---
community/kconfig/APKBUILD | 12 +-
community/kconfig/CVE-2019-14744.patch | 147 +++++++++++++++++++++++++
2 files changed, 156 insertions(+), 3 deletions(-)
create mode 100644 community/kconfig/CVE-2019-14744.patch
diff --git a/community/kconfig/APKBUILD b/community/kconfig/APKBUILD
index d7706c98dc..1fd51bfbcf 100644
--- a/community/kconfig/APKBUILD
@@ -2,16 +2,21 @@
# Maintainer: Bart Ribbers <bribbers@disroot.org>
pkgname=kconfig
pkgver=5.60.0
-pkgrel=0
+pkgrel=1
pkgdesc="Configuration system"
arch="all"
url="https://community.kde.org/Frameworks"
license="LGPL-2.0-or-later AND LGPL-2.0-only AND LGPL-2.1-or-later"
makedepends="extra-cmake-modules qt5-qttools-dev doxygen"
checkdepends="xvfb-run"
-source="https://download.kde.org/stable/frameworks/${pkgver%.*}/$pkgname-$pkgver.tar.xz"
+source="https://download.kde.org/stable/frameworks/${pkgver%.*}/$pkgname-$pkgver.tar.xz
+ CVE-2019-14744.patch"
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
+# secfixes:
+# 5.60.0-r1:
+# - CVE-2019-14744
+
build() {
cmake \
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
@@ -29,4 +34,5 @@ package() {
DESTDIR="$pkgdir" make install
}
-sha512sums="76aa15e9e1630c687ff7cc6b77060c74472f307442d07ae09d5f4aa61d7b6f29f3f1d270218c6d7fea8e86eb9dda43c96821d19d827a781c7f71da6135d98753 kconfig-5.60.0.tar.xz"
+sha512sums="76aa15e9e1630c687ff7cc6b77060c74472f307442d07ae09d5f4aa61d7b6f29f3f1d270218c6d7fea8e86eb9dda43c96821d19d827a781c7f71da6135d98753 kconfig-5.60.0.tar.xz
+0265a6e02e1ac6a7bb30e75eb169c83a69237e2dd2f80a4be18b47ecd758aa27dbcecc45d2e18a52df049b32313dfd5b5432bfcfa39611279194d2c9b48dc35e CVE-2019-14744.patch"
diff --git a/community/kconfig/CVE-2019-14744.patch b/community/kconfig/CVE-2019-14744.patch
new file mode 100644
index 0000000000..e8a799ca5d
--- /dev/null
@@ -0,0 +1,147 @@
+From 5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22 Mon Sep 17 00:00:00 2001
+From: David Faure <faure@kde.org>
+Date: Wed, 7 Aug 2019 09:35:36 +0200
+Subject: Security: remove support for $(...) in config keys with [$e] marker.
+
+Summary:
+It is very unclear at this point what a valid use case for this feature
+would possibly be. The old documentation only mentions $(hostname) as
+an example, which can be done with $HOSTNAME instead.
+
+Note that $(...) is still supported in Exec lines of desktop files,
+this does not require [$e] anyway (and actually works better without it,
+otherwise the $ signs need to be doubled to obey kconfig $e escaping rules...).
+
+Test Plan:
+ctest passes; various testcases with $(...) in desktop files,
+directory files, and config files, no longer execute commands.
