Backport CVE-2015-7543 fix (Joseph Wenninger) from kdelibs 4 (#1289235)

* Thu Dec 10 2015 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-71 - Backport CVE-2015-7543 fix (Joseph Wenninger) from kdelibs 4 (#1289235)
2015-12-10 10:13:39 +01:00 · 2015-12-10 10:13:39 +01:00 · e28f8c1fc2
parent cdf75c236b
commit e28f8c1fc2
2 changed files with 48 additions and 1 deletions
--- a/kdelibs-3.5.10-CVE-2015-7543.patch
+++ b/kdelibs-3.5.10-CVE-2015-7543.patch
@ -0,0 +1,38 @@
+diff -ur kdelibs-3.5.10/kinit/lnusertemp.c kdelibs-3.5.10-CVE-2015-7543/kinit/lnusertemp.c
+--- kdelibs-3.5.10/kinit/lnusertemp.c	2007-05-14 09:52:34.000000000 +0200
+++ kdelibs-3.5.10-CVE-2015-7543/kinit/lnusertemp.c	2015-12-10 10:04:02.934321515 +0100
+@@ -178,7 +178,11 @@
+      if (result == 0) return 0; /* Success */
+      unlink(kde_tmp_dir);
+      strncat(user_tmp_dir, "XXXXXX", PATH_MAX - strlen(user_tmp_dir));
+#if 0
+      mktemp(user_tmp_dir); /* We want a directory, not a file, so using mkstemp makes no sense and is wrong */
+#else
+     if (mkdtemp(user_tmp_dir)==0) return 1; /*JOWENN: isn't that the better solution ?? */
+#endif
+      return create_link(kde_tmp_dir, user_tmp_dir);
+   }
+   if ((result == -1) || (!S_ISLNK(stat_buf.st_mode)))
+@@ -204,14 +208,22 @@
+      if (result == 0) return 0; /* Success */
+      unlink(kde_tmp_dir);
+      strncat(user_tmp_dir, "XXXXXX", PATH_MAX - strlen(user_tmp_dir));
+#if 0
+      mktemp(user_tmp_dir); /* We want a directory, not a file, so using mkstemp makes no sense and is wrong */
+#else
+     if (mkdtemp(user_tmp_dir)==0) return 1; /*JOWENN: isn't that the better solution ?? */
+#endif
+      return create_link(kde_tmp_dir, user_tmp_dir);
+   }
+   result = check_tmp_dir(tmp_buf);
+   if (result == 0) return 0; /* Success */
+   unlink(kde_tmp_dir);
+   strncat(user_tmp_dir, "XXXXXX", PATH_MAX - strlen(user_tmp_dir));
+#if 0
+   mktemp(user_tmp_dir); /* We want a directory, not a file, so using mkstemp makes no sense and is wrong */
+#else
+     if (mkdtemp(user_tmp_dir)==0) return 1; /*JOWENN: isn't that the better solution ?? */
+#endif
+   return create_link(kde_tmp_dir, user_tmp_dir);
+ }
+ 
--- a/kdelibs3.spec
+++ b/kdelibs3.spec
@ -18,7 +18,7 @@
 Summary: KDE 3 Libraries
 Name:    kdelibs3
 Version: 3.5.10
-Release: 70%{?dist}
+Release: 71%{?dist}

 License: LGPLv2
 Url: http://www.kde.org/
@ -108,6 +108,11 @@ Patch207: libltdl-CVE-2009-3736.patch
 Patch208: kdelibs-3.5.x-CVE-2011-3365.patch
 # CVE-2013-2074, prints passwords contained in HTTP URLs in error messages
 Patch209: kdelibs-3.5.10-CVE-2013-2074.patch
+# CVE-2015-7543 arts,kdelibs3: Use of mktemp(3) allows attacker to hijack the IPC
+# backport upstream fix (the lnusertemp.c change) from kdelibs 4:
+# http://commits.kde.org/kdelibs/cc5515ed7ce8884c9b18169158ba29ab2f7a3db7
+# upstream fix by Joseph Wenninger, rediffed for kdelibs 3.5.10 by Kevin Kofler
+Patch210: kdelibs-3.5.10-CVE-2015-7543.patch

 ## fixes to common KDE 3 autotools machinery
 # tweak autoconfigury so that it builds with autoconf 2.64 or 2.65
@ -271,6 +276,7 @@ format for easy browsing
 %patch207 -p1 -b .CVE-2009-3736
 %patch208 -p1 -b .CVE-2011-3365
 %patch209 -p1 -b .CVE-2013-2074
+%patch210 -p1 -b .CVE-2015-7543

 %patch300 -p1 -b .acinclude
 %patch301 -p1 -b .automake-version
@ -592,6 +598,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :


 %changelog
+* Thu Dec 10 2015 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-71
+- Backport CVE-2015-7543 fix (Joseph Wenninger) from kdelibs 4 (#1289235)
+
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.5.10-70
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild