Add upstream fixes for CVE-2017-8422 to x11/kdelibs4 and devel/kf5-kauth

KAuth contains a logic flaw in which the service invoking dbus is not properly checked. This allows spoofing the identity of the caller and with some carefully crafted calls can lead to gaining root from an unprivileged account. https://www.kde.org/info/security/advisory-20170510-1.txt Reviewed by: rakuco Approved by: rakuco (mentor) Obtained from: https://www.kde.org/info/security/advisory-20170510-1.txt MFH: 2017Q2 Security: CVE-2017-8422 Differential Revision: https://reviews.freebsd.org/D10660
author: tcberner <tcberner@FreeBSD.org> 2017-05-10 12:03:58 +0000
committer: tcberner <tcberner@FreeBSD.org> 2017-05-10 12:03:58 +0000
commit: 55cfda373355a315a51dfbc26c7e9a608caa4029 (patch)
tree: 0c1b0462128d25f484a20237db9d8ef7573b18c0
parent: 99a4821511acd7243ef65a62b8859388e42e44d6 (diff)
download: FreeBSD-ports-55cfda373355a315a51dfbc26c7e9a608caa4029.zip
FreeBSD-ports-55cfda373355a315a51dfbc26c7e9a608caa4029.tar.gz
4 files changed, 400 insertions, 1 deletions
diff --git a/devel/kf5-kauth/Makefile b/devel/kf5-kauth/Makefile
index 50cf82f..0e19f51 100644
--- a/devel/kf5-kauth/Makefile
+++ b/devel/kf5-kauth/Makefile
@@ -3,6 +3,7 @@
 
 PORTNAME=	kauth
 PORTVERSION=	${KDE_FRAMEWORKS_VERSION}
+PORTREVISION=	1
 CATEGORIES=	devel kde kde-frameworks
 
 MAINTAINER=	kde@FreeBSD.org
diff --git a/devel/kf5-kauth/files/patch-git_df875f7_CVE-2017-8422 b/devel/kf5-kauth/files/patch-git_df875f7_CVE-2017-8422
new file mode 100644
index 0000000..ff19dcc
--- /dev/null
+++ b/devel/kf5-kauth/files/patch-git_df875f7_CVE-2017-8422
@@ -0,0 +1,198 @@
+From df875f725293af53399f5146362eb158b4f9216a Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 10 May 2017 10:03:45 +0200
+Subject: Verify that whoever is calling us is actually who he says he is
+
+CVE-2017-8422
+---
+ src/AuthBackend.cpp                         |  5 +++++
+ src/AuthBackend.h                           |  7 +++++++
+ src/backends/dbus/DBusHelperProxy.cpp       | 27 +++++++++++++++++++++++++--
+ src/backends/dbus/DBusHelperProxy.h         |  6 +++++-
+ src/backends/policykit/PolicyKitBackend.cpp |  5 +++++
+ src/backends/policykit/PolicyKitBackend.h   |  1 +
+ src/backends/polkit-1/Polkit1Backend.cpp    |  5 +++++
+ src/backends/polkit-1/Polkit1Backend.h      |  1 +
+ 8 files changed, 54 insertions(+), 3 deletions(-)
+
+diff --git a/src/AuthBackend.cpp b/src/AuthBackend.cpp
+index a41d4f1..a847494 100644
+--- src/AuthBackend.cpp
++++ src/AuthBackend.cpp
+@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities)
+     d->capabilities = capabilities;
+ }
+ 
++AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const
++{
++    return NoExtraCallerIDVerificationMethod;
++}
++
+ bool AuthBackend::actionExists(const QString &action)
+ {
+     Q_UNUSED(action);
+diff --git a/src/AuthBackend.h b/src/AuthBackend.h
+index c67a706..09195ef 100644
+--- src/AuthBackend.h
++++ src/AuthBackend.h
+@@ -43,6 +43,12 @@ public:
+     };
+     Q_DECLARE_FLAGS(Capabilities, Capability)
+ 
++    enum ExtraCallerIDVerificationMethod {
++        NoExtraCallerIDVerificationMethod,
++        VerifyAgainstDBusServiceName,
++        VerifyAgainstDBusServicePid,
++    };
++
+     AuthBackend();
+     virtual ~AuthBackend();
+     virtual void setupAction(const QString &action) = 0;
+@@ -50,6 +56,7 @@ public:
+     virtual Action::AuthStatus authorizeAction(const QString &action) = 0;
+     virtual Action::AuthStatus actionStatus(const QString &action) = 0;
+     virtual QByteArray callerID() const = 0;
++    virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0;
+     virtual bool actionExists(const QString &action);
+ 
+diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
+index 9c5cb96..3c1c108 100644
+--- src/backends/dbus/DBusHelperProxy.cpp
++++ src/backends/dbus/DBusHelperProxy.cpp
+@@ -235,6 +235,29 @@ bool DBusHelperProxy::hasToStopAction()
+     return m_stopRequest;
+ }
+ 
++bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID)
++{
++    // Check the caller is really who it says it is
++    switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) {
++        case AuthBackend::NoExtraCallerIDVerificationMethod:
++        break;
++
++        case AuthBackend::VerifyAgainstDBusServiceName:
++            if (message().service().toUtf8() != callerID) {