+
+Reviewers: mdawson, aacid, broulik, davidedmundson, kossebau, apol, sitter, security-team
+
+Reviewed By: mdawson, davidedmundson
+
+Subscribers: ZaWertun, rikmills, fvogt, ngraham, kde-frameworks-devel
+
+Tags: #frameworks
+
+Differential Revision: https://phabricator.kde.org/D22979
+---
+ autotests/kconfigtest.cpp | 10 ++--------
+ docs/options.md | 11 ++++-------
+ src/core/kconfig.cpp | 37 +------------------------------------
+ 3 files changed, 7 insertions(+), 51 deletions(-)
+
+diff --git a/autotests/kconfigtest.cpp b/autotests/kconfigtest.cpp
+index 410b5b8..9af3b46 100644
+--- a/autotests/kconfigtest.cpp
++++ b/autotests/kconfigtest.cpp
+@@ -38,7 +38,7 @@
+ #include <utime.h>
+ #endif
+ #ifndef Q_OS_WIN
+-#include <unistd.h> // gethostname
++#include <unistd.h> // getuid
+ #endif
+
+ KCONFIGGROUP_DECLARE_ENUM_QOBJECT(KConfigTest, Testing)
+@@ -546,14 +546,8 @@ void KConfigTest::testPath()
+ QCOMPARE(group.readPathEntry("withBraces", QString()), QString("file://" + HOMEPATH));
+ QVERIFY(group.hasKey("URL"));
+ QCOMPARE(group.readEntry("URL", QString()), QString("file://" + HOMEPATH));
+-#if !defined(Q_OS_WIN32) && !defined(Q_OS_MAC)
+- // I don't know if this will work on windows
+- // This test hangs on OS X
+ QVERIFY(group.hasKey("hostname"));
+- char hostname[256];
+- QVERIFY(::gethostname(hostname, sizeof(hostname)) == 0);
+- QCOMPARE(group.readEntry("hostname", QString()), QString::fromLatin1(hostname));
+-#endif
++ QCOMPARE(group.readEntry("hostname", QString()), QStringLiteral("(hostname)")); // the $ got removed because empty var name
+ QVERIFY(group.hasKey("noeol"));
+ QCOMPARE(group.readEntry("noeol", QString()), QString("foo"));
+
+diff --git a/docs/options.md b/docs/options.md
+index c634c00..4a6e9bc 100644
+--- a/docs/options.md
++++ b/docs/options.md
+@@ -67,18 +67,15 @@ environment variables (and `XDG_CONFIG_HOME` in particular).
+ Shell Expansion
+ ---------------
+
+-If an entry is marked with `$e`, environment variables and shell commands will
+-be expanded.
++If an entry is marked with `$e`, environment variables will be expanded.
+
+ Name[$e]=$USER
+- Host[$e]=$(hostname)
+
+ When the "Name" entry is read `$USER` will be replaced with the value of the
+-`$USER` environment variable, and `$(hostname)` will be replaced with the output
+-of the `hostname` command.
++`$USER` environment variable.
+
+-Note that the application will replace `$USER` and `$(hostname)` with their
+-respective expanded values after saving. To prevent this combine the `$e` option
++Note that the application will replace `$USER` with its
++expanded value after saving. To prevent this combine the `$e` option
+ with `$i` (immmutable) option. For example:
+
+ Name[$ei]=$USER
+diff --git a/src/core/kconfig.cpp b/src/core/kconfig.cpp
+index e1b11ed..f6824ce 100644
+--- a/src/core/kconfig.cpp
++++ b/src/core/kconfig.cpp
+@@ -28,19 +28,6 @@
+ #include <cstdlib>
+ #include <fcntl.h>
+
+-#ifdef _MSC_VER
+-static inline FILE *popen(const char *cmd, const char *mode)
+-{
+- return _popen(cmd, mode);
+-}
+-static inline int pclose(FILE *stream)
+-{
+- return _pclose(stream);
+-}
+-#else
+-#include <unistd.h>
+-#endif
+-
+ #include "kconfigbackend_p.h"
+ #include "kconfiggroup.h"
+
+@@ -183,29 +170,7 @@ QString KConfigPrivate::expandString(const QString &value)
+ int nDollarPos = aValue.indexOf(QLatin1Char('$'));
+ while (nDollarPos != -1 && nDollarPos + 1 < aValue.length()) {
+ // there is at least one $
+- if (aValue[nDollarPos + 1] == QLatin1Char('(')) {
+- int nEndPos = nDollarPos + 1;
+- // the next character is not $
+- while ((nEndPos <= aValue.length()) && (aValue[nEndPos] != QLatin1Char(')'))) {
+- nEndPos++;
+- }
+- nEndPos++;
+- QString cmd = aValue.mid(nDollarPos + 2, nEndPos - nDollarPos - 3);
+-
+- QString result;
+-
+-// FIXME: wince does not have pipes
+-#ifndef _WIN32_WCE
+- FILE *fs = popen(QFile::encodeName(cmd).data(), "r");
+- if (fs) {
+- QTextStream ts(fs, QIODevice::ReadOnly);
+- result = ts.readAll().trimmed();
+- pclose(fs);
+- }
+-#endif
+- aValue.replace(nDollarPos, nEndPos - nDollarPos, result);
+- nDollarPos += result.length();
+- } else if (aValue[nDollarPos + 1] != QLatin1Char('$')) {
++ if (aValue[nDollarPos + 1] != QLatin1Char('$')) {
+ int nEndPos = nDollarPos + 1;
+ // the next character is not $
+ QStringRef aVarName;
+--
+cgit v1.1
+
--
2.21.0