From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 9F00C13835B for ; Sun, 30 Aug 2020 07:58:54 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E0C19E0953; Sun, 30 Aug 2020 07:58:53 +0000 (UTC) Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id BDFB2E0953 for ; Sun, 30 Aug 2020 07:58:53 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id E1DE4340DE5 for ; Sun, 30 Aug 2020 07:58:51 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id EF5CA33D for ; Sun, 30 Aug 2020 07:58:48 +0000 (UTC) 
From: "Andreas Sturmlechner" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Andreas Sturmlechner" Message-ID: <1598774302.bcbbc28935e68cd159ba8c04fac867cc8f284ce5.asturm@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: kde-apps/kleopatra/, kde-apps/kleopatra/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild X-VCS-Directories: kde-apps/kleopatra/files/ kde-apps/kleopatra/ X-VCS-Committer: asturm X-VCS-Committer-Name: Andreas Sturmlechner X-VCS-Revision: bcbbc28935e68cd159ba8c04fac867cc8f284ce5 X-VCS-Branch: master Date: Sun, 30 Aug 2020 07:58:48 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 761f8e8a-dc57-4119-bd84-2193d44c2d6d X-Archives-Hash: b71a2691042688d5d685e7a653503034 commit: bcbbc28935e68cd159ba8c04fac867cc8f284ce5 Author: Andreas Sturmlechner gentoo org> AuthorDate: Sun Aug 30 07:54:06 2020 +0000 Commit: Andreas Sturmlechner gentoo org> CommitDate: Sun Aug 30 07:58:22 2020 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcbbc289 kde-apps/kleopatra: Fix CVE-2020-24972 Bug: https://bugs.gentoo.org/739556 Package-Manager: Portage-3.0.4, Repoman-3.0.1 Signed-off-by: Andreas Sturmlechner gentoo.org> .../files/kleopatra-20.04.3-CVE-2020-24972.patch | 110 +++++++++++++++++++++ kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild | 57 +++++++++++ 2 files changed, 167 insertions(+) diff --git a/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch b/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch new file mode 100644 index 00000000000..ebcbb232e08 --- /dev/null 
+++ b/kde-apps/kleopatra/files/kleopatra-20.04.3-CVE-2020-24972.patch 
@@ -0,0 +1,110 @@ +From b4bd63c1739900d94c04da03045e9445a5a5f54b Mon Sep 17 00:00:00 2001 +From: Andre Heinecke +Date: Tue, 7 Jul 2020 14:39:29 +0200 +Subject: [PATCH] Allow safe usage of query + +To allow secure usage of query and search the parameters are +no longer parsed as value but instead of positional arguments. + +This allows us to register "kleoptra --query -- $1" as an +URL handler for openpgp4fpr: without the risk of command +line injection through an unsescaped query string. + +Similarly the double dash should be used for file handling +to avoid command line injection through filenames. +--- + src/kleopatra_options.h | 19 ++++++++++++++----- + src/kleopatraapplication.cpp | 25 ++++++++++++++----------- + 2 files changed, 28 insertions(+), 16 deletions(-) + +diff --git a/src/kleopatra_options.h b/src/kleopatra_options.h +index 661c44d7..8ce7fccf 100644 +--- a/src/kleopatra_options.h ++++ b/src/kleopatra_options.h +@@ -79,8 +79,7 @@ static void kleopatra_options(QCommandLineParser *parser) + << QStringLiteral("D"), + i18n("Decrypt and/or verify file(s)")) + << QCommandLineOption(QStringList() << QStringLiteral("search"), +- i18n("Search for a certificate on a keyserver"), +- QStringLiteral("search string")) ++ i18n("Search for a certificate on a keyserver")) + << QCommandLineOption(QStringList() << QStringLiteral("checksum"), + i18n("Create or check a checksum file")) + << QCommandLineOption(QStringList() << QStringLiteral("query") +@@ -88,8 +87,7 @@ static void kleopatra_options(QCommandLineParser *parser) + i18nc("If a certificate is already known it shows the certificate details dialog." 
+ "Otherwise it brings up the certificate search dialog.", + "Show details of a local certificate or search for it on a keyserver" +- " by fingerprint"), +- QStringLiteral("fingerprint")) ++ " by fingerprint")) + << QCommandLineOption(QStringList() << QStringLiteral("gen-key"), + i18n("Create a new key pair or certificate signing request")) + << QCommandLineOption(QStringLiteral("parent-windowid"), +@@ -100,8 +98,19 @@ static void kleopatra_options(QCommandLineParser *parser) + + parser->addOptions(options); + ++ /* Security note: To avoid code execution by shared library injection ++ * through e.g. -platformpluginpath any external input should be seperated ++ * by a double dash -- this is why query / search uses positional arguments. ++ * ++ * For example on Windows there is an URLhandler for openpgp4fpr: ++ * be opened with Kleopatra's query function. And while a browser should ++ * urlescape such a query there might be tricks to inject a quote character ++ * and as such inject command line options for Kleopatra in an URL. */ + parser->addPositionalArgument(QStringLiteral("files"), + i18n("File(s) to process"), +- QStringLiteral("[files..]")); ++ QStringLiteral("-- [files..]")); ++ parser->addPositionalArgument(QStringLiteral("query"), ++ i18n("String or Fingerprint for query and search"), ++ QStringLiteral("-- [query..]")); + } + #endif +diff --git a/src/kleopatraapplication.cpp b/src/kleopatraapplication.cpp +index 989f14b4..a8c5dd08 100644 +--- a/src/kleopatraapplication.cpp ++++ b/src/kleopatraapplication.cpp +@@ -273,13 +273,18 @@ QString KleopatraApplication::newInstance(const QCommandLineParser &parser, + + QStringList files; + const QDir cwd = QDir(workingDirectory); +- Q_FOREACH (const QString &file, parser.positionalArguments()) { +- // We do not check that file exists here. Better handle +- // these errors in the UI. 
+- if (QFileInfo(file).isAbsolute()) { +- files << file; +- } else { +- files << cwd.absoluteFilePath(file); ++ bool queryMode = parser.isSet(QStringLiteral("query")) || parser.isSet(QStringLiteral("search")); ++ ++ // Query and Search treat positional arguments differently, see below. ++ if (!queryMode) { ++ Q_FOREACH (const QString &file, parser.positionalArguments()) { ++ // We do not check that file exists here. Better handle ++ // these errors in the UI. ++ if (QFileInfo(file).isAbsolute()) { ++ files << file; ++ } else { ++ files << cwd.absoluteFilePath(file); ++ } + } + } + +@@ -313,10 +318,8 @@ QString KleopatraApplication::newInstance(const QCommandLineParser &parser, + + // Handle openpgp4fpr URI scheme + QString needle; +- if (parser.isSet(QStringLiteral("search"))) { +- needle = parser.value(QStringLiteral("search")); +- } else if (parser.isSet(QStringLiteral("query"))) { +- needle = parser.value(QStringLiteral("query")); ++ if (queryMode) { ++ needle = parser.positionalArguments().join(QLatin1Char(' ')); + } + if (needle.startsWith(QLatin1String("openpgp4fpr:"))) { + needle.remove(0, 12); +-- +GitLab + diff --git a/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild b/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild new file mode 100644 index 00000000000..3953432cb0f --- /dev/null +++ b/kde-apps/kleopatra/kleopatra-20.04.3-r1.ebuild 
@@ -0,0 +1,57 @@ +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +ECM_HANDBOOK="optional" +ECM_TEST="forceoptional" +PVCUT=$(ver_cut 1-3) +KFMIN=5.70.0 +QTMIN=5.14.2 +VIRTUALX_REQUIRED="test" +inherit ecm kde.org + +DESCRIPTION="Certificate manager and GUI for OpenPGP and CMS cryptography" +HOMEPAGE="https://kde.org/applications/utilities/org.kde.kleopatra" + +LICENSE="GPL-2+ handbook? ( FDL-1.2+ )" +SLOT="5" +KEYWORDS="~amd64 ~arm64 ~x86" +IUSE="" + +DEPEND=" + >=app-crypt/gpgme-1.11.1[cxx,qt5] + dev-libs/boost:= + dev-libs/libassuan + dev-libs/libgpg-error + >=dev-qt/qtdbus-${QTMIN}:5 + >=dev-qt/qtgui-${QTMIN}:5 + >=dev-qt/qtnetwork-${QTMIN}:5 + >=dev-qt/qtprintsupport-${QTMIN}:5 + >=dev-qt/qtwidgets-${QTMIN}:5 + >=kde-apps/kmime-${PVCUT}:5 + >=kde-apps/libkleo-${PVCUT}:5 + >=kde-frameworks/kcmutils-${KFMIN}:5 + >=kde-frameworks/kcodecs-${KFMIN}:5 + >=kde-frameworks/kconfig-${KFMIN}:5 + >=kde-frameworks/kconfigwidgets-${KFMIN}:5 + >=kde-frameworks/kcoreaddons-${KFMIN}:5 + >=kde-frameworks/kdbusaddons-${KFMIN}:5 + >=kde-frameworks/ki18n-${KFMIN}:5 + >=kde-frameworks/kiconthemes-${KFMIN}:5 + >=kde-frameworks/kitemmodels-${KFMIN}:5 + >=kde-frameworks/knotifications-${KFMIN}:5 + >=kde-frameworks/ktextwidgets-${KFMIN}:5 + >=kde-frameworks/kwidgetsaddons-${KFMIN}:5 + >=kde-frameworks/kwindowsystem-${KFMIN}:5 + >=kde-frameworks/kxmlgui-${KFMIN}:5 +" +RDEPEND="${DEPEND} + >=app-crypt/gnupg-2.1 + app-crypt/paperkey +" + +# tests completely broken, bug #641720 +RESTRICT+=" test" + +PATCHES=( "${FILESDIR}/${P}-CVE-2020-24972.patch" )
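Review bot: the security comment added above parser->addPositionalArgument() in kleopatra_options.h has a typo ("seperated") and a dropped clause: "there is an URLhandler for openpgp4fpr: be opened with Kleopatra's query function" has lost its subject (the URL that is to be opened). Since this comment is the in-tree record of why query/search take positional arguments instead of option values, fix it before the patch lands; the same class of typo is in the patch description ("kleoptra --query -- $1", "unsescaped"). On the substance: QCommandLineParser stops option parsing at `--`, so the new `-- [query..]` and `-- [files..]` usage strings only protect callers that actually emit the double dash. The handler registration the comment refers to (the Windows openpgp4fpr: handler) is not part of this patch, so confirm that every invocation site, desktop file and registry entry passes `--` before the untrusted argument, otherwise a string beginning with `-` is still parsed as an option. Minor: with two positional arguments registered, `--help` will render both `-- [files..]` and `-- [query..]`, which is slightly confusing but acceptable.

Review bot: in the kleopatraapplication.cpp hunks, query mode now joins every positional argument with a single space (`needle = parser.positionalArguments().join(QLatin1Char(' '))`), whereas the removed code took exactly one value from --search/--query. That is the right shape for the `--` convention, but it changes behaviour silently: `--query -- A B` becomes one needle with no indication that two arguments arrived, and because the first hunk skips the file loop whenever queryMode is set, file names passed together with --query or --search are dropped without any message. Consider rejecting (or at least logging) more than one positional argument in query mode so a handler that passes an unexpected extra argument is noticed. Style: the first hunk re-indents the whole existing Q_FOREACH loop inside `if (!queryMode)`; an `if (queryMode) { ... } else { loop }` arrangement keeps the diff to the genuinely new lines, and Q_FOREACH could become a range-for while the loop is being touched.

Review bot: the diffstat shows only additions (2 files changed, 167 insertions), so the unpatched kleopatra-20.04.3.ebuild stays in the tree next to this -r1, and with KEYWORDS="~amd64 ~arm64 ~x86" stable users remain on the vulnerable revision until a stabilization request follows bug 739556; that should be tracked on the bug. The ebuild itself is consistent: `PATCHES=( "${FILESDIR}/${P}-CVE-2020-24972.patch" )` resolves to the added kleopatra-20.04.3-CVE-2020-24972.patch. Minor: `IUSE=""` is an empty assignment that can simply be dropped.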