++                return false;
++            }
++        break;
++
++        case AuthBackend::VerifyAgainstDBusServicePid:
++            if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) {
++                return false;
++            }
++        break;
++    }
++
++    return BackendsManager::authBackend()->isCallerAuthorized(action, callerID);
++}
++
+ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments)
+ {
+     if (!responder) {
+@@ -259,7 +282,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+     QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
+     timer->stop();
+ 
+-    if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++    if (isCallerAuthorized(action, callerID)) {
+         QString slotname = action;
+         if (slotname.startsWith(m_name + QLatin1Char('.'))) {
+             slotname = slotname.right(slotname.length() - m_name.length() - 1);
+@@ -301,7 +324,7 @@ uint DBusHelperProxy::authorizeAction(const QString &action, const QByteArray &c
+     QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
+     timer->stop();
+ 
+-    if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++    if (isCallerAuthorized(action, callerID)) {
+         retVal = static_cast<uint>(Action::AuthorizedStatus);
+     } else {
+         retVal = static_cast<uint>(Action::DeniedStatus);
+diff --git a/src/backends/dbus/DBusHelperProxy.h b/src/backends/dbus/DBusHelperProxy.h
+index 52b0ac4..82cec5a 100644
+--- src/backends/dbus/DBusHelperProxy.h
++++ src/backends/dbus/DBusHelperProxy.h
+@@ -25,12 +25,13 @@
+ #include "kauthactionreply.h"
+ 
+ #include <QDBusConnection>
++#include <QDBusContext>
+ #include <QVariant>
+ 
+ namespace KAuth
+ {
+ 
+-class DBusHelperProxy : public HelperProxy
++class DBusHelperProxy : public HelperProxy, protected QDBusContext
+ {
+     Q_OBJECT
+     Q_PLUGIN_METADATA(IID "org.kde.DBusHelperProxy")
+@@ -79,6 +80,9 @@ Q_SIGNALS:
+ 
+ private Q_SLOTS:
+     void remoteSignalReceived(int type, const QString &action, QByteArray blob);
++
++private:
++    bool isCallerAuthorized(const QString &action, const QByteArray &callerID);
+ };
+ 
+ } // namespace Auth
+diff --git a/src/backends/policykit/PolicyKitBackend.cpp b/src/backends/policykit/PolicyKitBackend.cpp
+index c2b4d42..bf038a8 100644
+--- src/backends/policykit/PolicyKitBackend.cpp
++++ src/backends/policykit/PolicyKitBackend.cpp
+@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const
+     return a;
+ }
+ 
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++    return VerifyAgainstDBusServicePid;
++}
++
+ bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+     QDataStream s(&callerID, QIODevice::ReadOnly);
+diff --git a/src/backends/policykit/PolicyKitBackend.h b/src/backends/policykit/PolicyKitBackend.h
+index eb17a3a..38b0240 100644
+--- src/backends/policykit/PolicyKitBackend.h
++++ src/backends/policykit/PolicyKitBackend.h
+@@ -40,6 +40,7 @@ public:
+     virtual Action::AuthStatus authorizeAction(const QString &);
+     virtual Action::AuthStatus actionStatus(const QString &);
+     virtual QByteArray callerID() const;
++    ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
+     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+ 
+ private Q_SLOTS:
+diff --git a/src/backends/polkit-1/Polkit1Backend.cpp b/src/backends/polkit-1/Polkit1Backend.cpp
+index 78ee5bb..774588c 100644
+--- src/backends/polkit-1/Polkit1Backend.cpp
++++ src/backends/polkit-1/Polkit1Backend.cpp
+@@ -162,6 +162,11 @@ QByteArray Polkit1Backend::callerID() const
+         return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+ 
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++    return VerifyAgainstDBusServiceName;
++}
++
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+     PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+diff --git a/src/backends/polkit-1/Polkit1Backend.h b/src/backends/polkit-1/Polkit1Backend.h
+index d7d1e3a..2357892 100644
+--- src/backends/polkit-1/Polkit1Backend.h
++++ src/backends/polkit-1/Polkit1Backend.h
+@@ -49,6 +49,7 @@ public:
+     Action::AuthStatus authorizeAction(const QString &) Q_DECL_OVERRIDE;
+     Action::AuthStatus actionStatus(const QString &) Q_DECL_OVERRIDE;
+     QByteArray callerID() const Q_DECL_OVERRIDE;
++    ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
