commit: bcbbc28935e68cd159ba8c04fac867cc8f284ce5 |
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
AuthorDate: Sun Aug 30 07:54:06 2020 +0000 |
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
CommitDate: Sun Aug 30 07:58:22 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcbbc289 |
|
kde-apps/kleopatra: Fix CVE-2020-24972 |
|
Bug: https://bugs.gentoo.org/739556 |
Package-Manager: Portage-3.0.4, Repoman-3.0.1 |
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> |
|
.../files/kleopatra-20.04.3-CVE-2020-24972.patch | 110 +++++++++++++++++++++ |
kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild | 57 +++++++++++ |
2 files changed, 167 insertions(+) |
|
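diff --git a/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch b/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch
new file mode 100644
index 00000000000..ebcbb232e08
--- /dev/null
+++ b/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch
@@ -0,0 +1,110 @@
+From b4bd63c1739900d94c04da03045e9445a5a5f54b Mon Sep 17 00:00:00 2001
+From: Andre Heinecke <aheinecke@×××××.org>
+Date: Tue, 7 Jul 2020 14:39:29 +0200
+Subject: [PATCH] Allow safe usage of query
+
+To allow secure usage of query and search the parameters are
+no longer parsed as value but instead of positional arguments.
+
+This allows us to register "kleoptra --query -- $1" as an
+URL handler for openpgp4fpr: without the risk of command
+line injection through an unsescaped query string.
+
+Similarly the double dash should be used for file handling
+to avoid command line injection through filenames.
+---
+ src/kleopatra_options.h | 19 ++++++++++++++-----
+ src/kleopatraapplication.cpp | 25 ++++++++++++++-----------
+ 2 files changed, 28 insertions(+), 16 deletions(-)
+
+diff --git a/src/kleopatra_options.h b/src/kleopatra_options.h
+index 661c44d7..8ce7fccf 100644
+--- a/src/kleopatra_options.h
++++ b/src/kleopatra_options.h
+@@ -79,8 +79,7 @@ static void kleopatra_options(QCommandLineParser *parser)
+ << QStringLiteral("D"),
+ i18n("Decrypt and/or verify file(s)"))
+ << QCommandLineOption(QStringList() << QStringLiteral("search"),
+- i18n("Search for a certificate on a keyserver"),
+- QStringLiteral("search string"))
++ i18n("Search for a certificate on a keyserver"))
+ << QCommandLineOption(QStringList() << QStringLiteral("checksum"),
+ i18n("Create or check a checksum file"))
+ << QCommandLineOption(QStringList() << QStringLiteral("query")
+@@ -88,8 +87,7 @@ static void kleopatra_options(QCommandLineParser *parser)
+ i18nc("If a certificate is already known it shows the certificate details dialog."
+ "Otherwise it brings up the certificate search dialog.",
+ "Show details of a local certificate or search for it on a keyserver"
+- " by fingerprint"),
+- QStringLiteral("fingerprint"))
++ " by fingerprint"))
+ << QCommandLineOption(QStringList() << QStringLiteral("gen-key"),
+ i18n("Create a new key pair or certificate signing request"))
+ << QCommandLineOption(QStringLiteral("parent-windowid"),
+@@ -100,8 +98,19 @@ static void kleopatra_options(QCommandLineParser *parser)
+
+ parser->addOptions(options);
+
++ /* Security note: To avoid code execution by shared library injection
++ * through e.g. -platformpluginpath any external input should be seperated
++ * by a double dash -- this is why query / search uses positional arguments.
++ *
++ * For example on Windows there is an URLhandler for openpgp4fpr:
++ * be opened with Kleopatra's query function. And while a browser should
++ * urlescape such a query there might be tricks to inject a quote character
++ * and as such inject command line options for Kleopatra in an URL. */
+ parser->addPositionalArgument(QStringLiteral("files"),
+ i18n("File(s) to process"),
+- QStringLiteral("[files..]"));
++ QStringLiteral("-- [files..]"));
++ parser->addPositionalArgument(QStringLiteral("query"),
++ i18n("String or Fingerprint for query and search"),
++ QStringLiteral("-- [query..]"));
+ }
+ #endif
+diff --git a/src/kleopatraapplication.cpp b/src/kleopatraapplication.cpp
+index 989f14b4..a8c5dd08 100644
+--- a/src/kleopatraapplication.cpp
++++ b/src/kleopatraapplication.cpp
+@@ -273,13 +273,18 @@ QString KleopatraApplication::newInstance(const QCommandLineParser &parser,
+
+ QStringList files;
+ const QDir cwd = QDir(workingDirectory);
+- Q_FOREACH (const QString &file, parser.positionalArguments()) {
+- // We do not check that file exists here. Better handle
+- // these errors in the UI.
+- if (QFileInfo(file).isAbsolute()) {
+- files << file;
+- } else {
+- files << cwd.absoluteFilePath(file);
++ bool queryMode = parser.isSet(QStringLiteral("query")) || parser.isSet(QStringLiteral("search"));
++
++ // Query and Search treat positional arguments differently, see below.
++ if (!queryMode) {
++ Q_FOREACH (const QString &file, parser.positionalArguments()) {
++ // We do not check that file exists here. Better handle
++ // these errors in the UI.
++ if (QFileInfo(file).isAbsolute()) {
++ files << file;
++ } else {
++ files << cwd.absoluteFilePath(file);
++ }
+ }
+ }
+
+@@ -313,10 +318,8 @@ QString KleopatraApplication::newInstance(const QCommandLineParser &parser,
+
+ // Handle openpgp4fpr URI scheme
+ QString needle;
+- if (parser.isSet(QStringLiteral("search"))) {
+- needle = parser.value(QStringLiteral("search"));
+- } else if (parser.isSet(QStringLiteral("query"))) {
+- needle = parser.value(QStringLiteral("query"));
++ if (queryMode) {
++ needle = parser.positionalArguments().join(QLatin1Char(' '));
+ }
+ if (needle.startsWith(QLatin1String("openpgp4fpr:"))) {
+ needle.remove(0, 12);
+--
+GitLab
+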
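Review bot: The security comment added to `kleopatra_options.h` makes the fix depend on callers putting `--` before external input, but nothing in the new `newInstance()` lines checks or enforces that, so a URL-handler or file-association entry that still runs `kleopatra --query <input>` without the double dash presumably stays exposed to option injection. The handler registrations are not part of this patch; confirm they were changed in the same release, and state the contract where the options are declared, e.g. `/* Callers passing external input MUST place it after "--"; the parser cannot enforce this. */`. In `kleopatraapplication.cpp`, query mode joins every positional argument into `needle`, so file names given together with `--query` or `--search` silently become search text, which the `-- [files..]` / `-- [query..]` usage strings do not mention; `bool queryMode` is not reassigned in the visible lines and could be `const`. The new comment also misspells `separated` and its second paragraph lacks a verb (`... for openpgp4fpr: that is opened with Kleopatra's query function`). Both functions start and end outside the hunks shown.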
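diff --git a/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild b/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild
new file mode 100644
index 00000000000..3953432cb0f
--- /dev/null
+++ b/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild
@@ -0,0 +1,57 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+ECM_HANDBOOK="optional"
+ECM_TEST="forceoptional"
+PVCUT=$(ver_cut 1-3)
+KFMIN=5.70.0
+QTMIN=5.14.2
+VIRTUALX_REQUIRED="test"
+inherit ecm kde.org
+
+DESCRIPTION="Certificate manager and GUI for OpenPGP and CMS cryptography"
+HOMEPAGE="https://kde.org/applications/utilities/org.kde.kleopatra"
+
+LICENSE="GPL-2+ handbook? ( FDL-1.2+ )"
+SLOT="5"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE=""
+
+DEPEND="
+ >=app-crypt/gpgme-1.11.1[cxx,qt5]
+ dev-libs/boost:=
+ dev-libs/libassuan
+ dev-libs/libgpg-error
+ >=dev-qt/qtdbus-${QTMIN}:5
+ >=dev-qt/qtgui-${QTMIN}:5
+ >=dev-qt/qtnetwork-${QTMIN}:5
+ >=dev-qt/qtprintsupport-${QTMIN}:5
+ >=dev-qt/qtwidgets-${QTMIN}:5
+ >=kde-apps/kmime-${PVCUT}:5
+ >=kde-apps/libkleo-${PVCUT}:5
+ >=kde-frameworks/kcmutils-${KFMIN}:5
+ >=kde-frameworks/kcodecs-${KFMIN}:5
+ >=kde-frameworks/kconfig-${KFMIN}:5
+ >=kde-frameworks/kconfigwidgets-${KFMIN}:5
+ >=kde-frameworks/kcoreaddons-${KFMIN}:5
+ >=kde-frameworks/kdbusaddons-${KFMIN}:5
+ >=kde-frameworks/ki18n-${KFMIN}:5
+ >=kde-frameworks/kiconthemes-${KFMIN}:5
+ >=kde-frameworks/kitemmodels-${KFMIN}:5
+ >=kde-frameworks/knotifications-${KFMIN}:5
+ >=kde-frameworks/ktextwidgets-${KFMIN}:5
+ >=kde-frameworks/kwidgetsaddons-${KFMIN}:5
+ >=kde-frameworks/kwindowsystem-${KFMIN}:5
+ >=kde-frameworks/kxmlgui-${KFMIN}:5
+"
+RDEPEND="${DEPEND}
+ >=app-crypt/gnupg-2.1
+ app-crypt/paperkey
+"
+
+# tests completely broken, bug #641720
+RESTRICT+=" test"
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2020-24972.patch" )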
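Review bot: `RESTRICT+=" test"` stays in place, so the argument handling changed by `${P}-CVE-2020-24972.patch` is not exercised by any test when this revision is built; the fix should be checked by hand until bug #641720 is resolved. A comment above `PATCHES` would tell later bumps where the patch comes from and when to drop it, e.g. `# upstream commit b4bd63c1739900d94c04da03045e9445a5a5f54b, CVE-2020-24972, bug #739556`. `IUSE=""` assigns nothing and can be dropped.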