Details

Reviewers

rakuco
mat

Group Reviewers

kde

Commits

rP440556: Add upstream fixes for CVE-2017-8422 to x11/kdelibs4 and devel/kf5-kauth
rP440555: Document kauth privilege escalation.

Summary

Import the patches from the following security advisory:

KDE Project Security Advisory
=============================
 
Title           kauth: Local privilege escalation
Risk Rating     High
CVE             CVE-2017-8422
Versions        kauth < 5.34, kdelibs < 4.14.32
Date            10 May 2017


Overview
========
KAuth contains a logic flaw in which the service invoking dbus
is not properly checked.

This allows spoofing the identity of the caller and with some
carefully crafted calls can lead to gaining root from an
unprivileged account.

Solution
========
Update to kauth >= 5.34 and kdelibs >= 4.14.32 (when released)

Or apply the following patches:
  kauth: https://commits.kde.org/kauth/df875f725293af53399f5146362eb158b4f9216a
kdelibs: https://commits.kde.org/kdelibs/264e97625abe2e0334f97de17f6ffb52582888ab

Credits
=======
Thanks to Sebastian Krahmer from SUSE for the report and
to Albert Astals Cid from KDE for the fix.

Diff Detail

Repository

rP FreeBSD ports repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

tcberner created this revision.May 10 2017, 9:39 AM

lgtm
don't forget to add the appropriate entries to vuln.xml first and reference their UUIDs in your commit message.

This revision is now accepted and ready to land.May 10 2017, 9:56 AM

I though I can leave the vuln.xml editing to someone else, and just set Security: CVE-2017-8422 in the commit?

It's good practice to do both if you can, otherwise you're basically relying on ports-secteam or someone else to do that, which may take long or not happen at all. Let me know if you need help with it.

Add vuxml magic.

This revision now requires review to proceed.May 10 2017, 10:49 AM

Correct kdelibs version. Ports has only 4.14.30.

Harbormaster completed remote builds in B9166: Diff 28193.May 10 2017, 10:51 AM

rakuco added inline comments.May 10 2017, 11:14 AM

security/vuxml/vuln.xml
86 ↗	(On Diff #28193)	The more references you have, the better. This flaw already has a CVE assigned, so you should add `<cvename>CVE-2017-8422</cvename>`. I like using Debian's security-tracker page because it contains links to several possible sources of information. For example, https://security-tracker.debian.org/tracker/CVE-2017-8422 has a working link to an oss-sec mailing list post you can reference using `<mlist>` tags.

Add cvename and mlist -- the mlist-entry does not appear in the make VID=.. html output -- should it?

lgtm
Remember to land the vuln.xml first, and then ask for an MFH to 2017Q2. As for mlist, I don't see anything wrong with it, so as long as it passes make validate it should be fine.

This revision is now accepted and ready to land.May 10 2017, 11:56 AM

Closed by commit rP440556: Add upstream fixes for CVE-2017-8422 to x11/kdelibs4 and devel/kf5-kauth (authored by tcberner). · Explain WhyMay 10 2017, 12:04 PM

This revision was automatically updated to reflect the committed changes.

Add patches for CVE-2017-8422 in x11/kdelibs4 and devel/kf5-kauth
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 28196

head/devel/kf5-kauth/Makefile

head/devel/kf5-kauth/files/patch-git_df875f7_CVE-2017-8422

head/x11/kdelibs4/Makefile

head/x11/kdelibs4/files/patch-git_264e976_CVE-2017-8422

Add patches for CVE-2017-8422 in x11/kdelibs4 and devel/kf5-kauthClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 28196

head/devel/kf5-kauth/Makefile

head/devel/kf5-kauth/files/patch-git_df875f7_CVE-2017-8422

head/x11/kdelibs4/Makefile

head/x11/kdelibs4/files/patch-git_264e976_CVE-2017-8422

Add patches for CVE-2017-8422 in x11/kdelibs4 and devel/kf5-kauth
ClosedPublic
Actions

Revision Contents
Changeset List