlinkprovider.cpp +@@ -47,6 +47,7 @@ + #define MIN_VERSION_WITH_SSL_SUPPORT 6 + + static const int MAX_UNPAIRED_CONNECTIONS = 42; ++static const int MAX_REMEMBERED_IDENTITY_PACKETS = 42; + + LanLinkProvider::LanLinkProvider( + bool testMode, +@@ -225,6 +226,12 @@ void LanLinkProvider::udpBroadcastReceived() + + //qCDebug(KDECONNECT_CORE) << "Received Udp identity packet from" << sender << " asking for a tcp connection on port " << tcpPort; + ++ if (m_receivedIdentityPackets.size() > MAX_REMEMBERED_IDENTITY_PACKETS) { ++ qCWarning(KDECONNECT_CORE) << "Too many remembered identities, ignoring" << receivedPacket->get<QString>(QStringLiteral("deviceId")) << "received via UDP"; ++ delete receivedPacket; ++ continue; ++ } ++ + QSslSocket* socket = new QSslSocket(this); + socket->setProxy(QNetworkProxy::NoProxy); + m_receivedIdentityPackets[socket].np = receivedPacket; +@@ -435,6 +442,12 @@ void LanLinkProvider::dataReceived() + return; + } + ++ if (m_receivedIdentityPackets.size() > MAX_REMEMBERED_IDENTITY_PACKETS) { ++ qCWarning(KDECONNECT_CORE) << "Too many remembered identities, ignoring" << np->get<QString>(QStringLiteral("deviceId")) << "received via TCP"; ++ delete np; ++ return; ++ } ++ + // Needed in "encrypted" if ssl is used, similar to "tcpSocketConnected" + m_receivedIdentityPackets[socket].np = np; + +-- +2.28.0 + diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-09-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-09-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch new file mode 100644 index 00000000000..c108144632c --- /dev/null +++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-09-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch @@ -0,0 +1,32 @@ +From 85b691e40f525e22ca5cc4ebe79c361d71d7dc05 Mon Sep 17 00:00:00 2001 +From: Albert Vaca Cintora <[email protected]> +Date: Thu, 24 Sep 2020 17:18:06 +0200 +Subject: [PATCH 09/10] Limit the ports we try to connect to to the port range + of KDE Connect + +So we can't trigger connections to other services. + +Thanks Matthias Gerstner <[email protected]> for reporting this. +--- + core/backends/lan/lanlinkprovider.cpp | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp +index 6afb8552..f3d6801d 100644 +--- a/core/backends/lan/lanlinkprovider.cpp ++++ b/core/backends/lan/lanlinkprovider.cpp +@@ -223,6 +223,11 @@ void LanLinkProvider::udpBroadcastReceived() + } + + int tcpPort = receivedPacket->get<int>(QStringLiteral("tcpPort")); ++ if (tcpPort < MIN_TCP_PORT || tcpPort > MAX_TCP_PORT) { ++ qCDebug(KDECONNECT_CORE) << "TCP port outside of kdeconnect's range"; ++ delete receivedPacket; ++ continue; ++ } + + //qCDebug(KDECONNECT_CORE) << "Received Udp identity packet from" << sender << " asking for a tcp connection on port " << tcpPort; + +-- +2.28.0 + diff --git a/kde-misc/kdeconnect/files/kdeconnect-20.04.3-10-Do-not-replace-connections-for-a-given-deviceId-if-t.patch b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-10-Do-not-replace-connections-for-a-given-deviceId-if-t.patch new file mode 100644 index 