Page MenuHomeFreeBSD

Add patches for CVE-2017-8422 in x11/kdelibs4 and devel/kf5-kauth
ClosedPublic

Authored by tcberner on May 10 2017, 9:39 AM.

Details

Summary

Import the patches from the following security advisory:

KDE Project Security Advisory
=============================
 
Title           kauth: Local privilege escalation
Risk Rating     High
CVE             CVE-2017-8422
Versions        kauth < 5.34, kdelibs < 4.14.32
Date            10 May 2017


Overview
========
KAuth contains a logic flaw in which the service invoking dbus
is not properly checked.

This allows spoofing the identity of the caller and with some
carefully crafted calls can lead to gaining root from an
unprivileged account.

Solution
========
Update to kauth >= 5.34 and kdelibs >= 4.14.32 (when released)

Or apply the following patches:
  kauth: https://commits.kde.org/kauth/df875f725293af53399f5146362eb158b4f9216a
kdelibs: https://commits.kde.org/kdelibs/264e97625abe2e0334f97de17f6ffb52582888ab

Credits
=======
Thanks to Sebastian Krahmer from SUSE for the report and
to Albert Astals Cid from KDE for the fix.

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

lgtm
don't forget to add the appropriate entries to vuln.xml first and reference their UUIDs in your commit message.

This revision is now accepted and ready to land.May 10 2017, 9:56 AM

I though I can leave the vuln.xml editing to someone else, and just set Security: CVE-2017-8422 in the commit?

It's good practice to do both if you can, otherwise you're basically relying on ports-secteam or someone else to do that, which may take long or not happen at all. Let me know if you need help with it.

tcberner edited edge metadata.

Add vuxml magic.

This revision now requires review to proceed.May 10 2017, 10:49 AM

Correct kdelibs version. Ports has only 4.14.30.

security/vuxml/vuln.xml
86 ↗(On Diff #28193)

The more references you have, the better. This flaw already has a CVE assigned, so you should add <cvename>CVE-2017-8422</cvename>.

I like using Debian's security-tracker page because it contains links to several possible sources of information. For example, https://security-tracker.debian.org/tracker/CVE-2017-8422 has a working link to an oss-sec mailing list post you can reference using <mlist> tags.

Add cvename and mlist -- the mlist-entry does not appear in the make VID=.. html output -- should it?

lgtm
Remember to land the vuln.xml first, and then ask for an MFH to 2017Q2. As for mlist, I don't see anything wrong with it, so as long as it passes make validate it should be fine.

This revision is now accepted and ready to land.May 10 2017, 11:56 AM
This revision was automatically updated to reflect the committed changes.