+     bool isCallerAuthorized(const QString &action, QByteArray callerID) Q_DECL_OVERRIDE;
+     bool actionExists(const QString &action) Q_DECL_OVERRIDE;
+ 
+-- 
+cgit v0.11.2
+
diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile
index f233807..8942f63 100644
--- a/x11/kdelibs4/Makefile
+++ b/x11/kdelibs4/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME=	kdelibs
 PORTVERSION=	${KDE4_KDELIBS_VERSION}
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	x11 kde kde-applications
 
 MAINTAINER=	kde@FreeBSD.org
diff --git a/x11/kdelibs4/files/patch-git_264e976_CVE-2017-8422 b/x11/kdelibs4/files/patch-git_264e976_CVE-2017-8422
new file mode 100644
index 0000000..e2ed5bb
--- /dev/null
+++ b/x11/kdelibs4/files/patch-git_264e976_CVE-2017-8422
@@ -0,0 +1,200 @@
+From 264e97625abe2e0334f97de17f6ffb52582888ab Mon Sep 17 00:00:00 2001
+From: Albert Ast/.als Cid <aacid@kde.org>
+Date: Wed, 10 May 2017 10:06:07 +0200
+Subject: Verify that whoever is calling us is actually who he says he is
+
+CVE-2017-8422
+---
+ kdecore/auth/AuthBackend.cpp                       |  5 ++++
+ kdecore/auth/AuthBackend.h                         |  7 ++++++
+ kdecore/auth/backends/dbus/DBusHelperProxy.cpp     | 27 ++++++++++++++++++++--
+ kdecore/auth/backends/dbus/DBusHelperProxy.h       |  6 ++++-
+ .../auth/backends/policykit/PolicyKitBackend.cpp   |  5 ++++
+ kdecore/auth/backends/policykit/PolicyKitBackend.h |  1 +
+ kdecore/auth/backends/polkit-1/Polkit1Backend.cpp  |  5 ++++
+ kdecore/auth/backends/polkit-1/Polkit1Backend.h    |  1 +
+ 8 files changed, 54 insertions(+), 3 deletions(-)
+
+diff --git a/kdecore/auth/AuthBackend.cpp b/kdecore/auth/AuthBackend.cpp
+index c953b81..0ba4650 100644
+--- kdecore/auth/AuthBackend.cpp
++++ kdecore/auth/AuthBackend.cpp
+@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities)
+     d->capabilities = capabilities;
+ }
+ 
++AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const
++{
++    return NoExtraCallerIDVerificationMethod;
++}
++
+ bool AuthBackend::actionExists(const QString& action)
+ {
+     Q_UNUSED(action);
+diff --git a/kdecore/auth/AuthBackend.h b/kdecore/auth/AuthBackend.h
+index a86732e..6f4b1bc 100644
+--- kdecore/auth/AuthBackend.h
++++ kdecore/auth/AuthBackend.h
+@@ -43,6 +43,12 @@ public:
+     };
+     Q_DECLARE_FLAGS(Capabilities, Capability)
+ 
++    enum ExtraCallerIDVerificationMethod {
++        NoExtraCallerIDVerificationMethod,
++        VerifyAgainstDBusServiceName,
++        VerifyAgainstDBusServicePid,
++    };
++
+     AuthBackend();
+     virtual ~AuthBackend();
+     virtual void setupAction(const QString &action) = 0;
+@@ -50,6 +56,7 @@ public:
+     virtual Action::AuthStatus authorizeAction(const QString &action) = 0;
+     virtual Action::AuthStatus actionStatus(const QString &action) = 0;
+     virtual QByteArray callerID() const = 0;
++    virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0;
+     virtual bool actionExists(const QString &action);
+ 
+diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.cpp b/kdecore/auth/backends/dbus/DBusHelperProxy.cpp
+index 9557a0f..ca59f1c 100644
+--- kdecore/auth/backends/dbus/DBusHelperProxy.cpp
++++ kdecore/auth/backends/dbus/DBusHelperProxy.cpp
+@@ -271,6 +271,29 @@ void DBusHelperProxy::performActions(QByteArray blob, const QByteArray &callerID
+     }
+ }
+ 
++bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID)
++{
++    // Check the caller is really who it says it is
++    switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) {
++        case AuthBackend::NoExtraCallerIDVerificationMethod:
++        break;
++
++        case AuthBackend::VerifyAgainstDBusServiceName:
++            if (message().service().toUtf8() != callerID) {
++                return false;
++            }
++        break;
++
++        case AuthBackend::VerifyAgainstDBusServicePid:
++            if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) {
++                return false;
++            }
++        break;
++    }
++
++    return BackendsManager::authBackend()->isCallerAuthorized(action, callerID);
++}
++
+ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments)
+ {
+     if (!responder) {
+@@ -295,7 +318,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+     QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>();
