rpms/kdelibs
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

security fix CVE-2014-5033

Browse Source
This commit is contained in:
Than Ngo 2014-09-23 11:26:02 +02:00
parent a1007e1b91
commit adb7ba49b7
2 changed files with 42 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
kdelibs-4.11.5-CVE-2014-5033.patch Normal file
View File

@ -0,0 +1,36 @@
diff -up kdelibs-4.11.5/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp.than kdelibs-4.11.5/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
--- kdelibs-4.11.5/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp.than 2014-09-23 11:19:47.000000000 +0200
+++ kdelibs-4.11.5/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp 2014-09-23 11:22:50.000000000 +0200
@@ -144,7 +144,7 @@ void Polkit1Backend::setupAction(const Q
Action::AuthStatus Polkit1Backend::actionStatus(const QString &action)
{
- PolkitQt1::UnixProcessSubject subject(QCoreApplication::applicationPid());
+ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID()));
PolkitQt1::Authority::Result r = PolkitQt1::Authority::instance()->checkAuthorizationSync(action, subject,
PolkitQt1::Authority::None);
switch (r) {
@@ -160,21 +160,12 @@ Action::AuthStatus Polkit1Backend::actio
QByteArray Polkit1Backend::callerID() const
{
- QByteArray a;
- QDataStream s(&a, QIODevice::WriteOnly);
- s << QCoreApplication::applicationPid();
-
- return a;
+ return QDBusConnection::systemBus().baseService().toUtf8();
}
bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
{
- QDataStream s(&callerID, QIODevice::ReadOnly);
- qint64 pid;
-
- s >> pid;
-
- PolkitQt1::UnixProcessSubject subject(pid);
+ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
PolkitQt1::Authority *authority = PolkitQt1::Authority::instance();
PolkitResultEventLoop e;

7
kdelibs.spec
View File

@ -39,7 +39,7 @@
Summary: KDE Libraries
Version: 4.11.5
Release: 4%{?dist}
Release: 5%{?dist}
Name: kdelibs
Epoch: 6
@ -171,6 +171,7 @@ Patch093: turn-the-packagekit-support-feature-off-by-default.patch
## security fix
Patch158: 0008-Don-t-require-a-job-to-handle-messageboxes.patch
Patch159: kdelibs-4.11.5-CVE-2014-5033.patch
# rhel patches
@ -374,6 +375,7 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage
# security fixes
%patch158 -p1 -b .0008
%patch159 -p1 -b .CVE-2014-5033
# rhel patches
%if ! 0%{?webkit}
@ -630,6 +632,9 @@ gtk-update-icon-cache %{_kde4_iconsdir}/hicolor &> /dev/null || :
%changelog
* Tue Sep 23 2014 Than Ngo <than@redhat.com> - 6:4.11.5-5
- security fix CVE-2014-5033
* Thu Jun 19 2014 Rex Dieter <rdieter@fedoraproject.org> - 6:4.11.5-4
- Provides: kdelibs4-webkit ...