| 1 |
commit: bcbbc28935e68cd159ba8c04fac867cc8f284ce5 |
| 2 |
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Sun Aug 30 07:54:06 2020 +0000 |
| 4 |
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Aug 30 07:58:22 2020 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcbbc289 |
| 7 |
|
| 8 |
kde-apps/kleopatra: Fix CVE-2020-24972 |
| 9 |
|
| 10 |
Bug: https://bugs.gentoo.org/739556 |
| 11 |
Package-Manager: Portage-3.0.4, Repoman-3.0.1 |
| 12 |
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> |
| 13 |
|
| 14 |
.../files/kleopatra-20.04.3-CVE-2020-24972.patch | 110 +++++++++++++++++++++ |
| 15 |
kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild | 57 +++++++++++ |
| 16 |
2 files changed, 167 insertions(+) |
| 17 |
|
| 18 |
diff --git a/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch b/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch |
| 19 |
new file mode 100644 |
| 20 |
index 00000000000..ebcbb232e08 |
| 21 |
--- /dev/null |
| 22 |
+++ b/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch |
| 23 |
@@ -0,0 +1,110 @@ |
| 24 |
+From b4bd63c1739900d94c04da03045e9445a5a5f54b Mon Sep 17 00:00:00 2001 |
| 25 |
+From: Andre Heinecke <aheinecke@×××××.org> |
| 26 |
+Date: Tue, 7 Jul 2020 14:39:29 +0200 |
| 27 |
+Subject: [PATCH] Allow safe usage of query |
| 28 |
+ |
| 29 |
+To allow secure usage of query and search the parameters are |
| 30 |
+no longer parsed as value but instead of positional arguments. |
| 31 |
+ |
| 32 |
+This allows us to register "kleoptra --query -- $1" as an |
| 33 |
+URL handler for openpgp4fpr: without the risk of command |
| 34 |
+line injection through an unsescaped query string. |
| 35 |
+ |
| 36 |
+Similarly the double dash should be used for file handling |
| 37 |
+to avoid command line injection through filenames. |
| 38 |
+--- |
| 39 |
+ src/kleopatra_options.h | 19 ++++++++++++++----- |
| 40 |
+ src/kleopatraapplication.cpp | 25 ++++++++++++++----------- |
| 41 |
+ 2 files changed, 28 insertions(+), 16 deletions(-) |
| 42 |
+ |
| 43 |
+diff --git a/src/kleopatra_options.h b/src/kleopatra_options.h |
| 44 |
+index 661c44d7..8ce7fccf 100644 |
| 45 |
+--- a/src/kleopatra_options.h |
| 46 |
++++ b/src/kleopatra_options.h |
| 47 |
+@@ -79,8 +79,7 @@ static void kleopatra_options(QCommandLineParser *parser) |
| 48 |
+ << QStringLiteral("D"), |
| 49 |
+ i18n("Decrypt and/or verify file(s)")) |
| 50 |
+ << QCommandLineOption(QStringList() << QStringLiteral("search"), |
| 51 |
+- i18n("Search for a certificate on a keyserver"), |
| 52 |
+- QStringLiteral("search string")) |
| 53 |
++ i18n("Search for a certificate on a keyserver")) |
| 54 |
+ << QCommandLineOption(QStringList() << QStringLiteral("checksum"), |
| 55 |
+ i18n("Create or check a checksum file")) |
| 56 |
+ << QCommandLineOption(QStringList() << QStringLiteral("query") |
| 57 |
+@@ -88,8 +87,7 @@ static void kleopatra_options(QCommandLineParser *parser) |
| 58 |
+ i18nc("If a certificate is already known it shows the certificate details dialog." |
| 59 |
+ "Otherwise it brings up the certificate search dialog.", |
