authorMichael Palimaka <kensington@gentoo.org>2014-07-23 11:07:59 +0000
committerMichael Palimaka <kensington@gentoo.org>2014-07-23 11:07:59 +0000
commitca09908c6b86e820313fb849b76e0d2322465250 (patch)
tree3b7ab4848bec7135a57df351a62a4bf5473801e7 /kde-base
parentStable on alpha, bug #497690 (diff)
Backport patch from upstream to solve CVE-2014-5033 wrt bug #517864.
(Portage version: 2.2.10/cvs/Linux x86_64, signed Manifest commit with key 0x06B1F38DCA45A1EC!)
Diffstat (limited to 'kde-base')
-rw-r--r--kde-base/kdelibs/ChangeLog10
-rw-r--r--kde-base/kdelibs/files/kdelibs-4.13.3-CVE-2014-5033.patch53
-rw-r--r--kde-base/kdelibs/kdelibs-4.12.5-r2.ebuild301
-rw-r--r--kde-base/kdelibs/kdelibs-4.13.3-r1.ebuild (renamed from kde-base/kdelibs/kdelibs-4.13.3.ebuild)3
4 files changed, 365 insertions, 2 deletions
diff --git a/kde-base/kdelibs/ChangeLog b/kde-base/kdelibs/ChangeLog
index 027c7a13e90a..410b078630f4 100644
--- a/kde-base/kdelibs/ChangeLog
+++ b/kde-base/kdelibs/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for kde-base/kdelibs
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/kde-base/kdelibs/ChangeLog,v 1.1016 2014/07/16 17:40:37 johu Exp $
+# $Header: /var/cvsroot/gentoo-x86/kde-base/kdelibs/ChangeLog,v 1.1017 2014/07/23 11:07:59 kensington Exp $
+
+*kdelibs-4.12.5-r2 (23 Jul 2014)
+*kdelibs-4.13.3-r1 (23 Jul 2014)
+
+ 23 Jul 2014; Michael Palimaka <kensington@gentoo.org>
+ +files/kdelibs-4.13.3-CVE-2014-5033.patch, +kdelibs-4.12.5-r2.ebuild,
+ +kdelibs-4.13.3-r1.ebuild, -kdelibs-4.13.3.ebuild:
+ Backport patch from upstream to solve CVE-2014-5033 wrt bug #517864.
*kdelibs-4.13.3 (16 Jul 2014)
diff --git a/kde-base/kdelibs/files/kdelibs-4.13.3-CVE-2014-5033.patch b/kde-base/kdelibs/files/kdelibs-4.13.3-CVE-2014-5033.patch
new file mode 100644
index 000000000000..6d059b52eb31
--- /dev/null
+++ b/kde-base/kdelibs/files/kdelibs-4.13.3-CVE-2014-5033.patch
@@ -0,0 +1,53 @@
+From c36bf4f314e6ee1203898697abe294ed0c8dcb32 Mon Sep 17 00:00:00 2001
+From: "Martin T. H. Sandsmark" <martin.sandsmark@kde.org>
+Date: Mon, 21 Jul 2014 22:52:40 +0200
+Subject: [PATCH] Use dbus system bus name instead of PID for authentication.
+
+Using the PID for authentication is prone to a PID reuse
+race condition, and a security issue.
+
+REVIEW: 119323
+---
+ kdecore/auth/backends/polkit-1/Polkit1Backend.cpp | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+index cd7f6f3..732d2cb 100644
+--- a/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
++++ b/kdecore/auth/backends/polkit-1/Polkit1Backend.cpp
+@@ -144,7 +144,7 @@ void Polkit1Backend::setupAction(const QString &action)
+
+ Action::AuthStatus Polkit1Backend::actionStatus(const QString &action)
+ {
+- PolkitQt1::UnixProcessSubject subject(QCoreApplication::applicationPid());
++ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID()));
+ PolkitQt1::Authority::Result r = PolkitQt1::Authority::instance()->checkAuthorizationSync(action, subject,
+ PolkitQt1::Authority::None);
+ switch (r) {
+@@ -160,21 +160,12 @@ Action::AuthStatus Polkit1Backend::actionStatus(const QString &action)
+
+ QByteArray Polkit1Backend::callerID() const
+ {
+- QByteArray a;
+- QDataStream s(&a, QIODevice::WriteOnly);
+- s << QCoreApplication::applicationPid();
+-
+- return a;
++ return QDBusConnection::systemBus().baseService().toUtf8();
+ }
+
+ bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
+ {
+- QDataStream s(&callerID, QIODevice::ReadOnly);
+- qint64 pid;
+-
+- s >> pid;
+-
+- PolkitQt1::UnixProcessSubject subject(pid);
++ PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
+ PolkitQt1::Authority *authority = PolkitQt1::Authority::instance();
+
+ PolkitResultEventLoop e;
+--
+1.8.5.5
+
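Review bot: `isCallerAuthorized()` now builds the `SystemBusNameSubject` straight from the `callerID` byte array it is handed, and nothing in the visible lines ties that value to the D-Bus connection that actually sent the request. The function body and its callers lie outside the hunk, so this is inferred: if the helper receives `callerID` inside the request payload, a client could name another connection's bus name and polkit would evaluate that other subject. The call site should reject the request unless `QString::fromUtf8(callerID)` equals the sender of the incoming message (`QDBusMessage::service()`) before the polkit check runs. Separately, `callerID()` returns an empty array when the system bus is not connected, which deserves an explicit rejection or at least a comment such as `// empty when the system bus is unavailable; callers must treat this as unauthorized`.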
diff --git a/kde-base/kdelibs/kdelibs-4.12.5-r2.ebuild b/kde-base/kdelibs/kdelibs-4.12.5-r2.ebuild
new file mode 100644
index 000000000000..67f2a8df6a6c
--- /dev/null
+++ b/kde-base/kdelibs/kdelibs-4.12.5-r2.ebuild
@@ -0,0 +1,301 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/kde-base/kdelibs/kdelibs-4.12.5-r2.ebuild,v 1.1 2014/07/23 11:07:59 kensington Exp $
+
+EAPI=5
+
+CPPUNIT_REQUIRED="optional"
+DECLARATIVE_REQUIRED="always"
+OPENGL_REQUIRED="optional"
+KDE_HANDBOOK="optional"
+inherit kde4-base fdo-mime multilib toolchain-funcs flag-o-matic
+
+EGIT_BRANCH="KDE/4.12"
+
+DESCRIPTION="KDE libraries needed by all KDE programs."
+
+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux"
+LICENSE="LGPL-2.1"
+IUSE="3dnow acl alsa altivec +bzip2 debug doc fam jpeg2k kerberos lzma
+mmx nls openexr +policykit semantic-desktop spell sse sse2 ssl +udev +udisks
++upower zeroconf"
+
+REQUIRED_USE="
+ udisks? ( udev )
+ upower? ( udev )
+"
+
+# needs the kate regression testsuite from svn
+RESTRICT="test"
+
+COMMONDEPEND="
+ app-crypt/qca:2
+ >=app-misc/strigi-0.7.7
+ app-text/docbook-xml-dtd:4.2
+ app-text/docbook-xsl-stylesheets
+ >=dev-libs/libattica-0.4.2
+ >=dev-libs/libdbusmenu-qt-0.3.2
+ dev-libs/libpcre[unicode]
+ dev-libs/libxml2
+ dev-libs/libxslt
+ media-libs/fontconfig
+ media-libs/freetype:2
+ media-libs/giflib
+ media-libs/libpng:0=
+ >=media-libs/phonon-4.4.3
+ sys-libs/zlib
+ virtual/jpeg:0
+ >=x11-misc/shared-mime-info-0.60
+ acl? ( virtual/acl )
+ alsa? ( media-libs/alsa-lib )
+ !aqua? (
+ x11-libs/libICE
+ x11-libs/libSM
+ x11-libs/libX11
+ x11-libs/libXau
+ x11-libs/libXcursor
+ x11-libs/libXdmcp
+ x11-libs/libXext
+ x11-libs/libXfixes
+ x11-libs/libXft
+ x11-libs/libXpm
+ x11-libs/libXrender
+ x11-libs/libXScrnSaver
+ x11-libs/libXtst
+ !kernel_SunOS? (
+ || (
+ sys-libs/libutempter
+ >=sys-freebsd/freebsd-lib-9.0
+ )
+ )
+ )
+ bzip2? ( app-arch/bzip2 )
+ fam? ( virtual/fam )
+ jpeg2k? ( media-libs/jasper )
+ kerberos? ( virtual/krb5 )
+ openexr? (
+ media-libs/openexr:=
+ media-libs/ilmbase:=
+ )
+ policykit? ( >=sys-auth/polkit-qt-0.103.0 )
+ semantic-desktop? (
+ >=dev-libs/shared-desktop-ontologies-0.11.0
+ >=dev-libs/soprano-2.9.0[dbus,raptor,redland]
+ )
+ spell? ( app-text/enchant )
+ ssl? ( dev-libs/openssl )
+ udev? ( virtual/udev )
+ zeroconf? ( net-dns/avahi[mdnsresponder-compat] )
+"
+DEPEND="${COMMONDEPEND}
+ doc? ( app-doc/doxygen )
+ nls? ( virtual/libintl )
+"
+RDEPEND="${COMMONDEPEND}
+ !dev-qt/qtphonon
+ !<=kde-base/plasma-workspace-4.7.1:4
+ !<=kde-base/kcontrol-4.4.50:4
+ >=app-crypt/gnupg-2.0.11
+ app-misc/ca-certificates
+ $(add_kdebase_dep kde-env)
+ sys-apps/dbus[X]
+ !aqua? (
+ udisks? ( sys-fs/udisks:2 )
+ x11-apps/iceauth
+ x11-apps/rgb
+ >=x11-misc/xdg-utils-1.0.2-r3
+ upower? ( || ( >=sys-power/upower-0.9.23 sys-power/upower-pm-utils ) )
+ )
+ udev? ( app-misc/media-player-info )
+"
+PDEPEND="
+ $(add_kdebase_dep katepart)
+ || (
+ $(add_kdebase_dep kfmclient)
+ x11-misc/xdg-utils
+ )
+ handbook? ( $(add_kdebase_dep khelpcenter) )
+ policykit? (
+ >=sys-auth/polkit-kde-agent-0.99
+ )
+ semantic-desktop? (
+ $(add_kdebase_dep nepomuk-core)
+ $(add_kdebase_dep nepomuk-widgets)
+ )
+"
+
+PATCHES=(
+ "${FILESDIR}/dist/01_gentoo_set_xdg_menu_prefix-1.patch"
+ "${FILESDIR}/dist/02_gentoo_append_xdg_config_dirs-1.patch"
+ "${FILESDIR}/${PN}-4.7.96-mimetypes.patch"
+ "${FILESDIR}/${PN}-4.4.90-xslt.patch"
+ "${FILESDIR}/${PN}-4.6.2-armlinking.patch"
+ "${FILESDIR}/${PN}-4.6.3-no_suid_kdeinit.patch"
+ "${FILESDIR}/${PN}-4.8.1-norpath.patch"
+ "${FILESDIR}/${PN}-4.9.3-werror.patch"
+ "${FILESDIR}/${PN}-4.10.0-udisks.patch"
+ "${FILESDIR}/${PN}-4.13.2-CVE-2014-3494.patch" # Bug 513726
+ "${FILESDIR}/${PN}-4.13.3-CVE-2014-5033.patch"
+)
+
+pkg_pretend() {
+ if [[ ${MERGE_TYPE} != binary ]]; then
+ [[ $(gcc-major-version) -lt 4 ]] || \
+ ( [[ $(gcc-major-version) -eq 4 && $(gcc-minor-version) -le 3 ]] ) \
+ && die "Sorry, but gcc-4.3 and earlier won't work for KDE SC 4.6 (see bug #354837)."
+ fi
+}
+
+src_prepare() {
+ kde4-base_src_prepare
+
+ # Rename applications.menu (needs 01_gentoo_set_xdg_menu_prefix-1.patch to work)
+ sed -e 's|FILES[[:space:]]applications.menu|FILES applications.menu RENAME kde-4-applications.menu|g' \
+ -i kded/CMakeLists.txt || die "Sed on CMakeLists.txt for applications.menu failed."
+
+ if use aqua; then
+ sed -i -e \
+ "s:BUNDLE_INSTALL_DIR \"/Applications:BUNDLE_INSTALL_DIR \"${EPREFIX}/${APP_BUNDLE_DIR}:g" \
+ cmake/modules/FindKDE4Internal.cmake || die "failed to sed FindKDE4Internal.cmake"
+
+ #if [[ ${CHOST} == *-darwin8 ]]; then
+ sed -i -e \
+ "s:set(_add_executable_param MACOSX_BUNDLE):remove(_add_executable_param MACOSX_BUNDLE):g" \
+ cmake/modules/KDE4Macros.cmake || die "failed to sed KDE4Macros.cmake"
+ #fi
+
+ # solid/solid/backends/iokit doesn't properly link, so disable it.
+ sed -e "s|\(APPLE\)|(FALSE)|g" -i solid/solid/CMakeLists.txt \
+ || die "disabling solid/solid/backends/iokit failed"
+ sed -e "s|m_backend = .*Backends::IOKit.*;|m_backend = 0;|g" -i solid/solid/managerbase.cpp \
+ || die "disabling solid/solid/backends/iokit failed"
+
+ # There's no fdatasync on OSX and the check fails to detect that.
+ sed -e "/HAVE_FDATASYNC/ d" -i config.h.cmake \
+ || die "disabling fdatasync failed"
+
+ # Fix nameser include to nameser8_compat
+ sed -e "s|nameser8_compat.h|nameser_compat.h|g" -i kio/misc/kpac/discovery.cpp \
+ || die "fixing nameser include failed"
+ append-flags -DHAVE_ARPA_NAMESER8_COMPAT_H=1
+
+ # Try to fix kkeyserver_mac
+ epatch "${FILESDIR}"/${PN}-4.3.80-kdeui_util_kkeyserver_mac.patch
+ fi
+}
+
+src_configure() {
+ mycmakeargs=(
+ -DWITH_HSPELL=OFF
+ -DWITH_ASPELL=OFF
+ -DWITH_DNSSD=OFF
+ -DKDE_DEFAULT_HOME=.kde4
+ -DKAUTH_BACKEND=POLKITQT-1
+ -DBUILD_libkactivities=OFF
+ $(cmake-utils_use_build handbook doc)
+ $(cmake-utils_use_has 3dnow X86_3DNOW)
+ $(cmake-utils_use_has altivec PPC_ALTIVEC)
+ $(cmake-utils_use_has mmx X86_MMX)
+ $(cmake-utils_use_has sse X86_SSE)
+ $(cmake-utils_use_has sse2 X86_SSE2)
+ $(cmake-utils_use_with acl)
+ $(cmake-utils_use_with alsa)
+ $(cmake-utils_use_with bzip2 BZip2)
+ $(cmake-utils_use_with fam)
+ $(cmake-utils_use_with jpeg2k Jasper)
+ $(cmake-utils_use_with kerberos GSSAPI)
+ $(cmake-utils_use_with lzma LibLZMA)
+ $(cmake-utils_use_with nls Libintl)
+ $(cmake-utils_use_with openexr OpenEXR)
+ $(cmake-utils_use_with opengl OpenGL)
+ $(cmake-utils_use_with policykit PolkitQt-1)
+ $(cmake-utils_use_with semantic-desktop Soprano)
+ $(cmake-utils_use_with semantic-desktop SharedDesktopOntologies)
+ $(cmake-utils_use_with spell ENCHANT)
+ $(cmake-utils_use_with ssl OpenSSL)
+ $(cmake-utils_use_with udev UDev)
+ $(cmake-utils_use_with udisks SOLID_UDISKS2)
+ $(cmake-utils_use_with zeroconf Avahi)
+ )
+ kde4-base_src_configure
+}
+
+src_compile() {
+ kde4-base_src_compile
+
+ # The building of apidox is not managed anymore by the build system
+ if use doc; then
+ einfo "Building API documentation"
+ cd "${S}"/doc/api/
+ ./doxygen.sh "${S}" || die "APIDOX generation failed"
+ fi
+}
+
+src_install() {
+ kde4-base_src_install
+
+ # use system certificates
+ rm -f "${ED}"/usr/share/apps/kssl/ca-bundle.crt || die
+ dosym /etc/ssl/certs/ca-certificates.crt /usr/share/apps/kssl/ca-bundle.crt
+
+ if use doc; then
+ einfo "Installing API documentation. This could take a bit of time."
+ cd "${S}"/doc/api/
+ docinto /HTML/en/kdelibs-apidox
+ dohtml -r ${P}-apidocs/*
+ fi
+
+ if use aqua; then
+ einfo "fixing ${PN} plugins"
+
+ local _PV=${PV:0:3}.0
+ local _dir=${EPREFIX}/usr/$(get_libdir)/kde4/plugins/script
+
+ install_name_tool -id \
+ "${_dir}/libkrossqtsplugin.${_PV}.dylib" \
+ "${D}/${_dir}/libkrossqtsplugin.${_PV}.dylib" \
+ || die "failed fixing libkrossqtsplugin.${_PV}.dylib"
+
+ einfo "fixing ${PN} cmake detection files"
+ #sed -i -e \
+ # "s:if (HAVE_XKB):if (HAVE_XKB AND NOT APPLE):g" \
+ echo -e "set(XKB_FOUND FALSE)\nset(HAVE_XKB FALSE)" > \
+ "${ED}"/usr/share/apps/cmake/modules/FindXKB.cmake \
+ || die "failed fixing FindXKB.cmake"
+ fi
+
+ einfo Installing environment file.
+ # Since 44qt4 is sourced earlier QT_PLUGIN_PATH is defined.
+ echo "COLON_SEPARATED=QT_PLUGIN_PATH" > "${T}/77kde"
+ echo "QT_PLUGIN_PATH=${EPREFIX}/usr/$(get_libdir)/kde4/plugins" >> "${T}/77kde"
+ doenvd "${T}/77kde"
+}
+
+pkg_postinst() {
+ fdo-mime_mime_database_update
+
+ if use zeroconf; then
+ echo
+ elog "To make zeroconf support available in KDE make sure that the avahi daemon"
+ elog "is running."
+ echo
+ einfo "If you also want to use zeroconf for hostname resolution, emerge sys-auth/nss-mdns"
+ einfo "and enable multicast dns lookups by editing the 'hosts:' line in /etc/nsswitch.conf"
+ einfo "to include 'mdns', e.g.:"
+ einfo " hosts: files mdns dns"
+ echo
+ fi
+
+ kde4-base_pkg_postinst
+}
+
+pkg_prerm() {
+ # Remove ksycoca4 global database
+ rm -f "${EROOT}${PREFIX}"/share/kde4/services/ksycoca4
+}
+
+pkg_postrm() {
+ fdo-mime_mime_database_update
+
+ kde4-base_pkg_postrm
+}
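Review bot: The new `PATCHES` entry `"${FILESDIR}/${PN}-4.13.3-CVE-2014-5033.patch"` carries no bug reference, while the CVE-2014-3494 entry directly above it is annotated `# Bug 513726`. Appending `# Bug 517864` (the bug named in the commit message) keeps the security backport traceable from the ebuild itself; the same applies to the entry added to `PATCHES` in kdelibs-4.13.3-r1.ebuild. The patch file is named for 4.13.3, so it is also worth confirming that it applies to the 4.12.5 sources of `Polkit1Backend.cpp` without fuzz or offsets.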
diff --git a/kde-base/kdelibs/kdelibs-4.13.3.ebuild b/kde-base/kdelibs/kdelibs-4.13.3-r1.ebuild
index 18208bbc83cc..1e433ac2b0d3 100644
--- a/kde-base/kdelibs/kdelibs-4.13.3.ebuild
+++ b/kde-base/kdelibs/kdelibs-4.13.3-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/kde-base/kdelibs/kdelibs-4.13.3.ebuild,v 1.1 2014/07/16 17:40:37 johu Exp $
+# $Header: /var/cvsroot/gentoo-x86/kde-base/kdelibs/kdelibs-4.13.3-r1.ebuild,v 1.1 2014/07/23 11:07:59 kensington Exp $
EAPI=5
@@ -134,6 +134,7 @@ PATCHES=(
"${FILESDIR}/${PN}-4.8.1-norpath.patch"
"${FILESDIR}/${PN}-4.9.3-werror.patch"
"${FILESDIR}/${PN}-4.10.0-udisks.patch"
+ "${FILESDIR}/${PN}-4.13.3-CVE-2014-5033.patch"
)
pkg_pretend() {