+     timer->stop();
+ 
+-    if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++    if (isCallerAuthorized(action, callerID)) {
+         QString slotname = action;
+         if (slotname.startsWith(m_name + QLatin1Char('.'))) {
+             slotname = slotname.right(slotname.length() - m_name.length() - 1);
+@@ -338,7 +361,7 @@ uint DBusHelperProxy::authorizeAction(const QString& action, const QByteArray& c
+     QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>();
+     timer->stop();
+ 
+-    if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++    if (isCallerAuthorized(action, callerID)) {
+         retVal = static_cast<uint>(Action::Authorized);
+     } else {
+         retVal = static_cast<uint>(Action::Denied);
+diff --git a/kdecore/auth/backends/dbus/DBusHelperProxy.h b/kdecore/auth/backends/dbus/DBusHelperProxy.h
+index 455cf51..264f6cc 100644
+--- kdecore/auth/backends/dbus/DBusHelperProxy.h
++++ kdecore/auth/backends/dbus/DBusHelperProxy.h
+@@ -21,6 +21,7 @@
+ #ifndef DBUS_HELPER_PROXY_H
+ #define DBUS_HELPER_PROXY_H
+ 
++#include <QDBusContext>
+ #include <QVariant>
+ #include "HelperProxy.h"
+ #include "kauthactionreply.h"
+@@ -28,7 +29,7 @@
+ namespace KAuth
+ {
+ 
+-class DBusHelperProxy : public HelperProxy
++class DBusHelperProxy : public HelperProxy, protected QDBusContext
+ {
+     Q_OBJECT
+     Q_INTERFACES(KAuth::HelperProxy)
+@@ -73,6 +74,9 @@ signals:
+ 
+ private slots:
+     void remoteSignalReceived(int type, const QString &action, QByteArray blob);
++
++private:
++    bool isCallerAuthorized(const QString &action, const QByteArray &callerID);
+ };
+ 
+ } // namespace Auth
+diff --git a/kdecore/auth/backends/policykit/PolicyKitBackend.cpp b/kdecore/auth/backends/policykit/PolicyKitBackend.cpp
+index 3be97f2..9d041d1 100644
+--- kdecore/auth/backends/policykit/PolicyKitBackend.cpp
++++ kdecore/auth/backends/policykit/PolicyKitBackend.cpp
+@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const
+     return a;
+ }
+ 
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++    return VerifyAgainstDBusServicePid;
++}
++
+ bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+     QDataStream s(&callerID, QIODevice::ReadOnly);
+diff --git a/kdecore/auth/backends/policykit/PolicyKitBackend.h b/kdecore/auth/backends/policykit/PolicyKitBackend.h
+index 7154e93..0d3d8f9 100644
+--- kdecore/auth/backends/policykit/PolicyKitBackend.h
++++ kdecore/auth/backends/policykit/PolicyKitBackend.h
+@@ -40,6 +40,7 @@ public:
+     virtual Action::AuthStatus authorizeAction(const QString&);
+     virtual Action::AuthStatus actionStatus(const QString&);
+     virtual QByteArray callerID() const;
++    virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+ 
+ private Q_SLOTS:
+diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+index 732d2cb..63c0e1e 100644
+--- kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
++++ kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+@@ -163,6 +163,11 @@ QByteArray Polkit1Backend::callerID() const
+     return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+ 
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++{
++    return VerifyAgainstDBusServiceName;
++}
++
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+     PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.h b/kdecore/auth/backends/polkit-1/Polkit1Backend.h
+index 18ed1a2..d579da2 100644
+--- kdecore/auth/backends/polkit-1/Polkit1Backend.h
++++ kdecore/auth/backends/polkit-1/Polkit1Backend.h
+@@ -48,6 +48,7 @@ public:
+     virtual Action::AuthStatus authorizeAction(const QString&);
+     virtual Action::AuthStatus actionStatus(const QString&);
+     virtual QByteArray callerID() const;
++    virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+     virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+     virtual bool actionExists(const QString& action);
+ 
+-- 
+cgit v0.11.2
+
author	tcberner <tcberner@FreeBSD.org>	2017-05-10 12:03:58 +0000
committer	tcberner <tcberner@FreeBSD.org>	2017-05-10 12:03:58 +0000
commit	55cfda373355a315a51dfbc26c7e9a608caa4029 (patch)
tree	0c1b0462128d25f484a20237db9d8ef7573b18c0
parent	99a4821511acd7243ef65a62b8859388e42e44d6 (diff)
download	FreeBSD-ports-55cfda373355a315a51dfbc26c7e9a608caa4029.zip FreeBSD-ports-55cfda373355a315a51dfbc26c7e9a608caa4029.tar.gz