00000000000..d10f0193dac --- /dev/null +++ b/kde-misc/kdeconnect/files/kdeconnect-20.04.3-10-Do-not-replace-connections-for-a-given-deviceId-if-t.patch @@ -0,0 +1,58 @@ +From 48180b46552d40729a36b7431e97bbe2b5379306 Mon Sep 17 00:00:00 2001 +From: Albert Vaca Cintora <[email protected]> +Date: Thu, 24 Sep 2020 18:46:57 +0200 +Subject: [PATCH 10/10] Do not replace connections for a given deviceId if the + certs have changed + +Thanks Matthias Gerstner <[email protected]> for reporting this. +--- + core/backends/lan/landevicelink.cpp | 5 +++++ + core/backends/lan/landevicelink.h | 1 + + core/backends/lan/lanlinkprovider.cpp | 6 ++++++ + 3 files changed, 12 insertions(+) + +diff --git a/core/backends/lan/landevicelink.cpp b/core/backends/lan/landevicelink.cpp +index 8a65fb92..41af6f0e 100644 +--- a/core/backends/lan/landevicelink.cpp ++++ b/core/backends/lan/landevicelink.cpp +@@ -192,3 +192,8 @@ bool LanDeviceLink::linkShouldBeKeptAlive() { + //return (mConnectionSource == ConnectionStarted::Remotely || pairStatus() == Paired); + + } ++ ++QSslCertificate LanDeviceLink::certificate() const ++{ ++ return m_socketLineReader->peerCertificate(); ++} +diff --git a/core/backends/lan/landevicelink.h b/core/backends/lan/landevicelink.h +index 28f63db2..485c58b5 100644 +--- a/core/backends/lan/landevicelink.h ++++ b/core/backends/lan/landevicelink.h +@@ -56,6 +56,7 @@ public: + bool linkShouldBeKeptAlive() override; + + QHostAddress hostAddress() const; ++ QSslCertificate certificate() const; + + private Q_SLOTS: + void dataReceived(); +diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp +index f3d6801d..372cdc8f 100644 +--- a/core/backends/lan/lanlinkprovider.cpp ++++ b/core/backends/lan/lanlinkprovider.cpp +@@ -345,6 +345,12 @@ void LanLinkProvider::encrypted() + NetworkPacket* receivedPacket = m_receivedIdentityPackets[socket].np; + const QString& deviceId = receivedPacket->get<QString>(QStringLiteral("deviceId")); + ++ if (m_links.contains(deviceId) && m_links[deviceId]->certificate() != socket->peerCertificate()) { ++ socket->disconnectFromHost(); ++ qCWarning(KDECONNECT_CORE) << "Got connection for the same deviceId but certificates don't match. Ignoring " << deviceId; ++ return; ++ } ++ + addLink(deviceId, socket, receivedPacket, connectionOrigin); + + // Copied from tcpSocketConnected slot, now delete received packet +-- +2.28.0 + diff --git a/kde-misc/kdeconnect/kdeconnect-20.04.3-r1.ebuild b/kde-misc/kdeconnect/kdeconnect-20.04.3-r1.ebuild new file mode 100644 index 00000000000..1729d66f2f8 --- /dev/null +++ b/kde-misc/kdeconnect/kdeconnect-20.04.3-r1.ebuild @@ -0,0 +1,98 @@ +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +ECM_HANDBOOK="optional" +ECM_TEST="true" +KDE_ORG_NAME="${PN}-kde" +KDE_RELEASE_SERVICE="true" +KDE_SELINUX_MODULE="${PN}" +KFMIN=5.70.0 +QTMIN=5.14.2 +inherit ecm kde.org + +DESCRIPTION="Adds communication between KDE Plasma and your smartphone" +HOMEPAGE="https://kdeconnect.kde.org/ +https://kde.org/applications/en/kdeconnect.kcm"; + +LICENSE="GPL-2+" +SLOT="5" +KEYWORDS="~amd64 ~arm64 ~x86" +IUSE="bluetooth pulseaudio wayland X" + +DEPEND=" + >=app-crypt/qca-2.3.0:2[ssl] + >=dev-qt/qtdbus-${QTMIN}:5 + >=dev-qt/qtdeclarative-${QTMIN}:5 + >=dev-qt/qtgui-${QTMIN}:5 + >=dev-qt/qtmultimedia-${QTMIN}:5 + >=dev-qt/qtnetwork-${QTMIN}:5 + >=dev-qt/qtwidgets-${QTMIN}:5 + >=kde-frameworks/kcmutils-${KFMIN}:5 + >=kde-frameworks/kconfig-${KFMIN}:5 + >=kde-frameworks/kconfigwidgets-${KFMIN}:5 + >=kde-frameworks/kcoreaddons-${KFMIN}:5 + >=kde-frameworks/kdbusaddons-${KFMIN}:5 + >=kde-frameworks/ki18n-${KFMIN}:5 + >=kde-frameworks/kiconthemes-${KFMIN}:5 + >=kde-frameworks/kio-${KFMIN}:5 + >=kde-frameworks/kirigami-${KFMIN}:5 + >=kde-frameworks/knotifications-${KFMIN}:5 + >=kde-frameworks/kpeople-${KFMIN}:5 + >=kde-frameworks/kservice-${KFMIN}:5 + >=kde-frameworks/kwidgetsaddons-${KFMIN}:5 + >=kde-frameworks/plasma-${KFMIN}:5 + bluetooth? ( >=dev-qt/qtbluetooth-${QTMIN}:5 ) + X? ( + >=dev-qt/qtx11extras-${QTMIN}:5 + x11-libs/libfakekey + x11-libs/libX11 + x11-libs/libXtst + ) + pulseaudio? ( media-libs/pulseaudio-qt ) + wayland? ( >=kde-frameworks/kwayland-${KFMIN}:5 ) +" +RDEPEND="${DEPEND} + dev-libs/kpeoplevcard + >=dev-qt/qtgraphicaleffects-${QTMIN}:5 + >=dev-qt/qtquickcontrols2-${QTMIN}:5 + >=kde-frameworks/kdeclarative-${KFMIN}:5 + net-fs/sshfs +" + +RESTRICT+=" test" + +PATCHES=( + # CVE-2020-26164, bug 746401 + "${FILESDIR}"/${P}-01-Do-not-ignore-SSL-errors-except-for-self-signed-cert.patch + "${FILESDIR}"/${P}-02-Do-not-leak-the-local-user-in-the-device-name.patch + "${FILESDIR}"/${P}-03-Fix-use-after-free-in-LanLinkProvider-connectError.patch + "${FILESDIR}"/${P}-04-Limit-identity-packets-to-8KiB.patch + "${FILESDIR}"/${P}-05-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch + "${FILESDIR}"/${P}-06-Don-t-brute-force-reading-the-socket.patch + "${FILESDIR}"/${P}-07-Limit-number-of-connected-sockets-from-unpaired-devi.patch + "${FILESDIR}"/${P}-08-Do-not-remember-more-than-a-few-identity-packets-at-.patch + "${FILESDIR}"/${P}-09-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch + "${FILESDIR}"/${P}-10-Do-not-replace-connections-for-a-given-deviceId-if-t.patch +) + +src_configure() { + local mycmakeargs=( + -DBLUETOOTH_ENABLED=$(usex bluetooth) + $(cmake_use_find_package pulseaudio KF5PulseAudioQt) + $(cmake_use_find_package wayland KF5Wayland) + $(cmake_use_find_package X LibFakeKey) + ) + + ecm_src_configure +} + +pkg_postinst(){ + ecm_pkg_postinst + + elog "The Android .apk file is available via" + elog "https://play.google.com/store/apps/details?id=org.kde.kdeconnect_tp"; + elog "or via" + elog "https://f-droid.org/repository/browse/?fdid=org.kde.kdeconnect_tp"; +} diff --git a/kde-misc/kdeconnect/kdeconnect-20.08.1-r1.ebuild b/kde-misc/kdeconnect/kdeconnect-20.08.1-r1.ebuild new file mode 100644 index 00000000000..a43c4f2bd59 --- /dev/null +++ b/kde-misc/kdeconnect/kdeconnect-20.08.1-r1.ebuild @@ -0,0 +1,99 @@ +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +ECM_HANDBOOK="optional" +ECM_TEST="true" +KDE_ORG_NAME="${PN}-kde" +KDE_RELEASE_SERVICE="true" +KDE_SELINUX_MODULE="${PN}" +KFMIN=5.72.0 +QTMIN=5.14.2 +inherit ecm kde.org + +DESCRIPTION="Adds communication between KDE Plasma and your smartphone" +HOMEPAGE="https://kdeconnect.kde.org/ +https://kde.org/applications/en/kdeconnect.kcm"; + +LICENSE="GPL-2+" +SLOT="5" +KEYWORDS="~amd64 ~arm64 ~x86" +IUSE="bluetooth pulseaudio wayland X" + +DEPEND=" + >=app-crypt/qca-2.3.0:2[ssl] + >=dev-qt/qtdbus-${QTMIN}:5 + >=dev-qt/qtdeclarative-${QTMIN}:5 + >=dev-qt/qtgui-${QTMIN}:5 + >=dev-qt/qtmultimedia-${QTMIN}:5 + >=dev-qt/qtnetwork-${QTMIN}:5 + >=dev-qt/qtwidgets-${QTMIN}:5 + >=kde-frameworks/kcmutils-${KFMIN}:5 + >=kde-frameworks/kconfig-${KFMIN}:5 + >=kde-frameworks/kconfigwidgets-${KFMIN}:5 + >=kde-frameworks/kcoreaddons-${KFMIN}:5 + >=kde-frameworks/kdbusaddons-${KFMIN}:5 + >=kde-frameworks/ki18n-${KFMIN}:5 + >=kde-frameworks/kiconthemes-${KFMIN}:5 + >=kde-frameworks/kio-${KFMIN}:5 + >=kde-frameworks/kirigami-${KFMIN}:5 + >=kde-frameworks/knotifications-${KFMIN}:5 + >=kde-frameworks/kpeople-${KFMIN}:5 + >=kde-frameworks/kservice-${KFMIN}:5 + >=kde-frameworks/kwidgetsaddons-${KFMIN}:5 + >=kde-frameworks/plasma-${KFMIN}:5 + >=kde-frameworks/solid-${KFMIN}:5 + bluetooth? ( >=dev-qt/qtbluetooth-${QTMIN}:5 ) + X? ( + >=dev-qt/qtx11extras-${QTMIN}:5 + x11-libs/libfakekey + x11-libs/libX11 + x11-libs/libXtst + ) + pulseaudio? ( media-libs/pulseaudio-qt ) + wayland? ( >=kde-frameworks/kwayland-${KFMIN}:5 ) +" +RDEPEND="${DEPEND} + dev-libs/kpeoplevcard + >=dev-qt/qtgraphicaleffects-${QTMIN}:5 + >=dev-qt/qtquickcontrols2-${QTMIN}:5 + >=kde-frameworks/kdeclarative-${KFMIN}:5 + net-fs/sshfs +" + +RESTRICT+=" test" + +PATCHES=( + # CVE-2020-26164, bug 746401 + "${FILESDIR}"/${PN}-20.04.3-01-Do-not-ignore-SSL-errors-except-for-self-signed-cert.patch + "${FILESDIR}"/${PN}-20.04.3-02-Do-not-leak-the-local-user-in-the-device-name.patch + "${FILESDIR}"/${PN}-20.04.3-03-Fix-use-after-free-in-LanLinkProvider-connectError.patch + "${FILESDIR}"/${PN}-20.04.3-04-Limit-identity-packets-to-8KiB.patch + "${FILESDIR}"/${PN}-20.04.3-05-Do-not-let-lanlink-connections-stay-open-for-long-wi.patch + "${FILESDIR}"/${PN}-20.04.3-06-Don-t-brute-force-reading-the-socket.patch + "${FILESDIR}"/${PN}-20.04.3-07-Limit-number-of-connected-sockets-from-unpaired-devi.patch + "${FILESDIR}"/${PN}-20.04.3-08-Do-not-remember-more-than-a-few-identity-packets-at-.patch + "${FILESDIR}"/${PN}-20.04.3-09-Limit-the-ports-we-try-to-connect-to-to-the-port-ran.patch + "${FILESDIR}"/${PN}-20.04.3-10-Do-not-replace-connections-for-a-given-deviceId-if-t.patch +) + +src_configure() { + local mycmakeargs=( + -DBLUETOOTH_ENABLED=$(usex bluetooth) + $(cmake_use_find_package pulseaudio KF5PulseAudioQt) + $(cmake_use_find_package wayland KF5Wayland) + $(cmake_use_find_package X LibFakeKey) + ) + + ecm_src_configure +} + +pkg_postinst(){ + ecm_pkg_postinst + + elog "The Android .apk file is available via" + elog "https://play.google.com/store/apps/details?id=org.kde.kdeconnect_tp"; + elog "or via" + elog "https://f-droid.org/repository/browse/?fdid=org.kde.kdeconnect_tp"; +}
