From c006f861f27d664944c9cbbd8653aa5a5fdc1a75 Mon Sep 17 00:00:00 2001
From: Michael Palimaka
Date: Sat, 10 Feb 2018 00:55:21 +1100
Subject: kde-plasma/plasma-workspace: revision bump fixes CVE-2018-6790 and CVE-2018-6791
Bug: https://bugs.gentoo.org/647106
Package-Manager: Portage-2.3.19, Repoman-2.3.6
---
 .../plasma-workspace-5.11.5-CVE-2018-6790.patch | 409 +++++++++++++++++++++
 .../plasma-workspace-5.11.5-CVE-2018-6791.patch | 31 ++
 .../plasma-workspace-5.11.5-r1.ebuild | 175 +++++++++
 3 files changed, 615 insertions(+)
 create mode 100644 kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6790.patch
 create mode 100644 kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6791.patch
 create mode 100644 kde-plasma/plasma-workspace/plasma-workspace-5.11.5-r1.ebuild
(limited to 'kde-plasma')
diff --git a/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6790.patch b/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6790.patch
new file mode 100644
index 000000000000..b424e397a802
--- /dev/null
+++ b/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6790.patch
@@ -0,0 +1,409 @@ +From f1e9a1c458ea44e9169c7e79b90a57fb7c65135f Mon Sep 17 00:00:00 2001 +From: David Edmundson +Date: Wed, 31 Jan 2018 14:28:17 +0000 +Subject: [PATCH 1/2] Sanitise notification HTML + +Summary: +Qt labels support a HTML subset, using a completely internal parser in +QTextDocument. + +The Notification spec support an even smaller subset of notification +elements. + +It's important to strip out irrelevant tags that could potentially load +remote information without user interaction, such as img +src or even ("messageIn"); ++ QTest::addColumn("expectedOut"); ++ ++ QTest::newRow("basic no HTML") << "I am a notification" << "I am a notification"; ++ QTest::newRow("whitespace") << " I am a notification " << "I am a notification"; ++ ++ QTest::newRow("basic html") << "I am the notification" << "I am the notification"; ++ QTest::newRow("nested html") << "I am the notification" << "I am the notification"; ++ ++ QTest::newRow("no extra tags") << "I am the notification" << "I am the notification"; ++ QTest::newRow("no extra attrs") << "I am the notification" << "I am the notification"; ++ ++ QTest::newRow("newlines") << "I am\nthe\nnotification" << "I am
the
notification"; ++ QTest::newRow("multinewlines") << "I am\n\nthe\n\n\nnotification" << "I am
the
notification"; ++ ++ QTest::newRow("amp") << "me&you" << "me&you"; ++ QTest::newRow("double escape") << "foo & <bar>" << "foo & <bar>"; ++ ++ QTest::newRow("quotes") << "'foo'" << "'foo'";//as label can't handle this normally valid entity ++ ++ QTest::newRow("image normal") << "This is \"cheese\"/ and more text" << "This is \"cheese\"/ and more text"; ++ ++ //this input is technically wrong, so the output is also wrong, but QTextHtmlParser does the "right" thing ++ QTest::newRow("image normal no close") << "This is \"cheese\" and more text" << "This is \"cheese\" and more text"; ++ ++ QTest::newRow("image remote URL") << "This is \"cheese\" and more text" << "This is \"cheese\"/ and more text"; ++ ++ //more bad formatted options. To some extent actual output doesn't matter. Garbage in, garbabe out. ++ //the important thing is that it doesn't contain anything that could be parsed as the remote URL ++ QTest::newRow("image remote URL no close") << "This is \" alt=\"cheese\"> and more text" << "This is \"cheese\" and more text"; ++ QTest::newRow("image remote URL double open") << "This is <\" and more text" << "This is "; ++ QTest::newRow("image remote URL no entitiy close") << "This is \"cheese\" and more text" << "This is "; ++ ++ QTest::newRow("link") << "This is a link and more text" << "This is a link and more text"; ++} ++ ++void NotificationTest::parse() ++{ ++ QFETCH(QString, messageIn); ++ QFETCH(QString, expectedOut); ++ ++ const QString out = NotificationSanitizer::parse(messageIn); ++ expectedOut = "" + expectedOut + "\n"; ++ QCOMPARE(out, expectedOut); ++} ++ ++ ++QTEST_GUILESS_MAIN(NotificationTest) ++ ++#include "notifications_test.moc" +diff --git a/dataengines/notifications/notificationsanitizer.cpp b/dataengines/notifications/notificationsanitizer.cpp +new file mode 100644 +index 00000000..5410132c +--- /dev/null ++++ b/dataengines/notifications/notificationsanitizer.cpp +@@ -0,0 +1,106 @@ ++/* ++ * Copyright (C) 2017 David Edmundson ++ * ++ * This 
program is free software you can redistribute it and/or ++ * modify it under the terms of the GNU Library General Public ++ * License as published by the Free Software Foundation; either ++ * version 2 of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Library General Public License for more details. ++ * ++ * You should have received a copy of the GNU Library General Public License ++ * along with this library; see the file COPYING.LIB. If not, write to ++ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, ++ * Boston, MA 02110-1301, USA. ++*/ ++ ++#include "notificationsanitizer.h" ++ ++#include ++#include ++#include ++#include ++#include ++ ++QString NotificationSanitizer::parse(const QString &text) ++{ ++ // replace all \ns with
++ QString t = text; ++ ++ t.replace(QLatin1String("\n"), QStringLiteral("
")); ++ // Now remove all inner whitespace (\ns are already
s) ++ t = t.simplified(); ++ // Finally, check if we don't have multiple
s following, ++ // can happen for example when "\n \n" is sent, this replaces ++ // all
s in succsession with just one ++ t.replace(QRegularExpression(QStringLiteral("
\\s*
(\\s|
)*")), QLatin1String("
")); ++ // This fancy RegExp escapes every occurence of & since QtQuick Text will blatantly cut off ++ // text where it finds a stray ampersand. ++ // Only &{apos, quot, gt, lt, amp}; as well as { character references will be allowed ++ t.replace(QRegularExpression(QStringLiteral("&(?!(?:apos|quot|[gl]t|amp);|#)")), QLatin1String("&")); ++ ++ QXmlStreamReader r(QStringLiteral("") + t + QStringLiteral("")); ++ QString result; ++ QXmlStreamWriter out(&result); ++ ++ const QVector allowedTags = {"b", "i", "u", "img", "a", "html", "br"}; ++ ++ out.writeStartDocument(); ++ while (!r.atEnd()) { ++ r.readNext(); ++ ++ if (r.tokenType() == QXmlStreamReader::StartElement) { ++ const QString name = r.name().toString(); ++ if (!allowedTags.contains(name)) { ++ continue; ++ } ++ out.writeStartElement(name); ++ if (name == QLatin1String("img")) { ++ auto src = r.attributes().value("src").toString(); ++ auto alt = r.attributes().value("alt").toString(); ++ ++ const QUrl url(src); ++ if (url.isLocalFile()) { ++ out.writeAttribute(QStringLiteral("src"), src); ++ } else { ++ //image denied for security reasons! Do not copy the image src here! 
++ } ++ ++ out.writeAttribute(QStringLiteral("alt"), alt); ++ } ++ if (name == QLatin1String("a")) { ++ out.writeAttribute(QStringLiteral("href"), r.attributes().value("href").toString()); ++ } ++ } ++ ++ if (r.tokenType() == QXmlStreamReader::EndElement) { ++ const QString name = r.name().toString(); ++ if (!allowedTags.contains(name)) { ++ continue; ++ } ++ out.writeEndElement(); ++ } ++ ++ if (r.tokenType() == QXmlStreamReader::Characters) { ++ const auto text = r.text().toString(); ++ out.writeCharacters(text); //this auto escapes chars -> HTML entities ++ } ++ } ++ out.writeEndDocument(); ++ ++ if (r.hasError()) { ++ qWarning() << "Notification to send to backend contains invalid XML: " ++ << r.errorString() << "line" << r.lineNumber() ++ << "col" << r.columnNumber(); ++ } ++ ++ // The Text.StyledText format handles only html3.2 stuff and ' is html4 stuff ++ // so we need to replace it here otherwise it will not render at all. ++ result = result.replace(QLatin1String("'"), QChar('\'')); ++ ++ ++ return result; ++} +diff --git a/dataengines/notifications/notificationsanitizer.h b/dataengines/notifications/notificationsanitizer.h +new file mode 100644 +index 00000000..561a84b7 +--- /dev/null ++++ b/dataengines/notifications/notificationsanitizer.h +@@ -0,0 +1,35 @@ ++/* ++ * Copyright (C) 2017 David Edmundson ++ * ++ * This program is free software you can redistribute it and/or ++ * modify it under the terms of the GNU Library General Public ++ * License as published by the Free Software Foundation; either ++ * version 2 of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Library General Public License for more details. 
++ * ++ * You should have received a copy of the GNU Library General Public License ++ * along with this library; see the file COPYING.LIB. If not, write to ++ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, ++ * Boston, MA 02110-1301, USA. ++*/ ++ ++#include ++ ++namespace NotificationSanitizer ++{ ++ /* ++ * This turns generic random text of either plain text of any degree of faux-HTML into HTML allowed ++ * in the notification spec namely: ++ * a, img, b, i, u and br ++ * All other tags and attributes are stripped ++ * Whitespace is stripped and converted to
++ * Double newlines are compressed ++ * ++ * Image src is only copied when referring to a local file ++ */ ++ QString parse(const QString &in); ++} +diff --git a/dataengines/notifications/notificationsengine.cpp b/dataengines/notifications/notificationsengine.cpp +index 72338aeb..caf310e5 100644 +--- a/dataengines/notifications/notificationsengine.cpp ++++ b/dataengines/notifications/notificationsengine.cpp +@@ -20,6 +20,7 @@ + #include "notificationsengine.h" + #include "notificationservice.h" + #include "notificationsadaptor.h" ++#include "notificationsanitizer.h" + + #include + #include +@@ -281,23 +282,7 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id, + + const QString source = QStringLiteral("notification %1").arg(id); + +- // First trim whitespace from beginning and end +- bodyFinal = bodyFinal.trimmed(); +- // Now replace all \ns with
+- bodyFinal = bodyFinal.replace(QLatin1String("\n"), QLatin1String("
")); +- // Now remove all inner whitespace (\ns are already
s +- bodyFinal = bodyFinal.simplified(); +- // Finally, check if we don't have multiple
s following, +- // can happen for example when "\n \n" is sent, this replaces +- // all
s in succsession with just one +- bodyFinal.replace(QRegularExpression(QStringLiteral("
\\s*
(\\s|
)*")), QLatin1String("
")); +- // This fancy RegExp escapes every occurence of & since QtQuick Text will blatantly cut off +- // text where it finds a stray ampersand. +- // Only &{apos, quot, gt, lt, amp}; as well as { character references will be allowed +- bodyFinal.replace(QRegularExpression(QStringLiteral("&(?!(?:apos|quot|[gl]t|amp);|#)")), QLatin1String("&")); +- // The Text.StyledText format handles only html3.2 stuff and ' is html4 stuff +- // so we need to replace it here otherwise it will not render at all. +- bodyFinal.replace(QLatin1String("'"), QChar('\'')); ++ bodyFinal = NotificationSanitizer::parse(bodyFinal); + + Plasma::DataEngine::Data notificationData; + notificationData.insert(QStringLiteral("id"), QString::number(id)); +-- +2.13.6 + +From cb791b571aed1ea6976e0a6906df3e35dea657ef Mon Sep 17 00:00:00 2001 +From: Kai Uwe Broulik +Date: Mon, 5 Feb 2018 13:53:17 +0100 +Subject: [PATCH 2/2] [Notifications] Fix grouping + +Sanitize the body before doing anything else. +Cleanup grouping logic. + +Differential Revision: https://phabricator.kde.org/D10315 +--- + dataengines/notifications/notificationsengine.cpp | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/dataengines/notifications/notificationsengine.cpp b/dataengines/notifications/notificationsengine.cpp +index caf310e5..bc48deed 100644 +--- a/dataengines/notifications/notificationsengine.cpp ++++ b/dataengines/notifications/notificationsengine.cpp +@@ -217,7 +217,7 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id, + qDebug() << "Currrent active notifications:" << m_activeNotifications; + qDebug() << "Guessing partOf as:" << partOf; + qDebug() << " New Notification: " << summary << body << timeout << "& Part of:" << partOf; +- QString bodyFinal = body; ++ QString bodyFinal = NotificationSanitizer::parse(body); + QString summaryFinal = summary; + + if (partOf > 0) { +@@ -225,13 +225,13 @@ uint NotificationsEngine::Notify(const QString &app_name, uint 
replaces_id, + Plasma::DataContainer *container = containerForSource(source); + if (container) { + // append the body text +- QString _body = container->data()[QStringLiteral("body")].toString(); +- if (_body != body) { +- _body.append("\n").append(body); +- } else { +- _body = body; ++ const QString previousBody = container->data()[QStringLiteral("body")].toString(); ++ if (previousBody != bodyFinal) { ++ // FIXME: This will just append the entire old XML document to another one, leading to: ++ // old
new ++ // It works but is not very clean. ++ bodyFinal = previousBody + QStringLiteral("
") + bodyFinal; + } +- bodyFinal = _body; + + replaces_id = partOf; + +@@ -267,7 +267,7 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id, + + const int AVERAGE_WORD_LENGTH = 6; + const int WORD_PER_MINUTE = 250; +- int count = summary.length() + body.length(); ++ int count = summary.length() + body.length() - strlen(""); + + // -1 is "server default", 0 is persistent with "server default" display time, + // anything more should honor the setting +@@ -282,8 +282,6 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id, + + const QString source = QStringLiteral("notification %1").arg(id); + +- bodyFinal = NotificationSanitizer::parse(bodyFinal); +- + Plasma::DataEngine::Data notificationData; + notificationData.insert(QStringLiteral("id"), QString::number(id)); + notificationData.insert(QStringLiteral("eventId"), eventId); +-- +2.13.6 + diff --git a/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6791.patch b/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6791.patch new file mode 100644 index 000000000000..621687c59d24 --- /dev/null +++ b/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6791.patch 
@@ -0,0 +1,31 @@
+From f32002ce50edc3891f1fa41173132c820b917d57 Mon Sep 17 00:00:00 2001
+From: Marco Martin
+Date: Mon, 5 Feb 2018 13:12:51 +0100
+Subject: [PATCH] Make sure device paths are quoted
+
+in the case a vfat removable device has $() or `` in its label,
+such as $(touch foo) the quoted command may get executed,
+leaving an attack vector. Use KMacroExpander::expandMacrosShellQuote
+to make sure everything is quoted and not interpreted as a command
+
+BUG:389815
+---
+ soliduiserver/deviceserviceaction.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/soliduiserver/deviceserviceaction.cpp b/soliduiserver/deviceserviceaction.cpp
+index f49c967a..738b27c8 100644
+--- a/soliduiserver/deviceserviceaction.cpp
++++ b/soliduiserver/deviceserviceaction.cpp
+@@ -158,7 +158,7 @@ void DelayedExecutor::delayedExecute(const QString &udi)
+ 
+ QString exec = m_service.exec();
+ MacroExpander mx(device);
+- mx.expandMacros(exec);
++ mx.expandMacrosShellQuote(exec);
+ 
+ KRun::runCommand(exec, QString(), m_service.icon(), 0);
+ deleteLater();
+--
+2.13.6
+
diff --git a/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6791.patch b/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6791.patch
new file mode 100644
index 000000000000..621687c59d24
--- /dev/null
+++ b/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6791.patch
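Review bot: The one-line switch to `mx.expandMacrosShellQuote(exec)` is the entire fix, but nothing at the call site records why the quoting variant is required, so a later tidy-up could reintroduce `expandMacros` without noticing. Since `exec` is handed to `KRun::runCommand` as a shell command line two lines below, I'd add above the call: `// exec is run through the shell by KRun::runCommand and the macros expand device metadata` / `// (labels etc.) that is not trusted, so every expansion must be shell-quoted (BUG 389815).` DelayedExecutor::delayedExecute starts and ends outside the hunk, so I cannot see whether other macro expansions of the same data exist elsewhere in it.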
@@ -0,0 +1,175 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+KDE_HANDBOOK="forceoptional"
+KDE_TEST="forceoptional"
+VIRTUALX_REQUIRED="test"
+inherit kde5 qmake-utils
+
+DESCRIPTION="KDE Plasma workspace"
+KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+IUSE="appstream +calendar geolocation gps prison qalculate +semantic-desktop systemd"
+
+REQUIRED_USE="gps? ( geolocation )"
+
+COMMON_DEPEND="
+ $(add_frameworks_dep kactivities)
+ $(add_frameworks_dep kauth)
+ $(add_frameworks_dep kbookmarks)
+ $(add_frameworks_dep kcompletion)
+ $(add_frameworks_dep kconfig)
+ $(add_frameworks_dep kconfigwidgets)
+ $(add_frameworks_dep kcoreaddons)
+ $(add_frameworks_dep kcrash)
+ $(add_frameworks_dep kdbusaddons)
+ $(add_frameworks_dep kdeclarative)
+ $(add_frameworks_dep kdelibs4support)
+ $(add_frameworks_dep kglobalaccel)
+ $(add_frameworks_dep kguiaddons)
+ $(add_frameworks_dep ki18n)
+ $(add_frameworks_dep kiconthemes)
+ $(add_frameworks_dep kidletime)
+ $(add_frameworks_dep kio)
+ $(add_frameworks_dep kitemmodels)
+ $(add_frameworks_dep kitemviews)
+ $(add_frameworks_dep kjobwidgets)
+ $(add_frameworks_dep kjs)
+ $(add_frameworks_dep kjsembed)
+ $(add_frameworks_dep knewstuff)
+ $(add_frameworks_dep knotifications)
+ $(add_frameworks_dep knotifyconfig)
+ $(add_frameworks_dep kpackage)
+ $(add_frameworks_dep krunner)
+ $(add_frameworks_dep kservice)
+ $(add_frameworks_dep ktexteditor)
+ $(add_frameworks_dep ktextwidgets)
+ $(add_frameworks_dep kwallet)
+ $(add_frameworks_dep kwayland)
+ $(add_frameworks_dep kwidgetsaddons)
+ $(add_frameworks_dep kwindowsystem)
+ $(add_frameworks_dep kxmlgui)
+ $(add_frameworks_dep plasma)
+ $(add_frameworks_dep solid)
+ $(add_plasma_dep kscreenlocker)
+ $(add_plasma_dep kwin)
+ $(add_plasma_dep libksysguard)
+ $(add_qt_dep qtdbus)
+ $(add_qt_dep qtdeclarative 'widgets')
+ $(add_qt_dep qtgui 'jpeg')
+ $(add_qt_dep qtnetwork)
+ $(add_qt_dep qtscript)
+ $(add_qt_dep qtsql)
+ $(add_qt_dep qtwidgets)
+ $(add_qt_dep qtx11extras)
+ $(add_qt_dep qtxml)
+ media-libs/phonon[qt5(+)]
+ sys-libs/zlib
+ x11-libs/libICE
+ x11-libs/libSM
+ x11-libs/libX11
+ x11-libs/libXau
+ x11-libs/libxcb
+ x11-libs/libXfixes
+ x11-libs/libXrender
+ x11-libs/libXtst
+ x11-libs/xcb-util
+ x11-libs/xcb-util-image
+ appstream? ( dev-libs/appstream[qt5] )
+ calendar? ( $(add_kdeapps_dep kholidays) )
+ geolocation? ( $(add_frameworks_dep networkmanager-qt) )
+ gps? ( sci-geosciences/gpsd )
+ prison? ( $(add_frameworks_dep prison) )
+ qalculate? ( sci-libs/libqalculate:= )
+ semantic-desktop? ( $(add_frameworks_dep baloo) )
+"
+RDEPEND="${COMMON_DEPEND}
+ $(add_frameworks_dep kded)
+ $(add_frameworks_dep kdesu)
+ $(add_kdeapps_dep kio-extras)
+ $(add_plasma_dep kde-cli-tools)
+ $(add_plasma_dep ksysguard)
+ $(add_plasma_dep milou)
+ $(add_plasma_dep plasma-integration)
+ $(add_qt_dep qdbus)
+ $(add_qt_dep qtgraphicaleffects)
+ $(add_qt_dep qtpaths)
+ $(add_qt_dep qtquickcontrols 'widgets')
+ app-text/iso-codes
+ x11-apps/mkfontdir
+ x11-apps/xmessage
+ x11-apps/xprop
+ x11-apps/xrdb
+ x11-apps/xset
+ x11-apps/xsetroot
+ systemd? ( sys-apps/dbus[user-session] )
+ !systemd? ( sys-apps/dbus )
+ !dev-libs/xembed-sni-proxy
+ !kde-plasma/freespacenotifier:4
+ !kde-plasma/libtaskmanager:4
+ !kde-plasma/kcminit:4
+ !kde-plasma/kdebase-startkde:4
+ !kde-plasma/klipper:4
+ !kde-plasma/krunner:4
+ !kde-plasma/ksmserver:4
+ !kde-plasma/ksplash:4
+ !kde-plasma/plasma-workspace:4
+"
+DEPEND="${COMMON_DEPEND}
+ $(add_qt_dep qtconcurrent)
+ x11-proto/xproto
+"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-5.4-startkde-script.patch"
+ "${FILESDIR}/${PN}-5.10-startplasmacompositor-script.patch"
+ "${FILESDIR}/${PN}-5.10.4-unused-dep.patch"
+ "${FILESDIR}/${P}-CVE-2018-6790.patch"
+ "${FILESDIR}/${P}-CVE-2018-6791.patch"
+)
+
+RESTRICT+=" test"
+
+src_prepare() {
+ kde5_src_prepare
+
+ sed -e "s|\`qtpaths|\`$(qt5_get_bindir)/qtpaths|" \
+ -i startkde/startkde.cmake startkde/startplasmacompositor.cmake || die
+}
+
+src_configure() {
+ local mycmakeargs=(
+ $(cmake-utils_use_find_package appstream AppStreamQt)
+ $(cmake-utils_use_find_package calendar KF5Holidays)
+ $(cmake-utils_use_find_package geolocation KF5NetworkManagerQt)
+ $(cmake-utils_use_find_package prison KF5Prison)
+ $(cmake-utils_use_find_package qalculate Qalculate)
+ $(cmake-utils_use_find_package semantic-desktop KF5Baloo)
+ )
+
+ use gps && mycmakeargs+=( $(cmake-utils_use_find_package gps libgps) )
+
+ kde5_src_configure
+}
+
+src_install() {
+ kde5_src_install
+
+ # startup and shutdown scripts
+ insinto /etc/plasma/startup
+ doins "${FILESDIR}/10-agent-startup.sh"
+
+ insinto /etc/plasma/shutdown
+ doins "${FILESDIR}/10-agent-shutdown.sh"
+}
+
+pkg_postinst () {
+ kde5_pkg_postinst
+
+ echo
+ elog "To enable gpg-agent and/or ssh-agent in Plasma sessions,"
+ elog "edit ${EPREFIX}/etc/plasma/startup/10-agent-startup.sh and"
+ elog "${EPREFIX}/etc/plasma/shutdown/10-agent-shutdown.sh"
+ echo
+}
-- cgit v1.2.3-65-gdbad
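Review bot: `RESTRICT+=" test"` carries no reason, and its effect here is that the NotificationTest/notifications_test that the CVE-2018-6790 patch appears to add is never executed during the build, even though `KDE_TEST="forceoptional"` and `VIRTUALX_REQUIRED="test"` show the ebuild is otherwise set up for tests. A comment on that line would tell the next maintainer whether this is a known test failure or a missing dependency and whether the restriction can be lifted once the sanitiser test is known to pass, e.g. `RESTRICT+=" test" # <reason or bug reference - placeholder>`. Whether the new test is even wired into the build depends on CMake changes that are not visible in this rendering of the patch, so that part is inferred.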