authorRepository QA checks <>2017-05-10 18:41:48 +0000
committerRepository QA checks <>2017-05-10 18:41:48 +0000
commitb06b3c70dd6a45556e789f6a5ebe0a3dd949c6b1 (patch)
parent2017-05-10 18:22:10 UTC (diff)
parentapp-admin/puppet-agent: add experimental support for the better puppet portag... (diff)
Merge updates from master
-rw-r--r--kde-frameworks/kauth/kauth-5.33.0-r1.ebuild (renamed from kde-frameworks/kauth/kauth-5.33.0.ebuild)2
6 files changed, 630 insertions, 1 deletions
diff --git a/app-admin/puppet-agent/files/43e2c935252b995134ce353e5e6312cf77aea480.patch b/app-admin/puppet-agent/files/43e2c935252b995134ce353e5e6312cf77aea480.patch
new file mode 100644
index 000000000000..619c5dd68cba
--- /dev/null
+++ b/app-admin/puppet-agent/files/43e2c935252b995134ce353e5e6312cf77aea480.patch
@@ -0,0 +1,329 @@
+diff --git a/lib/puppet/provider/package/portage.rb b/lib/puppet/provider/package/portage.rb
+index 374667c..12160c6 100644
+--- a/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/provider/package/portage.rb
++++ b/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/provider/package/portage.rb
+@@ -2,14 +2,19 @@
+ require 'fileutils'
+ Puppet::Type.type(:package).provide :portage, :parent => Puppet::Provider::Package do
+- desc "Provides packaging support for Gentoo's portage system."
++ desc "Provides packaging support for Gentoo's portage system.
+- has_features :versionable, :reinstallable
++ This provider supports the `install_options` and `uninstall_options` attributes, which allows command-line
++ flags to be passed to emerge. These options should be specified as a string (e.g. '--flag'), a hash
++ (e.g. {'--flag' => 'value'}), or an array where each element is either a string or a hash."
++ has_features :install_options, :purgeable, :reinstallable, :uninstall_options, :versionable, :virtual_packages
+ {
+- :emerge => "/usr/bin/emerge",
+- :eix => "/usr/bin/eix",
+- :update_eix => "/usr/bin/eix-update",
++ :emerge => '/usr/bin/emerge',
++ :eix => '/usr/bin/eix',
++ :qatom_bin => '/usr/bin/qatom',
++ :update_eix => '/usr/bin/eix-update',
+ }.each_pair do |name, path|
+ has_command(name, path) do
+ environment :HOME => '/'
+@@ -24,15 +29,18 @@ def self.instances
+ result_format = self.eix_result_format
+ result_fields = self.eix_result_fields
++ limit = self.eix_limit
+ version_format = self.eix_version_format
+ slot_versions_format = self.eix_slot_versions_format
++ installed_versions_format = self.eix_installed_versions_format
++ installable_versions_format = self.eix_install_versions_format
+ begin
+- eix_file ="/var/cache/eix") ? "/var/cache/eix/portage.eix" : "/var/cache/eix"
++ eix_file ='/var/cache/eix') ? '/var/cache/eix/portage.eix' : '/var/cache/eix'
+ update_eix if !FileUtils.uptodate?(eix_file, %w{/usr/bin/eix /usr/portage/metadata/timestamp})
+ search_output = nil
+- Puppet::Util.withenv :LASTVERSION => version_format, :LASTSLOTVERSIONS => slot_versions_format do
+- search_output = eix *(self.eix_search_arguments + ["--installed"])
++ Puppet::Util.withenv :EIX_LIMIT => limit, :LASTVERSION => version_format, :LASTSLOTVERSIONS => slot_versions_format, :INSTALLEDVERSIONS => installed_versions_format, :STABLEVERSIONS => installable_versions_format do
++ search_output = eix *(self.eix_search_arguments + ['--installed'])
+ end
+ packages = []
+@@ -57,65 +65,123 @@ def self.instances
+ def install
+ should = @resource.should(:ensure)
+- name = package_name
+- unless should == :present or should == :latest
+- # We must install a specific version
+- name = package_atom_with_version(should)
++ cmd = %w{}
++ name = qatom[:category] ? "#{qatom[:category]}/#{qatom[:pn]}" : qatom[:pn]
++ name = qatom[:pfx] + name if qatom[:pfx]
++ name = name + '-' + qatom[:pv] if qatom[:pv]
++ name = name + '-' + qatom[:pr] if qatom[:pr]
++ name = name + qatom[:slot] if qatom[:slot]
++ cmd << '--update' if [:latest].include?(should)
++ cmd += install_options if @resource[:install_options]
++ cmd << name
++ emerge *cmd
++ end
++ def uninstall
++ should = @resource.should(:ensure)
++ cmd = %w{--rage-clean}
++ name = qatom[:category] ? "#{qatom[:category]}/#{qatom[:pn]}" : qatom[:pn]
++ name = qatom[:pfx] + name if qatom[:pfx]
++ name = name + '-' + qatom[:pv] if qatom[:pv]
++ name = name + '-' + qatom[:pr] if qatom[:pr]
++ name = name + qatom[:slot] if qatom[:slot]
++ cmd += uninstall_options if @resource[:uninstall_options]
++ cmd << name
++ if [:purged].include?(should)
++ Puppet::Util.withenv :CONFIG_PROTECT => "-*" do
++ emerge *cmd
++ end
++ else
++ emerge *cmd
+ end
+- emerge name
+ end
+- # The common package name format.
+- def package_name
+- @resource[:category] ? "#{@resource[:category]}/#{@resource[:name]}" : @resource[:name]
++ def reinstall
++ self.install
+ end
+- def package_name_without_slot
+- package_name.sub(self.class.slot_pattern, '')
++ def update
++ self.install
+ end
+- def package_slot
+- if match = package_name.match(self.class.slot_pattern)
+- match[1]
++ def qatom
++ output_format = self.qatom_output_format
++ result_format = self.qatom_result_format
++ result_fields = self.qatom_result_fields
++ @atom ||= begin
++ search_output = nil
++ package_info = {}
++ # do the search
++ search_output = qatom_bin *([@resource[:name], '--format', output_format])
++ # verify if the search found anything
++ match = result_format.match(search_output)
++ if match
++ do |field, value|
++ # some fields can be empty or (null) (if we are not passed a category in the package name for instance)
++ if value == '(null)'
++ package_info[field] = nil
++ elsif !value or value.empty?
++ package_info[field] = nil
++ else
++ package_info[field] = value
++ end
++ end
++ end
++ @atom = package_info
++ rescue Puppet::ExecutionFailure => detail
++ raise
+ end
+ end
+- def package_atom_with_version(version)
+- if slot = package_slot
+- "=#{package_name_without_slot}-#{version}:#{package_slot}"
+- else
+- "=#{package_name}-#{version}"
+- end
++ def qatom_output_format
++ '"[%{CATEGORY}] [%{PN}] [%{PV}] [%[PR]] [%[SLOT]] [%[pfx]] [%[sfx]]"'
+ end
+- def uninstall
+- emerge "--unmerge", package_name
++ def qatom_result_format
++ /^\"\[(\S*)\]\s+\[(\S*)\]\s+\[(\S*)\]\s+\[(\S*)\]\s+\[(\S*)\]\s+\[(\S*)\]\s+\[(\S*)\](.*)\"$/
+ end
+- def reinstall
+- self.install
++ def qatom_result_fields
++ [:category, :pn, :pv, :pr, :slot, :pfx, :sfx]
+ end
+- def update
+- self.install
++ def self.get_sets
++ @sets ||= begin
++ @sets = emerge *(['--list-sets'])
++ end
+ end
+ def query
++ limit = self.class.eix_limit
+ result_format = self.class.eix_result_format
+ result_fields = self.class.eix_result_fields
+ version_format = self.class.eix_version_format
+ slot_versions_format = self.class.eix_slot_versions_format
+- search_field = package_name_without_slot.count('/') > 0 ? "--category-name" : "--name"
+- search_value = package_name_without_slot
++ installed_versions_format = self.class.eix_installed_versions_format
++ installable_versions_format = self.class.eix_install_versions_format
++ search_field = qatom[:category] ? '--category-name' : '--name'
++ search_value = qatom[:category] ? "#{qatom[:category]}/#{qatom[:pn]}" : qatom[:pn]
++ @eix_result ||= begin
++ # package sets
++ package_sets = []
++ self.class.get_sets.each_line do |package_set|
++ package_sets << package_set.to_s.strip
++ end
+- begin
+- eix_file ="/var/cache/eix") ? "/var/cache/eix/portage.eix" : "/var/cache/eix"
++ if @resource[:name].match(/^@/)
++ if package_sets.include?(@resource[:name][1..-1].to_s)
++ return({:name => "#{@resource[:name]}", :ensure => '9999', :version_available => nil, :installed_versions => nil, :installable_versions => "9999,"})
++ end
++ end
++ eix_file ='/var/cache/eix') ? '/var/cache/eix/portage.eix' : '/var/cache/eix'
+ update_eix if !FileUtils.uptodate?(eix_file, %w{/usr/bin/eix /usr/portage/metadata/timestamp})
+ search_output = nil
+- Puppet::Util.withenv :LASTVERSION => version_format, :LASTSLOTVERSIONS => slot_versions_format do
+- search_output = eix *(self.class.eix_search_arguments + ["--exact",search_field,search_value])
++ Puppet::Util.withenv :EIX_LIMIT => limit, :LASTVERSION => version_format, :LASTSLOTVERSIONS => slot_versions_format, :INSTALLEDVERSIONS => installed_versions_format, :STABLEVERSIONS => installable_versions_format do
++ search_output = eix *(self.class.eix_search_arguments + ['--exact',search_field,search_value])
+ end
+ packages = []
+@@ -127,10 +193,19 @@ def query
+ do |field, value|
+ package[field] = value unless !value or value.empty?
+ end
+- if package_slot
+- package[:version_available] = eix_get_version_for_slot(package[:slot_versions_available], package_slot)
+- package[:ensure] = eix_get_version_for_slot(package[:installed_slots], package_slot)
++ # dev-lang python [3.4.5] [3.5.2] [2.7.12:2.7,3.4.5:3.4] [2.7.12:2.7,3.4.5:3.4,3.5.2:3.5] An interpreted, interactive, object-oriented programming language
++ # version_available is what we CAN install / update to
++ # ensure is what is currently installed
++ # This DOES NOT choose to install/upgrade or not, just provides current info
++ # prefer checking versions to slots as versions are finer grained
++ if qatom[:pv]
++ package[:version_available] = eix_get_version_for_versions(package[:installable_versions], qatom[:pv])
++ package[:ensure] = eix_get_version_for_versions(package[:installed_versions], qatom[:pv])
++ elsif qatom[:slot]
++ package[:version_available] = eix_get_version_for_slot(package[:slot_versions_available], qatom[:slot])
++ package[:ensure] = eix_get_version_for_slot(package[:installed_slots], qatom[:slot])
+ end
+ package[:ensure] = package[:ensure] ? package[:ensure] : :absent
+ packages << package
+ end
+@@ -138,10 +213,9 @@ def query
+ case packages.size
+ when 0
+- not_found_value = "#{@resource[:category] ? @resource[:category] : "<unspecified category>"}/#{@resource[:name]}"
+- raise"No package found with the specified name [#{not_found_value}]")
++ raise"No package found with the specified name [#{@resource[:name]}]")
+ when 1
+- return packages[0]
++ @eix_result = packages[0]
+ else
+ raise"More than one package with the specified name [#{search_value}], please use the category parameter to disambiguate")
+ end
+@@ -155,39 +229,73 @@ def latest
+ end
+ private
++ def eix_get_version_for_versions(versions, target)
++ # [2.7.10-r1,2.7.12,3.4.3-r1,3.4.5,3.5.2] 3.5.2
++ return nil if versions.nil?
++ versions = versions.split(',')
++ # [2.7.10-r1 2.7.12 3.4.3-r1 3.4.5 3.5.2]
++ versions.find { |version| version == target }
++ # 3.5.2
++ end
++ private
+ def eix_get_version_for_slot(versions_and_slots, slot)
++ # [2.7.12:2.7 3.4.5:3.4 3.5.2:3.5] 3.5
+ return nil if versions_and_slots.nil?
+- versions_and_slots = versions_and_slots.split(",")
+-! { |version_and_slot| version_and_slot.split(":") }
+- version_for_slot = versions_and_slots.find { |version_and_slot| version_and_slot.last == slot }
++ versions_and_slots = versions_and_slots.split(',')
++ # [2.7.12:2.7 3.4.5:3.4 3.5.2:3.5]
++! { |version_and_slot| version_and_slot.split(':') }
++ # [2.7.12: 2.7
++ # 3.4.5: 3.4
++ # 3.5.2: 3.5]
++ version_for_slot = versions_and_slots.find { |version_and_slot| version_and_slot.last == slot[1..-1] }
++ # [3.5.2: 3.5]
+ version_for_slot.first if version_for_slot
+- end
+- def self.slot_pattern
+- /:([\w+.\/*=-]+)$/
++ # 3.5.2
+ end
+ def self.eix_search_format
+- "'<category> <name> [<installedversions:LASTVERSION>] [<bestversion:LASTVERSION>] [<installedversions:LASTSLOTVERSIONS>] [<bestslotversions:LASTSLOTVERSIONS>] <homepage> <description>\n'"
++ "'<category> <name> [<installedversions:LASTVERSION>] [<bestversion:LASTVERSION>] [<installedversions:LASTSLOTVERSIONS>] [<installedversions:INSTALLEDVERSIONS>] [<availableversions:STABLEVERSIONS>] [<bestslotversions:LASTSLOTVERSIONS>] <homepage> <description>\n'"
+ end
+ def self.eix_result_format
+- /^(\S+)\s+(\S+)\s+\[(\S*)\]\s+\[(\S*)\]\s+\[(\S*)\]\s+\[(\S*)\]\s+(\S+)\s+(.*)$/
++ /^(\S+)\s+(\S+)\s+\[(\S*)\]\s+\[(\S*)\]\s+\[(\S*)\]\s+\[(\S*)\]\s+\[(\S*)\]\s+\[(\S*)\]\s+(\S+)\s+(.*)$/
+ end
+ def self.eix_result_fields
+- [:category, :name, :ensure, :version_available, :installed_slots, :slot_versions_available, :vendor, :description]
++ # ensure:[3.4.5], version_available:[3.5.2], installed_slots:[2.7.12:2.7,3.4.5:3.4], installable_versions:[2.7.10-r1,2.7.12,3.4.3-r1,3.4.5,3.5.2] slot_versions_available:[2.7.12:2.7,3.4.5:3.4,3.5.2:3.5]
++ [:category, :name, :ensure, :version_available, :installed_slots, :installed_versions, :installable_versions, :slot_versions_available, :vendor, :description]
+ end
+ def self.eix_version_format
+- "{last}<version>{}"
++ '{last}<version>{}'
+ end
+ def self.eix_slot_versions_format
+- "{!first},{}<version>:<slot>"
++ '{!first},{}<version>:<slot>'
++ end
++ def self.eix_installed_versions_format
++ '{!first},{}<version>'
++ end
++ def self.eix_install_versions_format
++ '{!first}{!last},{}{}{isstable}<version>{}'
++ end
++ def self.eix_limit
++ '0'
+ end
+ def self.eix_search_arguments
+- ["--nocolor", "--pure-packages", "--format",self.eix_search_format]
++ ['--nocolor', '--pure-packages', '--format', self.eix_search_format]
++ end
++ def install_options
++ join_options(@resource[:install_options])
++ end
++ def uninstall_options
++ join_options(@resource[:uninstall_options])
+ end
+ end
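Review bot: `install` and `uninstall` build the atom from `qatom` without checking that parsing succeeded: when `qatom_result_format` does not match, `package_info` stays `{}`, `qatom[:pn]` is nil, and `cmd << name` appends nil to the emerge argument list. In `uninstall` that list starts with `--rage-clean` and may carry `uninstall_options` from the manifest, and the `:purged` branch also sets `CONFIG_PROTECT` to `-*`, so an unparsed name should be refused up front rather than left for emerge to interpret. I would fail closed in `qatom` right after the match block, e.g. `raise Puppet::Error, "Could not parse package name [#{@resource[:name]}]" unless package_info[:pn]`. The `rescue Puppet::ExecutionFailure => detail` followed by a bare `raise` only re-raises and can be dropped, and the `return(...)` inside `@eix_result ||= begin` in `query` leaves the memo unset for package sets.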
diff --git a/app-admin/puppet-agent/metadata.xml b/app-admin/puppet-agent/metadata.xml
index aef6ae7f136c..423c18e429e6 100644
--- a/app-admin/puppet-agent/metadata.xml
+++ b/app-admin/puppet-agent/metadata.xml
@@ -7,6 +7,7 @@
<flag name="puppetdb">Adds puppetdb support</flag>
+ <flag name="experimental">Add patches for things in testing</flag>
<longdescription lang="en">
Collection of puppet utils, clients and batteries included.
diff --git a/app-admin/puppet-agent/puppet-agent-1.10.0-r1.ebuild b/app-admin/puppet-agent/puppet-agent-1.10.0-r1.ebuild
new file mode 100644
index 000000000000..669892ac4a97
--- /dev/null
+++ b/app-admin/puppet-agent/puppet-agent-1.10.0-r1.ebuild
@@ -0,0 +1,111 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+inherit eutils systemd unpacker user
+DESCRIPTION="general puppet client utils along with mcollective hiera and facter"
+ amd64? ( ${SRC_BASE}_amd64.deb )
+ x86? ( ${SRC_BASE}_i386.deb )
+KEYWORDS="~amd64 ~x86"
+IUSE="experimental puppetdb selinux"
+ !app-admin/mcollective
+ !app-admin/puppet
+ !dev-ruby/hiera
+ !dev-ruby/facter
+ !app-emulation/virt-what"
+ app-portage/eix
+ sys-apps/dmidecode
+ sys-libs/glibc
+ >=sys-libs/readline-6.0
+ <sys-libs/readline-7.0
+ selinux? (
+ sys-libs/libselinux[ruby]
+ sec-policy/selinux-puppet
+ )
+ puppetdb? ( >=dev-ruby/puppetdb-termini-3.1.0 )"
+ /opt/puppetlabs/puppet
+ /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/2.1.0/x86_64-linux/*
+ /opt/puppetlabs/puppet/lib/ruby/2.1.0/x86_64-linux/mathn/*
+ /opt/puppetlabs/puppet/lib/ruby/2.1.0/x86_64-linux/io/*
+ /opt/puppetlabs/puppet/lib/ruby/2.1.0/x86_64-linux/dl/*
+ /opt/puppetlabs/puppet/lib/ruby/2.1.0/x86_64-linux/racc/*
+ /opt/puppetlabs/puppet/lib/ruby/2.1.0/x86_64-linux/enc/*
+ /opt/puppetlabs/puppet/lib/ruby/2.1.0/x86_64-linux/json/ext/*
+ /opt/puppetlabs/puppet/lib/ruby/2.1.0/x86_64-linux/rbconfig/*
+ /opt/puppetlabs/puppet/lib/ruby/2.1.0/x86_64-linux/digest/*
+ /opt/puppetlabs/puppet/lib/ruby/2.1.0/x86_64-linux/*
+ /opt/puppetlabs/puppet/lib/engines/*
+ /opt/puppetlabs/puppet/lib/virt-what/*
+ /opt/puppetlabs/puppet/lib/*
+ /opt/puppetlabs/puppet/bin/*"
+pkg_setup() {
+ enewgroup puppet
+ enewuser puppet -1 -1 /var/run/puppet puppet
+src_prepare() {
+ if use experimental; then
+ epatch "${FILESDIR}/43e2c935252b995134ce353e5e6312cf77aea480.patch"
+ fi
+src_install() {
+ # conf.d
+ doconfd etc/default/puppet
+ doconfd etc/default/mcollective
+ doconfd etc/default/pxp-agent
+ # logrotate.d
+ insinto /etc/logrotate.d
+ doins etc/logrotate.d/mcollective
+ doins etc/logrotate.d/pxp-agent
+ # puppet itself
+ insinto /etc/puppetlabs
+ doins -r etc/puppetlabs/*
+ # logdir for systemd
+ dodir var/log/puppetlabs/puppet/
+ fperms 0750 var/log/puppetlabs/puppet/
+ # the rest
+ insinto /opt
+ dodir opt/puppetlabs/puppet/cache
+ doins -r opt/*
+ fperms 0750 /opt/puppetlabs/puppet/cache
+ # init
+ newinitd "${FILESDIR}/puppet.initd" puppet
+ newinitd "${FILESDIR}/mcollective.initd" mcollective
+ systemd_dounit lib/systemd/system/puppet.service
+ systemd_dounit lib/systemd/system/mcollective.service
+ systemd_dounit lib/systemd/system/pxp-agent.service
+ systemd_newtmpfilesd "${FILESDIR}/puppet-agent.conf.tmpfilesd" puppet-agent.conf
+ # symlinks
+ chmod 0755 -R "${D}/opt/puppetlabs/puppet/bin/"
+ chmod 0755 "${D}//opt/puppetlabs/puppet/lib/virt-what/virt-what-cpuid-helper"
+ dosym /opt/puppetlabs/bin/facter /usr/bin/facter
+ dosym /opt/puppetlabs/bin/hiera /usr/bin/hiera
+ dosym /opt/puppetlabs/bin/mco /usr/bin/mco
+ dosym /opt/puppetlabs/bin/puppet /usr/bin/puppet
+ dosym /opt/puppetlabs/puppet/bin/mcollectived /usr/sbin/mcollectived
+ dosym /opt/puppetlabs/puppet/bin/virt-what /usr/bin/virt-what
+ dosym /opt/puppetlabs/puppet/bin/augparse /usr/bin/augparse
+ dosym /opt/puppetlabs/puppet/bin/augtool /usr/bin/augtool
+ dosym /opt/puppetlabs/puppet/bin/extlookup2hiera /usr/bin/extlookup2hiera
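Review bot: `doins -r opt/*` in src_install installs the whole vendored tree with doins' default file mode, so the modes the upstream package shipped are flattened. The only corrections visible here are `chmod 0755 -R` on `bin/`, one chmod on the virt-what helper, and `fperms 0750` on the cache directory. Anything else under `/opt/puppetlabs` that is meant to be executable or not world-readable would lose that silently. I would add a comment above the call such as `# doins resets modes to its default; only bin/ and the virt-what helper are restored below`, or copy the tree with modes preserved if upstream's permissions matter. The page seems to have dropped some lines of this ebuild, so src_install may continue beyond what is shown.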
diff --git a/app-admin/puppet-agent/puppet-agent-1.10.0.ebuild b/app-admin/puppet-agent/puppet-agent-1.10.0.ebuild
index 6c086d53b70c..2d099b35fe06 100644
--- a/app-admin/puppet-agent/puppet-agent-1.10.0.ebuild
+++ b/app-admin/puppet-agent/puppet-agent-1.10.0.ebuild
@@ -14,7 +14,7 @@ SRC_URI="
-KEYWORDS="amd64 x86"
+KEYWORDS="~amd64 ~x86"
IUSE="puppetdb selinux"
diff --git a/kde-frameworks/kauth/files/kauth-5.33.0-CVE-2017-8422.patch b/kde-frameworks/kauth/files/kauth-5.33.0-CVE-2017-8422.patch
new file mode 100644
index 000000000000..b789d734f18a
--- /dev/null
+++ b/kde-frameworks/kauth/files/kauth-5.33.0-CVE-2017-8422.patch
@@ -0,0 +1,186 @@
+commit df875f725293af53399f5146362eb158b4f9216a
+Author: Albert Astals Cid <>
+Date: Wed May 10 10:03:45 2017 +0200
+ Verify that whoever is calling us is actually who he says he is
+ CVE-2017-8422
+diff --git a/src/AuthBackend.cpp b/src/AuthBackend.cpp
+index a41d4f1..a847494 100644
+--- a/src/AuthBackend.cpp
++++ b/src/AuthBackend.cpp
+@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities)
+ d->capabilities = capabilities;
+ }
++AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const
++ return NoExtraCallerIDVerificationMethod;
+ bool AuthBackend::actionExists(const QString &action)
+ {
+ Q_UNUSED(action);
+diff --git a/src/AuthBackend.h b/src/AuthBackend.h
+index c67a706..09195ef 100644
+--- a/src/AuthBackend.h
++++ b/src/AuthBackend.h
+@@ -43,6 +43,12 @@ public:
+ };
+ Q_DECLARE_FLAGS(Capabilities, Capability)
++ enum ExtraCallerIDVerificationMethod {
++ NoExtraCallerIDVerificationMethod,
++ VerifyAgainstDBusServiceName,
++ VerifyAgainstDBusServicePid,
++ };
+ AuthBackend();
+ virtual ~AuthBackend();
+ virtual void setupAction(const QString &action) = 0;
+@@ -50,6 +56,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString &action) = 0;
+ virtual Action::AuthStatus actionStatus(const QString &action) = 0;
+ virtual QByteArray callerID() const = 0;
++ virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0;
+ virtual bool actionExists(const QString &action);
+diff --git a/src/backends/dbus/DBusHelperProxy.cpp b/src/backends/dbus/DBusHelperProxy.cpp
+index 9c5cb96..3c1c108 100644
+--- a/src/backends/dbus/DBusHelperProxy.cpp
++++ b/src/backends/dbus/DBusHelperProxy.cpp
+@@ -235,6 +235,29 @@ bool DBusHelperProxy::hasToStopAction()
+ return m_stopRequest;
+ }
++bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID)
++ // Check the caller is really who it says it is
++ switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) {
++ case AuthBackend::NoExtraCallerIDVerificationMethod:
++ break;
++ case AuthBackend::VerifyAgainstDBusServiceName:
++ if (message().service().toUtf8() != callerID) {
++ return false;
++ }
++ break;
++ case AuthBackend::VerifyAgainstDBusServicePid:
++ if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) {
++ return false;
++ }
++ break;
++ }
++ return BackendsManager::authBackend()->isCallerAuthorized(action, callerID);
+ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments)
+ {
+ if (!responder) {
+@@ -259,7 +282,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
+ QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
+ timer->stop();
+- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++ if (isCallerAuthorized(action, callerID)) {
+ QString slotname = action;
+ if (slotname.startsWith(m_name + QLatin1Char('.'))) {
+ slotname = slotname.right(slotname.length() - m_name.length() - 1);
+@@ -301,7 +324,7 @@ uint DBusHelperProxy::authorizeAction(const QString &action, const QByteArray &c
+ QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer *>();
+ timer->stop();
+- if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
++ if (isCallerAuthorized(action, callerID)) {
+ retVal = static_cast<uint>(Action::AuthorizedStatus);
+ } else {
+ retVal = static_cast<uint>(Action::DeniedStatus);
+diff --git a/src/backends/dbus/DBusHelperProxy.h b/src/backends/dbus/DBusHelperProxy.h
+index 52b0ac4..82cec5a 100644
+--- a/src/backends/dbus/DBusHelperProxy.h
++++ b/src/backends/dbus/DBusHelperProxy.h
+@@ -25,12 +25,13 @@
+ #include "kauthactionreply.h"
+ #include <QDBusConnection>
++#include <QDBusContext>
+ #include <QVariant>
+ namespace KAuth
+ {
+-class DBusHelperProxy : public HelperProxy
++class DBusHelperProxy : public HelperProxy, protected QDBusContext
+ {
+ Q_PLUGIN_METADATA(IID "org.kde.DBusHelperProxy")
+@@ -79,6 +80,9 @@ Q_SIGNALS:
+ private Q_SLOTS:
+ void remoteSignalReceived(int type, const QString &action, QByteArray blob);
++ bool isCallerAuthorized(const QString &action, const QByteArray &callerID);
+ };
+ } // namespace Auth
+diff --git a/src/backends/policykit/PolicyKitBackend.cpp b/src/backends/policykit/PolicyKitBackend.cpp
+index c2b4d42..bf038a8 100644
+--- a/src/backends/policykit/PolicyKitBackend.cpp
++++ b/src/backends/policykit/PolicyKitBackend.cpp
+@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const
+ return a;
+ }
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++ return VerifyAgainstDBusServicePid;
+ bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+ QDataStream s(&callerID, QIODevice::ReadOnly);
+diff --git a/src/backends/policykit/PolicyKitBackend.h b/src/backends/policykit/PolicyKitBackend.h
+index eb17a3a..38b0240 100644
+--- a/src/backends/policykit/PolicyKitBackend.h
++++ b/src/backends/policykit/PolicyKitBackend.h
+@@ -40,6 +40,7 @@ public:
+ virtual Action::AuthStatus authorizeAction(const QString &);
+ virtual Action::AuthStatus actionStatus(const QString &);
+ virtual QByteArray callerID() const;
++ ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
+ virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
+ private Q_SLOTS:
+diff --git a/src/backends/polkit-1/Polkit1Backend.cpp b/src/backends/polkit-1/Polkit1Backend.cpp
+index 78ee5bb..774588c 100644
+--- a/src/backends/polkit-1/Polkit1Backend.cpp
++++ b/src/backends/polkit-1/Polkit1Backend.cpp
+@@ -162,6 +162,11 @@ QByteArray Polkit1Backend::callerID() const
+ return QDBusConnection::systemBus().baseService().toUtf8();
+ }
++AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
++ return VerifyAgainstDBusServiceName;
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+diff --git a/src/backends/polkit-1/Polkit1Backend.h b/src/backends/polkit-1/Polkit1Backend.h
+index d7d1e3a..2357892 100644
+--- a/src/backends/polkit-1/Polkit1Backend.h
++++ b/src/backends/polkit-1/Polkit1Backend.h
+@@ -49,6 +49,7 @@ public:
+ Action::AuthStatus authorizeAction(const QString &) Q_DECL_OVERRIDE;
+ Action::AuthStatus actionStatus(const QString &) Q_DECL_OVERRIDE;
+ QByteArray callerID() const Q_DECL_OVERRIDE;
++ ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const Q_DECL_OVERRIDE;
+ bool isCallerAuthorized(const QString &action, QByteArray callerID) Q_DECL_OVERRIDE;
+ bool actionExists(const QString &action) Q_DECL_OVERRIDE;
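Review bot: The `VerifyAgainstDBusServicePid` case in `DBusHelperProxy::isCallerAuthorized` can pass when both sides fail, because `servicePid(...).value()` is compared without checking that the reply is valid and `callerID.toUInt()` is used without its `ok` flag; an error reply and an unparsable callerID both read as 0 and compare equal. The PolicyKit backend's own `isCallerAuthorized` reads callerID through a `QDataStream`, so it is worth confirming that the ID really is a decimal string before relying on `toUInt()` here. Separately, the definition added to PolicyKitBackend.cpp is spelled `Polkit1Backend::extraCallerIDVerificationMethod()`, which looks like a copy-paste slip for `PolicyKitBackend::`. The rewritten case below fails closed.

```cpp
    case AuthBackend::VerifyAgainstDBusServicePid: {
        bool ok = false;
        const uint claimedPid = callerID.toUInt(&ok);
        const QDBusReply<uint> reply = connection().interface()->servicePid(message().service());
        // Reject on a parse failure or a D-Bus error instead of comparing two defaulted zeros.
        if (!ok || !reply.isValid() || reply.value() != claimedPid) {
            return false;
        }
        break;
    }
    // … unchanged: other cases and the final authBackend()->isCallerAuthorized() call …
```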
diff --git a/kde-frameworks/kauth/kauth-5.33.0.ebuild b/kde-frameworks/kauth/kauth-5.33.0-r1.ebuild
index fbd559a21c37..24fc0d1e02cf 100644
--- a/kde-frameworks/kauth/kauth-5.33.0.ebuild
+++ b/kde-frameworks/kauth/kauth-5.33.0-r1.ebuild
@@ -24,6 +24,8 @@ DEPEND="${RDEPEND}
PDEPEND="policykit? ( kde-plasma/polkit-kde-agent )"
+PATCHES=( "${FILESDIR}/${P}-CVE-2017-8422.patch" )
src_configure() {
local mycmakeargs=(
$(cmake-utils_use_find_package policykit PolkitQt5-1)