| 60 |
+ "Show details of a local certificate or search for it on a keyserver" |
| 61 |
+- " by fingerprint"), |
| 62 |
+- QStringLiteral("fingerprint")) |
| 63 |
++ " by fingerprint")) |
| 64 |
+ << QCommandLineOption(QStringList() << QStringLiteral("gen-key"), |
| 65 |
+ i18n("Create a new key pair or certificate signing request")) |
| 66 |
+ << QCommandLineOption(QStringLiteral("parent-windowid"), |
| 67 |
+@@ -100,8 +98,19 @@ static void kleopatra_options(QCommandLineParser *parser) |
| 68 |
+ |
| 69 |
+ parser->addOptions(options); |
| 70 |
+ |
| 71 |
++ /* Security note: To avoid code execution by shared library injection |
| 72 |
++ * through e.g. -platformpluginpath any external input should be seperated |
| 73 |
++ * by a double dash -- this is why query / search uses positional arguments. |
| 74 |
++ * |
| 75 |
++ * For example on Windows there is an URLhandler for openpgp4fpr: |
| 76 |
++ * be opened with Kleopatra's query function. And while a browser should |
| 77 |
++ * urlescape such a query there might be tricks to inject a quote character |
| 78 |
++ * and as such inject command line options for Kleopatra in an URL. */ |
| 79 |
+ parser->addPositionalArgument(QStringLiteral("files"), |
| 80 |
+ i18n("File(s) to process"), |
| 81 |
+- QStringLiteral("[files..]")); |
| 82 |
++ QStringLiteral("-- [files..]")); |
| 83 |
++ parser->addPositionalArgument(QStringLiteral("query"), |
| 84 |
++ i18n("String or Fingerprint for query and search"), |
| 85 |
++ QStringLiteral("-- [query..]")); |
| 86 |
+ } |
| 87 |
+ #endif |
| 88 |
+diff --git a/src/kleopatraapplication.cpp b/src/kleopatraapplication.cpp |
| 89 |
+index 989f14b4..a8c5dd08 100644 |
| 90 |
+--- a/src/kleopatraapplication.cpp |
| 91 |
++++ b/src/kleopatraapplication.cpp |
| 92 |
+@@ -273,13 +273,18 @@ QString KleopatraApplication::newInstance(const QCommandLineParser &parser, |
| 93 |
+ |
| 94 |
+ QStringList files; |
| 95 |
+ const QDir cwd = QDir(workingDirectory); |
| 96 |
+- Q_FOREACH (const QString &file, parser.positionalArguments()) { |
| 97 |
+- // We do not check that file exists here. Better handle |
| 98 |
+- // these errors in the UI. |
| 99 |
+- if (QFileInfo(file).isAbsolute()) { |
| 100 |
+- files << file; |
| 101 |
+- } else { |
| 102 |
+- files << cwd.absoluteFilePath(file); |
| 103 |
++ bool queryMode = parser.isSet(QStringLiteral("query")) || parser.isSet(QStringLiteral("search")); |
| 104 |
++ |
| 105 |
++ // Query and Search treat positional arguments differently, see below. |
| 106 |
++ if (!queryMode) { |
| 107 |
++ Q_FOREACH (const QString &file, parser.positionalArguments()) { |
| 108 |
++ // We do not check that file exists here. Better handle |
| 109 |
++ // these errors in the UI. |
| 110 |
++ if (QFileInfo(file).isAbsolute()) { |
| 111 |
++ files << file; |
| 112 |
++ } else { |
| 113 |
++ files << cwd.absoluteFilePath(file); |
| 114 |
++ } |
| 115 |
+ } |
| 116 |
+ } |
| 117 |
+ |
| 118 |
+@@ -313,10 +318,8 @@ QString KleopatraApplication::newInstance(const QCommandLineParser &parser, |
| 119 |
+ |
| 120 |
