Ubuntu Pastebin

Paste from Simon Quigley at Thu, 29 Sep 2016 23:51:57 +0000

Download as text 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
diff -Nru kde-cli-tools-5.5.5/debian/changelog kde-cli-tools-5.5.5/debian/changelog
--- kde-cli-tools-5.5.5/debian/changelog	2016-04-14 20:35:02.000000000 +0000
+++ kde-cli-tools-5.5.5/debian/changelog	2016-09-29 23:43:32.000000000 +0000
@@ -1,3 +1,9 @@
+kde-cli-tools (4:5.5.5-0ubuntu1.1) xenial; urgency=high
+
+  * Fix CVE-2016-7787.
+
+ -- Simon Quigley <tsimonq2@ubuntu.com>  Thu, 29 Sep 2016 18:43:32 -0500
+
 kde-cli-tools (4:5.5.5-0ubuntu1) xenial; urgency=medium
 
   * New upstream bugfix release
diff -Nru kde-cli-tools-5.5.5/debian/patches/01-patch-kde-CVE-2016-7787.diff kde-cli-tools-5.5.5/debian/patches/01-patch-kde-CVE-2016-7787.diff
--- kde-cli-tools-5.5.5/debian/patches/01-patch-kde-CVE-2016-7787.diff	1970-01-01 00:00:00.000000000 +0000
+++ kde-cli-tools-5.5.5/debian/patches/01-patch-kde-CVE-2016-7787.diff	2016-09-29 23:42:33.000000000 +0000
@@ -0,0 +1,35 @@
+Description: Fix for CVE-2016-7787
+ A maliciously crafted command line for kdesu can result in the user only
+ seeing part of the commands that will actually get executed as super user.
+Author: Martin Sandsmark <martin.sandsmark@kde.org>
+Origin: backport
+Applied-Upstream: 5eda179a099ba68a20dc21dc0da63e85a565a171
+Last-Update: 2016-09-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/kdesu/kdesu.cpp
++++ b/kdesu/kdesu.cpp
+@@ -146,6 +146,10 @@ int main(int argc, char *argv[])
+     {
+         KMessageBox::sorry(0, i18n("Cannot execute command '%1'.", QString::fromLocal8Bit(command)));
+     }
++    if (result == -2)
++    {
++        KMessageBox::sorry(0, i18n("Cannot execute command '%1'. It contains invalid characters.", QString::fromLocal8Bit(command)));
++    }
+ 
+     return result;
+ }
+@@ -371,6 +375,12 @@ static int startApp(QCommandLineParser&
+         qDebug() << "Don't need password!!\n";
+     }
+ 
++    for (const QChar character : QString::fromLocal8Bit(command)) {
++        if (!character.isPrint() && character.category() != QChar::Other_Surrogate) {
++            return -2;
++        }
++    }
++
+     // Start the dialog
+     QString password;
+     if (needpw)
diff -Nru kde-cli-tools-5.5.5/debian/patches/series kde-cli-tools-5.5.5/debian/patches/series
--- kde-cli-tools-5.5.5/debian/patches/series	2016-04-14 20:35:02.000000000 +0000
+++ kde-cli-tools-5.5.5/debian/patches/series	2016-09-29 23:32:20.000000000 +0000
@@ -1 +1,2 @@
+01-patch-kde-CVE-2016-7787.diff
 disable_failing_tests
Download as text