Bug#985970: unblock: kglobalaccel/5.78.0-3

Norbert Preining norbert at preining.info
Sat Mar 27 06:04:19 GMT 2021


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-kde-talk at alioth-lists.debian.net

Please unblock package kglobalaccel

[ Reason ]
Upstream asked to backport a security fix:
There is the possibility that kglobalaccel runs under a wrong UID,
which would result in programs started by the logged-in user running under a
different UID.

Unrelated change: graphviz was removed from B-D since it is not
necessary (as seen, all builds succeeded).

[ Impact ]
Security fix:
Possibility of
- broken functionality (programs started as a different uid will behave
  differently)
- security (different uid files can be read/changed)

B-D drop: none

[ Tests ]
security fix:
The package contains an extensive set of tests that are automatically
run on build.

B-D drop: builds succeeded.

[ Risks ]
The code change is simple and adds a check for the UID and returns in
case they disagree.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock kglobalaccel/5.78.0-3

Best

Norbert

--
PREINING Norbert                              https://www.preining.info
Fujitsu Research Labs  +  IFMGA Guide + TU Wien + TeX Live + Debian Dev
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
diff -Nru kglobalaccel-5.78.0/debian/changelog kglobalaccel-5.78.0/debian/changelog
--- kglobalaccel-5.78.0/debian/changelog	2021-01-17 12:02:21.000000000 +0900
+++ kglobalaccel-5.78.0/debian/changelog	2021-03-27 07:26:39.000000000 +0900
@@ -1,3 +1,12 @@
+kglobalaccel (5.78.0-3) unstable; urgency=medium
+
+  [ Norbert Preining ]
+  * Remove graphviz from build depends.
+  * Cherry pick upstream fix for kglobalaccel possibly running under an
+    incorrect uid, thus starting programs as different user.
+
+ -- Norbert Preining <norbert at preining.info>  Sat, 27 Mar 2021 07:26:39 +0900
+
 kglobalaccel (5.78.0-2) unstable; urgency=medium
 
   * Release to unstable.
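Review bot: the cherry-pick bullet in the new changelog entry does not name the upstream commit it backports, although the patch file added in this same upload is named after it (bbec7433); the changelog is what the release team and the security tracker read, so put the commit id (and a bug or advisory reference, if one exists) in the entry itself, e.g. `* Cherry pick upstream commit bbec7433: refuse to run kglobalaccel under an incorrect uid, which could start programs as a different user.`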
diff -Nru kglobalaccel-5.78.0/debian/control kglobalaccel-5.78.0/debian/control
--- kglobalaccel-5.78.0/debian/control	2021-01-17 11:54:33.000000000 +0900
+++ kglobalaccel-5.78.0/debian/control	2021-03-27 07:22:05.000000000 +0900
@@ -8,7 +8,6 @@
                debhelper-compat (= 13),
                doxygen,
                extra-cmake-modules (>= 5.78.0~),
-               graphviz,
                libkf5config-dev (>= 5.78.0~),
                libkf5coreaddons-dev (>= 5.78.0~),
                libkf5crash-dev (>= 5.78.0~),
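Review bot: dropping graphviz right next to doxygen is only proven harmless by a successful build if the doxygen configuration does not enable dot (HAVE_DOT); when it does, a missing dot binary degrades the generated API docs (no class or call graphs) without failing the build, so "all builds succeeded" alone does not show the dependency was unused. Confirm the doc build does not use dot before relying on the build result.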
diff -Nru kglobalaccel-5.78.0/debian/patches/series kglobalaccel-5.78.0/debian/patches/series
--- kglobalaccel-5.78.0/debian/patches/series	1970-01-01 09:00:00.000000000 +0900
+++ kglobalaccel-5.78.0/debian/patches/series	2021-03-27 07:23:25.000000000 +0900
@@ -0,0 +1 @@
+upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch
diff -Nru kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch
--- kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch	1970-01-01 09:00:00.000000000 +0900
+++ kglobalaccel-5.78.0/debian/patches/upstream-bbec7433-dont-run-kglobalaccel-with-wrong-uid.patch	2021-03-27 07:24:20.000000000 +0900
@@ -0,0 +1,38 @@
+From bbec74337b3186bc258bd5adf849b89191789535 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian at ritter-vogt.de>
+Date: Fri, 29 Jan 2021 11:31:54 +0100
+Subject: [PATCH] Don't let kglobalaccel run if KDE_SESSION_UID mismatches
+
+Otherwise shortcuts execute actions as the wrong user.
+---
+ src/runtime/main.cpp |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/src/runtime/main.cpp
++++ b/src/runtime/main.cpp
+@@ -10,6 +10,8 @@
+ #include "kglobalacceld.h"
+ #include "logging_p.h"
+ 
++#include <unistd.h>
++
+ #include <KCrash>
+ #include <KAboutData>
+ #include <KDBusService>
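Review bot: the embedded patch carries only the git From/Date/Subject header and no DEP-3 `Origin:` or `Applied-Upstream:` line pointing at the upstream commit URL (nor a `Bug:` line if a tracker entry exists), which is what makes the provenance of a backported security fix machine-checkable from the source package; add one above the `---` separator. The added `#include <unistd.h>` is correct and needed for `getuid()` and `uid_t` used in the following hunk.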
+@@ -58,6 +60,16 @@ extern "C" Q_DECL_EXPORT int main(int ar
+         return 0;
+     }
+ 
++    // It's possible that kglobalaccel gets started as the wrong user by
++    // accident, e.g. kdesu dolphin leads to dbus activation. It then installs
++    // its grabs and the actions are run as the wrong user.
++    bool isUidset = false;
++    const int sessionuid = qEnvironmentVariableIntValue("KDE_SESSION_UID", &isUidset);
++    if(isUidset && static_cast<uid_t>(sessionuid) != getuid()) {
++        qCWarning(KGLOBALACCELD) << "kglobalaccel running as wrong user, exiting.";
++        return 0;
++    }
++
+     KDBusService service(KDBusService::Unique);
+ 
+     app.setQuitOnLastWindowClosed( false );
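Review bot: the refusal branch ends in `return 0;`, the same success status as the early return at the top of this hunk, so a D-Bus activation failure caused by "wrong user" is indistinguishable from a clean exit; returning a non-zero status there would let the activator and whoever launched the daemon see that it refused to run. Also, `qEnvironmentVariableIntValue("KDE_SESSION_UID", &isUidset)` sets `isUidset` to false both when the variable is absent and when it is set but not a valid integer, so a malformed value silently disables the guard; checking `qEnvironmentVariableIsSet("KDE_SESSION_UID")` separately and treating "set but unparseable" like a mismatch closes that gap. Minor: a negative `sessionuid` wraps in the `static_cast<uid_t>`, so rejecting negatives explicitly keeps the comparison honest.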


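The guard in the patch above compares a session uid taken from the environment with the process's real uid. The following is an added example, not code from kglobalaccel or from this Debian upload, that models that check as a pure function so its edge cases can be exercised: an unset variable, a matching and a mismatching uid, and a value that is set but not a valid uid (which the Qt helper in the patch treats like "unset"). The names `UidCheck`, `check_session_uid`, `parse_uid` and `decide_exit_status` are hypothetical, and the non-zero exit status for the refusal case is a design choice of this example, not the patch's behaviour.

```cpp
// Added example (not from kglobalaccel or the Debian patch): the session-uid
// guard modelled as a pure function so its edge cases can be exercised.
// UidCheck, parse_uid, check_session_uid and decide_exit_status are hypothetical names.
#include <cctype>
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <sys/types.h>
#include <unistd.h>

enum class UidCheck {
    NotSet,     // KDE_SESSION_UID absent: no session info, behave as before
    Match,      // value parses and equals the real uid: safe to continue
    Mismatch,   // value parses and differs: refuse to run
    Malformed   // value set but not a valid uid: refuse too (stricter than the patch)
};

// Accept only a plain non-negative decimal that fits in uid_t: no sign, no
// leading whitespace, no trailing junk. strtoull alone would accept "-1" and " 7".
static bool parse_uid(const char *value, uid_t *out) {
    if (value == nullptr || !std::isdigit(static_cast<unsigned char>(value[0]))) {
        return false;
    }
    char *end = nullptr;
    errno = 0;
    unsigned long long n = std::strtoull(value, &end, 10);
    if (errno != 0 || *end != '\0') {
        return false;
    }
    const unsigned long long uid_max = static_cast<uid_t>(-1);
    if (n > uid_max) {
        return false;
    }
    *out = static_cast<uid_t>(n);
    return true;
}

// The guard itself: env_value is the raw KDE_SESSION_UID string (nullptr when
// the variable is unset), real_uid is what getuid() returned.
UidCheck check_session_uid(const char *env_value, uid_t real_uid) {
    if (env_value == nullptr) {
        return UidCheck::NotSet;
    }
    uid_t session_uid = 0;
    if (!parse_uid(env_value, &session_uid)) {
        return UidCheck::Malformed;
    }
    return session_uid == real_uid ? UidCheck::Match : UidCheck::Mismatch;
}

// Map the verdict to an exit status: 0 only when it is safe to keep running,
// non-zero otherwise so a refusal is distinguishable from a clean exit.
int decide_exit_status(UidCheck verdict) {
    switch (verdict) {
    case UidCheck::NotSet:
    case UidCheck::Match:
        return 0;
    case UidCheck::Mismatch:
    case UidCheck::Malformed:
        return 1;
    }
    return 1;
}

int main() {
    // Reads the real environment of this process, e.g. try
    //   KDE_SESSION_UID=1000 ./guard    versus    KDE_SESSION_UID=abc ./guard
    const char *raw = std::getenv("KDE_SESSION_UID");
    UidCheck verdict = check_session_uid(raw, getuid());
    int status = decide_exit_status(verdict);
    if (status != 0) {
        std::fprintf(stderr, "refusing to run: KDE_SESSION_UID=%s, real uid=%u\n",
                     raw, static_cast<unsigned>(getuid()));
        return status;
    }
    std::printf("uid check passed (real uid %u), continuing startup\n",
                static_cast<unsigned>(getuid()));
    return 0;
}
```

The difference from the patch is in the `Malformed` case: the patch's `qEnvironmentVariableIntValue` reports a set-but-unparseable value as "not set" and lets the daemon continue, whereas this version refuses, on the reasoning that a session variable that exists but cannot be trusted is closer to a mismatch than to a non-Plasma session with no variable at all.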