+ // Handle openpgp4fpr URI scheme |
| 121 |
+ QString needle; |
| 122 |
+- if (parser.isSet(QStringLiteral("search"))) { |
| 123 |
+- needle = parser.value(QStringLiteral("search")); |
| 124 |
+- } else if (parser.isSet(QStringLiteral("query"))) { |
| 125 |
+- needle = parser.value(QStringLiteral("query")); |
| 126 |
++ if (queryMode) { |
| 127 |
++ needle = parser.positionalArguments().join(QLatin1Char(' ')); |
| 128 |
+ } |
| 129 |
+ if (needle.startsWith(QLatin1String("openpgp4fpr:"))) { |
| 130 |
+ needle.remove(0, 12); |
| 131 |
+-- |
| 132 |
+GitLab |
| 133 |
+ |
| 134 |
|
| 135 |
diff --git a/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild b/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild |
| 136 |
new file mode 100644 |
| 137 |
index 00000000000..3953432cb0f |
| 138 |
--- /dev/null |
| 139 |
+++ b/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild |
| 140 |
@@ -0,0 +1,57 @@ |
| 141 |
+# Copyright 1999-2020 Gentoo Authors |
| 142 |
+# Distributed under the terms of the GNU General Public License v2 |
| 143 |
+ |
| 144 |
+EAPI=7 |
| 145 |
+ |
| 146 |
+ECM_HANDBOOK="optional" |
| 147 |
+ECM_TEST="forceoptional" |
| 148 |
+PVCUT=$(ver_cut 1-3) |
| 149 |
+KFMIN=5.70.0 |
| 150 |
+QTMIN=5.14.2 |
| 151 |
+VIRTUALX_REQUIRED="test" |
| 152 |
+inherit ecm kde.org |
| 153 |
+ |
| 154 |
+DESCRIPTION="Certificate manager and GUI for OpenPGP and CMS cryptography" |
| 155 |
+HOMEPAGE="https://kde.org/applications/utilities/org.kde.kleopatra" |
| 156 |
+ |
| 157 |
+LICENSE="GPL-2+ handbook? ( FDL-1.2+ )" |
| 158 |
+SLOT="5" |
| 159 |
+KEYWORDS="~amd64 ~arm64 ~x86" |
| 160 |
+IUSE="" |
| 161 |
+ |
| 162 |
+DEPEND=" |
| 163 |
+ >=app-crypt/gpgme-1.11.1[cxx,qt5] |
| 164 |
+ dev-libs/boost:= |
| 165 |
+ dev-libs/libassuan |
| 166 |
+ dev-libs/libgpg-error |
| 167 |
+ >=dev-qt/qtdbus-${QTMIN}:5 |
| 168 |
+ >=dev-qt/qtgui-${QTMIN}:5 |
| 169 |
+ >=dev-qt/qtnetwork-${QTMIN}:5 |
| 170 |
+ >=dev-qt/qtprintsupport-${QTMIN}:5 |
| 171 |
+ >=dev-qt/qtwidgets-${QTMIN}:5 |
| 172 |
+ >=kde-apps/kmime-${PVCUT}:5 |
| 173 |
+ >=kde-apps/libkleo-${PVCUT}:5 |
| 174 |
+ >=kde-frameworks/kcmutils-${KFMIN}:5 |
| 175 |
+ >=kde-frameworks/kcodecs-${KFMIN}:5 |
| 176 |
+ >=kde-frameworks/kconfig-${KFMIN}:5 |
| 177 |
+ >=kde-frameworks/kconfigwidgets-${KFMIN}:5 |
| 178 |
+ >=kde-frameworks/kcoreaddons-${KFMIN}:5 |
| 179 |
+ >=kde-frameworks/kdbusaddons-${KFMIN}:5 |
| 180 |
+ >=kde-frameworks/ki18n-${KFMIN}:5 |
| 181 |
+ >=kde-frameworks/kiconthemes-${KFMIN}:5 |
| 182 |
+ >=kde-frameworks/kitemmodels-${KFMIN}:5 |
| 183 |
+ >=kde-frameworks/knotifications-${KFMIN}:5 |
| 184 |
+ >=kde-frameworks/ktextwidgets-${KFMIN}:5 |
| 185 |
+ >=kde-frameworks/kwidgetsaddons-${KFMIN}:5 |
| 186 |
+ >=kde-frameworks/kwindowsystem-${KFMIN}:5 |
| 187 |
+ >=kde-frameworks/kxmlgui-${KFMIN}:5 |
| 188 |
+" |
| 189 |
+RDEPEND="${DEPEND} |
| 190 |
+ >=app-crypt/gnupg-2.1 |
| 191 |
+ app-crypt/paperkey |
| 192 |
+" |
| 193 |
+ |
| 194 |
+# tests completely broken, bug #641720 |
| 195 |
+RESTRICT+=" test" |
| 196 |
+ |
| 197 |
+PATCHES=( "${FILESDIR}/${P}-CVE-2020-24972.patch" ) |
Archives